We had a good, lively session, with a quick run-through of the various tools in Three Rings’ Admin tab, and spoke to several volunteers interested in joining the Three Rings team, either to help with testing, technical support and possibly even system development (and if you didn’t manage to catch us after the talk, feel free to contact us so you can volunteer too!).

Possibly the best part of the session, though, came when a volunteer from Lancaster Nightline discovered the job of Rota Manager was going to be much easier than previously thought, thanks to our Suggest Somebody feature, which can apply the Autopopulator system to a single shift, and rank each available volunteer according to how good a match they are. You could almost feel the Rota Manager’s worries about losing all their free time to the traditional gap-filling ring-round melt away, and they took the time to catch us on their way out of the session:

‘That has literally made my day!‘ they said ‘Thanks to Three Rings, I might actually pass my exams!’

It’s great to be making a difference!

One of the ways we’d like to celebrate is to take the time to explore some of our history now and then (just to stop the blog from being solely technical!).

As we’ve said before, Aberystwyth Nightline were the first people to get access to Three Rings, which was introduced by their then Co-Ordinator, Liz. Today, Liz continues to use Three Rings as a Samaritans volunteer, and she was kind enough to tell us a bit about her experiences both back then and as a user today (as an individual, rather than as a representative of her branch).

This gives some idea of the chaos that existed before Three Rings was used for the rota (with apologies for the terrible quality image)

Liz writes:

The arrival of Three Rings had a hugely positive impact on how we worked at Nightline. Before Three Rings, we were completely dependant on a paper based rota in our private call centre office. The office, and therefore the rota, was only accessible if you were on duty or on campus and requested the key from a warden. The wardens were available before the shift to hand keys over, but were notoriously difficult to get hold of at other times.

The rota was difficult to manage and we were increasingly dependent on dedicated individuals to take shifts at the last minute. There were also a number of instances where we found ourselves chasing up those who had forgotten they were on shift.

Most members willing to help, got involved testing the system and trialling it before it was launched. With the wealth of individuals involved, there were a number of ideas to further develop the system tried out.

There have been many iterations and improvements on the original Three Rings system since those early days, but even then it was a godsend to us. It allowed us greater flexibility and control in both filling shifts and and ensuring a full rota.

I am now a Samaritan and although Three Rings has changed since those early days, I’m impressed every day by the dedication of developing a system which is tailored to the needs of individual organisations.

It is easy to underestimate how different each Samaritans and Nightline branch works and therefore the differences in their needs which the Three Rings team cater for. Everyone who has been involved down the years have volunteered their time, over and above the requirements of their day jobs, to develop something which is provided at cost to Samaritans and Nightline.

It is incredible that the project we were so excited about in 2002, which we hoped would improve the way we worked, has been so successful and that so many others have benefited from it.

Macclesfield Samaritans use Three Rings and it was only the other day that I saw an email floating about ‘yet again Three Rings saves the day.’ It made me smile.

I would like to say that I’m proud to have had a part in bringing Three Rings to where it is today, but I didn’t really play a role at all. I just rode along on the wave of eagerness and confidence that led to us welcoming the advent of a fantastically innovative solution to our rota needs.

Here at Three Rings, February is about the time for our Annual General Meeting – necessary, but rarely the most fun part of our volunteering work.

So this year we thought we’d combine the two events, and made the business of our AGM a little nicer by holding it over a quiet pint in our local pub!

Paul, Dan, Ruth & JTA at the AGM

Of course, Feel Good Friday is all about supporting the excellent work Samaritans around the UK do to help those in distress or dispair, so we’ll be sending our own small contribution too. It’s nothing too grand, because much of our budget this year is devoted to making our 10th Anniversary Discount possible, but hopefully enough to be of some help in supporting Samaritans.

Because doing that makes us feel good, too!

A view of Leicester branch, painted by local artist Sue. Used with permission.

The 100th branch is Leicester, who run a managed rota and have been using a DOS-based program to automatically assign shifts for the last 20 years, showing a serious dedication to making life easier on their rota secretaries! Thanks to the Autopopulator functionality we introduced in Milestone Iridium, Leicester are now trialling Three Rings against an updated version of their DOS program to see which one best matches their needs.

