Issue #37: The Hack that Nearly Hammered Amateur Radio

Good point, Steven. That's so true . . . open source is important to the Amateur Radio Services, and always has been. This is why I find Michelle's comments about the culture to be fascinating and worthy of discussion. Dave, W7DGJ

 

Ria,

It's fine to have "the other side of the coin" represented here in the discussion about Michelle's interview. You have done a good job of presenting your commentary without malice and by stressing that your comments were personal opinion. I will take it one step further and pin a link to your commentary at the end of the article, so that people can see that there are two sides to the ARDC story.

Here are my personal concerns about the matter . . . this ARDC chunk of money seems at times to be the equivalent of an unregulated SuperPAC. The money did come from amateur radio in the beginning, right? The problem with money (in general) is that it attracts those who love the power and control they get from the process. In some ways, it could be seen as very slowly dripping the money back to where it came from in the beginning. It could also be misused by those who would weaponize it against people who "don't play along." I'm not saying I have examples of this, Ria. I'm just cautioning you that it could be present in any organization with money that is spreading it out into the community. I was very happy when reading your comments to see that you haven't encountered any of this.

The narrative from the ARDC will always be louder and carry further because of that money -- this is just a fact of life. And sadly, people will do or say pretty much anything to keep it coming - especially the people they pay salaries to or divert grants and overhead towards. This is, again, a problem that is universal where large chunks of money are involved.

I hope that you as a Director will work on developing a culture that catches these issues before they present themselves. Unfortunately, the League has itself taken so much money from ARDC that they now aren't able to provide any real brakes on bad behavior either. Once an organization such as our ARRL picks up millions of dollars from one source, it's awfully hard to be critical of that same source or to help correct bad behavior if it is spotted. Dave, W7DGJ

 

There are in fact a lot of regulations around the ARDC endowment. The IRS has strict rules that such a foundation must abide by including minimum distributions and audit requirements. It’s something ARDC takes extremely seriously. For example the statement that Thompson has made about conflict of interest requirements is not true. We are required to sign a statement and abide by conflict of interest rules.

The money came from a partial sale of an underused asset that amateur radio community has access to. The IP addresses were requested by Hank Magnuski, KA6M. Eventually ARDC was formed to manage the asset. Much like the ARRL manages 225 Main Street and W1AW. If they wanted to, they could with their board approval sell part of that property to create an endowment. Or pretty much anything the league owns, like it does with its auctions. The IP address sale, the brainchild of Brian Kantor WB6CYT (SK) is similar in that regard. And there are still plenty of addresses that amateur radio operators will have access to. ARDC has even launched an automated portal for anyone wanting 44Net IP space for amateur radio or similar use. If you want 44Net space, by all means, request it.

This is why ARDC extensively involves the community in its granting process. From the GAC to the community meetings, ARDC wants to ensure the granting is driven by the community. This is a huge reason why ARDC is so successful in the amateur radio world. Is some of it driven by collective and personal desire? Absolutely! We want to see students thrive and make great contributions to society. We want to see amateur radio progress and remain viable. We want to lift up people and great ideas - things like M17 project are a great example.

I’m not so sure of that. I worked for big media and often you find that the “influencers” aren’t always the ones with the most money, but the loudest voice and compelling story, regardless of the facts.

I don’t have to. ARDC will always have controversy, whether real or manufactured. Controversy doesn’t imply wrongdoing but it does imply disagreement. With that said we have a solid foundation and a great community around us which will drive us into the future.

 

Dave, though I am starting to be one of those folks that our 17 year old selves pointed to at Hamfests talking amongst themselves in the coffee corner.
Folks make assumptions about us. They think we can't hear or understand.

My point was 3 fold:
* Amateur Radio is not web dependent - never has been. 100 + years now, how did we ever manage without the web... hmm.
* Those who want to make Amateur Radio web dependent do so at their own risk.
* Amateur Radio VIOP networks and discussion groups are not "Amateur Radio" any more than this Forum is.

I am not a computer novice at all. I understand how they work, and how the Web works. I also know which side the bread is buttered.
Money has always been the exchange medium of computing. I remember buying CPU "Time" on a Universities Univac. You paid by the CPU cycle.
We're a bit beyond that now, in that Users no longer pay for each CPU cycle, but we do pay for services. The concept that the Internet and the services Companies provide are "Free". They never have been, and never will be; someone pays. If for a second you think that (for example) Google provides you Free services, you are sadly mistaken; you even pay a local service provider to connect to Google.

