ROS Software vulnerability: anonymous remote email flooding/spamming

Discussion in 'Working Different Modes' started by IZ0IEN, Aug 18, 2010.

Thread Status:
Not open for further replies.
ad: L-HROutlet
ad: l-rl
ad: L-MFJ
ad: Left-2
ad: MessiPaoloni-1
ad: Subscribe
ad: Left-3
  1. MW0UZO

    MW0UZO Ham Member QRZ Page

    I might as well stick my oar in - this is copied from posts on another thread on this topic, by myself. A bit of preamble is that I was trying to demonstrate the misunderstandings and misinformation that contribute to a unfairly destructive situation.

    Let me show an example post on digitalradio that looks like ok criticism at first, but when you examine it becomes BS.

    Quoted from Jim, N1SZ

    Dave & All,

    No, I was thinking the same thing. Let’s take a look at some significant “red flags” with the ROS software:

    1.) Special code added in apparent anger to keep critics from using the software (although reportedly removed in recent versions)
    2.) Won’t make the source code open for public inspection (not that it is 100% required, but it would allay a lot of concerns about the software)
    3.) Requires Gmail e-mail account and password – (giving such things away would make any IT security professional lose their mind)… is this still the case?
    4.) PDF literature provided by Jose had PDF file signatures and “Authored by” signature of another well know digital mode author in Jose’s own work….. I wonder how that happened?
    5.) Automatically sends messages to a hard coded list of servers… and possibly other places?
    6.) Apparently sends bogus callsigns and spots to various reflectors
    7.) Gives users little if any control over the software’s spotting to the internet
    8.) Now, after “going away” for a short time, has a new version that if you try and defeat the automatic spotting with a firewall, it automatically shuts down. (Sounds like a child’s temper tantrum to me…)

    Well, I’ve make it known that I’ve been suspicious of Jose’s intentions all along, but if this all seems “Normal” to you and doesn’t bother you…. I say good luck and press on with your use of ROS. But from my limited interactions in the world of IT security, it sure sets off a lot of alarms and warning signs to me.

    Jim
    N1SZ

    PS – I know… I’m feeding Jose’s need for attention

    I'll deal with each point.

    Let’s take a look at some significant “red flags” with the ROS software:
    1.) Special code added in apparent anger to keep critics from using the software (although reportedly removed in recent versions)


    This is not a professional way of behaving. However, given the pressure exerted by hams for whatever reason, it is understandable that the author would want to do something to vent pressure. Writing some code to restrict certain calls would be first on the list, imo. He realises after some time this is not constructive, however stupid some of the criticism was. He removes the code. This is now not an issue.



    2.) Won’t make the source code open for public inspection (not that it is 100% required, but it would allay a lot of concerns about the software)


    This was probably written on Microsoft Windows! It is totally up to the author what code to release and what not to. He wrote it, Jim didn't. There is no argument here.



    3.) Requires Gmail e-mail account and password – (giving such things away would make any IT security professional lose their mind)… is this still the case?


    Is the user's email account used for sending QSO reports? What would be the author's interest in stealing accounts? He's written a datamode for god sake, not a chat program for horny males. Let's be realistic here.


    4.) PDF literature provided by Jose had PDF file signatures and “Authored by” signature of another well know digital mode author in Jose’s own work….. I wonder how that happened?


    Jose's first language is Spanish. Any excellent description of a process would inevitably be cut and pasted from English sources.


    5.) Automatically sends messages to a hard coded list of servers… and possibly other places?


    Probably for the QSO reporting. Has Jim actually looked at the code himself? No.



    6.) Apparently sends bogus callsigns and spots to various reflectors


    Software bug. Incorrectly decoded calls sent without checking, multiple spots by software bug. A lot of bug are easy to miss, developing on your own.


    7.) Gives users little if any control over the software’s spotting to the internet


    Its software in development, perhaps he hasn't got round to making that all important gui panel. The author is interested in writing code, not panels.



    8.) Now, after “going away” for a short time, has a new version that if you try and defeat the automatic spotting with a firewall, it automatically shuts down. (Sounds like a child’s temper tantrum to me…)

    This is the most funny for me. Jim obviously hasn't heard of exception handling. If an error occurs, it is up to the application to catch and handle it, otherwise the application just quits and disappears. Jose hasn't forseen someone playing around with the firewall and when an error is thrown, it is not caught and the program disappears.

    As you can see after this, there are not many valid points left. This demonstrates the BS that hams propagate without any thought whatsoever. And all along, they are convinced they are right. Whats quite disturbing in this particular case, is that Jim has quite clearly already decided that Jose has suspicious intentions without evidence and is taking pleasure in continuing false information.
     
  2. MW0UZO

    MW0UZO Ham Member QRZ Page

    Again, another copy from the other thread. At the time I was quite angry - so I do accept that some of this is rude and in retrospect should be toned down a little.


    To continue this theme of analysis let us look at another case, involving a well respected member of the ham community who has contributed constructively to the hobby, or so we would think.

    Julian, G4ILO, has a website and blog containing several very interesting things. He has written several useful programs and is interested in experimentation and advancement of knowledge. If we were to meet in a pub we could no doubt chat for hours about circuits, new ideas, CW, code etc.


    So lets look at a recent thread posted yesterday to someone inquiring about digital modes Olivia, from a new ham wanting to learn about digital modes.

    http://forums.qrz.com/showthread.php?t=254670

    While not immediately apparent, the agenda underneath is clear. The crusade against ROS and the discrediting of its author. The new ham has read the BS, absorbed it as truth and in no fault of his own now is biased against a modulation type without even using it. Misdirection from the highest level. The new ham will report his findings to his associates. Negative comments propagate much more quickly than positive or neutral ones, thus continuing the BS.


