The title topic comes up here and there, and I’m often asked about it on the air, so I thought I’d take the opportunity to detail, once and for all, why I have zero interest in ARRL’s Logbook of the World.
To be fair, it does what it does and based on the number of users, it does it reasonably well – you install their software, jump through their hoops, and you can submit your logs in a way that ARRL will accept for award credit. At that level, I have no complaint with the system.
However, Logbook of the World has a number of shortcomings that are off-putting enough to make me lose all interest in the system.
1. It’s great for one or two callsigns, but becomes an ever-increasing gluteal pain if you operate lots of special event and other callsigns.
Yes, if you have multiple callsigns, you need a separate cryptographic certificate for each additional callsign. That’s extra files you have to keep track of, extra things to check that you have properly configured before you submit logs, extra things to get deleted/munged if you have a computer failure. It’s also wholly unnecessary – with a database that’s even half-decently designed, one should be able to register once with a primary call and use that cryptographic signature with other calls associated with that particular user. In fact, that’s pretty much the way public key cryptography was DESIGNED to be used, but the ARRL chose not to do it that way.
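The design argued for in point 1, one registered key reused for every callsign tied to the operator, sketched as an added example (not ARRL's or LotW's code). The type and function names, the choice of Ed25519, and the callsigns and QSO record are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Registry maps every callsign to the one public key its operator registered.
type Registry map[string]ed25519.PublicKey

// Register associates further callsigns with a key that is already on file.
func (r Registry) Register(pub ed25519.PublicKey, calls ...string) {
	for _, c := range calls {
		r[c] = pub
	}
}

// NewOperator creates the single key pair an operator keeps (nil selects crypto/rand).
func NewOperator() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// payload binds the station callsign into the bytes that get signed.
func payload(call, record string) []byte { return []byte(call + "\n" + record) }

// SignRecord is the operator side: sign one log record under a callsign.
func SignRecord(priv ed25519.PrivateKey, call, record string) []byte {
	return ed25519.Sign(priv, payload(call, record))
}

// Accept is the server side: verify against the key registered for the callsign.
func (r Registry) Accept(call, record string, sig []byte) bool {
	pub, ok := r[call]
	return ok && ed25519.Verify(pub, payload(call, record), sig)
}

func main() {
	pub, priv := NewOperator()
	_, otherPriv := NewOperator()
	reg := Registry{}
	reg.Register(pub, "N0CALL", "N0CALL/P", "N0EVENT") // constructed callsigns
	rec := "call=N0DX band=20m mode=RTTY" // constructed QSO record
	fmt.Println(reg.Accept("N0EVENT", rec, SignRecord(priv, "N0EVENT", rec)))      // own key
	fmt.Println(reg.Accept("N0EVENT", rec, SignRecord(otherPriv, "N0EVENT", rec))) // wrong key
}
```

Because the callsign is part of the signed bytes, a signature made for one of the operator's callsigns cannot be replayed under another, even though both map to the same key.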
2. It’s “pretend” security, making a proverbial mountain out of a molehill. What security it provides is unnecessary.
Public key cryptography – the driving engine behind LotW security – is intended to provide two levels of security. First, the radio amateur identifies himself to the certificate issuer satisfactorily. A digital certificate is issued and through the magic of mathematics, whenever the amateur uses the certificate to sign a message, it can be verified that that specific certificate was used. In order to say that an identity is verified, however, one must have assurance that the certificate has not been shared. So although I might jump through ARRL’s identity hoops, I could share my certificate around deliberately… or because it sits as a file on my computer, a malicious person could steal it from my hard drive. Unless the certificate is protected at some level, it offers little or no assurance that it is being used by the intended person. That is why serious systems that use public key cryptography store the certificate in a smart card or similar device – something the proper owner can carry with them and can’t be easily hacked. Yes, the owner could still share it around, but when it’s used he can’t say “well someone hacked it.”
Additionally, it is important that the issuance of certificates cannot be subverted in some way. In particular, for non-US operators, you need only send a real-looking copy of a licence, and a copy of some other official-looking document to verify your identity. If we assume that ARRL awards are something important enough to try and get by undeserving individuals, it’s probably fair to assume that faking these two simple documents would require only a few minutes of time on the internet and with a program like MSPaint or Photoshop. Therefore, the identity value of the cryptographic certificate is precisely zero by any measure. In fact, ARRL’s identification system is no better than eQSL, and arguably worse (eQSL can at least verify you have access to the mailing address you provide).
But… the certificate is also used to protect the submission in transit. Yes, the traffic is encrypted, but all that does is prevent it from being read by an interceptor (no value, not sensitive info), or modified by an interceptor (theoretically possible, but there would be MUCH easier ways to generate fake QSO records). I might accept this as a valid security measure if the ARRL could produce documentation indicating that they have done a Threat and Risk Assessment and determined that log information is at risk from this kind of attack. These are amateur radio QSO records, not government secrets.
In short, encrypting the records with public key cryptography is like swatting a mosquito by exploding an atomic bomb.
Looking at it another way: why don’t you put a 10 meter fence, a moat and a minefield around your house? You’d probably almost never get broken into, that would be certain. Odds are you don’t go to this extreme because the level of security isn’t justified by the level of risk. And even if you did put a 10 meter fence with a moat and minefield, you wouldn’t put a bridge over the whole thing right to your door. Public key cryptography is that fence/moat/minefield, and the slack authentication and identification process to get a certificate is that bridge.
Use of certificates also costs money. The certificates have to be maintained, they expire, people lose their passwords, they get compromised, they get lost, and all these problems are dumped on the certificate issuer to sort out. That costs time, and time is money. From my considerable experience in the specific field of PKI management, it would not be unreasonable for about 15-25% of certificates to be turned over in any given year just due to lost passwords and compromised certificates – not counting expired certificates and new issues. ARRL pays for that, which means that somewhere, users pay for it.
3. I have to install software on my machine.
Ok, this one is nit-picky, but there is no reason that anyone should have to install software to do these submissions. Even the certificates could be used through a Java applet. The whole system is so old-tech. I’m not interested in installing and maintaining a piece of software so I can use pretend security to submit my logs when they can already be submitted automatically from my logging software to eQSL, HRDLog and other places.
4. ARRL charges LotW users for using LotW contacts in award applications.
Users of LotW are charged 25 cents (US) per LotW contact submitted for an award. This is probably related to the costs I mentioned in point 2. And even though that’s not much, it does add $25.00 to the cost of a DXCC if you do it all through LotW. Think about it – you’re paying ARRL for the privilege of saving THEM from sorting through your cards and proof. YOU ARE PAYING TO MAKE THEIR JOB EASIER – not yours, theirs. If anything, they should be reducing the charges for the award, but as noted above, operating a public key infrastructure costs money and they have to get it back somewhere.
More to the point, I like paper cards anyway, and I use paper cards, so why would I want to sink effort into a system that only matters for ARRL awards when I meet their award requirements for free with no extra work on my part?
I think I have laid out, in sufficient detail, why I don’t have interest in participating in the Logbook of the World. I hope it’s clear enough for everyone to understand. Please understand that I harbour no ill-will toward the ARRL or LotW users… If LotW works for you, that’s awesome – enjoy it.
However, since I am regularly asked why I am not interested in LotW, I felt it would be worthwhile to post the reasons here and then refer to them later so I don’t have to type the same thing over and over.
[edit 2014: I did finally sign up for LotW on my primary callsign late last year. I upload about twice a month. My return rate appears to be less than eQSL or paper, so despite all the bleating about how awesome LotW is, it’s actually not as good as eQSL or paper, at least for me. I’ll guess that maybe CW or phone people get more hits through this method.]
[edit 2017: In 2017, an interesting technology is arising – Quantum Computing. If the purpose of certificates in LotW is security, then be warned… in a decade, give or take, maybe less, quantum computers will destroy public key cryptography, and the “security” of LotW will be truly non-existent.]
As noted in the previous post, I have a Yaesu VX-8R now and I thought I’d post some of my impressions in my standard review format…
This radio is top-notch in a number of areas:
The GPS unit works well, even from inside my house. It has a nice little display that gives all your position info.
These are really snivels. There’s only one real issue with this radio as noted in the next section.
I have only one major complaint about this radio, and that is that it uses a complicated menu system. The main menu has something like 100 items. So many of the features of this radio are accessed from the menu that there is a very steep learning curve. Sure, the basic functionality is straightforward, but if all you wanted was a couple of VFOs for talking, you would buy a much less expensive radio. I am certain that another row of front-panel keys could have reduced the menu complexity a bit and not added significantly to the size and weight of the radio. Even simple features like squelch are in the menu system, making them hard to use.
Whatever you do… DO NOT LOSE THE MANUAL! I guarantee you’ll need the manual often.
I am very pleased so far. I have some accessories on order (speaker-mic, GPS antenna). I may explore the Bluetooth board, although I am not convinced I want to use a bluetooth headset – mostly because I usually have such a headset for my telephone and don’t think I need two headsets on at the same time. I will be seeking that AA cell battery pack. That’s a must-have in my book.
The stock battery seems to have a lifetime of about 3 hours while using high power to talk on a repeater AND transmit an APRS beacon every two minutes. I haven’t decided if that is good, bad, or ugly. For most of my use, I don’t expect to use high power, so I would expect to get more battery life.
It’s not something I’d normally do, but this is an event worthy, I think, of being put here as well as my amateur radio blog…
Of late I’ve been playing a bit with slow scan TV. This mode, for the non-amateur reading this, is used by amateur radio enthusiasts to send single pictures to each other, usually via HF radio.
In the olde days, you’d need a camera at your end and a display of some sort at the other end, and some electronics to decode it. In theory, one could still do SSTV that way, but the more usual way is to use a computer and software hooked up to your radio. The still images are now JPG files.
It’s an interesting mode to demonstrate amateur radio to others as well because the picture slowly filling the screen is a real attention grabber.
As stated previously, I also volunteer at the Canada Museum of Science and Technology and operate the radio station there: VE3JW. I had noticed that there was software for SSTV so I decided this weekend to put up a new demo – instead of the digital modes that I normally use, I’d run up some SSTV. By coincidence, there was also a contest on, so there were a LOT of nice images coming in nearly constantly and it made for a really interesting display on the big screen for visitors to watch and ask questions about.
Interesting, that is, until some American yahoo had to transmit a scantily clad woman.
Now don’t get me wrong – at the most basic level, I have no problem with scantily clad women. I encourage less clothing wherever feasible. However, amateur radio SSTV is NOT an appropriate place for it. It was fortunate that I noticed it quickly enough to get it off the screen before anyone complained.
I’d like to thank the operator who sent that picture for personally embarrassing me in front of the public, for embarrassing the national science museum, and for making amateur radio operators look like immature asses. I hope it was worth it in your quest for that important contest QSO. I’m going to be polite and not publish the callsign… this time. You know who you are.
I can’t believe it’s actually necessary to screen for this kind of material in amateur radio. There are so many other venues to pass those kinds of pictures around, do amateur radio hobbyists really need to do it there too? I’d expect better of a high school student, let alone an adult. I was talking to another operator of the museum station and he, too, mentioned that he stopped showing SSTV because of these kinds of pictures. Thanks to the drooler population of amateur radio, we can’t demonstrate something really cool for fear that some softcore porn image will come up. Just what I need to show mom, dad, and their two grade-school kids who stop by the display. Nothing like some half-dressed tart on the screen to leave a good impression about amateur radio.
So, SSTV operators, grow up and leave your nudie pics on your hard drive. Send that crap via email if you must move the pics around. You never know who might be watching.