29 Eylül 2015 Salı

Re: [TVHGC Members] question for Richard or someone from the UK league

Hi Marc,

I'm no expert on this and its probably worth discussing it directly with the UK PG XCL team.  There has been many debates on this subject on all the forums so without wanting to start another tread have a read through "UK Paragliding XC news" and "British Paragliding Competitions" Facebook pages and you'll find some threads on the subject. 

As I understand it there are a variety of reasons UK PG XCL don't permit tracks from XCSoar or Kobo LK8000 and one of those reasons is down to the 'open source code' and the keys meaning anyone with a bit of knowledge could alter the track data after the flight for whatever reason.  So unless something has changed and the devices have been made more secure I can't see the position with XCL and other competition organisers changing.



"On a Kono (kindle like) hardware"

Do you mean the Kobo?  yes LK8000 works on the Kobo thanks to the work of Bruno since January 2015 and all the alpha/beta testing that's been going on.  I've been using it throughout the season and apart from a few issues its a nice tool and pretty close to the full WinCE version that I use to use on the Vertica V2.


WinCE version

In terms of the XCL and the signed logs the WinCE version use to have a separate 'non open source' DDL program available which was used to sign the file.  This meant that LK8000 could be kept open source and only the bits relevant to the signing process was secured.  That used to be okay with UK XCL.

However I don't know the status of the WinCE version of the DDL any longer as I thought it stopped as there was a push back from CIVL due to the use of keys and that meant the project could no longer use it.  However I see on the LK8000 website there is no longer any mention of that so maybe they have resolved the dispute.

Kobo version

In terms of the Kobo (Linux) version similar to XCsoar on the Kobo as I understand it there isn't as yet a separate program as there is with the LK8000 WinCE version 'that isn't open source' handling the signing process and containing the keys.  So as you say its all publicly available unlike other dedicated 'non open' GPS units.  However if you know Bruno has now developed something to deal with this then its worth speaking with the UK XCL.

Cheers,
Nik.



On Mon, Sep 28, 2015 at 11:43 AM, Marc M <marcfrm@hotmail.fr> wrote:
Hi

I meet one of the developers of the LK8000.
On a Kono (kindle like) hardware (connected to an external GPS), it runs an application that displays the map, speed and all kind of paragliding information.

The LK8000 is able to sign the GPS tracks.
It uses a "private" key (this is a private seed of a standard Linux MD5 hash).
The LK8000 provides to the FFVL (and other paragliding bodies) a separate program (Linux I think) that is able to validate a signed GPS track. 

Problem: the LK8000 source code is open source, so with a careful reading of the C code, it is possible to read the "private" key and potentially forge a valid GPS trace.
The FFVL is aware of this potential "security" issue, but does not see it as blocking. Rational: someone that can read the source code and forge a valid GPS trace, is potentially able to forge the GPS messages on the serial line going to the LK8000 and therefore build a fake GPS track.
According to the developer I talk to, most of the paragliding national bodies, understand this limitation and accept it.

Only the BHPA (and 2 other countries) refuse to accept a signed GPS track generated from an open source device where the secret key can be found in the source code.

As a workaround, the LK8000 development team added a binary plug-in (i.e. not in open source) that contain the private key and sign the track for the UK league.

So the question (for Richard, or anyone in the UK paragliding league): would it be possible to speak with the BPHA/UK paragliding league to lift this restriction and accept that the private key that sign the GPS track is "visible" in the source code of the open source device ?


--
--
You received this message because you are subscribed to the Google Groups "TVHGC members list" group.
To post to this group, send email to TVHGC_Members@googlegroups.com
To unsubscribe from this group, send email to TVHGC_Members-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.co.uk/group/TVHGC_Members?hl=en-GB
Please note that TVHGC may withdraw any posted messages deemed
unsuitable but does not generally endorse any posted content.
---
You received this message because you are subscribed to the Google Groups "TVHGC members list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tvhgc_members+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

--
--
You received this message because you are subscribed to the Google Groups "TVHGC members list" group.
To post to this group, send email to TVHGC_Members@googlegroups.com
To unsubscribe from this group, send email to TVHGC_Members-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.co.uk/group/TVHGC_Members?hl=en-GB
Please note that TVHGC may withdraw any posted messages deemed
unsuitable but does not generally endorse any posted content.
---
You received this message because you are subscribed to the Google Groups "TVHGC members list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tvhgc_members+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hiç yorum yok:

Yorum Gönder