
Issue #37: The Hack that Nearly Hammered Amateur Radio

Discussion in 'Trials and Errors - Ham Life with an Amateur' started by W7DGJ, Apr 11, 2024.

  1. W1YW

    W1YW Ham Member QRZ Page

    This is troubling.

    One should ALWAYS enter legal support with a clear sense of cost and a clear knowledge of where and how the money comes from and how it will be paid. That is why lawyers have 'engagement' letters.

    It is certainly not RARE for lawyers to do pro bono work for non profits. Often discounts are offered. But if ORI(?) feels it got hit with a cost that OTHERS should pay for, I think that is at best naive, and worst just outrageous.

    IOW I think you should be grateful ARDC paid the first tranche....

    As to sticking your neck out: don't stick your neck out and then push the expense on others. Fiduciary responsibility in non profits DICTATES prudence and forecasting on money matters. There is no 'hey people you now need to pony up because we are in a hole' language in the fiduciary responsibilities.

    Don't undertake actions you can't pay for, and have not set monies aside to get closure. That's not just advice: it's fiduciary imperative.

    73
    Chip W1YW
     
    Last edited: Apr 23, 2024
  2. K6CLS

    K6CLS Ham Member QRZ Page

    Great imperious commandment, there's the "should" word.

    And that never happens. I've never had an "engagement letter" that specified fixed costs, it's always open ended. Even for simple common open shut cases!
     
  3. W7DGJ

    W7DGJ Platinum Subscriber QRZ Page

    In my business (consulting vs lawyering) we always used an Engagement Letter, but those always set the groundwork for billing and never alluded to one final, fixed cost. That always floated based on the need. I think that's probably the way that most lawyers work. Dave
     
  4. W1YW

    W1YW Ham Member QRZ Page

    Never said anything about fixed cost.

    My point is that it's not the responsibility of the amateur radio community to argue out costs for ITARS issues. It never should be. Nor is.

    Groups or individuals make the tech and groups or individuals deal with the ITARS regs. That means groups or individuals need to plan out the costs for 'negotiating' same, and not expect Part 97 licensees at large to pony up for them.

    If you OWN the tech then why should someone else PAY for it:)? This is why there are patents--they define CONTROL but they also define RESPONSIBILITY:)

    73
    Chip W1YW
     
    W7DGJ likes this.
  5. KB4MG

    KB4MG XML Subscriber QRZ Page

    I have ALWAYS had concerns about open source software, but admit I use it almost daily. I agree with Michele in that it is a matter of ethics, but also trust and integrity. What is it about certain people that want to harm others? Open source is such a great thing, but has its dangers. I hope this incident will raise the awareness that all distributed software needs to be looked at very carefully for malicious code. I think people would be willing to pay some small fees if it insured the code was well vetted. What do you all think?
     
    W7DGJ and KB0TTL like this.
  6. K6CLS

    K6CLS Ham Member QRZ Page

    I think we should all make a lot more contributions to open source projects!

    The thing is, all these changes were "vetted," but the end result was a security hole to drive a container ship in to! So, we did what you suggest.

    Some folks suggest that software engineering ought to make the "step up" to "professional engineering", wet stamp PhDs reviewing projects, like civil engineers etc.

    That won't work. Because of Turing, the Halting Problem. It's a physical law of the Universe, there are always software bugs, you can never be "done".

    No one will sell you liability insurance to be a "Software Engineering PE". The risks are too great and unknown. I think that says it all.
     
    W7DGJ likes this.
  7. KB0TTL

    KB0TTL XML Subscriber QRZ Page

    What they need to do is actually begin assigning some real consequences to the people they catch hacking or stealing identities. A light slap on the wrist or a short stay in a white collar prison is hardly enough of an incentive for these people to stop. Perhaps treat them as terrorists and send them to Guantanamo for a while. Hacking is the new terrorism. If they ever implement an all digital currency and other refinements, imagine the outright devastation a hacker could potentially cause. With more and more of the consumer base trusting their data to "the cloud", it is a wonder that things aren't ten times worse than they currently are. I for one avoid "the cloud" as if it were cancer. I like keeping things on backup drives or burning them to DVD for safe storage. I don't like the new "all digital life" that the current generation embraces. I am a proud member of the last generation that actually played outside and didn't grow up holding a cellphone. Remember: Digital = Hackable.
     
    Last edited: Apr 26, 2024
    W7DGJ likes this.
  8. K6CLS

    K6CLS Ham Member QRZ Page

    Hard to do when you don't know who they are, and they reside in countries that do not extradite to US.

    Can you figure out who Jia is and where they are? The world is waiting, kthxby.

    (Anyway, gitmo needs to be closed.)
     
  9. KD7MW

    KD7MW Premium Subscriber QRZ Page

    "Jia" is almost certainly a state actor. Who else would play such a long game?
     
    W7DGJ likes this.
  10. KD7MW

    KD7MW Premium Subscriber QRZ Page

    Open source software is important for reasons well beyond ham radio. Many companies are aggressively herding us into a rental model. You thought you owned your copy of your favorite spreadsheet or word processor to use forever? Nope. You licensed it, and now the license terms have changed. You have to pay SuperSoft X dollars per month for the rest of your life, or lose access to your work. Plus, your operating system and browser have become platforms where every square millimeter of your screen is for sale to advertisers, and every byte of your personal information is for sale to anyone who will buy it.

