A Photo Accidentally Revealed a Password For Hawaii's Emergency Agency (qz.com)
An anonymous reader quotes a report from Quartz: In the aftermath of an erroneous missile warning that terrified Hawaiians on Saturday (Jan. 13), the state's emergency management agency has come under increased scrutiny, from the poor design of the software that enables alerts to a particularly slapdash security measure by one of its employees. Old photos from the Associated Press inside the agency's office appear to show an unspecified password on a yellow Post-It note, stuck to a computer monitor. The image, which shows operations manger Jeffrey Wong standing in front of the computer, was taken in July and appeared in articles published at the time about the agency's preparedness in the face of a nuclear threat. The agency verified that the password is indeed real but wouldn't go into specifics on what program the password was supposed to be used for.
"yellow Post-It note, stuck to a computer monitor."
Everybody knows real security can only be had by posting it under the keyboard, where nobody can photograph it.
Duh!
There was no password!!!
The weakest security is always the human involved.
IMHO people posting, sharing or otherwise exposing passwords, should be written up, and eventually fired.
What is the point of a password that is out in the open like this? Are passwords that hard to remember?
I wanna run away screaming!
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
... the mainframe, all programs and all desktops.
Mistaken alerts in Hawaii and in Japan are looking less and less like accidents, and more like probes and tests of readiness.
warningpoint2 also sounds like the system name as well.
Publishing photographs of the insides of emergency management and civil defense facilities isn't such a hot idea either. Information wants to be free.
Joshua gets into the system that can fire nuclear missiles
I almost got a blowjob once.
Alas, that too was a false alarm.
.
The horses and Jeffrey Wong are sharing the same manger.
Was the password "12345" to match his luggage too?
Where can I buy Post-It with pre-printed passwords? That would save me so much time.
For no particular reason, at a previous job, I kept a brightly colored Postit stuck to my monitor with a random string written on it. It wasn't the password to anything. And now, for no particular reason, I've shared it with all of you.
Not one of the red and green buttons with the word "test" and "alarm"?
Someone has to use the computer with a pw and select test or alert from a GUI?
A test is selected every shift? Is the alarm so easy to select in the GUI too? Any "Sure?" on the GUI to confirm alarm was selected and not the much used test?
Domestic spying is now "Benign Information Gathering"
How about fixing the poor UI when you change the password system as well?
https://www.theinquirer.net/in...
A password on a yellow post-it note!! Haven't they ever heard of green or pink or light-blue post-it notes or whatever?!
The password's been changed to "Warmingpoint3" now, so don't bother trying the old one, it won't work.
Oh my god Oh my god Oh my god!!! They managed to get a photo of the secret password that was written on the super-secret Post-It-Note that was secretly affixed on the front of the terminal of our hyper-ultra-secret nuclear-threat-preparedness system! We’re soooooo totally screwed now!
strange game... the only way to win is to not play
That password is for the honeypot...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
n/t
Have gnu, will travel.
I just use correct battery horse staple for everything. That way I don't have to mess around with insecure post-its.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I learned in the Air Force in the seventies that security is impossible to expect from your average American. They just don't get it, no matter how hard you try to explain it to them. Americans are just not afraid of things they should be afraid of, and not suspicious of people and things they should be suspicious of. They don't feel endangered. And it is very hard to make them feel so.
E Proelio Veritas.
When companies force you to change your password every 60 or 90 days "just because" and require the new password to be substantially different from the previous password, people start writing them down.
I never understood the thought behind forcing a password change because you've had your password for X days.
Zoom and enhance
I know that a medical company IT staff I know, they go around (due to HIPAA reasons) making sure if people leave their desk they lock the screen on their workstation. He told me more than once, they found post it notes with a password. What they would do is go in and change the password, locking them out, then wait for them to call the help desk. Then they'd get ONE warning not to do it again, or be fired. NO ONE in a corporate world should be allowed to keep a password on a post it note.
I would not worry, guys. I watched what they had installed on that computer in the video on YouTube the other day, and there was the icon for Malwarebytes Anti-Malware, so hey, at least it wasn't Kaspersky, so that's a relief, right?