While they’re making their choice, Leicester are making use of our standard one calendar month free trial to see how well Three Rings suits them without any obligation until the 1st of March. That’s fine by us – while we love it when the organisations come to us are already sure Three Rings is the right choice for them, it’s equally wonderful to see a branch taking the time to experiment and make absolutely certain that they’re getting the system that best suits their style.

We’ve only been offering Three Rings to Samaritans since 2008, and we’d like to think that reaching the milestone of supporting 50% of branches in so little time is speaks for the quality of our features itself, but no matter what organisation you’re from, if you’re not sure Three Rings is right for you, you can always follow Leicester Samaritans’ example and use both the standard free trial and our special Anniversary Discount to find out!

We encourage our users to get in touch to suggest new features for future versions of the system, but sometimes branches just have great ideas of their own!

Each Samaritans branch in the UK gets a Branch Visit every few years, where two Samaritans from a different part of the country visit the branch. Partly this is to help ensure Samaritans offers a unified service (so if a caller rings Telford one night, and Preston the next, they’ll be listened to just as carefully as if they’d called London), but it’s also a chance for branches to demonstrate what they’re doing well, and what ideas they’ve had that other branches might be able to benefit from.

Normally that’s an internal process, but we were recently contacted by Jayne from Warrington, Halton & St. Helens branch, who found she was able to use Three Rings to make their branch visit a lot easier:

We find the filestore an incredibly useful feature of 3Rings. We upload Committee minutes, OGT material, branch bulletins, meeting powerpoints etc so that everyone can have access to them where ever they are. As a Caretaker Director, living an hour away from the branch, this is particularly helpful for me.

However, when preparing for our Branch Visit and gathering all the paperwork to be sent to the Visitors, 3Rings really came into its own!

We created temporary accounts for both of our Visitors, with permission to ‘view’, so they could then log in to look at all the documents in the filestore, see our rota, our directory of volunteers and all the news and updates from the overview page. They were able to get a really good feel for the work of the branch and I didn’t have to send out a single piece of paperwork, which saved a huge amount of work. It couldn’t have been easier for us or for our Visitors.

Not one of us here at Three Rings had thought of using the system that way, but we think it’s brilliant: Branch Visits can mean a Director has even more on their plate, and to use Three Rings to make the visit easier on both the visitors and the branch is such a great idea we couldn’t help but share!

Thanks to Jayne for letting us know – and if any one else has found a clever way of using Three Rings that other people might not have thought of, we’d love to hear from you!

Up to now, you’ve been able to follow blog posts either by checking in now and then, or by using our RSS feed ( either with a RSS reader built into your web browser, or a free online RSS reader like Bloglines or Google Reader).

However, RSS can be daunting for some people and, if you’re not regularly following other RSS feeds, asking you to start just so we can talk to you seems a bit pushy! Instead, we’ve launched an account on Twitter, @3RingsLtd, which we’ll update each time we make a post here on the blog.

So if you’re on Twitter, and want to get links to new blog posts without using RSS, follow us here!

Three Rings’ documentation website was exposed to a malware attack over the New Year period. Thanks to the high level of security countermeasures we have in place data on the live site remained entirely secure during the attack, however some users attempting to access Three Rings by running a Google search for the specific term ’3r.org.uk’ may have been exposed to malware going by the name ‘Windows Vista 2012 Security’, or similar variations.

Once installed on a computer the malware creates fake warnings about viruses it claims are on the user’s computer, and asks them to pay for the ‘full’ version of the tool. Users should not pay for this, since there are no viruses, and paying will simply cause the program to cease faking warnings once it has their money.

Any users that are concerned are advised to run an antivirus check. While Three Rings does not specifically endorse any one antivirus or security system, users who do not already have antivirus software installed can find free versions of both AVG Antivirus and Microsoft Security Essentials which should work perfectly well.

That’s the key information. However, in line with our commitment to open and transparent operation, we’re also providing you with the details of this attack, so that you can see exactly what happened, who may have been affected, and what we’ve learned and are doing about the incident:

What happened:

The Three Rings system runs on its own dedicated server, at 3r.org.uk. Other websites are also hosted on that server, including the ‘corporate’ site – www.threerings.org.uk – and the Documentation site, docs.3r.org.uk. You may notice that the web address for the Documentation site is almost the same as the address for the live site – it’s just got ‘docs.’ written in front of it. This is technically known as a ‘subdomain,’ because it is part of the larger ’3r.org.uk’ website.

