CQ-Contest

Re: [CQ-Contest] L.O.T.W.

To: "'Bill Turner'" <dezrat1242@ispwest.com>,<cq-contest@contesting.com>
Subject: Re: [CQ-Contest] L.O.T.W.
From: "Dick Green WC1M" <wc1m@msn.com>
Reply-to: wc1m@msn.com
Date: Thu, 28 Jul 2005 14:20:50 -0400
List-post: <mailto:cq-contest@contesting.com>
I don't want to prolong this thread, but Bill didn't get a good answer to
his question (see below.) The following is not an official response from
ARRL, just my own:

The simple answer is that doing security at the ARRL end would not change or
eliminate the registration requirements. Further, such a system would have
to rely on password logon, which is not secure.

More Detail:

Registration -- The difference between US and DX registration procedures has
nothing to do with the secure digital signature system used for identifying log
records. Regardless of whether a certificate or password is used, there's
still the problem of authenticating the owner of the certificate or password
(i.e., making sure that the person requesting access to the system really
owns the call sign.) Short of a personal appearance at ARRL HQ (perhaps with
an original copy of the license, passport, DNA tests, fingerprints, iris
patterns, etc.), it's rather difficult to authenticate a user. The FCC
database and US postal system provide a pretty good way to do this for US
hams, albeit not perfect. Unfortunately, few if any other countries have
accurate and available government databases that can be used to authenticate
DX hams. Hopefully, this situation will improve in the future. 

Passwords -- While some have asserted that password logon is secure because
banks use it, they are mistaken. It's a simple matter to bust a password --
poke around on the net and you'll probably find free programs that do it.
Passworded accounts are poorly protected unless you take special
precautions, such as choosing randomly-generated passwords of eight
characters or more with mixed alphanumerics and case, and are very careful
when setting up password reminders (how many unsecure websites know your
mother's maiden name?)

Where Security is Done -- A somewhat more complicated reason for doing
security at the user end is that one of the goals was for each log record to
be permanently associated with its authenticated owner. This provides
long-term assurance that the log records upon which DXCC and other awards
programs are based have not been altered, and any records found to be
fraudulent can be easily eliminated. The only secure way to do this is to
use a cryptographic digital signature system. In theory, this could be done
at the ARRL end, but the above-mentioned password-based logon leads to
numerous security holes beyond just the inherent vulnerability of the
password itself. Further, doing digital signatures at the ARRL end would
potentially require enormous amounts of CPU power when large numbers of
users upload logs at the same time, resulting in unacceptably slow response
time for uploads and queries.

The "It's only a hobby" objection doesn't fly. Our hobby is filled with
hundreds of thousands of technically competent individuals, many of whom are
capable of figuring out how to bust through light security. Sadly, there's
ample evidence that a small number of our comrades would gladly execute on
that potential in order to gain undeserved fame or wreck the awards program.

I would hope anyone contemplating registration will bear in mind that it's a
one-time minor inconvenience for a lifetime of convenience. A pretty fair
trade, in my opinion.

Hope this is helpful.

73, Dick WC1M

> -----Original Message-----
> From: Bill Turner [mailto:dezrat1242@ispwest.com] 
> Sent: Wednesday, July 27, 2005 10:19 PM
> To: cq-contest@contesting.com
> Subject: Re: [CQ-Contest] L.O.T.W.
> 
> At 06:07 PM 7/27/2005, Joe Subich, W4TV wrote:
> >You are not going to maintain security by eliminating the 
> security ... 
> >that's like killing the patient to "cure the disease"
> 
> _________________________________________________
> 
> You guys are wearing me out here, but let me say it one more time:
> 
> I don't want to reduce security. I want the security 
> processing to occur at the ARRL's end, not at the user's end.
> 
> This is how the banks do it. It works for them and it should 
> be plenty good enough for us.
> 
> Until the ARRL makes the above possible, we are all losing 
> QSLs from stations which choose not to use it because of its 
> complexity.
> 
> It is not "too complex", it is "unnecessarily complex".
> 
> Simplify it and they will come.
> 
> Bill, W6WRT
> 
> 
> 
_______________________________________________
CQ-Contest mailing list
CQ-Contest@contesting.com
http://lists.contesting.com/mailman/listinfo/cq-contest
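
The "Where Security is Done" point above, as an added example that is not part of the original message and is not ARRL or LoTW code: a record signed at the user's end stays bound to its owner and to its exact contents, so alteration or re-attribution is detectable later. Ed25519, the record layout, the in-memory key registry (standing in for issued certificates) and the call signs are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SignedQSO is a hypothetical record layout, not the LoTW file format.
type SignedQSO struct {
	Owner  string // call sign the signing key is registered to
	Record string // text of one log entry
	Sig    string // base64 signature over Owner + "\n" + Record
}

func payload(owner, record string) []byte { return []byte(owner + "\n" + record) }

// SignQSO runs on the user's machine; the private key never leaves it.
func SignQSO(priv ed25519.PrivateKey, owner, record string) SignedQSO {
	sig := ed25519.Sign(priv, payload(owner, record))
	return SignedQSO{owner, record, base64.StdEncoding.EncodeToString(sig)}
}

// VerifyQSO runs at the server, at upload or years later, using only the
// public key registered for the claimed owner.
func VerifyQSO(registry map[string]ed25519.PublicKey, q SignedQSO) bool {
	pub, known := registry[q.Owner]
	sig, err := base64.StdEncoding.DecodeString(q.Sig)
	if !known || err != nil {
		return false
	}
	return ed25519.Verify(pub, payload(q.Owner, q.Record), sig)
}

// Demo checks a genuine record, an altered one, one re-attributed to another
// owner, and the genuine one after its owner's key is withdrawn.
func Demo() (genuine, altered, reattributed, withdrawn bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	registry := map[string]ed25519.PublicKey{"N0CALL": pubA, "N0TEST": pubB} // constructed call signs
	q := SignQSO(privA, "N0CALL", "CALL=N0TEST BAND=20M MODE=CW DATE=20050728") // constructed entry
	genuine = VerifyQSO(registry, q)
	altered = VerifyQSO(registry, SignedQSO{q.Owner, "CALL=N0TEST BAND=160M MODE=CW DATE=20050728", q.Sig})
	reattributed = VerifyQSO(registry, SignedQSO{"N0TEST", q.Record, q.Sig})
	delete(registry, "N0CALL")
	withdrawn = VerifyQSO(registry, q)
	return
}

func main() { fmt.Println(Demo()) }
```

Only the genuine record verifies; withdrawing an owner's key invalidates every record signed under it in one step.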
