A Photo Accidentally Revealed a Password For Hawaii's Emergency Agency

An anonymous reader quotes a report from Quartz: In the aftermath of an erroneous missile warning that terrified Hawaiians on Saturday (Jan. 13), the state's emergency management agency has come under increased scrutiny, from the poor design of the software that enables alerts to a particularly slapdash security measure by one of its employees. Old photos from the Associated Press inside the agency's office appear to show an unspecified password on a yellow Post-It note, stuck to a computer monitor. The image, which shows operations manger Jeffrey Wong standing in front of the computer, was taken in July and appeared in articles published at the time about the agency's preparedness in the face of a nuclear threat. The agency verified that the password is indeed real but wouldn't go into specifics on what program the password was supposed to be used for.

Really bad security

[nospam007]

"yellow Post-It note, stuck to a computer monitor."

Everybody knows real security can only be had by posting it under the keyboard, where nobody can photograph it.
Duh!

Re: Really bad security

[Nidi62]

Write a fake password on the front of the post it attached to the monitor and the real password on the back of the note

Re:Really bad security

[The-Ixian]

Time to move it to the fake rock outside your cube...

Re:Really bad security

[ShanghaiBill]

David Ige, the governor of Hawaii has said this has been a "learning experience" for everyone involved, that it will not turn into a witch hunt, and no one will lose their job. In other words, there will be no accountability or consequences, and the same serially incompetent bozos will remain in charge.

Re:Really bad security

[jader3rd]

no one will lose their job. In other words, there will be no accountability or consequences, and the same serially incompetent bozos will remain in charge.

There can be accountability besides firings. Being excluded from promotion decisions could be one of them.

Re:Really bad security

[ShanghaiBill]

There can be accountability besides firings.

Perhaps. But is a ballistic missile attack response team really the right career for someone that requires a lot of on-the-job training?

Being excluded from promotion decisions could be one of them.

Well, if they screw up the response to a real ballistic missile attack, then sure, delaying their promotion would be warranted.

Perhaps it is time to question whether we should even have state-level bureaucrats assigned to ballistic missile response. Shouldn't that be something handled at the Federal level? The is especially true for Hawaii, which has near Louisiana levels of corruption and incompetence.

Re:Really bad security

[tlhIngan]

David Ige, the governor of Hawaii has said this has been a "learning experience" for everyone involved, that it will not turn into a witch hunt, and no one will lose their job. In other words, there will be no accountability or consequences, and the same serially incompetent bozos will remain in charge.

You're falling into the "we must fire someone for accountability" trap.

That leads to basically incompetents running your ship - if everyone is deathly afraid of losing their job for making a mistake, you end up with a corporate culture of timidity, cover your ass and hiding mistakes.

The modern method is not to fire the person who pushed the button, but to find out the true reason. This is often' called "The Five Whys" because it literally asks Why over and over again.

Like in this case, given what we know.

Why was a missile alert called? Because someone clicked the link to send it.
Why did they click that link? Because they clicked the wrong link - they meant to click the one that produced a test message instead.
Why did they click the wrong link? Because the links were presented as an unsorted list, with the test links appearing on some events ahead of the real link, and sometimes afterwards.
Why did they click the wrong link? Because when you're looking at a huge list of unsorted links, you tend to focus on the one that matches what you're wanting even though it may not be exactly what you're looking at.
Why didn't the software confirm? The software did confirm - it merely asked if they wanted to send the message out.
Why didn't he click no? Because the software didn't tell him what link he clicked, just if he was sure. (E.g., you close an app with a dozen documents open, and all you get is "Save file?" instead of it actually telling you what file to save).

Well, there's something you need to fix - the UI sucks and it's really only an accidental mis-click away from saying the president is dead to missiles have been launched.

So the UI has two problems with it - a huge nasty list of unsorted messages that really should be put in order somehow. And perhaps a big ass button that selects test messages from actual messages. And a confirmation dialog that actually confirms what you are going to send. Perhaps if it was a real message, it would ask first "The message you are sending is not a test message. Click OK to continue and have your supervisor access his console to do same" as well as "Send the non-test message 'Missiles are incoming'?"

Firing someone over mistakes doesn't ensure mistakes don't happen (because the person who learned from it will no longer be present). It instills a culture of fear - that if they click the wrong link, they can get fired. So what would take a few minutes now takes 10 people and an hour because the person who is to send the message has to check multiple times they're clicking the right thing. And the underlying cause won't get fixed, leading to more errors in the future

And imagine if (heaven forbid) a real event happens. You have 5 minutes before missiles hits. Do you want 4 of them to be wasted because the person at the desk responsible for sending it to triple check that yes, that's really the intent because if oh my god if there aren't any missiles I'm going to get fired?

It's why no one was fired for Amazon AWS going down last year, or when GitHub suffered a massive meltdown - errors were made, but the root cause turned out to be an opportunity for human error to do bad things accidentally.

https://en.wikipedia.org/wiki/...

