[EAS] Password cracking basics

David Turnmire eassbelist at cableone.net
Fri Feb 15 10:06:37 CST 2013


On 2/15/2013 4:49 AM, Tom Taggart wrote:
> "If all network access EXCEPT the web interface is disabled,
> then you have restricted the hacker to guessing the password
> (fixed by decent passwords... at least if they aren't shared
> with your office computer!), and the vulnerability of the
> web software and perhaps some one or two other software
> packages on the box."
>
> All very well, but totally unrealistic.  If the FCC walks in
> and wants your operator to send an RWT--how do they do it?
> Go walking back to the rack room? (no-one is going to buy
> six of these things just to have one for each station in a
> cluster).  For that matter, how do you retrieve the log from
> the Endec?
Not sure I understand how you got from my statement to yours.  On the 
boxes I'm familiar with the web interface (and in some cases the front 
panel) IS the way you send the RWT... and check the logs.  In the latter 
case it may also involve the email protocol (SMTP).  In any case, my 
argument was for shutting down the protocols that you didn't NEED.  And 
it is hardly "my" argument... the IT industry has been saying that for 
many years.  At the heart of things, I'm just asking the broadcast 
equipment vendors to adopt widely held notions of "good engineering 
practice" the IT industry has held for many years.
> The problem is not the box.  The problem is using the
> internet to communicate with the box.
>
On that point, let me quote someone you know... "All very well, but 
totally unrealistic."   :)

Contrary to popular opinion, the government doesn't have unlimited 
funds.  And we as broadcasters certainly don't.  The public internet 
allowed for a fairly economical means to distribute CAP messages. Sure 
there are alternatives, but they cost more.  Likewise, there are 
alternatives to broadcast engineers doing remote access via the 
internet, but engineers do what they can afford (and understand). And it 
isn't like the alternatives don't have their own issues.

The upside of CAP is many of us are already getting better quality audio 
on our air space.  Already broadcasters are getting alerts they would 
have missed before due to problems at their LPs.  More benefits to 
follow as everyone gets the kinks out.  I've been around long enough to 
remember Windows 2!  Whatever one's complaints about today's computers 
and operating systems... the intervening years have worked out a LOT of 
kinks and made that a device used by countless "non-geeks".  Likewise 
the broadcast industry will figure out how to maximize the benefits of 
the public internet and reduce exposure to its dark side.  And the 
broadcast "hardware" vendors that now find themselves in the "IT world" 
will gradually adopt the best security practices of that world.

This "Zombie" attack and all the discussion it has prompted has made 
people more aware of some of the risks of the internet.  Some engineers 
and their management will re-evaluate their funding (and time) 
priorities in light of that and make changes to lessen those risks.  
Which is a good thing and makes this discussion forum worth subscribing to.

Dave


