
Some Error all of a Sudden

Monty
 

Thanks… I found a solution.  Download the confirmation data from LOTW, which saves an ADIF file on my computer.  Then HRD Logbook has the capability to IMPORT a LOTW file.  That will work until HRD gets their security programming updated.  I did submit a ticket to HRD to let them know of the issue.

 

cheers

 

John L. “Monty” Wilson, NR0A

 

From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Rick Murphy
Sent: Monday, October 15, 2018 9:47 PM
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

On Mon, Oct 15, 2018 at 10:17 PM Monty <jwilson16@...> wrote:

I am having the same issue with HRD Log.  This morning I attempted to download LOTW data to update my HRD Log.  It worked OK last night.

 

I understand the need for the security changes.  The programmers will need to work through the issues.

 

Meanwhile, anyone know of a work around?

 

There's probably some way to download your QSOs using a web browser and import them offline into HRD. 

I'd expect directions to do that to come from the HRD maintainers.

73,

    -Rick

 

 

John L. “Monty” Wilson, NR0A

 

From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Bill
Sent: Monday, October 15, 2018 12:04 PM
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

I have notified my vendor about this issue.

Hopefully it is an easy fix.

Bill
K2WH


 

--

Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA

Rick Murphy
 

On Mon, Oct 15, 2018 at 10:17 PM Monty <jwilson16@...> wrote:

I am having the same issue with HRD Log.  This morning I attempted to download LOTW data to update my HRD Log.  It worked OK last night.

 

I understand the need for the security changes.  The programmers will need to work through the issues.

 

Meanwhile, anyone know of a work around?


There's probably some way to download your QSOs using a web browser and import them offline into HRD. 
I'd expect directions to do that to come from the HRD maintainers.
73,
    -Rick
 

 

John L. “Monty” Wilson, NR0A

 

From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Bill
Sent: Monday, October 15, 2018 12:04 PM
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

I have notified my vendor about this issue.

Hopefully it is an easy fix.

Bill
K2WH



--
Rick Murphy, CISSP-ISSAP, K1MU/4, Annandale VA USA

roamer
 

In a word YES!

 

From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Gilbert Baron
Sent: Monday, October 15, 2018 2:45 PM
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

But are they really needed for Amateur Radio? How many years we lived without them.

 

Outlook Desktop Gil W0MN

Hierro Candente Batir de Repente

44.08226 N 92.51265 W EN34rb

 

From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Chuck Milam
Sent: Monday, October 15, 2018 16:33
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

On Mon, Oct 15, 2018 at 4:10 PM Dave AA6YQ <aa6yq@...> wrote:

+ Applications that employ the internet must stay current with security standards.

 

 Corollary:  People who use the Internet must stay current with security standards.

 

---

Chuck Milam, N9KY

Monty
 

I am having the same issue with HRD Log.  This morning I attempted to download LOTW data to update my HRD Log.  It worked OK last night.

 

I understand the need for the security changes.  The programmers will need to work through the issues.

 

Meanwhile, anyone know of a work around?

 

John L. “Monty” Wilson, NR0A

 

From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Bill
Sent: Monday, October 15, 2018 12:04 PM
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

I have notified my vendor about this issue.

Hopefully it is an easy fix.

Bill
K2WH

Dave AA6YQ
 

AA6YQ comments below

On Mon, Oct 15, 2018 at 03:52 PM, iain macdonnell - N6ML wrote:

1) For digitally signing QSOs records, which is intended to reasonably
authenticate the source of the data. We can argue for the rest of time
whether or not this is overkill for an online QSL system.

If the original LoTW designers had optimized for user convenience over authentication, and tens of thousands of bogus confirmations valid for DXCC were later found to have been silently inserted into the LoTW database over multiple years, everyone would then agree that LoTW's security was too weak. Unfortunately, DXCC and the other ARRL-sponsored awards would be considered dead by the many DXers for whom standings matter.

The risk of too little security is much greater than the risk of too much security. Had the original LoTW development team not been skeletal, more of the complexity associated with the current security implementation could have been hidden or automated away. There's still an opportunity to do some of that.

       73,

              Dave, AA6YQ

 

iain macdonnell - N6ML
 

On Mon, Oct 15, 2018 at 3:43 PM Gilbert Baron <w0mn00@...> wrote:

YES for payments then HTTPS and even better 2 factor authentication but not for QSL logging. I just do not think the minimal cheating avoidance is even close to worth the problems of the Public Key Cryptography used by LoTW, especially outside of highly developed countries.

