Hi,
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
Thanks for the heads-up.
Response:
You are most welcome!
========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
Now ARRL needs to tell:
(1) why that notice is of the form "Lie down and stay calm", and
was delayed a week;
Response:
All notices of this nature are much the same... Your choice of words
biases the entire concept of the notification. I read it and did not
get a "Lie down" feeling. I am sure the delay was to ensure that they
have good data prior to a press release.
======================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(2) why the loss of personal data is dismissed as trivial since
someone could get the data elsewhere, say by hacking FCC's DB;
Response:
It is trivial because it is the same data as on the FCC database, which
is freely available to all, no need to hack the FCC database, as you
say... Again, biased words... Presumably the ARRL is not feeding lies
to us here, so all that was lost were call sign data, as it appears on
the FCC's site. Also password data, which is more concerning...
"Any information the hacker might have been able to glean from the ARRL
server, he said, is already publicly available — data such as names,
addresses, and call signs that appear in the FCC database."
There is a later reference to changing passwords if you had not changed
after 2010... That implies they implemented crypto on the password file
around 2010.
While I am not worried about this, I am sad to see that the ARRL servers
got hacked... If the press release is true, then the only real data
lost was the users' passwords, and only from 2010 back. Not good, but not
personal data being dismissed as trivial.
========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(3) why IT Manager Keane and the author of that release remain
employed;
Response:
Because the breach does not constitute a fireable offence with the ARRL,
nor most companies. Neither you nor I have the needed information to
make that sort of decision here... Only the parties involved do.
=========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(4) why members were not notified by email, since notifying members
individually is an established practice for every *other* administrative
change or revenue promotion;
Response:
It would have been good to get a note to change a password. However I
did not get mail from Target, Chase, TJ Maxx, Home Depot, or any of the
multitude of others who have been hacked over the past year either, so
the ARRL followed accepted methods for this sort of breach, shy the
password. In my opinion, an email should have gone out for the password
issue though.
=========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(5) why loss of "old" passwords is discounted as *the member's
problem*;
Response:
Because it is the member's problem... I don't want the ARRL selecting my
passwords for me, then sending them to me, so I have to deal with it,
hence it is *my* problem.
=========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(6) why user accounts with compromised passwords are not disabled;
Response:
Good question, probably should have been...
=========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(7) why the nature of the hack was not disclosed, and when
Mr Keane will have removed the vulnerability;
Response:
Would have been good to hear this as well, but not the end of the world
if not...
=========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(8) how long the vulnerability has gone unpatched;
Response:
Again, would have been nice to hear, but not the end of the world if I
don't know... I never found this out from Chase, TJ Maxx, Target, etc...
=========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(9) who the hacker(s) might be;
Response:
Really? This again falls into the "would have been nice"
category...
=========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(10) whether passwords were being stored in plaintext;
Response:
One could assume from the supplied data that passwords were plaintext up
to 2010 and passwords after 2010 were not.
==========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
(11) whether the hacker left any "surprises" behind, and how Mr
Keane can assure us concerning his answers.
Response:
You have asked an unanswerable question-- if there are "surprises" then
no one would know about them, so no one could answer your question...
Perhaps your question should have been a statement, not a question?
I am not too worried about the ARRL assuring me of their answers being
correct... If they are lying to us, then they will tell us "all is
well"-- if all is well, they will tell us, "all is well", so whatever
the ARRL says the answer will be the same, "all is well". Your logic
dooms them to be questioned even if all is well, all the time...
==========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
I point out that Mr Keane's dismissive statement, “We don’t keep
anything of value [to a hacker] there. Hackers don’t care about DXCC
totals or want to read the online issue of QST. There’s nothing of
financial value there”, sounds dangerously naive or worse, cavalier.
How does he know the hacker's purpose? Why does he snark jokes? He
admits he does not know the extent of the violation.
Response:
I see no joke here... Not sure where you got that from. The statement
does not sound dismissive to me either...
Perhaps the statement is true, perhaps the ARRL financial data is on a
more secure network... Companies frequently keep financial data on
different networks from Internet facing networks, different security
models for different data...
Only the ARRL would know where it keeps its financial data, so only the
ARRL can speculate about what was exposed, and what was safe...
Your statement that the ARRL comments were naive or cavalier is at
best judgmental, and at worst finger pointing with zero data to prove
your point... You simply don't have the data to speculate reasonably.
==========================================================================
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:
Not knowing the extent of the intrusion, he cannot make statements like
the one made. What he possibly means to say is that there is no threat
to the financial assets of ARRL.
Response:
I am not sure the extent is unknown, and *you* can't be sure it is
unknown either... The network topology and structure may have forced
constraints on what a hacker has access to, so the extent of the attack
may very well be known... Again, there is not enough information for
either of us to make the statements you are making here...
--
Thanks and 73's,
For equipment, and software setups and reviews see:
www.nk7z.net
for MixW support see;
http://groups.yahoo.com/neo/groups/mixw/info
for Dopplergram information see:
http://groups.yahoo.com/neo/groups/dopplergram/info
for MM-SSTV see:
http://groups.yahoo.com/neo/groups/MM-SSTV/info
Post by David Cole dave-***@public.gmane.org [linuxham]
Posted by: David Cole <dave-***@public.gmane.org>