Does it surprise me that if people are involved that there are Politics going on? No, people are involved.
Does it surprise me that someone tried to make money off ""us"" by charging for services? No. Outside of the Amateur Radio community, we are just people - more so as far as web services go.
So this was an article about SOP BS that happens in the computer world. And "nearly" only counts in Horse Shoes and Hand Grenades.

I am connected to the Internet more than I like. Seems like more and more basic communication is being transferred from physical services to virtual ones -it seems to be the most economic path to choose for many companies.
But as far as Amateur Radio goes, the Internet is only a tool to use - it is not and will never be "Amateur Radio".

I do keep a log on my computer, and that data is physically backed up on a separate physical drive. Every once in a while I upload that data to QRZ and EQSL and do so as a courtesy to others who chase awards. The programs I run on my computer are not cloud based, they are standalone applications. If I loose services, or the source of those programs goes tits up, or the whole WWW takes a dump, I loose nothing and it does not affect my ability to participate in the Hobby.

 

Ron, I certainly didn't make any "accusations . . . " I just asked a logical question, if the Web goes down because we let malicious software get introduced, couldn't you have possibly downloaded software that puts your computer at risk? Not saying it would take you off the air (it would for some people). Some in the ham radio community must care about this, because I had more positive emails about this article than anything else I've published in the last year -- so it's at least an interesting discussion. I'm in your age bracket and hang around in the coffee cluster as well at Hamfests, so you're not arguing with some young digital modes fanatic. I clicked on "Like" for your post because we generally agree on much of it. Dave, W7DGJ

 

This has nothing to do with being web dependent. A lot of devices run busybox, a Linux distribution made by Bruce Perens, K6BP and other open source code. There’s less chance of anything happening to a completely airgapped system, but these are becoming less common.

Also consider that while you may be unconnected, other hams are not. A lot of repeaters run Linux on raspberry pi and other open source code. Flex Radios run Linux. Maybe some others too.

And look at the bigger picture - the power grid and other critical infrastructure is prime for a cyberattack. A lot of operational technology like SCADA is vulnerable. Remember colonial pipeline? Don’t worry, many others have forgotten about that too.

 

Thanks Ria. Good additional points for Ron. When I was first hearing about this, in the back of my mind I thought "This won't affect me, only Martin and Tim and other young guys I know who work FT-8." That was wrong, for sure. Dave

 

Dave,
I am starting to believe that the more compressed version of my original post that I edited did not convey where threats comes from.
And again, your article framed this is an Amateur Radio issue. It is not, it is a computer industry wide issue.

If the WWW itself goes down, I can pretty much assure you it had nothing to do with any one person or computer. It is robust system that was originally designed for Military use, and converted to Civilian use. If you have to worry about anything in that regard, I suspect you read too much Bradbury

If a web site goes down, it is not "we" the users who introduced malicious software, it was the sysop or one of the agents using the computer it is running on. Most likely though, it is something like targeted DNS attacks which targets the DNS server software, or overloads the capability of the DNS Server to resolve traffic. This isn't anything "we" can do about as it is usually a group of bad actors acting in bad faith targeting a server.

Many of us use Open Source Software (OSS). The reason it that it is generally cheaper than name branded software. Along with that, there is a risk that it has extra (as Microsoft would say) "Features" (bugs). Before release, it has been Beta tested by a group of users to find faults before the final version is released. I think it's safe to say that it is pretty safe to use.

I would bet the average security threat to your average Ham would be the default settings on their Wi-Fi Router and the indiscriminate opening of emails from those they don't know, and clicking on the links contained in that email

If you've been around computers for a while, this is basic internet security 101.

 

Ria, I am trying to find your logic.
Are you saying that a particular version of Linux has a security fault?
Are you blaming folks who release OSS? Because you do know each new version is beta tested.
Or are you blaming remote access

Either way, this affects the art of radio - how exactly?
No hacker is going to bother finding a single repeater attached to the internet and taking it off-line.
And no hacker is going to single out W9ZYZ's Flex because they can.
There is no gain in it.

And computers attached to the utilities are not our problem.
Though, since you mentioned Colonial Pipeline, you do remember it was not a computer problem, but a computer operator who installed ransomware via opening an email and clicking on a link.