TinyMCE version 2.1.2 is an off-the-shelf application that was used in one of the other websites hosted on the Three Rings server (and was nothing to do with the ‘live’ site that hosts our clients’ data). A vulnerability in TinyMCE came under attack from a ‘botnet,’ an automated network of computers based in Russia.

This was not a targeted attack on Three Rings: the botnet was trying random addresses, in a bid to make money from malware victims, and – like any Internet server could be – the Three Rings’ server simply got caught in the line of fire.  Using the many computers under its control to ‘brute force’ the password on that application, the Botnet kept guessing passwords repeatedly until one worked. This took place over the course of three days, but was not detected because the botnet used it’s network distribution to switch IP address every three attempts, and thus evade our countermeasures designed to detect multiple password attempts from one location.

Having cracked the password, the botnet was able to exploit the vulnerability in the TinyMCE application to upload malicious code to the Three Rings server. Thanks to our particularly hardened security policies, the live site 3r.org.uk was protected from this code, and no direct damage to any data stored on Three Rings took place. However, the malicious code did allow the botnet to ‘poison’ (ie, corrupt) the .htaccess file in the Documentation website.

What it did:

The effect of this poisoned file on the Documentations page meant that users in a specific set of circumstances could be exposed to the ‘Windows Vista 2012 Security’ malware. This affected those users who:

1. Were running Microsoft Windows, and
2. Using vulnerable versions of Internet Explorer as their web browser, and
3. Ran a Google search for ’3r.org.uk’ rather than accessing the site directly.

The live website, 3r.org.uk, uses what is known as a Robots file to prevent search engines from showing it in their search results. However, because of a quirk in the way Google treats subdomains, searches for 3r.org.uk incorrectly generated links to the documentation site, at docs.3r.org.uk.

Because the .htaccess file at docs.3r.org.uk had been corrupted by the botnet’s malicious code, users who googled ’3r.org.uk’ while using Internet Explorer and running Microsoft Windows and subsequently clicked on the link to the Documentation website provided in the Google search results will instead have been forcibly redirected to a site called ‘Spacer Float’. That website then took advantage of a known vulnerability existing in some versions of Microsoft Internet Explorer to install the ‘Vista Security 2012′ malware onto their computer.

How we’re responding:

We’re fairly confident that the impact of this attack will have been minimal: the crucial data on the Three Rings live site was protected thanks to our robust countermeasures, which kept the data secure even after the botnet managed to add one file to the server, and the set of circumstances required for the malware to infect a user’s computer are very specific, and likely to be comparatively uncommon. However, there’s still a lot we’ve been able to learn, and steps we’ll be taking to prevent this sort of problem from happening again:

• Countermeasures on the Three Rings server designed to detect attempts to brute-force passwords were thwarted by the sheer scale of the botnet: it looked like lots of different users were accessing the server, not like a single controlling network was mounting an attack from multiple computers. We’re currently investigating ways we can better-detect this sort of attack without erroneously blocking genuine users who are accessing the system from different computers.
• Some of our users are evidently more comfortable accessing Three Rings through Google and other search engines, rather than using a Favourites or Bookmark link, or typing 3r.org.uk into their browser’s address bar. Because this led to their searches returning links to the Documentation site (and thus to forced redirects due to the corrupt file), we’re looking into ways we can generate more relevant search results for such users, to ensure they find results better matching the pages they’re actually looking for.
• The compartmentalised nature of the Three Rings server helped to keep the live site, and all its data, safe throughout this attack. We’re now in the process of adding further safeguards to the system, isolating the separate websites into distinct user groups. This alone would have foiled the botnet attack, limiting it’s capacity for damage to the TinyMCE program alone and protecting the Documentation website from damage. Implementing this now will ensure no further attacks of this nature are effective.

