A Photo Accidentally Revealed a Password For Hawaii's Emergency Agency

An anonymous reader quotes a report from Quartz: In the aftermath of an erroneous missile warning that terrified Hawaiians on Saturday (Jan. 13), the state's emergency management agency has come under increased scrutiny, from the poor design of the software that enables alerts to a particularly slapdash security measure by one of its employees. Old photos from the Associated Press inside the agency's office appear to show an unspecified password on a yellow Post-It note, stuck to a computer monitor. The image, which shows operations manger Jeffrey Wong standing in front of the computer, was taken in July and appeared in articles published at the time about the agency's preparedness in the face of a nuclear threat. The agency verified that the password is indeed real but wouldn't go into specifics on what program the password was supposed to be used for.

Really bad security

[nospam007]

"yellow Post-It note, stuck to a computer monitor."

Everybody knows real security can only be had by posting it under the keyboard, where nobody can photograph it.
Duh!

Re:Really bad security

[ShanghaiBill]

David Ige, the governor of Hawaii has said this has been a "learning experience" for everyone involved, that it will not turn into a witch hunt, and no one will lose their job. In other words, there will be no accountability or consequences, and the same serially incompetent bozos will remain in charge.

Re:Really bad security

[ShanghaiBill]

There can be accountability besides firings.

Perhaps. But is a ballistic missile attack response team really the right career for someone that requires a lot of on-the-job training?

Being excluded from promotion decisions could be one of them.

Well, if they screw up the response to a real ballistic missile attack, then sure, delaying their promotion would be warranted.

Perhaps it is time to question whether we should even have state-level bureaucrats assigned to ballistic missile response. Shouldn't that be something handled at the Federal level? The is especially true for Hawaii, which has near Louisiana levels of corruption and incompetence.

Re:Really bad security

[tlhIngan]

David Ige, the governor of Hawaii has said this has been a "learning experience" for everyone involved, that it will not turn into a witch hunt, and no one will lose their job. In other words, there will be no accountability or consequences, and the same serially incompetent bozos will remain in charge.

You're falling into the "we must fire someone for accountability" trap.

That leads to basically incompetents running your ship - if everyone is deathly afraid of losing their job for making a mistake, you end up with a corporate culture of timidity, cover your ass and hiding mistakes.

The modern method is not to fire the person who pushed the button, but to find out the true reason. This is often' called "The Five Whys" because it literally asks Why over and over again.

Like in this case, given what we know.

Why was a missile alert called? Because someone clicked the link to send it.
Why did they click that link? Because they clicked the wrong link - they meant to click the one that produced a test message instead.
Why did they click the wrong link? Because the links were presented as an unsorted list, with the test links appearing on some events ahead of the real link, and sometimes afterwards.
Why did they click the wrong link? Because when you're looking at a huge list of unsorted links, you tend to focus on the one that matches what you're wanting even though it may not be exactly what you're looking at.
Why didn't the software confirm? The software did confirm - it merely asked if they wanted to send the message out.
Why didn't he click no? Because the software didn't tell him what link he clicked, just if he was sure. (E.g., you close an app with a dozen documents open, and all you get is "Save file?" instead of it actually telling you what file to save).

Well, there's something you need to fix - the UI sucks and it's really only an accidental mis-click away from saying the president is dead to missiles have been launched.

So the UI has two problems with it - a huge nasty list of unsorted messages that really should be put in order somehow. And perhaps a big ass button that selects test messages from actual messages. And a confirmation dialog that actually confirms what you are going to send. Perhaps if it was a real message, it would ask first "The message you are sending is not a test message. Click OK to continue and have your supervisor access his console to do same" as well as "Send the non-test message 'Missiles are incoming'?"

Firing someone over mistakes doesn't ensure mistakes don't happen (because the person who learned from it will no longer be present). It instills a culture of fear - that if they click the wrong link, they can get fired. So what would take a few minutes now takes 10 people and an hour because the person who is to send the message has to check multiple times they're clicking the right thing. And the underlying cause won't get fixed, leading to more errors in the future

And imagine if (heaven forbid) a real event happens. You have 5 minutes before missiles hits. Do you want 4 of them to be wasted because the person at the desk responsible for sending it to triple check that yes, that's really the intent because if oh my god if there aren't any missiles I'm going to get fired?

It's why no one was fired for Amazon AWS going down last year, or when GitHub suffered a massive meltdown - errors were made, but the root cause turned out to be an opportunity for human error to do bad things accidentally.

https://en.wikipedia.org/wiki/...

