Gav's Blog

Broken cutters, broken saws, broken buckles, broken laws

Archive for January, 2009

iPhone App: Hurricane

with one comment

Since buying into the iPhone ‘cult’ back in July, I have been intrigued as to which applications will be released for it that have relevance to emergency managers. One I’ve just discovered (via TUAW – check out their pics of the app) is one called Hurricane. Whilst this was released last year, it has since been updated to incorporate new functionality.

The price is reasonable (USD$3.99) if you want quick access to storm information on your phone at all times. It sounds as though, when there are active storms, the app opens with a quick list of current storms to provide quick access to more information. Outside of that, it has a record of past storms, as well as quick access to a satellite view.

Sure, much of this information can easily be obtained for free, but the benefit of an application such as this is the wrapper that makes it fast and transparent to get the information you’re after. The only addition I can think of at a quick glance would be linking to the text watches and warnings from the NOAA Storm Prediction Centre.

It is going to be exciting to see what applications are released in the coming years that provide quick access to both remote and locally stored emergency management information!

Written by Gavin Treadgold

January 30th, 2009 at 9:13 pm

Whenuapai decision a win for emergency managers

without comments

In a decision that will probably frustrate some Aucklanders, it has been announced the Whenuapai Airport will remain in the hands of the NZ Defence Force. This is probably the best outcome, as it will ensure that the field remains as an emergency alternative airstrip in case anything happens to Auckland International in Manukau. Whilst Auckland probably doesn’t need a second commercial airport, you never know when you might need an alternate airstrip during an emergency.

Written by Gavin Treadgold

January 30th, 2009 at 8:42 pm

The Conficker worm and emergency management

with one comment

I’ve only recently started following the NZ Health WebEOC blog, but it is exciting to see this sort of information sharing taking place. Congratulations to Charles and the team for the work involved. I found in their feed today an article about the Ministry of Health suffering from the recent Conficker worm outbreak over the past few days. There is more info here from Computerworld.

First, what is Conficker? From Wikipedia:

Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then connects to a server, where it receives further orders to propagate, gather personal information, and downloads and installs additional malware onto the victim’s computer. The worm also attaches itself to certain critical Windows processes such as svchost.exe, explorer.exe and services.exe.

What is interesting is that the security hole that Conficker utilises to gain control of the Windows operating systems was plugged in a security patch released on 23 October 2008. That means in theory that all those systems that have been compromised in the past week were systems that had not had the patch applied that was released in late October. The security patch to protect against Conficker-like attacks for Windows 2000, Windows XP and Windows Server 2003 was marked as critical and should have been installed in a timely manner.

What are some lessons from an emergency management and business continuity perspective?

1. If you’re running Microsoft operating systems – you must keep them patched, and do it in a timely manner. Windows represents the largest near-homogeneous family of operating systems in the world. This makes it the primary target for the developers of botnets and malicious software. Whilst I recognise that it takes time to deploy patches in a large organisation such as the Ministry of Health – an organisation will always be at risk if it doesn’t install security updates in a timely manner. All Microsoft ‘Critical’ patches should be applied within weeks of release.

2. Where possible, organisations should attempt to diversify their installed base of operating systems. If you solely run Microsoft operating systems then a worm has the potential to take down an entire organisation. If you run a heterogeneous computing environment that has a variety of operating systems (e.g. Windows, Unix and OS X), then any outbreak of malicious software will only directly impact some of the systems. In our small business I support all three of these platforms. We have Windows and OS X clients, and servers on Linux, OS X Server and OS X Desktop, and this is one of the main reasons I refused to deploy solely Windows software for client and server when setting up our business. Reliance on a homogeneous computing environment decreases overall IT resiliency.

3. Emergency Management Information Systems (EMIS) should ideally be segregated from production systems. Malicious software doesn’t have to infect a system to have an impact on it. Even if the malicious software just consumes 100% of the network bandwidth, that will be enough to create a continuity issue by denying access to critical systems – such as servers. Therefore, EMIS should really be configured on a separate network so that even if the internal network bandwidth has been fully consumed, and access to the Internet severely restricted to limit the spread, critical systems can still be provided to the wider world. Network segmentation can be used to limit the impact upon critical systems. Direct access to the emergency network segment could be provided from network jacks in the EOC. Once again, these should be on an entirely independent network segment to ensure that emergency operations can continue during an outbreak of malicious software on the main LAN.

Finally, emergency managers should also make themselves aware of the Centre for Critical Infrastructure Protection (CCIP), and consider signing up for vulnerability alert emails. These are sent out for critical advisories associated with information security risks, and can be good prompts for getting in touch with IT, and making sure that your systems are patched and up-to-date.

Update 2009-01-27: I see that the Manager of the CCIP went public yesterday saying the CCIP advised MOH of the security patch in October. The real question is whether the Ministry has custom applications installed on all its systems (e.g. including clients), or if they are just talking about server applications. If most of the desktops are only running Office and a groupware application such as Outlook or Notes, then they should have been relatively easy to patch before December. It is well recognised that patching servers running legacy applications takes longer, because complications have to be tested for before the patches are deployed.

Written by Gavin Treadgold

January 21st, 2009 at 11:24 pm

Developing a personal backup strategy

with 4 comments

After hearing about one of our GPS Society members losing their data in a computer malfunction tonight, I’ve decided to sit down and flesh out some thoughts on developing a good backup strategy for your computer(s). This is one of those get a round ‘tuit posts that I’ve been meaning to do after seeing people caught by HD failures on the Digital Photography School forums.

The topic of developing a good backup strategy for your computer surely makes most people’s eyes glaze over. It is decidedly unsexy until such time as you need it. Of course, by then it is too late. I’m hoping to combine some of my IT, risk and emergency knowledge to provide some insight into developing a suitably robust backup strategy.

If the consequence is lost data, what are the risks?

When developing a backup strategy, it is important to have a good understanding of how data can be lost – the risks – so that we can create a simple yet comprehensive plan to backup our data that accommodates the many different ways data can disappear.

So, let’s pick a few. I’ve named them L1-L5 where ‘L’ is for loss.

  • L1 Loss of computer (e.g. theft, smoke or water damage; electrical surge from computer power supply)
  • L2 Filesystem accidents – formatting of filesystem, deletion of files, data corruption
  • L3 Malicious software – formatting, deletion, or encryption of files with an unknown key (e.g. encrypt and extort)
  • L4 Mechanical failure of the hard drive (the dreaded clunking sounds)
  • L5 Loss of home containing computer (e.g. fire, earthquake, flood, landslide)

Whilst not comprehensive, this includes a good range of different issues we may face where a backup would be very handy and save us a lot of time, and potentially money. If we can come up with something that protects us from these losses, we should be doing pretty well.

What we need to do now, is look at various means available to backup data, and then create a quick matrix comparing each type of backup, and which losses it may/may not protect us from.

Firstly, let’s identify a number of backup solutions.

  • S1 Backup to CD/DVD/HD and store on site
  • S2 Backup to external HD on site
  • S3 Backup to internal HD
  • S4 Backup to other computer at home
  • S5 Backup to Internet (service or web host)
  • S6 Backup to CD/DVD and store off site
  • S7 Backup to HD and store off site

Now, all these solutions are not equal. What we need to investigate now is which type of loss a given backup solution can protect against. I’ve created a sample table below to give you some idea of how it all comes together.

We start with a grid comparing types of loss and solutions. A green box means the solution generally prevents that type of loss, and red box that it generally doesn’t protect, and an orange one means that it may provide some protection.

Next, we compare solutions with various costs and constraints – in this grid green means it isn’t really a cost/constraint, red means it is a cost/constraint, and again, orange means it might be a cost/constraint.

In this example matrix, two points stand out.

  • backing up to an internal hard drive does not provide much protection against data loss
  • quite a few backup solutions do not protect against major losses such as the loss of a home from fire.

Additionally, every backup solution has a number of costs and/or constraints on its operation. The next step has been to add some cells that identify some of the more common costs and constraints associated with each solution.

What we can see is that there is no single perfect solution. We could extend this further and add a grid outlining some of the benefits of each backup solution – they all have some – and this would also further educate us in the development of our backup strategy.

Now, we’ll use this grid to look at selecting a couple of complementary backup solutions that cover each other’s weaknesses.

Personally, I’m a fan of backing up my home computer using Time Machine on a Mac to an external USB hard drive (effectively S2). As you can see from the matrix, this protects me against most of the common losses, except the rather catastrophic loss-of-home. Clearly then, I can select an Internet or off-site solution as well that will provide me with more complete data protection than just backing up to an external hard drive.

Quite a few people will look at the Internet backup option (S5) and think that it looks pretty good, but be warned, there are some issues that you may face, including the speed of your internet connection when backing up files to remote servers, ongoing service fees, and potential privacy risks from storing your files on a business’s remote server.

I’d recommend selecting solutions so that you can meet the following four requirements.

  1. You should have at least three copies of your data (source + two backups).
  2. At least one backup must be reasonably current and disconnected from the computer most of the time (except when a backup is being made).
  3. At least one backup file must be offsite.
  4. At least one backup should be incremental.

Ian (in the GPS forums) made a good point about incorporating incremental backups into the process. Broadly speaking, there are two types of backups: full (where everything is copied at once) and incremental (where only the files that have changed since the last backup are copied). When doing incremental backups, the first backup is a full backup, and incremental backups take place from there on. Time Machine is a good example of incremental backup software – every hour it backs up any changed files.

As I’m not that keen personally on online backups, I’d recommend one of the following as the minimum. There is nothing wrong with making more copies on CD/DVD media to supplement the main backup solutions.

  • external hard drive onsite + DVD media offsite (affordable setup)
  • external hard drive onsite + external hard drive offsite (same sizes, switch them once a week or month, expensive setup)
  • synchronise files between two home computers on network + external hard drive offsite (utilise existing hardware and provide backups of both computers)
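To make the matrix reasoning concrete, here is an added Python example (my own, not code from the original post) that encodes the L1-L5 losses and S1-S7 solutions above as data and checks the three recommended combinations against the four requirements. The coverage ratings and solution attributes in it are my own constructed assessment, since the post’s colour matrix is an image and its cell values are not reproduced here.

```python
# Added example (not from the original post): the post's L1-L5 loss types and
# S1-S7 solutions as data, checked against its four requirements.  The ratings
# and attributes below are my own constructed assessment; the post's colour
# matrix is an image and its cell values are not reproduced here.

RANK = {"no": 0, "maybe": 1, "yes": 2}    # red / orange / green in the post
LOSSES = ["L1", "L2", "L3", "L4", "L5"]   # computer, filesystem, malware, drive, home

# disconnected = unplugged from the computer between backups (requirement 2);
# the "reasonably current" half of that requirement depends on your cadence.
SOLUTIONS = {
    "S1": dict(name="CD/DVD/HD stored on site", offsite=False, disconnected=True,
               incremental=False, cover=dict(L1="maybe", L2="yes", L3="yes", L4="yes", L5="no")),
    "S2": dict(name="External HD on site (e.g. Time Machine)", offsite=False, disconnected=False,
               incremental=True, cover=dict(L1="maybe", L2="yes", L3="maybe", L4="yes", L5="no")),
    "S3": dict(name="Internal HD", offsite=False, disconnected=False,
               incremental=True, cover=dict(L1="no", L2="maybe", L3="no", L4="no", L5="no")),
    "S4": dict(name="Other computer at home", offsite=False, disconnected=False,
               incremental=True, cover=dict(L1="yes", L2="yes", L3="maybe", L4="yes", L5="no")),
    "S5": dict(name="Internet service / web host", offsite=True, disconnected=False,
               incremental=True, cover=dict(L1="yes", L2="yes", L3="maybe", L4="yes", L5="yes")),
    "S6": dict(name="CD/DVD stored off site", offsite=True, disconnected=True,
               incremental=False, cover=dict(L1="yes", L2="yes", L3="yes", L4="yes", L5="yes")),
    "S7": dict(name="HD stored off site (rotated)", offsite=True, disconnected=True,
               incremental=True, cover=dict(L1="yes", L2="yes", L3="yes", L4="yes", L5="yes")),
}


def combined_coverage(plan):
    """Best rating per loss type across every solution in the plan."""
    return {loss: max((SOLUTIONS[s]["cover"][loss] for s in plan), key=RANK.get)
            for loss in LOSSES}


def check_requirements(plan):
    """The post's four requirements, each as a boolean."""
    sols = [SOLUTIONS[s] for s in plan]
    return {
        "three_copies": 1 + len(plan) >= 3,     # source + two backups
        "disconnected": any(s["disconnected"] for s in sols),
        "offsite": any(s["offsite"] for s in sols),
        "incremental": any(s["incremental"] for s in sols),
    }


def weak_spots(plan):
    """Loss types the plan does not fully protect against (orange or red)."""
    return [loss for loss, r in combined_coverage(plan).items() if r != "yes"]


def plan_is_sound(plan):
    return all(check_requirements(plan).values()) and not weak_spots(plan)


def sound_pairs():
    """Every two-solution plan meeting all four requirements with no weak spot."""
    ids = sorted(SOLUTIONS)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:] if plan_is_sound((a, b))]


if __name__ == "__main__":
    for plan in (("S2",), ("S3",), ("S2", "S6"), ("S2", "S7"), ("S4", "S7")):
        print(plan, check_requirements(plan), "weak spots:", weak_spots(plan))
    print("sound pairs:", sound_pairs())
```

Change a rating or attribute in SOLUTIONS to match your own circumstances and re-run; the point is the method, not my ratings.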

There are three other tips to provide as well:

  • If you use backup software, keep a copy of the install media (and licence key if appropriate) with the backups
  • If you need quick access to data upon failure, make sure that at least one of your backups uses a very accessible filesystem on external hard drives (CD/DVDs are good as they generally use filesystems that are accessible in any computer). This means you can literally plug them in and access key files without having to perform a software installation and full restore
  • AND TEST THAT YOU CAN ACCESS BACKED-UP DATA and/or RESTORE FROM BACKUPS
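As an added example (not from the original post) covering both the incremental-backup explanation above and the ‘test that you can restore’ tip, here is a small standard-library Python script: each run writes a numbered snapshot holding only the files that changed, a manifest records which snapshot has each file’s current bytes (the idea Time Machine implements with hard links), and a verify step reads every backed-up copy back and compares it with the source. The snapshot layout and the sample files are my own construction.

```python
# Added example (not from the original post): full-then-incremental backup with
# a read-back check.  Snapshot layout and sample data are my own construction.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(dest):
    mpath = Path(dest) / "manifest.json"
    if mpath.exists():
        return json.loads(mpath.read_text())
    return {"snapshots": 0, "files": {}}   # no backup yet: next run is a full backup


def stored_path(dest, rel, entry):
    return Path(dest) / f"snapshot-{entry['snapshot']:04d}" / rel


def backup(src, dest):
    """Copy changed files into a new snapshot; return how many were copied."""
    src, dest = Path(src), Path(dest)
    manifest = load_manifest(dest)
    snap = manifest["snapshots"] + 1
    files, copied = {}, 0
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        digest = file_digest(path)
        old = manifest["files"].get(rel)
        if old and old["sha256"] == digest:
            files[rel] = old   # unchanged: keep pointing at the older snapshot
            continue
        entry = {"sha256": digest, "snapshot": snap}
        target = stored_path(dest, rel, entry)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        files[rel] = entry
        copied += 1
    # Files deleted from src drop out of the manifest; older snapshots still hold them.
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps({"snapshots": snap, "files": files}))
    return copied


def restore(dest, out):
    """Rebuild the latest state into `out`; return the number of files restored."""
    manifest = load_manifest(dest)
    for rel, entry in manifest["files"].items():
        target = Path(out) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(stored_path(dest, rel, entry), target)
    return len(manifest["files"])


def verify(src, dest):
    """Return relative paths whose backed-up bytes are missing or differ from src."""
    src, manifest, bad = Path(src), load_manifest(dest), []
    for path in src.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(src).as_posix()
        entry = manifest["files"].get(rel)
        stored = stored_path(dest, rel, entry) if entry else None
        if stored is None or not stored.exists() or file_digest(stored) != file_digest(path):
            bad.append(rel)
    return sorted(bad)


def run_demo():
    """Constructed sample: full backup, edit, incremental backup, restore, verify,
    then corrupt one stored copy so verify has something to catch."""
    root = Path(tempfile.mkdtemp())
    src, dest = root / "src", root / "backup"
    (src / "photos").mkdir(parents=True)
    (src / "photos" / "a.jpg").write_bytes(b"\xff\xd8 constructed photo bytes")
    (src / "notes.txt").write_text("first draft\n")
    first = backup(src, dest)                        # full backup: 2 files copied
    (src / "notes.txt").write_text("second draft\n")
    second = backup(src, dest)                       # incremental: only notes.txt
    restore(dest, root / "restored")
    clean = verify(src, dest)                        # [] when every copy reads back
    (dest / "snapshot-0001" / "photos" / "a.jpg").write_bytes(b"bit rot")
    damaged = verify(src, dest)                      # ["photos/a.jpg"]
    text = (root / "restored" / "notes.txt").read_text()
    shutil.rmtree(root)
    return first, second, clean, damaged, text
```

Call `run_demo()` to see the whole cycle on the constructed sample; on real data, point `backup(src, dest)` at your own folders and run `verify` after every backup.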

Finally, as you should have a GetAway Kit for natural disasters and the like, in addition to your other important paper information such as identification, policies and photos – you should also include a backup of your data in the kit. If you haven’t got a GetAway Kit, then now is a good time to learn about how to get ready! :)

Written by Gavin Treadgold

January 16th, 2009 at 10:03 pm

Twitter for emergency management

without comments

I’ve been involved in some discussions in the past few days about the use of Twitter for emergency management purposes. It’s something I’ll write about in more detail and rigour in the next wee while, but I just want to get a few links to articles out there in the meantime.

This GovTech article spawned the discussion on the IAEM email list. Twitter is certainly not a robust notification system, but it is a social messaging system that does have its place – particularly for interacting with the public.

Concerns were raised about how Twitter usernames could masquerade as official agencies, and other issues around the authority of information provided on Twitter.

In reply on the list, I made the following brief comments that may help an agency adopt and utilise a social network such as Twitter and mitigate some of the issues.

Hi Eric,

Some valid concerns about the risks, but there are always means of mitigating them.

1. Re: Globalisation – one of the biggest issues you missed is that of privacy and the protection of private information submitted and stored in these systems. Ironically, the United States is one of the few civilised countries that doesn’t provide wide-ranging privacy protections when compared to European countries and the likes of New Zealand that have very strong privacy legislation. The way information submitted to social networking sites is handled varies significantly depending on the jurisdiction it is hosted in. As many sites are hosted in the United States, it would indeed be good to see the United States implement stronger legislation protecting personal information (e.g. to the level provided in Europe and New Zealand, not sure on Canada, and I think Australia might fall somewhere between US and NZ).

2. As per any form of public alerting/notification, it is important to teach the receiver that they should attempt to cross-check, verify, and go hunting for more information. One technique that was mentioned in the Govtech article linked earlier in this thread was using TinyURL to embed links to official websites to provide corroboration of information, or more detailed information than can be wedged into the 140 characters provided by Twitter. Likewise, agencies should put pages up on their websites that act as a means to identify their official Facebook page, official Twitter username etc. Not only can they point out their official Twitter username for example, but they could also identify usernames that may be masquerading as that organisation. You could use the Twitter > Profile > More Info URL to link back to this page on a web site that the agency controls. It is still not perfect, but it would provide a far more robust approach for providing evidence that a given Twitter username does represent an official person/agency.

3. Official and unofficial directories of usernames can be provided, e.g. <http://govtwit.com/>. These can be constructed and the people/organisations using them can contact the organisations to verify that they do indeed manage that username. This, again, allows for a far more trustworthy list of official representatives to be constructed. A state EM organisation for example could maintain a web page on their official website that lists all the official EM and related agencies’ Twitter usernames in that state. As long as you have a trusted representative constructing the directory, there is less concern about those usernames in the directory as they will perform the authentication for you. E.g. IAEM may elect to build a register and maintain it on our website.

4. If an agency finds someone masquerading as their organisation, they can always approach say Twitter, highlight the problem username and ask that they do something about it. Twitter is a private company in San Francisco. E.g. if the unofficial usdhs Twitter username started spreading false information during an emergency, I’m sure a call from DHS to Twitter in San Francisco would fix that fairly quickly.

The whole idea of social networks is that you build your own network of trust. This means that there is some work associated with constructing it, but there are a number of means to build this web of trust – some of which I’ve mentioned above. Link with other official agencies, link to it from your official websites that you control. Fake usernames will not be able to compete with this and will quickly be identified as fakes as they will not be able to build up a web-of-trust.

And yes, social networks are not for secure communication. They are to get information out and widely disseminated as quickly as possible.

One reason sites like Twitter have become so popular with the public is because they can get information quicker than we, as emergency managers, are able to otherwise provide it. That sends a pretty strong message that we need to do better in terms of getting information out to the public.

Cheers Gavin

I’ll try and expand on this in the not-too-distant future – I might end up writing an article for the IAEM Bulletin. As an aside, a related topic is how to use tags to identify emergency management related posts on a social network site such as Twitter. I’ve passed this on to the EIIF W3C Incubator Group I’m involved with as I believe that any tagging structure needs to be compatible with other standards used for emergencies and disasters. This way software could watch out for certain tags, pick them up and feed them into a disaster management system such as Sahana.

Once again the key point is trying to create an integrated approach to an emergency management information system (EMIS) – the software is only half the deal, the other half is the suite of information standards to communicate with other systems. Any tags designed for Twitter must be designed in a way that an EMIS can search, gather and try to understand them.

Written by Gavin Treadgold

January 16th, 2009 at 12:42 am

“Ethically Flawed.” Yes, indeed.

without comments

What else can one say? The law is broken and 92a should be immediately repealed.

Copyright Law “Ethically Flawed”, says NZCS

PRESS RELEASE – NZ Computer Society Inc. (NZCS)
15 January 2009
For Immediate Release

The New Zealand Computer Society (NZCS) today labeled Section 92a of the new Copyright Amendment (New Technologies) Act 2008 “Illogical” and potentially “Ethically Flawed”.

The criticism comes after the NZCS Chief Executive wrote to ICT Minister Steven Joyce last week asking him to intervene to prevent the changes coming into force in February.

Section 92a, championed by previous Associate Arts Minister Hon Judith Tizard, states that Internet Service Providers must look to disconnecting the Internet service of those that have been repeatedly accused of accessing copyrighted material online.

Almost every technology commentator in the country has spoken out against the changes as well as every significant ICT representative organisation in New Zealand, including the NZ Computer Society (NZCS), InternetNZ, Telecommunications Users Association of NZ (TUANZ), the ISP Association of NZ, Telecommunications Carriers Forum, Women in Technology, the NZ Open Source Society, and many others.

The new law has also prompted the creation of the Creative Freedom Foundation, a group of creative artists strongly opposing the changes and furious that the changes are being justified in their name.

“NZCS strongly believes in the concept of Copyright, and ensuring artists have access to adequate protection”, Matthews said today. “However this law is a giant step too far and badly upsets the balance between protecting copyright holders’ rights, and the rights of computer and Internet users in New Zealand”, he said.

“Placing ISPs in the position where they have to act on accusation alone, without proper judicial process, places them in an impossible situation where they are expected to take an unethical stance and action by potentially denying an essential service from kiwi families and businesses, based on the accusation of a third party”, Matthews said.

“So either they risk breaching ethical standards of behaviour, or risk breaching the law”.

“Guilt by accusation is not acceptable in any other area of law, not appropriate in New Zealand, and should be rejected in the same way it has been in many other countries where similar laws have been proposed, especially when it places law-abiding companies such as ISPs in this impossible situation”, Matthews said.

“This could potentially affect families, businesses, schools and libraries”, Matthews said, who likened the Act to threatening to cut the electricity off from a library if someone photocopied too many pages of a book. “Internet access is a basic necessity in today’s digital age and this law interferes with that”, he said.

“There’s very good reason why, almost without fail, every commentator and ICT representative who understands the potential consequences of this law has spoken out against it”, Matthews said. “We ask that the new Government hears the voice of the ICT community and acts to ensure the rights of computer and Internet users aren’t severely eroded over what is regarded as a civil matter”, he concluded.

ENDS

Update/20090116: And now the New Zealand Library and Information Association of New Zealand has chimed in on the matter too. Interesting to note the risks to libraries – they could potentially lose their Internet connection. Via McGOVERN ONLINE.

Written by Gavin Treadgold

January 15th, 2009 at 11:58 pm

Posted in Information Technology


Updated blogroll

without comments

After not using the blogroll for a while, I came across some new NZ EM blogs last night, and decided to reactivate the blogroll and add them to it. You’ll find it on the right hand side. The new blogs are the Manawatu-Wanganui CDEM Group Blog, NZ Health WebEOC and Porirua EMO.

Written by Gavin Treadgold

January 15th, 2009 at 9:53 pm

Posted in Emergency Management


Misleading clients: webjet.co.nz

with one comment

Just want to highlight to fellow Kiwis to avoid webjet.co.nz for booking cheap flights.

A friend and I got caught out by WebJet.co.nz today when attempting to book a cheap flight from Christchurch to Auckland. The prices they list are in Australian dollars, and even if you’re a Kiwi, they charge Australian GST on it as well (even though they are charging someone outside of Australia). We didn’t expect to see AUD prices on a .co.nz website, and didn’t pick this up until after receiving the email confirmation. We have since cancelled the flight, accepted the loss of the ~AUD$12.50 booking fee (non-refundable) and rebooked on an airline’s official website. They also would have charged an AUD$5 per seat booking fee once the fine print was read. Since it was an international credit card transaction, you’d have also incurred extra bank charges.

My advice – don’t be lazy, have two/three airline websites (e.g. Air NZ, Qantas and Virgin) in your bookmarks and do a quick search on each to find the best flight, and book directly through them – it doesn’t take long, and this is what I do for my work flights to find the cheapest ones. Don’t use third parties for flight bookings.

Oh yeah, and the rebooked flights directly through an airline, even with the AUD$12.50 fee are still cheaper…

Update 2009-01-26: Last week I received a call back from The Consumer, and they recommended that I contact the Commerce Commission as they felt that WebJet’s practices were misleading under the Fair Trading Act and that they should be considered by the regulator.

Screen Capture of WebJet’s New Zealand home page (taken @ 2009-01-26 12:21)

The key issue here is that a New Zealand website (webjet.co.nz) is listing their prices in Australian Dollars, and this is only highlighted in small text at the bottom of the table. For a New Zealand website to properly represent the prices with no ISO currency code, the prices should be listed in New Zealand Dollars. If they want to list them as Australian Dollars, then all the prices should be preceded by the Australian ISO currency code e.g. AUD$199.

The fine print that is easily overlooked (taken @ 2009-01-26 12:23)

In addition, I am also concerned that WebJet may be falsely claiming GST on an international transaction. As I am not resident in Australia at the time of the transaction, and the fact that the prices are listed in AUD, I assume they are charging me Australian GST – which I may not be liable for as I’m resident in New Zealand at the time of the transaction.

Update 2009-01-26: I have just filed a complaint with the Commerce Commission.

Details of Complaint (so that we can assess the situation quickly):
The name of the trader (the business or the individual) that you are complaining about.

WebJet New Zealand aka http://webjet.co.nz

The address of the trader and contact details if known.
Not known. It appears that they have a virtual presence only in New Zealand.

Full details of the complaint you wish to make in chronological order; this should include all contact you have had with the trader and any explanation that that trader has given you.
On January 14 a friend and I booked a return flight within New Zealand using WebJet.co.nz for a return flight from Christchurch to Auckland. This was a trip for non-business reasons – a friend’s wedding in Hamilton. It wasn’t noted at the time, due to the website being New Zealand in origin (e.g. .co.nz), that the listed prices were in fact Australian. This only became apparent at such time as the email receipt was received. At this point we went about cancelling the booking, and over the next few hours were able to cancel the booking except for an AUD$12.50 ‘non-refundable’ booking fee. At the same time we returned to the website and discovered the fine print.

We cancelled the booking because of the misleading practice and because we knew that we should be able to purchase the seats far more cheaply direct from the airline. We originally went ahead with the transaction as we were unaware that it was in Australian Dollars.

What you think are the misleading or false representations that are the basis of your complaint.
1. That prices on a website with a New Zealand domain name (.nz) should be assumed to be in New Zealand dollars if no ISO currency code is prefixed to the dollar amount. It is misleading to provide an NZ website (webjet.co.nz) that contains prices in Australian dollars and only list this in the small print. They should either be New Zealand dollars, or all prices should explicitly have the currency code e.g. AUD$199.

2. That webjet.co.nz is claiming Australian GST for a transaction whilst I am based in New Zealand. My understanding of Goods and Services Taxes is that they do not apply to international transactions, e.g. if I am based in New Zealand and the company is based in Australia. I believe that WebJet should not be charging Australian GST to customers that place their orders whilst they are in New Zealand. Alternatively, if they are registered for GST in New Zealand, I couldn’t find the New Zealand GST number on the invoice received from WebJet. Either way, some clarification around WebJet’s handling of GST is required. Note that in the attached email confirmation and invoice, there are two GST line items listed – one for $38.40 and one for $2.79 (the currency and jurisdiction for these GSTs are not clearly outlined). I assume because the invoice has an ABN number that we are talking about Australian GST.

What else would be helpful for you to supply:
* Copies of any relevant advertising.
* Photos of misleading signs involved in your complaint.
* Copies of any notes you may have made concerning your contact with the trader.
* Copies of any correspondence between yourself and the trader concerning the matter of complaint.
* Any other information or documents that you feel could assist the Commission in assessing this complaint.

Attachments.
a. Webjet Booking Confirmation and Tax Invoice ABN 84 063 430 848 (pdf) – copy of email confirmation and tax invoice from WebJet
b. – my blog where I am documenting this online
c. Two screen images taken today from webjet.co.nz indicating the issues that still exist – e.g. the misleading pricing

I have no problems with Australian dollars if on an Australian website (.au). However listing Australian prices on a New Zealand website (.nz) is simply misleading advertising and is a practice that the Commerce Commission needs to come down on hard.

Update 2009-01-26 1329: Commerce Commission has received the complaint. Now to sit and wait a couple of months.

Update 2009-02-27 1202: I’ve just got off a 15 minute call with someone from Fair Trading, and I’ve just had the opportunity to clarify my complaint over the phone. They are now going to contact WebJet, and will keep me informed of the investigation.

Update 2009-05-01: I forgot to mention that quite a while ago, I think it was March, I got a call back from ComCom, and whilst they weren’t going to take formal action, they were sending a ‘letter’ asking WebJet to change some of their practices. I recall this was going to be a clarification around pricing, as well as better identification of GST.

Written by Gavin Treadgold

January 14th, 2009 at 2:28 pm