
Re: [CQ-Contest] ARRL and Open Logs - Time for the next step?

To: "'Pete Smith'" <n4zr@contesting.com>, <cq-contest@contesting.com>
Subject: Re: [CQ-Contest] ARRL and Open Logs - Time for the next step?
From: "Dick Green WC1M" <wc1m@msn.com>
Reply-to: wc1m@msn.com
Date: Tue, 29 Jul 2008 19:23:26 -0400
List-post: <mailto:cq-contest@contesting.com>

Pete,

(The following is my opinion. I don't represent or speak for ARRL):

If you drop the requirement that both stations participating in the QSO be
LoTW members, then it's quite easy to impersonate another station or even
make up a call sign. You say the impersonator would have to borrow someone
else's LoTW certificate, but that's only the case if both stations must be
LoTW members. If, as you say, only one should suffice, then the one who
doesn't have to be an LoTW member can be an impersonator -- with ease. 

Here's the scenario (or threat model, as we say in the biz): I make up call
sign UA0DLG, which is from the rare Birobidzhan Oblast. Last time I was in
that very remote part of Russia (2 1/2 years ago, to adopt my son), I didn't
see any ham antennas, and I've never worked anyone from Biro in a contest.
So it's less likely that the call sign would raise any suspicions among
local hams. But I don't even bother to get on the air during the contest. I
simply log QSOs for a handful of stations with whom I've made prior
arrangements. They log UA0DLG with the same pre-arranged QSO information.
These stations are all LoTW members, and I've made a financial deal with
them to get credit for Birobidzhan. We all submit our contest logs, and the
contest sponsor unwittingly verifies that the QSOs have taken place. Logs
for the LoTW members are uploaded by the "trusted" contest sponsor, and LoTW
gives them full credit for the QSO with UA0DLG. ARRL doesn't care about
oblasts, so the rare one doesn't pop up on their radar screen. Sometime
later, the "Worked All Oblasts on Saturday" award makes a deal with ARRL to
accept LoTW credits.

The system has been compromised. 

Note that Joe's suggestion, having the contest sponsor sign (vouch for) the
records, doesn't work. The contest sponsor has no way of detecting that
UA0DLG is a bogus call. Unfortunately, many countries do not have easily
accessible licensee databases that can be used to verify existence of a call
sign. Besides, the perpetrator could hijack an existing call sign from
someone he/she knows to be inactive. 

Now, there are a few holes in the scenario, but I wanted to illustrate
roughly how it could be done. Using a rare call sign might, in fact, be
detected (probably accidentally) by the contest sponsor or ARRL. But you can
see how an inconspicuous call sign could get by unnoticed. Many would say,
"Who cares if someone is handing out free credits for France? That's an easy
one." Well, we certainly considered that argument. My feeling was that any
evidence that bogus credits could be generated, even if they were for
non-rare entities, would undermine confidence in LoTW, and by extension,
DXCC. 

Just imagine: We all know there are people out there who dislike the ARRL
(to put it mildly.) Perhaps it was because DXCC rejected their 9U/F5FHI card
(Oh, wait a minute, that was me... ;-) Maybe they're just malcontents. Some
of them would like to see DXCC, LoTW, and/or the ARRL get a black eye. After
spoofing the system with a scam like the one above, the person sends an
anonymous message to the cq-contest reflector from a free hotmail account
announcing that he/she has busted LoTW security, and providing links to a
hacked website containing screen shots and scans proving the deception. It
can all be done without the identity of the perpetrator being detectable.

Of course, an LoTW member can perpetrate a similar fraud by lying about QSOs
that never took place, or about the location from which the QSOs were made
(as did the famous Romeo.) But the perpetrator must be the actual owner of
the call sign, or must be in collusion with the person who owns the call
sign, or must be willing to break the law to get the LoTW private key (mail
fraud, breaking and entering, etc.) The odds are good that we're going to
find out the identity of the perpetrator, and we can delete the account and
ban that person from DXCC and LoTW for life.

One of the primary goals of LoTW is to prevent bogus or fraudulent records
from polluting the LoTW or DXCC database. LoTW works on the premise that the
identities of all participants are authenticated (known, more or less), and
that all QSO records are indelibly stamped with an unalterable code that
leads back to that authenticated identity. If one of the two participating
stations is excused from that requirement, based on the contest sponsor's
vouching for the identity of the license holder, then the contest sponsor's
authentication system needs to be at least as rigorous as LoTW's.

Is this overkill for a hobby? Some will say so. But given the passions that
have always surrounded DXCC, not to mention the many millions of dollars and
millions of hours spent in pursuit of the awards, it's much more than a
hobby. It has become a worldwide institution and the most respected award in
ham radio. That's worth perhaps going a little overboard to protect. The
most persuasive argument I can make for LoTW's current level of security is
that if we start out with a relatively tight system, and the hurdles become
too onerous for the users, we always have the option of relaxing the
security requirements -- especially as new data and technology become
available (e.g., reliable online license databases in other countries.) But
if we start out with loose requirements that allow the database to be
compromised, we may never be able to repair the damage, and may never be
able to make the system more secure.

73, Dick WC1M



> -----Original Message-----
> From: Pete Smith [mailto:n4zr@contesting.com]
> Sent: Tuesday, July 29, 2008 7:08 AM
> To: cq-contest@contesting.com
> Subject: Re: [CQ-Contest] ARRL and Open Logs - Time for the next step?
> 
> At 10:18 PM 7/28/2008, Dick Green WC1M wrote:
> >....Anyone can submit a contest log labeled "F2xxx". ARRL and CQ
> >have absolutely no idea whether those logs came from the actual F2xxx or an
> >imposter. If someone wanted to game or discredit the DXCC system, they could
> >submit a contest log under a bogus call. The log would then be forwarded to
> >LoTW. If LoTW were to accept such a log without proper authentication, then
> >the system could be fooled into granting DXCC credits that were not earned.
> >Once that happens, confidence in the system is lost.
> >
> >Bottom line, LoTW won't accept QSO records from an unauthenticated source.
> 
> I respect Dick's views on this, because of his intimate knowledge of both
> the LOTW system and ARRL contest policy.  However, I think that these
> implementation issues can be ironed out, if we don't lose sight of the
> objective, which is to promote both contesting and the LOTW system.  The
> point is for people to know that contest QSOs will show up in LOTW, so if
> they join, they can get award credit for them; conversely, if they
> participate in contests, they will benefit their quest for awards.  For
> those of us who already upload every QSO to LOTW (like Mal), the practical
> difference is nil.
> 
> I am clueless about the fine points of computer security.  However, Dick
> assumes that a contest log must be authenticated, before a single contact
> from it is accepted into LOTW.  It seems clear to me that if an LOTW
> certificate were required for submission of a contest log, that would be
> totally contrary to the idea of promoting contesting and LOTW.  However, my
> view is that if logs for a given contest are open, and if only
> cross-checked contacts are transferred, the chances of a spoofer
> contaminating the system through a bogus log are very small.  To begin
> with, he would have to actually operate in the contest using the fake
> callsign, to make cross-checked QSOs that would be transferred to LOTW.  He
> would have to borrow the callsign of a station that had a LOTW certificate
> (forget my original notion of both stations needing to be members of LOTW -
> one should suffice).  To me, that would almost require collusion between
> the spoofer and the person whose callsign was being borrowed.  All of this
> would have to be done in public (because both contest logs and results
> would be published).
> 
> I wonder if everyone has forgotten that back in the 1970s, DXCC credit
> *was* given for ARRL DX Contest QSOs.  Was the system any less subject to
> gaming in those days?  Were we any less concerned about the sanctity
> of DXCC?
> 
> 73, Pete N4ZR
> 
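
The acceptance rule debated in this thread, modelled as an added example (it is not part of either message and is not LoTW code): a cross-checked QSO is credited either when one side is authenticated or only when both are. The callsigns N0CALL and X0TEST, the keys, the record fields and the use of HMAC as a stand-in for a member's certificate signature are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed member registry: callsign -> signing secret (placeholder calls).
# HMAC stands in for the certificate signature of an authenticated member.
MEMBER_KEYS = {"N0CALL": b"secret-a", "X0TEST": b"secret-b"}
FIELDS = ("band", "mode", "utc")

def _payload(rec):
    return "|".join([rec["me"], rec["worked"]] + [rec[f] for f in FIELDS]).encode()

def sign(rec, key):
    """Return a copy of rec carrying a signature made with key."""
    return dict(rec, sig=hmac.new(key, _payload(rec), hashlib.sha256).hexdigest())

def authenticated(rec):
    """True only if rec is signed with the key registered for its own callsign."""
    key = MEMBER_KEYS.get(rec["me"])
    if key is None or "sig" not in rec:
        return False
    expected = hmac.new(key, _payload(rec), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec["sig"])

def cross_checked(a, b):
    """Sponsor-style check: the two log entries mirror each other."""
    return (a["me"] == b["worked"] and a["worked"] == b["me"]
            and all(a[f] == b[f] for f in FIELDS))

def grant_credit(a, b, require_both):
    """Decide whether the QSO between log entries a and b earns credit."""
    if not cross_checked(a, b):
        return False
    proofs = [authenticated(a), authenticated(b)]
    return all(proofs) if require_both else any(proofs)

def qso(me, worked):
    return {"me": me, "worked": worked, "band": "20M", "mode": "CW",
            "utc": "2008-07-26T12:00"}

# Constructed logs. UA0DLG is the made-up call from the message; it has no key.
member_entry = sign(qso("N0CALL", "UA0DLG"), MEMBER_KEYS["N0CALL"])
unverified_entry = qso("UA0DLG", "N0CALL")   # arrives via the contest log only
member_to_peer = sign(qso("N0CALL", "X0TEST"), MEMBER_KEYS["N0CALL"])
peer_entry = sign(qso("X0TEST", "N0CALL"), MEMBER_KEYS["X0TEST"])

if __name__ == "__main__":
    print("one side enough:", grant_credit(member_entry, unverified_entry, False))
    print("both required:  ", grant_credit(member_entry, unverified_entry, True))
    print("two members:    ", grant_credit(member_to_peer, peer_entry, True))
```

The cross-check passes in every case, so it says nothing about who submitted the unauthenticated log; only the two-sided rule ties each half of the QSO to a registered identity.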

