[aprssig] Universal APRS messaging

Steve Dimse steve at dimse.com
Thu Oct 23 16:43:56 EDT 2008 

On Oct 23, 2008, at 3:17 PM, Phillip wrote:
>
> If you want to be able to do this Universal APRS Web based messaging  
> and you
> put in position the means to do it then you as the site owner could  
> be held
> responsible.

Can you cite a single country's amateur radio rules that would suggest  
this? If you can I'll look at it, otherwise I consider this a  
hypothetical, fictional, and unrealistic scenario.

In the US, providers of Internet Services are specifically immunized  
against the actions of their users that violate terms of service. You  
have to agree that you are a ham using your own callsign to send a  
message through findU, that is more than adequate for this country.

Even if a country could hold someone else responsible, which server  
would you blame? findU? The APRS hubs the message traveled through?  
The ISP that connected the IGate to the internet? All have the same  
"vulnerability", passing messages without authentication of sender.  
How can you prove any server owner was actually involved? ANYONE can  
send ANYTHING on the APRS IS. I can make it seem like YOU sent the  
message. And in fact, if I were trying to do something nefarious, I  
would certainly make sure the evidence pointed somewhere other than  
where I actually did my evil deed.
>
> There should be a secure way of checking who places the message and  
> the
> content of the message...

It is not possible without a complete revamping of the APRS Internet  
System. This would be the best possible outcome. It would be difficult  
and painful, like the APRS QSY was, but the end result would also be  
as worthwhile.
>
> Here in NZ we had the very same question arrive some years back when  
> Packet
> BBS's and  the Internet arrived in force our Regulation Body was  
> asked some
> questions and the out come was that the originator would be  
> responsible ..

That is the law in the US as well, but the law is specifically for the  
originating STATION, and station is specifically defined in the rules  
as the equipment to transmit. The person on the internet is not  
responsible under the communications rules of the US.
>
> I would say that authenticating a message on APRS would fall on the  
> server
> owner who allows these messages to be passed on
> to the APRS community

That is absolutely not the case with US rules, our FCC specifically  
addresses this situation in Part 97. If it is different in your  
country, or any other that you know of, I'd love to see a link to  
those rules! And agin, which server owner?
>
> As an Igate sysop if the Universal APRS messaging gets out of  
> control and is
> abused then the easiest  way would be to exclude
> messaging from the Igate  every Igate Sysop is in control of his /  
> her own
> station.

Absolutely, that is where the responsibility rightfully, and (at least  
in the US) legally belongs. I turned off the internet to RF direction  
of my IGate on the day many years ago when the APRS Internet System  
became insecure. The thing I fear I have still not adequately conveyed  
is there is NO new insecurity in the APRS IS. From the day aprsd  
published the source code to do APRS IS validation, ANYONE could send  
ANYTHING on the APRS IS completely without detection or traceability.

Anyone who thinks there has been any security on the APRS IS for the  
last ~8 years, and that internet messaging makes it worse, either does  
not understand the situation or is burying their head in the sand.
>
> Bob, you want Universal APRS messaging and software writers to produce
> software how about getting on to those that have
> these programs and get them to either update them or release them to  
> others
> that can carry on improving them
> APRS/CE would be a go start ...

That's a whole separate argument, but I firmly believe that everyone  
has the right to do whatever they like with their own intellectual  
property. For example, I can't begin to understand why Roger chose to  
end UI-View when he became terminally ill, instead of handing it off.  
I want what I've created to outlive me, but I absolutely respect his  
right to choose how to handle the situation, and I'll fight viciously  
anyone who claims they have the right to force someone to act against  
their wishes.

Once APRS development was closed. Anyone that was on the sig in early  
1999 will tell you I fought (yes, viciously) to get it opened up to  
all developers. I did that so you could write your own version. If you  
want a CE version, write it!

Steve K4HG

More information about the aprssig mailing list