The Massachusetts State Police (MSP) accidentally spilled some of its opsec onto Twitter on Tuesday night, uploading a screenshot that revealed browser bookmarks which included links to a collection of Boston’s left-wing organizations that the staties are keeping an eye on.
The Massachusetts State Police deleted a tweet featuring this image, highlighting the houses effected by a gas explosion on the map. Can you tell why it was deleted? The police were spying on Left-Wing groups which you can see on their favorited list. pic.twitter.com/EDUEk6zU0J— "this is their new hoax" 🤡 (@CollinFischer86) September 14, 2018
The tweeted screenshot showed that the MSP bookmarked activist groups, including MAAPB (Mass Action Against Police Brutality), COMBAT (the Coalition to Organize and Mobilize Boston Against Trump), and Resistance Calendar.
On Wednesday, MSP put out a statement about the bookmarks, saying that police have…
…a responsibility to know about all large public gatherings of any type and by any group, regardless of their purpose and position, for public safety reasons. We do not collect information about—nor, frankly, do we care about—any group’s beliefs or opinions.
In this case, as the Twitter responses show, the leak has riled people who are distrustful of police surveillance and its purportedly unbiased nature. But the leaked bookmarks would have been embarrassing no matter what they showed.
It’s embarrassing for the simple fact that it’s sloppy data handling, and it led to exposure of information that clearly wasn’t meant to be publicly shared: otherwise, one imagines, the MSP wouldn’t have felt the need to delete the revealing tweet.
Of course, the MSP is far from the only organization that’s let slip data not necessarily meant for public consumption.
The most recent example came in January, when, during a false alarm about an incoming ballistic missile, an Associated Press photo taken within headquarters at the Hawaii Emergency Management Agency (HI-EMA) showed a yellow sticky note, bearing a password and stuck to a computer screen – plain to see for one and all, including, obviously, a press photographer who’d go on to disseminate it worldwide.
Then too, there was Luiz Dorea, head of security at the 2014 World Cup. There was a lovely photo taken of Dorea in the state-of-the-art security center for the games, with its giant video wall and staff hard at work, and the Wi-Fi SSID and password showing up loud and proud on the big screen behind him… Right underneath the secret internal email address used to communicate with a Brazilian government agency.
This is the kind of thing that you need royalty to weigh in on, clearly. Specifically, Prince William. He should know: He has experience with credentials posted in the background. It happened when he was a search and rescue helicopter pilot for the Royal Air Force (RAF) and journalists did a “day in the life of” in 2012.
If the prince is busy, maybe we could send over Owen Smith, the UK Labour Party politician. He might have some good advice: in September 2016, login details for his campaign’s phone bank were tweeted out to thousands with yet another “helloooooooo, what’s that in the background?” photo.
The lesson here is drop-dead simple when it comes to passwords: Don’t write down passwords in public places. Don’t put them on sticky notes. Don’t write them on white boards.
Swap “password” for “any information showing up on your desktop that you don’t want the entire Twitter universe to see”, and you can guess what the lesson in this case is: crop that screen grab before you drop it.