[EAS] EAS Zombie Attack
Alex Hartman
goober at goobe.net
Thu Feb 14 00:23:37 CST 2013

Dave is correct on all points. A 100 character password when
remembering if you took your blood pills this morning??? No, simply
won't do. And yes, it'd seem the TV people aren't in this universe if
you believe it's perfectly acceptable practice to never change a
password? It's very standard practice with your email, why is it not
standard practice with equipment? Is it all that hard to take the
p-touch to the front of the spacious box? Unless you have IP cams
aimed at the gear that can be hacked or viewed from the public
internet, I doubt anyone is going to have physical access to it who
doesn't know how to use it. When it changes, change the label.

"Hell0w0r1d" is 97% secure according to most "checkers" on the 'net
oddly enough. If it's good enough for the email system, it's perfectly
acceptable to have it on the appliances around the stations. The
downside of most appliance gear in the broadcast plant is that they
use the standard ports as Dave points out, thus the need for a good
NAT router on multiple subnets because the vendors typically don't
allow you to change the ports used by the equipment *such as the CAP
encoders* who use https (443). Well, what if I have a SharePoint
server running too? That uses 443 as well, or how about the scheduling
web interface for the playback system? Probably using 443 as well. How
do you get 3 devices using the same ports out to the world when they
don't let you change the ports? Well, you have to move them somewhere,
and the router is the best place to do that.

"Security theater" as you call it seems to be the exact problem here.
PSIP encoders, EAS alike, all have to play nice in the IP land. What
if we put a bunch of profanity into the EPG because the guy who
designed the encoder didn't think it was required to change the
default password? Or change programming? Or even move the damn digital
remap....

Broadcasters are not IT people, and IT people are not broadcasters.
It'd seem that even some IT people these companies hire aren't even IT
people. But we all have to get along in this world and the pissing
match really has to stop between vendors of IT products and broadcast
products. Everyone's product is flawed. And honestly, with those
comments, if I was consulting a station looking to purchase a PSIP
encoder, I'd tell them to steer clear, simply because security doesn't
matter to you.

--
Alex Hartman