Far too often the question asked is "Who" as if firing that person to make a point will fix the problem. It is the dominant question if you want to assign blame and move on, and it is politically popular among the people who are looking for someone to hang. But it turns out doing so doesn't fix underlying structural issues, it just covers it up.

Re:Really bad security

[rtb61]

The real ballistic appropriate ballistic missiles response, bend over and kiss you arse goodbye, because fucker, you are going to kill you one way or another. No such things as one going off, one goes off, they all go off, no one can take any chance of being the one not to fire, so they all go, targeting everyone because even if you had none and fired none, those that fired and were fired upon, can not leave you to take over, that insanity goes with the territory of nuclear insanity. The insanity of believing you can survive, make no mistake you are dead if not immediately than within a short time there after.

Tsunami and hurricane warning sure, nuclear war warning, why fucking bother, seriously, who the fuck wants to die of old age in a hole in the ground, knowing that's all there is a whole in the ground you have already buried yourself it. Far smarter to immediately reach for that special joint you have been saving.

Re:Really bad security

[ihavnoid]

I second this. I work for a big company designing high-tech products. Never did I see anybody get fired because they made a fatal mistake which cost the company massive loss. I believe this is perfectly normal in this industry - we learn from the mistake, figure out how to prevent that in the future, and move on.

Actually, you might be grateful if you are fired. What usually happens after a royal screw-up is that the person usually will need to take some responsibility and will be the person who will do all the work to make it right. Not only to jump in and fix the problem, but also participate in all sorts of investigations, inquiries, report-writing, etc. I already feel pretty sorry about that operator since he will get interviews/meetings/questioning with all sorts of three-leter agency investigators who will be disappointed and would want to go through every single action that person took that day, having him/her go through all the horror that he experienced again and again.

That alone is already a deterrent painful enough to make people think twice before doing something risky.

Re:Really bad security

Dude, did you see the "GUI" they are using? You can tell what has happened just by looking at the result.
(Image of the GUI is a bit down in the article.)

The reason this bullshit happened is because the person leading the development didn't have the competence needed to judge the state of the system or he didn't get the funding needed to finish the project.

You can tell just by looking at it that someone programmed the backend and made it work, and to test the system he spent 5 minutes to make a web-page that sent a test-signal.
When the backend worked he demonstrated the system for his boss that didn't listen to all that technical mumbo jumbo and just saw a button click and a correct response and decided that the project was done.
No proper GUI was ever developed.
Over the time new links were added to the test-page just to be able to send other messages but they were just added to the list in no particular order.

This isn't an operator error. In a sharp situation where the operator is stressed there is a high probability that even a competent person would pick the wrong message.
This is purely a development error and since the backend apparently works very well and clearly no-one spent even a day on building a GUI it is clearly a project management or funding issue.

Re:Really bad security

[cyberchondriac]

OTOH, clearly this facility is also run like a newbie help desk, keeping critical passwords on post-its stuck to a monitor and then allowing a photograph to be taken and released to the public on top of that. Sure the alert interface sucked, but that's obviously not the only problem here. You'd really think people in those positions there would have better training in security and a less casual attitude.

Re:The weakest security

[michiganbob]

What is the point of a password that is out in the open like this? Are passwords that hard to remember?

Actually, yes. When your password must contain upper and lower-case letters, at least one number, a special character, must be at least 12 characters long, must be changed every 3 months, and cannot be a variation of or contain any previous password. That's when you get yellow sticky notes on the monitor.

warningpoint2 also sounds like the system name

[Joe_Dragon]

warningpoint2 also sounds like the system name as well.

Re:warningpoint2 also sounds like the system name

[AHuxley]

Really smart network designers put all kinds of stickers and words, terms all over their place of work so that anyone visiting can see the thinking around the design of the network.
Everything on display all connects back to a honeypot.

Re:The weakest security

[Cro+Magnon]

Particularly when you have 50 such passwords.

That's bad, but

[RightwingNutjob]

publishing photographs of the insides emergency management and civil defense facilities isn't such a hot idea either. Information wants to be free.

Re:The weakest security

[pz]

Are something (fingerprint).
Have something (RFID badge).
Know something (unique-to-user pass phrase).

You would think that all three would be required to send out an emergency alert message.

Re:The weakest security

[arth1]

Particularly when you have 50 such passwords.

And that's when people ask for bigger monitors, to hold all the stick-it notes.

That leads us to a fundamental question

[geantvert]

Where can I buy Post-It with pre-printed passwords? That would save me so much time.

Re:The weakest security

So much so that the latest NIST recommendations are that you Should NOT impose composition rules and you Should NOT require the password is changed frequently. It's better to train employees to come up with memorable secure passwords (which don't require hard to remember composition rules https://xkcd.com/936/) and use things like password managers and 2FA.

Re:The weakest security

[SirGarlon]

Are passwords that hard to remember?

