<SPAM> Re: emergency alert system

["John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec () GMAIL COM>]

We're all technological here (I assume), so I don't need to convince you
that they are not life-saving devices.  If you have an active shooter, you
aren't going to get SMS out in time before the event is over.

The big problem is that with SMS systems in specific, they are insecure and
insecurable. Anyone, from anywhere in the globe can send an SMS as anyone
else without any real effort. This is important because you create a system
where people are trained to obey unquestioningly, immediately and without
thought. You don't want them analyzing the message, you want them to do X.
Insert the panic component as well, and most higher thought is out the
window for most people.

Now, take a scenario similar to the Omagh bombings. Basically, they called
in a fake bomb threat to the courthouse and people were evacuated basically
to where the bomb really was. Modify the scenario a little bit.  Spider
facebook to get cell phone numbers, or heck, just use the area code and
exchange and blast all the numbers, either way, you get alot of people with
text messages.  Tell them to head to an open location, quad, whatever.
That's where your suicide bomber is and his body count increases
dramatically when a bomb goes off open-air with people standing around.  A
bomb inside is no picnic, but you have walls and such that starts to
dissipate the impact.  You go from dozens killed to hundreds.

Now of course, that's worst case scenario... but think of the pranks a
moderately tech-savvy frat boy could pull. It'd be a game of simon says.

Add on top the very low threshold that is demanded in which these systems
are activated, 99 times out of a 100 (at best) you are dealing with false
alarms.  Someone with a can of spray paint not only shut down a university
for a week, it shut down unrelated schools simply because they were within a
mile or so. To be somewhat aggressive, at least the French know who they're
surrendering to. We've slamming these systems in place with the expectation
and policy to engage them far more than is effficient.  A couple of frat
boys with a few M80s could should down finals that they didn't study for,
for instance.  Remember, most people can't tell the difference between an
M80 and gunfire.  It doesn't matter, if the police don't here it, they
wouldn't know either and they have to respond as if a mass campus shooting
is eminent, no matter how much a stretch it is.  No one wants to be the one
who didn't connect the dots, after all.

That's about a quick brain dump.

EQ should have an article on this next time out from me and my RA.

On Tue, Apr 15, 2008 at 4:09 PM, HALL, NATHANIEL D. <halln () otc edu> wrote:

> Mike Iglesias wrote:
> > John C. A. Bambenek, GCIH, CISSP wrote:
> > > *sigh*
> > >
> > > These systems are really a very very bad idea.
> >
> > I won't argue with you on that point.
>
> Could you tell why you believe these systems area bad ideas?  I am
> curious why you are against them.
>
> --
> Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
> Network Security System Administrator
> OTC Computer Networking
> (417) 447-7535