[drats_users] drats_users Digest, Vol 40, Issue 3

Dan Smith
Mon Dec 26 07:22:54 PST 2011


> Perhaps my misunderstanding, but I did not think E-mail Access
> controls had anything to do with E-mail forwarding.   It was my
> understanding that E-mail access controls were to allow certain
> D-RATS stations to access another D-RATS station's incoming and
> outgoing E-mail servers, which on our remote station are not
> configured because we don't have Internet, yet.

No, that's not the case. The access controls affect who can use your
station as an email gateway. However, I think I see now that your concern
is over all traffic passed over the gateway and that perhaps you're 
combining "email forwarding" with passing messages and other data.

> Even if it did, the E-mail Access controls in D-RATS do not allow
> for excluding certain callsigns, like the non-ham callsigns, it
> excludes EVERYBODY except for whom you give access, meaning one would
> have to enter every callsign in D-RATS nation into the E-mail Access
> Controls except for the non-ham callsigns you find coming online.  I
> couldn't imagine having to do this in any software.

You're describing an "open, unless closed" system. With respect to all 
other software outside the ham world, such a security policy hasn't been 
considered in decades. A policy of "open, unless closed" is reactionary 
and implies that a violation must have occurred before access can be 
restricted.

Right now, the ratflector that I run is really there to help people test 
and play with D-RATS without having to own a radio (or know someone else 
that does). There has long been an implied policy of "bridge to RF at 
your own risk" and I believe some people do this only while their 
bridging station is attended.

Systems like Winlink attempt to make sure that you're using a valid 
callsign on their system, which prevents the use of tactical calls when 
they are valid, and is really just as weak as a system that did no such 
verification. An unlicensed friend of mine (long ago) picked up a copy 
of QST one time, picked out a callsign from a distant state and 
proceeded to chat on the local 2m repeater with it. Not even the humans 
knew it was illegal. Any system that I put in place to validate 
callsigns would be susceptible to the same sort of attack. I'm not 
interested in spending my time on something with such a trivial known 
attack vector.

The one system I've seen that approaches real callsign verification is 
EchoLink's telephone verification procedure and subsequent centralized 
password authentication. If anyone is interested in going to the effort 
and expense of such a system, I'll gladly work with them.

> Our remote D-RATS station is purely an RF station right now and no
> ratflectors are connected.  We would like it to be connected to the
> main ratflector because that way an Internet only D-RATS station
> could forward E-mail through our remote D-RATS station to a D-RATS
> RF only station and vice versa, gating E-mail between RF and
> Internet.

You don't need to connect to one of the main ratflectors to do this. Run 
your own, publish the details (heck, I'll put it on the d-rats.com page) 
and provide contact information on how to register. People can request 
access, and you can add them to the access list and then they can 
connect to your RF stations. If you didn't manually approve folks and 
the system required something that looked like a valid US callsign, what 
would prevent my unlicensed and unscrupulous friend from picking a 
callsign out of QST and connecting? Would you feel more comfortable 
defending yourself to the FCC with this system over the current one?

Also note that D-RATS is used around the globe and validating every 
country's callsign is a non-trivial algorithm.

So, I understand where you're coming from, and I appreciate your desire 
to run a legal system. However, I think that what you're looking for is 
not sufficiently secure to run an otherwise wide-open automated system 
safely. Because it will require additional spare time on my part to 
implement, and still not really solve the perceived problem, I'm 
hesitant to add it.

-- 
Dan Smith
www.danplanet.com
KK7DS
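
Added example, not part of the original message and not D-RATS code: a sketch comparing the two gateway policies discussed above, a callsign format check versus a manually approved access list. The regex is a simplified assumption about the shape of US callsigns, all function and class names are hypothetical, and the callsigns are constructed samples.

```python
import re

# Simplified shape of a US amateur callsign (assumption; the real rules
# are more detailed and every other country differs).
US_CALLSIGN = re.compile(r"^(?:[KNW][A-Z]?|A[A-L])[0-9][A-Z]{1,3}$")


def format_check(callsign):
    """Format-only gate: anything shaped like a US callsign is let through."""
    return bool(US_CALLSIGN.match(callsign.strip().upper()))


class GatewayAccessList:
    """Default-deny gate: only stations the operator approved by hand pass.

    Membership records the operator's approval decision; it is not proof
    that the connecting party holds the license.
    """

    def __init__(self):
        self._approved = set()

    def approve(self, callsign):
        self._approved.add(callsign.strip().upper())

    def revoke(self, callsign):
        self._approved.discard(callsign.strip().upper())

    def allows(self, callsign):
        return callsign.strip().upper() in self._approved


def compare(stations, acl):
    """Return {callsign: (passes_format_check, passes_access_list)}."""
    return {s: (format_check(s), acl.allows(s)) for s in stations}


# Constructed sample data.
acl = GatewayAccessList()
acl.approve("K7ABC")   # operator who registered and was approved
acl.approve("EOC1")    # tactical call the gateway owner chose to allow
STATIONS = ["K7ABC", "W4XYZ", "EOC1", "NOTACALL"]
RESULTS = compare(STATIONS, acl)

if __name__ == "__main__":
    for call, (fmt_ok, acl_ok) in RESULTS.items():
        print(f"{call:10} format_check={fmt_ok!s:5} access_list={acl_ok}")
```

W4XYZ stands in for a well-formed callsign copied from a magazine: it passes the format check but not the access list, while the tactical call EOC1 does the reverse.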