    Open source can be a cure for this. The shareware and donation models work to some extent. Open source already provides "more than good enough" alternatives for most of what most people need. And it provides for niche uses like ham radio. But if it is to be widely used, we can't expect every user--even computer savvy ones--to be security experts.

    Commercial software vendors and large institutions have the resources to pay people to find bugs and vulnerabilities. But the profit motive has built-in perverse incentives for them not to do so. Open source has fewer resources. But as in the present case, sometimes the fact of a dedicated community can actually give open source an advantage.

    A major problem is that except for a few highly-publicized cases, malicious hackers and malware spreaders are rarely caught and rarely face consequences. That has to change. Another is that the Internet is an open border. The ideal of connecting everything to everything is wonderful in theory. The sad reality is there are people and countries who wish us ill, and are dangerous to connect with. And what do we do when one of them is a major trading partner?
     
    W7DGJ likes this.
  11. CE3FJK

    CE3FJK Premium Subscriber QRZ Page

    Nothing to see here, hacks have been there since the stone age. Bottom line, if you can't read the source code of what you use, then it should not be considered safe or secure, in the same way as you read the ingredients of what you eat. DoD uses this simple premise. Why do you think TikTok is being banned? Because "they" don't know what it does, 'cause they can't see the code, as "they" don't own it. One important remark is that open source doesn't necessarily mean "secure".
     
    Last edited: Apr 26, 2024
    W7DGJ likes this.
  12. K1FRC

    K1FRC Ham Member QRZ Page

    Wow. I agree with most of what she has to say, but I'm gonna call her out on one comment. This comment makes the hair stand up on the back of my neck. In just WHAT aspect of Amateur Radio is the hobby (or individual operators) are we NOT inclusive? Do we need mandated privileges for the LGBTQrstuv _+ etc in HAM RADIO TOO? As if that stuff isn't so crammed down our collective throats already everywhere else!! I think this hobby is about as inclusive as one can get.... although, I suppose we could ignore the lids out there on 7.200, 14.313, 3.930 and elsewhere that spend half their time transmitting "Baba-booey", out there trolling for other men, as gross as that is. Now, away from that, as I don't want to spend time pointing out the obvious on certain notorious frequencies. Overall, I think the Amateur Service (I refuse to call it a "hobby") is worth its weight in gold. I am a part time net control op for several HF nets, I've been active in Skywarn and have volunteered for many community events, such as the Boston Marathon, the Athol/Orange (Massachusetts) River Rat Race, Memphis BBQ Fest, Music Fest and other sorts of things.... and I'm very active on both HF and VHF/UHF digital modes such as FT8/FT4/JT65, PSK-31/64, Contestia, Olivia and so on. So, with all my activities on the air, I've pretty much decided that the Ham radio service is valid and quite essential - not only as a hobby but as an important service to each and every community in America. Nobody will convince me otherwise, despite the few bad actors on the aforementioned frequencies.

    The open source stuff.... I really can't argue with you. There's lots of vulnerabilities simply because of the nature of open source and you pretty much nailed it.
    73
    Steve, K1FRC
    Beacon Falls CT

    P.S...... after a LONG work day outside landscaping, if there are glaring typos, I wouldn't be surprised. I can barely see to type at all........
     
    W7DGJ likes this.
  13. WB9YZU

    WB9YZU Ham Member QRZ Page

    Amen!

    but... you just DID call it a "Hobby" :D

    Whether you personally call it a "Hobby", "Vocation", "way of life", "life's work", etc; Amateur Radio is one of the few hobbies that has so many facets to it that it can accommodate most anyone's interests.
     
    W7DGJ likes this.
  14. W9BRD

    W9BRD Ham Member QRZ Page

    You're hilarious -- almost. 100% of people will be "obsolete", given passage of enough time. I think you meant to use a different construction.

    I'm sure it's fun throwing millions of transistors at the non-problem of amateur radio communication to see what sticks, but SFAIC, that's just putting lipstick on a pi -- er, ham. I happen to like being the (analog wetware) modem, you see, and my particular enjoyment of the ham-radio hobby -- which it is; service is merely a synonym for class in this sense, as in "different classes of radio usage for the purpose of regulation" -- wouldn't be an enjoyable pastime for me if I handed "being the analog modem" over to silicon. But that's just Nearing "Obsolescence" Me.

    As for facile predictions about who'll be "obsolete" (or not) and the grand and glorious "digital future" of ham radio, ho: all signals are analog in the real world, and engineers truly capable of grokking that and building "digital" hardware, software, protocols, and systems capable of withstanding and even leveraging The Analogization Of The Digital Ideal By The Real will ever be in strong demand. (Sheep merely buying whatever "digital" boxes are fashionable and merely plugging them in and playing, not so much -- except as consumers.)

    You guys and gals go play your Official Big-Time Ham Radio As A Super-Serious Service games and have your version of fun. For the rest of us, it's the radio zen of the epigram of Gary Snyder's "Night Highway 99" from his Mountains and Rivers Without End:

    welch_epigram_snyder_night_highway_99.jpg


    And if Rip Van Winkle Regulator should wake up and want his precious Part 97 frequencies back because enough Very Serious Hams that particular figurative day ain't doing <insertPotaDuJourHere> with sufficiently modern radio robotry, there's always gardening. Or -- real radio challenge, Grasshoppers -- the constraints of Part 15.
     
    Last edited: May 2, 2024 at 3:59 AM
