Just after lockdown, our boss sent an important message in our general chat, tagging everyone with @channel. While reading the message one of my cats jumped on my keyboard and managed to spam '+enter maybe fifty times to all 400+ currently reading the channel in a few seconds. Don't think Slack has any kind of rate limiting..? It was also impossible for me to delete the messages, as they jumped up and down when people started reacting, making me misclick loads of times. It was funny.
"Please don't reply to all@company.com it goes to everyone"
Each person in the mail list is convinced they need to send a reply to that mail informing everyone that the others should not reply to this email address, otherwise how would everyone know they're not supposed to reply to that email.
I believe that BCC can actually act as an active suppressor of reply-all storms even after they've started. i.e., reply-all to the storm in progress, but BCC the big list.
Each person who would send a reply-all does it in response to SOME message. If it happens to be your BCC, their message doesn't perpetuate the storm.
The BCCs would act as a kind of neutron absorber to dampen runaway reactions. Or like a trap-neuter-release program for cats.
Could be fixed by a good product manager or UX designer on the Outlook team: instead of leaving CC field available for editing and BCC hidden, always ask about the intention and then show either of them.
BCC is broken in gmail. It lists the bcc’ed recipients for all to see. All other email systems I’ve used understand the “B” stands for “blind” and don’t let other recipients see the BCC list.
No it doesn't. I and others have used it many times, and it does not actually do that.
When you receive mail that you've been BCC'd on, it does attempt to figure out what address was used to get it to you, and displays that as a BCC (useful if it came to you via a mailing list that was BCC'd), so perhaps you're confusing that for showing the addresses of everyone to everyone, which isn't the case.
Race conditions start it. The first 100 people get the message when it is sent, realize it is a mistake and decide they need to warn everyone, so they hit send almost exactly at the same time so none knew about the other. The next 1000 don't look for previous replies, but otherwise do the same thing. Then the next 1000 are annoyed by all the duplicate messages and it doesn't occur to them that they are making it worse.
I think people are trained to respond to everything, even if it's a quick note to say thank you. This is especially the case if it's a personal sounding email from someone important. After that it's just a matter of forgetting to pay attention to the address bar before hitting reply, possibly with a shortcut but more likely just going on autopilot and clicking things.
Changing the send action to Ctrl-Enter (or maybe it was Shift-Enter?) helps with this. It also helps prevent accidental yubikey posts and is good for when you need to write up multiline posts.
Reminds me of Molly guards. I would dearly love to track down who it originated from! Internet lore stops at referencing a programmer whose young daughter Molly kept pressing the on/off button. http://www.catb.org/jargon/html/M/molly-guard.html
> Reminds me of Molly guards. I would dearly love to track down who it originated from!
The following is from https://ws.engr.illinois.edu/sitemanager/getfile.asp?id=540 , [U of I] Department of Computer Science, Alumni News, Winter 2001, Vol 2 No 7, page 14. Judy Tolliver editor. The winning google search was "illinois.edu" molly guard ibm button.
Mollyguard? - Ed Krol explains
Ed Krol explains the origins of the word Mollyguard, which dates back to 1982, like this: “I was concerned with the Cyber [mainframe], and right behind the Cyberconsole was an IBM 4341—a nondescript, singularly unimpressive, desk-sized grey machine. The only thing about it was that on one side was a big red switch—kid-sized, about 2 inches wide. The switch was like the emergency OFF switch, and if you pulled it you actually had to call an IBM engineer to come in and reset it. There was some crisis on the Cyber, and I was babysitting that day, and so I took my daughter Molly in to work with me. I said, ‘You play with your trucks on the floor while I work,’ and she saw this amazing big red thing and gave it a yank and turned it off. You weren’t supposed to do that to those big machines at the time. Our computer center director then had little plexiglas flaps installed so that you had to lift the flap up before you could pull the switch. Charley [Kline] named them Mollyguards to protect them from Molly. It was a funny play on words, too, because molybdenum is a slippery element and there used to be a grease called Molygard.”
Krol, BS 73, is now assistant director of CCSO, and Kline, BS84, MS 86, who was a student hourly at the time, is now principal research programmer at CCSO. Molly Krol is a senior at Luther College in Iowa.
It was Kline who submitted the word Mollyguard to the Jargon File, a collection of computer slang from various technical cultures begun by Raphael Finkel at Stanford in 1975. Here is how it appears on this list, mirrored on many Web sites:
molly-guard /mol’ee-gard/ n.
[University of Illinois] A shield to prevent tripping of some Big Red Switch by clumsy or ignorant hands. Originally used for the plexiglass covers improvised for the BRS on an IBM 4341 after a programmer’s toddler daughter (named Molly) frobbed it twice in one day. Later generalized to covers over stop/reset switches on disk drives and networking equipment. In hardware catalogues, you’ll see the much less interesting description “guarded button.”
Heh. I have prior art (1966). I was four. My dad was working on a ground-support trailer for the Sergeant surface-to-surface missile. He went in on a Saturday for some testing, and took us along. And there was this big red button....
(It wasn't the launch button; it was the emergency shutdown button, which would have cost them an hour to restart everything. When they're there on a Saturday. I was exiled to the parking lot for the duration.)
A long long time (~30 years) ago I was at a customer site and the meeting room I was in had a huge server sitting in the corner. It had a design that looked like it had a door on the front (like some Suns) with a button to unlock.
I was left by myself for a bit and went across to look at the server and open the door - only after I pressed the button did I realise that it was the on/off switch rather than a door open.
I hastily switched it back on and made it back to my seat before anyone came to the room to check what had happened to their server!
I remember a story about someone pushing TheBigRedButton but realized what they had done before releasing it. The poor soul had to stand there and not release the button while others were scrambling to get the system into a state where it could lose power safely.
Edit: this is back when on/off really meant on or off with respect to power :)
Speaking of sheer curiosity and poor impulse control: during the big Dotcom bubble, the startup where I worked suddenly had its servers taken offline when there was an unscheduled power outage at the colo facility.
Apparently two dimwits from another tenant were onsite tending to their rack when they saw the big red buttons on the wall spaced ten feet apart, and wondered what they would do when you held them down simultaneously.
Turns out, they did precisely what the not-so-little signs said they would.
At our workplace it is standard & strictly enforced (called out) policy to lock your screen before leaving your computer unattended. For me this has become an automatic action.
I think USSTRATCOM could benefit from the same policy.
We have the same policy, but I must confess to not follow it when working from home. On the other hand, I live alone and all entrances to my home are always locked.
On the third hand, having a very young child anywhere near my work computer unsupervised would be the stuff of nightmares..
Assuming it's a toddler, it's not at all a given that they were far enough away that it'd have made a difference. The keystrokes in that tweet are mostly clustered relatively close together in two groups - this looks like a kid got both hands on the keyboard and hammered a couple of times. Might well have e.g. just been lifted up on their parents lap for a moment, only for the parent to get e.g. distracted by a phone call.
That is the first thing I thought, if we are to trust this info then the issue that stands out is not that a toddler did it, it's why the hell wasn't it locked in the first place.
I worked in far less sensitive settings, but all these IP policies pretty much ingrain this in my mind. Locking before moving away from my desk is muscle memory by now.
>it's why the hell wasn't it locked in the first place.
A second child is my guess. Or they were still in the room but inattentive. That kind of muscle memory would trigger when you're leaving your work area, and when working from home that would probably expand to your whole office.
My local credit union uses a USB device (IR sensor?) that detects how close to the computer the user is, if they walk away the computer automatically locks.
Surprised those devices aren't in more widespread usage.
It probably goes by RSSI. You might not be able to get "out of range" to the point where the connection is terminated, but the desktop can (poorly) approximate distance by measuring received signal strength.
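The comment above says a proximity token can only approximate distance from received signal strength, and that the approximation is poor. The part a practitioner cares about is how to turn that noisy signal into a lock decision that does not flap. The following is an added example, not code from the thread or from any product: it smooths RSSI samples with an exponential moving average and only locks after several consecutive "far" readings, so a single dropped packet does not lock the screen while a genuine walk-away does. The threshold values and the sample trace are constructed for illustration, and unlocking is deliberately never driven by signal strength, only by a successful credential check.

```javascript
// Added example (not from the thread): turning noisy RSSI readings from a
// proximity token into a screen-lock decision. Thresholds are constructed.

function createProximityLock({ alpha = 0.3, farDbm = -75, farSamplesToLock = 3 } = {}) {
  let smoothed = null;   // exponential moving average of RSSI in dBm
  let farCount = 0;      // consecutive smoothed readings below farDbm
  let locked = false;

  // Feed one RSSI sample; returns "lock" exactly when the screen should be locked.
  function feed(rssiDbm) {
    smoothed = smoothed === null ? rssiDbm : alpha * rssiDbm + (1 - alpha) * smoothed;
    if (locked) return "none";          // already locked; RSSI never unlocks
    if (smoothed < farDbm) {
      farCount += 1;
      if (farCount >= farSamplesToLock) {
        locked = true;
        farCount = 0;
        return "lock";
      }
    } else {
      farCount = 0;                     // any clearly-near reading resets the count
    }
    return "none";
  }

  // Unlock requires an authenticated user, not a strong signal (a token being
  // nearby is not proof that its owner is at the keyboard).
  function unlock(credentialOk) {
    if (!credentialOk) return false;
    locked = false;
    farCount = 0;
    return true;
  }

  return { feed, unlock, isLocked: () => locked, smoothed: () => smoothed };
}

// Run a whole trace and return the action decided for each sample.
function runTrace(samples, options) {
  const lock = createProximityLock(options);
  return samples.map(lock.feed);
}

// Constructed trace (dBm): user at desk, one noisy dip at index 2, then a real
// walk-away starting at index 5, then returning. With the defaults the lock
// fires on the 10th sample (index 9), after the dip has been filtered out.
const SAMPLE_TRACE = [-55, -57, -85, -56, -55, -80, -85, -88, -90, -90, -70, -58, -52];
```

The smoothing factor and the "three consecutive far samples" rule trade latency for false positives; a shorter window locks faster but reacts to every dropout.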
Yes, but this is human factors, isn't it? Logging out and back in has friction. It's natural that people will do it [EDIT will not log out or lock when needed]. We need a lower friction method to log off and in again, or to at least lock the computer for a few minutes.
Locking computers while away in a locked office is like using PRs on a high trust team.
I’m not arguing against it, but it’s one of the earliest deep feelings I had about office policies.
Locking the screen in a high trust environment communicates and disturbs the vibes. Should work be high trust? Plenty of people would leave my body in a dumpster for saying yes. I’d trust a co-worker before a girlfriend though (ie. Pre-marriage, non-contractual partner). I can follow policy as it relates to contractual home partners.
> Locking computers while away in a locked office is like using PRs on a high trust team.
In our office it is encouraged because we work on projects for multiple different clients. In some cases competing clients and we are required to partition the knowledge internally. Even if it isn't quite that serious we try to keep detailed information about the project inside the project team.
> Locking computers while away in a locked office is like using PRs on a high trust team.
Making sure I follow. You're saying 'trust' within your team meaning they have all good intentions and 'trust' meaning they never overlook anything or make a mistake.
For years, this was the case for me under penalty of termination. Now I always lock my screen although I work from home and nobody except me has physical access to my computer.
When companies demand you change your password often that is one of the few sane ways to remember your password. (The other is an incrementing number on an otherwise unchanged password).
This is for initial login, once you are in you should be using a password manager, but until you type that initial password you can't get to the manager. (Never put work logins into your personal password manager!)
People might balk, but it's no joke how many actions a toddler can trigger on an unattended Macbook. They have a preternatural ability to drag, delete and find the text inputs.
My wife recently left the computer unattended and the chair unflipped for 30 seconds. I come into the room and see our almost-2yo daughter handling the keyboard and the mouse like a pro. Despite never doing anything with a computer before.
Toddlers are truly keen observers. You think they're just trying to smash a toy or eat their picture book, but they're constantly watching everything. In the recent months I had a whole lot of stories that follow the pattern of "how in hell did you know these items belong together?!". There are moments when I wonder if toddlers have a secret worldwide community, and communicate with each other while parents are asleep...
(Also our cat learned to use our daughter as a distraction sometimes, making her noisy so that we vacate the kitchen, while it runs in to snatch our dinner...)
> I had a whole lot of stories that follow the pattern of "how in hell did you know these items belong together?!"
Do share! This is interesting for two reasons: how adult and toddler perception might differ, and how we design everyday objects to be maybe discoverable to a toddler.
In my experience, toddlers do not have a need for discoverability of everyday things, as they don't seem to figure objects out on their own, beyond trying to push, pull, bite or throw them - but they do pay close attention to what others do with various objects and try to replicate the behavior.
So, for instance, my daughter figured out twisting and untwisting of bottle caps in a manner of days, and it was a clear progression from observing us handling various bottles, trying it on the same bottles she saw us use, and then picking up on some pattern (round shape? grooves?) and trying to unscrew new things - but only ones that fit the pattern.
Or the other day she escaped into the kitchen while my wife was unloading the dishwasher, silently grabbed a fruit peeler and an apple, approached my wife and tried to peel the apple herself. We've maybe ever used the peeler once in our daughter's presence, but that was enough for her to both associate the two objects and remember how one is operated on the other. I'm not sure if this was goal-oriented behavior (i.e. whether she wanted to eat an apple) or just "look at me, I'm doing the same as you".
> In my experience, toddlers do not have a need for discoverability of everyday things, as they don't seem to figure objects out on their own, beyond trying to push, pull, bite or throw them
Toddlers are preternaturally patient - they will try all possible combinations of push, pull, bite and/or throw until they find a combination that works.
Also, they can easily transfer skills that may not seem related to an adult - I encouraged a toddler to understand how a carseat buckle works (they wanted to "help"): unfortunately, those skills are directly transferable to defeating buckle-based child-proofing products <facepalm>
> (Also our cat learned to use our daughter as a distraction sometimes, making her noisy so that we vacate the kitchen, while it runs in to snatch our dinner...)
In between all the worry and crying, life with a toddler is one rolling comedy show! I have to consciously stop myself from talking about it, because I realize it's super-boring to anyone who isn't a parent.
Beware of young children... and facetious colleagues. Have been the victim and perpetrator a few times. My favorite was to change the screen saver to a BSOD screenshot and watch the reaction of the colleague when he walks back to his desk.
True story: I once did this[0] to a friend of mine (who at the time was also my boss) on his Ubuntu desktop. I later asked him about it since he never said anything. Turns out he just thought his Linux Desktop was being stupid again, used the control sequence to bring up the terminal, and just did his work in there.
[0] It was a little different. I set the screenshot as the background and hid everything and removed all panels and whatnot.
It's funny how serious twitter and facebook have become even for governments. In my location, highest order politicians use it as a channel to provide important declarations/news and the media cites those in serious tone. Shouldn't governments use their own web sites and services for all official communication?
> Turns out their Twitter manager left his computer unattended, resulting in his "very young child" commandeering the keyboard.
Ignorance of the law does not excuse one from its consequences. For such a serious violation of 18 U.S.C. § 1030 I fully expect the child to be put in solitary confinement for the entire duration of nap time.
This actually highlights one of my griefs with the twitter webclient: hotkeys without modifier keys. E.g. on twitter.com, "n" opens the popup to create a new tweet. I'm not sure if there are valid accessibility reasons for this (in this case, all is fine), but at least I found this behaviour more annoying than useful.
It is not due to accessibility as far as I know. It might be useful for people with bad hand mobility, but it is annoying for screen reader users, because SR-s have different input modes and this works in only one of them.
Similar if you think you've focused the search box in Thunderbird, and then spend the next 5 minutes trying to figure out what actions the word you typed before realizing your mistake did, and how to undo them.
I find this incredibly useful. Why do I want to stretch my fingers to hit Alt or whatever when I can just hit "n"? I don't often have things randomly pressing things on my keyboard to cause issues.
I once accidentally triggered a yubikey HOTP into youtube, which has hotkeys like this. It didn't do anything crazy, but it did do some funny stuff (that I don't remember anymore.)
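Two complaints in this thread point at the same client-side design question: the earlier suggestion of moving the send action to Ctrl-Enter, and the complaint above about single-letter hotkeys that fire with no modifier. The following is an added example, not code from Twitter, YouTube or any client mentioned here. It shows one keydown policy that addresses both: a bare letter is only treated as a shortcut when focus is outside an editable element, plain Enter inside the compose box inserts a newline, and only Ctrl/Cmd+Enter submits. The `classifyKeydown` function is pure so it can be tested without a DOM; `installGuard` is the (assumed, illustrative) wiring onto a real page. The shortcut table and the keystroke burst in `simulateBurst` are constructed.

```javascript
// Added example (not from any real client): a keydown policy under which a
// stray burst of keys in a compose box can never submit, and single-letter
// shortcuts never fire while the user is typing.

const EDITABLE_TAGS = new Set(["INPUT", "TEXTAREA", "SELECT"]);

// True when the event target accepts typed text.
function isTypingContext(target) {
  if (!target) return false;
  return EDITABLE_TAGS.has(target.tagName) || target.isContentEditable === true;
}

// Constructed single-key shortcuts, active only outside typing contexts.
const SINGLE_KEY_SHORTCUTS = { n: "compose", "/": "focus-search" };

// Decide what one keydown means. `event` needs key, ctrlKey, metaKey, altKey, target.
function classifyKeydown(event) {
  const typing = isTypingContext(event.target);
  const withCtrlOrCmd = Boolean(event.ctrlKey || event.metaKey);

  if (event.key === "Enter") {
    if (typing && withCtrlOrCmd) return "submit";  // explicit two-key send
    if (typing) return "newline";                   // plain Enter just adds a line
    return "ignore";
  }
  if (withCtrlOrCmd || event.altKey) return "ignore"; // leave browser/OS combos alone
  if (typing) return "insert";                       // let the field receive the character
  return Object.prototype.hasOwnProperty.call(SINGLE_KEY_SHORTCUTS, event.key)
    ? SINGLE_KEY_SHORTCUTS[event.key]
    : "ignore";
}

// Classify a burst of keys landing in one target (e.g. a compose textarea).
function simulateBurst(keys, target) {
  return keys.map((key) =>
    classifyKeydown({ key, target, ctrlKey: false, metaKey: false, altKey: false })
  );
}

// Illustrative wiring onto a page (assumed API: handlers.submit/compose/focusSearch).
// Not executed here; requires a browser document.
function installGuard(doc, handlers) {
  doc.addEventListener("keydown", (event) => {
    const action = classifyKeydown(event);
    if (action === "submit") { event.preventDefault(); handlers.submit(); }
    else if (action === "compose") { event.preventDefault(); handlers.compose(); }
    else if (action === "focus-search") { event.preventDefault(); handlers.focusSearch(); }
    // "insert", "newline" and "ignore" fall through to the browser's default behaviour.
  });
}
```

The policy is strict on the submit side (nothing but Ctrl/Cmd+Enter sends) and permissive on the typing side, which is the direction that makes an unattended keyboard harmless rather than merely annoying.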
But joking aside, I doubt this was an actual password. Too many repeating characters and characters grouped close together. Like "ssaw" and that ";l;;". And no uppercase as some people have mentioned. Who mandates special characters but not uppercase or numbers? I've never seen a password policy doing that. Usually numbers and uppercase come first before specials are considered, due to regional keyboard differences that make special characters hard to find. Really sounds much more like a toddler at work to me like they say.
And really, this is twitter. Not a serious government system. Even if it was a password, people sending tweets tend not to be the ones pushing red buttons. Obligatory XKCD: https://xkcd.com/932/
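The comment above argues from three observable properties of the string: repeated characters, runs of keys that sit next to each other on the keyboard, and the absence of uppercase and digits. Those are the same signals a password-strength checker uses to flag keyboard patterns. The following is an added example, not code from the thread or from any particular checker: it scores a string on exactly those three signals using a simplified US QWERTY layout table. The layout offsets, the adjacency tolerance, the decision rule in `looksLikeMash` and the comparison string `"Gx7!mqPz2"` are all constructed for illustration; the two short fragments come from the comment above. It is a heuristic for strength checking, not a claim about what the tweet was.

```javascript
// Added example (not from the thread): heuristic signals of keyboard mashing
// versus a deliberately chosen password. Layout table is a simplified US QWERTY.

const QWERTY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"];
const ROW_OFFSET = [0, 0.5, 0.75, 1.25]; // approximate horizontal stagger, in key widths

// Map each printable key to an (x, row) position.
const KEY_POS = new Map();
QWERTY_ROWS.forEach((row, r) => {
  [...row].forEach((ch, c) => KEY_POS.set(ch, [c + ROW_OFFSET[r], r]));
});

// Two keys count as adjacent when they touch horizontally, vertically or diagonally.
function keysAdjacent(a, b) {
  const pa = KEY_POS.get(a.toLowerCase());
  const pb = KEY_POS.get(b.toLowerCase());
  if (!pa || !pb) return false;
  return Math.abs(pa[0] - pb[0]) <= 1.25 && Math.abs(pa[1] - pb[1]) <= 1;
}

// Which character classes a typical policy would look for.
function characterClasses(s) {
  return {
    lower: /[a-z]/.test(s),
    upper: /[A-Z]/.test(s),
    digit: /[0-9]/.test(s),
    special: /[^A-Za-z0-9]/.test(s),
  };
}

// Score a string: share of consecutive pairs that are repeats or adjacent keys,
// plus the number of character classes present.
function mashScore(s) {
  let adjacentPairs = 0;
  let repeatPairs = 0;
  for (let i = 1; i < s.length; i++) {
    if (s[i] === s[i - 1]) repeatPairs += 1;
    else if (keysAdjacent(s[i - 1], s[i])) adjacentPairs += 1;
  }
  const pairs = Math.max(s.length - 1, 1);
  const classCount = Object.values(characterClasses(s)).filter(Boolean).length;
  const patternRatio = (adjacentPairs + repeatPairs) / pairs;
  return {
    adjacentRatio: adjacentPairs / pairs,
    repeatRatio: repeatPairs / pairs,
    classCount,
    // Constructed decision rule: mostly pattern pairs, or few classes plus many repeats.
    looksLikeMash: patternRatio >= 0.5 || (classCount <= 2 && repeatPairs / pairs >= 0.25),
  };
}

// Fragments quoted in the comment above, plus one constructed comparison string.
const SAMPLES = [";l;;", "ssaw", "Gx7!mqPz2"];
function scoreSamples() {
  return SAMPLES.map((s) => ({ sample: s, ...mashScore(s) }));
}
```

A real checker would also catch straight runs like `asdf`, dictionary words and dates; the point here is only that "clustered on the keyboard" and "no uppercase or digits" are measurable properties, not just impressions.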
Legally they have to reply in 20 days, though that's not exactly well enforced. One day is still quick, they were likely looking for a good outlet to announce what happened.
In this case, they sent a "press statement" response instead of a "FOIA response". The FOIA response would have been just the "there are no written records" part plus the boilerplate.
They realized that this is a press story about to blow up, and that if they don't make a statement the press will just write "USSTRATCOM TWEET RAISES HACKING FEARS. WERE WE ONE KEYSTROKE AWAY FROM GLOBAL THERMONUCLEAR WAR?" with a "We contacted USSTRATCOM but did not receive a response [in the 3 minutes between asking and posting]" so they made a statement.
The lack of a number or upper case letter means that it'd basically need to be an internal password, meaning US Strategic Command has some terrible security. I wish that made me think it was unlikely.
I'm over 100% confident that it is a password (a really sad one ofc). But that twitter just took focus when the child got to the keyboard. The child then typing without space or weird alt/ctrl/shift inputs and then press send. Under 0% probability.
TL;DR
twitter took focus when he typed the password and enter did send it. Everyone knows it.
Enter is new line on Twitter, and it takes like six hits of shift to get to tweet. Just tested it, but I have no idea if the screenshot would show if a third party client was used.
I think there’s a pretty good argument for that being the case, since they’re exposed to the public but you can’t phish what someone doesn’t have access to and it’s really hard to accidentally reference something classified if you don’t know it. The government usually doesn’t shy away from a bit of overhead to have firm separation between classified and unclassified systems.
Isn't "they" plural? It's just one person. "it" is actually gender-neutral, singular, and even shorter, but feels like it should only be used for objects and not people.
Turns out it's a "he", so if we are focused on technicalities I should have used that, but for some reason I can't edit the comment.
I don't believe there are no written records of the incident. What's making sure the gov is actually following the law and sends everything FOIA requires? Same for GDPR, nothing is stopping a company from sending me only some of the information.
If this were a more serious incident, and there was more to investigate and lockdown, it seems much more likely that the STRATCOM info officers would wait, since a response isn't required until 20 business days. They gain absolutely nothing by responding within 12 hours with a cutesy public lie that has the risk of being unraveled by the "real" hacker.
The information is not just for the press and the public — every part of the government and the military not directly connected to STRATCOM would believe that the public explanation is correct, which is the last thing you'd want if there really were a security breach.
just logical. somebody somewhere sent an email or chat message about this incident. for example the person who was in charge of the twitter account could have sent a message to his manager saying “hey fyi my kid wrote sth on twitter”
> nothing is stopping a company from sending me only some of the information
If their database later leaks and shows that they had more info, they're in a world of hurt. The DPA will already be looking for an excuse to punish them (having a breach isn't punishable in itself), so they'll nail them to the wall for this.
If this was the orange man, it would be declared as an international crisis with some foreign agent 'hacking' us again narrative spun from a cauldron of internet lies.
Maybe those accounts should have a triple check password warning before they clumsily or have your child mistakenly tweet such things online. Unbelievable that Twitter still doesn't even have a check such as that for high profile accounts.
Downvoters: So we should not have extra tweet checks for high profile accounts who may have children or others clumsily or mistakenly tweet gibberish or nonsense on Twitter especially from an account that is responsible to '...deter strategic attack and employ forces, as directed, to guarantee the security of our Nation and our Allies.' [0]
Care to explain your reasons why for very important and verified official accounts part of the US Department of Defense or any other account that has a government-level responsibility 'thIs iS aLL coMPleTEly fINe'?
https://i.imgur.com/Sznqb4t.jpg