14 күн бұрын
21 күн бұрын
Пікірлер
@tomdonahoe3539 Күн бұрын
Boomer here. I'm on the same page with you on more effective presentations of information. Pages & pages of black & white text in Times New Roman doesn't cut it. That's why I prefer video presentations. 73
@briangroh444 Күн бұрын
SMSGTE website says it is no longer functioning and may not function for a while. Please let me know if anyone hears otherwise - but that's likely why you are not getting the results. I used SMSGTE when it was working at it was awesome in California mountains. I also thought it was something you needed to sign up for - not sure if that's covered here. Please feel free to correct or update if I have it wrong.
@ModernHam Күн бұрын
@@briangroh444 you are correct in that SMSGTE is no longer a service. It has since been replaced by a new SMS service by NA7Q I believe with the call "SMS" that you must opt in to beforehand.
@941jpanderson Күн бұрын
Update, Patch, Policy, Test, and Audit. Rise and Repeat.
@РусланДавлетханов-ч5к Күн бұрын
Lopez Sandra Moore Deborah Smith Jose
@bett059 2 күн бұрын
Thank You!
@DuttVivian 2 күн бұрын
17462 Raphael Stream
@MagicRoosterBluesBand 2 күн бұрын
Wow! This is awesome. Thank you. Just getting started in digital modes.
@streets814 3 күн бұрын
This is very cool! Can multiple radios connect to a single point like this like a hub and spoke network? 1 master multiple clients?
@chuckfarley7642 3 күн бұрын
Thanks for posting this. I am a 30 year tech veteran with 13 years experience building cloud apps for AWS and Azure. You are "right on" with pretty much all of this. I'll only disagree on two small points. 1. The age of a language has nothing to do with memory safety. COBOL is a memory-safe language and it's older than me and you put together. Java and Python are also memory-safe and are 30+ years old at this point. Not knocking Rust, but Java and Python unlock access to large pools of talent that could work on these apps. Rust is a smaller pool. 2. While the GIL does limit Python's ability to vertically scale on compute-bound workloads, there are ways around this. The most obvious is to design your app to scale out horizontally, which most people agree is a better practice than vertical scale. Most web back-ends tend to be I/O bound as they often are just orchestration layers that push the "heavy lifting" to a database or other downstream system. In those cases the GIL isn't an issue - we run 200-300 threads per node this way at my job. Given LoTW's age, if it was written in Python, it's likely Python 2, which is no bueno at this point. Also, given the days-long waits we often see, I'm pretty sure it's a vertically scaling application. If it were me I would focus on solving the scale-out problem first and then maybe upgrade to Python 3. That might allow some pieces of the existing logic to be preserved. Of course LoTW has lots of usability problems I covered in another comment too 🙂 Definitely want to add a +1 for ARRL's recent openness. They seemed to believe in the "security through obscurity" model in the past. I suspect their IT team has consisted of hobbyist-level volunteers or maybe retired mainframe guys who just don't have the experience in operational web IT. It's great to see them soliciting feedback from professionals. They should definitely not be running all of this stuff out of the basement of Newington!
@ke8mattj 3 күн бұрын
Cool, so they ran it like they run ham radio: staying in the past and never embracing the future.
@gordslater 3 күн бұрын
the main reason Foxpro doesn't run with modern OSs is that it's entireley dependant on the Mayan calendar and blood sacrifices
@ripnlips-KF0NNA 4 күн бұрын
Thanks for providing this information. Wow, there is no place to begin. This has nothing to do with the IT department. ARRL continues to have major problems as a company. The entire board and executive management should be removed. The entire company should be audited. The new leadership should decide what this company is. But it appears they amazingly got their insurance to cover the ransom and I doubt they got their policy renewed. They put a bandaid on it and announced to the world they are still vulnerable. I expect them to be out of business in a year. So sad.
@daniell8387 4 күн бұрын
So this is goign to come off as offensive but I can't find a PC way of saying it so go ahead and hate me. This seems very much like a symptom of an aging IT/admin department. I do tech support for a software company, and I'm always getting calls from older folks who end up with extremely complicated upgrades because they have had that "if it ain't broke, don't fix it" mentality drilled into their head. "If it ain't broke don't fix it" is great when you can recognize when it's broken, but it's obvious they can't because they're not keeping up with the times. I regret that I had a membership between 2021-2023, because my info was likely compromised thanks to this.
