AWSA website


disland
  • Baller

I don't understand, as a former Chief Information Officer, how a backup (daughter or granddaughter) is not available to establish/restore the DB or a separate failover cluster and/or snapshots available. I hope they are learning to prevent future failure/vulnerabilities.


  • Baller_

@JackQ, I had the same questions.  And, if this was a hacking incident, who are they hiring to do their security reviews and penetration testing?

For the database, a product like Delphix Continuous Data (database virtualization) maintains snapshots that can be provisioned into database copies, should a specific version of the database be needed for recovery - and the provisioning time for one of these is often faster than a restore (like less than 15 mins for a multiple TB database).  I'm sure there are others as well that provide immutable snapshot management.

The worst slalom equipment I own is between my ears.


  • Baller_

Also, if it is a hacking incident, the timing might indicate someone with knowledge of AWSA and perhaps a grudge.  This occurred right after Nationals, when all the COA calculations for next year will occur and there could also possibly be World Ranking implications from the L scores achieved at Nationals.  They picked a prime time for this incident.

The worst slalom equipment I own is between my ears.


  • Administrators

My understanding is that there are backups, but the hacking happened months ago, so it is a nightmare. You also have to remember that the site was created largely by volunteer developers and is roughly 10 years old. As a small underfunded sporting federation this kind of disaster is not surprising.

I seriously doubt that it is some sort of conspiracy against water skiing. I know the previous version of BallOfSpray was hacked more than once and it was expensive to get it all fixed each time. My experience is that hackers are just looking for a place to spawn spam emails and host fake pages so they can commit fraud. 


  • Baller

I received an email from Nate as an official acknowledgement of the event.   There was no mention of a hack or security compromise.   In most corporate settings when a breach occurs they immediately assess risks to private personal data.  I was thinking about what might be within the AWSA database.  (Hard to say what is at USAWS and what is at AWSA...)

IIRC, every single official has an address and phone number that can be shown when searching for officials.  I think they have everyone's birthdates.  Possibly the Bio data is stored there which includes employer, hobbies, etc.  Given all of this and possibly more, I would expect AWSA to formally inform membership of what data was present and possibly compromised.   


  • Administrators

@ToddL

There's no data in there that really matters. If some hacker wants to know my home address and age, they can have it. Until they get to my SS number and/or a credit card number, it's all irrelevant, and frankly it's all been compromised across the internet 100 times by now.

Additionally, most people's SS number has probably already been compromised across the internet a couple of dozen times. It's increasingly a less critical data point for somebody to actually commit fraud. 

So if you are paranoid then yes this is a problem, but I think if you understand how internet fraud works, you'll realize there's nothing to worry about here. If you're really worried, you should email me your bank account numbers and PIN codes so I can make sure that all your money is safe.


  • Baller

@Horton Wouldn't credit card numbers be a concern in a hack as auto renewal of membership is an option at USAWS?  I don't consider myself paranoid, concerned about my credit card number being obtained, yes.  Paranoid, no.  Additional information from USAWS regarding any potential information obtained by hackers would be nice.  


  • Administrators

@sunperch

I believe your credit card number does not live in the AWSA database. Every time I sign up for a tournament I get bounced to PayPal, and every year you have to re-sign up through a credit card processor for your membership. I could be wrong but I really don't think there's anything in the data that any of us should be worried about.


  • Baller_

@Horton, I believe that the credit card people have strict requirements for vendors to collect and process payments through them.  PCI (Payment Card Industry) compliance specifies how a vendor can handle your credit card number and if they are allowed to store it locally.  Most vendors do not store it, due to the PCI auditing that occurs and the requirements their data centers and network infrastructure must meet.  

That said, it would be good for USA Water Ski to issue statements on the data it maintains and how it may have been affected or exposed during this incident.

The worst slalom equipment I own is between my ears.


  • Baller

There are other consequences to data breaches than getting your email address spammed or credit card numbers stolen or prior results vanishing - you personally might not be worried about someone showing up at your house, but sexual assault victims sure are. And "but other sites do it too" is no excuse for lax security. GDPR rules and regs are no joke either, this puts businesses in jeopardy. It's all valuable data because none of us could have put in fake/throwaway stuff like we would with any other random site, so it's pretty much all verified.

Trusting volunteers to manage this stuff is a boneheaded move. It is not 2013 anymore. Now they've justifiably lost everyone's trust and it's going to take some serious changes to earn it back.


  • Baller

We have fall tournaments coming up that contestants now will have a difficult time entering. I am already seeing a diminished number of participants, like almost 0. Aside from the spreadsheet now provided, is there any hope that the problem will be resolved soon? Maybe an estimated back-in-service date?

Thank you.

I'm sure that I am not alone with this concern.


  • Baller

Interesting that it seems the hackers went after the files we have a hard time living without rather than personal info files etc. A friend suggested it might be a ransomware attack. Those files could be gone forever.

Edited by ETskier

  • Baller
On 8/22/2023 at 6:31 PM, Horton said:

@ToddL

there's no data in there that really matters.  <snip>

So if you are paranoid then yes this is a problem  <snip>

I agree.  It is the principle of it:  not one mention of a hack; it's just "down".   That omission doesn't help build/repair any trust with leadership.  That was more of my point which I should have articulated better.  


  • Administrators

The last I heard the data has been recaptured and the infrastructure was being migrated to another server. It's quite a bit of work, and you have to remember the site was built by, and most of the corrections are being done by, volunteers.


  • Baller

After all this time the IWWF still doesn't even have an SSL certificate on their site. That's something you have to willfully choose to exclude in 2023; literally every domain provider includes that in their cost.

 

Anyone know what's gonna happen with all the tournaments that happened but don't have any scores posted in wstims?


  • Administrators

@CharlieThreeThree Which IWWF site? There are approximately 10,000 domains that are all loosely disjointed from each other. 🤦‍♂️

Once the system is back up and running, I think all of the uncaptured data will fall into place.


  • Baller_

I've scored 2 events from August; both have been compiled and sent up the chain of command, and they'll get posted as soon as the system is ready to accept. Next weekend I'll do another double-header. Luckily I have the files from other local events, and last year's events, to draw registration info from; it takes a little more time, but it's still part of the fun....
