Slashdot Mirror
The World's Most Dangerous Password
NonNullSet writes "Minutemen ICBMs were deployed in the early 1960s, and grew to over 1000 in number. They were allegedly protected from a "rogue launch" by an approach known as PAL (Permissive Action Link). The PAL required that the correct 8-digit launch code be entered by the missiliers before the missile would establish ignition. What if all the PAL codes had been set to '00000000,' and 'everyone' in the Strategic Air Command knew it? That is unbelievably what happened, as described in this article from the Center for Defense Information. Not exactly a great example for getting people to choose difficult passwords!"
What if all the PAL codes had been set to '00000000,' and 'everyone' in the Strategic Air Command knew it?
Stupid David played with the WOPR again!
Username: cisco
password: cisco
'nuff said.
This is why we trust politicians, ridiculous as they are, with our lives, and make the warriors answer to them. Because incompetent politics generally inhibits war, while incompetent warriors encourage it. And they're all incompetent - nobody knows the right way to do it.
--
make install -not war
And here I thought that password would be something like, "password" or "login"... Instead, they chose the kind of code an idiot would put on his luggage.
Funniest thing I've read all day. Makes lots of seemingly 'implausible' films about unauthorised nuke launches and hacking, a lot less implausible.
'Hmm.. it's asking for a password ? Try zero zero zero'
12345 Though now we know the President's suitcase combination. :)
By reading this you acknowledge that you have read it.
Airman 1: Hey, Jeff, what do you think the secret password is?
Airman 2: Dunno. Try P-A-S-S-W-O-R-D or something.
Airman 1: Nah, it's just numerals. And it's not like the secret code could be 0000000. Nobody would be _that_ stupid.
*ATTENTION - PREPARE FOR GLOBAL THERMONUCLEAR WAR*
Airman 1: What you say!
for great justice
If a hacker tried to brute force that, I think it would have been the fastest hack on record.
Dear aunt, let's set so double the killer delete select all
of some of Microsoft's choices for authentication passwords. For example: 1111111111111111 (dont remember how many, but a good guess) for activating a MS Visual studio package. Nice protection for a $1500 license.
Things have changed on the global level more than just a little bit, and I'd imagine a good deal of the security surrounding the prevention of launches centered around the PHYSICAL security. If the bad guy can't reach the keyboard to enter the codes - well, then, does it matter what the passwords set to?
For better or worse, the system seemed to have worked - there weren't any unauthorized missiles launched that I'm aware of.
As with any mission critical systems, there is redundancy in every aspect of the ICBM system from the authentication to the verification of the target being neutralized. So what if there was a password set to 0000000? There still has to be a number of other things set by others in numerous locations in order to do this. One reason was so that the president could not launch a missile on a bad hair day or a mad general (or group, in fact) could not launch in order to lead a coup.
in addition, the passwords for the different sub-systems would vary as well as require a number of actual physical keys in order to get the nuclear war machine into motion.
If you really think it only takes one password to launch an american military nuke (even if we were in the 60s), you're totally mislead.
Just enter the recall code. Mandrake has told us it's a variation of the letters POE, which probably stands for 'Purity Of Essence' or 'Peace On Earth'. Just try all the variations, and the launch will be aborted. Hooray!
Now stop fighting in the War Room!
I hear there's rumors on the Slashdots
I stumbled over THIS manual about passwords one day, and I found it absolutely amusing!
Now I realize that the movie wasn't nearly as stupid as reality.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
00000000 was the name of Secretary of Defense McNamara's dog.
Maybe this is a fake password. Only a few people know the real password, but "everyone" knows this one. Anyone foolish enough to try to use it would immediately find themselves in a world of trouble.
Am I part of the core demographic for Swedish Fish?
It was Edgar Allan Poe, The Purloined Letter
And damn good it is too.
The best is the enemy of the good
The physical security refers to someone trying to get in from the outside. The two guys inside the silo launch center would be able to get the launch off in time.
Insofar as a single deranged person trying to launch the missiles, both launch keys have to be turned at the same time. The keylocks are separated by a distance making it impossible for a single human being to turn both simultaneously.
Crews are rotated such that the same two are not on duty on any but one shift (to prevent conspiracy), and the crewmen are subjected to some excruciatingly serious background and psychological tests before, during, and after their tours of duty in the silos.
Great care was taken in designing a fail-safe mechanism, where if the protection mechanism fails, it fails into a safe mode (like a default-deny in IPTables).
It was determined that it was better that a few missiles not leave the silos during a nuclear exchange than a few leave a silo during peace-time.
I have something in common with Stephen Hawking...