I bet it was the Wong password
Or perhaps we're ignoring the inherent insecurity of current cell networks. Granted, an alert like this is most likely akin to a broadcast radio alert, but we're still ignoring cell security.
Yeah the UI is garbage but that doesn't excuse operator error.
Welp, I don't think I will be able to change your mind, but there are at least two schools of thought here, yours:
1. If something bad happens, whip everyone involved until they cannot stand any longer, then fire them, ensuring this never happens again,
Or,
2. Ask why this happened, don't assign blame, then work through the problem to find the root cause, then fix that problem so that it never happens again.
NASA determined that humans fail at pretty much everything about 3% of the time on the ISS and have built in all sorts of checks and balances to account for this. If the ISS blows up, everyone shares the blame, and responsibility for keeping that from happening again. If you assume from the get-go that humans are capable of being 100% infallible 24/7/365, even when they're sleep deprived from a) having a baby b) insomnia from a divorce c) hung over from a bachelor party etc etc then yes your system sounds great as there's no chance anything can ever go wrong and it's just their fault for being a bad person and they should feel bad.
Option 1 is both overly optimistic going in, and highly negative on the resolution side - nobody worth anything will stick around for long; option 2 assumes the worst going in and looks for a positive solution coming out. People tend not to quit out of frustration quite so often in scenario 2.
moox. for a new generation.
The more passwords the harder to crack.
"Chris also appears to have echolalia, a common symptom of autism. This means that he constantly repeats phrases from his favorite television shows, movies and video games, regardless of whether they fit the current situation."
I don't know if it's true or not but I heard a story that the only time Harry Houdini couldn't pick a lock to escape from a jail cell was when the deputy didn't actually lock the lock. That story inspired me a long time ago to hang yellow sticky notes on my monitor with what appear to be passwords written on them. Everything from "secret123" to "p455w0rd". I crack me up.
Liberals call everyone Nazis yet they are the closest thing to it.
Option 1 doesn't even solve the problem, it hides it temporarily. Only option 2 prevents it from happening again.
If the solution to an error relies on fallible humans just "being more careful", the error is virtually guaranteed to happen again.
You're the editor of that newsletter, "How To Be Perfect And Never Make Mistakes", aren't you? May I please subscribe to it?
-=This sig has nothing to do with my comment. Move along now=-
See the map on the lower-right display? The sticky note obviously contains the master password for all of North Korea.
See, removing people who made a single error from the chain of command or skilled work means your hierarchy and your workers NEVER learn from their error. The one replacing them will have heard of the error, maybe laugh at it, but most of the time they did not LEARN from it. The one who got burned by it, on the other hand, will remember for a long time. Experience is also learning from error. By cutting out people who made an error, you are not enhancing your process, hierarchy and workers; on the contrary.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
This is why I keep my passwords in my "password suitcase", where it is encrypted until unlocked for use. (This way I only have to remember a single master password. It's the same numeric 5-digit code as on my other luggage...)
Something you don't have anymore, something you forgot, and something you ate.
Or something like that.
Jan. 16, Juche 107 (2018) Tuesday
American Gangsters Running Amuck to Spoil Significant Event of Korean Nation
The U.S. ruling quarters are viciously scheming to spoil the significant event of the Korean nation.
It was at a dazzling speed that the Democratic People's Republic of Korea (DPRK) has emerged a strategic state acknowledged by the world with the accomplishment of the great historic cause of completing the national nuclear force. The new policy for improved north-south relations, announced on the New Year's Day in this country, turned the swirling trend of the situation toward the direction of detente, peace and improvement of ties.
Thanks to the initiative proposal and active measures taken by the DPRK, successful north-south high-level talks were held at Panmunjom to delight all Koreans and this opened up the first breakthrough toward the improvement of the ties.
But the present ruling quarters in the U.S. are behaving mischievous, following with uneasiness the progress made in the spirit of By Our Nation Itself.
When the historic New Year Address was made public in the DPRK, there heard from the U.S. political circle such rubbish as "tactic of opening to the south and shutting out the U.S.", "act of driving a wedge" between the south Korea and the U.S. and such remarks that north Korea can again opt for additional missile "provocation" at the end of Olympics.
