[aprssig] Universal APRS messaging

Steve Dimse steve at dimse.com
Sun Oct 19 18:41:20 EDT 2008

The problem is that OpenAPRS's license verification system does not  
even provide protection under the US's Part 97 rules for message  
forwarding systems, many other countries have more restrictive rules.

97.219 states

"Except as noted in paragraph (d) of this section, for stations  
participating in a message forwarding system, the control operators of  
forwarding stations that retransmit inadvertently communications that  
violate the rules in this Part are not accountable for the violative  
communications. They are, however, responsible for discontinuing such  
communications once they become aware of their presence.

(d) For stations participating in a message forwarding system, the  
control operator of the first forwarding station must:

(1) Authenticate the identity of the station from which it accepts  
communication on behalf of the system; or
(2) Accept accountability for any violation of the rules in this Part  
contained in messages it retransmits to the system."

Note that this specifically details the requirement of the control  
operator of the first forwarding station. (Station is a defined term  
in Part 97, the key point being an "apparatus necessary for carrying  
on radiocommunications"). This is the IGate operator. Since the  
control operator does not meet the requirements of 97.219d(1),  
97.219d(2) applies. The IGate control operator is responsible for the  
content of the transmission.

The fault is not with OpenAPRS, their system is as good as one can  
expect from a verification system. The problem is what follows. Like  
everyone else, OpenAPRS sends their messages to the APRS IS, and the  
APRS IS has no security. It has not for many a year. Messages are  
marked as validated and unvalidated, and that is still used by IGate  
programs to decide whether to IGate, but that validation is easily  

For those without gray hair matching my own, let me give the history.  
When I first created the internet to RF capability, I added a  
deliberately weak verification scheme to try to meet the requirements  
for Part 97. Users were verified through the registration of software  
clients. The problems began with the introduction of aprsd, an IGate  
and hub released as open source. The verification algorithm was  
released as a library at first to protect the algorithm, and before  
any aprsd hub could join the network they had to apply and be tested  
by me for security. The network grew exponentially causing this to be  
an untenable task, made worse when the author of aprsd decided that to  
meet the requirements of the GPL he had to release the source code for  
the validation algorithm.

At that point I decided the integrity of the APRS IS could no long be  
assured, and I also released the validation code publicly, on the sig  
and elsewhere. It can still be found via google, I'm not providing a  
link so as to not make the problem worse. It is also in xastir and  
aprsd source code downloadable from hundreds of sites. The net result  
of all this is that there is no security on the APRS IS, and every  
IGate operator is basically on their own. My hope was that the  
publicity would lead people to create a secure second generation APRS  
IS system, but that hasn't happened. Now, my fear is that an increased  
opening to other messaging forms will cause the FCC or another  
country's equivalent organization to crack down on the IGate operators.

Say I register through OpenAPRS, and then send a message that violates  
Part 97, perhaps profanity or business use, I am legally responsible  
for violating the rules only if the FCC could prove I actually sent  
the message. The APRS IS does not have logs that can show which IP  
address initiated which message. There are literally hundreds of hams  
that have the ability to make it appear that I sent sent a profane  
message. I can make it appear any of you did the same in about 20  
seconds (OK, maybe 2 minutes because I would have to look up the  
message format, I always forget the number of spaces before the  
colon!). Scared yet?

OpenAPRS and the APRS IS hub operators are certainly not responsible  
for violating the rules, there is no FCC accountability for the  
internet side of the system. Even if there was, they all operated in  
good faith. Only the IGate operators which transmitted the message can  
be proven responsible. Given that the APRS IS has been insecure for  
the better part of a decade, I doubt the FCC would accept a claim the  
APRS IS validation is the way they verified the identity of a ham. If  
the FCC decides to chase down a violation, the only place blame could  
be placed is the IGate operator.

I have had the capability to send a message entered on a web form to  
the APRS IS almost as long as findU has existed. It was trivial to  
write. I know people would have loved it. I have not released it out  
of concern for the IGate operators around the world. I'm concerned now  
that people do the easy part without addressing the real problem,  
security. I hope that the new web developers will share that concern  
for the system as whole, and carefully consider the ramification of  
what they release.