What users can do:

Just because we’ve stopped this attack from damaging Three Rings doesn’t mean other websites will have been so careful! However, there are a few things users can do to limit their exposure to both Vista Security 2012 and other malware when using the Internet:

• Use a virus scanner. If you’re not using one already, it’s worth the investment – especially with effective free solutions such as Avast, AVG, and Microsoft Security Essentials joining the ranks of commercial products like McAfee, Norton, and others: as long as you’ve got up-to-date antivirus software, you should be warned of any malware threats before they can do any damage.
• Keep both your operating system and your web browser up to date. Automatic updates and new versions will help to prevent malware from exploiting loopholes or bugs in your software: install new updates as they become available, rather than ignoring them or waiting until the last minute.
• Where possible, consider increasing your system security by using a more-secure web browser. All web browsers can be vulnerable, and the more out of date a browser is, the greater the risk. This can be particularly true of older versions of Microsoft Internet Explorer. For more information about getting the best and most-secure browser for your computer, see BrowserHappy.com.
• Always try to enter the web address yourself, if you know it. You can use a search engine to find the page for you, but this can be more risky: hackers may attempt to poison search results or will buy fake advertisements on search engines in order to try to lure you into clicking on the wrong thing. If you’re at a computer you use regularly, you can add bookmarks/favourites for your most-visited sites, so you never even have to search for them, and won’t need to keep typing the address each time.
• If you have been seeing warnings for Windows Vista 2012 Security, you can get instructions on how to remove it from your computer from SpywareRemove or from BleepingComputer.

Finally, just in case you’re not sure, here’s a screenshot taken by BleepingComputer that shows what Windows Vista 2012 Security looks like if it’s on your computer (remember – it’s malware, so these ‘Viruses’ aren’t on the computer shown, they’re just made up to scare you!):

This does look pretty convincing (apart from the spelling mistake!). Click for a larger view.

We’d like to apologise once again for any problems this has caused: while the key data on Three Rings was indeed kept secure by our various defence systems, it’s very unfortunate that this exploit was able to happen on our server. It’s precisely because this shouldn’t have happened that we’re taking the time to tell you how it did: so you can not only see the steps we’re taking to prevent such a problem repeating, but also be assured that – if there ever is a problem like this – we won’t try to hide it from you.

We tried to convey this with our Christmas card from last year, which showed a volunteer absorbed in a call even as Santa made his rounds, but this year we wanted to reflect the fact that there are people all around the world offering crucial support services, as well as having something that just looked a bit more fun!

So we got in touch with a fellow volunteer, who also happens to work as an artist, and gave her a few ideas about what we’d like to see. (If you like the final product, her name is Eleanor Reed, and she can be contacted by emailing  eleanorhr[at]gmail.com – just replace that “[at]” with the “@” symbol). Here’s a few photographs showing how the cards made it to your door!

Our artist gets to work:

Sketches based on early ideas (and tempered by the size of a Christmas card!)

Once the sketches were done, it was time to fill in the background colour using Photoshop:

Things are starting to take shape behind the glare of the monitor

Thanks to the number of organisations now using Three Rings, we needed to get quite a lot of cards printed out…

Signing and addressing all of these took a while!

We had Paul, the company secretary, get the cards in the post (although he didn’t actually do them one-at-a-time):

Paul's still holding that box full of cards. Apparently it was quite heavy!

All in all, it probably took more effort than last year’s card – although a lot of that work was Eleanor’s! – but we’re really pleased with the result. So we thought we’d share it here, too:

Notice the fundraising robins! (As with all the photos in this post, click to see it bigger)

So from all of us here at Three Rings, have a very Merry Christmas, and a Happy New Year!

Back in 2002, Three Rings was a tiny project intended to help the 10 or so volunteers that ran Aberystwyth Nightline. But word of mouth soon spread, and more and more Nightlines began to adopt Three Rings, and each new organisation wanted to tell other organisations about us…

The login page for Three Rings v0.721. Codenamed "Aloha", this was the first version to provide the Wiki feature.

…Now, ten years later, Three Rings supports over ten thousand users, at more than a hundred and twenty separate organisations, including Nightlines, Samaritans, and similar support networks around the UK and Ireland – and some even further afield.

Throughout that time, our aim has been the same: to streamline helpline administration so that volunteers can devote more time helping their callers, and less time to paperwork. We’ve aimed to provide the highest quality service, and the best, most flexible system we can make, at the lowest price we can afford so that every Three Rings client – from the largest Samaritans branch to the smallest Nightline – gets the best deal available, and can save more resources to devote to things like training and publicity.

