[aprssig] Universal APRS messaging

Gregory A. Carter gcarter at openaprs.net
Thu Oct 23 18:57:17 EDT 2008

I still maintain that it would be wise to create an OpenID style system.  Of
course it would take quite a while before the various pieces of software
eventually got up to date to use the new auth system for APRS-IS (and some
software may never), however the longer the implementation is delayed, the
longer it will take to implement (how's that for a brain teaser).

It's easy to fire off emails to the list and complain about how APRS-IS's
hash algorithm is weak or how this web service or that web service is
secure/insecure but it is all counterproductive without action.  As I've
stated several times, I'm willing to open up our verification system for use
with an OpenID project, but I won't bother if no one is willing to use it.
It wouldn't be too difficult to create some sort of user replication system
for redundancy and allow all of the APRS-IS servers the ability to verify
incoming connection auth pairs.

Claiming that anyone can use RF and spoof a message is a poor excuse to not
be diligent about securing APRS-IS from abuse.  Head-in-the-sand approaches
always backfire in the end, the Internet is full of bored teenagers and
deranged adults just waiting to annoy someone.



On Thu, Oct 23, 2008 at 2:52 PM, Tyler Allison <tyler at allisonhouse.com> wrote:

> >> There should be a secure way of checking who places the message and the
> >>  content of the message...
> >
> > It is not possible without a complete revamping of the APRS Internet
> > System. This would be the best possible outcome. It would be difficult
> > and painful, like the APRS QSY was, but the end result would also be as
> > worthwhile.
> Not just the APRS-IS. All of APRS. APRS was never designed to authenticate
> the owner.  You can secure the APRS-IS all you want and I can still send a
> "nasty" APRS message to somebody in NZ using my APRS enabled radio using
> someone else's callsign, unless you stop traffic in the RF to internet
> direction..which effectively breaks the value of the APRS-IS.
> >> As an Igate sysop if the Universal APRS messaging gets out of control
> >> and is abused then the easiest  way would be to exclude messaging from
> >> the Igate  every Igate Sysop is in control of his / her own station.
> >
> > Absolutely, that is where the responsibility rightfully, and (at least in
> > the US) legally belongs. I turned off the internet to RF direction of my
> > IGate on the day many years ago when the APRS Internet System became
> > insecure. The thing I fear I have still not adequately conveyed is there
> > is NO new insecurity in the APRS IS. From the day aprsd published the
> > source code to do APRS IS validation, ANYONE could send ANYTHING on the
> > APRS IS completely without detection or traceability.
> Let's be pure in our argument please. There never was real security in the
> authentication system with or without the publishing of the aprsd source
> code.  It would take a reasonably smart developer about an hour to reverse
> the algorithm used for 'authentication' by doing simple crypto analysis.
> If you want an actual time, I'll ask one of the guys at my work to do it
> blind and I'll time him. I got beer money he can do it under an hour.
> I'm not trying to throw stones or claim this was some huge oversight. It
> is what it is. The choice before us is a matter of "reasonable" security. I
> personally think even _after_ the publication of the algorithm it is still
> "reasonable" security.  It is sufficiently difficult to stop the average
> man on the street. The point is...you will _NEVER_ make APRS, or a future
> derivative, secure enough to claim with impunity you know who originated
> the session. Propose an idea you think can do it and I'll poke holes in
> it all day long. Stop trying to make it perfect and find a "reasonable"
> solution.
> -Tyler