Re: <SPAM> Re: emergency alert system

[Brad Judy <Brad.Judy () COLORADO EDU>]

The reality is that most campuses will never use these for active
shooters, terorrist attacks, bombs, etc.  They will most often be used
for things like campus closures, threatening weather (tornado warnings,
hurricane coming, etc) and other more slowly unfolding events.  
 
To entirely dismiss them because they aren't instantaneous, perfectly
effective communications mechanisms is short-sighted.  
 
A point was raised that there may be a mis-match between expectations
and reality with these services.  I expect that is true on many
campuses, but this is an expectation setting problem.  This may
translate into a communications/documentation issue, vendor relationship
management issue or other issue on any given campus.  Figure out what
your system is really capable of and make sure people who make decisions
and receive the notifications understand the limitations.
 
As for shutting down campus for firecrackers, that's where you need good
people and procedures between the event and the notification.  Having
this type of notification system doesn't make that decision making
process any better or worse, it just changes the notification mechanism.

 
As for exploiting such a system to increase casualties in an attack,
first, this is an extremely unlikely scenario.  Second, if it were to
happen, one would get higher numbers coming to a quad using existing
technologies like Facebook/MySpace/blogs/e-mail to advertise a flashmob
or free food.  Having one of these services would not notably increase
the chances of this scenario.  
 
Some of the motivation for deploying these solutions might be misplaced,
but that doesn't mean they can't be useful and effective tools.
Whatever FUD went into the motivation, this kind of counter-argument has
far more FUD.
 
Brad Judy
 
IT Security Office
University of Colorado at Boulder

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John C. A.
Bambenek, GCIH, CISSP
Sent: Tuesday, April 15, 2008 9:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] <SPAM> Re: [SECURITY] emergency alert system


We're all technological here (I assume), so I don't need to convince you
that they are not life-saving devices.  If you have an active shooter,
you aren't going to get SMS out in time before the event is over.

The big problem is that with SMS systems in specific, they are insecure
and insecurable. Anyone, from anywhere in the globe can send an SMS as
anyone else without any real effort. This is important because you
create a system where people are trained to obey unquestioningly,
immediately and without thought. You don't want them analyzing the
message, you want them to do X.  Insert the panic component as well, and
most higher thought is out the window for most people.

Now, take a scenario similar to the Omagh bombings. Basically, they
called in a fake bomb threat to the courthouse and people were evacuated
basically to where the bomb really was. Modify the scenario a little
bit.  Spider facebook to get cell phone numbers, or heck, just use the
area code and exchange and blast all the numbers, either way, you get
alot of people with text messages.  Tell them to head to an open
location, quad, whatever.  That's where your suicide bomber is and his
body count increases dramatically when a bomb goes off open-air with
people standing around.  A bomb inside is no picnic, but you have walls
and such that starts to dissipate the impact.  You go from dozens killed
to hundreds.

Now of course, that's worst case scenario... but think of the pranks a
moderately tech-savvy frat boy could pull. It'd be a game of simon says.

Add on top the very low threshold that is demanded in which these
systems are activated, 99 times out of a 100 (at best) you are dealing
with false alarms.  Someone with a can of spray paint not only shut down
a university for a week, it shut down unrelated schools simply because
they were within a mile or so. To be somewhat aggressive, at least the
French know who they're surrendering to. We've slamming these systems in
place with the expectation and policy to engage them far more than is
effficient.  A couple of frat boys with a few M80s could should down
finals that they didn't study for, for instance.  Remember, most people
can't tell the difference between an M80 and gunfire.  It doesn't
matter, if the police don't here it, they wouldn't know either and they
have to respond as if a mass campus shooting is eminent, no matter how
much a stretch it is.  No one wants to be the one who didn't connect the
dots, after all.

That's about a quick brain dump.

EQ should have an article on this next time out from me and my RA.


On Tue, Apr 15, 2008 at 4:09 PM, HALL, NATHANIEL D. <halln () otc edu>
wrote:


        Mike Iglesias wrote:
        > John C. A. Bambenek, GCIH, CISSP wrote:
        > > *sigh*
        > >
        > > These systems are really a very very bad idea.
        >
        > I won't argue with you on that point.
        
        
        Could you tell why you believe these systems area bad ideas?  I
am
        curious why you are against them.
        
        --
        Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
        Network Security System Administrator
        OTC Computer Networking
        (417) 447-7535