The sheer WTF-ness of that is astonishing.

The more I find out about the Cold War, the more I'm surprised we made it through.

Were the Other Guys as stupid?

I'm not religious, but our having survived the Cold War may be the best possible argument for the existence of God. Hard to explain otherwise. I mean, what are the odds?

When Star Trek did that in a self-destruct sequence I couldn't believe it; but it looks like Roddenberry got that one right, too.

Much as I enjoy glorying in other people's stupidity, there is only one voice saying this about the bomb codes, even the Guardian article points out that another expert thinks claimant is wrong about it. So until there is confirmation from some other ex-launch-officer, I think I will have to consider this one unproven.

Why on earth are we still here?

Miramon 6, Bellovin agrees that something was set to all zeros. From his own page he links to Blair without any hint of disagreement.

I don't understand what distinction Bellovin is making. My best guess, based on reading his work, but not explicitly said there and completely inconsistent with the quote in the Guardian, is that there was a code not intended as protection through a secret, but protection from an accident, such as when a plane crashes containing a bomb. Perhaps the code affected the timing of the explosion.

Those codes were the Permissive Action Link, not the codes authorizing launch. The United States lends certain NATO members nuclear weapons, currently with Belgium, Germany, Italy, Netherlands and Turkey participating IIRC Under this program the weapons were based in the host country under American custody and control, and when both the US and the host country agreed to a nuclear strike the US would release the weapons and the host country would launch them. At some point the US realized that perhaps they needed a stronger safeguard than a teenager with a carbine to prevent a hostile takeover of the bombs and came up with PAL. To my knowledge once instituted PAL locks had sensible codes once they were implemented overseas.
However, things were different inside the US. USAF always objected to anything that could delay a launch, including anything that added possible points of failure. Therefore, they had all PAL locks set to all zeroes through at least the 70s.

If it makes anyone feel better, the UK version of PAL was basically bicycle locks. When they had them, that is. Submarine captains can launch under their own recogizance if they have support of the crew.

This doesn't surprise me at all. I've been in charge of tech support for companies where all the clients left the original Administrator password set to default. I've also seen an alarming number of places where I've worked as a developer with this was standard as well.

When I was in college I had a mailbox in the Student Center. Some 7 or 8 years after I graduated, I was on campus and decided, on a lark, to try the old combination to my old mailbox. It still worked. I would be willing to bet that if I were to try it again now*, it would still work.

This is a security issue. Not a major one, but still. They should reset those box combinations whenever a student leaves.

* I still remember the combination. I'm not sure of the box number any more, but if I were standing in front of that rank of boxes, I'll bet I'd be able to recall which one it was.

Bellovin seems to be saying that the initial purpose of PALs (the devices with the eight-digit lock codes) was to prevent the launch of missiles stationed outside the U.S. Given the quote below, my guess is that Bellovin actually disagreed only about whether the 00000000 codes in the U.S. were unknown to the military's civilian superiors.

Despite that, they didn't deploy PALs that quickly. In 1974, when an armed quarrel broke out between two members of NATO (presumably Greece and Turkey, though the reference doesn't say), the Secretary of Defense learned that many tactical nukes were not equipped with PALS [R04]. Worse yet, he learned that some military commanders of these nations wanted those nukes.... It took two more years before PALs were completely deployed. Even then, the Pentagon dithered; at ICBM silos within the U.S., the "secret unlock code" was set to 00000000.

(Ellipses in the original. And 00000000 there is the link to Blair that Douglas Knight mentioned, but it doesn't seem to work at the moment.)

If anything, this gives me more shivers than before. "Why, our electronic account at the local branch bank was never supposed to be password protected! We only put a password on the Chicago account because Aunt Pat and Uncle Robin were getting divorced and we were afraid one of them would clean out the account to hire a lawyer..."

Serge Broom @ 3: AFAICT(*), the Other Guys had an even more tangled bureaucracy -- or perhaps it was a sort of governance-by-fear (in which referring an action to someone else, who would refer it ..., was safer than acting), depending on which period you're looking at.
      IIRC, the other Stan Lee suggested that some Russian missiles were liquid fueled, which would have added lag time; I have no idea whether this was ever true.

(*) even by dismissing a large fraction of what I read as visibly biased

possibly for trivial raw HTML? There's leftover steamed broccoli with sherry vinaigrette....

