Educause Security Discussion mailing list archives

<SPAM> Re: emergency alert system

From: Stephen John Smoogen <smooge () UNM EDU>
Date: Tue, 15 Apr 2008 15:35:28 -0600

HALL, NATHANIEL D. wrote:

Mike Iglesias wrote:

John C. A. Bambenek, GCIH, CISSP wrote:

*sigh*

These systems are really a very very bad idea.

I won't argue with you on that point.


Could you tell why you believe these systems area bad ideas?  I am
curious why you are against them.


I do not have enough data to say if they are definitively good or bad.
However, there are several down side reasons for them:

1) They take time to get data out. While the service can get the data
and have it out from them in 2-3 minutes.. It can take hours for the
various Cell phone and pager companies to deliver the messages when you
have 10k or more recipients.

2) The message is not guaranteed to reach its recipients, but people
expect it to.

3) The message length most cell phone carriers allow does not allow for
you to give precise information (what to do, what is the threat, where
to go, who to avoid, whats going on) and the delay in getting updates
out can make a bad message worse.

All of these mean that you are going to have misinformation about what
is happening as people do and do not get messages. The telephone game
will cause messages changed as people tell others what they heard from
someone else. There is also a tendency to use the idea that getting the
information out is all you need to do... but it is only a step.

What are the evacuation guides, do people go to a safe spot or leave the
building. Do you drill regularly?(not if you are billed per incident by
your service provider) Do you have training programs to teach people
what to do? How do you co-ordinate it? Is local law enforcement part of
this planning?

The paranoid view on this would also add:

1) The messages are forgeable. Once a standard message is chosen to help
people realize its important.. an attacker could chose to empty a
classroom etc by sending a message to people in the room.

2) The plans have to take in multiple contingencies... they can't just
be one size fits all. If an attacker knows of the plans, is he going to
use them to push people to their killing zone?

Then there is the fact that while such events seem to be more common,
are they a high enough risk for the amount of resources spent on it.
There are other methods at lower costs that can help people feel and be
more secure.

--
Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-8219  Email: smooge () unm edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"

Current thread:

<SPAM> Re: emergency alert system Stephen John Smoogen (Apr 15)
- <Possible follow-ups>
- <SPAM> Re: emergency alert system Kevin Shalla (Apr 15)
- <SPAM> Re: emergency alert system Mike Iglesias (Apr 15)
- <SPAM> Re: emergency alert system Randy Marchany (Apr 15)
- <SPAM> Re: emergency alert system John C. A. Bambenek, GCIH, CISSP (Apr 15)
- Re: <SPAM> Re: emergency alert system Brad Judy (Apr 15)
- Re: <SPAM> Re: emergency alert system Allison Dolan (Apr 16)
- Re: <SPAM> Re: emergency alert system Roger Safian (Apr 16)
- Re: <SPAM> Re: emergency alert system Valdis Kletnieks (Apr 16)
- Re: <SPAM> Re: emergency alert system John C. A. Bambenek, GCIH, CISSP (Apr 18)
- Re: <SPAM> Re: emergency alert system Brad Judy (Apr 18)

(Thread continues...)