[EAS] Fallout Over False Alert Continues

[Mike McCarthy]

Without going into detail of the vulnerabilties and exploitations, I agree
that some measure of validation, including a year stamp in addition to the
Julian day, would be a wise addition to the system. I can't speak to how
that would be implimented and whether the existing pool of hardware
contains the ability to add such validation and year fields. But this
example of systemic exposure to inappropriate incidents is not the least
bit comforting.

Some measure of strict time, such as the field impimented in the Sage
boxes, is but one component to system security. The FCC's notion of no
time/date  validation for an EAN is simply akin to leaving the chicken
coop door open and assuming the fox will not enter. This last incident has
shown the fox will go where ever the fox wants to go and when.

As for the validation...one thought.  Since every box is looking at the
IPAWS servers, authentication codes could be distributed from there.  Yes,
I know that a dedicated hacker could circumvent that layer. But to extend 
securing against future accidents such as this event, a "red envelop" code
downloaded weekly with the RWT along with a year field would go a long
ways towards securing the system against all but the most informed and
diligent hacker or well placed accident source.

MM

On Wed, October 29, 2014 2:44 pm, Rich Parker wrote:
> Well put - the elephant in the room for EAS continues to be issues of
> authentication and non-repudiation - which we had a pretty high level of
> in the days of the 'red envelope' ;) But simply using a 'date stamp' alone
> to verify anything is madness - and clearly there is no 'real' form of
> authentication and non-repudiation - otherwise, the You-Tube 'brapps'
> could not have caused receivers down the line to respond and react.