So assuming the article's correct: a) there wasn't even one password in the launch process at the time, only physical keys, b) four people in the right place could launch nuclear missiles, and no countermeasures would have been able to stop them, and c) given the lack of stringent security in allowing visitors access to those sites, it's not inconceivable that outsiders could have seized the opportunity to take control of two launch centers.
now i have to change the codes on all my nuclear weapons :<
I cant imagine anyone who had ACCCESS to ust this password having used it, the fact that were all still here shows it was perfectly secure, dont forget its not like some script kiddie could hop on the "Net" and use this password. There were some SERIOUS layers of physical security.
;)
*zoom back three years* "the fact that noone has ever deliberately flown a jumbojet into a building shows it is perfectly secure" I hope the military has some better understanding of risk analysis
There were serious layers of physical security? How serious? Just as serious as their passwords? Besides, the brass may be tough but the grunts guarding it are not above blackmail or greed.
Good security is layered. That also means that breach of security shouldn't be caused by a single failure. But in reality it often turns out one or no layers of security are actually *working* because everybody assumes the other layers will cover for it.
Kjella
Live today, because you never know what tomorrow brings
About 15 years ago, when our new computer labs were first opened, five key combination locks were put on the doors, with the access code set to the default.
15 years later and 5000 miles away on a continent on the other side of the planet, I'm on the walking trails beside our hotel and come across a gate on the boundary fence which has the exact same combination lock. And yes, it had the exact same access code.
According to the article, someone in the chain of command decided that they didn't want this safeguard, and ordered that the password be set to 00000000 and the dials used to enter the password left in that position; in effect, the equivalent of having a blank password so that you don't have to bother entering it.
The story here, then, is not that a bad password was chosen, but that somebody decided to disobey orders by disabling the password, and that the higherups were completely in the dark about it.
That seems to be the concensus at this point. People have repeatedly pointed out that the *physical* security was VERY VERY STRICT. Just because the password, a deterrant that top-level people thought was VERY VERY necessary was completely missing ...oh, that's fine. They still have keys and ummm other stuff, right?
RTFA. Blair and Brewer point out that, at the time, the military wanted to improve their public relations and would give TOURS of LCC's! B&B repeatedly point out that virtually anyone who asked could get access! The physical security was crap and the codes weren't in place. IE, any moderately funded and motivated terrorist group could have had a field day if they'd know about this severe weakness.
"Four individuals (two persons in each of two separate LCCs in the same squadron) acting in concert could succeed in mechanically launching one or more missiles." In seconds. Not minutes or hours.
"[...] annually thousands of visitors holding no clearance whatsoever were permitted access to operational LCCs."
"Located in each LCC are two launch keys, one for each member of the crew, and the codes needed to authenticate presidential launch directives. Only the launch keys, not the codes, are physical prerequisites for generating valid launch commands, the purpose of the codes being exclusively that of authenticating an execution directive."
B&B make it sound as if you happened to be on a tour and decided to overpower the minimal security force (two crew members + a couple of guards at best (isolated locations, remember?) then it's good to go - you already know the launch codes because it's always all zero's. Or, even worse:
"Technically, crew members can launch a nuclear attack with or without approval from higher authority. Unless PAL or its equivalent forecloses this option, as many as 50 missiles could be illicitly fired. Moreover, unless adequate precautions were instituted, an even more drastic option would be available. Crew members could conspire in the formatting and transmittal of strategic strike directives, deceiving the full contingent of Strategic Air Command (SAC) LCCs, as well as higher authorities, into reacting to a spurious launch directive as if it were valid and authentic. Or they could render the U.S. strategic force virtually impotent by formatting and transmitting messages invalidating the active inventory of presidential execution codes. Finally, crew members could aid accomplices in stealing thermonuclear warheads from missiles on active alert."
Keep in mind that Blair was working in an LCC as a crew member in the mid-70's. He was obviously in a unique position (which virtually none of us were or are) to write this paper. His direct observation on how to subvert the access/security controls on the ICBM's trump anyone else's estimate on what might or might not happen. His letters and paper in 1977 are basically what got those locks activated in... 1977.
It is especially hypocritical that the majority of the Slashdot comments were fine with this poor use of a password mechanism. In your own place of business you most likely would NEVER allow this to happen and you just run some servers - as opposed to ICBM's capable turning your city into a big kitty litter box. Don't defend the actions of those in charge in the 60's and 70's. They were flat out wrong and frankly should have been thrown in military prison for such a massive security breach.
Exocet Industries - Taking over the world, one computer at a
I'd be more worried about the password for this [...]
Don't be. I'm a microbiologist and personally I think all this noise about bioweapons is a lot of nonsense. None of it has been shown to work in practice, while nuclear weapons have, and are a hell of a lot simpler, and thus scarier.
