Skip to content
Naked Security Naked Security

Yes, Hawaii emergency management stuck a password on a sticky note

... and nobody bothered to vet the photo taken of that sticky note and distributed by AP.

A false alarm about a ballistic missile; a panic-stricken populace running for cover; the governor and the FCC chief dissing your agency’s lack of safeguards or process controls; and just to add a dash of ludicrous to the unsavory dish that is this week, a conspiracy theory about how these “accidental” missile alerts aren’t really accidents at all.
Wow. Could things possibly get any worse for the people over at the Hawaii Emergency Management Agency (HI-EMA)?
Why, yes! The worsitude comes in the flimsiest but all too familiar of forms: a yellow sticky note, spotted in an Associated Press photo from July, at the agency’s headquarters at Diamond Head, bearing a password and stuck to a computer screen. While there’s a press photographer in the room, obviously.
Richard Rapoza,a spokesman for HI-EMA, told Hawaii News Now that the password is authentic and was actually used for an “internal application.”

Rapoza wouldn’t say what application the password would unlock, but he doesn’t think it’s in use any more, and heck, although leaving passwords in plain sight isn’t the best approach to security, it wasn’t a big-deal piece of software, he said:

It wasn’t for any major piece of software.

Rapoza has a lot on his plate, particularly when it comes to questions about the retro user interface that’s getting the blame for the “oops!” missile alert click. For those of us who are curious about the continuing angst over the interface, the EMA released a photo of it on Monday, showing that there was no wrong button pushed. It was just a wrong line on a screen, two lines up from the right line, differentiated only by altitude and the word “Drill.”
…and then on Tuesday, the EMA said no, no, no, that image was sent in error. That’s not it at all. It’s a false-alarm image. But no, sorry, we can’t provide you with an actual photo of the actual interface, though we can tell you it includes a drop-down menu.
Well, it’s nice to hear that somebody decided not to send an image of the actual interface.
But honestly, a sticky note photo blunder? Really? Are we going to have to send Prince William over to have a talk with you, HI-EMA?
Wills does, after all, have experience with credentials posted in the background. It happened when he was a search and rescue helicopter pilot for the Royal Air Force (RAF) and journalists did a “day in the life of” in 2012.
If the prince is busy, maybe we could send over Owen Smith, the UK Labour Party politician. He might have some good advice: in September 2016, login details for his campaign’s phone bank were tweeted out to thousands with yet another “helloooooooo, what’s that in the background?” photo.
Or hey, how about Luiz Dorea, head of security at the 2014 World Cup? There was a lovely photo taken of Dorea in the state-of-the-art security center for the games, with its giant video wall and staff hard at work, and the Wi-Fi SSID and password showing up loud and proud on the big screen behind him… Right underneath the secret internal email address used to communicate with a Brazilian government agency.
If none of these sticky-note experts can spare the time to fly to Hawaii, that’s OK. We can guess what advice they’d have to offer, anyway. It’s actually pretty simple: Don’t write down passwords in public places. Don’t put them on sticky notes, don’t write them on white boards, and you can just skip right on over the skywriting.


Security is so lax everywhere. No wonder everything is getting hacked. Pretty soon everyone will be hacked and the internet will be the biggest bust out of all time. All controls must be tightened up before it is to late.


Amen. I know security is improving incrementally, but it only seems linear while the hackers are progressing exponentially. When I started in tech the Internet was not universally available; to access remote servers, you dialed in and in some cases you got a call back to your land line phone number. Over the years as a tech I have seen so many passwords on sticky notes on monitors, it seems silly. Currently I’m preparing to do phishing test on staff to see how many will either give up their passwords or gladly load a virus on their computer or the network.


The hackers aren’t “progressing exponentially.” Sorry, that’s not true. (For example, most malware attacks these days require a whole sequence of steps; exploits are harder to find; users are getting happier about technologies they used to reject as annoying and unacceptable, such as 2FA.)
Yes, it’s an arms race. But I just don’t accept the “glass half empty” crowd that insists we are bound to lose in the long run. People were saying that in 1990 when viruses became a big thing, yet we have, if anything, tipped the balance more against the crooks these days.
Prepare for the worst, why not. But have a bit of optimism! Expect the best…


Unfortunately, the people in charge of tightening these controls will exist behind so much physical security that it will be a long time before anybody discovers their password is “#MAGA”
That will be when everything gets hacked.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!