[aprssig] APRS-IS authentication (Was: APRS-IS Passcode Generator On-Line)

Georg Lukas DO1GL georg at op-co.de
Thu Aug 19 11:42:21 EDT 2010


Hello Stephen, hi all!

* Stephen H. Smith <wa8lmf2 at aol.com> [2010-08-08 06:04]:
>   While studying stats for my website last night, I discovered that this 
> address was producing referrals to my site:
> 
> <http://wiki.github.com/ge0rg/aprsdroid/>

[..]

I am really sorry for the confusion I caused to you, and I would have
been really glad to hear from you directly. I can remove the links to
your site if you wish so (or mirror the data on my own if you are
concerned about the traffic). However, as you pointed out, the
information is freely available to anyone capable of using google ;-)

My primary concern with this reply however is the access barrier to
APRS-IS. Once released to Android Market, APRSdroid will be available to
a huge audience, consisting mainly of non-hams. Right now, the access
barrier consists of a warning dialog at the first program start, stating
that it is probably illegal to use without a license, and the
requirement to figure out the APRS-IS passcode.

So far, some people asked me via e-mail, some others found the aprspass
tool from aprsd, but most users used your online passcode generator.

Of course, this method can be easily circumvented with bad intent.

On the other hand, requiring an authentication mechanism comparable to
the one on EchoLink just to access a 16-bit hash number is neither
efficient nor adequate. After all, other applications are just taking
the callsign and silently calculating the passcode.

What would be the adequate level of checking for this (or any other)
APRS-IS application?

The options I see so far are:

 * No checking, automatic passcode calculation (too easy for accidental
        abuse by non-hams?)

 * Match the callsign against a regular expression

 * Require entry of the passcode, providing an online form for passcode
       generation

 * Provide an online form requiring name, callsign and email address and
       logging the data for abuse management

 * Require passcodes to be requested by e-mail (adds much work but does
       not really prevent callsign stealing)

 * Perform an EchoLink-like authentication check

I'd be glad to hear opinions and suggestions from this community!

73 de DO1GL, Georg Lukas
-- 
|| http://op-co.de ++  GCS/CM d-- s: a- C+++ UL+++ !P L+++ E--- W++  ++
|| gpg: 0x962FD2DE ||  N++ o? K- w---() O M V? PS+ PE-- Y+ PGP++ t+  ||
|| Ge0rG: euIRCnet ||  5 X R(+) tv b+(++) DI+++ D+ G e+++ h- r++ y?  ||
++ IRCnet OFTC OPN ||________________________________________________||