We’ve always been open about our pricing structure: individual Samaritans branches pay £150 a year, with no extra set-up charges or support fees, and Samaritans regions get a discount rate of just £120 per branch and access to our powerful suite of Regional Tools to support collaboration between neighbouring branches. Meanwhile, we support the Nightline Association by providing Three Rings free to affiliated Nightlines, and for £40 a year to non-affiliated Nightlines.

We’ve been able to keep these charges low thanks to our own dedicated team of unpaid volunteers – including our grassroots champions and advocates amongst our users – and through the use of the same free, trusted technologies used by Internet giants such as Amazon and Google. Right from the start, we worked to ensure a scalable architecture and a strategic business model that meant Three Rings would become increasingly sustainable as its popularity grew, rather than risking the company overreaching itself with rapid expansion.

With our scalable business model, and over 120 organisations using Three Rings, we're able to continue to improve the system and still reward your faith in us so far.

Thanks to that scalable structure, each new organisation we bring on board helps to sustain and improve Three Rings for all the others and, as we enter our 10th year, we think it’s time we gave something back. We’ve been planning to do this for a while, and it’s the best way we can thank you for helping us to help everyone:

To celebrate our 10th Birthday, and to reflect our support for the Nightlines that helped inspire and improve early versions of Three Rings, every invoice we issue during 2012 will be for the ‘unaffiliated Nightline’ rate of just £40 per organisation. That means our standard rate for Samaritans Branches, for non-affiliated Nightlines, and for any other comparable organisation, will be just £40 for the whole of 2012 (unless you’re a Nightline affiliated with the Nightline Association, in which case we still won’t charge you anything!).

If you already use Three Rings, you’ll be invoiced on your usual date. Every organisation will be issued an invoice for just £40, as if they were an unaffilitated Nightline, even if they’d normally pay £150. Samaritans Regions will be invoiced at £40 per branch, instead of the usual discount of £120 per branch. And, if you’re an organisation that decides to start using Three Rings in 2012, you’ll still get our standard full calendar month trial, and an invoice for £40 if you’d like to keep using the system after that.

An early version of Three Rings being presented at a Nightline conference in 2003

A decade ago, we never dreamed this project could get so popular with Nightlines, let alone with organisations like Samaritans, but our aims haven’t changed: we still want to make it easier for you to get volunteers on shifts. It’s thanks to the support of our existing clients that we’re doing so well in achieving that goal, and it’s thanks to our future clients that we’ll be able to build on our successes in the future.

So this is our way of saying thanks, not just to the Nightlines that nurtured us in the past, but to the Samaritans that continue to suggest enhancements today, and to the organisations curious about what we can do for them over the coming months. It’s a thank-you not just for the support you’ve given to us, but for the assistance you’ve given your fellow Three Rings users, and the vital support you continue to give your callers. Enjoy this year’s celebratory discount, and have some cake on us!

Everyone here at Three Rings HQ would like to offer our sincerest thanks to everyone on the testing team; the people who volunteered to explore the new system ahead of everyone else and give us their thoughts on the new features. Thanks to their efforts – whether they found a range of problems, or just wrote to say they’d looked around and found everything worked the way it should do – every user of Three Rings can be assured of a smoother experience, and improved features, confident in the knowledge that they aren’t walking into uncharted territory. It makes a massive difference to see how our testers would use the system ‘in the wild,’ and Three Rings wouldn’t be the excellent system it is today without their time and dedication.

We’d also like to thank everyone who was able to join us in our IRC chatroom for the online launch party: it was wonderful to see members of different branches and organisations chatting and networking with one another, on topics ranging from training exercises, though listening styles to the marketing reasons behind 3D cinema! Even if you only looked in for a couple of minutes, it was great for us to get a chance to chat with clients, and to see how many people stayed up to ‘see in the new Three Rings’!

Three Rings volunteers celebrating the completion of the Autopopulator, Milestone: Iridium's biggest new feature.

We’re done showing off new features until the next version, Milestone Jethrik, goes into beta testing (although we’ve not started feature planning yet, so if you’ve got a suggestion for a feature you’d like to see, please get in touch!), but that doesn’t mean we’re done with updates to the blog: we’re hoping to make an exciting announcement towards the end of the week, so be sure to watch this space!