Comments •

  • @vk6flab
    @vk6flab 8 days ago

    ARRL breach notice:
    www.documentcloud.org/documents/24803975-arrl-breach-notification
    Bleeping Computer article:
    www.bleepingcomputer.com/news/security/arrl-finally-confirms-ransomware-gang-stole-data-in-cyberattack/

  • @kevinshumaker3753
    @kevinshumaker3753 several months ago +12

    Interesting. I don't give anything out anymore. I think I signed up to ARRL like 6-7 years ago, but never signed up for LOTR or other systems, because that's not the purpose I got licensed for. I usually give fake dates of birth, fake first dog names and other such info unless they can prove a legitimate need. My online and IRL info is different even for my doctor and bank. Sucks having worked in IT and knowing all the ways you can be phished...

    • @vk6flab
      @vk6flab several months ago +2

      I have received reports of amateurs sending in copies of their passports. I wish I could recall what I sent, but I take comfort in that I've moved several times since, have had several identity documents renewed and our regulator has never published my physical address.

    • @kevinshumaker3753
      @kevinshumaker3753 several months ago

      @vk6flab Nice thing about US passports is they do not contain US Social Security numbers, and don't have a street address. Unfortunately, FCC does show mailing address. Like you, though, I've moved several times, and use a PO Box for a lot of mailing addresses.

  • @nealbeach4947
    @nealbeach4947 several months ago +8

    Technology will be the end of us all yet the moths continue towards the flame.

    • @vk6flab
      @vk6flab several months ago +2

      So, not a collision with an asteroid?

  • @rlic9206
    @rlic9206 several months ago +5

    If they can hack it they will. Use this as a training experience.
    We need to come up with a better system in order to help others in an emergency. Communications are everything.

    • @N0LSD
      @N0LSD several months ago +1

      I've pointed out elsewhere, and I'll point it out here: ARRL does not have a CISO -- a Chief Information Security Officer. They have a President, two Vice-Presidents, a CEO, a treasurer...but no one ensuring that their information systems are secure. And I really, *really* don't want to hear about, "...but they're a *small* company" -- no, they're a CORPORATION. They *really* like to put that out there in all their communications with their membership: that they're a *corporation*. Ok -- well, if you're a corporation, then you should have a Chief Information Security Officer.
      What we need is for organizations and corporations to be transparent up-front, *before* we fork over information, about what they're going to do about protecting the information we provide to them. Then, when they get pwned, they need to be transparent about what was compromised and why. Then, they need to be held accountable.
      Additionally, companies need to be made to understand that simply offering credit checks after their systems have been compromised is not a data protection policy. The bits of information that are stolen from ARRL's systems, alone, may not be enough to steal someone's identity. But these data breaches do not occur in a bubble, and information stolen from one place can be put next to information stolen from another place to then have enough information to steal someone's identity. This isn't rocket surgery - this process can be automated.

    • @vk6flab
      @vk6flab several months ago +1

      It's interesting that an organisation such as the ARRL, supposedly with expertise in emergency situations, appears to be so completely ineffectual in its own emergency.

    • @vk6flab
      @vk6flab several months ago

      It is staggering to me that the concept of "Know Your Customer" (KYC) is so pervasive today that it is used as an excuse to save all incoming data. At no point has anyone stated that you should use this identity information once to establish an account, then dispose of the information.
      I have no doubt that the ARRL trove will turn out to contain significantly more information than the public data currently claimed.
      As for the lack of CISO, par for the course in most organisations. I've been in this industry for 40 years and it's rare I come across one, let alone get quizzed by one when my services are requested. Come to think of it, I've NEVER been quizzed by a CISO (or their representative) when I start assisting a company with their ICT requirements.

  • @larryjanson4011
    @larryjanson4011 several months ago +2

    This is why all info on everyone, no matter who has it (cc, banks, employer, ARRL, etc.), all info should not be on any computer connected to the web.

    • @vk6flab
      @vk6flab several months ago +1

      Whilst I understand the sentiment, how would an end-user update their data?

  • @kludgeaudio
    @kludgeaudio several months ago +2

    Paper cards in the mail seem a win to me on so many different levels, because you are not at the mercy of a data processing infrastructure that someone else runs. Once I have a physical card, I have it, unless I lose it or destroy it, in which case it's me responsible for the loss.

    • @vk6flab
      @vk6flab several months ago +1

      It's interesting that I was encouraged to join my local peak body, in my case the WIA, to get benefit from the QSL Bureau, which is ironic, since now that I am no longer a member is potentially hampering my QSO confirmations, since cards sent to the "buro" are as I understand their systems likely to be shredded before I have the opportunity to collect them.

  • @BrianMann216
    @BrianMann216 several months ago +2

    I am still waiting for my tech license. I passed on May 12; ARRL says they have not received it when looking up my FRN.

    • @vk6flab
      @vk6flab several months ago +1

      I'd contact the examiner and ask them for guidance.

  • @vk6flab
    @vk6flab several months ago +2

    The ARRL has just published the following statement:
    Updated 6/4/2024
    On or around May 12, 2024, ARRL was the victim of a sophisticated network attack by a malicious international cyber group. ARRL immediately involved the FBI and engaged with third party experts to investigate.
    This serious incident was extensive and categorized by the FBI as “unique,” compromising network devices, servers, cloud-based systems, and PCs.
    ARRL management quickly established an incident response team. This has led to an extensive effort to contain and remediate the networks, restore servers, and staff are beginning the testing of applications and interfaces to ensure proper operation.
    Thank you for your patience and understanding as our staff continue to work through this with an outstanding team of experts to restore full functionality to our systems and services.
    We will continue to update members as advised and to the extent we are able.
    This story will be updated with new developments.
    Source: www.arrl.org/news/arrl-systems-service-disruption

  • @tonyrowland9216
    @tonyrowland9216 several months ago

    why the scent.

