Re: [CQ-Contest] authentication for log submission

To: <cq-contest@contesting.com>
Subject: Re: [CQ-Contest] authentication for log submission
From: "Ron Notarius W3WN" <wn3vaw@verizon.net>
Date: Wed, 06 Jun 2012 23:34:30 -0400
List-post: <mailto:cq-contest@contesting.com>
Well Mike, I'm very glad you've never had a problem with your financial
institution.  I have, albeit relatively small, and I know of people who've
had major problems.

The reality is that more financial institutions are moving in the direction
that LotW is already at.  

And we won't even go into federally required encryption due to HIPAA &
HITECH and other things that nibble away at my working day.

So the guys up at the League are ahead of the game.  

"Would it be prudent to have security on log submissions?"

Possibly.  I would first wonder if by doing so, we're not in the process of
creating a solution to a problem that doesn't exist yet.

That thought aside... how can one be against LotW security, and yet want
security on log submissions?  The two thoughts seem at least somewhat in
contrast.

73

-----Original Message-----
From: W0MU Mike Fatchett [mailto:w0mu@w0mu.com] 
Sent: Wednesday, June 06, 2012 4:57 PM
To: Ron Notarius W3WN
Cc: cq-contest@contesting.com
Subject: Re: [CQ-Contest] authentication for log submission

Actually it speaks volumes for the financial institutions.  I have never 
lost a dime by using an online solution and find it quite practical and 
safe.

Ham Radio is simply a hobby.  Reasonable security is reasonable.  For 
log submission there is really no security other than the hope that 
nobody messes with a fake submission or a submission of zero.

Would it be prudent to have some security on log submissions?  It would 
seem that most people would be ok with something.

Mike W0MU

W0MU-1 CC Cluster w0mu.net:23 or w0mu-1.dnsdynamic.com
Http://www.w0mu.com


On 6/6/2012 2:12 PM, Ron Notarius W3WN wrote:
> I think that's more a sad commentary on the state of security of most of
> our banking & financial institutions than it is an indictment of Logbook of
> the World for being "too secure."
>
> 73
>
>
> On 06/06/12, W0MU Mike Fatchett wrote:
>
> I think LOTW went a bit far. I don't need to jump through all those
> hoops to trade stocks or check my bank accounts etc. Most browsers have
> security built in with encryption. This could be used.
>
> I wonder how many people refuse to use LOTW because of the difficulties
> getting going? We certainly do not want to get to the point where people
> will not submit scores because a system is too difficult or restrictive
> to use.
>
> Mike W0MU
>
> W0MU-1 CC Cluster w0mu.net:23 or w0mu-1.dnsdynamic.com
> Http://www.w0mu.com
>
>
> On 6/6/2012 5:18 AM, Yannick DEVOS (XV4Y) wrote:
>> Dear Katsuhiro, Michael,
>>
>> Katsuhiro, you are right, this is a serious security flaw in the way the
>> log submissions are handled.
>> It can lead to spoofing (someone uses your identity to upload logs) and
>> flooding (trying to overload the server).
>> However, as Michael stated, this issue is mitigated by the difficulty in
>> forging logs that could be really harmful to the whole contest integrity.
>> A well designed server will also discard badly crafted logs without too
>> much database load.
>>
>> The only way to have a 100% secure system is the way LotW goes.
>> However it is not easy to handle and will increase contest handling costs
>> a lot.
>>
>> If I were a contest server administrator, what I would do is the
>> following:
>> - for 95% of the participants, nothing at all, just like today
>> - optionally, participants who want to secure their log can request an "ID
>>   token" upon sending one hand-written, dated and signed scan of their
>>   license
>> - an additional field in the Cabrillo format will contain this token and
>>   it will be checked while the log is processed
>>
>> This is not fully secured as someone can "sniff" the token on the network
>> (it is never encrypted in the process) or hack the contestant's computer
>> and copy it.
>> However if someone is serious enough to do this, this means all the
>> security on the server and the contestant's computer has to be checked,
>> and this raises the bar significantly.
>> For me, it adds a fair level of authentication for a marginal managing
>> cost increase.
>>
>> 73,
>> Yan.
>> ---
>> Yannick DEVOS - XV4Y
>> http://xv4y.radioclub.asia/
>> http://varc.radioclub.asia/
>>
>>> I'm not sure this was discussed before, but this reminds me that
>>> someone who has malicious intention may submit another station's
>>> log to defeat the station after the first submission by the actual
>>> station. There looks to be no authentication method to verify the
>>> station for major contests (please correct me if I am wrong). A
>>> complicated method to authenticate the station may lead to decreasing
>>> the number of log submissions, so this may not be applied to all
>>> stations. But I think there should be some method to authenticate at
>>> least for stations who want to win a prize.
>>>
>>> Please ignore this message if my concern is baseless fear, the
>>> contest sponsors have already taken care of this, or we can trust
>>> everybody since we all have good morals.
>> _______________________________________________
>> CQ-Contest mailing list
>> CQ-Contest@contesting.com
>> http://lists.contesting.com/mailman/listinfo/cq-contest
>
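
Added example, not part of the original thread and not code from any contest sponsor: a sketch of the opt-in "ID token" check proposed in the quoted message by XV4Y, where stations that registered a token must present it and everyone else is accepted as today. The header name X-ID-TOKEN, the registry class and the result strings are assumptions made for illustration; the sample logs are constructed with placeholder callsigns. As the quoted message notes, a token sent in the clear can still be sniffed, and this check does not change that.

```python
import hashlib
import hmac
import secrets

TOKEN_FIELD = "X-ID-TOKEN"  # hypothetical header name, not a defined Cabrillo tag

def _digest(token: str) -> bytes:
    # Tokens are server-generated and high-entropy, so a plain hash is enough at rest.
    return hashlib.sha256(token.encode("utf-8")).digest()

class TokenRegistry:
    def __init__(self):
        self._hashes = {}  # callsign -> hash of the issued token (opt-in stations only)

    def issue(self, callsign: str) -> str:
        token = secrets.token_urlsafe(16)
        self._hashes[callsign.upper()] = _digest(token)
        return token  # handed to the participant once; only the hash is kept

    def check(self, callsign: str, token) -> str:
        expected = self._hashes.get(callsign.upper())
        if expected is None:
            return "accepted-unauthenticated"  # no token registered: same as today
        if token is None:
            return "rejected-missing-token"    # blocks a spoofed later submission
        if hmac.compare_digest(expected, _digest(token)):  # constant-time compare
            return "accepted-authenticated"
        return "rejected-bad-token"

def parse_header(log_text: str) -> dict:
    """Collect 'TAG: value' header lines; QSO lines are skipped, first value wins."""
    fields = {}
    for line in log_text.splitlines():
        tag, sep, value = line.partition(":")
        tag = tag.strip().upper()
        if sep and tag != "QSO":
            fields.setdefault(tag, value.strip())
    return fields

def check_submission(registry: TokenRegistry, log_text: str) -> str:
    fields = parse_header(log_text)
    callsign = fields.get("CALLSIGN")
    if not callsign:
        return "rejected-no-callsign"
    return registry.check(callsign, fields.get(TOKEN_FIELD))

def sample_log(callsign: str, token=None) -> str:
    """Constructed sample log (placeholder callsigns, not real data)."""
    extra = f"{TOKEN_FIELD}: {token}\n" if token else ""
    return (f"START-OF-LOG: 3.0\nCALLSIGN: {callsign}\n{extra}"
            "QSO: 14025 CW 2012-05-26 0001 N0CALL 599 04 N1CALL 599 05\nEND-OF-LOG:\n")
```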