    Let's have a look at some of the blog posts and comments about ROS: 'Pushing the envelope of stealth ham radio'

    Quote from G4ILO

    ROS would be less of a problem if people used it only in circumstances where it would not be possible to communicate using a narrower mode. Unfortunately that discipline does not exist among today's radio amateurs. People are using ROS to make contacts with others whose signals are strong enough that 30Hz wide PSK31 could be used. This is just selfish, and it is the reason why I feel that such a wide digital mode should not be permitted on HF at all.

    Ah an experimenter wishing to legislate against an experimenter. The hypocrisy. There's plenty of room, its 2.2kHz not 25kHz. Anyone is free to use what mode they choose, whether you like how they do it or not, or where they do it. Most people find an empty space, the size of what is required. Do remember that some of them may not hear YOU. I wonder if he would complain proportionally more about people using old AM equipment?


    Quote from G4ILO

    But even if he was a nice guy would the mode be worth using? I can't help thinking that if he was an experienced ham himself he would never consider introducing a 2.25kHz wide mode on the HF bands. But perhaps that's just me being narrow minded?

    Yep, it sure is. Something in the back of G4ILO's head is telling him something, but out of stubbornness and the lengths he has gone to talking about ROS and his viewpoint, he won't accept it.


    Quote from G4ILO

    Suppose you were a member of a village football team that had practised and played on the village green for years. And suppose that one day you turned up for a game and found a new rugby team using your pitch. You'd be pretty annoyed, wouldn't you? Even though the village green is common land and so legally there for all to use, the football team would not expect its use of the football pitch established over many years to be usurped in this way. So it isn't all that surprising that when it is, there's a punch-up.

    A ridiculous analogy, theres plenty of space on the amateur bands if you want got 'get outside the box'. Its not your pitch. You'd wait until their game was over then start yours. Ah, the ham radio spirit. Or in Julian's case, the NIMBY.


    Quote from G4ILO

    I am not against experimentation, and would suggest that a small part of each band be set aside for experimental modes, experiments being conducted by the developer and a few chosen testers. However, before a mode can be made available for general use it should be approved by an international committee which would take into consideration the benefits of the mode, the amount of bandwidth it occupies and what frequencies it may be used on.

    So you want to effectively set up a brick wall to other authors and experimenters and people who wish to use a new mode. Words escape me here, the hypocrisy is astounding.


    Quote from G4ILO

    Perhaps we should try and get it banned in the UK as well? :)

    This is actually scary Julian. You advocate banning a digital modulation type that takes up 2kHz bandwidth. You are seriously becoming cancerous :)


    What is also interesting is that a since deleted comment by Bas on his blog pointed out that it might be embarrassing continuing his shortsighted ROS campaign. This went way over his head.

    Julian has effectively started to discredit himself. A disagreement between Jose and himself and the resultant anger has totally clouded his judgment and he has lost his perspective.

    Could Julian really be start of one of these types that sit in the corner whinging about Foundation licence holders while their world sphere gets smaller and their contributions get more destructive? I hope not, in fact I hope he proves me wrong. And that in doing so, he may pause for breath to consider the stance he has adopted. :)
     
  3. MW0UZO

    MW0UZO Ham Member QRZ Page

    As for the OP, I would point out that the scope for abuse is likely small - this is an application run by relatively few people, not a common web application. It is also beta software. It's also good that the OP has reported the potential issue.

    Jose should of course listen to valid criticism. Sadly, this whole issue has been so stoked up that all reasonable relationship between the author and the ham community has broken down.
     
    Last edited: Aug 21, 2010
  4. K3DCW

    K3DCW QRZ Lifetime Member #212 Volunteer Moderator Platinum Subscriber Life Member QRZ Page

    re: ROS Software vulnerability: annonymous remote email flooding/spamming

    I wanted to paraphrase, condense and respond to many of 2W0UZO's verbose statements below:

    Not true...since it is a spread spectrum mode, it is illegal in the US below 1.25 meters. It may be legal elsewhere, but the initial questions raised about ROS revolved around this point, which led to Jose changing the description of his mode, posting false FCC reports, etc.

    I do agree with you that most people find an empty space and use it, but Jose developed a mode with fixed QRGs, assigned at his whim, with no regard to what is already taking place in the bands. He is still adding frequencies at will; the most recent software added 14091kHz, a 40m freq (I can't recall off the top of my head which one), another 17m freq, etc. I wonder who these were coordinated with?


    I see that you're willing to write off everything to coincidence, lack of time, beta mode, poor programming, etc...not a very convincing argument...especially if you are giving someone complete access to your machine and email accounts.


    Yes, the email account was used for sending QSO reports. I do not believe that it is REQUIRED any longer, but the hooks are still there and exploitable as reported by IZ0IEN. Now, if you don't know why someone would be interested in stealing accounts, then you don't understand the multi-billion dollar/pound spam and email marketing industry. Each email account can be used to send millions of emails, so you don't need a large user base to see how it would be POSSIBLE to send hundreds of millions of spam emails. I'm not saying that Jose is part of that, but just that the possibility for exploitation does exist.


    So, if there is no chance for a reasonable relationship between the author and the ham community, why does he continue development??? What is his ultimate goal?? Why put up with the criticism if he is doing this for altruistic purposes...or does he have another purpose?

    And why do ham operators so willingly open up their computers to someone who has absolute disdain for the way the amateur community operates?

    There are a lot of questions out there, and while some may have been resolved, the questions that remain still raise red flags.


    Dave
    K3DCW
     
  5. MW0UZO

    MW0UZO Ham Member QRZ Page

    I can assure you that this is not the case.
     
Thread Status:
Not open for further replies.

Share This Page