9
Some of the software at work we left our personal passwords set to the default. Mostly it was because we had so many other passwords to deal with, and that piece of software was for tracking the work packages, so we were in and out all the time. (Everyone had a different account - I had a lot of accesses, but most of it I didn't need at all.)

Lee @10 -- back in high school I memorized the serial number on the padlock for my locker one year (school supplied). They gave it to someone else the following year -- and of course, the combination wasn't changed as they were not set up to make that easy.

I haven't checked the POBox combination I used to have in Berkeley for far too many years since I let it lapse. But I do believe the USPS is actually pretty good about changing them (on minimal evidence like seeing people working there changing combinations).

If you see a door-handle lock with five buttons in a vertical row, try (2 and 4 simultaneously), 3.

When I was in high school, we had dial-up modem access to a PDP-11 at the university, with one shared account per high school. One day DEC added a "remove all the files in your account" feature, and within a week they'd had to disable it, because half the schools using the computer had wiped their accounts. (Fortunately we weren't one of them, and there was so little disk storage available to us that most of our programs were kept on paper-tape anyway, but still...)

While the ICBMs had a trivial code, at least they required two people to simultaneously turn keys, so it took more than one idiot to start a war.

Serge @3: no, the other guys were not that stupid. They had no permissive action links at all.

Instead of trying to rely on a dodgy combination lock, their nukes were secured by detachments of KGB troops with automatic weapons and orders to shoot the launch crew if they tried to launch without authorization. They also served to guard the weapons and crews, but were not themselves able to launch the weapons.

As the KGB and regular armed forces cordially hated each other ...

NB: the business about the PAL code being 00000000 came out in the late 90s, if I remember correctly, but is only just now making news headlines in the mass media.

Here is an archive of Blair's original article from 2004. Here or here is his article from 1977 that doesn't mention all 0s, but does complain that the Minuteman codes are too widely spread and asserts that PALs just aren't being used, which may be code for the other point.

Charlie @18, Teresa says "recently reported in The Guardian and Gizmodo," but it's only Gizmodo that's recent; the Guardian link is from 2004, immediately after the Blair article above. I think Blair is the original source and this came out 10 years ago, not 15. If you have a source from the 90s, I'd like to see it, if only because, as Miramon says, it would be nice to have another source.

Bill@17,

Yeah, and if 2/4 + 3 doesn't work, and you're at a school or research institution of some kind, try 3+1+4 or 3/1+4. Pi for the win. But I haven't seen one of those 5-button locks in a long time now. Do they still exist anywhere?

But I haven't seen one of those 5-button locks in a long time now. Do they still exist anywhere?

As recently as 2004, which was the last year I worked for them, my old place of employment had one on the parking lot stairwell door that gave direct entry into our office, so that employees could come and go at all hours of the night (some projects required very late hours) without having to worry about the building's outer door into the common lobby &etc.

Five buttons in a vertical line, and the combo was always (X+Y), A, B.

They did not change the combination every time someone left the company. But they did change it every time someone left under acrimonious circumstances. You knew that someone had left under acrimonious circumstances because there would be an email sent out that said something like, "Yesterday was so-and-so's last day here. We wish them well and will miss them. By the way, the new stairwell combination is..."

Miramon @19 - my daughter's preschool has one of the 5-button locks on the door to the building. It is not set to one of the number codes discussed here, though if you are pattern-minded it would be fairly easy to discover. The challenge is that they've got 100 or so parents who need to remember it, so it can't be too tricky. The purpose is really more to delay people without business in the building until a staff member could hear the attempts and come to the door.

for too many links. the best linked is in my name.

Someplace I have a photo I took of an ATM keypad. The keypad is used only for PIN entry. The 1 2 3 and 4 are worn, the others not. Left to choose their own combination, most people do a bad job.

Back in my IBM VM/CMS days, the documentation read as if the admin account had to be MAINT with password CPCMS. We were good: MAINT did not even exist on our systems as an account. Later, on Windows, we used to rename the real builtin Administrator account, and provide a dummy one with no privileges.

I bought a used car with keyless entry: there's a factory code that cannot be reset or disabled. Not worried, particularly, but it's poor practice.

Charlie's #18 is actually about as good as security can be made. It's a various of the man and a dog method - the man is there to feed the dog, the dog is there to keep the man away from the system.