@sparkybluefox 4 күн бұрын
I am retiring from ARRL after over 50 years of membership........sigh
@major__kong 4 күн бұрын
Who's using Rust or Python to query databases? It's usually the native query language of the database or a services wrapper plus a web front end. Not sure what about this LOTW app would require processing of query results. Displaying a table with results from a query is super simple PHP. And let your web hosting company keep the backend up to date. Don't be your own web hosting company.
@David0lyle 4 күн бұрын
😳 actually it’s all pretty easy to do!! In the similar incident I saved the day by restoring from a network drive. It sounds more heroic than admitting that the hackers didn’t find it because I was too dumb to figure out how to do the automatic backup. 😬 Sporadic manual backup and the fact that I sort of blew it off the week that the virus was implanted saved the day. 😅
@N0LSD 4 күн бұрын
I don't have a dog in this fight because I'm not a member of the ARRL and wholeheartedly support the dissolution of the organization, liquidation of their assets, and utilizing the proceeds to fund an organization that actually does the work of advocating for the interests of the Amateur community in the US. The ARRL does not do this and has not done this for at least a generation. Further, this notion that, "Well, they're all we've got, so we ought to support them," -- I'm sorry, this amounts to throwing good money after bad. Honestly, I'd support every single member withholding their membership renewal fees until the ARRL collapses -- it's *that* bad in my view. Frankly, the ARRL deserves every single bit of criticism being heaped upon it as a result of this "security incident." The fact is they got pwned because they have failed, over the last 20 years or more, to do what every single other ** Corporation ** does as a matter of course: maintain their IT infrastructure. Windows 98? Having to call the dude that wrote an program a generation ago to come in and solve issues? This isn't a matter of, "remediate it and move on". There are fundamental questions that need answers. ARRL points to LOTW and these other IT-based services in their fundraising and membership drives - meanwhile, they've been running these same services on operating systems that are nearly a quarter-century old? No one budgeted to keep these machines updated, periodically migrating as technology has changed? How does that happen in a modern ** Corporation ** ??? No backups? --not unsurprising: they don't sell 3.5" floppy drives anymore. Seriously, that's how stuff was backed-up when Windows 98 was around. Let's get real: the ARRL is a self-licking ice cream cone that exists solely the propagate the continued employment of those within the organization. They don't advocate -- heck, they don't even have an office in D.C.; and they can't even seem to see the need to update the IT infrastructure that runs services core to their supposed mission. If I were a member, the number one question I would have would be whether the price for this gross incompetence is going to be passed on to current members when membership renewals go out.
@TerraMagnus 4 күн бұрын
Background: I’m a technology executive that used to be a systems engineer before jumping into management. And I’m still an enthusiast in my spare time. I hear their story and just SMH. They are so stuck in old tech, hand built tech. This is the time to make some critical build vs buy decisions. How much can they push off to SaaS managed platforms?
@pasixty6510 4 күн бұрын
Your verdict is very fair. Sad truth: one million paid by insurance, as some thousands spent would have helped to prevent the incident. It’s not very hard to find out what went wrong.
@chaoticsystem2211 4 күн бұрын
98 needed to go away in '98
@rayslinky 4 күн бұрын
It's incredible. Minster needs to go.
@MikeNie1 4 күн бұрын
I used to do some internal DB development in Foxpro. It was a runtime application environment, not a language, per se. I stopped, because I'm a hardware guy and it became a huge time suck. I finally through the last of the manuals away a couple of years ago. If you follow the lineage, Foxpro was purchased by Microsoft and became .NET, in a manner of speaking. At one time Access would open Foxpro data files. I do not know if it still does. Many years ago when I needed to open a data file that did work. I loved working in Foxpro, but I'm glad I don't do any development anymore. Unless you do it everyday, it's too time consuming.
@linuspoindexter106 4 күн бұрын
I imagine the insurance company will have something to say about IT going forward...
