Re: NDAA passed: Internet and Online Streaming Services Emergency Alert Study

[George Herbert <george.herbert () gmail com>]

I've already had to spike one widely announced WAN UDP protocol that
someone had proposed without thinking through security and DDOS features.
Please don't let's try that trick again.

We have perfectly good approaches that don't involve insecure
untraceable transport layers.  This isn't 1985.  TCP and something SSL
encrypted - HTTPS comes to mind, even if it gets its own port (11911 is
available...).


-george

On Sat, Jan 2, 2021 at 10:02 PM Mark Foster <blakjak () blakjak net> wrote:

> On 3/01/2021 2:41 am, Masataka Ohta wrote:
> > Sean Donelan wrote:
> >
> > > the Commission shall complete an
> > > inquiry to examine the feasibility of updating the Emergency
> > > Alert System to enable or improve alerts to consumers provided
> > > through the internet, including through streaming services.
> >
> > It is trivially easy to have a dedicated UDP port to receive
> > broadcast packets for such purposes, as "through streaming
> > services" is not the requirement.
>
> but "including" is...
>
> And I don't see that opening up a UDP port on every end-user device to
> receive some sort of broadcast (unicast?) is going to be great security.
> Someone will find away to exploit it.
>
>
> > As streaming services are often offered from distant places
> > including foreign locations, generations of emergency alert
> > packets *MUST* be responsibility of *LOCAL* ISPs.
> >
> > A problem is that home routers may filter the broadcast
> > packets from ISPs, but the routers may be upgraded or
> > some device to snoop the alert packets may be placed between
> > ISPs and the routers.
> I think you're overthinking this.
>
> In my mind it's simple.  The streaming companies need to have a channel
> within their streaming system to get a message to a 'currently active
> customer' (emergency popup notification that appears when their app is
> open or their website is active with an authenticated user).  The
> streaming company will also know the location of their customer (billing
> information) so will know what geographic locations are relevant to that
> customer.
>
> Local Authorities can feed emergency broadcast information to the
> streaming companies tagged with a geolocation and the streaming company
> will only rebroadcast it to those customers who are interested in that
> geolocation.
>
> Providing for network-layer alerts of this nature is overcomplicated and
> unnecessary - as was pointed out there are existing means to do this
> (cellphone emergency broadcasts, weather radio service, etc) and the
> intent appears to be to simply add another channel for those who might
> not be able to receive the other. Asking the likes of Netflix to be able
> to channel an brief emergency notifcation across a relevantly-located
> customers streaming service doesn't actually seem that complex, and
> because it's all 'in band' it requires no specific intervention from the
> underlying network operator.
>
> Mark.

-- 
-george william herbert
george.herbert () gmail com