[EAS] FCC DA 14-1626 and DA 14-1628

[Bill Ruck]

Warning!  Bill is stepping up on his soap box.  Rant follows.

If there ever was an example of "Closing the barn door after the cow 
got out" it would be the recent FCC's actions DA 14-1626 and DA 14-1628.

The whole problem is that the fundamental aspects of EAS really 
hasn't changed since the time we had to turn our carriers off and on 
three times.

The fact that nobody has tried to send a false EAN is pure 
luck.  There never has been any secure method of authentication, 
including the famous Red Envelope.  And the whole EAS system was 
designed from the ground up to run automatically.

If I were Emperor the show that originated the false EAN would be 
fined into bankruptcy and any station that carried it would not be 
admonished in any way.  Likely all the originator will get from the 
FCC is a small fine.  (Aside.  I once had a P D that previously had 
been Howard Stern's producer.  He told me that they had a line in 
their budget for FCC fines.  Howard said something, they got a NAL, 
and they just paid the fine.)

If we are to have any form of warning system it must be #1 _FAST_, #2 
_ACCURATE_, and #3 _SECURE_.  EAS and CAP and IPAWS may qualify as 
"fast" but there are obvious questions about "secure".

As I said last week, "Obscurity is not security".  At many times I've 
been in discussions about this with fellow engineers while consuming 
adult beverages.  We identified problems in the system and 
hypothesized ways to fool the system.  It's amazing how something 
makes perfect sense while your feet are on the bar rail but the next 
morning are forgotten.

The problem with EAS and especially EAN is that it is an unfunded 
mandate.  Further, the "voluntary" demand of EAN is supported only by 
a Presidential Finding which, according to a good friend that has 
both PE and Esq after his name, could be challenged as violating the 
Communications Act of 1934.

So the FCC has to tap dance through the mine field of making the 
system work reliably and safely while being cautious about 
over-reaching their authority.

I really like Mike McCarthy's suggestion of a secure authentication 
code.  I'm repeating it here because it makes perfect sense to 
me.  (And, being Sunday morning, my feet are not on a bar 
rail.  Yet.)  I recommend that we explore this further.

Since it was my idea, let me elaborate. The authentication code would be
made available and circulated either as the RWT or a referenced attached
file to the RWT retrieved by the EAS box each week. The code would then
be stored in the local unit until updated the following week. Thus when
there is such an alert, the box need not reach back to the mother ship
and probably through a very congested internet and server.

A safety would be either a two week overlap where either of two codes
would work and/or the box "phone home" if it should receive a request it
doesn't recognize or can confirm.

The key here is to 1) Make the authentication process lightning fast so
the relaying box can react accordingly. The process could be similar to
Kerbos to insure the code remains uncompromised. And 2) create something
in the message header compels the ENDEC to refer to that authentication
code and cross check to the companion code in the header.

Bottom line is that we need to formulate a response to the FCC's DA 
14-1626 and 14-2628.  It should make sense to those of us in the 
trenches and the reality of today's mostly unattended station operation.

Rant mode off.

Bill Ruck
San Francisco

P.S.  One of the lessons I learned in the U S Navy was "Never 
volunteer for nothing."  But I'll be happy to help.