Before the north-south high-level talks, the U.S. called them a trick to divide Seoul and Washington and weaken sanctions and pressure. It even began to spread the story that talks that can weaken the U.S.-led sanctions and pressure on the DPRK should never be allowed and that the improvement of the north-south relations is inseparable from the solution of the "north's nuclear issue" and, therefore, it can never be advanced separately, which came as a threat to the south Korean authorities.
As the DPRK's big magnanimity and good favor resulted in successful north-south high-level talks far beyond expectation, the U.S. authorities including Trump, hiding their upset mind, made a U-turn in their stand to describe them as the direct result of the unprecedented pressure on the DPRK put by the U.S., a daring act of attributing the result common to the north and the south to its "merit".
It is the bad habit of the U.S. to deliberately strain the situation on the Korean peninsula and check the improvement of the north-south ties while intervening in the internal issue of the Korean nation and instructing others to do this or that.
By nature, the U.S. dislikes to see the situation on the Korean Peninsula defused and the peaceful atmosphere created in Asia-Pacific. What is all the more dangerous is that the U.S. military actions are pursuant to the lunatic president's ignorance and frenzy, not prompted by any political demand and reasonable judgment.
The U.S. should be deliberate.
The U.S. styling itself the "super power" is being taken to the cliff of destruction led by the lunatic president whose thinking faculty is at the level of preschooler and who has the symptom of dementia.
The warmongers may storm us if they have certainty of handling the responsibility. This is the pluck of the DPRK, the world-level nuclear power and rocket power.
The U.S. nuclear carriers are just good prey for the Hwasong artillerymen of the DPRK who have already put Guam and even the U.S. mainland in their striking range.
Choe Kang Chol, Researcher of Institute of International Studies of Korea
I worked in a place with a security policy that included having somebody from IT walk through the offices looking for this kind of thing (e.g. Post-It notes under keyboards, on cube partitions, etc).
This, in a place that had been a division of another company until a week before my arrival there: so all the legacy systems of the previous corporation plus all the systems of the new corporation, many of them providing the same services.
And password policies like "you must change your password every six months, a password must contain at least one upper case letter, one lower case letter, one digit and one special character" of course, without telling us which special characters were allowed and which were not allowed. Oh, and you couldn't use a password that you had used in the previous 18 months.
So of course, remembering all these passwords was difficult. Some people resorted to Post-It notes, some to noting the passwords in a cellphone or a notebook. A notebook in a locked drawer, of course.
But if a Post-It note with a service name, login name and password was found during the security walk-through, it would be tried out... So guess what happened. People would write down spurious combinations of login name and password. Or write down a service name that didn't exist. The walk-through sometimes took a long time... so trying out the passwords was abandoned; the Post-It notes were simply confiscated and the person whose cube it was would get a new training requirement to follow, yet again, the IT Security Policy training course.
You would think that all three would be required to send out an emergency alert message.
Then in case of an actual emergency (say, when category 9 hurricane 'Zorro' hits Hawaii in a couple of months), you'd be complaining that the alert wasn't sent because it relied on a complex validation procedure that required perfectly coordinated simultaneous action by 5 people, one of whom was sick on that day, and another lost his keyfob 12 months ago when his dog ate it.
That's the complex problem with emergency procedures: they need, at the same time, both to be quick enough to execute in case of an actual emergency and to have enough confirmation steps not to be triggered by incident.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Let’s hope the UI of Trump’s yuge red button wasn’t designed by the same clown who did Hawaii’s warning system or it would have been the following pick list:
1) Order a big mac
2) Order a steak, crispy well done
3) Tweet about some movie actress not liking me
4) Tweet about Kim Jong-un’s dong
5) Tweet how all unfavorable news is fake news
6) Tweet about nuking North Korea
7) Pretend to nuke North Korea
8) Actually to nuke North Korea
9) Wish I could nuke North Korea
10) Tweet about how I could nuke North Korea
The confirmation message would be the same for all selections: “Do you want to complete the selected action Y/N?”
I take it you've never pulled a 'push' door, have you?
What a fucking stupid response. If somebody finds a key for something that I own, my first response would be to change the lock... I certainly hope they have changed the password.
Oh yeah that's totally the same as an emergency alert for an incoming missile attack.
Only the State obtains its revenue by coercion. - Murray Rothbard