@russellhltn1396 4 күн бұрын
I think this all comes down to money. They're trying their best to project a positive image of themselves, but lack the funding to do the structural changes that are largely invisible. I think the house of cards is falling. Their decision to no longer send QST with renewals is likely to come back and bite them.
@RechargeableLithium 4 күн бұрын
"Incompetence" is a primary trait of the League. They fail editing Handbooks and magazines, they fail to protect our spectrum, they fail in lobbying for our service, and clearly they have middle-school-calibet IT staff. I'll stay with my membership in the RSGB.
@chuckcrizer 4 күн бұрын
This sort of thing is not uncommon with non profits.
@c128stuff 4 күн бұрын
Like you. I have proper backups of my home computing environments, even sticking to the rule of having 3 backups in 2 different locations, using 2 different storage technologies. One of them is 'more online' than the others, in the sense that it is easy to access and trivial to restore from, but the used technology is slightly less reliable long term. The 2nd and 3rd use more robust storage technology, but are much slower to restore from, and are not directly accessible beyond being able to write backups to them. This means they also are very difficult to 'encrypt' for ransomware. Ah yes. all of them are tested, and get tested again every so often by picking a number of random environments, and doing a complete 'bare metal' rebuild of those on test hardware, and verifying their completeness and proper operation. And that goes way beyond what the very very very large majority of organisations do, regardless of them being commercial, non proffit, government, you name it. The typical state of backups in most organisations is shockingly bad. You don't want to know how often I've had to tell an organisation that: "No, having 7 days of 'file history' is not having proper backups. Yes, it covers one particular and more common use case for which you want backups, but does not cover the slightly less common but much more important reasons for having backups". and... "no, keeping 5 days of snapshots on the same storage where your data lives is not having backups either". So.. I'm not at all shocked the ARRL had no working backups, rather, I'd have been somewhat surprised if they did, as that is sadly not the norm, eventho it should be.
@q5go84q 4 күн бұрын
HAM community in 99% are retired people who use it tell old man stories on social nets. Only a very tiny part of the community see HAM as enigineering hobby and does any technical projects / tries to innovate. Quality of HAM-centric software is the example (WinLink Express, proprietary Windows-only codecs, proprietary digital modes, JS8Call and other), all in despair.
@arsnb9m907 4 күн бұрын
@@q5go84q this crotchety OM is shaking his cane at you... :)
@straypacket 4 күн бұрын
FoxPro... Oh dear.
@q5go84q 4 күн бұрын
Would love to see Rust more in firmware development, signal processing, digital modes etc., much more pleasant than C. But it's not a business applications language, ARRL needs something highly popular and simple like C# or Python, or even out of box SaaS solutions to not have maintenance burden at all.
@Tokyo1991.JL1AJE 4 күн бұрын
I read through most of the comments and can’t help but think that the following needs to happen. Open source front end tool to handle QSO confirmation and what ever data mining you want to do (awards etc). But most importantly this needs to go distributed blockchain. Everyone uploads their logs to their own ‘wallet’. Each QSO for the operators call sign is tokenized. Solana (SOL) seems ideal in terms of speed, scale and cost (almost literally free). Essentially you are able to mint as many QSO tokens as you wish but they are meaningless unless your contact in the QSO mints an equivalent QSO token that corresponds to yours. The best decentralized app/service/website to offer the minting (convert logs to QSO tokens) wins as does the best data mining front end (aka blockchain explorer GUI). The front end could work based on an agreed level of granularity or fuzziness (+-5mins confirmation window etc). This way a LOTW no longer has to be operated by a single centralized entity and as it’s on the blockchain it will be theoretically immune to attack. Each country’s ARL could handle the KYC locally and issue a token tied to your call sign, the reception of which into your wallet confirms identity / ownership of the call sign. Not that blockchain savvy here. Just thinking out loud.
@JimJimmington-e8i 4 күн бұрын
They need to be badgered for this. Running antique platforms and hoping to never be a target is a horrible business AND security decision. This video makes good points about going forward. I think the ARRL needs to crawl out of the IT dark ages and move into the modern era. This is highly inexcusable and is something that membership dues should have been paying for all along. There is literally no excuse for this and they are 100% responsible for the weak security. Why they can run something that big and not take security into account is clearly coming from a saving money standpoint. Ultimately, it bit them in the ARRL and now here we are. I hope they fix this and stay more modern because things like this will stunt membership hard.
