Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Software Technology

A Photo Accidentally Revealed a Password For Hawaii's Emergency Agency (qz.com) 146

An anonymous reader quotes a report from Quartz: In the aftermath of an erroneous missile warning that terrified Hawaiians on Saturday (Jan. 13), the state's emergency management agency has come under increased scrutiny, from the poor design of the software that enables alerts to a particularly slapdash security measure by one of its employees. Old photos from the Associated Press inside the agency's office appear to show an unspecified password on a yellow Post-It note, stuck to a computer monitor. The image, which shows operations manger Jeffrey Wong standing in front of the computer, was taken in July and appeared in articles published at the time about the agency's preparedness in the face of a nuclear threat. The agency verified that the password is indeed real but wouldn't go into specifics on what program the password was supposed to be used for.
This discussion has been archived. No new comments can be posted.

A Photo Accidentally Revealed a Password For Hawaii's Emergency Agency

Comments Filter:
  • by nospam007 ( 722110 ) * on Wednesday January 17, 2018 @04:30PM (#55949053)

    "yellow Post-It note, stuck to a computer monitor."

    Everybody knows real security can only be had by posting it under the keyboard, where nobody can photograph it.
    Duh!

    • warningpoint2 also sounds like the system name as well.

    • Or in my desk drawer under the monitor and keyboard.
    • by ShanghaiBill ( 739463 ) on Wednesday January 17, 2018 @05:49PM (#55949635)

      David Ige, the governor of Hawaii has said this has been a "learning experience" for everyone involved, that it will not turn into a witch hunt, and no one will lose their job. In other words, there will be no accountability or consequences, and the same serially incompetent bozos will remain in charge.

      • no one will lose their job. In other words, there will be no accountability or consequences, and the same serially incompetent bozos will remain in charge.

        There can be accountability besides firings. Being excluded from promotion decisions could be one of them.

        • by ShanghaiBill ( 739463 ) on Wednesday January 17, 2018 @06:57PM (#55949991)

          There can be accountability besides firings.

          Perhaps. But is a ballistic missile attack response team really the right career for someone that requires a lot of on-the-job training?

          Being excluded from promotion decisions could be one of them.

          Well, if they screw up the response to a real ballistic missile attack, then sure, delaying their promotion would be warranted.

          Perhaps it is time to question whether we should even have state-level bureaucrats assigned to ballistic missile response. Shouldn't that be something handled at the Federal level? The is especially true for Hawaii, which has near Louisiana levels of corruption and incompetence.

          • by rtb61 ( 674572 )

            The real ballistic appropriate ballistic missiles response, bend over and kiss you arse goodbye, because fucker, you are going to kill you one way or another. No such things as one going off, one goes off, they all go off, no one can take any chance of being the one not to fire, so they all go, targeting everyone because even if you had none and fired none, those that fired and were fired upon, can not leave you to take over, that insanity goes with the territory of nuclear insanity. The insanity of believi

          • Re: (Score:2, Informative)

            by Anonymous Coward

            Dude, did you see the "GUI" they are using? You can tell what has happened just by looking at the result.
            (Image of the GUI [medium.com] is a bit down in the article.)

            The reason this bullshit happened is because the person leading the development didn't have the competence needed to judge the state of the system or he didn't get the funding needed to finish the project.

            You can tell just by looking at it that someone programmed the backend and made it work, and to test the system he spent 5 minutes to make a web-page that

      • by tlhIngan ( 30335 ) <slashdotNO@SPAMworf.net> on Wednesday January 17, 2018 @07:32PM (#55950197)

        David Ige, the governor of Hawaii has said this has been a "learning experience" for everyone involved, that it will not turn into a witch hunt, and no one will lose their job. In other words, there will be no accountability or consequences, and the same serially incompetent bozos will remain in charge.

        You're falling into the "we must fire someone for accountability" trap.

        That leads to basically incompetents running your ship - if everyone is deathly afraid of losing their job for making a mistake, you end up with a corporate culture of timidity, cover your ass and hiding mistakes.

        The modern method is not to fire the person who pushed the button, but to find out the true reason. This is often' called "The Five Whys" because it literally asks Why over and over again.

        Like in this case, given what we know.

