My current understanding of the latest firmware is that SSID "BROADCAST" cannot be disabled.

My assumption is that the idea behind this action is to ensure part 97 compliance via having your callsign as part of your ssid.

However, there is a major issue with this setup.

1) Phones/Laptops/etc Can see the nodes... (people will get curious and fiddle with them)

2) It is possible to connect a phone to one of these nodes and sniff the network for an ip address to access the nodes network

3) You CAN disable SSID broadcasting and stay part 97 Compliant.

Number 3 most people don't seem to know within the HSMM community. I am a wireless network security professional. (OSWP certified). When you have for example an access point with an SSID and disable the SSID Broadcast this does two things..

1) Standard computers/phones/devices will NOT see the network

2) Whenever the hardware is communicating IE:Meshed/linked the SSID is transmitted in the raw packet data....

In other words if you were looking at the raw data over the air (very easy to do under linux with a monitor mode capable wifi adapter) you can see the SSID of any access point (or HSMM node) that does not broadcast its SSID as long as the node is transmitting/communicating with another device.

I would strongly like to propose that an option to disable the broadcast function be added to the next firmware release, this will increase (security through obscurity) while continuing to be Part 97 compliant.

Windows computers and cellphones ( and many other devices ) will not look for wireless deivce, it will just wait until it sees a broadcast. With broadcasting turned off non-licensed individuals won't realize the network is there while the FCC/Licensed ham/and Technician could see the network if they so pleased, this simply hides the network from devices that shouldn't be attempting to connect anyway.

It in no way, shape, or form hinders the devices ability to function under part 97

HOWEVER, that being said, if you do a site-survey you will NOT see any node that is not broadcasting, you would need to add a manual-entry option where you could enter the SSID of the device/node you are connecting to.. Most stock routers have these capabilities.

Even in ad-hoc it is possible to disable ssid broadcast. I need to take a look at the firmware but are you using OLSR? Regardless you can disable ssid broadcast in that "mode", there is nothing that would cause the node to fail without a broadcast. You would of course have to manually configure accepted nodes to talk to but that is part of creating a stable semi-secure network.

An amateur network should not be showing its face on commercial/retail devices.

I echo what AD5OO said.  That is part of the requirement for an ad-hoc network.  You cannot hide the SSID.

Now on to what I noticed:

"My assumption is that the idea behind this action is to ensure part 97 compliance via having your callsign as part of your ssid."

Okay, let us assume your assumption is correct to ensure part 97 compliance.  First, Broadband-Hamnet/HSMM-MESH utilizes an ad-hoc network.  Part of how an ad-hoc network works is that each item that wants to join that particular network must have the same SSID.  If each individual user had their own callsign as part of the SSID.  The nodes would not be able to connect. 

"You would of course have to manually configure accepted nodes to talk to but that is part of creating a stable semi-secure network."

That is not how I understand how Broadband-Hamnet/HSMM-MESH works.  The goal here is to be as autonomous as possible with nodes joining and leaving the network as they wish and being self-configuring.

Assuming you could hide an ad-hoc network...What would you do if you self-dispatched in a disaster (bad idea...ICS100) to another city with a Broadband-Hamnet/HSMM-MESH network that you had to find and manually configure?  Would not you want something more automatic that is plug and play and spend less time in configuring something that otherwise works?

The firmware does use OLSR and inside the firmware there is also script that will transmit the hostname of the node to remain Part 97 FCC Compliant.  So, hopefully you setup your node hostname with your callsign or else you are not Part 97 Compliant.

The FCC mandated callsign ID occurs with OLSR node name advertisements, not with ad-hoc beacon packets.

"Hiding" the SSID will absolutely break the ad-hoc network, which has an SSID of HSMM-MESH. These beacons advertise to other nearby nodes, and are part of how the thing works, including self-healing and mobile nodes joining new neighbors.

Hiding SSIDs is a bad idea anyway. It doesn't actually secure anything, and clients that connect to (and store for later) a hidden network will frequently send a beacon request. Is KD0NRC-HOME there? Is KD0NRC-OFFICE there? etc. This opens up the possibility for automated evil twin attacks using what's known as KARMA. Read up on Jasager and how it works. The stuff is evil. I gave a pretty interesting presentation to a security conference a few years ago, wherein I roped in dozens of unwitting network devices and captured many session cookies for websites, all because these people had one or more "hidden" SSIDs saved.

Finally: Addresses aren't handed out via DHCP. Address negotiation, routing information and all of that is handled by OLSR. Your average joe, or even your fairly-savvy, internet-addicted freak next door probably won't figure out how to route to other nodes by setting their card to ad-hoc mode on SSID HSMM-MESH. Even if they use a sniffer and find the addresses, it'll be tedious. The best way for someone to access HSMM unauthorized would require them to install and configure OLSR on a linux laptop.

Although HSMM basically relies on security through obscurity, the barrier to entry is reasonably high. I'll be frank with you: if someone is that knowledgable, hiding the SSID isn't going to do you a darn bit of good anyway. They'll see 802.11 and be able to get the SSID from the ethernet frames with any sniffer and a decent monitor-mode WiFi card.

I can not say what kind of manual configuration is needed in that case, but the primary goal of HSMM-MESH unlike a herd of other projects is to create a plug-and-play solution to lower the entry level of computer knowledge required, so that more hams would be able to join the mesh.In that case extra configuration vs extra protection is definitely to be solved in favor of an easier solution.

Also is showing the amateur face on commercial devices really such a bad idea? I have seen a lot of people willing to impose technical protection against non-ham use, but look at the older tech - there is nothing to stop a non-licensed person from buying a VHF radio and start using your repeater. Nor buying an HF radio and start transmitting all over the world. There are legal ways to stop them, but not technical. And if the person needs this kind of communication so badly he might as well turn into a new ham, that's simple. Same here. If the person is not only tech savvy, but also a little bit smart, he will first google the name and come to this website. And no matter how you protect, he will flash his router and be a part of the mesh.

The only thing that is really so different between now and then is the Internet access through the mesh. But this is a grey area anyway, and a wise ham would not open the whole Internet to the mesh, but rather allow access to specific services like DX cluster, maybe QRZ.com, etc. Don't forget that any banners you carry is "radiocommunications in support of business activities", and if you give access to a news website, this is "commercially recorded material", so be wise. And if a script-kiddie is still interested in your network after all these limitations, you are probably looking at a future ham.

FWIW, if it means anything... even if it were possible to disable the SSID broadcasts on the mesh (and keep the mesh working), each node has short script that runs every 5-minutes that transmits a UDP broadcast with the node's hostname on port 4919.  See /usr/local/bin/fccid which is run by cron.