The ARRL incident of May 2024, a year later


Foundations of Amateur Radio

Just over a year ago, the ARRL, the American Radio Relay League, the peak body for amateur radio in the United States and one of the oldest of such organisations, experienced an incident. During the weeks following, the ARRL was tight-lipped about the extent of the incident and most amateurs only really noticed that services were off-line or slow to respond.

After months of delay and disinformation, the ARRL finally revealed that it was the subject of a ransomware attack and that it had paid a million-dollar ransom. It went on to blame the authorities for its silence.

Mind you, it didn't tell me personally, it made public statements on its website. Similarly, when I specifically contacted the ARRL to discover what information of mine it held, and what the status of that information was, the ARRL responded that I should refer to its public statements. It continued to state that my information was not compromised, since it only lived in LoTW, the Logbook of The World, the system it uses to coordinate the verification of amateur radio contacts, which are used to distribute awards like the DXCC and Worked All whatever.

Imagine my surprise when I received an email this week, sent from "memberlist@arrl.org" to my non-amateur radio email address. I confirmed with several amateurs that they too received this email.

Informative, to a point, but likely well beyond anything intended by its author, it stated that LoTW was being updated with associated downtime, incidentally, inexplicably, coinciding with the 2025 ARRL Field Day, and it "will be fully migrated to the cloud". It went on to solicit donations. It made no reference whatsoever to the ransomware attack.

There's a lot hidden in that email.

Although the attack last year was linked to the outage associated with LoTW, the ARRL has continued to claim that the LoTW data was not impacted by the ransomware attack, but the email reveals that the system is being migrated to the cloud, in other words, right now, it's not in the cloud. Which begs the question, where is the server infrastructure for LoTW today, and more importantly, where was it a year ago when its systems were compromised?

From a public post by Dave AA6YQ, dated the 2nd of February 2021, in response to a message about a January LoTW committee meeting, we know that the LoTW server "now employs the current version of an SAP database engine". A month before that, Dave wrote another informative email that indicated that 105 thousand callsigns submitted logs to LoTW in the last 1,826 days or the five years between 2016 and 2021. There were logs from 21 thousand callsigns in the week prior to that January post. In all, according to Dave, there were 153,246 callsigns who submitted contacts to LoTW.

The LoTW committee meeting minutes are no longer available from the ARRL website, but I have a copy. The document states that there were 1.2 billion contacts entered into LoTW, big number, right? The next line tells us that this resulted in 262 million QSO records. I wonder what happened to the other billion records? This activity was generated by 139 thousand users using 200 thousand certificates. For context, every VK callsign automatically comes with an AX callsign, but LoTW requires that you separately register each with its own certificate.

As someone who has been playing with databases since the 1980s I can tell you that LoTW is a tiny database. For comparison, the WSPR database is an order of magnitude larger, not to mention, more active.

I have no insight into the business rules within the LoTW database, but the fact that updates are being processed in batches and that it regularly has delays indicates a level of complexity that I cannot account for.

As an aside, the LoTW committee document lists 10 members. Dave is not one of those listed. It makes me wonder who else has access to this database. Note that I have no reason to believe that Dave's information is questionable, nor that he has access that he shouldn't, he was after all a member of the LoTW committee from 2013 until 2017 when the ARRL removed all development resources from the LoTW. I'm asking who else has access and why? While we're here, who has been doing maintenance and updates on this system over the past seven years?

Moving on.

The database for LoTW contains information from amateurs all over the planet, including those in Europe where the GDPR, the General Data Protection Regulation, enacted in 2016, is extremely strict on the security and disclosure of personal data with very heavy penalties for breaches. The GDPR requires notifications be sent within 72 hours of a breach, and that an organisation must designate a data protection officer. I wonder who has that role at the ARRL and I wonder if they told anyone? Did any European amateurs receive personal notification from the ARRL about their data? I know I didn't.

My first activation of LoTW was in 2013, now twelve years ago. I received ...