        Why was a missile alert called? Because someone clicked the link to send it.
        Why did they click that link? Because they clicked the wrong link - they meant to click the one that produced a test message instead.
        Why did they click the wrong link? Because the links were presented as an unsorted list, with the test links appearing on some events ahead of the real link, and sometimes afterwards.
        Why did they click the wrong link? Because when you're looking at a huge list of unsorted links, you tend to focus on the one that matches what you're wanting even though it may not be exactly what you're looking at.
        Why didn't the software confirm? The software did confirm - it merely asked if they wanted to send the message out.
        Why didn't he click no? Because the software didn't tell him what link he clicked, just if he was sure. (E.g., you close an app with a dozen documents open, and all you get is "Save file?" instead of it actually telling you what file to save).

        Well, there's something you need to fix - the UI sucks and it's really only an accidental mis-click away from saying the president is dead to missiles have been launched.

        So the UI has two problems with it - a huge nasty list of unsorted messages that really should be put in order somehow. And perhaps a big ass button that selects test messages from actual messages. And a confirmation dialog that actually confirms what you are going to send. Perhaps if it was a real message, it would ask first "The message you are sending is not a test message. Click OK to continue and have your supervisor access his console to do same" as well as "Send the non-test message 'Missiles are incoming'?"

        Firing someone over mistakes doesn't ensure mistakes don't happen (because the person who learned from it will no longer be present). It instills a culture of fear - that if they click the wrong link, they can get fired. So what would take a few minutes now takes 10 people and an hour because the person who is to send the message has to check multiple times they're clicking the right thing. And the underlying cause won't get fixed, leading to more errors in the future

        And imagine if (heaven forbid) a real event happens. You have 5 minutes before missiles hits. Do you want 4 of them to be wasted because the person at the desk responsible for sending it to triple check that yes, that's really the intent because if oh my god if there aren't any missiles I'm going to get fired?

        It's why no one was fired for Amazon AWS going down last year, or when GitHub suffered a massive meltdown - errors were made, but the root cause turned out to be an opportunity for human error to do bad things accidentally.

        https://en.wikipedia.org/wiki/... [wikipedia.org]

        Far too often the question asked is "Who" as if firing that person to make a point will fix the problem. It is the dominant question if you want to assign blame and move on, and it is politically popular among the people who are looking for someone to hang. But it turns out doing so doesn't fix underlying structural issues, it just covers it up.

        • by ihavnoid ( 749312 ) on Wednesday January 17, 2018 @11:28PM (#55951225)

          I second this. I work for a big company designing high-tech products. Never did I see anybody get fired because they made a fatal mistake which cost the company massive loss. I believe this is perfectly normal in this industry - we learn from the mistake, figure out how to prevent that in the future, and move on.

          Actually, you might be grateful if you are fired. What usually happens after a royal screw-up is that the person usually will need to take some responsibility and will be the person who will do all the work to make it right. Not only to jump in and fix the problem, but also participate in all sorts of investigations, inquiries, report-writing, etc. I already feel pretty sorry about that operator since he will get interviews/meetings/questioning with all sorts of three-leter agency investigators who will be disappointed and would want to go through every single action that person took that day, having him/her go through all the horror that he experienced again and again.

          That alone is already a deterrent painful enough to make people think twice before doing something risky.

          • There's also more to this. Humans are imperfect and make mistakes. Firing a human over a mistake doesn't mean you'll end up fixing the problem in a way that the mistake can't happen again. The replacement human is just as fallible.

            To fix any mistake you need to first identify the systematic problems that allowed the mistake to escalate into an incident. Simply firing someone shows that you not only don't understand humans, but also that you refuse to improve your own systems.

        • OTOH, clearly this facility is also run like a newbie help desk, keeping critical passwords on post-its stuck to a monitor and then allowing a photograph to be taken and released to the public on top of that. Sure the alert interface sucked, but that's obviously not the only problem here. You'd really think people in those positions there would have better training in security and a less casual attitude.

      • See , removing people making a single error from chain of command or skilled work, means your hierarchy and your worker NEVER learn from their error. The one replacing them will have heard of the error, maybe laugh at it, but most of the time they did not LEARN of it, The one which got burned by it, on the other hand, will remember a long time. Experience is also learning from error. By cutting out people which did error, you are not enhancing your process, hierarchy and worker, on the contrary.
        • by gwjgwj ( 727408 )
          Harrisberger's Fourth Law of the Lab: Experience is directly proportional to the amount of equipment ruined.
      • The thing that I've wondered about is: how did the public respond to the warning? I mean, you can run the test drill to check out the equipment all day long, but when people know it's just a test they will probably kind of just ignore the warning, when you know it's just a drill people just to go through the motions of what is expected of them. If this had been a real incident, how was the public supposed to respond, and did they do that correctly? I think people are too focused on pointing fingers and tryi
    • Make them work for it- put it under the monitor!

  • by Anonymous Coward

    There was no password!!!

