While travelling home from the excellent TM2 conference (thank you all that attended), I saw an article in USA Today indicating bad guys had unleashed a ransomware virus for windows based on some leaked NSA tools. It hit places in Europe first and then some in North America.

In the vein of better be safe than sorry, we always suggest that venues make an offsite backup of their database on a daily basis. It is better if this backup is:

• on a different network than the main database and/or
• on an external drive that is physically disconnected from the server after the backup is done and/or
• sent to an FTP site or machine external to the server and/or
• sent to some cloud backup

The important concept is that if you do get hit by ransomware or malicious software, then you have a backup that is ‘airgapped’ on another machine that is not connected to this machine. It is also why recommend that the database sever never be on a domain - making it harder for a virus to propagate from a download.

Today, we are suggesting that everybody make a backup onto another device, especially if you have windows servers — and make it standard practice going forward. Copying todays backup to a USB key today and removing it is probably a good first step.

 

If you want to read about the virus.

• http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/
• http://www.npr.org/sections/thetwo-way/2017/05/12/528119808/large-cyber-...
• https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-r...
• http://www.zerohedge.com/news/2017-05-12/massive-ransomware-attack-goes-...

There is some good news — apparently the makers of the virus software put a kill switch in it — and a particularly astute individual diagnosed this and helped mitigate the attack.

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds...

 

Those who are:

1. using linux or OSX database servers are not affected.
2. running their servers on our Cloud are not affected.
3. using our cloud backup storage for offsite backups - have an offsite backup from last night at minimum

Regardless, making a backup just in case and copying to another machine is wise.

We apologize in advance if this might sound urgent (it is) .. and, like any cold prevention - better to stop it before you catch it. if you have any questions or need assistance, please let us know on the support email.

Second National Theatre Manager User Conference

Save the Date for a Proctors/Arts Management Collaboration
REGISTER NOW for early bird pricing

Mon, May 8 - Thurs, May 11, 2017
at Proctors Theatre
Schenectady, New York.

Updated April 6, 2016

For venues using authorize.net, the issues authorizing cards was caused by authorize.net making production server changes and eliminating an important bit of deader information in the credit card authorization response send back to Theatre Manager. As noted in the developer comments for the day, they removed an important bit of information - the 'content-length' header which contains the size of the message being returned. This is a very important part of all https requests - and was restored towards the end of the day.

April 5, 2016

If you use authorize.net and Theatre Manager 10.05.xx, you may be running into issues authorizing and/or settling your credit card batches. Authorize.net indicated they would throw the switch to require TLS 1.2 sometime after they sent a warning letter to merchants in September 2015. In that letter, Authorize.net said they would follow the PCI council mandate for TLS 1.2 before June 2016.

Well, April 4th, 2016 is as good a day as any. We've had a few venues (using TM 10.05.xx) tell us that Authorize.net does not like the settlement message we've been sending for years while others (using 10.06.xx) are working fine. The conclusion is that authorize.net threw the switch to require TLS 1.2

First National Theatre Manager User Conference

Save the Date for a Proctors/Arts Management Collaboration

Mon, May 9 - Wed, May 11, 2016
at Proctors Theatre
Schenectady, New York.

 

An Invitation to Learning

Proctors, in association with Arts Management Systems, invites you to the First National Theatre Manager Conference.

For the past 5 years, Proctors and other presenting houses using Theatre Manager in the North East have hosted annual regional conferences. Attendees coming to these friendly informative sessions have steadily grown and we are excited to extend this platform to a national level.

These conferences are aimed at employees and volunteers engaged in box office, marketing, patron development, database and server management, accounting, web sales, ticket scanning and other topics.

Specific details will follow in about a week.

 

Conference Organization

Arts Management Systems, beleives passionately that the best user conference experience is one that is owned and organized by the users themselves.

While our staff will host some topics, the user community will present some other really interesting sessions. If the past is any guide, expect a lot of interaction with your peers as well as revelations about the extensive capabilities of Theatre Manager.