@kennylyons2835 4 күн бұрын
It's what happens when the whole hobby is focused around openness and no encryption and security is in our regulations , it turns into a mindset and then this stuff happens . It's also funny to get the stuff where the arrl is trying to get me to join but I can't get a physical magazine and they can't keep their software upgraded but somehow I'm supposed to believe they're advocating for me and keeping the ham bands ham bands
@Bob814u 4 күн бұрын
They seem to have had the mindset that "If it ain't broke don't fix it". Well, where does the money go that they get for dues?
@whytebredd 4 күн бұрын
If you’ve registered for lotw through their convoluted password mailing system or interacted with the interface or tried to claim any awards then it should surprise you very little that something like this happened.
@chuckfarley7642 3 күн бұрын
LoTW is the most bizarre app I have ever seen. It seems to have been optimized around being used from the moon with the crazy cryptographic stuff. It is difficult to set up - far beyond the computer skills of the average ham. Why it's not simply a website that you log into with a username/password and upload a CSV is beyond me. I gave them this feedback years ago and it was summarily dismissed.
@brianjrichman 4 күн бұрын
I'm a member of the ARRL and really would love to see the entire top level of management and the board of the League removed and replaced by people who understand I.T. and appreciate that it is central to the mission of and the commercial success of the League. HOW do we as members get this done? By the way, I am a recently retired server admin at a university with 1500 VMs in a data center with backup appliances and offline backups. Yes. We move our portable backup media offsite and keep it offline just to address this kind of ransomware situation. We also tested recovery and also kept everything updated. So the basic screwups at the League are all apparently to do with the senior staff's general level of incompetence, ignorance and the (reported) toxic work environment. Franky they should all just go.
@LU1VJK 4 күн бұрын
Hola Billy, a mi me resulta extraño que no suceda más amenudo este tipo de ataques. Cuando veo plataformas como QRZ o eQSL... Pareciera que estuviera haciendo uso de The Wayback Machine of Internet para ver webs con tecnología de los años noventas... Por otra parte: ¿Tienes alguna opinió formada sobre World Radio League? Cuando suirgió el hackeo a LoTW yo era relativamente nuevo en la plataforma así que no sufrí mucho la incidencia, pero en ese mismo día me llegó una sugerencia de adherirme a WRL, se promocionan como el futuro de los logs de radioaficionados. Excelente video, como siempre!. Saludos cordiales desde Bariloche.
@w3wym 4 күн бұрын
I run a software dev agency. In our biz the key question is always what we can do with limited time and money. We avoid "legacy" projects like this, because in our experience there are NEVER enough resources to do things properly. The same patterns that get these orgs in this mess keep them there. Your advice is sound - all things are possible with enough time and money. IMHO, the ARRL simply does not have the budget to do things the right way. I bet the ARRL now wishes they had invested the $1M ransom in their IT instead, but I've estimated and run enough of these projects to know that is still not enough to modernize this tech. The only way out I can imagine is a dedicated fund for the tech or a monetization strategy for LoTW, with the proceeds rolled back into maintenance. Like the tech itself: doable, but complicated.
@w3wym 4 күн бұрын
Love your channel, btw. Keep it up!
@ModernHam 4 күн бұрын
Thanks!
@NorKavon 4 күн бұрын
All of your discussions and reccomendations require 2 things. Knowledgeable and up to date leadership, and proper support and finances from the board. I see neither of these now or in the future. LOTW is the kind of app a first year IT student could write.
@SHTFchef 4 күн бұрын
I still cannot sign up for LOTW. Seems like the problems continue.
@thebugg333 4 күн бұрын
These are hams, what was the OS baseline of ASL2 again? And yet there are people still building private networks based on 2. Even ASL3 is buggy as hell, but at least the OS and separate apps can now get updated. Ham programming = look it finally works, lets move on to add on to this buggy mess until enough people notice or complain.