  • The weakest security is always the human involved.

    IMHO people posting, sharing or otherwise exposing passwords, should be written up, and eventually fired.

    What is the point of a password that is out in the open like this? Are passwords that hard to remember?

    I wanna run away screaming!

    • by michiganbob ( 1136651 ) on Wednesday January 17, 2018 @04:41PM (#55949151)

      What is the point of a password that is out in the open like this? Are passwords that hard to remember?

      Actually, yes. When your password must contain upper and lower-case letters, at least one number, a special character, must be at least 12 characters long, must be changed every 3 months, and cannot be a variation of or contain any previous password. That's when you get yellow sticky notes on the monitor.

      • by Cro Magnon ( 467622 ) on Wednesday January 17, 2018 @04:44PM (#55949179) Homepage Journal

        Particularly when you have 50 such passwords.

        • by Anonymous Coward

          Or hundreds....This is why I had to resort to using a password manager (keepass and vault), it was becoming to hard to remember everything. I found myself reusing password, simply because I knew any more would be hard to remember.

          • by Anonymous Coward

            That works great until a bug is discovered in CPU that allows any process to dump your password database.

        • by arth1 ( 260657 )

          Particularly when you have 50 such passwords.

          And that's when people ask for bigger monitors, to hold all the stick-it notes.

      • by Anonymous Coward on Wednesday January 17, 2018 @05:02PM (#55949373)

        So much so that the latest NIST recommendations are that you Should NOT impose composition rules and you Should NOT require the password is changed frequently. It's better to train employees to come up with memorable secure passwords (which don't require hard to remember composition rules https://xkcd.com/936/) and use things like password managers and 2FA.

        • by msauve ( 701917 ) on Wednesday January 17, 2018 @05:53PM (#55949653)
          Unfortunately, common sense and authoritative recommendations often succumb to security theater. Like proverbial lemmings. Real quote: "we need to adhere to standards that our customers, the market and other auditory bodies follow."
        • Reference ? I've been fighting against ridiculous password policies for years but I couldn't point to anything else than my opinion.
          • The reference is the lates NIST recommendation. https://pages.nist.gov/800-63-... [nist.gov]

            5.1.1.1 Memorized Secret Authenticators
            Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed. A rationale for this is presented in Appendix A Strength of Memorized Secrets.

        • by Anonymous Coward

          At NIST, we still have to change our passwords every three months along with a bunch of other asinine rules. Dogfood not eaten here.

        • Comment removed based on user account deletion
        • So much so that the latest NIST recommendations are that you Should NOT impose composition rules and you Should NOT require the password is changed frequently.

          Key word in there is highlighted. Given those NIST recommendations are less than 6 months old, we've got another 4 and a half years at the very least before you start to see them adopted widely.

      • by msauve ( 701917 )
        Obligatory...

        Squeal like a pig! [dilbert.com]
      • When your password must contain upper and lower-case letters, at least one number, a special character, must be at least 12 characters long, must be changed every 3 months

        Making passwords hard to remember isn't security. It is building in faults because the experts are too lazy to figure out a better method.

        Three significant length words should be sufficient. That way, you only have to remember 3 things, a couple symbols and one number. And is it sufficient for current password strengths

        Gorilla!Bamboo(Mastodon)01

        For the 01 means "January". "Change" your password every month on the first and you have 12 passwords without changing anything meaningful.

        You can vary it up if you

      • by bondsbw ( 888959 )

        And who is to say that a sticky note is that bad? How many passwords are just saved in some plain text file or email?

        At least physical access is required to obtain the password, which is probably securely restricted to people you know and trust. Sticky notes are pretty much hacker-proof.

        It's even better if you lock your sticky notes in a drawer, to avoid accidents like in TFA.

      • can't they just use Ihatemyjob1!
      • That's why you choose a handful of passwords, of differing difficulty, and importance.

        For instance, the password to your GMail account should include some number, letters, symbols, whitespace characters, Chinese / Japanese / Thai characters, musical / mathematical notation, and a statement that if read aloud in court would get someone in a heap in trouble (FBI, CIA, NSA, or someone else in trouble).

        Conversely, the password to your Amazon account doesn't need the last three types.

      • Comment removed based on user account deletion
      • by be951 ( 772934 )

        That's when you get yellow sticky notes on the monitor.

        Certain people will probably always do that. But good password managers have been around for a while, and can easily accommodate such requirements. If anyone is unaware of those types of tools, that's probably a failing of their IT department for not having or properly communicating a standard for password management.