    • @vk6flab
      @vk6flab several months ago +1

      I have no idea what you are referring to.

  • @mikedevita5558
    @mikedevita5558 several months ago +1

    Enemy hackers probing.

    • @vk6flab
      @vk6flab several months ago +1

      Remember that anyone using an IP address that's not inside the USA is "international" and anything that socially engineers a password is "sophisticated".
      I'm not saying that the current statement from the ARRL is wrong, but there is plenty of history around statements made like this that turned out to be a former employee with a grudge.
      In other words, I'm sceptical until a full after event debrief has been published.

    • @Brenda-jf2pe
      @Brenda-jf2pe several months ago

      Stiff penalties for hacking are needed. Our government has failed us; legislation is needed with teeth! JohnBoyUtah yes I am a General!🇺🇸😎📡🎙

    • @vk6flab
      @vk6flab several months ago +1

      @Brenda-jf2pe I think that the penalties for hacking have been well and truly established with absolutely over the top claims of loss by the "victim".
      Where society needs to focus its attention is the corporate lack of due diligence, the absurd amount of personal information being stored and the lack of repercussions for the board of a company.
      Finally, the actual victims, people whose information has been stolen, not the people who have been hacked, need to have a system of redress that goes well beyond a subscription to a credit watch service.

  • @markr.1984
    @markr.1984 several months ago +1

    Glad I have never joined the ARRL!! I've always hated that organization. Many reasons but my biggest is that they have some sort of weird connection to the Freemasons. I happen to know that for a fact. Growing up in Indiana and experiencing those folks I really don't care for them. Masons dominate Indiana. I had a brother that infiltrated them to learn more about them. So now my family knows more than you wanna know about them. Trust me, you don't want to know. I understand that this has little to do with this breach or whatever it was but I'm just sayin'. When I was a ham in Indiana I saw how so many hams there (possibly the majority) are into mason stuff because I got a lot of "funny handshakes" from hams all the time.

    • @vk6flab
      @vk6flab several months ago +1

      I think hate is a strong word and I'm unsure if it assists with enabling a discussion.

    • @pesco7
      @pesco7 days ago

      Masons? Really? Complaining about Masons in 2024 is like insisting on using a fax machine.

  • @K1OIK
    @K1OIK several months ago +2

    It takes longer to say A double RL than ARRL

    • @vk6flab
      @vk6flab several months ago

      Interesting assertion. Not sure if I have the energy to measure it, but I prefer to say A double R L, rather than ARRL, which I tend to only do as: A. R. R. L. when I'm referring to statements quoted from early 1900's comments.

    • @K1OIK
      @K1OIK several months ago

      @vk6flab Why do you prefer to say A double R L, rather than ARRL? To sound cool like their staff?

    • @vk6flab
      @vk6flab several months ago +3

      @K1OIK I have no affiliation with the organisation and my ability to sound "cool" vanished with my increasing age several decades ago.

    • @K1OIK
      @K1OIK several months ago

      @vk6flab Then don't say A double RL like the employees and directors do. Do you say F double C?

    • @spamhead
      @spamhead 7 days ago

      A double R L seems to trip off the tongue nicely. I also think double F S takes longer for people to comprehend when I express disapproval in a meeting!😂

  • @chrisk0blu594
    @chrisk0blu594 several months ago

    From your Call Sign, I infer you have an Australian amateur radio license, and a simple QRZ search on your call sign can reveal more details about you. During an investigation of an incident, one does not discuss details in a public manner, such that anyone can read. Despite your best intentions or desires, you are complicating a crime scene in the middle of an investigation. Even e-Mails or phone calls do not authenticate you or provide any circumscribed security. Perhaps you are under the mistaken belief that just because amateur radio communication is open, unencrypted for anyone to hear. That has nothing to do with an internal investigation of a crime, which does not primarily involve you. Perhaps you have heard of the Official Secrets Act or the Digital Millennium Copyright Act. As a foreign individual, you may pose an indirect risk of phishing or social engineering, especially, if you are communicating in an open manner. As an ARRL member and U.S.A. Citizen, I find the terse information appropriate and necessary. Please respect ARRL's privacy, seriously.

    • @vk6flab
      @vk6flab several months ago +1

      You might not realise this, but like every single LoTW user, I am a potential victim of this "crime" as you put it. I have every right to make my opinion known here or on any other platform, regardless of my membership status or citizenship.
      I contacted the organisation that held my data and they referred me to their generic statements which, as I have pointed out on multiple occasions, do not actually answer any questions, instead hiding behind motherhood and public relations dribbling of information, something which is becoming pervasive in the case of data breaches.
      I note that I am an ICT consultant with over 40 years' experience in addition to being an amateur and I am not alone in my disdain for the approach that the ARRL has taken in this matter.
      Crime or not, my activities have no impact. If they do, that speaks more to the incompetence at the ARRL than anything else.
      I also note that the ARRL website is currently down. Clearly they are still dealing with this issue and instead of spouting gibberish about a random field day, QST magazine and the club station being operational, they should focus their attention on their systems.