@Dratchev241 4 күн бұрын
ASL2 is depped replaced by ASL3 which is Debian 12. ASL3 being buggy.. well are you reporting the bugs to them? A very big issue in many many many projects is 1 guy doing all the work which if it is a small project you can get by with but large projects the 1 guy doing everything leads to disaster. just look at the xz issue from earlier in the year.
@arsnb9m907 4 күн бұрын
I lost you when you started recommending Rust, and when you stated that Python "doesn't scale well." Head-scratcher. I have to wonder: how much support did IT staff get from ARRL management?
@ModernHam 4 күн бұрын
Many big platforms started with Python as a backend such as Instagram, but the ones that grew quickly found python became a major bottleneck and had to change to a lower level language. Python is my language of choice for almost everything. It's a flexible tool, but it is not the best for resource/processing intensive applications backend. A database backend of this size doesn't need to be rust exactly, but it needs to be written in a snappy language nevertheless, and C++ is growing quite old now. I think python not scaling well is common and accepted knowledge in the programming industry. That's why some implementations like C python have spawned to try and combat it. But programming languages are like tools. Some are some better for specific tasks and when possible, the "efficient" thing to do is use the right language for the job. Pythons great for prototyping, AI, and some web back ends, but it starts to show its speed when doing a lot of processing.
@arsnb9m907 4 күн бұрын
@@ModernHam Were you privy to precisely how AARL used Python? Like you and I, its use may have been specific to preprocessing data loads, data analysis, scraping etc - tasks which fall outside what ou are describing. Also, I doubt that ARRL had much of a problem with scaling to begin with. Their primary site was written in php for crying out loud. If the goal is to do forensics on the attack, why suggest a change to their stack when the more scalable options generally introduce additional attack vectors, complexity and technical debt? That's why I'm scratching my head. ARRL is not Instagram, and was never in a position to exploit what you propose to begin with. I'm not defending ARRL, which is why I'm questioning how supportive and engaged management was with their IT staff. That seems consistent with the pattern I've seen with them for the 42 years I've been a subscriber and user of their resources.
@attribute-4677 3 күн бұрын
Python doesn't scale well.. # 1. Global Interpreter Lock (GIL) - limits true parallelism with threads. # 2. Dynamic typing - runtime type checks slow performance. # 3. Interpreted language - slower than compiled languages. # 4. Memory management - garbage collection adds overhead. # 5. Concurrency limitations - limited use of multi-core CPUs. # 6. Inefficient multithreading - multiprocessing has high IPC cost. # 7. Dependency on third-party libraries - varying scalability. # 8. Interpreter overhead for large codebases - slow without JIT. # 9. High memory usage - inefficient data structures. # 10. Blocking libraries - many lack native async I/O support. ### 1. **Global Interpreter Lock (GIL)** - **Single Threaded Limitation**: Python's CPython implementation uses a Global Interpreter Lock (GIL), which essentially limits the execution of threads to one at a time, even on multi-core systems. This means that multi-threading, a common approach to scale applications, doesn't effectively utilize all CPU cores. For CPU-bound tasks, this can significantly hinder scalability. ### 2. **Dynamic Typing** - **Runtime Overhead**: Python's dynamic typing makes it easy to write flexible code, but this flexibility comes at the cost of runtime overhead. Types are checked at runtime, and variables can change types, which requires extra computational effort, reducing performance compared to statically-typed languages. For highly concurrent or high-performance requirements, this can become a bottleneck. ### 3. **Interpreted Language Overhead** - **Performance Limitations**: Python is an interpreted language, meaning the code is not compiled to machine-level instructions beforehand but is interpreted line-by-line at runtime. This significantly affects performance, making Python slower compared to compiled languages like C++ or Java. This limitation makes Python less suitable for applications needing high processing power, which can limit its scalability. ### 4. **Memory Management** - **Automatic Garbage Collection**: Python’s memory management relies on garbage collection, which automatically frees unused memory. While convenient, it can introduce latency and unpredictability in performance, particularly in memory-intensive applications where managing memory manually could result in more efficient scaling. The garbage collector can add overhead and reduce efficiency under high loads. ### 5. **Concurrency vs. Parallelism Challenges** - **Limited