CQ-Contest

Re: [CQ-Contest] authentication for log submission

To: Ron Notarius W3WN <wn3vaw@verizon.net>
Subject: Re: [CQ-Contest] authentication for log submission
From: W0MU Mike Fatchett <w0mu@w0mu.com>
Date: Wed, 06 Jun 2012 14:57:12 -0600
List-post: <mailto:cq-contest@contesting.com>

Actually it speaks volumes for the financial institutions.  I have never 
lost a dime by using an online solution and find it quite practical and 
safe.

Ham Radio is simply a hobby.  Reasonable security is reasonable.  For 
log submission there is really no security other than the hope that 
nobody messes with a fake submission or a submission of zero.

Would it be prudent to have some security on log submissions?  It would 
seem that most people would be ok with something.

Mike W0MU

W0MU-1 CC Cluster w0mu.net:23 or w0mu-1.dnsdynamic.com
Http://www.w0mu.com


On 6/6/2012 2:12 PM, Ron Notarius W3WN wrote:
> I think that's more a sad commentary on the state of security of most of our 
> banking & financial institutions than it is an indictment of Logbook of the 
> World for being "too secure."
>
> 73
>
>
> On 06/06/12, W0MU Mike Fatchett wrote:
>
> I think LOTW went a bit far. I don't need to jump through all those
> hoops to trade stocks or check my bank accounts etc. Most browsers have
> security built in with encryption. This could be used.
>
> I wonder how many people refuse to use LOTW because of the difficulties
> getting going? We certainly do not want to get to the point where people
> will not submit scores because a system is too difficult or restrictive
> to use.
>
> Mike W0MU
>
> W0MU-1 CC Cluster w0mu.net:23 or w0mu-1.dnsdynamic.com
> Http://www.w0mu.com
>
>
> On 6/6/2012 5:18 AM, Yannick DEVOS (XV4Y) wrote:
>> Dear Katsuhiro, Michael,
>>
>> Katsuhiro, you are right, this is a serious security flaw in the way the log 
>> submissions are handled.
>> It can lead to spoofing (someone uses your identity to upload logs) and 
>> flooding (trying to overload the server).
>> However, as Michael stated, this issue is mitigated by the difficulty in 
>> forging logs that could be really harmful to the whole contest integrity.
>> A well designed server will also discard badly crafted logs without too much 
>> database load.
>>
>> The only way to have a 100% secure system is the way LotW goes.
>> However it is not easy to handle and will increase contest handling costs a 
>> lot.
>>
>> If I were a contest server administrator, what I would do is the following:
>> - for 95% of the participants, nothing at all just like today
>> - optionally, participants who want to secure their log can request an "ID 
>> token" upon sending one hand written dated and signed scan of their license
>> - an additional field in the Cabrillo format will contain this token and it 
>> will be checked while the log is processed
>>
>> This is not fully secured as someone can "sniff" the token on the network 
>> (it is never encrypted in the process) or hack the contestant computer and 
>> copy it.
>> However if someone is serious enough to do this, this means all the security 
>> on the server and the contestant computer has to be checked, and this raises 
>> the bar significantly.
>> For me, it adds a fair level of authentication for a marginal managing cost 
>> increase.
>>
>> 73,
>> Yan.
>> ---
>> Yannick DEVOS - XV4Y
>> http://xv4y.radioclub.asia/
>> http://varc.radioclub.asia/
>>
>>> I'm not sure this was discussed before, but this reminds me that
>>> someone who has malicious intention may submit other station's
>>> log to defeat the station after first submission by actual station.
>>> There looks to be no authentication method to verify the station for major
>>> contests (please correct me if I am wrong). Complicated method to
>>> authenticate the station may lead to decreasing the number of log
>>> submission, so this may not be applied to all stations. But I think
>>> there should be some method to authenticate at least for stations who
>>> want to win a prize.
>>>
>>> Please ignore this message if my concern is baseless fear, the
>>> contest sponsors have already taken care of this, or we can trust
>>> everybody since we all have good morals.
>> _______________________________________________
>> CQ-Contest mailing list
>> CQ-Contest@contesting.com
>> http://lists.contesting.com/mailman/listinfo/cq-contest
>
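Added example (not part of the original messages and not any contest sponsor's code): a sketch of the server-side check for the optional "ID token" proposed in the quoted message from XV4Y, where enrolled callsigns must present a token and everyone else is handled as today. The field name `X-ID-TOKEN`, the HMAC-derived token, the server secret and the enrolled set are assumptions; the thread specifies none of them.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # assumption: kept only on the contest server
TOKEN_FIELD = "X-ID-TOKEN"                  # hypothetical field name, not defined in the thread
ENROLLED = {"XV4Y"}                         # constructed: callsigns that requested a token


def issue_token(callsign: str) -> str:
    """Derive the per-callsign token (assumed scheme: truncated HMAC-SHA256)."""
    mac = hmac.new(SERVER_SECRET, callsign.upper().encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def parse_headers(log_text: str) -> dict:
    """Collect 'KEY: value' header lines, skipping QSO records."""
    headers = {}
    for line in log_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().upper() != "QSO":
            headers[key.strip().upper()] = value.strip()
    return headers


def check_log(log_text: str) -> str:
    headers = parse_headers(log_text)
    call = headers.get("CALLSIGN", "").upper()
    if not call:
        return "reject: no callsign"
    if call not in ENROLLED:
        return "accept: unauthenticated"      # the 95% case: handled as today
    presented = headers.get(TOKEN_FIELD, "")
    # Constant-time comparison so the check does not leak how much matched.
    if hmac.compare_digest(presented.encode(), issue_token(call).encode()):
        return "accept: token verified"
    return "reject: missing or wrong token"   # enrolled callsign, no valid token


def make_log(callsign: str, token: str = "") -> str:
    """Build a minimal constructed Cabrillo log for the demo."""
    lines = ["START-OF-LOG: 3.0", f"CALLSIGN: {callsign}", "CONTEST: CQ-WW-CW"]
    if token:
        lines.append(f"{TOKEN_FIELD}: {token}")
    lines += ["QSO: 14000 CW 2012-06-06 1200 XV4Y 599 26 W0MU 599 04", "END-OF-LOG:"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(check_log(make_log("XV4Y", issue_token("XV4Y"))))
    print(check_log(make_log("XV4Y")))
    print(check_log(make_log("W0MU")))
```

As the quoted post says, the token is a static value, so this check protects an enrolled callsign only as far as the submission channel and the contestant's computer keep the token private.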
