[aprssig] Universal APRS messaging
Steve Dimse
steve at dimse.com
Wed Oct 22 11:24:29 EDT 2008

On Oct 22, 2008, at 9:44 AM, Robert Bruninga wrote:
> I am excited about all of these methods for sending APRS
> messages, but I think that browser based systems need an
> authentication system. Users should have to set up an
> "account" so that they can establish a PIN number or something
> to authenticate.

An authentication system on findU would be like an expensive new lock
on the front door of a building with no rear wall. You may feel more
secure looking from the front, but it is a false sense of security. It
may even deter a casual thief, but anyone with malice is going to look
around the back. It is also a lot of work to create the authentication
system, and even more to handle all the problems people would have
getting authenticated. If the back end is secure, it would be worth
the effort. With the back wall wide open I'm not going to waste my time.

The code for sendmsg.cgi is all of 51 lines. More than half that is
just standard code to extract the parameters from a cgi request. It is
trivial, anyone could do it in a day, including the time to research
the APRS message format and APRS IS connection protocol. Even if I did
authenticate, it should not make you feel one bit more secure.

I spelled out the ways that an IGate operator could be left holding
the bag for transmissions that violate the rules. Not one single IGate
operator said that they were concerned. Instead, on the sig and
privately I was called paternalistic and protectionist. OK, I can see
that now. I guess the cause is the heat I took when developing the
Internet side of APRS. There were a lot of hams that considered me a
traitor and weren't afraid to tell me (including you Bob, for the
first few days after I released javAPRS, until I convinced you it
would be good for APRS). That made me overly defensive, and I was
holding back things just to avoid hearing from those people again if
something went awry. I see now that I was wrong, and I apologize.
>
>
> Another thing we can do is have any such message generated by a
> non-RF device insert its own identification in the message. My
> thoughts are in the LINE number field. There we can use the
> last two bytes as an identifier, insert {xxxFU for Findu, or
> {xxxFI for Finland or whatever. This is because the radios
> display at least the last two bytes of the line number.

Per the spec, message numbers are used only if an ACK is expected. I
initially had them for no particular reason, but someone said there is
a problem with queries and numbers. I checked the spec and realized
the numbers should not be there for this application anyway, so I
removed them. Note that there is already an indication of internet
origination in every packet, the TCPIP or TCPXX. That is, assuming the
programmers follow the rules. I could just as easily have had the code send
the packet with a q construct indicating origination on RF. Even if
someone decided to filter out everything TCP(IP,XX) they should not
feel one bit more secure. If someone is worried about security, they
either need to build a new, secure APRS IS, or find another ham radio
system to play with!

Bob, come towards the light. You and I were apparently the only ones
left that felt protective about the system, everyone else wanted
convenience. Now I am enjoying my newfound freedom, and you stand
alone.
Steve K4HG
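
Added illustration, not part of the original post and not findU's code: a small Python parser for the fields discussed in this thread (the TCPIP/TCPXX path entry, the q construct, and the optional `{` message number), showing that an origin filter only reads what the packet header claims. The function name, the mapping of q constructs to origins, and the sample lines are assumptions made for this example.

```python
import re

# Assumption: meanings of a few q constructs as commonly documented for APRS-IS.
Q_CLAIMS = {
    "qAC": "internet",   # packet came from a client login
    "qAX": "internet",   # client login, unverified
    "qAR": "rf",         # gated from RF by an IGate
    "qAr": "rf",
}

# APRS message payload: ':' + 9-char addressee + ':' + text + optional '{' number
MSG_RE = re.compile(r"^:(?P<to>.{9}):(?P<text>[^{]*)(?:\{(?P<num>.{1,5}))?$")


def parse_packet(line):
    """Parse one TNC2-format line; return what its header and payload claim."""
    header, sep, payload = line.rstrip("\r\n").partition(":")
    src, gt, rest = header.partition(">")
    if not (sep and gt and src and rest):
        raise ValueError("not a TNC2 packet: %r" % line)
    dest, *path = rest.split(",")
    q = next((p for p in path if p.startswith("qA")), None)
    tcp = any(p.rstrip("*") in ("TCPIP", "TCPXX") for p in path)
    # Every field here is set by whoever injected the packet or by a server
    # trusting its client, so this is a claim, not proof of origin.
    claimed = Q_CLAIMS.get(q) or ("internet" if tcp else "unknown")
    info = {"source": src, "path": path, "q": q, "claimed_origin": claimed,
            "message": None}
    m = MSG_RE.match(payload)
    if m:
        info["message"] = {
            "to": m["to"].rstrip(),
            "text": m["text"],
            "number": m["num"],              # None when no '{' trailer
            "expects_ack": m["num"] is not None,
        }
    return info


# Constructed sample lines (N0CALL is a placeholder callsign).
SAMPLES = [
    "N0CALL>APRS,TCPIP*,qAC,T2TEST::N0CALL-9 :sent from a web form",
    "N0CALL-7>APRS,WIDE2-1,qAR,N0CALL-10::N0CALL-9 :sent from a radio{001FU",
    "N0CALL-1>APRS,WIDE1-1:>status text, not a message",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_packet(s))
```

The `claimed_origin` value is suitable for display or statistics; it is not an authentication result, which is the point made in the post above.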