You completely missed my point (about the responsibility to maintain
reasonable security levels for any service involving authentication
with a password over the internet, because passwords may or may not
be dedicated).

LoTW uses PKI in two different contexts:

1) For digitally signing QSOs records, which is intended to reasonably
authenticate the source of the data. We can argue for the rest of time
whether or not this is overkill for an online QSL system.

2) For basic security of the web-based service, using TLS. This is the
standard for *every web service*, *everywhere*.

The current discussion is about the latter. Let's not confuse it with
the former.

73,

~iain / N6ML



-----Original Message-----
From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of iain macdonnell - N6ML
Sent: Monday, October 15, 2018 17:33
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

IMO, *YES*. LoTW requires you to authenticate over the internet with a password. Many people (hopefully) are diligent about not using the same password for services of varying sensitivity, but I'd be willing to bet that there are many who use the same password for LotW as for other things. The ARRL has a responsibility to maintain reasonable security levels. TLS is a ubiquitous standard for HTTP security - basically anything web-based. The ARRL must keep current with TLS standards.

73,

~iain / N6ML


On Mon, Oct 15, 2018 at 2:44 PM Gilbert Baron <w0mn00@...> wrote:

But are they really needed for Amateur Radio? How many years we lived without them.



Outlook Desktop Gil W0MN

Hierro Candente Batir de Repente

44.08226 N 92.51265 W EN34rb



From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Chuck
Milam
Sent: Monday, October 15, 2018 16:33
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden



On Mon, Oct 15, 2018 at 4:10 PM Dave AA6YQ <@AA6YQ> wrote:

+ Applications that employ the internet must stay current with security standards.



Corollary: People who use the Internet must stay current with security standards.



---

Chuck Milam, N9KY

@chuckmilam






Gilbert Baron
 

YES for payments then HTTPS and even better 2 factor authentication but not for QSL logging. I just do not think the minimal cheating avoidance is even close to worth the problems of the Public Key Cryptography used by LoTW, especially outside of highly developed countries.

Outlook Desktop Gil W0MN
Hierro Candente Batir de Repente
44.08226 N 92.51265 W EN34rb

-----Original Message-----
From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of iain macdonnell - N6ML
Sent: Monday, October 15, 2018 17:33
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

IMO, *YES*. LoTW requires you to authenticate over the internet with a password. Many people (hopefully) are diligent about not using the same password for services of varying sensitivity, but I'd be willing to bet that there are many who use the same password for LotW as for other things. The ARRL has a responsibility to maintain reasonable security levels. TLS is a ubiquitous standard for HTTP security - basically anything web-based. The ARRL must keep current with TLS standards.

73,

~iain / N6ML


On Mon, Oct 15, 2018 at 2:44 PM Gilbert Baron <w0mn00@...> wrote:

But are they really needed for Amateur Radio? How many years we lived without them.



Outlook Desktop Gil W0MN

Hierro Candente Batir de Repente

44.08226 N 92.51265 W EN34rb



From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Chuck
Milam
Sent: Monday, October 15, 2018 16:33
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden



On Mon, Oct 15, 2018 at 4:10 PM Dave AA6YQ <@AA6YQ> wrote:

+ Applications that employ the internet must stay current with security standards.



Corollary: People who use the Internet must stay current with security standards.



---

Chuck Milam, N9KY

@chuckmilam

iain macdonnell - N6ML
 

IMO, *YES*. LoTW requires you to authenticate over the internet with a
password. Many people (hopefully) are diligent about not using the
same password for services of varying sensitivity, but I'd be willing
to bet that there are many who use the same password for LotW as for
other things. The ARRL has a responsibility to maintain reasonable
security levels. TLS is a ubiquitous standard for HTTP security -
basically anything web-based. The ARRL must keep current with TLS
standards.

73,

~iain / N6ML

On Mon, Oct 15, 2018 at 2:44 PM Gilbert Baron <w0mn00@...> wrote:

But are they really needed for Amateur Radio? How many years we lived without them.



Outlook Desktop Gil W0MN

Hierro Candente Batir de Repente

44.08226 N 92.51265 W EN34rb



From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Chuck Milam
Sent: Monday, October 15, 2018 16:33
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden



On Mon, Oct 15, 2018 at 4:10 PM Dave AA6YQ <@AA6YQ> wrote:

+ Applications that employ the internet must stay current with security standards.



Corollary: People who use the Internet must stay current with security standards.



