
The screen that set off the ballistic missile alert on Saturday - robin_reala
https://twitter.com/CivilBeat/status/953127542050795520
======
whatever_dude
It's easy to see how this is bad, and I bet dozens of designers are now
creating alternatives for their Dribbble and Twitter appreciation, but the
problem is probably what led to this, not this specifically. I can see it: a
contractor started with a link that triggers a push notification, then someone
requested another link, then another, then it grew from there, never having
the ability to stop and rethink this from a design standpoint since it would
require more work, more training, more money.

The problem is not knowing (or having someone who knows) how to design
something better, it's treating good design as a priority. It rarely happens.

~~~
crispyambulance
It looks like quite a normal UI from an "internal" government or enterprise
application point of view.

In this case, the citizens of Hawaii paid for the bad system design with 48
minutes of existential horror.

But these kinds of mistakes happen ALL THE TIME with "enterprise
applications." Oracle has similar horrendous UX for their EBS (Enterprise
Business Suite), so does SAP, Siemens, etc. People regularly make costly
mistakes in shipping and receiving, purchasing and manufacturing because they
have to deal with shitty confusing applications that look just like that
screenshot.

Totally not surprising that the internal application for public emergencies
has the same awfulness as PTO request.

I expect the same employee in Hawaii fumbled the UI on their "time off
request" for psychiatric counseling too.

~~~
jrockway
I don't know. The interface could be better, but a different interface
wouldn't necessarily stop someone who's confused from sending the wrong alert.
How many times do you see a dialog box and click "yes" without even reading
it? I do it all the time, and it's usually fine... except sometimes I think
"wait, what did I just agree to!?" Someone under pressure to get that drill
going can easily make the same mistakes, no matter what hoops you make them
jump through. Someone who thinks they read the text but didn't comprehend it
can easily click through just about anything.

In the end, the correct process is probably to have two people activate the
alert, so that two people have to independently not read the dialog boxes or
whatever to send a false alarm. But maybe that doesn't work either, I haven't
done any research to that effect and don't really know.

On some level, I like the interface. There is a list of possible alerts, and
you click the one you want to send to send it. It's just that it doesn't
account for the possibility that the user doesn't ACTUALLY want to send the
one they clicked. The same problem exists with any powerful tool. Hammers
don't check that you're hammering a nail and not your thumb. Cars don't ask
"there appears to be a pedestrian, are you sure you meant 'accelerate' and not
'brake'?" With great power comes great responsibility.

~~~
unit91
> How many times do you see a dialog box and click "yes" without even reading
> it?

A simple fix would be to use a tried and true method that's been effective for
decades. Have different popups that read

 _Type "REAL WORLD" to send this alert._

and

 _Type "DRILL" to send this alert._

~~~
merb
this would probably be a bad design as well. because if a real missile threat
happens I would need to get out the warning as fast as possible. the best way
would've been a second page with a big button and huge warnings.

~~~
CamperBob2
You were modded down, but I agree. Contrary to popular opinion, "duck and
cover" is not just psychological pacification. It _will_ save lives if worst
comes to worst. Literally every millisecond counts when issuing a warning of
this nature.

So, yes, bring up a huge flashing red warning dialog with a single
confirmation step. And make it easy to issue a retraction.

------
joshstrange
The thing that annoys me most about this situation is people complaining about
how long it took to send out the "Sorry, there was no missile" message. Just
as I expected these were hard-coded messages that were sent out by a button
(link) click and not a free-form text area. There are many (good) reasons you
want your program set up this way (let's ignore the rest of the terrible UI/UX
for now).

It makes complete sense to me that given a spec of "make a button send this
specific text" you would end up with this. So it's very easy to send the
initial message but sending a custom follow up requires contacting someone
with access to the underlying system who can send a custom message.

In the same way that I may give internal users the ability to fire off
SPECIFIC (maybe with placeholders) push notifications with the press of a
button but not custom messages. Sure my underlying infrastructure can handle
custom messages but the UI for such a feature does not exist (or at least is
not available to the person who might have the ability to send preset
messages).

All in all this was terrible for the people in Hawaii, no doubt. That said I
WANT my missile alert system to be easy to activate to give people the most
time I can to prepare. The best fix for this (yes a new UI/UX would be best
but let's be realistic on how much time/energy they are willing to spend on
this) would be a scary looking alert confirmation dialog of "Are you sure you
want to send this alert to the whole state?" and maybe have to type a
confirmation string.

~~~
ghaff
>maybe have to type a confirmation string

Having to type out YES or some phrase is a fairly common "Are you really sure
you want to do this??" sort of thing. I gather they're also looking at
requiring a second person's confirmation which, if practical and very unlikely
to make it impossible to send any message, seems reasonable as well.

~~~
Pulcinella
I think I have read some research in healthcare field that such confirmations
aren’t as helpful as you would think.

One reason of course is a combination of alarm fatigue and the fact that
software has trained people to just always click yes when an annoying pop up
appears.

Another is that people will think they have already clicked the correct
button. So it’s less “Oh a confirmation box has appeared, let me confirm that
I pressed the correct button” and more “stupid computer, of course I clicked
the right button, that’s what I want to do!” without realizing they did in
fact accidentally click the wrong button.

~~~
christophilus
Having to type "YES" or "ALERT" would be useless, I agree. But having to type:
"SEND A REAL ALERT" or something like that would _probably_ be reasonably
useful. The way GitHub prompts me before deleting a repo is a good example of
a useful prompt. The text I have to type is the name of the repo being
deleted.
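
The two safeguards discussed in this subthread, as an added Python example that is not part of any comment and not the alert system's code: the confirmation phrase names the alert being sent (as in the GitHub repo-deletion prompt), and a live alert also needs approval from a second, different operator. The class, alert ids, phrases and the 120-second window are assumptions made for illustration.

```python
"""Added illustration (not the real alert system): typed confirmation that names
the alert, plus approval by a second operator. All names are hypothetical."""
import time
from dataclasses import dataclass, field

# Constructed catalogue: alert id -> (phrase the operator must type, live alert?)
ALERTS = {
    "bmd-drill": ("DRILL BALLISTIC MISSILE", False),
    "bmd-live": ("REAL WORLD BALLISTIC MISSILE", True),
}
APPROVAL_WINDOW_S = 120  # assumed: an unapproved live request expires after this


class Rejected(Exception):
    """The request must not be dispatched."""


def check_phrase(alert_id, typed):
    """Return True for a live alert, False for a drill; raise on a mismatch.

    The phrase is tied to the selected alert, so a reflexive "YES" or the
    phrase belonging to the other alert cannot confirm it.
    """
    if alert_id not in ALERTS:
        raise Rejected(f"unknown alert {alert_id!r}")
    phrase, live = ALERTS[alert_id]
    if " ".join(typed.upper().split()) != phrase:
        raise Rejected(f"type {phrase!r} to send this alert")
    return live


@dataclass
class AlertConsole:
    sent: list = field(default_factory=list)     # ids handed to the back end
    pending: dict = field(default_factory=dict)  # alert id -> (requester, time)

    def request(self, operator, alert_id, typed, now=None):
        """First operator selects an alert and types its phrase."""
        now = time.time() if now is None else now
        if not check_phrase(alert_id, typed):
            self.sent.append(alert_id)           # drills go out on one confirmation
            return "sent"
        self.pending[alert_id] = (operator, now)
        return "awaiting second operator"

    def approve(self, operator, alert_id, typed, now=None):
        """A different operator independently types the same phrase."""
        now = time.time() if now is None else now
        check_phrase(alert_id, typed)
        if alert_id not in self.pending:
            raise Rejected("nothing pending for this alert")
        requester, created = self.pending[alert_id]
        if now - created > APPROVAL_WINDOW_S:
            del self.pending[alert_id]
            raise Rejected("request expired; start again")
        if operator == requester:
            raise Rejected("approval must come from a second operator")
        del self.pending[alert_id]
        self.sent.append(alert_id)
        return "sent"
```

An operator who believes they are running a drill and types the drill phrase against the live alert is stopped at `request`, which is the case a generic yes/no dialog does not catch.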

------
andrepd
Yikes. Now consider this: this is the design for the missile warning system.
It is possible, even likely, that some missile _launch_ system has similar
catastrophic UI.

How we've not wiped ourselves off by accident so far is a miracle.

~~~
escapecharacter
Relevant Far Side comic:
[https://i.imgur.com/AosYvGn.jpg](https://i.imgur.com/AosYvGn.jpg)

~~~
itronitron
The designer of that control could have simplified things by just labeling the
states as "ON" and "OFF"

------
bogomipz
What is the provenance of this image? How do we know this is real? While UI/UX
designers are falling all over themselves with their meme fest I didn't see
any reference for the source of this image.

If you read the Washington Post account, it says the interface was a drop down
menu of which this picture is not of. See:

[https://www.washingtonpost.com/news/post-nation/wp/2018/01/1...](https://www.washingtonpost.com/news/post-nation/wp/2018/01/14/hawaii-missile-alert-how-one-employee-pushed-the-wrong-button-and-caused-a-wave-of-panic)

And perhaps not surprisingly some news outlets are using an unverified image
from a tweet as a news story.

~~~
notatoad
"This is real. provided by the office of the governor in hawaii"

[https://twitter.com/CivilBeat/status/953270472820457472](https://twitter.com/CivilBeat/status/953270472820457472)

------
sjs382
[https://blog.codinghorror.com/the-opposite-of-fitts-law/](https://blog.codinghorror.com/the-opposite-of-fitts-law/)

    
    
      In the cockpit of every jet fighter is a brightly painted
      lever that, when pulled, fires a small rocket engine
      underneath the pilot's seat, blowing the pilot, still in
      his seat, out of the aircraft to parachute safely to
      earth. Ejector seat levers can only be used once, and
      their consequences are significant and irreversible.
    
      Applications must have ejector seat levers so that users
      can "occasionally" move persistent objects in the
      interface, or dramatically (sometimes irreversibly)
      alter the function or behavior of the application. The
      one thing that must never happen is accidental
      deployment of the ejector seat.
    
      The interface design must assure that a user can never
      inadvertently fire the ejector seat when all he wants to
      do is make some minor adjustment to the program.

~~~
cstross
To underline this, here's what happens when something goes wrong with an
ejector seat:

[http://www.bbc.co.uk/news/uk-england-lincolnshire-37475298](http://www.bbc.co.uk/news/uk-england-lincolnshire-37475298)

We probably won't ever know how many people died as a direct result of the
Hawaii BMD mis-alert, but I'd be surprised if the number was non-zero (think
in terms of car crashes, stress-aggravated cerebrovascular accidents, and so
on).

Similarly, consider the warning signage deployed around high tension
electrical substations, and the consequences of ignoring it or failing to
understand its significance.

The point is, in these types of situation bad design can kill, and we need to
design accordingly and unambiguously.

~~~
Clubber
>but I'd be surprised if the number was non-zero (think in terms of car
crashes, stress-aggravated cerebrovascular accidents, and so on).

I'm assuming you meant you'd be surprised if that number was zero. It's
awfully hard to, in good faith, directly associate a message with a death. I
mean if you wanted to make it seem bigger than it was, you could associate any
crash or heart related death that happened in that 38 minute (?) period as
directly a result of the warning, but I don't think that would be in good
faith.

~~~
TheOtherHobbes
It shouldn't be hard to check if there's a spike in mortality above the median
background around the period of the test.

Statistical significance will depend on the size of the spike.

~~~
Clubber
Ya, but like you said, it would have to be a significant spike, particularly
for a 38 minute window. I haven't heard anything reported.

------
tarmstrong
This is a great teaching moment for anyone who works in UX or observability,
but it's worth keeping in mind that the FCC's Public Safety and Homeland
Security Bureau (who operate the Emergency Alert Service (EAS)) has a yearly
operating budget of around $17MM this year. The system itself was launched in
1997.

This is a legacy software (and hardware!) system with a relatively small
budget and number of employees that needs to coordinate with other large
organizations (FEMA, HI-EMA, NOAA, etc.). I think the most interesting lessons
to learn from this have to do with long term software maintenance. I'm sure
folks at the FCC/*EMA knew that this UI was janky but why did they not have
the budget/power to fix it? How do we ensure that the public sector can
benefit from the technical advances that most people on hacker news take for
granted? Curious to hear from folks with experience in relevant parts of the
government.

~~~
Chaebixi
> I think the most interesting lessons to learn from this have to do with long
> term software maintenance.

Yes! And with re-engineering too! When you redevelop a system, you need to
build up historical knowledge of its antecedents, and teach it to the current
operators and maintainers. You shouldn't just start from scratch from the
requirements.

In this case, there was an _even older_ legacy system that had a similar
incident in 1971, which they then mitigated. Apparently that lesson was lost.

[http://conelrad.blogspot.com/2010/09/code-word-hatefulness-g...](http://conelrad.blogspot.com/2010/09/code-word-hatefulness-great-ebs-scare.html):

> …In the past three tapes, one for the test and two for actual emergencies,
> were hanging on three labeled hooks above the transmitter… In the future
> only the test tape will be left near the transmitter. The two emergency
> tapes [will be] be sealed in clearly marked envelopes and placed inside a
> nearby cabinet.

------
vardump
UI crudeness is one thing.

What I wonder about is whether those links generate HTTP GET-requests. Links
do so by default.

If so, just need internal web spider or overzealous web browser prefetcher,
and one day Hawaii might have a lot of false alerts going on...

GET-requests are not supposed to have side effects, like alerting a whole
state.

When you have side effects, HTTP verb should be something else, like POST.

Of course, it's possible there's Javascript handler behind those links that
generates a HTTP POST request. Overall appearance of the page does suggest
otherwise.

I wonder how the confirmation page (if any) behaves and looks like...

~~~
bfrydl
You're assuming a lot here. This might not even be an HTML page. It used to be
fairly common in Windows UIs to have underlined blue clickable text in native
applications.

~~~
vardump
Well, all I know it looks like an unstyled web page. We can just guess indeed.

Oh, and their display mode is set incorrectly. It's clearly non-native
resolution (blurry text, bilinear "zooming" performed by the display, while
individual pixels are in sharp focus) and wrong aspect ratio (the font appears
too wide).

Perhaps 1024x768 on a display with 1920x1080 native resolution. Or something
similar.

------
ryandvm
I'm looking forward to news stories about the Great Hawaiian Baby Boom in a
few months...

But seriously, as an occasional government contractor, this does not surprise
me at all. This is par for the course on government software projects. Nobody
gets fired for adding just one more menu item. Besides, good luck pushing a
complete redesign through in a reasonable amount of time/money. With the
bloated teams and processes they use, that would take years. Sadly, this is
probably the "new" version anyway.

------
uptown
"Days after Hawaii alert gaffe, Japan issues false alarm about a missile
launch"

[https://www.reuters.com/article/us-northkorea-missiles-japan...](https://www.reuters.com/article/us-northkorea-missiles-japan/days-after-hawaii-alert-gaffe-japan-issues-false-alarm-about-a-missile-launch-idUSKBN1F514S)

~~~
jim_dow_jones
Wow, that's a pretty big coincidence. What would be the purpose of both states
intentionally setting off false alarms?

~~~
giarc
>intentionally

No one intentionally set off these alarms.

~~~
jim_dow_jones
You are correct. There is no current reporting that claims these were set off
intentionally. However, I'm curious if there could be a valid motive for both
states to purposely set off these false alarms. It does seem like a pretty big
coincidence that both states happen to get these false alarms in relatively
short time frame. I have already seen conspiracy posts making claims about
these alarms being purposely set off, but they never provide a motive. Just
curious if anyone can think of a valid one.

~~~
olfactory
Some possible motives:

- To allow authorities to listen for "chatter" from NK military deployed in
Hawaii who might have been ready to carry out some action if an attack were
launched, but who would not likely have been told when it would occur.

- To watch how NK responds internally to the idea that the US might be
launching a counter-strike. Things like escape routes, comms, etc., could be
observed via sigint.

- To create a "path" for the public to think about this kind of thing. It's
been years since anyone in the US (public or media) has had to think about
incoming missile attacks. The false alarm gives all the reporters an excuse to
read up on the history, to issue warnings about lack of preparedness, etc.
This means that in the event of an actual attack the information mechanisms
will all work more smoothly. It's a dress rehearsal so that everyone is not
stuck like a deer in the headlights if an attack occurs.

- The false alarm could have been triggered by someone on the payroll of NK.
Note that the main goal of the military is to inspire fear, not to actually
kill people.

------
ryandetzel
I bet it works in ie6.

Is this design horrible? yes. Is this out of the ordinary? Absolutely not.
This is very common UX for systems designed 5+ years ago and there are still
systems designed today that look like this.

This is an alert system, now picture your surgeon or air traffic control using
something like this...

~~~
shuntress
There is nothing wrong with the way it _looks_

The problem is that two drastically different interactions are too easy to
interchange by mistake.

This application could easily look-and-feel the same while having a much
better user experience.

------
douglasheriot
If that’s the user interface, I can hardly imagine what’s underneath. Is this
thing actually secure with properly designed two-factor authentication, etc.
Or a weak password and a PHP script and some rubbish like that?…

~~~
brewdad
That's probably why they released this cropped screenshot. It wouldn't
surprise me if the site is accessible on the public web and secured with a weak
password that must be changed weekly.

------
mannykannot
While we are bikeshedding this, let's give some thought to the possibility of
sending a test message when a real one is called for - and in the tsunami
warning system as well, as I certainly hope it has more real events than does
the nuclear missile one.

------
DanBC
Human Factors is becoming more well known, especially in health care.

This screen is scary. Now imagine drugs used during surgery that look almost
identical.

Here are some examples:

[https://twitter.com/EzDrugID/status/933871776152543233](https://twitter.com/EzDrugID/status/933871776152543233)

[https://twitter.com/EzDrugID/status/850259195618131968](https://twitter.com/EzDrugID/status/850259195618131968)

It's frustrating that we know this is a source of human error and that we're
still doing it.

~~~
fredley
I wouldn't call it a source of human error, but it's a huge amplifier for it.
It adds massively to the cognitive overhead of performing and monitoring
tasks.

------
ghaff
And I would hope that the people (here) who have been calling for the employee
who messed up to be drawn and quartered for "pressing the wrong button" might
reconsider after seeing this.

------
jonwachob91
What stands out to me the most is lack of standard naming conventions...

> 1. TEST Message

>> DRILL - PACOM (CDW) - STATE ONLY

>>> Amber Alter DEMO TEST

Design aside, a standard naming convention would have gone a long way.

~~~
scrumper
And that's likely one of the only things that could be easily fixed, too. The
ordering of those links likely isn't changeable without going into the guts of
some upstream monster system (preventing those categorized redesigns that some
have suggested). But a simple text label change would seem to be easier.

------
mindcrash
As a designer 2 things going through my mind since the moment the story broke
the EMS system fired a statewide alert due to a wrongly clicked HI element:

1) How in the name of everything holy did this monstrosity of an interface for
such an important system get approved in the first place?

2) Given a monstrosity of an interface: Why are there, apparently, ZERO
safeguards in place to make sure the human error rate at least has a HUGE
chance to get close to zero?

------
pavement
Holy shit. That is not even a "pull down menu" as previously reported.

Good to know. This means that in Hawaii, you should only think about taking
action if the magic _FALSE ALARM_ notice never appears.

If the _FALSE ALARM_ notice doesn't appear within an hour, it might just be
that the false alarm guy is on lunch break. If it doesn't appear in 8 hours,
it might mean that a shift change occurred without proper hand-off. If it
fails to appear in 24 hours, a nuclear attack might actually be imminent, and
you should check other sources, to determine if the alarm was, in fact, real.

This protocol ensures that archaeologists will receive a valid record,
omitting the false alarm notice in the rocks on the other side. Eventual
consistency ensures that before the archaeological record is written, a false
alarm notice will appear, if the alarm was indeed false. In all other cases,
the alarm is effectively revealed to history to be a true alert, at some point
in the future, as yet to be determined.

~~~
delecti
I suspect you're joking, but an actual ICBM attack would have likely struck
before the false alarm message was issued.

There was a 38 minute delay before the false alarm message:
[https://www.washingtonpost.com/news/posteverything/wp/2018/0...](https://www.washingtonpost.com/news/posteverything/wp/2018/01/16/the-good-news-about-hawaiis-false-alarm)

Meanwhile an ICBM would likely impact less than 35 minutes after launch:
[https://en.wikipedia.org/wiki/Intercontinental_ballistic_mis...](https://en.wikipedia.org/wiki/Intercontinental_ballistic_missile#Flight_phases)

------
betolink
- How much for that antimissile program? $100 billion? what? it may not
work?!! mmm OK I'll take 2!

- How much for a new web interface? 1k?! what?! that's outrageous!! just add
another link, it will be fine.

------
candiodari
Reminds me of this pixar movie:
[https://www.youtube.com/watch?v=LVLoc6FrLi0](https://www.youtube.com/watch?v=LVLoc6FrLi0)

------
crististm
In the defence of those that made the UX, this is version 1. Or prototype. Or
something they paid a ten year old with candies to make...

Or they don't get it and they are hopeless.

No, they do get it. The DRILL link is one row away from non-DRILL link to
avoid incorrect dispatching. In the mean time you can ponder if you need to
announce a tsunami.

~~~
t3f
>In the mean time you can ponder if you need to announce a tsunami.

I would suggest that recent history [1] has shown we can have a 30m-2h
warning, and that isn't good enough.

[1]
[https://en.wikipedia.org/wiki/2004_Indian_Ocean_earthquake_a...](https://en.wikipedia.org/wiki/2004_Indian_Ocean_earthquake_and_tsunami#Signs_and_warnings)

------
bactrian
It’s almost so bad (even for gov work) that one wonders if it wasn’t designed
like this recently as an excuse to run this “false alarm” exercise.

This is the kind of thing we would want the gov to do and lie to us about
because most people can’t handle the truth.

“Put the links really close together so we can use that as an excuse.”

------
booleandilemma
“The BMD False Alarm link is the added feature to prevent further mistakes”

This is a joke right?

It’s only going to make recovering from a mistake easier, it’s not going to
prevent anything.

~~~
triangleman
YES after you get past the mind-blowing photo, the twitter post is also
extremely messed up.

------
zelos
More importantly - what about the reverse case? Presumably someone issuing a
_real_ ballistic missile warning is doing so while terrified and in a hurry.
The consequences of pressing the "This is a drill" button in that case are a
lot worse than this.

~~~
abecode
Actually from some of the interviews with Hawaiians on NPR, it seemed like
people didn't know what to do when waiting for an incoming ballistic missile.
So it seems like even in the case where there is a real threat, the usefulness
of the message is questionable if people aren't trained about what to do when
waiting for a missile.

------
PKop
Probably the worst UX design (considering the context and the stakes) I've
ever seen.

How could multiple people accept this as the interface? Put it on a separate
page! Have an explicit confirmation dialog, or 3 of them. At the very least
maybe its own section with some padding...

Ridiculous.

~~~
jcranmer
An ICBM will land about 30 minutes after it launches. At those kinds of
timescales, every delay you put in somebody's path to issue the warning, even
a few seconds, is going to be a cost measured in lives.

How many people are you willing to kill to reduce the risk of a false alarm?

~~~
vonmoltke
> An ICBM will land about 30 minutes after it launches. At those kinds of
> timescales, every delay you put in somebody's path to issue the warning,
> even a few seconds, is going to be a cost measured in lives.

Actually, considering that timescale and all the variables involved in
detection and tracking a few seconds is less than the margin of error for
predicting the warhead's arrival. While the goal should obviously be to get a
(valid) warning to the public as quickly as practical, the "every second
counts" mantra in this situation is overly dramatic. In fact, I think it is
even counterproductive because it can lead to a "better safe than sorry"
attitude that triggers unnecessary false alarms.

> How many people are you willing to kill to reduce the risk of a false alarm?

Depends. How many people might die in a false alarm? How many people might die
if they stop trusting the alert system and fail to properly react to a true
alarm?

~~~
talmand
Since this was a false alarm, how many people died? What was the damage? I've
yet to hear of any details like that.

------
dictum
Related reading list:

[https://www.amazon.com/Design-Everyday-Things-Revised-Expand...](https://www.amazon.com/Design-Everyday-Things-Revised-Expanded/dp/0465050654)

[https://www.amazon.com/Dont-Make-Think-Revisited-Usability/d...](https://www.amazon.com/Dont-Make-Think-Revisited-Usability/dp/0321965515)

------
fallingfrog
Hopefully the UI for actually launching the nukes is at least a little
better...

------
jv22222
It’s just like how in Aliens vs Monsters when they gave the president of the
united states two big red buttons right next to each other:

1: Launch nuclear attack

2: Make coffee

------
gveiga
This fumble just shows once again how ux design continues to be lacking in 80%
of the world apps - the ones used inside companies
[https://medium.com/@goncaloveiga/what-hawaiis-emergency-aler...](https://medium.com/@goncaloveiga/what-hawaiis-emergency-alert-reveals-about-enterprise-app-ux-590d33a022e1)

------
alex_duf
If this is true, It's a miracle mistakes aren't made more often...

------
code_duck
The WaPo reports it was from an interface with a drop-down menu.

“Around 8:05 a.m., the Hawaii emergency employee initiated the internal test,
according to a timeline released by the state. From a drop-down menu on a
computer program, he saw two options: “Test missile alert” and “Missile
alert.” He was supposed to choose the former; as much of the world now knows,
he chose the latter, an initiation of a real-life missile alert.”

[https://www.washingtonpost.com/news/post-nation/wp/2018/01/1...](https://www.washingtonpost.com/news/post-nation/wp/2018/01/14/hawaii-missile-alert-how-one-employee-pushed-the-wrong-button-and-caused-a-wave-of-panic/)

~~~
jandrese
Rule of thumb with tech reporting is that the reporters always get the details
wrong. Nothing shatters the illusion like watching a story where you know the
actual facts of the case and seeing just how much they get wrong.

~~~
jacobush
Rule of thumb with reporting

------
peterbraden
One problem with interfaces like this is that they are an abjection of
ownership. The situation probably doesn't warrant a dedicated designer, and
the developer who made it, probably thought 'I'm not a designer, that will
do'.

The amount of times I've heard 'Just add a button to do it' from 'backend
developers'..

The point is, software is there to serve a user, and if you can't envisage the
user using the software, then you don't understand the requirements. It's not
a design question.

Too much responsibility is deferred as 'design' when it's actually a
fundamental part of solving the problem at hand.

Not that design isn't also important, but the perception that usability ==
design needs to change.

------
Kesty
Next outrage is when we will find out how much this technological masterpiece
actually cost.

------
krapp
I remember when former threads about this came up, some people were certain
that it was _impossible_ that a mistake like this could come down to "pushing
the wrong button," because surely there would be safeguards and sanity checks
in place.

Ironically, moving the ballistic missile alert to an actual physical button
separate from everything else would have been better than... this. This looks
like it's literally just an HTML page on an internal network. Do they send the
alert command through the query string or something?

------
MicroBerto
For those of you who don't believe a _single_ thing we're being told about
this situation -- including this screenshot -- just know that you're not
alone.

You don't need to question the narrative publicly like some of us do, but it's
always good to keep an open mind about everything we're told, and sadly, that
means considering the possibility that there have been more lies than truths
told since Saturday.

Hopefully someday we'll get the real story, but I have a very hard time
believing that this is it.

~~~
Cthulhu_
Are you suggesting that there may have been a real attack but it's being kept
quiet (by idk, the Deep State, lizard people, round-earth conspiracists, etc?)

~~~
MicroBerto
Not at all, and I take offense to what you are suggesting - that anyone who
questions the 'official' story automatically believes in lizard people or
whatnot.

I find it sad that people have been conditioned to lump anyone who questions
such a messed up narrative in with nonsense like that.

Let's not act as if we've never been lied to before. We have reached a very
low point in both credibility and transparency, and just because I have
serious doubts about this story doesn't mean I'm a flat earther or whatever
else you're insinuating. Let's be mature here.

~~~
mulmen
You offer no reason to doubt the official story though. If you don't present
us with new information you're either pointing out the obvious or advocating
nonsense.

------
kinkrtyavimoodh
To me, the biggest surprise is that this alert system actually worked.
Whenever I set up sensing / monitoring systems for my web services, I often
wonder if it _really_ will work.

------
stef25
Plenty of this type of insanity in "Command and Control"

------
megaman22
Holy hell... I was expecting some old ncurses mainframe design with shitty
interface, but if it's just an href... seems like it'd be trivial to hack and
cause havoc

~~~
Karunamon
I really, _really_ hope there’s no JS on that page. Because if there is, given
the poor design, it’s probably vulnerable to XSRF.

Gives a whole new meaning to critical vulnerabilities. Sheesh.

~~~
astura
XSRF has nothing to do with JavaScript.

A site is vulnerable to XSRF if it doesn't use tokens when performing critical
operations, critical operations are (usually) performed using HTTP POST, which
can be done via form submission... token generation and validation is done
server side...

You can perform a successful XSRF attack in a browser with javascript
completely disabled.
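
The two points made here and in vardump's comment further up (a GET must not trigger the alert; a state-changing POST needs a token the server validates), as an added Python example that is not part of any comment and not the alert system's code. The `/send-alert` path, the `sid` cookie and the HMAC-derived token are assumptions chosen for illustration; requests are constructed inline and run in-process.

```python
"""Added illustration: an alert endpoint that refuses GET and requires a
per-session anti-CSRF token on POST. All names here are hypothetical."""
import hashlib
import hmac
import io
import secrets
from urllib.parse import parse_qs

SERVER_KEY = secrets.token_bytes(32)  # per-process secret, never sent to clients
DISPATCHED = []                       # stands in for the real alert back end


def csrf_token(session_id):
    """Token the server embeds in the form it renders for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def session_from_cookie(environ):
    """Extract the assumed 'sid' session cookie from the request."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return ""


def app(environ, start_response):
    """Minimal WSGI application exposing /send-alert."""
    def reply(status, body, extra=()):
        start_response(status, [("Content-Type", "text/plain"), *extra])
        return [body.encode()]

    if environ.get("PATH_INFO") != "/send-alert":
        return reply("404 Not Found", "no such page")
    # Crawlers, prefetchers and plain <a href> links issue GET, so GET must
    # never reach the dispatch code, whatever the query string says.
    if environ["REQUEST_METHOD"] != "POST":
        return reply("405 Method Not Allowed", "use POST", [("Allow", "POST")])

    sid = session_from_cookie(environ)
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    sent_token = form.get("csrf_token", [""])[0]
    # A form on another site rides on the operator's cookie automatically,
    # but it cannot know the token, which is checked server side.
    if not sid or not hmac.compare_digest(sent_token.encode(),
                                          csrf_token(sid).encode()):
        return reply("403 Forbidden", "missing or invalid CSRF token")

    alert = form.get("alert", [""])[0]
    if not alert:
        return reply("400 Bad Request", "no alert selected")
    DISPATCHED.append(alert)
    return reply("200 OK", f"sent {alert}")


def call(method, url, cookie="", form=""):
    """Drive the app with a constructed request; returns the status line."""
    path, _, query = url.partition("?")
    body = form.encode()
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
        "HTTP_COOKIE": cookie, "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```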

~~~
Karunamon
Wait, so what am I thinking of? The phenomenon where if you can get a website
to display output of your choosing in a non sanitized way, you can abuse that
to cause code to be executed by the user.

~~~
catmanjan
XSS (cross site scripting)

------
wambotron
I've worked at quite a few companies in my time, and almost all of them have
complete garbage for their internal tools. It's always perceived as "something
we need, but it doesn't matter what it looks like" -- but this shows exactly
why it _does_ matter. I actually prefer working on internal tools if given the
opportunity, because I get to talk directly with most, if not all, of the
users and get real, continuous feedback.

------
avenoir
This is just my observation, but this is what you get when software is used in
such critical situations and yet the entire software engineering/development
field is completely non-standardized and practically the wild west. Again,
this is my opinion, which I know a lot of people disagree with, but we're
going to keep coming up against this kind of stuff until software developers
become licensed and accountable for their designs.

~~~
triangleman
YES once again we learn the hard way that this is the only "engineering" field
in which its practitioners are not licensed, certified, belong to a
professional organization with safe harbor protections, and so on.

------
jwmullally
Fix proposal subthread. Can we harness HN collective intelligence to vote up
some good suggestions?

Instructions:

* Reply with your suggested fix to this comment. (That way we can vote equally between suggestions, instead of having them being scattered throughout the thread).

* First line is simple one-line summary, optionally followed by a blank line then some exposition.

Example:

\----------

Simple fix: Separate links into 2 color coded sections, TEST and ACTIVE

Put each set of links into separate divs, with different background colors or
striped backgrounds.

~~~
jwmullally
Simple fix: Separate links into 2 color coded sections, TEST and ACTIVE

Put each set of links into separate divs, with different background colors or
striped backgrounds. As is, these different links are mixed up together making
them accident prone. Undoubtedly a mini development boondoggle will result
over this incident; in the meantime the above fix is easy and satisfies the
real requirement.

Already suggested here:
[https://news.ycombinator.com/item?id=16158252](https://news.ycombinator.com/item?id=16158252)

------
robertcope
They probably paid a million dollars for that system, too.

~~~
cube00
That's just the annual support fee.

------
nwhatt
Lots of money to be made in "Enterprise" software, and even bigger amount of
impact to be made by having smart developers working in the space.

I'm not really sure where the problem lies, partly economics, and part lack of
specialized knowledge. In this case that knowledge might be laws around AMBER
alerts, how to respond to an RFP for such a system, or even just not knowing
that such systems need to be built.

------
razorunreal
There are plenty of possible charity improvements, but I think anyone who has
accidentally sent an email should understand what this really needs: A
countdown timer in the 10-30 second range with a clear, bold description of
what it will do, and a cancel button. There should be no way to skip the
timer. I'd be amazed if no one said "wait, shit" within 10 seconds of clicking
the wrong link.

------
foobaw
This is crazy. I used to work on the engineering-side of this on phones
(CMAS). The amount of requirements from the government and the carriers for
the UI/UX were ridiculous (how the messages are precisely displayed to the
users, requirements regarding data scenarios). To give an example, it took
about 300 hours to verify each release.

How is it possible that they don't have standards while the OEMs do?

------
syphilis2
I think I'm the only person who saw it and thought it was fine. It's a list of
clearly labeled text links, very clear very simple. There are some changes
that could be made to separate drills/tests from real events (or a different
naming convention), but I'm surprised to see many people call a single page
text list "terrible UI".

~~~
giarc
It's all about context. It might be fine if that's a list of your website
bookmarks and if you click the wrong one you just click a different one. But
when the consequences of clicking the wrong one are such high magnitude, it's
bad design.

And I don't even think it's up for debate. If the design of the page just made
someone accidentally alert a whole state of an incoming missile, then it's
bad.

~~~
syphilis2
I think someone will always be able to click the wrong link, especially if
given the wrong information or confusing information "Give the message for
PACOM CDW, ... Oh sorry you did the DRILL PACOM, right?" The larger problem
was not having a quick system in place to redact an erroneous message.

But I've read a lot of suggestions like spreading items across multiple pages,
adding passwords, or big warning colors and lines around the live options that
are not just obfuscating/distracting/annoying but are bound to cause errors
and open the door for even worse design.

------
drake01
Found this on twitter:

If @Github would have built the Hawaii text alert service:
[https://twitter.com/mattiasgeniar/status/952929404925202432](https://twitter.com/mattiasgeniar/status/952929404925202432)

------
caio1982
Would this be, you know, by any chance, a Perl or PHP CGI bin triggered by an
intranet link?

------
kvhdude
I remember while rooting my Samsung phone, I had to 'reset all settings'.
Settings to me means configuration options. Found out for the designer that
settings meant _all_ data! Lost some family photos that were not backed up.

------
joering2
What I want to know, if there is some sort of confirmation window/popup as
step 2. That would make a big difference. Was that just plain wrong click, or
something more?

Btw: any idea what this application is? Looks like an HTML page?

------
freeelncer
Just redesigned that screen:
[https://news.ycombinator.com/item?id=16164497](https://news.ycombinator.com/item?id=16164497)

------
mosselman
They should have added the captchas with the store fronts. That alert would
never get triggered unless it were truly needed. It would be 15 minutes late
though every time.

------
hartator
I kind of agree that’s ugly and can be way better, but I don’t see how you can
make the confusion. One says drill, the other doesn’t. The guy should just get
fired.

------
bovermyer
This is why things like Code for America are so important.

------
rorykoehler
Why is there a manual UI to send out an incoming missile alert? Surely the alert
should be sent automatically when the anti-missile system is engaged?

~~~
JumpCrisscross
> _Surely the alert should be sent automatically when the anti-missile system
> is engaged?_

This is a civilian system. Detection and anti-ballistic missile systems are
military, specifically NORAD and the MDA. I agree that NORAD should have an
API, though I suspect integrating it with civil defense systems will result in
more such mistakes in the short run.

~~~
mulmen
If there is no existing integration then how does the civilian system operator
know to click this button?

------
timdeneau
Disturbing to see the control system for their emergency alert system is this
careless. This was human error? No shit.

------
Analemma_
Roman Mars at least must be psyched. Next week’s 99PI episode is practically
writing itself.

------
everdev
More spacing. Fixes all UIs.

------
m3kw9
Looks like someone’s homepage on Angelfire 25 years ago lol

------
aviv
What I find interesting is not this screenshot, but the fact that most
commenters here don't even question if we are being told the truth as to what
happened. Yet here we are talking about UI/UX.

~~~
mulmen
I don't see why we would doubt it, what do you believe happened? Can you
substantiate your belief?

------
icedchai
How much do you think the government contractor(s) who built this got paid?
My, and possibly your, tax dollars at work...

------
anigbrowl
It's nice to be validated.

------
HenryBemis
I particularly liked the comment (apologies for the caps) "BAD DESIGN" ad
nauseum :)

------
jeffdavis
[https://xkcd.com/970/](https://xkcd.com/970/)

------
oliv__
Yikes... is this for real

------
senectus1
wow...

------
empath75
What kind of ux design is that???

------
jlebrech
a better terminal app:

PLEASE ENTER STATEWIDE WARNING CODE [ ]

then the operator types NUKEWARN or whatever in the box.

Much less error prone.

------
ourmandave
The scary thing to me is this system probably has full permissions on my
phone. =(

------
huffmsa
And if you think this is bad, just imagine what the Russians are running.

Probably a panel of unlabeled buttons

------
huffmsa
Lowest bidding contractor wins again.

------
singularity2001
Wait they are starting nuclear war from an IE browser with js enabled?

------
jlebrech
they use the mouse for something so alarming, also without a confirmation box?

a terminal based system would be better than this, how much did this system
cost?

------
matt4077
This is going to be in every single UI class curriculum, from now until
earth’s destruction in nuclear armageddon.

~~~
zentiggr
And everyone required to sit through the mandatory class will be zoned out and
not even absorb the facts that aren't in the 10 question quiz at the end of
the section.

------
pcunite
If you believe this, I have a bridge I want to sell you.

------
lowbloodsugar
Alternatively, a foreign adversary is taking its hacking to the next level,
and this is damage control pretending that it's not. Advanced warships that
"accidentally" run into other ships. Paralyzing remote islands with missile
warnings. This is like the beginning of a Tom Clancy novel, and our cool,
calm, collected President with his military and CIA experience will see us
through.

