[aprssig] Universal APRS messaging
Steve Dimse
steve at dimse.com
Sun Oct 19 18:41:20 EDT 2008
The problem is that OpenAPRS's license verification system does not
even provide protection under the US's Part 97 rules for message
forwarding systems; many other countries have more restrictive rules.
97.219 states
"Except as noted in paragraph (d) of this section, for stations
participating in a message forwarding system, the control operators of
forwarding stations that retransmit inadvertently communications that
violate the rules in this Part are not accountable for the violative
communications. They are, however, responsible for discontinuing such
communications once they become aware of their presence.
(d) For stations participating in a message forwarding system, the
control operator of the first forwarding station must:
(1) Authenticate the identity of the station from which it accepts
communication on behalf of the system; or
(2) Accept accountability for any violation of the rules in this Part
contained in messages it retransmits to the system."
Note that this specifically details the requirement of the control
operator of the first forwarding station. (Station is a defined term
in Part 97, the key point being an "apparatus necessary for carrying
on radiocommunications"). This is the IGate operator. Since the
control operator does not meet the requirements of 97.219d(1),
97.219d(2) applies. The IGate control operator is responsible for the
content of the transmission.
The fault is not with OpenAPRS, their system is as good as one can
expect from a verification system. The problem is what follows. Like
everyone else, OpenAPRS sends their messages to the APRS IS, and the
APRS IS has no security. It has not for many a year. Messages are
marked as validated and unvalidated, and that is still used by IGate
programs to decide whether to IGate, but that validation is easily
spoofed.
For those without gray hair matching my own, let me give the history.
When I first created the internet to RF capability, I added a
deliberately weak verification scheme to try to meet the requirements
for Part 97. Users were verified through the registration of software
clients. The problems began with the introduction of aprsd, an IGate
and hub released as open source. The verification algorithm was
released as a library at first to protect the algorithm, and before
any aprsd hub could join the network they had to apply and be tested
by me for security. The network grew exponentially causing this to be
an untenable task, made worse when the author of aprsd decided that to
meet the requirements of the GPL he had to release the source code for
the validation algorithm.
At that point I decided the integrity of the APRS IS could no longer be
assured, and I also released the validation code publicly, on the sig
and elsewhere. It can still be found via google, I'm not providing a
link so as to not make the problem worse. It is also in xastir and
aprsd source code downloadable from hundreds of sites. The net result
of all this is that there is no security on the APRS IS, and every
IGate operator is basically on their own. My hope was that the
publicity would lead people to create a secure second generation APRS
IS system, but that hasn't happened. Now, my fear is that an increased
opening to other messaging forms will cause the FCC or another
country's equivalent organization to crack down on the IGate operators.
Say I register through OpenAPRS, and then send a message that violates
Part 97, perhaps profanity or business use, I am legally responsible
for violating the rules only if the FCC could prove I actually sent
the message. The APRS IS does not have logs that can show which IP
address initiated which message. There are literally hundreds of hams
that have the ability to make it appear that I sent a profane
message. I can make it appear any of you did the same in about 20
seconds (OK, maybe 2 minutes because I would have to look up the
message format, I always forget the number of spaces before the
colon!). Scared yet?
OpenAPRS and the APRS IS hub operators are certainly not responsible
for violating the rules, there is no FCC accountability for the
internet side of the system. Even if there was, they all operated in
good faith. Only the IGate operators which transmitted the message can
be proven responsible. Given that the APRS IS has been insecure for
the better part of a decade, I doubt the FCC would accept a claim the
APRS IS validation is the way they verified the identity of a ham. If
the FCC decides to chase down a violation, the only place blame could
be placed is the IGate operator.
I have had the capability to send a message entered on a web form to
the APRS IS almost as long as findU has existed. It was trivial to
write. I know people would have loved it. I have not released it out
of concern for the IGate operators around the world. I'm concerned now
that people do the easy part without addressing the real problem,
security. I hope that the new web developers will share that concern
for the system as a whole, and carefully consider the ramification of
what they release.
Way back when the APRS IS was "secure" and I was actively managing it,
my biggest concern was that Joe Ham would let his wife use his copy of
WinAPRS on his computer to send a message to him via RF. I had an
automated tool looking at messages to and from the same call. Most
were test messages, but there were a couple dozen times I caught
people obviously using the system in an illegal fashion. Always a
simple message stopped it when people realized how easily they were
caught. Add integration with SMS and web messaging, and this could
become a problem again.
If you really want to make bidirectional RF <-> Internet messaging
work, the answer has to be better security. Business as usual is
dangerous to the IGate operators.
Or, just stick your head in the sand, and hope nothing bad happens!
Steve K4HG
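
The same-callsign check described in the post, as an added example that is not part of the original message and not the author's tool. It assumes TNC2-style APRS-IS lines (`SRC>DEST,PATH:INFO`) and the APRS message layout with a 9-character space-padded addressee; the function names and the sample traffic are constructed for illustration.

```python
import re

# INFO field of an APRS message: ':' + 9-char space-padded addressee + ':' + text
MESSAGE_INFO = re.compile(r"^:([A-Za-z0-9\- ]{9}):(.*)$")
ACK_OR_REJ = re.compile(r"^(ack|rej)[A-Za-z0-9]{1,5}$")

def base_call(callsign):
    """Drop padding and SSID so N0CALL-9 and N0CALL compare equal."""
    return callsign.strip().upper().split("-", 1)[0]

def parse_message(line):
    """Return (source, addressee, text) for a message packet, else None."""
    header, sep, info = line.rstrip("\r\n").partition(":")
    if not sep or ">" not in header:
        return None
    match = MESSAGE_INFO.match(info)
    if match is None:
        return None                      # position, status, telemetry, ...
    addressee, text = match.groups()
    if ACK_OR_REJ.match(text):
        return None                      # delivery receipts carry no content
    text = text.split("{", 1)[0]         # strip the trailing message number
    source = header.split(">", 1)[0]
    return source.strip().upper(), addressee.strip().upper(), text

def flag_same_call(lines):
    """Messages whose sender and addressee share a base callsign.

    A hit is only a lead for a human to read: per the post, most are tests,
    and the source callsign on APRS-IS is not authenticated.
    """
    hits = []
    for line in lines:
        parsed = parse_message(line)
        if parsed and base_call(parsed[0]) == base_call(parsed[1]):
            hits.append(parsed)
    return hits

# Constructed sample traffic (N0CALL, AA0AAA, BB0BBB are placeholders).
SAMPLE = [
    "N0CALL-9>APRS,TCPIP*,qAC,T2TEST::N0CALL   :pick up milk on the way home{01",
    "N0CALL>APRS,TCPIP*,qAC,T2TEST::N0CALL-7 :test{02",
    "N0CALL-7>APRS,TCPIP*,qAC,T2TEST::N0CALL   :ack02",
    "AA0AAA>APRS,TCPIP*,qAC,T2TEST::BB0BBB   :see you on 146.52{7",
    "N0CALL>APRS,TCPIP*,qAC,T2TEST:!4903.50N/07201.75W-home station",
]

if __name__ == "__main__":
    for source, addressee, text in flag_same_call(SAMPLE):
        print(f"review: {source} -> {addressee}: {text}")
```
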
On Oct 19, 2008, at 4:31 PM, Gregory A. Carter wrote:
> I've got an iPhone app in beta stages that I have every reason to
> believe will be accepted by Apple's Store (it has several other non-ham
> features) that will have full APRS messaging support through
> OpenAPRS's DCC interface. It will also enable iPhones to be tracked
> using their GPS through the internet network to OpenAPRS's servers
> and out to APRS-IS. Both systems follow OpenAPRS's license
> verification system.
>
> I've also been trying to actively search for Blackberry developers
> to do the same for those.
>
> I expect to release the software sometime in late November, I have
> to finish messing with Kalman filters on the GPS side before it goes
> out. Also have a little debugging to do.
>
> Greg
>
> NV6G
> OpenAPRS.Net
>
>
> On Sun, Oct 19, 2008 at 10:11 AM, Robert Bruninga
> <bruninga at usna.edu> wrote:
> We have a golden opportunity for new programmers in APRS...
>
> Since 9-11 and the Katrina situation, a primary motivation for
> APRS has been to make sure that Amateur Radio operators can
> always find each other, in place, time, and frequency and
> establish communications. This must be a fundamental and
> universal mission of APRS.
>
> Now that we are making progress on the frequency aspect with the
> many initiatives of the www.aprs.org/localinfo.html project, and
> the www.aprs.org/aprstt.html project bringing in all radios, now
> it is time to move on to the final stage which is making sure
> that we can communicate callsign-to-callsign using any and ALL
> devices and mechanisms.
>
> This means, palm devices, PCs, notebooks, iPhones, everything.
>
> I admit that I have not kept up with the many initiatives by
> many individuals in APRS to try to use these other devices for
> sending and receiving APRS messages, but now I would like to
> collect a directory of such applications and put the links on
> the www.aprs.org web page. These do not need to be full-up APRS
> applications, but they should have a minimum APRS messaging
> capability.
>
> Help me build this list:
>
> LIST OF APRS APPLICATIONS FOR UNIVERSAL APRS MESSAGING:
>
> PC's, Macs - Run numerous native APRS client applications
> APRS>Email - WU2Z engine handles all APRS to EMAIL
> Email>APRS - This nut has not been fully cracked
> WinLINK - Handles bidirectional email
> PalmPilot - Pocket APRS (no longer supported?)
> OLPC - APRS-xo by Jack Zielke
> Wince's - APRSce...
> Iphone -
> IM -
> TextMsging-
> Etc... -
>
> The goal is to be able to send and receive (small) amateur radio
> APRS text messages anywhere in the world by callsign alone.
> This is a big project, because it will be hard to provide the
> security concerns we all share over the potential for abuse...
> But we do need to be working on it!
>
> My motivation comes from the simple fact that as ham radio
> operators, we must be able to establish communications using
> whatever tools we have available, and cell phones and text
> messaging are everywhere.
>
> My motivation comes from my weekend trip to Monterrey Mexico
> where I gave an APRS presentation to their IEEE attended by
> about 100 students from many technical universities. They all
> had cellphones and wanted to know why APRS could not be used to
> communicate with them?
>
> Duh... Good question. We need more people in ham radio working
> on these projects...
>
> Thanks
> Bob, WB4APR
>
>
> _______________________________________________
> aprssig mailing list
> aprssig at lists.tapr.org
> https://lists.tapr.org/cgi-bin/mailman/listinfo/aprssig
>