[aprssig] Universal APRS messaging
Steve Dimse steve at dimse.com
Sun Oct 19 22:41:20 UTC 2008
- Previous message: [aprssig] Universal APRS messaging
- Next message: [aprssig] Universal APRS messaging
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
The problem is that OpenAPRS's license verification system does not even provide protection under the US's Part 97 rules for message forwarding systems, many other countries have more restrictive rules. 97.219 states

"Except as noted in paragraph (d) of this section, for stations participating in a message forwarding system, the control operators of forwarding stations that retransmit inadvertently communications that violate the rules in this Part are not accountable for the violative communications. They are, however, responsible for discontinuing such communications once they become aware of their presence.

(d) For stations participating in a message forwarding system, the control operator of the first forwarding station must:

(1) Authenticate the identity of the station from which it accepts communication on behalf of the system; or

(2) Accept accountability for any violation of the rules in this Part contained in messages it retransmits to the system."

Note that this specifically details the requirement of the control operator of the first forwarding station. (Station is a defined term in Part 97, the key point being an "apparatus necessary for carrying on radiocommunications"). This is the IGate operator. Since the control operator does not meet the requirements of 97.219d(1), 97.219d(2) applies. The IGate control operator is responsible for the content of the transmission.

The fault is not with OpenAPRS, their system is as good as one can expect from a verification system. The problem is what follows. Like everyone else, OpenAPRS sends their messages to the APRS IS, and the APRS IS has no security. It has not for many a year. Messages are marked as validated and unvalidated, and that is still used by IGate programs to decide whether to IGate, but that validation is easily spoofed.

For those without gray hair matching my own, let me give the history.
When I first created the internet to RF capability, I added a deliberately weak verification scheme to try to meet the requirements for Part 97. Users were verified through the registration of software clients. The problems began with the introduction of aprsd, an IGate and hub released as open source. The verification algorithm was released as a library at first to protect the algorithm, and before any aprsd hub could join the network they had to apply and be tested by me for security. The network grew exponentially causing this to be an untenable task, made worse when the author of aprsd decided that to meet the requirements of the GPL he had to release the source code for the validation algorithm. At that point I decided the integrity of the APRS IS could no longer be assured, and I also released the validation code publicly, on the sig and elsewhere. It can still be found via google, I'm not providing a link so as to not make the problem worse. It is also in xastir and aprsd source code downloadable from hundreds of sites.

The net result of all this is that there is no security on the APRS IS, and every IGate operator is basically on their own. My hope was that the publicity would lead people to create a secure second generation APRS IS system, but that hasn't happened.

Now, my fear is that an increased opening to other messaging forms will cause the FCC or another country's equivalent organization to crack down on the IGate operators. Say I register through OpenAPRS, and then send a message that violates Part 97, perhaps profanity or business use, I am legally responsible for violating the rules only if the FCC could prove I actually sent the message. The APRS IS does not have logs that can show which IP address initiated which message. There are literally hundreds of hams that have the ability to make it appear that I sent a profane message.
I can make it appear any of you did the same in about 20 seconds (OK, maybe 2 minutes because I would have to look up the message format, I always forget the number of spaces before the colon!). Scared yet?

OpenAPRS and the APRS IS hub operators are certainly not responsible for violating the rules, there is no FCC accountability for the internet side of the system. Even if there was, they all operated in good faith. Only the IGate operators which transmitted the message can be proven responsible. Given that the APRS IS has been insecure for the better part of a decade, I doubt the FCC would accept a claim the APRS IS validation is the way they verified the identity of a ham. If the FCC decides to chase down a violation, the only place blame could be placed is the IGate operator.

I have had the capability to send a message entered on a web form to the APRS IS almost as long as findU has existed. It was trivial to write. I know people would have loved it. I have not released it out of concern for the IGate operators around the world. I'm concerned now that people do the easy part without addressing the real problem, security. I hope that the new web developers will share that concern for the system as a whole, and carefully consider the ramification of what they release.

Way back when the APRS IS was "secure" and I was actively managing it, my biggest concern was that Joe Ham would let his wife use his copy of WinAPRS on his computer to send a message to him via RF. I had an automated tool looking at messages to and from the same call. Most were test messages, but there were a couple dozen times I caught people obviously using the system in an illegal fashion. Always a simple message stopped it when people realized how easily they were caught. Add integration with SMS and web messaging, and this could become a problem again.

If you really want to make bidirectional RF <-> Internet messaging work, the answer has to be better security.
Business as usual is dangerous to the IGate operators. Or, just stick your head in the sand, and hope nothing bad happens!

Steve K4HG

On Oct 19, 2008, at 4:31 PM, Gregory A. Carter wrote:

> I've got an iPhone app in beta stages that I have every reason to
> believe will be accepted by Apple's Store (it has several other non-ham
> features) that will have full APRS messaging support through
> OpenAPRS's DCC interface. It will also enable iPhones to be tracked
> using their GPS through the internet network to OpenAPRS's servers
> and out to APRS-IS. Both systems follow OpenAPRS's license
> verification system.
>
> I've also been trying to actively search for Blackberry developers
> to do the same for those.
>
> I expect to release the software sometime in late November, I have
> to finish messing with Kalman filters on the GPS side before it goes
> out. Also have a little debugging to do.
>
> Greg
>
> NV6G
> OpenAPRS.Net
>
>
> On Sun, Oct 19, 2008 at 10:11 AM, Robert Bruninga
> <bruninga at usna.edu> wrote:
> We have a golden opportunity for new programmers in APRS...
>
> Since 9-11 and the Katrina situation, a primary motivation for
> APRS has been to make sure that Amateur Radio operators can
> always find each other, in place, time, and frequency and
> establish communications. This must be a fundamental and
> universal mission of APRS.
>
> Now that we are making progress on the frequency aspect with the
> many initiatives of the www.aprs.org/localinfo.html project, and
> the www.aprs.org/aprstt.html project bringing in all radios, now
> it is time to move on to the final stage which is making sure
> that we can communicate callsign-to-callsign using any and ALL
> devices and mechanisms.
>
> This means, palm devices, PCs, notebooks, iPhones, everything.
>
> I admit that I have not kept up with the many initiatives by
> many individuals in APRS to try to use these other devices for
> sending and receiving APRS messages, but now I would like to
> collect a directory of such applications and put the links on
> the www.aprs.org web page. These do not need to be full-up APRS
> applications, but they should have a minimum APRS messaging
> capability.
>
> Help me build this list:
>
> LIST OF APRS APPLICATIONS FOR UNIVERSAL APRS MESSAGING:
>
> PC's, Macs - Run numerous native APRS client applications
> APRS>Email - WU2Z engine handles all APRS to EMAIL
> Email>APRS - This nut has not been fully cracked
> WinLINK    - Handles bidirectional email
> PalmPilot  - Pocket APRS (no longer supported?)
> OLPC       - APRS-xo by Jack Zielke
> Wince's    - APRSce...
> iPhone     -
> IM         -
> TextMsging -
> Etc...     -
>
> The goal is to be able to send and receive (small) amateur radio
> APRS text messages anywhere in the world by callsign alone.
> This is a big project, because it will be hard to provide the
> security concerns we all share over the potential for abuse...
> But we do need to be working on it!
>
> My motivation comes from the simple fact that as ham radio
> operators, we must be able to establish communications using
> whatever tools we have available, and cell phones and text
> messaging are everywhere.
>
> My motivation comes from my weekend trip to Monterrey Mexico
> where I gave an APRS presentation to their IEEE attended by
> about 100 students from many technical universities. They all
> had cellphones and wanted to know why APRS could not be used to
> communicate with them?
>
> Duh... Good question. We need more people in ham radio working
> on these projects...
>
> Thanks
> Bob, WB4APR
>
>
> _______________________________________________
> aprssig mailing list
> aprssig at lists.tapr.org
> https://lists.tapr.org/cgi-bin/mailman/listinfo/aprssig
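
The post above mentions an automated tool that looked at messages to and from the same call. The sketch below is an added example of that kind of monitor, not the author's tool or any project's code: it parses APRS message packets in the usual `SRC>DEST,PATH::ADDRESSEE:text{id` line form and flags those whose source and addressee share a base callsign. Ignoring the SSID is an assumption, and the callsigns and packet lines are constructed.

```python
import re

# APRS message info field: ":" + 9-character addressee (space padded) + ":" + text
MSG_RE = re.compile(r"^:(?P<addressee>[^:]{9}):(?P<text>.*)$")
# Acks and rejects are protocol replies, not operator-typed traffic
ACK_REJ_RE = re.compile(r"^(ack|rej)[A-Za-z0-9]{1,5}$")

def base_call(callsign):
    """Drop padding and SSID ("-9") so stations of one licensee compare equal (assumption)."""
    return callsign.strip().upper().split("-", 1)[0]

def parse_message(line):
    """Return (source, addressee, text) for an APRS message packet, else None."""
    header, sep, info = line.partition(":")
    if not sep or ">" not in header:
        return None
    source = header.split(">", 1)[0]
    m = MSG_RE.match(info)
    if m is None:                      # position, status, telemetry, ...
        return None
    text = m.group("text")
    if ACK_REJ_RE.match(text):
        return None
    text = text.split("{", 1)[0]       # strip optional trailing message number
    return source, m.group("addressee").strip(), text

def same_call_messages(lines):
    """List messages whose sender and addressee have the same base callsign."""
    hits = []
    for line in lines:
        parsed = parse_message(line)
        if parsed is None:
            continue
        source, addressee, text = parsed
        if base_call(source) == base_call(addressee):
            hits.append((source, addressee, text))
    return hits

# Constructed sample traffic (placeholder callsigns, not captured packets)
SAMPLE = [
    "N0CALL-9>APRS,TCPIP*,qAC,T2TEST::N0CALL   :pick up milk on the way home{12",
    "N0CALL>APRS,TCPIP*,qAC,T2TEST::N0CALL-9 :ack12",
    "N0CALL>APRS,TCPIP*,qAC,T2TEST::X1TEST   :QSL, 73{3",
    "N0CALL-9>APRS,TCPIP*,qAC,T2TEST:!4903.50N/07201.75W-Test",
]

if __name__ == "__main__":
    for hit in same_call_messages(SAMPLE):
        print(hit)
```

Because source callsigns on the APRS IS can be spoofed, as the post explains, a hit from a monitor like this is a lead for a human to follow up, not proof of who sent the message.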
