[CQ-Contest] authentication for log submission

Zack Widup w9sz.zack at gmail.com
Wed Jun 6 08:13:42 PDT 2012


For ARRL contests (and others) I always receive a confirmation e-mail of
some sort that I submitted a log. If someone wanted to send in a log to
replace my actual submission, it seems they would want to use one of my
e-mail addresses as the return address. I would then get a confirmation
e-mail, which would clue me in.

Maybe they would use their own e-mail address for the return address. This
might get by for a major contest where there are thousands of logs sent in.
But for some smaller contests, it would be a giveaway if the contest
sponsor cared to look at where the e-mail came from or got suspicious.

Perhaps contest entrants can register with the sponsor as a general
application for all contests by that sponsor so that any log entries always
got acknowledged to a certain e-mail address. That way, if someone sent in
a log for W9SZ, I would always get the acknowledgement no matter what
address the log said it came from. Just a thought.

Question - I know this was brought up as a scenario that could happen and
that we should be at least a little concerned about, but has it actually
happened? How likely is it to happen in the future?

73, Zack W9SZ


On Wed, Jun 6, 2012 at 6:18 AM, Yannick DEVOS (XV4Y) <
yannick.devos at online.fr> wrote:

> Dear Katsuhiro, Michael,
>
> Katsuhiro, you are right this is a serious security flaw in the way the
> log submission are handled.
> It can lead to spoofing (someone use your identity to upload logs) and
> flooding (trying to overload the server).
> However, as Michael stated, this issue is mitigated by the difficulty in
> forging logs that could be really harmful to the whole contest integrity.
> A well designed server will also discard bad crafted logs without too much
> database load.
>
> The only way to have a 100% secure system is the way LotW goes.
> However it is not easy to handle and will increase contest handling costs
> a lot.
>
> If I were a contest server administrator, what I will do is the following :
> - for 95% of the participant, nothing at all just like today
> - optionally, participant who want to secure their log can request an "ID
> token" upon sending one hand written dated and signed scan of their license
> - an additional filed in the Carbrillo format will content this token and
> it will be checked while the log is processed
>
> This is not fully secured as someone can "sniff" the token on the network
> (it is never crypted in the process) or hack the contestant computer and
> copy it.
> However if someone is serious enough to do this, this means all the
> security on the server and the contestant computer has to be checked, and
> this raises the bar significantly.
> For me, it add a fair level of authentication for a marginal managing cost
> increase.
>
> 73,
> Yan.
> ---
> Yannick DEVOS - XV4Y
> http://xv4y.radioclub.asia/
> http://varc.radioclub.asia/
>
> > I'm not sure this was discussed before, but this reminds me that
> > someone who has malicious intention may submit other station's
> > log to defeat the station after first submission by actual station.
> > There looks no authentication method to verify the station for major
> > contests(please correct me if I am wrong).  Complicated method to
> > authenticate the station may lead decreasing the number of log
> > submission, so this may not be applied to all stations.  But I think
> > there should be some method to authenticate at least for stations who
> > want to win a prize.
> >
> > Please ignore this message if my concern is baseless fear, the
> > contest sponsors have already taken care of this, or we can trust
> > everybody since we all have good morals.
> _______________________________________________
> CQ-Contest mailing list
> CQ-Contest at contesting.com
> http://lists.contesting.com/mailman/listinfo/cq-contest
>


More information about the CQ-Contest mailing list