[aprssig] APRS-IS Passcode Has Become An Utter and Total Joke....
AndrewEMT at hotmail.com
Fri Mar 28 15:52:41 CDT 2014
You mean I've been wasting my time validating callsigns before issuing passcodes to users of my software? ;-)
Bear in mind that the open-source Xastir software includes the callpass program as well, so self-service has been out there for years. It's just become ridiculously easy lately. Not sure why all those people thought they should provide that "service".
So what shall we do in the meantime? Migrate to a new authentication scheme in APRS-IS servers and eventually drop support for the old one? That would be rough on all the die-hard UIView users. :-)
Just FYI, I am currently working on an HMAC scheme for authenticated telecommand over APRS. Maybe something like that would work for APRS-IS.
The key is to make sure the ability to issue authenticated identities doesn't get into the "wrong hands", as always. It would be a bear for the network itself to have to issue IDs, but that may be what we have to go to, since, if anyone can issue authorization, then everyone can.
Andrew Pavlin, KA2DDO
author of YAAC ("Yet Another APRS Client")
From: "Stephen H. Smith" <wa8lmf2 at aol.com>
Sender: aprssig-bounces at tapr.org
Date: Fri, 28 Mar 2014 16:08:38
To: TAPR APRS Mailing List<aprssig at tapr.org>
Reply-To: TAPR APRS Mailing List <aprssig at tapr.org>
Subject: [aprssig] APRS-IS Passcode Has Become An Utter and Total Joke....
I was Googling for information on the APRS-IS today, and discovered that there
are now numerous webpages that have interactive self-serve passcode generators
for APRS-IS "validated" log-ins on them. Many will accept absolutely any
random alphanumeric string such as tactical calls, CB handles, cipher groups or
Here are some of the ones I found:
This one DOES verify that the string entered is a real callsign.
This one will accept anything as input
If you don't want to go online to generate your passcode, this downloadable
Windows program will do the job locally:
K4HG has been warning for ages that the APRS passcode scheme is totally
non-secure, but it has now reached a new level of uselessness with these
ready-to-run interactive pages and apps.
I.e. you no longer need to know how to translate the documented algorithm into
actual program code in some language.
Stephen H. Smith wa8lmf (at) aol.com
EchoLink: Node # 14400 [Think bottom of the 2-meter band]
Home Page: http://wa8lmf.net
Long-Range APRS on 30 Meters HF
High Performance Sound Systems for Soundcard Apps
"APRS 101" Explanation of APRS Path Selection & Digipeating
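The contrast the reply draws between a credential anyone can compute and one that depends on an issuer-held secret, as an added Python example; it is not code from either poster and not KA2DDO's HMAC scheme, which the thread does not describe. Assumptions: `public_passcode` is a stand-in unkeyed function (not the real APRS-IS algorithm), and the callsign `N0CALL`, the issuer key, the `callsign|counter|command` layout, the 64-bit tag length and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo secret; assumption: only the issuing authority holds it.
ISSUER_KEY = b"constructed-demo-issuer-secret"

def public_passcode(callsign: str) -> int:
    """Stand-in for any documented, unkeyed function of the callsign
    (NOT the real APRS-IS algorithm). Anyone who knows the function
    can compute the value, so it proves nothing about the sender."""
    digest = hashlib.sha256(callsign.upper().encode()).digest()
    return int.from_bytes(digest[:2], "big") & 0x7FFF

def issue_station_key(callsign: str, issuer_key: bytes = ISSUER_KEY) -> bytes:
    """Per-station key derived by the issuer; not reproducible without issuer_key."""
    return hmac.new(issuer_key, callsign.upper().encode(), hashlib.sha256).digest()

def sign_command(station_key: bytes, callsign: str, counter: int, command: str) -> str:
    """Tag binds sender, counter and command; truncated to 64 bits to fit short packets."""
    msg = f"{callsign.upper()}|{counter}|{command}".encode()
    return hmac.new(station_key, msg, hashlib.sha256).hexdigest()[:16]

class Verifier:
    """Receiver side: checks the tag, then rejects reused or old counters."""

    def __init__(self, issuer_key: bytes = ISSUER_KEY):
        self.issuer_key = issuer_key
        self.last_counter = {}  # callsign -> highest counter accepted so far

    def accept(self, callsign: str, counter: int, command: str, tag: str) -> bool:
        key = issue_station_key(callsign, self.issuer_key)
        expected = sign_command(key, callsign, counter, command)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False
        call = callsign.upper()
        if counter <= self.last_counter.get(call, -1):
            return False  # replayed or stale packet
        self.last_counter[call] = counter
        return True

if __name__ == "__main__":
    key = issue_station_key("N0CALL")
    tag = sign_command(key, "N0CALL", 1, "RELAY1 ON")
    v = Verifier()
    print("first delivery accepted:", v.accept("N0CALL", 1, "RELAY1 ON", tag))
    print("replay accepted:", v.accept("N0CALL", 1, "RELAY1 ON", tag))
```

The unkeyed function gives the same answer to every caller, while the station key and the tags derived from it change completely if the issuer key is not known.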