Parallelism**: Due to the GIL, Python has a harder time taking full advantage of multi-core architectures. While concurrency can be achieved via `asyncio` for I/O-bound operations, true parallelism (e.g., in CPU-heavy tasks) requires workarounds like multiprocessing, which involves the overhead of creating separate processes and communicating between them, rather than efficiently using threads. ### 6. **Scaling with Multithreading vs. Multiprocessing** - **Inefficient Multithreading**: While Python has a `multiprocessing` module that allows scaling by using multiple processes, this approach comes with the overhead of inter-process communication (IPC) and memory duplication. This is generally less efficient compared to threading in other languages, which can lead to higher resource usage and limit scalability for some types of workloads. ### 7. **Dependency on Third-Party Libraries** - **Varying Quality and Efficiency**: Many of the tools that make Python great for rapid development rely on third-party libraries. These libraries vary in quality, and some may not be optimized for scalability. Dependency on third-party solutions means that applications may inherit inefficiencies or lack of scalability that come from less optimized code. ### 8. **Interpreter Overhead for Larger Codebases** - **Code Execution and Compilation Overhead**: As applications grow larger, the cost of interpretation and the lack of a just-in-time compiler (JIT) like those found in some other languages (e.g., Java's JVM) can lead to slow execution times. Tools like PyPy (a JIT compiler for Python) can mitigate this, but the standard CPython interpreter is not optimized for this kind of performance, leading to scaling challenges. ### 9. **Memory-Intensive Operations** - **Less Efficient Use of Memory**: Python’s data structures, such as lists and dictionaries, are very convenient but consume more memory compared to similar structures in lower-level languages. When scaling applications that need to handle large datasets, Python's higher memory usage can become problematic, particularly for memory-intensive operations that require efficiency and low latency. ### 10. **Lack of Native Asynchronous I/O Support in Libraries** - **Blocking Libraries**: Many of Python’s popular libraries, such as those for database interactions or networking, are not natively asynchronous. This lack of support means that certain operations can block the entire program flow, making it harder to build scalable, non-blocking architectures unless specific effort is made to use async-compatible alternatives.
@supremetalentco 4 күн бұрын
Like the lens setup you are using on your camera.
@donaldchittenden671 4 күн бұрын
Thank you for the update date. I was a member for 30 years I have know trust in the ARRL leadership any more. We need change in this .
@Pirate-xn6jm 4 күн бұрын
Billy, thank you for this excellant post event analysis and lessons learned video. I am also a 20 year IS professional (now retired) and although not surprised about the attack vectors I am totally surprised at how the ARRL essentially a technology organization could be so negligent with IT/IS system management. No excuse by the former and the current ARRL Board of Directors should be accepted, and no doubt that IT support was financially and resource constained for many years unable to maintain a safe operational posture. Hopefully ARRL will learn the lesson and take the measures to update and upgrade an archaic platform similar to your recommendations. W4JRT / CT7BEG CISSP/CISA and a bunch more
@kc0itf 4 күн бұрын
I'm a life member of the ARRL... and this is depressing and disappointing. For a lobby organization that doesn't practice what it preaches... in an emergency, HAM RADIO, except if your stuff has been HACKED! If only the League had some real competition... but it appears to be a monopoly right now!
@lyledal 4 күн бұрын
All of this makes me very angry. SMGDH
@cherrymountains72 4 күн бұрын
I’ve worked in IT albeit not in server environments but what you say sounds like common sense. It seems their biggest problem is a long lack of investment in keeping the systems up to date with the times. Windows 98? FoxPro? CentOS? They were lucky to get away with that for as long as they did but now they need to get their stuff in order. It’s time to take their users seriously and I genuinely hope they will let common sense prevail and bite the bullet they’ve been avoiding for too long it seems.
@JimJimmington-e8i 4 күн бұрын
They keep asking me to join, but I refuse. The details behind this hack told me I do not want to store much financial or other personal information with them. They need to get that IT house in order.
@ranchosinnombreannjimmy8427 4 күн бұрын
great fun breadboard project
@skillstacker 5 күн бұрын
CentOS EOL'd in June. Very disappointing. If they are not moving to containers and IaC it is all a waste of time.
@tolyaulyanov 5 күн бұрын
Hernandez Jessica Hall Margaret Gonzalez Sandra