Far too often the question asked is "Who" as if firing that person to make a point will fix the problem. It is the dominant question if you want to assign blame and move on, and it is politically popular among the people who are looking for someone to hang. But it turns out doing so doesn't fix underlying structural issues, it just covers it up.

Re:Really bad security

[ihavnoid]

I second this. I work for a big company designing high-tech products. Never did I see anybody get fired because they made a fatal mistake which cost the company massive loss. I believe this is perfectly normal in this industry - we learn from the mistake, figure out how to prevent that in the future, and move on.

Actually, you might be grateful if you are fired. What usually happens after a royal screw-up is that the person usually will need to take some responsibility and will be the person who will do all the work to make it right. Not only to jump in and fix the problem, but also participate in all sorts of investigations, inquiries, report-writing, etc. I already feel pretty sorry about that operator since he will get interviews/meetings/questioning with all sorts of three-leter agency investigators who will be disappointed and would want to go through every single action that person took that day, having him/her go through all the horror that he experienced again and again.

That alone is already a deterrent painful enough to make people think twice before doing something risky.

Re:The weakest security

[michiganbob]

What is the point of a password that is out in the open like this? Are passwords that hard to remember?

Actually, yes. When your password must contain upper and lower-case letters, at least one number, a special character, must be at least 12 characters long, must be changed every 3 months, and cannot be a variation of or contain any previous password. That's when you get yellow sticky notes on the monitor.

Re:The weakest security

[Cro+Magnon]

Particularly when you have 50 such passwords.

That's bad, but

[RightwingNutjob]

publishing photographs of the insides emergency management and civil defense facilities isn't such a hot idea either. Information wants to be free.

That leads us to a fundamental question

[geantvert]

Where can I buy Post-It with pre-printed passwords? That would save me so much time.

Re:The weakest security

So much so that the latest NIST recommendations are that you Should NOT impose composition rules and you Should NOT require the password is changed frequently. It's better to train employees to come up with memorable secure passwords (which don't require hard to remember composition rules https://xkcd.com/936/) and use things like password managers and 2FA.

Re:The weakest security

[SirGarlon]

Are passwords that hard to remember?

Once you start requiring them to be 12 characters long, and contain at least one uppercase character, one lowercase character, one numeral, and one Egyptian hieroglyph they are.

By the way, those complexity rules have been officially withdrawn by NIST. In fact, TFA is an instance of the very problem that drove the rule change. Now all we have to do is spend 20 years undoing the damage of the old, stupid, complexity rules.

It's changed now, so don't bother trying it.

[kimgkimg]

The password's been changed to "Warmingpoint3" now, so don't bother trying the old one, it won't work.

Re:The weakest security

[msauve]

Unfortunately, common sense and authoritative recommendations often succumb to security theater. Like proverbial lemmings. Real quote: "we need to adhere to standards that our customers, the market and other auditory bodies follow."

It would be funny if not so possibly tragic.

[Sqreater]

I learned in the Air Force in the seventies that security is impossible to expect from your average American. They just don't get it, no matter how hard you try to explain it to them. Americans are just not afraid of things they should be afraid of, and not suspicious of people and things they should be suspicious of. They don't feel endangered. And it is very hard to make them feel so.

Re:Full of shit

[Hadlock]

Yeah the UI is garbage but that doesn't excuse operator error.
 
Welp, I don't think I will be able to change your mind, but there are at least two schools of thought here, yours:
 
1. If something bad happens, whip everyone involved until they cannot stand any longer, then fire them, ensuring this never happens again,
 
Or,
 
2. Ask why this happened, don't assign blame, then work through the problem to find the root cause, then fix that problem so that it never happens again.
 
NASA determined that humans fail at pretty much everything about 3% of the time on the ISS and have built in all sorts of checks and balances to account for this. If the ISS blows up, everyone shares the blame, and responsibility for keeping that from happen again. If you assume from the get-go that humans are capable of being 100% infallable 24/7/365, even when they're sleep deprived from a) having a baby b) insomnia from a divorce c) hung over from a bachelors party etc etc then yes your system sounds great as there's no chance anything can ever go wrong and it's just their fault for being a bad person and they should feel bad.
 
Option 1 is both overly optimistic going in, and highly negative on the resolution side - nobody worth anything will stick around for long; option 2 assumes the worst going in and looks for a positive solution coming out. People tend not to quit out of frustration quite so often in scenario 2.