Today I want to talk about something that might feel only tangentially related to our hobby, but it likely affects you.
Recently the ARRL announced that it was “in the process of responding to a serious incident involving access to our network and headquarters-based systems”. A day later it sought to assure the community that the “ARRL does not store credit card information”, that they “do not collect social security numbers”, and that their “member database only contains publicly available information”. Five days after that it was “continuing to address a serious incident involving access to our network and systems”, noting that “Several services, such as Logbook of The World® and the ARRL Learning Center, are affected”, but that “LoTW data is secure”. Over a third of the latest announcement, more than a week ago, was spent assuring the community that the July QST magazine is on track but might be delayed for print subscribers.
Regardless of how this situation evolves, it’s unwelcome news and much wider reaching than the ARRL.
LoTW, or Logbook of The World, is used globally by the amateur community to verify contacts between stations. The IARU, the International Amateur Radio Union, is headquartered at the ARRL office.
I’ve been told that I should have empathy and consider that the ARRL is only a small organisation that may not have the best of the best in technology staff due to budget constraints and finally, that LoTW being down for a few days is not going to kill anyone.
All those things might well be true and mistakes can and do happen.
The ARRL has been in existence for well over a century, bills itself as the answer to “When All Else Fails” and has even registered this as a trademark, but hasn’t actually said anything useful about an incident that appears to have occurred on the 14th of May, now over two weeks ago. That date, by the way, is based on the UptimeRobot service showing less than 100% up-time on that day; the ARRL hasn’t told us when this all occurred, and didn’t even acknowledge that anything was wrong until two days later.
This raises plenty of uncomfortable questions.
What information did you share with the ARRL when you activated your LoTW account? For me it was over a decade ago. I jumped through the hoops required and managed to create a certificate. I have no idea what information I shared at the time. As I’ve said before, I do know that the security was more extreme than my bank requires, even today, and the level of identification demanded was in my opinion disproportionate to the information being processed by the service, which is lists of amateur stations contacting each other.
Something to take into account: on the 30th of October 2013, Norm W3IZ wrote in an email to me, “Data is never removed from LoTW.” I have no idea how much or which specific information that refers to.
If you used the ARRL Learning Center, what information did you share? If you’re a member of the ARRL, or you purchased something from their online store, what data was required and stored? Is the data at the IARU affected? What infrastructure, other than the office, do they share?
While I’ve been talking about the ARRL, this same issue exists with all the other amateur services you use. QRZ.com, eQSL.cc, eham.net, clublog.org, your local regulator, your amateur club, your social media accounts, all of it.
What information have you shared?
Do you have an internet birthday, address and middle name?
Recently I received a meme. It shows two individuals talking about life, the universe and everything. They discuss their favourite books, the first movie they ever watched, the name of their pets, what car they learnt to drive in, their interests and other things you talk about when you meet someone new and interesting. The last image of the meme shows the heading: “Security Questions Answered, Welcome Amanda.”
So, my question is this: What’s your favourite colour and your mother’s maiden name?
Seriously, next time you access a service online, have a look at what data that service has. When you sign up, consider the requirements for the service and how much information that’s worth. Do you really need to send your birthday, your gender and your physical address with a copy of your passport or another government approved identity document? If you’re being asked for the name of your first pet, consider answering something unique. In my case, I generate a random string of characters to use as an answer for each security question.
The ARRL “incident” is the tip of the iceberg. This problem isn’t going away; it’s only going to get bigger and happen more often.
Final observation. With the potential of a global shopping list for thieves coming out of the database at the ARRL, will you be sharing your station address next time? And if you’re subject to the GDPR, the General Data Protection Regulation, perhaps it’s time to ask your online service providers exactly what they’re doing to protect your information, and that includes the ARRL.
I have sent two emails to the ARRL in relation to these questions, but have yet to receive an acknowledgement, let alone answers.
By the time this reaches you, perhaps the ARRL has answers to my questions and more.
I’m Onno VK6FLAB
vk6flab@lemmy.radio 5 months ago
ARRL statements:
Suggestions that the ARRL “incident” is considerably more significant:
LoTW status page:
I also note that I received a response from the ARRL that instructed me to read their announcement linked above.