1 comments

  • mmooss16 hours ago
    > "GSC [the vendor] and the frequency experts consulted shared that the risk of someone's ability to access this communication was very low," Big 12 chief football and competition officer Scott Draper wrote in the memo.

    Unless they use frequency hopping, why would the risk be low?

    Also, what about integrity and availability - couldn't someone else communicate on the frequency with disinformation or a DoS attack?

    And couldn't the attacker be anyone in the stadium, including fans, journalists, etc.?

    > "There's no real advantage," one Big 12 chief of staff argued. "One, you're speaking a different language. Two, if you think you'd be able to enact in real time what they say and try to do it on the field, you're delusional. You're just being your stereotypical paranoid football coach. You can't relay it to the kids fast enough."

    I think telling the defense what the offensive play call is, or vice versa, would be an enormous advantage. And the attackers could learn what the usual plays and calls by attending prior games of their upcoming opponent, which is what Michigan did with their visual sign-stealing.

    Also, I was a little surprised by this part:

    > The Big 12 has instructed its 10 schools playing games this weekend to send their helmet communication devices back to GSC, the provider for all 68 Power 4 teams this year, for a software update that would provide encryption

    Part of me thinks, 'lol, they didn't encrypt their comms', but I wonder: Is there something I don't know? Is encryption somehow unnecessary for security here?

    Part of me thinks: Why not encrypt them? Is it that hard? It seems so commonplace by now.

    And finally: What is GSC thinking?? They got this super-high profile client, and they let this embarassing, newsworthy problem linger for four weeks? And then the client has to send in the equipment for update - your negligence, but the fix is their problem - when the client is at their busiest, when they need the equipment in a few days (which also means compliance will likely be low)?

    If I was GSC, we would be up late with two teams - patch the bug, and figure out deployment. Personal visits to each school are great - it also makes an impression and builds a relationship. For clients you can't get to, overnight them new equipment with the update.

    Finally, no remote update mechanism? In 2024? There's a free WAN that GSC could use, which has endpoints pretty much everywhere in the U.S.