[Top] [All Lists]

Re: [CQ-Contest] authentication for log submission

To: cq-contest@contesting.com
Subject: Re: [CQ-Contest] authentication for log submission
From: W0MU Mike Fatchett <w0mu@w0mu.com>
Date: Wed, 06 Jun 2012 09:11:06 -0600
List-post: <cq-contest@contesting.com">mailto:cq-contest@contesting.com>
I think LOTW went a bit far.  I don't need to jump through all those 
hoops to trade stocks or check my bank accounts etc.  Most browsers have 
security built in with encryption.  This could be used.

I wonder how many people refuse to use LOTW because of the difficulties 
getting going?  We certainly do not want to get to point where people 
will not submit scores because a system is too difficult or restrictive 
to use.

Mike W0MU

W0MU-1 CC Cluster w0mu.net:23 or w0mu-1.dnsdynamic.com

On 6/6/2012 5:18 AM, Yannick DEVOS (XV4Y) wrote:
> Dear Katsuhiro, Michael,
> Katsuhiro, you are right this is a serious security flaw in the way the log 
> submission are handled.
> It can lead to spoofing (someone use your identity to upload logs) and 
> flooding (trying to overload the server).
> However, as Michael stated, this issue is mitigated by the difficulty in 
> forging logs that could be really harmful to the whole contest integrity.
> A well designed server will also discard bad crafted logs without too much 
> database load.
> The only way to have a 100% secure system is the way LotW goes.
> However it is not easy to handle and will increase contest handling costs a 
> lot.
> If I were a contest server administrator, what I will do is the following :
> - for 95% of the participant, nothing at all just like today
> - optionally, participant who want to secure their log can request an "ID 
> token" upon sending one hand written dated and signed scan of their license
> - an additional filed in the Carbrillo format will content this token and it 
> will be checked while the log is processed
> This is not fully secured as someone can "sniff" the token on the network (it 
> is never crypted in the process) or hack the contestant computer and copy it.
> However if someone is serious enough to do this, this means all the security 
> on the server and the contestant computer has to be checked, and this raises 
> the bar significantly.
> For me, it add a fair level of authentication for a marginal managing cost 
> increase.
> 73,
> Yan.
> ---
> Yannick DEVOS - XV4Y
> http://xv4y.radioclub.asia/
> http://varc.radioclub.asia/
>> I'm not sure this was discussed before, but this reminds me that
>> someone who has malicious intention may submit other station's
>> log to defeat the station after first submission by actual station.
>> There looks no authentication method to verify the station for major
>> contests(please correct me if I am wrong).  Complicated method to
>> authenticate the station may lead decreasing the number of log
>> submission, so this may not be applied to all stations.  But I think
>> there should be some method to authenticate at least for stations who
>> want to win a prize.
>> Please ignore this message if my concern is baseless fear, the
>> contest sponsors have already taken care of this, or we can trust
>> everybody since we all have good morals.
> _______________________________________________
> CQ-Contest mailing list
> CQ-Contest@contesting.com
> http://lists.contesting.com/mailman/listinfo/cq-contest
CQ-Contest mailing list

<Prev in Thread] Current Thread [Next in Thread>