[aprssig] Igateing a Non Amateur

kb2scs at optonline.net kb2scs at optonline.net
Sat Oct 1 20:04:40 EDT 2005


Hi Steve,
Thank you for pointing out a possible crack in my APRS-SCS security code.
I just tried to change the call sign of my registered version of aprs-scs
while aprs-scs was connected to the APRS-IS as a validated user.
I changed KB2SCS to my son's call (not on RF at the time).

And I am very happy to report that aprs-scs will not let you do that.
In other words, on the setup form (the only place you can change the
station call sign), when you click on OK aprs-scs outputs an error
message that states that the registration number does not match the
call sign.

I left the setup form up with my son's call in the station call sign
box and then waited for aprs-scs to transmit. When it did, it
transmitted with the call sign of KB2SCS as it should have.

In other words, Steve, thank you for pointing out a possible problem
with the security code of aprs client programs. When I wrote this
portion of the aprs-scs code I did not think of this possibility but
somehow programmed for it. Or I did program for it but just forgot
that I did. It was a few years ago.

In any case, thanks.

On 1 Oct 2005 at 16:59, Steve Dimse wrote:
Snip
> I just tried in MacAPRS to change my callsign and then connect to
> APRS IS. This results in an unvalidated connection, as it should.
> Perhaps WinAPRS works differently in this regard (I know the
> registration numbers are not interchangeable)... I can see how code
> could be written in such a way that registration was only checked at
> startup (or even just when entering the number), and that a callsign
> change after that point would result in the validation number being
> generated on the new callsign rather than on the registered callsign.
> In this case, WinAPRS becomes exactly as insecure in this regard as
> UI-View. Can anyone prove it by coming online as, say K4HG-14 with
> WinAPRS? This is worst case, one could indeed then use WinAPRS to
> have a validated connection as any callsign... exactly as one has
> been able to do with UI-View since the algorithm became public.
Snip

Let us hope we never witness the "Silence Of The Hams"
73 DE John  KB2SCS
       E-Mail:            kb2scs at arrl.net
       APRS-SCS     http://www.tapr.org/~kb2scs
       Web Page:     http://www.qsl.net/kb2scs
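
The check-at-startup versus check-at-use difference discussed in this message, as an added example that is not part of the original post and is not code from aprs-scs, MacAPRS, WinAPRS or UI-View. The key, the callsigns, the `-1` marker and both number functions are constructed stand-ins, not the real registration or validation algorithms.

```python
import hashlib
import hmac

VENDOR_KEY = b"constructed-demo-key"   # assumption: stand-in for the vendor's secret
UNVALIDATED = "-1"                     # marker this model sends when not validated

def reg_number(call: str) -> str:
    """Hypothetical registration number the vendor issues for one callsign."""
    return hmac.new(VENDOR_KEY, call.upper().encode(), hashlib.sha256).hexdigest()[:8]

def validation_number(call: str) -> str:
    """Stand-in for a publicly computable validation number (not the real algorithm)."""
    return hashlib.sha256(call.upper().encode()).hexdigest()[:5]

def server_accepts(call: str, code: str) -> bool:
    """The server can only check that the code matches the claimed callsign."""
    return hmac.compare_digest(code, validation_number(call))

class StartupOnlyClient:
    """Flawed pattern: registration is verified once, then trusted forever."""
    def __init__(self, call, reg):
        self.call = call
        self.registered = hmac.compare_digest(reg, reg_number(call))

    def set_callsign(self, new_call):
        self.call = new_call                      # no re-check against the registration

    def login(self):
        code = validation_number(self.call) if self.registered else UNVALIDATED
        return self.call, code

class BoundClient:
    """Checks the registration against the callsign on every change and every use."""
    def __init__(self, call, reg):
        self.call, self.reg = call, reg

    def _matches(self, call):
        return hmac.compare_digest(self.reg, reg_number(call))

    def set_callsign(self, new_call):
        if not self._matches(new_call):
            raise ValueError("registration number does not match the call sign")
        self.call = new_call

    def login(self):
        code = validation_number(self.call) if self._matches(self.call) else UNVALIDATED
        return self.call, code
```

Because the server in this model sees only the callsign and the number derived from it, the binding to the registered callsign has to be enforced in the client at the moment the number is generated.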



