
The ARRL incident of May 2024 Foundations of Amateur Radio


Foundations of Amateur Radio

Today I want to talk about something that might feel only tangentially related to our hobby, but it likely affects you.

Recently the ARRL announced that it was "in the process of responding to a serious incident involving access to our network and headquarters-based systems". A day later it sought to assure the community that the "ARRL does not store credit card information" and they "do not collect social security numbers" and went on to say that their "member database only contains publicly available information". Five days after that it's "continuing to address a serious incident involving access to our network and systems" and that "Several services, such as Logbook of The World(R) and the ARRL Learning Center, are affected", but "LoTW data is secure". Over a third of the latest announcement, more than a week ago, was to assure the community that the July QST magazine is on track but might be delayed for print subscribers.

Regardless of how this situation evolves, it's unwelcome news and much wider reaching than the ARRL.

LoTW, or Logbook of The World, is used globally by the amateur community to verify contacts between stations. The IARU, the International Amateur Radio Union, is headquartered at the ARRL office.

I've been told that I should have empathy and consider that the ARRL is only a small organisation that may not have the best of the best in technology staff due to budget constraints and finally, that LoTW being down for a few days is not going to kill anyone.

All those things might well be true and mistakes can and do happen.

The ARRL has been in existence for well over a century, bills itself as the answer to "When All Else Fails" and has even registered this as a trademark, but hasn't actually said anything useful about an incident that appears to have occurred on the 14th of May, now over two weeks ago. By the way, that date is based on the UptimeRobot service showing less than 100% up-time on that day. The ARRL hasn't told us when this all occurred; it didn't even acknowledge that anything was wrong until two days later.

This raises plenty of uncomfortable questions.

What information did you share with the ARRL when you activated your LoTW account? For me it was over a decade ago. I jumped through the hoops required and managed to create a certificate. What information I shared at the time I have no idea about. As I've said before, I do know that security was more extreme than required by my bank, even today, and the level of identification required was in my opinion disproportionate to the information being processed by the service, lists of amateur stations contacting each other.

Something to take into account, on the 30th of October 2013, Norm W3IZ wrote in an email to me: "Data is never removed from LoTW." - I have no idea how much or which specific information that refers to.

If you used the ARRL Learning Center, what information did you share? If you're a member of the ARRL, or you purchased something from their online store, what data was required and stored? Is the data at the IARU affected? What infrastructure, other than the office, do they share?

While I've been talking about the ARRL, this same issue exists with all the other amateur services you use. QRZ.com, eQSL.cc, eham.net, clublog.org, your local regulator, your amateur club, your social media accounts, all of it.

What information have you shared?

Do you have an internet birthday, address and middle name?

Recently I received a meme. It shows two individuals talking about life, the universe and everything. They discuss their favourite books, the first movie they ever watched, the name of their pets, what car they learnt to drive in, their interests and other things you talk about when you meet someone new and interesting. The last image of the meme shows the heading: "Security Questions Answered, Welcome Amanda."

So, my question is this: What's your favourite colour and your mother's maiden na