It is with pleasure that we announce the release of Theatre Manager Version 10.06. There are many under the hood changes and enhancements based on suggestions from customers.

There are some key things to know about this version:

• Theatre Manager has been audited for compliance with PCI-PA DSS 3.1 and the report is being submitted to the PCI council for approval. Theatre Manager has implemented PCI compliance requirements for nearly 15 years. Since 2008, the PCI council requires external auditing of our code and processes by a third party and we have recently finished the 4th successful biennial audit with Security Metrics in Utah. It is a big occasion for all of us.
• Security requirements change constantly in the face of threats. This version of Theatre Manager meets the most stringent requirements for authorizing credit cards using TLS 1.2 encryption. Banks require this by jun 2016, or earlier - all credit card authorizations must use this advanced encryption. It means you could have up to 6 months to install version 10.06. Plenty of time, but earlier is better.
• The responsive web pages have been very well received by everybody who has implemented them. This version contains some tweaks from feedback and become the standard pages deployed with the second gen listener and apache installers. The older style pages will still work if you prefer them.
• Online Subscription Renewals have a new feature to allow easy renewal of all subscriptions in a patrons package, including removal/including of optional events.
• Very easy implementation of google analytics of your web pages accesses, providing free completion statistics and page tracking. get a far better handle on your customer usage of your site. Just add the account to your Web Listener Setup - or let us help you do it.
• and more...

Refer to the full release notes and installation instructions for more information

There has been a concentrated effort by Google and other major players in the internet to move people away from older web browsers that are built on flawed security standards. Here are some of the recent initiatives and announcements.

• Google reiterated their announcement from much earlier this year that they would no longer support XP, Vista and OSX 10.08 and earlier as of the end of 2015
• The banking system, specifically the PCI council, has announced that only advanced security like TLS 1.2 and later will be supported for authorization of credit cards.
• The PCI council is also requiring use of TLS 1.2 or later for web sites that support e-commerce in order to protect the consumer from fraud.

Theatre Manager is keeping abreast of these changes, many times on a daily basis. We continually update all of our software components to work with the latest security requirements.

What does this mean to your patrons and why is this a good thing? You will likely receive sporadic reports from customers indicating that they are unable to purchase tickets from your web site using their browser. The answer is to help them understand that, for their own safety, commerce relies on high security. Moreover, all the current browsers are implementing this requirement and removing support for older browsers. This is part of a concentrated effort on the part of Google, FireFox, Safari, Opera and Microsoft Edge to move people to a place of safety. In many cases, all that a patron needs to do is switch browsers from older, no longer supported ones to the most current available.

We've been using Theatre Manager on the El Capitan developer Golden Master for a couple of days running through a number of the major tasks, including web sales.

At this time there are no known compatibility issues. However, it you wish to install El Capitan at your venue, we advise doing it to only ONE machine to start with and use it for a few days to find out if you have compatibility problems with other applications used in conjunction with Theatre Manager. We cannot say for sure if all your other important applications work, so best approach is one machine at a time.

Please do not update the postgres, apache, or second generation listeners servers at this time. Those servers also work with El Capitan - but save those for a couple of weeks.

Arts Management has completed and released a set of responsive web page templates. The means that the web pages automatically adjust their size, contents, and orientation depending if your patrons are looking at them on a computer, smart phone (landscape or portrait), tablet or other device.

The responsive web pages are available free to all venues. If you would like to try them out on our test web site, click this link for www2.artsman.com

A number of venues are already using them.

Jun 15, 2015 An update was released that all venues should installed immediately. Venues that auto-update already have the change in place.

Background

A way was found to show the name and address of a random patron who was not in your household via the account tab in web sales. No other data could ever be displayed (passwords and PCI information were never at risk). The worst possible outcome is that somebody, if they knew about the issue, could look up a name that they could find in the phonebook.

The issue was identified on Monday morning and a fix was auto-deployed by late afternoon the same day. Versions affected were TM 10.02, 10.03, 10.04, and 10.05 and a separate patch was issued for each version.