    • by pz ( 113803 )

      Are something (fingerprint).
      Have something (RFID badge).
      Know something (unique-to-user pass phrase).

      You would think that all three would be required to send out an emergency alert message.

      • You would think that all three would be required to send out an emergency alert message.

        Then in case of an actual emergency (say, when category 9 hurricane 'Zorro' hits Hawai in a couple of months), you'd be complaining that the alert wasn't sent because it relied on a complex validation procedure that required perfectly coordinated simultaneous action by 5 person, one of which was sick on that day, and the other lost his keyfob 12 months ago when his dog ate it.

        That's the complex problem with emergency procedures, they need both at the same time be quick enough to execute in case of actual em

    • by jetkust ( 596906 )
      Sometimes a password isn't needed and doesn't add any real security but is required. You're very quick to fire someone without really knowing the situation or what the password even was for.

      And yes, passwords are hard to remember when you have to remember a hundred of them. If they weren't, why do people use password managers?
    • by AHuxley ( 892839 )
      Re 'What is the point of a password that is out in the open like this?"
      So that anyone on call can take over the job of alert/test that shift?
      • So that anyone on call can take over the job of alert/test that shift?

        Most likely.

        Having a readily posted password isn't a problem - depending on how you balance your risk. For example, is it worse if people in the control room (or the world who doesn't have access to the control room) knows the password; or if WHILE RIDICULOUSLY STRESSED THAT AN ICBM IS HEADING FOR YOU (caps since it would be REALLY stressful) you can't remember the password to tell everyone about to seek shelter from a nuclear weapon t

        • by AHuxley ( 892839 )
          +1 for the stress part too. That would be something that was given some thought. A pity the shift change test and alarm section was not given much thought.
    • by SirGarlon ( 845873 ) on Wednesday January 17, 2018 @05:14PM (#55949453)

      Are passwords that hard to remember?

      Once you start requiring them to be 12 characters long, and contain at least one uppercase character, one lowercase character, one numeral, and one Egyptian hieroglyph they are.

      By the way, those complexity rules have been officially withdrawn by NIST [sophos.com]. In fact, TFA is an instance of the very problem that drove the rule change. Now all we have to do is spend 20 years undoing the damage of the old, stupid, complexity rules.

    • The weakest security is always the human involved.

      That's true. It's also the reason why password setups and protocols should be made as easy and enjoyable to use as humanly possible.

      If you build a password system that's hard to use, hard to remember, and force the user top jump through hoops, you're putting a lot of strain over the weakest link in the system. I.e., you're making the system brittle and easy to hack.

  • by Anonymous Coward

    ... the mainframe, all programs and all desktops.

  • That's bad, but (Score:5, Insightful)

    by RightwingNutjob ( 1302813 ) on Wednesday January 17, 2018 @04:44PM (#55949183)
    publishing photographs of the insides emergency management and civil defense facilities isn't such a hot idea either. Information wants to be free.
    • publishing photographs of the insides emergency management and civil defense facilities isn't such a hot idea either

      Why? This isn't some super secret military facility. What you find in this room will likely be no different to any other emergency response room anywhere in the world. If anything the firestation we have at work looks more complex than this.

      What have we learned?
      They have multiple clocks.
      They have cameras.
      They monitor the weather.
      They have more than 2 telephones like any emergency room.
      They have swipe card access.
      There's a password for an unknown system on the monitor.

      We could have guessed what this picture

    • publishing photographs of the insides emergency management and civil defense facilities isn't such a hot idea either. Information wants to be free.

      No kidding. Reminds me of when the officially admitted submarine depth capability had to be doubled, due to something said on a #%&^% TV documentary!

      "Oh, um ... I guess say "greater than 800 feet" now. Because we are idiots."

  • by geantvert ( 996616 ) on Wednesday January 17, 2018 @04:57PM (#55949317)

    Where can I buy Post-It with pre-printed passwords? That would save me so much time.

  • For no particular reason, at a previous job, I kept a brightly colored Postit stuck to my monitor with a random string written on it. It wasn't the password to anything. And now, for no particular reason, I've shared it with all of you.
  • Not one of the red and green buttons with the word "test" and "alarm"?
    Someone has to use the computer with a pw and select test or alert from a GUI?
    A test is selected every shift? Is the alarm so easy to select in the GUI too? Any "Sure?" on the GUI to confirm alarm was selected and not the much used test?
    • by vux984 ( 928602 )

      Apparently real and test were two adjacent entries in a drop down list; and then there was a confirmation box "Are you sure?"

      Seems like an easy issue to fat-finger, especially if you get the same confirmation box with either selection.

