[aprssig] Igateing a Non Amateur
Steve Dimse steve at dimse.com
Sat Oct 1 20:59:02 UTC 2005
On Oct 1, 2005, at 4:00 PM, James wrote:

> Unfortunately Steve this is one of the flaws in WinAPRS, unlike
> UI-View there is NO validation code needed to send to a server to be
> gated to RF.

You have this backward. The programmer's registration is more easily concealed, being in the possession of only one person, than the validation algorithm which is public knowledge. WinAPRS unfortunately has suffered from a crack having been performed that has resulted in a single validated registration becoming public knowledge. Crack sites have thousands of passwords for different versions of different programs, this is hardly a unique situation. However, anyone can install UI-View, use any of the many available APRS IS validation generating programs or web sites, and come online with any callsign. On the other hand, to masquerade as a different call with WinAPRS, a crack needed to be performed on the user password.

>
> The registration is all you need, the generator creates the code
> and the default name is NITRUS, once you run the program then you
> can change the name to your call and it will stay. In fact there are
> a few crackz websites that list a code with the NITRUS for the
> default name.

The registration number is keyed to the callsign. You must enter both and they must match. Your registration number is different than mine. If I stole your WinAPRS reg number, I could go online as you. I could not use your number to make the program act validated under my call, unless...

I just tried in MacAPRS to change my callsign and then connect to APRS IS. This results in an unvalidated connection, as it should. Perhaps WinAPRS works differently in this regard (I know the registration numbers are not interchangeable)...

I can see how code could be written in such a way that registration was only checked at startup (or even just when entering the number), and that a callsign change after that point would result in the validation number being generated on the new callsign rather than on the registered callsign. In this case, WinAPRS becomes exactly as insecure in this regard as UI-View. Can anyone prove it by coming online as, say K4HG-14 with WinAPRS? This is worst case, one could indeed then use WinAPRS to have a validated connection as any callsign... exactly as one has been able to do with UI-View since the algorithm became public.

>
> WinAPRS also uses the registration code to SAVE the settings that
> you input into the program, you can still use it without reg codes
> but every time you close the program all your stats are erased.

Yes, but in this mode, if you connect to the APRS IS it is as an unvalidated user.

>
> Issuing new passwords will not solve this problem, as soon as a
> program is released there is a work around within a few hours if
> not minutes.
>

This includes UI-View and WinAPRS and whatever else you can think of. I'm surprised there was even one crack of WinAPRS, they used a 9 or 10 digit number, so maybe there was a lucky guess, or a generated password got lost or stolen (though I can't see why there would have been a password generated for this call), or their algorithm was poorly chosen making a mathematical attack possible. Brute force seems unlikely with the number of digits used. A new algorithm will fix things if there was a flaw in the algorithm, making future versions secure from the attack that generated this call/pass pair. You are right that there is nothing that can be done to put the cat back into the bag...the cracked password will always work with earlier versions of the program, and nothing can be erased from the net. A new password algorithm is just about protecting future versions.

>
> The validation code is the best way to prevent non hams to be
> gated, it is also not perfect but it is a larger wall of defense.

NO NO NO NO! The validation number is absolutely zero protection, it is a publicly available algorithm. It was never meant to be secure (no 15 bit hash can be considered secure in any way), just to pass muster with the FCC. Initially four people knew it (Brent, the Sprouls, and I), Dale made five when aprsd was released, later Roger made six. My public release of the algorithm was specifically designed to prevent the illusion that there was any defense in the validation number. For the reasons I explained the insecurity prior to the release of the algorithm was because the network was a sprawling mess, with far too many hubs to assure that there was not a rogue hub... if the back door and all the windows are wide open, it does not matter that the front door is locked! So please lose this misplaced trust in the validation number, it is meaningless!

Steve K4HG
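
Added example, not part of the original message and not code from WinAPRS, MacAPRS or UI-View: a sketch of the design flaw the message hypothesizes, where registration is checked only at startup, beside a version that re-checks the stored number against the current callsign at login. The HMAC-based registration function, the key, the class names and the callsigns are all constructed stand-ins.

```python
import hashlib
import hmac

# Constructed demo secret; stands in for whatever a vendor uses to issue numbers.
VENDOR_KEY = b"constructed-demo-key"


def registration_number(callsign: str) -> str:
    """Hypothetical vendor-side issuer: a number keyed to exactly one callsign."""
    mac = hmac.new(VENDOR_KEY, callsign.upper().encode(), hashlib.sha256)
    return mac.hexdigest()[:10]


def registration_matches(callsign: str, number: str) -> bool:
    """True only when the number was issued for this callsign."""
    return hmac.compare_digest(registration_number(callsign), number)


class StartupCheckedClient:
    """Flawed pattern: the check runs once and its result is cached as a flag."""

    def __init__(self, callsign: str, number: str):
        self.callsign = callsign.upper()
        self.registered = registration_matches(callsign, number)

    def set_callsign(self, callsign: str) -> None:
        self.callsign = callsign.upper()  # cached flag is not re-evaluated

    def login(self):
        # Whatever callsign is current gets presented as validated.
        return self.callsign, self.registered


class BoundCheckClient(StartupCheckedClient):
    """Hardened pattern: keep the number and re-verify it at the point of use."""

    def __init__(self, callsign: str, number: str):
        super().__init__(callsign, number)
        self._number = number

    def login(self):
        return self.callsign, registration_matches(self.callsign, self._number)


def login_after_callsign_change(client_cls):
    """Register as N0CALL (constructed), switch to X9XYZ, then log in."""
    client = client_cls("N0CALL", registration_number("N0CALL"))
    client.set_callsign("X9XYZ")
    return client.login()
```

The second class reproduces the behaviour the message reports for MacAPRS: after a callsign change the connection comes up unvalidated.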