Once you start requiring them to be 12 characters long, and contain at least one uppercase character, one lowercase character, one numeral, and one Egyptian hieroglyph they are.

By the way, those complexity rules have been officially withdrawn by NIST. In fact, TFA is an instance of the very problem that drove the rule change. Now all we have to do is spend 20 years undoing the damage of the old, stupid, complexity rules.

Re:The weakest security

[bondsbw]

And who is to say that a sticky note is that bad? How many passwords are just saved in some plain text file or email?

At least physical access is required to obtain the password, which is probably securely restricted to people you know and trust. Sticky notes are pretty much hacker-proof.

It's even better if you lock your sticky notes in a drawer, to avoid accidents like in TFA.

It's changed now, so don't bother trying it.

[kimgkimg]

The password's been changed to "Warmingpoint3" now, so don't bother trying the old one, it won't work.

Re: The weakest security

[TuringTest]

The weakest security is always the human involved.

That's true. It's also the reason why password setups and protocols should be made as easy and enjoyable to use as humanly possible.

If you build a password system that's hard to use, hard to remember, and force the user top jump through hoops, you're putting a lot of strain over the weakest link in the system. I.e., you're making the system brittle and easy to hack.

Re:So its a desktop?

[vux984]

Apparently real and test were two adjacent entries in a drop down list; and then there was a confirmation box "Are you sure?"

Seems like an easy issue to fat-finger, especially if you get the same confirmation box with either selection.

Yesterday I had to make a dash for the printer to cancel a job because "Print" and "Edit" are adjacent in the right click context menu for the windows desktop.

(Really... does anyone really need one-click print without opening the document first, that they even need a right click print context menu item?? I've always wondered about why its there.)

Re:The weakest security

[msauve]

Unfortunately, common sense and authoritative recommendations often succumb to security theater. Like proverbial lemmings. Real quote: "we need to adhere to standards that our customers, the market and other auditory bodies follow."

It would be funny if not so possibly tragic.

[Sqreater]

I learned in the Air Force in the seventies that security is impossible to expect from your average American. They just don't get it, no matter how hard you try to explain it to them. Americans are just not afraid of things they should be afraid of, and not suspicious of people and things they should be suspicious of. They don't feel endangered. And it is very hard to make them feel so.

Often it's the companies fault

[PA23]

When companies force you to change your password every 60 or 90 days "just because" and require the new password to be substantially different than their previous password people start writing them down.

I never understood the thought behind forcing a password change because you've had your password for X days.

Re:The weakest security

[mcl630]

And if your system has any type of variation on "can not contain any previous password", it has to store your passwords in plaintext somewhere, which is another huge security issue.

No it doesn't... you can store previous password hashes and when the user attempts to change their password you compare the hash of the new password to the old hashes. No need to store plaintext at all.

Re:Full of shit

[Hadlock]

Yeah the UI is garbage but that doesn't excuse operator error.
 
Welp, I don't think I will be able to change your mind, but there are at least two schools of thought here, yours:
 
1. If something bad happens, whip everyone involved until they cannot stand any longer, then fire them, ensuring this never happens again,
 
Or,
 
2. Ask why this happened, don't assign blame, then work through the problem to find the root cause, then fix that problem so that it never happens again.
 
NASA determined that humans fail at pretty much everything about 3% of the time on the ISS and have built in all sorts of checks and balances to account for this. If the ISS blows up, everyone shares the blame, and responsibility for keeping that from happen again. If you assume from the get-go that humans are capable of being 100% infallable 24/7/365, even when they're sleep deprived from a) having a baby b) insomnia from a divorce c) hung over from a bachelors party etc etc then yes your system sounds great as there's no chance anything can ever go wrong and it's just their fault for being a bad person and they should feel bad.
 
Option 1 is both overly optimistic going in, and highly negative on the resolution side - nobody worth anything will stick around for long; option 2 assumes the worst going in and looks for a positive solution coming out. People tend not to quit out of frustration quite so often in scenario 2.

Re: The weakest security

[houghi]

3 months? Once had a place where it had to be done weekly. And obviously people have to have one for every website. Often with logins tha are different as well.

And no, a password manager can not be used everywhere.

Password policy is basically blameshifting to the enduser.

Fast reaction

[DrYak]

You would think that all three would be required to send out an emergency alert message.

Then in case of an actual emergency (say, when category 9 hurricane 'Zorro' hits Hawai in a couple of months), you'd be complaining that the alert wasn't sent because it relied on a complex validation procedure that required perfectly coordinated simultaneous action by 5 person, one of which was sick on that day, and the other lost his keyfob 12 months ago when his dog ate it.

That's the complex problem with emergency procedures, they need both at the same time be quick enough to execute in case of actual emergency, but have enough confirmation step to not be triggered by incident.

Re:Full of shit

[coofercat]

I take it you've never pulled a 'push' door, have you?