[CQ-Contest] L.O.T.W.

Dick Green WC1M wc1m at msn.com
Fri Jul 29 02:36:46 EDT 2005 

> -----Original Message-----
> From: Bill Turner [mailto:dezrat1242 at ispwest.com] 
> Sent: Thursday, July 28, 2005 3:02 PM
> To: wc1m at msn.com; cq-contest at contesting.com
> Subject: RE: [CQ-Contest] L.O.T.W.
> 
> At 11:20 AM 7/28/2005, Dick Green WC1M wrote:
> >The simple answer is that doing security at the ARRL end would not 
> >change or eliminate the registration requirements. Further, such a 
> >system would have to rely on password logon, which is not secure.
> 
> _________________________________________________
> 
> It isn't the registration I find annoying, it's the signing 
> and uploading.

What is it about this that you find annoying? It's a simple matter of
running a program between two steps (log extraction and upload) that would
be required whether or not the records get signed. It's a lot less
complicated than learning to operate a modern transceiver! (I'm thinking of
my FT-857D, which has baffled me more than once :-)

If you accept the benefits of tagging log records with digital signatures,
then you should know that there would be little or no difference in the user
interface if records are signed on the ARRL computer or your computer,
except that the latter is much more secure. You would still have to interact
with a program on the ARRL computer to specify  information (like call, QTH,
etc.) and wait for the records to be signed.

If you do not accept the benefits of tagging log records with digital
signatures, then please refer to my reply to K1TTT. The bottom line is that
they provide an affordable way to protect integrity of the DXCC database and
open the potential for exporting QSL records to other awards programs.

> 
> Wouldn't password login be secure if the ARRL issued the 
> password with the following conditions:
> 
> 1. Passwords will be assigned by ARRL. You may not pick your own.
> 2. No "mother's maiden name" nonsense. You use the password 
> you were assigned and can not change it.
> 3. Passwords will be as long as needed to achieve the level 
> of security needed. 128 characters would be fine with me, 
> although fewer would probably do the job. Everyone knows how 
> to copy and paste, or better yet, use RoboForm to 
> automatically fill them in. RoboForm is free for up to ten passwords.
> 4. Many if not most password security problems arise from use 
> of easily guessed passwords. #1, 2 and 3 above will eliminate that.
> 5. The password will only be mailed to the address on the 
> license, just as it is now.  No emailing. Email is easily spoofed.
> 
> I just checked my RoboForm passwords. I have 35 of them as of 
> today, most of which I use regularly. I have never had a 
> problem with any of them.
> 
> I am not convinced that LoTW demands a higher level of 
> security than what banks use to transfer billions of dollars 
> every day. If anyone can show me how QSLs are more valuable 
> or more prone to hacking than cash I will drop the whole matter.

Your argument about bank security systems do not apply because banks have
stringent internal network and computer access requirements that would be
far too costly for ARRL to implement. LoTW's digital signature system is a
much more affordable way to ensure integrity of the DXCC database.

As I have detailed in a reply to K1TTT, while the bank's networks, computers
and databases are relatively safe from hackers and malicious insiders, your
online bank account is quite vulnerable. However, only one person will be
affected by a violation of your account -- you. Thousands of people could be
affected by a violation of VU4RBI's account by a hacker. As I said to K1TTT,
I'm not saying QSLs are more important than money, but collapse of DXCC's
integrity will affect many people.

It's true that many hams do not give a rat's behind about DXCC integrity.
But there are many hams who do care -- a lot. I wouldn't assume that QSLs
don't equate to cash for these people. Imagine if the DXCC database were to
be hacked undetectably in such a way that serious questions were raised
about the legitimacy of awards credits. The ham who spent many thousands of
dollars for tower(s), antenna(s), rotor(s), cables, radio, computer, etc.,
and spent decades chasing DX, might feel every bit as violated as you would
feel if someone stole $100 from your online bank account. 

73, Dick WC1M

> 
> In the meantime, we are all losing QSLs because many hams 
> refuse to participate due to the complexity. LoTW should be 
> attracting hams because of it's ease of use and security, not 
> turning them off because it is a PITA. As of today, only 
> about one ham in 200 worldwide is using LoTW. 
> That's way too low.
> 
> Bill, W6WRT
> 
>

More information about the CQ-Contest mailing list