On 21/01/2011, at 12:28 AM, <[email protected]> <[email protected]> wrote:
> If in a comp the O.O was looking over your shoulder as you loaded your task > and declared it, He un plugs it, he install’s it in the glider and seals the > cables with tape and markings photographes it with his camera , you fly the > task, as you finish your rollout he verifies the tape and markings and then > photo graphs it again, then he removes it for down load and submittal for > scoring. > With the official process adhered to no falsification can occur. Not actually true when the required equipment is small enough to carry in the baggage compartment, and can do its work without physical tampering with the OO's stuff. One could actually fly the task and come back with a forged logger trace which said that you flew it slightly differently (e.g., extended the distance just that little bit further into each turnpoint radius, giving you just that little bit extra distance) The resulting trace could be very similar to "real life," and have an identical set of timestamps on it, but show a bit more distance. And you've still had the fun of flying the task. :) The incentives for abuse are even higher for world record claims, and I reckon they'd be easier to forge too, because there's probably no potential to compare the traces to lots of others like you could at a comp. IGC approved loggers are surrounded by a thin veneer of technological gobbledegook which looks like "security" to someone who hasn't thought about it, but which is probably no such thing. The mystical aura of cryptography sure sounds impressive, but. The purpose of countermeasures isn't to directly prevent the behaviour you wish to protect against, it's to increase the cost of that behaviour enough to make it impractical. In the case of a logger, the security measures employed ought to make flying a task cheaper and easier than generating a forged trace. You can imagine the process the IGC went through: Problem: We want to prevent people from submitting fraudulent logger traces. Method: Editing the logger trace. Countermeasure: Use crypto to prevent editing. Supercomputer time is expensive, so this countermeasure makes flying the task cheaper and easier. Method: Alter the electronics inside the case. Countermeasure: Require tamper-proof packaging on an IGC logger. Performing alterations of hardware in tamper-proof packaging is generally expensive and technically challenging, flying the task is probably cheaper and easier. Method: Alter the software inside the case. Countermeasure: Require loggers to be submitted to IGC for test, audit, certification; Require tamper-proof packaging so software can't be altered after the fact. Previous notes about expense and simplicity also apply. Method: Feed-in fraudulent GPS position data. Countermeasure: Write a rule, because rules are never broken by cheats (!), and because the equipment required to inject fraudulent GPS position data is so expensive it's probably easier and cheaper to just fly the task. GPS signal injection isn't new, but what's changed is the "expensive and difficult" part. It just ain't anymore. So the countermeasure is no longer effective, and the "security" is illusory: The countermeasure probably doesn't make forging a logger trace more expensive or difficult than flying a task. Throughout this discussion I also note that nobody has addressed the $20 GPS jammer that's small enough to fit on a keyring. Combine it with a timer that only turns it on after the task has started, and gaffer-tape it inside someone's wheel well on the last day of a comp to make them lose. Costs almost nothing and is pretty much untraceable to any particular individual. You could even trivially rig it up to the undercarriage so that it jettisons when the wheel is extended, leaving no evidence. Touchy subject nobody wants to talk about? :-) As a competition organizer, Tim's "Make my day," attitude probably isn't helpful, it's setting up a situation where the only way to get the competition organizer to take any of this seriously is to actually provide proof by demonstration -- i.e., to successfully cheat. Security practitioners need to "think like the bad guy" to win, and the motivated bad guy probably knows all about your countermeasures and is diligently using his ingenuity to get around them. If you're not taking that seriously then you're just asking to have a National Championship invalidated due to cheating: It only costs $20, which is probably low enough to entice someone with no stake in the competition to try it just to piss everybody off. What effective countermeasures are available? - mark -------------------------------------------------------------------- I tried an internal modem, [email protected] but it hurt when I walked. Mark Newton ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----
_______________________________________________ Aus-soaring mailing list [email protected] To check or change subscription details, visit: http://lists.internode.on.net/mailman/listinfo/aus-soaring