      Yesterday I had to make a dash for the printer to cancel a job because "Print" and "Edit" are adjacent in the right click context menu for the windows desktop.

      (Really... does anyone really need one-click print without opening the document first, that they even need a right cli

  • how about fixing the Poor UI when you change the password system as well.

    https://www.theinquirer.net/in... [theinquirer.net]

  • A password on a yellow post-it note!! Haven't they ever heard of green or pink or light-blue post-it notes or whatever?!
  • by kimgkimg ( 957949 ) on Wednesday January 17, 2018 @05:20PM (#55949491)
    The password's been changed to "Warmingpoint3" now, so don't bother trying the old one, it won't work.
    • by SeaFox ( 739806 )

      The password's been changed to "Warmingpoint3" now, so don't bother trying the old one, it won't work.

      https://qzprod.files.wordpress... [wordpress.com]

      You're trying to attach the "r" to an "n". I'm pretty sure the password is "warningpoint2". You know, because this is an emergency management facility.

    • The feature request to change the hard-coded password has been filed - it's making its way through triage and prioritization. A meeting to decide what the new password should be has been scheduled. New layer of security is being implemented - non-transparent extra-sticky notes to always cover for the ones with the password have been ordered.

  • Oh my god Oh my god Oh my god!!! They managed to get a photo of the secret password that was written on the super-secret Post-It-Note that was secretly affixed on the front of the terminal of our hyper-ultra-secret nuclear-threat-preparedness system! We’re soooooo totally screwed now!

  • That password is for the honeypot...

  • by Sqreater ( 895148 ) on Wednesday January 17, 2018 @06:33PM (#55949869)
    I learned in the Air Force in the seventies that security is impossible to expect from your average American. They just don't get it, no matter how hard you try to explain it to them. Americans are just not afraid of things they should be afraid of, and not suspicious of people and things they should be suspicious of. They don't feel endangered. And it is very hard to make them feel so.
    • by Anonymous Coward

      Maybe it is because average people, no matter where they live in the world, don't have enmity towards each other.

      It is only the _leaders_ and the _militaries_ of the world that create threats, start wars and in general start the problems that lead to conflict.

      • by cstacy ( 534252 )

        Maybe it is because average people, no matter where they live in the world, don't have enmity towards each other.

        It is only the _leaders_ and the _militaries_ of the world that create threats, start wars and in general start the problems that lead to conflict.

        Yeah, normal humans don't have conflicts, just their (inherently evil) military leaders.
        And yet for some unfathomable reason there are locks on almost all doors.

  • When companies force you to change your password every 60 or 90 days "just because" and require the new password to be substantially different than their previous password people start writing them down.

    I never understood the thought behind forcing a password change because you've had your password for X days.

  • I know that a medical company IT staff I know, they go around (due to HIPAA reasons) making sure if people leave their desk they lock the screen on their workstation. He told me more than once, they found post it notes with a password. What they would do is go in and change the password, locking them out, then wait for them to call the help desk. Then they'd get ONE warning not to do it again, or be fired. NO ONE in a corporate world should be allowed to keep a password on a post it note.
    • I only need one post-it, for my login password. Everything else is in a text file named "Top Secret Passwords". What could go wrong?

  • Comment removed based on user account deletion
  • I don't know if it's true or not but I heard a story that the only time Harry Houdini couldn't pick a lock to escape from a jail cell was when the deputy didn't actually lock the lock. That story inspired me a long time ago to hang yellow sticky notes on my monitor with what appear to be passwords written on them. Everything from "secret123" to "p455w0rd". I crack me up.
  • This is why I keep my passwords in my "password suitcase", where it is encrypted until unlocked for use. (This way I only have to remember a single master password. It's the same numeric 5-digit code as on my other luggage...)

  • Something you don't have anymore, something you forgot, and something you ate.

    Or something like that.

  • I worked in a place with a security policy that included having somebody from IT walk through the offices looking for this kind of thing (e.g. Post-It notes under keyboards, on cube partitions, etc).

    This, in a place that had been a division of another company until a week before my arrival there: so all the legacy systems of the previous corporation plus all the systems of the new corporation, many of them providing the same services.

    And password policies like "you must change your password every six mo

  • The agency verified that the password is indeed real but wouldn’t go into specifics on what program the password was supposed to be used for.

    What a fucking stupid response. If somebody finds a key for something that I own, my first response would be to change the lock... I certainly hope they have changed the password.

Disclaimer: "These opinions are my own, though for a small fee they be yours too." -- Dave Haynie

Working...