---

Chuck Milam, N9KY

@chuckmilam

Charles Gallo
 

It has to do with the LOTW taking credit cards, and what the credit card processors are saying is minimum standard

73 de KG2V

On Oct 15, 2018, at 5:44 PM, Gilbert Baron <w0mn00@...> wrote:

But are they really needed for Amateur Radio? How many years we lived without them.

 

Outlook Desktop Gil W0MN

Hierro Candente Batir de Repente

44.08226 N 92.51265 W EN34rb

 

From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Chuck Milam
Sent: Monday, October 15, 2018 16:33
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

On Mon, Oct 15, 2018 at 4:10 PM Dave AA6YQ <aa6yq@...> wrote:

+ Applications that employ the internet must stay current with security standards.

 

 Corollary:  People who use the Internet must stay current with security standards.

 

---

Chuck Milam, N9KY

Charles Gallo
 

Except that credit card processors insist that you have a certain minimum level of security for your whole site. Leaving the older encryption levels on there makes the whole site more vulnerable. The fact that certain software vendors don’t issue updates, or they do, and users don’t apply them, literally for over a decade is a big issue. Sorry, as a developer, I know what can happen. I personally think the league should have done this long before the deadline, like 5-6 years ago.

73 de KG2V

On Oct 15, 2018, at 5:30 PM, Frank T Brady <franktbrady@...> wrote:

Dave
I wasn't supposing that ARRL would do anything different to accommodate me.
I was just voicing my displeasure.
I repeat - I don't believe that the security vulnerability had anything to do with a web query for a qsl download and a little effort could have solved the real problem without causing all this disruption.
This "security" BS can be a never ending pain for users to keep up with.
Thanks for taking the time to comment.
Frank

On 10/15/2018 5:10 PM, Dave AA6YQ wrote:
+ AA6YQ comments below

On Mon, October 15, 2018 12:51 pm, Frank T Brady wrote:
Well, Rick - that sounds like a very user-unfriendly policy for ARRL
to make a change that requires everyone to get updated software. User
friendly implementation would be to accommodate existing user software
interface methods - not force everyone to change or fail. 73, Frank
W0ECS

So you mean that you'd prefer that the ARRL should leave a security vulnerability open for more than a DECADE after the patch has been put out there? Maybe your vendor should have updated your software in that time?
(Framework 3.5 sp1 came out in August 2008)

+ Several weeks ago, the ARRL announced that this change was coming:

<http://www.arrl.org/news/arrl-updating-its-website-security-software>

+ and

<https://groups.io/g/ARRL-LoTW/message/29458>

+ This announcement was also posted to the email list provided for developers whose applications interact with LoTW.

+ Applications that employ the internet must stay current with security standards.

73,

Dave, AA6YQ





KA9JAC
 

No,
BUT
then you should not whine when something no longer works.
And do not start complaining when your computer crashes.

On 10/15/2018 4:44 PM, Gilbert Baron wrote:

But are they really needed for Amateur Radio? How many years we lived without them.

 

Outlook Desktop Gil W0MN

Hierro Candente Batir de Repente

44.08226 N 92.51265 W EN34rb

 

From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Chuck Milam
Sent: Monday, October 15, 2018 16:33
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

On Mon, Oct 15, 2018 at 4:10 PM Dave AA6YQ <aa6yq@...> wrote:

+ Applications that employ the internet must stay current with security standards.

 

 Corollary:  People who use the Internet must stay current with security standards.

 

---

Chuck Milam, N9KY




Charles Gallo
 

On Oct 15, 2018, at 5:10 PM, Dave AA6YQ <@AA6YQ> wrote:

+ AA6YQ comments below

+ Applications that employ the internet must stay current with security standards.

73,

Dave,
Preach it!

73 de KG2V

Gilbert Baron
 

But are they really needed for Amateur Radio? How many years we lived without them.

 

Outlook Desktop Gil W0MN

Hierro Candente Batir de Repente

44.08226 N 92.51265 W EN34rb

 

From: ARRL-LoTW@groups.io <ARRL-LoTW@groups.io> On Behalf Of Chuck Milam
Sent: Monday, October 15, 2018 16:33
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

On Mon, Oct 15, 2018 at 4:10 PM Dave AA6YQ <aa6yq@...> wrote:

+ Applications that employ the internet must stay current with security standards.

 

 Corollary:  People who use the Internet must stay current with security standards.

 

---

Chuck Milam, N9KY

Chuck Milam
 

On Mon, Oct 15, 2018 at 4:10 PM Dave AA6YQ <aa6yq@...> wrote:
+ Applications that employ the internet must stay current with security standards.