Alibek would just have been one of the numerous unemployable ex-Soviet scientists if he hadn't exaggerated the technology of a country that had little to no biological infrastructure (thanks to Trofim Lysenko, who managed to get nearly every competent Soviet biologist killed off from 1930-1960)
However, there's no question that all this hysteria has pumped money into microbiology -- the institute where I work has gotten quite deeply into anthrax research, despite B. anthracis basically being boring B. subtilis with a bad attitute.
I beg to differ. Having formerly done security system installations, this is a quite common practice, especially if you're dealing with security gueards. A large casino I worked for used '2222' for its security codes. McCarren Airport (Las Vegas) prior to 9/11 had '1234' for its password to get into "secure" areas.
It has to be something the lowest common denominator on the security team can remember.
What?? You thinking putting a bar on someone's shoulder makes them "tough?" And just because you call someone a "grunt" they're more suceptible to "blackmail or greed?" Newsflash -- EVERYBODY is suceptible to blackmail and greed. That's why the people who work with nukes are vetted by the security services -- officers and enlisted alike. You think the techs who worked on those missiles didn't know how to bypass those PALs regardless of what password was used?
My point is simple -- don't question someone's patriotism because I'm enlisted -- just because they don't get paid as much doesn't mean their values aren't just as strong as an officer's. The enlisted men and women in the military are the ones you have to trust -- we're the ones who make it all work.
I do not read or respond to AC's. If you want a discussion, log in. Otherwise, don't waste your time.
Terrorist 1: "We have done it! We have infiltrated the missile silos! Death to the [insert appropriate derrogatory term for American]s! Victory is ours!"
Terrorist 2: "Mua-ha-ha-ha-ha! Let us hurry and launch the missiles! Wh... what is this?"
Terrorist 1: "It... it appears to be some sort of security mechanism... What do we do?!?"
Terrorist 2: "We have no choice. We must try every combination and hope to find the correct sequence before we are captured. We will start from '00000000' and count upwards."
Terrorist 1: "Are you insane? Even if we could test one sequence per second, it would take us tens of thousands of hours to find the code! Our fingers would be worn into nubs so short that we wouldn't be able to depress the launch button! We could even die of starvation first!"
Terrorist 2: "You're right. We've failed."
I couldn't find this particular scene in the canon anywhere, although, "A Scandal in Bohemia" from The Adventures Of Sherlock Holmes , seems to fit somewhat.
Show me on the doll where his noodly appendage touched you.
As opposed to, say, 1970's vintage soviet tanks in poor repair, and an army without equipment like boots and uniforms. The condition of the army and its material was, very likely, well known to the Iranians.
Yes, I'd say WMD, or the threat thereof, would be the only significant weapons you could bring to bear.
The question is, do you stop to consider facts before you make your arguments? A little less blindly jingoistic support for our president, a little more thought is in order.
At least on the NES. The vault door to Fred's lab is locked by a keypad, and the combination is whatever the high score on Meteor Madness (second floor arcade room) happens to be. All you have to do is get the key to the outer door, get captured by Nurse Edna or Weird Ed, and get tossed in the basement before Fred plays Meteor Madness. Do this and the combination for the door is all zeros! :D
Found this out the hard way when I was a kid- I was stuck and didn't know where to look for the code, so I figured I'd brute force it (yes, I was BORED), and.... surprise, it worked on the first go. Found out it was tied to the arcade machine when I inadvertently closed the door and tried to open it again later.
Man, that game kicked all of the ass.
>Don't be. I'm a microbiologist and personally I think all this noise about bioweapons is a lot of nonsense.
Mother Nature's bioweapons did a devastating job on the native populations of the Americas when the Europeans arrived.
If reports are true, an accidental release of weaponized Soviet smallpox killed several vaccinated people at Aralsk in 1971. The reports may not be true -- Dr. Donald Henderson(*) is skeptical and he knows smallpox well.
Bioweapons are bad candidates for military weapons because they're hard/impossible to control once released. Artillery shells go exactly where they're told and don't mutate in midair. Generals don't like *uncontrollable* destruction. Terrorists might.
(*)Leader of the worldwide effort that eradicated smallpox last century. Deserves a statue for winning the war against a virus which had killed more people than Stalin, Hitler and Pol Pot put together.
From page 164 of The Glossary of Slashdot, 2003 Edition:
Gee, you KNOW alot.
