Emergency Alert System Insecure

glebe writes "The U.S. Emergency Alert System used to issue disaster warnings and other alerts over T.V. and radio is vulnerable to spoofing and denial-of-service attacks, SecurityFocus is reporting. Apparently, 'the EAS was built without basic authentication mechanisms, and is activated locally by unencrypted low-speed modem transmissions over public airwaves.' The FCC acknowledged the security issues yesterday in a public notice seeking comment on the future of the system."

In search of the perfect dam

[syrinje]

First of all, a small clarification - I agree that critical, life-saving infrastructure must be secure. That unauthorized access to these systems must be prevented. That public confidence in the sources of information is key to saving lives in the event of a disaster - and hence must be guaranteed to be genuine. A 100% of the time.

That said - don't y'all sprain yer hamstrings to jump up and point fingers at the "government" or twist this into an open-source vs. closed source issue.

Every system is designed in relation to its operating environment. The EBS was originally designed for a far more benign environment than exists today. I bet the primary goal of the designers was to come up with a system that was simple and effective and would work even if large parts of the power grid and the telephone network collapsed. It is inconceivable that they did not ask themselves if they needed bullet-proof authentication mechanisms - it is equally probable that they discarded that requirement as being potentially failure-prone. Given the fairly benign security environment that they designed for, and given the technology available and the overarching goal of simplicity - they cam up with what is really quite functional.

And then the world changed (surprise, surprise). the environment that surrounded the EMS changed, rapidly and unpredictably. Where previously it was safe to assume that natural disasters would bring people in the community together to work in co-operation to face the threat, we now wonder which sleeper cells activate in these situations. The comfortable security blanket of yore that RipVanVinkle aka RVV dozed is suddenly yanked off - exposing us to the elements.

Its like waking up one day in the shadow of a dam and suddenly seeing a thousand leaks in it. The small leaks have always been there - all dams leak and sweat a little. But now we know that there are people out there that seek to widen the cracks and stuff them with C4 and stick some fulminate in them (amazing how much chemistry you can pick up from the newspapers isnt it?). So RVV franctically tries to seal the leaks in the dam. Paranoia? Perhaps.

The real tragedy is that the time that should be spent tending to his crops, playing with his children, making hot, sweaty love to his wife and dreaming big dreams in his afternoon nap is now spent in searching and classifying and closing the leaks in the dam.

Will RipVanVinkle make his dam perfect? Can any dam be made perfectly leak free? Go figure.