 Corollary:  People who use the Internet must stay current with security standards.

---
Chuck Milam, N9KY

Frank T Brady
 

Dave
I wasn't supposing that ARRL would do anything different to accommodate me.
I was just voicing my displeasure.
I repeat - I don't believe that the security vulnerability had anything to do with a web query for a qsl download and a little effort could have solved the real problem without causing all this disruption.
This "security" BS can be a never ending pain for users to keep up with.
Thanks for taking the time to comment.
Frank

On 10/15/2018 5:10 PM, Dave AA6YQ wrote:
+ AA6YQ comments below

On Mon, October 15, 2018 12:51 pm, Frank T Brady wrote:
Well, Rick - that sounds like a very user-unfriendly policy for ARRL
to make a change that requires everyone to get updated software. User
friendly implementation would be to accommodate existing user software
interface methods - not force everyone to change or fail. 73, Frank
W0ECS

So you mean that you'd prefer that the ARRL should leave a security vulnerability open for more than a DECADE after the patch has been put out there? Maybe your vendor should have updated your software in that time?
(Framework 3.5 sp1 came out in August 2008)

+ Several weeks ago, the ARRL announced that this change was coming:

<http://www.arrl.org/news/arrl-updating-its-website-security-software>

+ and

<https://groups.io/g/ARRL-LoTW/message/29458>

+ This announcement was also posted to the email list provided for developers whose applications interact with LoTW.

+ Applications that employ the internet must stay current with security standards.

73,

Dave, AA6YQ



Dave AA6YQ
 

+ AA6YQ comments below

On Mon, October 15, 2018 12:51 pm, Frank T Brady wrote:
Well, Rick - that sounds like a very user-unfriendly policy for ARRL
to make a change that requires everyone to get updated software. User
friendly implementation would be to accommodate existing user software
interface methods - not force everyone to change or fail. 73, Frank
W0ECS

So you mean that you'd prefer that the ARRL should leave a security vulnerability open for more than a DECADE after the patch has been put out there? Maybe your vendor should have updated your software in that time?
(Framework 3.5 sp1 came out in August 2008)

+ Several weeks ago, the ARRL announced that this change was coming:

<http://www.arrl.org/news/arrl-updating-its-website-security-software>

+ and

<https://groups.io/g/ARRL-LoTW/message/29458>

+ This announcement was also posted to the email list provided for developers whose applications interact with LoTW.

+ Applications that employ the internet must stay current with security standards.

73,

Dave, AA6YQ

Bill
 

I was just informed, HoseNose (Logic) is aware of the situation and is working on a fix.

Bill
K2WH

Charles Gallo
 

Which also uses the same framework 

73 de KG2V

On Oct 15, 2018, at 3:53 PM, Bill <k2wh@...> wrote:

They do not use VB.NET.

The code in question is in "C#".

K2WH

Charles Gallo
 

It is not just VB.NET, but anything that uses the .NET Framework, so C# has the same issue.

73 de KG2V

On Oct 15, 2018, at 3:51 PM, Bill <k2wh@...> wrote:

I was just informed by Hosenose (Logic9), they do not use VB.NET.

 

K2WH

 

From: ARRL-LoTW@groups.io [mailto:ARRL-LoTW@groups.io] On Behalf Of W0MU
Sent: Monday, October 15, 2018 2:11 PM
To: ARRL-LoTW@groups.io
Subject: Re: [ARRL-LoTW] Some Error all of a Sudden

 

First I have heard that Firefox no longer works with Windows 7.  Are you running Firefox in Administrator mode?   Logic9 uses a web browser to download your data?  That seems odd.

Why don't you just wait until the issue is fixed before doing the manual work?  Is there a rush?  Heck you don't even need a logging program to apply for awards if they are all on LOTW. 

Are you having a browser issue or a logic9 issue? 

W0MU

 

 

 

On 10/15/2018 11:55 AM, Bill wrote:

I don't use Microsoft IE, I have Firefox and win7 is no longer supported.

I understand my entries into LOTW are safe, and what I have done to work around the issue is to log onto the ARRL LOTW site, searching manually for calls and updating my Logic9 log, tedious.

Logging program is up to date.

Rebooted twice.

Since this LOTW change went into effect today, I may be the first to raise the red flag on this issue.

K2WH

Look, I'm not a computer guru, know very little about how it is supposed to work, just looking for help instead of confrontations!



K2WH

 

Bill
 

They do not use VB.NET.

The code in question is in "C#".

K2WH