[aprssig] APRS-IS Passcode Has Become An Utter and Total Joke....

Andrew Pavlin AndrewEMT at hotmail.com
Fri Mar 28 16:52:41 EDT 2014 

You mean I've been wasting my time validating callsigns before issuing passcodes to users of my software? ;-)

Bear in mind that the open-source Xastir software includes the callpass program as well, so self-service has been out there for years. It's just become ridiculously easy lately. Not sure why all those people thought they should provide that "service".

So what shall we do in the meantime? Migrate to a new authentication scheme in APRS-IS servers and eventually drop support for the old one? That would be rough on all the die-hard UIView users. :-) 

Just FYI, I am currently working on an HMAC scheme for authenticated telecommand over APRS. Maybe something like that would work for APRS-IS.

The key is to make sure the ability to issue authenticated identities doesn't get into the "wrong hands", as always. It would be a bear for the network itself to have to issue ID's, but that may be what we have to go to, since, if anyone can issue authorization, then everyone can.

Andrew Pavlin, KA2DDO
author of YAAC ("Yet Another APRS Client")
http://www.ka2ddo.org/ka2ddo/YAAC.html

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Stephen H. Smith" <wa8lmf2 at aol.com>
Sender: aprssig-bounces at tapr.org
Date: Fri, 28 Mar 2014 16:08:38 
To: TAPR APRS Mailing List<aprssig at tapr.org>
Reply-To: TAPR APRS Mailing List <aprssig at tapr.org>
Subject: [aprssig] APRS-IS Passcode Has Become An Utter and Total Joke....

I was Googling for information on the APRS-IS today, and discovered that there 
are now numerous webpages that have interactive self-serve passcode generators 
for APRS-IS "validated" log-ins on them.   Many will accept absolutely any 
random alphanumeric string such as tactical calls, CB handles, cipher groups or 
anything else.

Here are some of the ones I found:

      <http://callpass.kf5jwc.us/>
      This one DOES verify that the string entered is a real callsign.

      <http://apps.magicbug.co.uk/passcode/index.php/passcode>
      This one will accept anything as input

If you don't want to go online to generate your passcode, this downloadable 
Windows program will do the job locally:

<http://blog.eagleflint.com/software-downloads/aprs-is-passcode-generator/>

K4HG has been warning for ages that the APRS passcode scheme is totally 
non-secure, but it has now reached a new level of uselessness with these 
ready-to-run interactive pages and apps.

I.e. you no longer need to know how to translate the documented algorithm into 
actual program code in some language.


_____________________________________________________


--

Stephen H. Smith    wa8lmf (at) aol.com
Skype:        WA8LMF
EchoLink:  Node #  14400  [Think bottom of the 2-meter band]
Home Page:          http://wa8lmf.net


  Long-Range APRS on 30 Meters HF
     http://wa8lmf.net/aprs/HF_APRS_Notes.htm

High Performance Sound Systems for Soundcard Apps
    http://wa8lmf.net/ham/imic.htm
    http://wa8lmf.net/ham/uca202.htm

"APRS 101"  Explanation of APRS Path Selection & Digipeating
   http://wa8lmf.net/DigiPaths




_______________________________________________
aprssig mailing list
aprssig at tapr.org
http://www.tapr.org/mailman/listinfo/aprssig

More information about the aprssig mailing list