 

Every software has security faults. The xz attack would have created a wide ranging backdoor, and would have potentially affected many things.

I’m not blaming anything here. I am pointing out that an attack isn’t limited to remote access.

For example some people love to blame keyless entry systems in cars for making them easier to steal via relay attacks. But the reality is that there are numerous ways to get into a car. The latest is canbus attacks where an attacker can connect to a component like a headlight and steal the car.

You may think there is no gain but IOT devices can be used for other attacks. Much of the compromises that are found in the wild including those I’ve found in incident response were launched from other compromised machines.

Having control over systems that can send radio waves, and also the same radios that are sold to military and government customers is an attractive proposition. Especially to state sponsored cyber criminals, of which there are many.

Even without the internet - imagine if a hostile nation gets an encryption key to our military drone’s communications via a back door. This could potentially allow that nation to counter those drones when used in defense purposes. Yes it is that serious.

It’s not just computers. Many pieces of equipment are controlled by embedded systems including those that run Linux or other open source software. This is a reality we can’t escape from. These systems are now necessarily complex and we cannot go back to manual controls prone to human error.

And the colonial example was just one example. There are countless others including those sponsored by our own government against foreign nations. This is more than just a few hacks, this is a new frontier in warfare.

Realistically you cannot 100% train your way out of this problem. Some user will always do something stupid. Your best defenses are countermeasures and risk mitigation, risk transfer and in some cases risk acceptance.

That said, old systems with completely analog electronics aren’t going to be affected, unless a botnet of connected radios engages in massive, coordinated jamming across the bands. In which case the airwaves you use to play radio are the least concern.

 

So through your musings, you show that you actually understand the 3 main points I made.

I think this is a good jumping off point for me.

Dave, If I may suggest a future article?
"IT security for the average Ham"
Discussion point: MS, Linux, and Apple OS and their actual, not perceived ability to be hacked.
Discussion point: Home network security.
Discussion point: How viruses, phishing enter systems, and what bad actors hope to gain my doing so.
Discussion point: Anti-viral software like AVG, Norton, etc.
Discuss tools, and basic strategies to use to prevent or thwart attacks on our home systems.

 

I agree that ARDC has done some great work--

Some is amateur radio related. Some is not. For example: the MIT radome is immaterial to Part 97. I believe it is the largest or among the largest,grant by far, or was, for example.

But ARDC is not Part 97 amateur radio and never will be. Nor will any non profit claim that.

It's emphasis is a PART of who we are and how we, Part 97 licensees , secure and utilize the privilege of license as per the mission statement of the service.

ARDC needs to be reminded that it does not set THE direction of Part 97: it secures a place for a certain philosophical bent. It does not represent the amateur radio service. It represents a PART of the amateur radio service.

ALL actions pertaining to amateur radio-present and future --need careful consideration of the Part 97 mission statement and the over 700,000 licensees.

The FCC and the licensees set the direction of Part 97 . ARDC does not. ARRL does not, and so on.

On a related matter, I believe I expressed a cordial opinion on Phil, KA9Q, In the absence of facts showing otherwise, I caution not to disparage nor falsely characterize Phil. You need not respect his vision (although I do; although I disagree) but he proceeded with what he perceived as 'good works' and y'all should leave it at that. MO.

 

Thanks Chip. Phil is participating with me on a future column, which should be out around Hamvention timeframe. I'm looking forward to his comments. Dave

 

Phil is a good guy.

Not everyone has to see eye to eye. But it sure helps to respect that they too have vision!

 

Chip: In fact, I did attend a high school with a ham club in Lexington, MA!

I posted some old pictures (1969-ish) of our ham radio club on Facebook several years ago. Two women from my class wrote to me that they wished they had known the club existed. They would have liked to join. It wasn’t on their radar to look for it, and it wasn’t on the guy’s radar to invite them. In our defense, we tended to keep discussion of our esoteric interests to others we knew were of like mind. Even at LHS, not being perceived as a “regular guy” could lead to persecution by the “lord of the flies” types.

It’s interesting to ponder what Michelle has described. Give the grown-up techie kids power, and many will behave just as badly as the “regular guys.” The same goes for women. We're all human. I have noticed that many techie types are way too sure of themselves, and think that because they are genius coders, they know everything about everything. Spoiler alert: They don’t. Especially in the human relations department. This can lead to good projects going sour, sometimes over the pettiest of reasons.