ROS Software vulnerability: anonymous remote email flooding/spamming

Discussion in 'Working Different Modes' started by IZ0IEN, Aug 18, 2010.

Thread Status:
Not open for further replies.
  1. IZ0IEN

    IZ0IEN Ham Member QRZ Page

    The ROS software written by J. Nieto, used to encode and decode "ROS mode", has a feature that a malicious user can exploit to send many unsolicited mails to a target email recipient. "Many" depends on how many stations are listening and on HF propagation.

    The author of the software was contacted, but just ignored the 4 mails detailing the whole thing, together with a Non-Disclosure Agreement proposal, sent to hear what he would do to resolve it before the problem was published.

    More details here:
    http://www.hamradioweb.org/forums/showthread.php?t=7419

    Regards,

    Cristiano IZ0IEN
     
  2. IK7JWY

    IK7JWY Ham Member QRZ Page

    Hi Chris, nice to meet you on qrz.com too :D
    I think Nieto has to fix the problem as soon as possible.
    73 de IK7JWY Art
     
  3. IK7JWY

    IK7JWY Ham Member QRZ Page

    sri for mistake :eek:
     
  4. G0GQK

    G0GQK Ham Member QRZ Page

    The ROS mode has created such a disturbance in the radio amateur world that I don't think it will ever be as popular as PSK 31. In the US only one radio amateur has been given permission to test the mode for the FCC, and the results of his activities will no doubt be chewed over for so long by the FCC that everyone will by then have forgotten all about it.

    G0GQK
     
  5. IZ0IEN

    IZ0IEN Ham Member QRZ Page

    I agree. But the question is a little bit more important than a new digital mode.

    Personally, I don't complain about "new things". Discovery is the essence of the radio amateur hobby. I complain about the fact that not many hams are so practical in PC-related things. The ROS software exposes *anyone* in the world, even people who have never seen a HAM callsign and don't know what a HAM is, to receiving unsolicited mail in their inboxes because of an uncontrolled, automatic feature of the ROS mode software that can be exploited by anyone who has an HF radio and is able to connect this radio to a PC.

    I complain about the fact that, when someone tries to interface the radio world with the internet world, they must be *extremely* careful. And if the HAM community reports to you that something is wrong with your software, you must listen, not just ignore what other people are saying.

    Privacy must also be taken into account. What about an autospot originated by my PC - my boss, also a HAM, knows I'm at work - and the autospot gives him the apparent evidence that I'm on the radio?? What then?? How can you come up with a valid explanation for this??

    The internet world needs care. The radio world needs care. You can't just put those two elements in a shaker, shake it and serve the cocktail to the masses.

    Apologies for my bad English, and those are my 2 (euro) cents.

    Cristiano IZ0IEN
     
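    The amplification described in the two posts above (one transmission naming an address, every listening station that decodes it sending a mail) can be modelled and contrasted with the controls a practitioner would expect. The following is an added example and is not the ROS software's code: the frame layout (a callsign, a recipient address and a per-transmission id), the idea of a central relay, and the opt-in / dedupe / rate-limit policy are all assumptions made for illustration.

```python
# Constructed model of the "anonymous remote email flooding" discussed in this
# thread.  It is NOT the ROS software's code: the frame format, the relay and
# the policy below are assumptions made for illustration only.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Spot:
    """One decoded over-the-air frame (assumed layout): who sent it, which
    email address it asks to be notified, and a hypothetical per-transmission id."""
    callsign: str
    recipient: str
    msg_id: str


class NaiveRelay:
    """Models the flaw: every forwarded spot becomes one mail to the address
    named in the frame.  No opt-in, no dedupe, no limit."""

    def __init__(self):
        self.sent = []

    def forward(self, spot: Spot, listener: str, now: float) -> bool:
        self.sent.append((spot.recipient, listener, spot.msg_id))
        return True


class HardenedRelay:
    """Same interface with three controls: the recipient must have opted in,
    one transmission is delivered at most once however many stations decode
    it, and each recipient gets at most `limit_per_hour` mails per hour."""

    def __init__(self, opted_in, limit_per_hour: int = 5):
        self.opted_in = set(opted_in)      # addresses whose owners verified they want mail
        self.limit = limit_per_hour
        self.seen = set()                  # (recipient, msg_id) already delivered
        self.window = defaultdict(deque)   # recipient -> timestamps of recent deliveries
        self.sent = []
        self.dropped = defaultdict(int)    # reason -> count, for monitoring

    def forward(self, spot: Spot, listener: str, now: float) -> bool:
        if spot.recipient not in self.opted_in:
            self.dropped["not_opted_in"] += 1
            return False
        key = (spot.recipient, spot.msg_id)
        if key in self.seen:               # many listeners decode the same transmission
            self.dropped["duplicate"] += 1
            return False
        q = self.window[spot.recipient]
        while q and now - q[0] >= 3600:    # sliding one-hour window
            q.popleft()
        if len(q) >= self.limit:
            self.dropped["rate_limited"] += 1
            return False
        self.seen.add(key)
        q.append(now)
        self.sent.append((spot.recipient, listener, spot.msg_id))
        return True


def simulate(relay, n_listeners: int, n_transmissions: int,
             target: str = "victim@example.com", interval_s: float = 60.0) -> int:
    """An attacker keys n_transmissions frames naming `target`, one every
    interval_s seconds; every one of n_listeners stations decodes each frame
    and forwards it to the relay.  Returns how many mails the target receives."""
    for i in range(n_transmissions):
        spot = Spot("ATTACKER", target, f"tx-{i}")   # constructed input
        now = i * interval_s
        for l in range(n_listeners):
            relay.forward(spot, f"LISTENER-{l}", now)
    return sum(1 for recipient, _, _ in relay.sent if recipient == target)


def compare(n_listeners: int = 25, n_transmissions: int = 12) -> dict:
    """Mails reaching the target under each relay for the same attack."""
    return {
        "naive": simulate(NaiveRelay(), n_listeners, n_transmissions),
        "hardened_not_opted_in": simulate(HardenedRelay(opted_in=[]),
                                          n_listeners, n_transmissions),
        "hardened_opted_in": simulate(HardenedRelay(opted_in=["victim@example.com"],
                                                    limit_per_hour=5),
                                      n_listeners, n_transmissions),
    }


if __name__ == "__main__":
    print(compare())   # naive: 300, not opted in: 0, opted in: 5
```

    With 25 listening stations and 12 transmissions the naive relay delivers 300 mails to an address that never asked for them; the hardened relay delivers none unless the owner opted in, and then at most the hourly limit, no matter how many stations decode the attacker's signal. The per-recipient limit only works at a choke point every forwarder goes through; enforcing it in each station's client would still let the target receive N times the limit.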
  6. M0WAN

    M0WAN Ham Member QRZ Page

    I get a bit twitchy about this whole ROS thing - if experimentation is taking place with a new highly robust mode, why on earth not just release the basic decoding/encoding software with no additional baggage?

    I'm sure enthusiasts are quite capable of arranging skeds and confirming contacts with each other - why make that side of things automated? Perhaps I have that part wrong, but evidently some part is automated - unnecessarily in my view.

    I'm afraid I find the mode extremely irritating, occupying as much bandwidth as it does - more than phone, at least from the perspective of adjacent interference.

    As for a mode designed to be able to operate down to obscene S/N ratios, what's wrong with Olivia? Has sufficient experimentation really taken place with that? I have personally been very impressed with Olivia's robustness and see ROS as simply another wheel of a slightly different and rather annoying colour.

    I can't help wondering if there is some hidden agenda here, especially as the author of the software seems unwilling to explain himself.

    I'm going to boycott the mode and refuse to use it. :)
     
  7. odye25

    odye25 Banned

    The above statement is seen to be contradictory. The situation is very critical and need an experience complainer to resolve it.
    I show a lot of forums on a regular basis and for the most thing, group deficiency sum but, I vindicatory hot to piddle a excitable account to say I'm glad I saved your installation.
     
  8. N1SZ

    N1SZ QRZ Lifetime Member #233 Platinum Subscriber Life Member QRZ Page

    ROS

    ROS = Run Other Software

    Let’s take a look at some significant “red flags” with the ROS software:

    1.) Special code added in apparent anger to keep critics from using the software (although reportedly removed in recent versions)

    2.) Won't make the source code open for public inspection (not that it is 100% required, but it would allay a lot of concerns about the software)

    3.) Requires a Gmail e-mail account and password - (giving such things away would make any IT security professional lose their mind)... is this still the case?

    4.) PDF literature provided by Jose had PDF file signatures and an "Authored by" signature of another well-known digital mode author in Jose's own work..... I wonder how that happened?

    5.) Automatically sends messages to a hard-coded list of servers... and possibly other places?

    6.) Apparently sends bogus callsigns and spots to various reflectors

    7.) Gives users little if any control over the software's spotting to the internet

    8.) Now, after "going away" for a short time, has a new version that, if you try to defeat the automatic spotting with a firewall, automatically shuts down. (Sounds like a child's temper tantrum to me...)

    Well, I've made it known that I've been suspicious of Jose's intentions all along, but if this all seems "normal" to you and doesn't bother you.... I say good luck and press on with your use of ROS. But from my limited interactions in the world of IT security, it sure sets off a lot of alarms and warning signs to me.

    Now vulnerability is discovered..... and the author won't respond.... HMMMM??? I'm shocked.... NOT!

    For those not familiar with all of the "history" of the ROS mode, the following thread is worth your time:

    http://forums.qrz.com/showthread.php?t=239742&highlight=ROS

    It is worth reading ALL 13 pages!


    73,

    SZ
     
  9. M0WAN

    M0WAN Ham Member QRZ Page

    Thanks for putting peoples' concerns together in one place - anyone care to add to these, or with firm evidence refute any of them? How about the author, who I'm sure comes here??
     
  10. G4ILO

    G4ILO Ham Member QRZ Page

    Someone in the digital modes Yahoo group conducted some comparative tests and concluded that the benefits of the ROS mode did not justify its use of bandwidth. Olivia was just as good, and required less spectrum.

    I totally agree that one of the most worrying aspects of this episode has been that it has demonstrated how completely trusting so many people are to run a bit of software from a source they know nothing about. If it were open source, or developed by a ham with an existing track record in developing new digital modes, one would have more reason to trust it.
     