Having worked in this field I'll tell you:
1. A civilian is never allowed in a live LCC.
2. The crew is sealed in the live LCC's.
3. To get access to a live LCC is much more then cutting the chain link.
4. Even if you got into one, you need to get into two to do anything.
5. Nevermind the hoards of SP's and armed Helicopters descending around you.
6. While crew members can send messages between LCCs (and I believe between bases, I can't recall) these messages are not and can not be EAM's which are only sendable from the NCA via special terminals.
7. Even if you could send the EAM, who would believe an order coming from the wrong originator.
8. The comm systems in question are not as stupid as e-mail, they are part of a dedicated MLS (b3) system.
9. Nuclear command and control has always relied on personal responsibility, do you think nuclear submarine commanders or the alert bomber force can/could not just decide to launch, or are you deluded enough to think they have some crm114 gizmo that overrides them?
In my place of business I'd have no problem with a null password if all access to the server required two trusted administrators with keys that are kept stored in seperate combination locked safes. In fact, a password beyond the assertion of two trusted people would be stupid, and if you don't trust the people allowing them access to the keys would also be stupid.
Your scenario would be something like this:
1. Something needs done to the server, so you call the CIO
2. He gives you and your other Sys Admin a one-time password for the server.
3. You two go open your safes with your combos (each of you only know one of these combos)
4. You remove your keys and open the server locks.
5. You enter the password you got from the CIO
6. You do your business, and relock the server
7. You put your keys away
Damn, I'd hate to work in your shop. Most of us only have trusted sys admins and single passwords.
Dan
Including the Kremlin.
Computers are useless. They can only give you answers.
-- Pablo Picasso
I worked with the Minuteman Missile System for eight years. I was a member of a three man Combat Targeting Team. Our task was aiming the missile and selecting the targets by programming the onboard computer.
A lot of really strange things can happen in the military involving authentication, encrypting and decrypting information and in the whole target selection process itself.
Perhaps one of the weirdest occurences that I was personally aware of was when a missile dropped off of "Strategic Alert" (Green Status). There was a two man team of airmen checking out a communications problem in an adjoining building.
Another team arrived on site and entered into the launch facility and saw that the Nuclear Warhead was missing. Needless to say this scurried people from all over with all kinds of alerts being issued... Losing a nuclear weapon was pretty much frowned upon, needless to say.
It turned out that the warhead had fallen off of the missile to the bottom of the launch tube 100 feet below.
The problem was traced to a fuse being changed on the communication box in the soft support building with a screwdriver rather than a fuse puller.
There was a undetected defect in the onboard computer which combined with the shorting of the communications fuse caused the computer to send the "Fire Retro rockets" signal to the RV (nuclear reentry vehicle)
Another time I was programming the computer with its needed information when some "never seen before" status lights lit. D-1 and D-3 which if I remember correctly was "Launch Commanded" and "Launch in Progress".
Normally an individual has to look up these codes in a reference manual. Being the nerd I was back then, I had memorized all of the codes. So I had only a few seconds to react and I proceeded to pop some circuit breakers that would shutdown parts of the operation in case the status was real.
Our job was not to troubleshoot any further at that point so I never found out whether the computer was intending on really launching or if there were two defective lamp drivers.
Of course there is a policy that two trained people always had to be present (two man concept) to ensure that nothing illegal was attempted.
The members of the targeting team were always armed while couriering and programming the launch codes and other vital information into the missile.
And in the end, the love you take is equal to the love you make
Steve Bellovin has a fascinating page on the subject here
The quote at the beginning has become one of my favourite metaphors for describing a process that should be close to impossible:
"Bypassing a PAL should be, as one weapons designer graphically put it, about as complex as performing a tonsillectomy while entering the patient from the wrong end."
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
In short, perhaps if someone could gain access to a capsule they could have commanded a lauch, but they'd have had to subvert 2 complete LCC crews to command an immediate launch, and that's just not likely, even if the PALs were not active. One LCC could not command an immediate launch, and would have been overriden by the other capsules in the flight had it attempted to. As discussed above, penetrations of the control center or the actual missile facility could not yield results before an overwhelming response ended the threat. The way we were watched (and the capsule crews were more watched than we were) I doubt four people so profoundly without anyone noticing.
As for the "bad guys" gaining access to a warhead from the missile site... not a chance. First, to do that they'd have to penetrate the missile facility (not less than 12 hours work) without setting off any alarms and without any of the heavy equipment being noticed be the frequent roving patrols. Penetrating the LCC would not give anyone "access" to the warheads, as the LCC did not control the locks at the missile site, they just monitored them.
The only significant risk of the warhead falling in the "wrong hands" was during transport, and I can speak from personal experience that those movements were exceptionally well prepared monitored, and armed, with air support close by at all times.
Confined though we are, infinity dwells within.