Way back when the APRS IS was "secure" and I was actively managing it,  
my biggest concern was that Joe Ham would let his wife use his copy of  
WinAPRS on his computer to send a message to him via RF. I had an  
automated tool looking at messages to and from the same call. Most  
were test messages, but there were a couple dozen times I caught  
people obviously using the system in an illegal fashion. Always a  
simple message stopped it when people realized how easily they were  
caught. Add integration with SMS and web messaging, and this could  
become a problem again.

If you really want to make bidirectional RF <-> Internet messaging  
work, the answer has to be better security. Business as usual is  
dangerous to the IGate operators.

Or, just stick your head in the sand, and hope nothing bad happens!

Steve K4HG

On Oct 19, 2008, at 4:31 PM, Gregory A. Carter wrote:

> I've got an iPhone app in beta stages that I have every reason to  
> believe will be accept by Apples Store (it has several other non-ham  
> features) that will have full APRS messaging support through  
> OpenAPRS's DCC interface.  It will also enable iPhones to be tracked  
> using their GPS through the internet network to OpenAPRS's servers  
> and out to APRS-IS.  Both systems follow OpenAPRS's  license  
> verification system.
> I've also been trying to actively search for Blackberry developers  
> to do the same for those.
> I expect to release the softwsre sometime in late November, I have  
> to finish messing with Kalman filters on the GPS side before it goes  
> out.  Also have a little debugging to do.
> Greg
> NV6G
> OpenAPRS.Net
> On Sun, Oct 19, 2008 at 10:11 AM, Robert Bruninga  
> <bruninga at usna.edu> wrote:
> We have a golden opportunity for new programmers in APRS...
> Since 9-11 and the Katrina situation, a primary motivation for
> APRS has been to make sure that Amateur Radio operators can
> always find each other, in place, time, and frequency and
> establish communications.  This must be a fundamental and
> universal mission of APRS.
> Now that we are making progress on the frequency aspect with the
> many initiatives of the www.aprs.org/localinfo.html project, and
> the www.aprs.org/aprstt.html project bringing in all radios, now
> it is time to move on to the final stage which is making sure
> that we can communicate callsign-to-callsign using any and ALL
> devices and mechanisms.
> This means, palm devices, PC,s, notebooks, Iphones, everything.
> I admit that I have not kept up with the many initiatives by
> many individuals in APRS to try to use these other devices for
> sending and receiving APRS messages, but now I would like to
> collect a directory of such applications and put the links on
> the www.aprs.org web page.  These do not need to be full-up APRS
> applications, but they should have a minimum APRS messaging
> capability.
> Help me build this list:
> PC's, Macs - Run numerous native APRS client applications
> APRS>Email - WU2Z engine handles all APRS to EMAIL
> Email>APRS - This nut has not been fully cracked
> WinLINK    - Handles bidirectional email
> PalmPilot - Pocket APRS (no longer supported?)
> OLPC      - APRS-xo by Jack Zielke
> Wince's   - APRSce...
> Iphone    -
> IM        -
> TextMsging-
> Etc...    -
> The goal is to be able to send and receive (small) amateur radio
> APRS text messages aywhere in the world by callsign alone.
> This is a big project, because it will be hard to provide the
> security concenrs we all share over th epotential for abuse...
> But we do need to be working on it!
> My motivation comes from the simple fact that as ham radio
> operators, we must be able to establishe communications using
> whatever tools we have available, and cell phones and text
> messaging are everywhere.
> My motivation comes from my weekend trip to Monterrey Mexico
> where I gave an APRS presentation to their IEEE attended by
> about 100 students from many technical universities.  They all
> had cellphones and wanted to know why APRS could not be used to
> communicate with them?
> Duh... Good question.  We need more people in ham radio working
> on these projects...
> Thanks
> Bob, Wb4APR
> _______________________________________________
> aprssig mailing list
> aprssig at lists.tapr.org
> https://lists.tapr.org/cgi-bin/mailman/listinfo/aprssig
> _______________________________________________
> aprssig mailing list
> aprssig at lists.tapr.org
> https://lists.tapr.org/cgi-bin/mailman/listinfo/aprssig

More information about the aprssig mailing list