Super Bowl Wi-Fi password credentials broadcast in pre-game security gaffe - morphics
http://www.zdnet.com/super-bowl-wi-fi-password-credentials-broadcast-in-pre-game-security-gaffe-7000025865/

======
salgernon
Years ago, a PBS documentary (Cuckoo's Egg?) interviewed Richard Stallman. He
was standing in front of a whiteboard with "prep.ai.mit.edu" user "rms" pw
"rms".

Of course I tried it, of course it worked. There was a nice "motd" to the
effect: be cool, don't break stuff.

I'm sure this breach was nowhere near as deliberate.

~~~
jcurbo
From
[http://en.wikipedia.org/wiki/Richard_Stallman](http://en.wikipedia.org/wiki/Richard_Stallman)
(source is Steven Levy's book _Hackers_ )

As a hacker in MIT's AI laboratory, Stallman worked on software projects such
as TECO, Emacs for ITS, and the Lisp machine operating system (the CONS of
1974-1976 and the CADR of 1977-1979—this latter unit was commercialized by
Symbolics and LMI starting around 1980). He would become an ardent critic of
restricted computer access in the lab, which at that time was funded primarily
by the Defense Advanced Research Projects Agency. When MIT's Laboratory for
Computer Science (LCS) installed a password control system in 1977, Stallman
found a way to decrypt the passwords and sent users messages containing their
decoded password, with a suggestion to change it to the empty string (that is,
no password) instead, to re-enable anonymous access to the systems. Around 20%
of the users followed his advice at the time, although passwords ultimately
prevailed. Stallman boasted of the success of his campaign for many years
afterward.[15]

~~~
notimetorelax
These days he'd run afoul of computer fraud act or something like that.

~~~
lanstein
[http://www.lightlink.com/spacenka/fors/](http://www.lightlink.com/spacenka/fors/)

------
misnome
Absolutely hilarious. Obviously, if you allow the TV cameras inside your
"Secret, First-of-its-kind Command Centre", it might be good practice to make
sure you don't have any wall-sized notes with your password scribbled on them.

------
hawkharris
There's a widespread misconception that cryptic, hard-to-remember passwords
are more secure. That's why people do foolish things such as displaying
credentials on mega-TV screens. Forget words. Use memorable, _unique_ phrases.

It's not a new concept, but it's worth repeating, considering that we're still
using the term "password" in 2014.

[http://www.codinghorror.com/blog/2005/07/passwords-vs-pass-p...](http://www.codinghorror.com/blog/2005/07/passwords-vs-pass-phrases.html)

~~~
drdaeman
You're right. But it just reminded me of this fact:

"Most people use passwords. Some people use passphrases. Bruce Schneier uses
an epic passpoem, detailing the life and works of seven mythical Norse
heroes."

Jokes aside, I'd really prefer if we'd ignore passwords and passphrases (and
passpoems) altogether, leaving them for emergencies, and generally switch to
keypairs and, preferably, hardware security tokens.

~~~
mkaito
What exactly is keeping the world from turning a regular flash drive into a
security token, and actually using it?

~~~
drdaeman
Not flash tokens but proper HSMs.

They're quite common. Many laptops have TPM modules, popular SoCs (like nVidia
Tegra) have them too, and most modern motherboards at least have a socket for
one. Yet, the only use of them I've ever seen is validating the boot chain's
integrity.

Also, USB tokens are not common in users' possession, but if necessary I
believe you could get one within a day.

It just needs a little push from software vendors. Imagine your OS or browser
says "Hey, do you want to secure your credentials? Here's how...". Or just
start with an option "use hardware security token" somewhere under settings -
while of less impact than an active suggestion, it will still strike users'
curiosity and start things moving bit by bit.

------
mjn
Weird, that portion of the screen looks more like something out of a Hollywood
hacker film than something I'd imagine in real life. I'm trying to imagine
what circumstances would result in that particular panel, plaintext password
and all, ending up broadcast on a wall.

~~~
erichurkman
I'm pretty sure that screen is just running Notepad, with the default font
size blown up.

A lot of staffers are likely in and out of that room in the weeks leading up
to today, with the instructions probably posted by some exhausted sysadmin
being asked "how do I get on the wifi again?" for the thousandth time.

~~~
na85
This is the most likely explanation.

------
jrs235
If I were malicious I would set up a wifi network with the same name and
password in the vicinity... I wonder if anyone else thought the same or did.

------
tjohns
For a venue this large, I don't understand why they wouldn't be using
WPA2-Enterprise with a RADIUS server, so employees log onto the network with
their own (unique) credentials. Ideally paired with machine certificates.

~~~
icebraining
Maybe they are? The leaked info did have a username, which is not used with
WPA-PSK. So those might be the credentials of a specific user.
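To make the contrast in the two comments above concrete, here are two hostapd configuration fragments (an added example, not from the thread or the venue's setup): the shared-passphrase setup that a leak like this compromises, beside the WPA2-Enterprise setup tjohns describes. SSIDs, the RADIUS address and both secrets are placeholders.

```ini
# --- Weak: WPA2-PSK, one shared secret for everyone ---
# Anyone who reads the passphrase off a wall or a broadcast can join,
# and can also run a rogue AP with the same SSID and passphrase.
# A leak means re-keying every device that ever joined.
interface=wlan0
ssid=EXAMPLE-VENUE-WIFI
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder value, not a real passphrase
wpa_passphrase=ChangeMe-Placeholder

# --- Corrected: WPA2-Enterprise (802.1X/EAP) backed by a RADIUS server ---
# Each staffer authenticates with their own account (or a machine
# certificate). One leaked credential is revoked on the RADIUS side
# without touching anyone else, and clients that validate the RADIUS
# server's certificate will refuse an impostor AP that lacks it.
interface=wlan0
ssid=EXAMPLE-VENUE-WIFI-STAFF
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# RADIUS server: documentation-range placeholder address
auth_server_addr=192.0.2.10
auth_server_port=1812
# placeholder shared secret between AP and RADIUS server
auth_server_shared_secret=radius-secret-placeholder
nas_identifier=ap01.example.net
```

The EAP side still needs a RADIUS server (e.g. FreeRADIUS) with user accounts or client certificates provisioned; hostapd only hands the 802.1X exchange to it.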

------
bitsteak
Playing devil's advocate here. What harm was done by this? Was it really
deserving of a news article and, further, a post on Hacker News? Now, maybe if
there is a company out there working to replace or revolutionize passwords...
otherwise I just don't see the point of this story.

~~~
andyhmltn
>What harm was done by this?

Plenty. Anybody with ill intentions could set up a similar wifi network or
tamper with the existing one and suddenly thousands of people's
traffic/passwords are all being sent via MITM.

------
DigitalSea
This kind of reminds me of the time Prince William's publicity visit to an RAF
base in 2012 accidentally revealed a password on a piece of paper stuck up on
the wall; it was in pictures broadcast and published everywhere. Having said
that, the leaking of Wifi details in the grand scheme of things isn't as bad
as other things that could have been leaked.

------
amiracle
So they posted the video online, [http://www.cbsnews.com/news/super-bowl-xlviii-security-insid...](http://www.cbsnews.com/news/super-bowl-xlviii-security-inside-the-events-secret-command-center/), and at 1:23 you see the
screenshot, but now they blurred out the password.

------
jaimebuelta
Has this really been on TV? I mean, I've only seen that image, which doesn't
look like the most clear image even, and using Photoshop won't be that
difficult... Is there any video of that part?

(Sorry, but I tend to be skeptical about this kind of thing)

~~~
amiracle
Yes, I took the screenshot and here is the link to the story.
[http://www.cbsnews.com/news/super-bowl-xlviii-security-insid...](http://www.cbsnews.com/news/super-bowl-xlviii-security-inside-the-events-secret-command-center/)

------
harshreality
What a horrible password. 12 characters, 2 common English words (w/ common
transformations) separated by a punctuation mark.

They would have been better off using 12 random lowercase letters. It would
have more entropy and be easier to type on mobile devices.

~~~
Steko
Somehow I don't think maximizing entropy was their intention.

What they really shouldn't have done is put it on a screen that was broadcast
on national tv.

------
ZanyProgrammer
It looks like Windows Server 2008 possibly? Something reasonably modern with
the traditional start button?

~~~
himal
Or a normal desktop version with the classic Windows theme.

