Yes, Hawaii emergency management stuck a password on a sticky note

A false alarm about a ballistic missile; a panic-stricken populace running for cover; the governor and the FCC chief dissing your agency’s lack of safeguards or process controls; and just to add a dash of ludicrous to the unsavory dish that is this week, a conspiracy theory about how these “accidental” missile alerts aren’t really accidents at all.

Wow. Could things possibly get any worse for the people over at the Hawaii Emergency Management Agency (HI-EMA)?

Why, yes! The worsitude comes in the flimsiest but all too familiar of forms: a yellow sticky note, spotted in an Associated Press photo from July, at the agency’s headquarters at Diamond Head, bearing a password and stuck to a computer screen. While there’s a press photographer in the room, obviously.

Richard Rapoza,a spokesman for HI-EMA, told Hawaii News Now that the password is authentic and was actually used for an “internal application.”

Rapoza wouldn’t say what application the password would unlock, but he doesn’t think it’s in use any more, and heck, although leaving passwords in plain sight isn’t the best approach to security, it wasn’t a big-deal piece of software, he said:

It wasn’t for any major piece of software.

Rapoza has a lot on his plate, particularly when it comes to questions about the retro user interface that’s getting the blame for the “oops!” missile alert click. For those of us who are curious about the continuing angst over the interface, the EMA released a photo of it on Monday, showing that there was no wrong button pushed. It was just a wrong line on a screen, two lines up from the right line, differentiated only by altitude and the word “Drill.”

…and then on Tuesday, the EMA said no, no, no, that image was sent in error. That’s not it at all. It’s a false-alarm image. But no, sorry, we can’t provide you with an actual photo of the actual interface, though we can tell you it includes a drop-down menu.

Well, it’s nice to hear that somebody decided not to send an image of the actual interface.

But honestly, a sticky note photo blunder? Really? Are we going to have to send Prince William over to have a talk with you, HI-EMA?

Wills does, after all, have experience with credentials posted in the background. It happened when he was a search and rescue helicopter pilot for the Royal Air Force (RAF) and journalists did a “day in the life of” in 2012.

If the prince is busy, maybe we could send over Owen Smith, the UK Labour Party politician. He might have some good advice: in September 2016, login details for his campaign’s phone bank were tweeted out to thousands with yet another “helloooooooo, what’s that in the background?” photo.

Or hey, how about Luiz Dorea, head of security at the 2014 World Cup? There was a lovely photo taken of Dorea in the state-of-the-art security center for the games, with its giant video wall and staff hard at work, and the Wi-Fi SSID and password showing up loud and proud on the big screen behind him… Right underneath the secret internal email address used to communicate with a Brazilian government agency.

If none of these sticky-note experts can spare the time to fly to Hawaii, that’s OK. We can guess what advice they’d have to offer, anyway. It’s actually pretty simple: Don’t write down passwords in public places. Don’t put them on sticky notes, don’t write them on white boards, and you can just skip right on over the skywriting.