U.S. Strategic Command response to FOIA request regarding gibberish tweet (twitter.com/mikaelthalen)
110 points by danso 7 months ago | hide | past | favorite | 119 comments

Just after lockdown, our boss sent an important message in our general chat, tagging everyone with @channel. While reading the message one of my cats jumped on my keyboard and managed to spam '+enter maybe fifty times to all 400+ currently reading the channel in a few seconds. Don't think Slack has any kind of rate limiting..? It was also impossible for me to delete the messages, as they jumped up and down when people started reacting, making me misclick loads of times. It was funny.


Ah! Reminds me of the good old 956th email about:

"Please don't reply to all@company.com it goes to everyone"

Each person in the mail list is convinced they need to send a reply to that mail informing everyone that the others should not reply to this email address, otherwise how would everyone know they're not supposed to reply to that email.

BCC is truly underutilized.

I believe that BCC can actually act as an active suppressor of reply-all storms even after they've started. i.e., reply-all to the storm in progress, but BCC the big list.

Each person who would send a reply-all does it in response to SOME message. If it happens to be your BCC, their message doesn't perpetuate the storm.

The BCCs would act as a kind of neutron absorber to dampen runaway reactions. Or like a trap-neuter-release program for cats.

Could be fixed by a good product manager or UX designer in Outlook team: instead of leaving CC field available for editing and BCC hidden, always ask about the intention and then show either of them.

BCC is broken in gmail. It lists the bcc’ed recipients for all to see. All other email systems I’ve used understand the “B” stands for “blind” and don’t let other recipients see the BCC list.

No it doesn't. I and others have used it many times, and it does not actually do that.

When you receive mail that you've been BCC'd on, it does attempt to figure out what address was used to get it to you, and displays that as a BCC (useful if it came to you via a mailing list that was BCC'd), so perhaps you're confusing that for showing the addresses of everyone to everyone, which isn't the case.

There is also a Reply-To header.

Why does that happen? I've seen it a few times and once it brought down exchange. Psychology study needed.

Psychology study needed.

My favourite is when people reply-all with “please remove me from this list”

Bonus points when those people hold technical positions in the organization.

Race conditions start it. The first 100 people get the message when it is sent, realize it is a mistake and decide they need to warn everyone, so they hit send almost exactly at the same time so none knew about the other. The next 1000 don't look for previous replies, but otherwise do the same thing. Then the next 1000 are annoyed by all the duplicate messages and it doesn't occur to them that they are making it worse.

The more technically literate users know exactly how reply-all and reply-all storms work... which makes it funny, so they do it.

My hypothesis is, the level of people's education and intelligence are not correlated (of course with the exception of the technical and STEM fields).

People making mistakes when trying to do something outside their area of expertise is definitely not something that STEM professionals are immune to.

I think people are trained to respond to everything, even if its a quick note to say thank you. This is especially the case if its a personal sounding email from someone important. After that its just a matter of forgetting to pay attention to the address bar before hitting reply, possibly with a shortcut but more likely just going on autopilot and clicking things.

I'm not sure I agree. But why would that exception be "of course" anyway?

“of course with exception of the technical and STEM fields”

of course

Thank you, TIL :)

I wasn't correcting you, I was agreeing enthusiastically. And now I am ashamed for explaining myself.

Judging by the amount of Cat emoji reactions, I would go as far as saying your cat is a regular on that Slack channel :)

Changing the send action to Ctrl-Enter (or maybe it was Shift-Enter?) helps with this. It also helps prevent accidental yubikey posts and is good for when you need to write up multiline posts.

Just saying in case anyone wasn't already aware.

Thanks for the tip.

I wonder how many unfinished messages I’ll send before my muscle memory remembers I’ve switched?

Heh, yeah, I had a funny story about this:

I enabled a delay in Gmail so that from the moment I click send I have 10s to cancel the email, and it lets me edit it.

Has been very useful so far.


Reminds me of Molly guards. I would dearly love to track down who it originated from! Internet lore stops at referencing a programmer whose young daughter Molly kept pressing the on/off button. http://www.catb.org/jargon/html/M/molly-guard.html

> Reminds me of Molly guards. I would dearly love to track down who it originated from!

The following is from https://ws.engr.illinois.edu/sitemanager/getfile.asp?id=540 , [U of I] Department of Computer Science, Alumni News, Winter 2001, Vol 2 No 7, page 14. Judy Tolliver editor. The winning google search was "illinois.edu" molly guard ibm button.

Mollyguard? - Ed Krol explains

Ed Krol explains the origins of the word Mollyguard, which dates back to 1982, like this: “I was concerned with the Cyber [mainframe], and right behind the Cyberconsole was an IBM 4341—a nondescript, singularly unimpressive, desk-sized grey machine. The only thing about it was that on one side was a big red switch—kid-sized, about 2 inches wide. The switch was like the emergency OFF switch, and if you pulled it you actually had to call an IBM engineer to come in and reset it. There was some crisis on the Cyber, and I was babysitting that day, and so I took my daughter Molly in to work with me. I said, ‘You play with your trucks on the floor while I work,’ and she saw this amazing big red thing and gave it a yank and turned it off. You weren’t supposed to do that to those big machines at the time. Our computer center director then had little plexiglas flaps installed so that you had to lift the flap up before you could pull the switch. Charley [Kline] named them Mollyguards to protect them from Molly. It was a funny play on words, too, because molybdenum is a slippery element and there used to be a grease called Molygard.”

Krol, BS 73, is now assistant director of CCSO, and Kline, BS84, MS 86, who was a student hourly at the time, is now principal research programmer at CCSO. Molly Krol is a senior at Luther College in Iowa.

It was Kline who submitted the word Mollyguard to the Jargon File, a collection of computer slang from various technical cultures begun by Raphael Finkel at Stanford in 1975. Here is how it appears on this list, mirrored on many Web sites:

molly-guard /mol’ee-gard/ n.

[University of Illinois] A shield to prevent tripping of some Big Red Switch by clumsy or ignorant hands. Originally used for the plexiglass covers improvised for the BRS on an IBM 4341 after a programmer’s toddler daughter (named Molly) frobbed it twice in one day. Later generalized to covers over stop/reset switches on disk drives and networking equipment. In hardware catalogues, you’ll see the much less interesting description “guarded button.”

Heh. I have prior art (1966). I was four. My dad was working on a ground-support trailer for the Sergeant surface-to-surface missile. He went in on a Saturday for some testing, and took us along. And there was this big red button....

(It wasn't the launch button; it was the emergency shutdown button, which would have cost them an hour to restart everything. When they're there on a Saturday. I was exiled to the parking lot for the duration.)

Ages ago, at a Big Data center. They stopped "take your kid to work" day for the IT department.

Apparently large bright red button and 3 year olds don’t mix.

Much fun was not had.

A long long time (~30 years) ago I was at a customer site and the meeting room I was in had a huge server sitting in the corner. It had a design that looked like it had a door on the front (like some Suns) with a button to unlock.

I was left by myself for a bit and went across to look at the server and open the door - only after I pressed the button did I realise that it was the on/off switch rather than a door open.

I hastily switched it back on and made it back to my seat before anyone came to the room to check what had happened to their server!

I remember a story about someone pushing TheBigRedButton but realized what they had done before releasing it. The poor soul had to stand there and not release the button while others were scrambling to get the system into a state where it could lose power safely.

Edit: this is back when on/off really meant on or off with respect to power :)

Speaking of sheer curiosity and poor impulse control: during the big Dotcom bubble, the startup where I worked suddenly had its servers taken offline when there was an unscheduled power outage at the colo facility.

Apparently two dimwits from another tenant were onsite tending to their rack when they saw the big red buttons on the wall spaced ten feet apart, and wondered what they would do when you held them down simultaneously.

Turns out, they did precisely what the not-so-little signs said they would.

At our workplace it is standard & strictly enforced (called out) policy to lock your screen before leaving your computer unattended. For me this has become an automatic action.

I think USSTRATCOM could benefit from the same policy.

We have the same policy, but I must confess to not follow it when working from home. On the other hand, I live alone and all entrances to my home are always locked.

On the third hand, having a very young child anywhere near my work computer unsupervised would be the stuff of nightmares..

They are very fast if you walk away for a second.

Smashing keyboard is great fun.

One of my kids new favorite thing is to sneak into office and stay hidden. Usually I notice right away, but not always.

Assuming it's a toddler, it's not at all a given that they were far enough away that it'd have made a difference. The keystrokes in that tweet are mostly clustered relatively close together in two groups - this looks like a kid got both hands on the keyboard and hammered a couple of times. Might well have e.g. just been lifted up on their parents lap for a moment, only for the parent to get e.g. distracted by a phone call.

That is the first thing I thought, if we are to trust this info then the issue that stands out is not that a toddler did it, it's why the hell wasn't it locked in the first place.

I worked in far less sensitive settings, but all these IP policies pretty much ingrain this in my mind. Locking before moving away from my desk is muscle memory by now.

>it's why the hell wasn't it locked in the first place.

A second child is my guess. Or they were still in the room but inattentive. That kind of muscle memory would trigger when you're leaving your work area, and when working from home that would probably expand to your whole office.

If by "strictly enforced" you mean a colleague will change your lock screen background to a goatse then that's how I learned.

My local credit union uses a USB device (IR sensor?) that detects how close to the computer the user is, if they walk away the computer automatically locks.

Surprised those devices aren't in more widespread usage.

Windows has something similar built in. It locks your pc whenever a paired Bluetooth device (eg your phone) goes out of range

There is nowhere I could go in my 2600 square foot house that would be far enough to cause my phone to go out of Bluetooth range of my desktop.

It probably goes by RSSI. You might not be able to get "out of range" to the point where the connection is terminated, but the desktop can (poorly) approximate distance by measuring received signal strength.

Man, you're lucky. My phone goes out of range seemingly randomly while I'm standing in front of the computer.
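The two comments above describe the same mechanism from both sides: the desktop approximates distance from received signal strength (RSSI), and a naive threshold flaps whenever a reading is noisy. The following is an added example, not code from Windows Dynamic Lock or any product mentioned in the thread. It models a proximity-lock decision with two thresholds (hysteresis) and a grace period; the -70/-60 dBm values, the 30-second grace and the RSSI trace are all constructed assumptions.

```javascript
// Added example: proximity-lock policy driven by Bluetooth RSSI samples.
// Two thresholds (hysteresis) plus a grace period stop one noisy reading
// from locking the screen while the user is still at the desk.
// The dBm values and timings below are assumptions, not vendor defaults.

class ProximityLock {
  constructor({ awayRssi = -70, nearRssi = -60, graceMs = 30000 } = {}) {
    this.awayRssi = awayRssi;   // below this the phone counts as "away"
    this.nearRssi = nearRssi;   // must climb back above this to count as "near"
    this.graceMs = graceMs;     // how long "away" must persist before locking
    this.locked = false;
    this.awaySince = null;      // time of the first consecutive "away" sample
  }

  // Feed one RSSI sample (dBm) taken at time t (ms). Returns the lock state.
  update(rssi, t) {
    if (rssi < this.awayRssi) {
      if (this.awaySince === null) this.awaySince = t;
      if (!this.locked && t - this.awaySince >= this.graceMs) this.locked = true;
    } else if (rssi > this.nearRssi) {
      // Back in range: clear the away timer. Unlocking still requires the
      // user's credential; auto-lock is merely no longer pending.
      this.awaySince = null;
    }
    // Samples between the two thresholds change nothing (hysteresis band).
    return this.locked;
  }

  // Called after the user authenticates on the lock screen.
  unlock() {
    this.locked = false;
    this.awaySince = null;
  }
}

// Run an RSSI trace through the policy and return the lock state after each
// sample, so the behaviour can be checked without any Bluetooth hardware.
function simulate(trace, opts) {
  const lock = new ProximityLock(opts);
  return trace.map(([t, rssi]) => lock.update(rssi, t));
}

// Constructed trace: one spurious dropout at the desk, then a real walk-away.
const SAMPLE_TRACE = [
  [0, -55], [5000, -58], [10000, -85], [15000, -56],     // glitch, back at desk
  [20000, -57], [25000, -78], [30000, -80], [35000, -82],
  [40000, -79], [45000, -81], [50000, -83], [55000, -80], // sustained away
];

// simulate(SAMPLE_TRACE) -> false for every sample except the last (locked).
```

The single dropout at t=10000 starts the away timer but the strong reading five seconds later clears it; only the sustained run of weak samples reaches the grace period and locks. Tune `graceMs` down for a stricter policy; the trade-off is exactly the flapping the comment above complains about.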

Yes, but this is human factors, isn't it? Logging out and back in has friction. It's natural that people will do it [EDIT will not log out or lock when needed]. We need a lower friction method to log off and in again, or to at least lock the computer for a few minutes.

On macOS I have a hot corner set to lock the screen and I use Touch ID to log back in. It’s basically seamless.

Touch ID is disabled via corporate policy. Locking the screen would result in many minutes of reconnecting to VPNs and setting up sessions.

Why does locking the screen disconnect you from the VPN?

There came a point when I stopped questioning.

Productivity is not a concern for many IT security managers.

I've always done this as well. It was policy at one finance job, and it just stuck after that.

Then I had an ex-girlfriend get quite upset with me for always locking my computers when I was away from them.

Locking computers while away in a locked office is like using PRs on a high trust team.

I’m not arguing against it, but it’s one of the earliest deep feelings I had about office policies.

Locking the screen in a high trust environment communicates and disturbs the vibes. Should work be high trust? Plenty of people would leave my body in a dumpster for saying yes. I’d trust a co-worker before a girlfriend though (ie. pre-marriage, non-contractual partner). I can follow policy as it relates to contractual home partners.

> Locking computers while away in a locked office is like using PRs on a high trust team.

In our office it is encouraged because we work on projects for multiple different clients. In some cases competing clients and we are required to partition the knowledge internally. Even if it isn't quite that serious we try to keep detailed information about the project inside the project team.

> Locking computers while away in a locked office is like using PRs on a high trust team.

Making sure I follow. You're saying 'trust' within your team meaning they have all good intentions and 'trust' meaning they never overlook anything or make a mistake.

So as a result you don't do PRs?

For years, this was the case for me under penalty of termination. Now I always lock my screen although I work from home and nobody except me has physical access to my computer.

Didn’t NASA have to create a specific policy/procedure to keep cats from controlling spacecraft because of all the WFH during the pandemic?

What about the policy of yellow sticky note with the login details stuck on the laptop. I hear that's pretty trendy.

See it all the time on public transport ;)

When companies demand you change your password often that is one of the few sane ways to remember your password. (The other is an incrementing number on an otherwise unchanged password).

This is for initial login, once you are in you should be using a password manager, but until you type that initial password you can't get to the manager. (Never put work logins into your personal password manager!)

People might balk, but it's no joke how many actions a toddler can trigger on an unattended Macbook. They have a preternatural ability to drag, delete and find the text inputs.

My wife recently left the computer unattended and the chair unflipped for 30 seconds. I come into the room and see our almost-2yo daughter handling the keyboard and the mouse like a pro. Despite never doing anything with a computer before.

Toddlers are truly keen observers. You think they're just trying to smash a toy or eat their picture book, but they're constantly watching everything. In the recent months I had a whole lot of stories that follow the pattern of "how in hell did you know these items belong together?!". There are moments when I wonder if toddlers have a secret worldwide community, and communicate with each other while parents are asleep...

(Also our cat learned to use our daughter as a distraction sometimes, making her noisy so that we vacate the kitchen, while it runs in to snatch our dinner...)

> I had a whole lot of stories that follow the pattern of "how in hell did you know these items belong together?!"

Do share! This is interesting for two reasons: how adult and toddler perception might differ, and how we design everyday objects to be maybe discoverable to a toddler.

In my experience, toddlers do not have a need for discoverability of everyday things, as they don't seem to figure objects out on their own, beyond trying to push, pull, bite or throw them - but they do pay close attention to what others do with various objects and try to replicate the behavior.

So, for instance, my daughter figured out twisting and untwisting of bottle caps in a manner of days, and it was a clear progression from observing us handling various bottles, trying it on the same bottles she saw us use, and then picking up on some pattern (round shape? grooves?) and trying to unscrew new things - but only ones that fit the pattern.

Or the other day she escaped into the kitchen while my wife was unloading the dishwasher, silently grabbed a fruit peeler and an apple, approached my wife and tried to peel the apple herself. We've maybe ever used the peeler once in our daughter's presence, but that was enough for her to both associate the two objects and remember how one is operated on the other. I'm not sure if this was goal-oriented behavior (i.e. whether she wanted to eat an apple) or just "look at me, I'm doing the same as you".

> In my experience, toddlers do not have a need for discoverability of everyday things, as they don't seem to figure objects out on their own, beyond trying to push, pull, bite or throw them

Toddlers are preternaturally patient - they will try all possible combinations of push, pull, bite and/or throw until they find a combination that works.

Also, they can easily transfer skills that may not seem related to an adult - I encouraged a toddler to understand how a carseat buckle works (they wanted to "help"): unfortunately, those skills are directly transferable to defeating buckle-based child-proofing products <facepalm>

> (Also our cat learned to use our daughter as a distraction sometimes, making her noisy so that we vacate the kitchen, while it runs in to snatch our dinner...)

That's some Garfield quality action right there!

In between all the worry and crying, life with a toddler is one rolling comedy show! I have to consciously stop myself from talking about it, because I realize it's super-boring to anyone who isn't a parent.

I think I saw a documentary about that once... ;)


Beware of young children... and facetious colleagues. Have been the victim and perpetrator a few times. My favorite was to change the screen saver to a BSOD screenshot and watch the reaction of the colleague when he walks back to his desk.

My colleague took a screenshot of my desktop, then made it full screen. Took me an embarrassingly long time to figure out why my computer was frozen.

True story: I once did this[0] to a friend of mine (who at the time was also my boss) on his Ubuntu desktop. I later asked him about it since he never said anything. Turns out he just thought his Linux Desktop was being stupid again, used the control sequence bring up the terminal, and just did his work in there.

[0] It was a little different. I set the screenshot as the background and hid everything and removed all panels and whatnot.

Heh heh. That is a very Linux story.

A broken screen image is another good one. To hear someone come back from break and start loudly asking "WTF?" will never not be funny.

It's funny how serious twitter and facebook have become even for governments. In my location, highest order politicians use it as a channel to provide important declarations/news and the media cites those in serious tone. Shouldn't governments use their own web sites and services for all official communication?

It's not like governments don't also have their own websites.

This is just the 21st century version of governments communicating via newspaper, radio, and television.

> Shouldn't governments use their own web sites and services for all official communication?

Yes they should. Much more official than a 'Twitter account'.

> Turns out their Twitter manager left his computer unattended, resulting in his "very young child" commandeering the keyboard.

Ignorance of the law does not excuse one from its consequences. For such a serious violation of 18 U.S.C. § 1030 I fully expect the child to be put in solitary confinement for the entire duration of nap time.

Certain privileges shall be ripped off, such as using a pacifier.

This actually highlights one of my griefs with the twitter webclient: hotkeys without modifier keys. E.g. on twitter.com, "n" opens the popup to create a new tweet. I'm not sure if there are valid accessibility reasons for this (in this case, all is fine), but at least I found this behaviour more annoying than useful.
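The comment above (unmodified single-key hotkeys) and the earlier one about switching Slack's send action to Ctrl-Enter are both about how a web client maps stray keystrokes to actions. The following is an added example, not code from Twitter, Slack or any project in the thread. Events are modelled as plain objects carrying the same fields a DOM KeyboardEvent exposes (`key`, `ctrlKey`, `metaKey`, `altKey`, `target`), so the policies run without a browser; the bindings table, the rate-limit numbers and the event objects are constructed.

```javascript
// Added example: three keydown policies for a web client so that a cat,
// a toddler or a pasted hardware-token code does not trigger actions.
// Events are plain objects shaped like DOM KeyboardEvent (assumption).

const EDITABLE_TAGS = new Set(['INPUT', 'TEXTAREA', 'SELECT']);

function targetIsEditable(target) {
  if (!target) return false;
  return EDITABLE_TAGS.has(target.tagName) || target.isContentEditable === true;
}

// Policy 1: single-letter shortcuts such as "n" (new post) are honoured only
// when focus is NOT in a text field and no Ctrl/Meta/Alt chord is held.
// Returns the bound action name, or null when the key should be ignored.
function resolveSingleKeyShortcut(evt, bindings) {
  if (targetIsEditable(evt.target)) return null;              // user is typing
  if (evt.ctrlKey || evt.metaKey || evt.altKey) return null;  // browser chord
  return bindings[evt.key] ?? null;
}

// Policy 2: in a composer, plain Enter inserts a newline; only Ctrl+Enter
// (or Cmd+Enter) submits. This is the Slack setting the thread mentions,
// expressed as a predicate over the event.
function shouldSubmitComposer(evt) {
  if (evt.key !== 'Enter') return false;
  return Boolean(evt.ctrlKey || evt.metaKey);
}

// Policy 3: client-side burst guard. If more than `maxSubmits` submissions
// happen within `windowMs`, refuse further submits until the window slides.
// Addresses the "fifty sends in a few seconds" case from the first comment.
function makeSubmitLimiter({ maxSubmits = 5, windowMs = 10000 } = {}) {
  const sentAt = [];
  return function allowSubmit(now) {
    while (sentAt.length && now - sentAt[0] > windowMs) sentAt.shift();
    if (sentAt.length >= maxSubmits) return false;
    sentAt.push(now);
    return true;
  };
}

// Constructed bindings table in the style of a single-key hotkey map.
const BINDINGS = { n: 'new-post', '/': 'focus-search', j: 'next-item' };
```

With `BINDINGS`, pressing `n` on the page body resolves to `new-post`, but the same key inside a `TEXTAREA` or with Ctrl held resolves to nothing. The limiter is only a client-side convenience; a server-side limit per account is what actually bounds the damage.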

It is not due to accessibility as far as I know. It might be useful for people with bad hand mobility, but it is annoying for screen reader users, because SRs have different input modes and this works in only one of them.

Similar if you think you've focused the search box in Thunderbird, and then spend the next 5 minutes trying to figure out what actions the word you typed before realizing your mistake did, and how to undo them.

I find this incredibly useful. Why do I want to stretch my fingers to hit Alt or whatever when I can just hit "n"? I don't often have things randomly pressing things on my keyboard to cause issues.

How often do you tweet?!

I once accidentally triggered a yubikey HOTP into youtube, which has hotkeys like this. It didn't do anything crazy, but it did do some funny stuff (that I don't remember anymore.)

Folks at Elastic have a shirt that looks something like that. Someone’s kid sent a gibberish company wide email like that.

5 years later... "Daddy wants to tell you a story about something you did when you were very young"

I love how the report says the child „took advantage“ of the situation

OMG they tweeted the launch codes!

But joking aside, I doubt this was an actual password. Too many repeating characters and characters grouped close together. Like "ssaw" and that ";l;;". And no uppercase as some people have mentioned. Who mandates special characters but not uppercase or numbers? I've never seen a password policy doing that. Usually numbers and uppercase come first before specials are considered, due to regional keyboard differences that make special characters hard to find. Really sounds much more like a toddler at work to me like they say.

And really, this is twitter. Not a serious government system. Even if it was a password, people sending tweets tend not to be the ones pushing red buttons. Obligatory XKCD: https://xkcd.com/932/
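The comment above reasons from character classes, repeats and keyboard clustering to "toddler, not password". The following is an added example, not anything from the thread or from Twitter: it turns those three observations into checks a practitioner could run over a string (the same idea as a spatial-pattern matcher in a password-strength library). The QWERTY coordinate model ignores key stagger, the thresholds are assumptions, and the sample input is constructed around the fragments quoted above (";l;;" and "ssaw"); it is not the tweet text itself.

```javascript
// Added example: heuristics for "password, or hand on the keyboard?"
// Checks character classes the way a policy would, the longest run of a
// repeated character, and how many consecutive characters sit on adjacent
// QWERTY keys. Thresholds and the key layout model are assumptions.

const QWERTY_ROWS = ['`1234567890-=', 'qwertyuiop[]\\', "asdfghjkl;'", 'zxcvbnm,./'];

// Map each unshifted key to a (row, col) coordinate. Shifted symbols and
// characters not on these rows are treated as adjacent to nothing.
const KEY_POS = new Map();
QWERTY_ROWS.forEach((row, r) => [...row].forEach((ch, c) => KEY_POS.set(ch, [r, c])));

function characterClasses(s) {
  return {
    lower: /[a-z]/.test(s),
    upper: /[A-Z]/.test(s),
    digit: /[0-9]/.test(s),
    special: /[^A-Za-z0-9]/.test(s),
  };
}

// Longest run of one character repeated back to back ("ss", ";;" -> 2).
function maxRunLength(s) {
  let best = 0, run = 0, prev = null;
  for (const ch of s) {
    run = ch === prev ? run + 1 : 1;
    prev = ch;
    if (run > best) best = run;
  }
  return best;
}

// Fraction of consecutive character pairs that are the same key or physical
// neighbours (row and column both within 1). Key stagger is ignored, so this
// is an approximation of a spatial-pattern matcher.
function adjacentPairFraction(s) {
  const t = s.toLowerCase();
  if (t.length < 2) return 0;
  let adjacent = 0;
  for (let i = 1; i < t.length; i++) {
    const a = KEY_POS.get(t[i - 1]);
    const b = KEY_POS.get(t[i]);
    if (a && b && Math.abs(a[0] - b[0]) <= 1 && Math.abs(a[1] - b[1]) <= 1) adjacent++;
  }
  return adjacent / (t.length - 1);
}

// Combine the signals. The 0.6 adjacency and run-of-3 cut-offs are assumptions.
function assessString(s) {
  const classes = characterClasses(s);
  const adjacency = adjacentPairFraction(s);
  const maxRun = maxRunLength(s);
  const meetsTypicalPolicy =
    s.length >= 8 && classes.lower && classes.upper && classes.digit;
  return {
    classes,
    adjacency,
    maxRun,
    meetsTypicalPolicy,
    looksLikeKeyboardSmash: adjacency >= 0.6 || maxRun >= 3,
  };
}

// Constructed sample built around the fragments quoted in the thread.
const SAMPLE = 'xzssaw;l;;';
```

On `SAMPLE`, eight of nine consecutive pairs are neighbouring keys and there is no upper-case letter or digit, so `assessString` reports a keyboard smash that would fail a typical complexity policy; a string such as `q7Mz!pK2` scores zero adjacency and passes. The heuristic is evidence, not proof: a deliberately weak password could look the same, which is why the comment's "who mandates specials but not uppercase" argument matters more than any one score.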

"In a telework status". So, working from home? It annoys me when people use unnecessarily technical vocabulary.

Makes them feel more important.

I didn’t realize FOIA requests were ever turned around so quickly (though I assume this isn’t the norm)

It happens more than you might think.

If it’s a request without privilege risk, workloads aren’t crazy and the requestor writes them well, same day service happens.

Writing these things is like a grant, there’s an art.

Legally they have to reply in 20 days, though that's not exactly well enforced. One day is still quick, they were likely looking for a good outlet to announce what happened.

In this case, they sent a "press statement" response instead of a "FOIA response". The FOIA response would have been just the "there are no written records" part plus the boilerplate.

They realized that this is a press story about to blow up, and that if they don't make a statement the press will just write "USSTRATCOM TWEET RAISES HACKING FEARS. WERE WE ONE KEYSTROKE AWAY FROM GLOBAL THERMONUCLEAR WAR?" with a "We contacted USSTRATCOM but did not receive a response [in the 3 minutes between asking and posting]" so they made a statement.

Reminds me of the time my 2 year old daughter sent my lawyer a bunch of kissy face emojis. I think my lawyer believed me that it wasn't actually me...

There are probably security implications of this, but all said I like it. It reminds me we're all human, even the agency in charge of nukes.

revealing critical password and blaming your child, classic, fantastic

The lack of a number or upper case letter means that it'd basically need to be an internal password, meaning US Strategic Command has some terrible security. I wish that made me think it was unlikely.

I'm over 100% confident that it is a password (a really sad one ofc). But that twitter just took focus when the child got to the keyboard. The child then typing without space or weird alt/ctrl/shift inputs and then press send. Under 0% probability.

TL;DR twitter took focus when he typed the password and enter did send it. Everyone knows it.

Enter is new line on Twitter, and it takes like six hits of shift to get to tweet. Just tested it, but I have no idea if the screenshot would show if a third party client was used.

nvm then, i don't use twitter, only irssi on gentoo,

take a look at some footage of my workplace: https://www.youtube.com/watch?v=gosChU94UCc&list=UUxt6g0bywt...

You would think that Strategic Command would be the experts on two-person approvals to avoid accidents.

And there are those who say investigative journalism is dead.

If I was Twitter manager for the US Strategic Command, my screen would lock 1 second after my ass leaves the chair.

It's just a Twitter account. He/She might not even have a security clearance.

I think there’s a pretty good argument for that being the case, since they’re exposed to the public but you can’t phish what someone doesn’t have access to and it’s really hard to accidentally reference something classified if you don’t know it. The government usually doesn’t shy away from a bit of overhead to have firm separation between classified and unclassified systems.

Or just "They", which is both shorter and actually gender-neutral.

Isn't "they" plural? It's just one person. "it" is actually gender-neutral, singular, and even shorter, but feels like it should only be used for objects and not people.

Turns out it's a "he", so if we are focused on technicalities I should have used that, but for some reason I can't edit the comment.

"They" has been used as singular for centuries.

That's my new password.

Why is this on HN?

I don't believe there are no written records of the incident. What's making sure the gov is actually following the law and sends everything FOIA requires? Same for GDPR, nothing is stopping a company from sending me only some of the information

If this were a more serious incident, and there was more to investigate and lockdown, it seems much more likely that the STRATCOM info officers would wait, since a response isn't required until 20 business days. They gain absolutely nothing by responding within 12 hours with a cutesy public lie that has the risk of being unraveled by the "real" hacker.

The information is not just for the press and the public — every part of the government and the military not directly connected to STRATCOM would believe that the public explanation is correct, which is the last thing you'd want if there really were a security breach.

Do you have a reason to doubt the respondents in this particular case?

just logical. somebody somewhere sent an email or chat message about this incident. for example the person who was in charge of the twitter account could have sent a message to his manager saying “hey fyi my kid wrote sth on twitter”

> nothing is stopping a company from sending me only some of the information

If their database later leaks and shows that they had more info, they're in a world of hurt. The DPA will already be looking for an excuse to punish them (having a breach isn't punishable in itself), so they'll nail them to the wall for this.

This seems the modern equivalent of a “numbers station”. Sending an encoded message to an embedded asset somewhere in the world.


That's what I think it is. If you throw it in a cryptogram solver you can get, "Q Acquitted".

If this was the orange man, it would be declared as an international crisis with some foreign agent 'hacking' us again narrative spun from a cauldron of internet lies.

Maybe those accounts should have a triple check password warning before they clumsily or have your child mistakenly tweet such things online. Unbelievable that Twitter still doesn't even have a check such as that for high profile accounts.

Downvoters: So we should not have extra tweet checks for high profile accounts who may have children or others clumsily or mistakenly tweet gibberish or nonsense on Twitter especially from an account that is responsible to '...deter strategic attack and employ forces, as directed, to guarantee the security of our Nation and our Allies.' [0]

Care to explain your reasons why for very important and verified official accounts part of the US Department of Defense or any other account that has a government-level responsibility 'thIs iS aLL coMPleTEly fINe'?

[0] https://www.stratcom.mil/About