Quite a few missile systems needed fueling, including the British Blue Steel. So, when I saw the missiles under the bomber, engine starters hooked up, it was Cold War theater, because they were not ready to go on three minute warning, at least, not to go for real. I don't know if the physics package was loaded, I seriously doubt it would have been. Hopefully they had at least a bicycle lock for open day protecting the warheads. Likely a large and unfriendly guard, someplace not open to the public.

The RC church nearest my granny's house has one of those five-button locks on the main door. It mostly seems to get used during late-night or overnight vigils.

I learned about it at their 0700 weekday mass, where the lock combination was given out during the end-of-service announcements. Apparently their logic is that the occasional late-night rough customers the lock is meant to discourage are unlikely to attend early morning mass.

Teresa @25: related logic -- my home wifi network password is simply my land-line phone number. 11 digits. I'm ex-directory and hand out my cell number to businesses I deal with (to deter cold-calling by making it more expensive for them). So a rule of thumb is that anyone who knows my land line number and is in my flat is welcome to use the wifi, and has one less password/number to keep track of.

I deal with one of the 5-button locks on a daily basis: the main lab space where my Amazing Girlfriend and I have our desks is secured with one. I've found that I can identify any lab member by how they try to use the thing. $ADVISOR's unlocking procedure is particularly distinct. Other lab space is secured with a more (giggle, snort) modern variant: 0-9 numpad and/or a card reader for university IDs.

For some reason, I am reminded of Tom Lehrer's MLF Lullaby:

Sleep, baby, sleep, in peace may you slumber,
No danger lurks, your sleep to encumber,
We've got the missiles, peace to determine,
And one of the fingers on the button will be German.

Why shouldn't they have nuclear warheads?
England says no, but they are all soreheads.
I say a bygone should be a bygone,
Let's make peace the way we did in Stanleyville and Saigon.

Once all the Germans were warlike and mean,
But that couldn't happen again.
We taught them a lesson in nineteen eighteen,
And they've hardly bothered us since then.

So sleep well, my darling, the sandman can linger,
We know our buddies won't give us the finger.
Heil--hail--the Wehrmacht, I mean the Bundeswehr,
Hail to our loyal ally!
MLF
Will scare Brezhnev,
I hope he is half as scared as I.

Bill @ 17
Many years ago I was at a meeting on a college campus and needed to receive an urgent fax. It was after hours, and the fax machine was in a room locked with one of those (they're called Simplex locks). The secretary supporting the meeting bustled off to try to find someone who knew the code. I just started trying codes, and hit on the third try with (12)5. Said secretary was utterly boggled when she came back (not having found anyone) and I was already inside...

I've only ever seen one of the five-button locks -- it's at my workplace, and which three buttons are to be pushed (if not the order) is pretty obvious -- they're the three that are kept shiny by people pushing them all the time. By contrast, I've heard that the our previous premises had so many weird locking doors that people would frequently get trapped between two combination-lock doors, usually while trying to get to the washroom or something innocuous.

Pretty bad when the technology's so inconvenient that the users have to disable it to "do their jobs."

Reminds of me stuff Asimov and Clarke wrote.

Go on, Bob? Say more.

Yarrow, in #12, has already provided Steven M. Bellovin's page on Permissive Action Links.

Professor Bellovin has posted on Making Light from time to time.

Teresa, just to be polite: Feynman and the safes were at Los Alamos, New Mexico. Alamagordo was the test site, about 200 miles to the south, where the first nuclear bomb, Trinity, was detonated in July 1945.

(Speaking of Manhattan Project history, today is the 71st anniversary of the first controlled chain reaction at the University of Chicago. One of those Atomic Age facts I can't forget.)

We have the 5-button locks on both the front and back doors to our office - the back door requires a RFID card reader to get through door A, and (hopefully) different 5 button codes to get through to our office (door B) or the financial advisers next door (door C). The front door just has the lock for after-hours access, if the building is open and we're not, but usually you'd have to walk past at least 3 clusters of offices/cubes that have people in them building-open hours. It's not the best system, but we haven't had equipment or files wander off to parts unknown...OTOH, these days realtors carry most of our files electronically rather than paper.

It's always been somewhat amazing to me, given the documented rates of burnout in missileers, that we're still here.

I find a lot of the Cold War anecdotes both chilling and comforting. The chilling part is self-explanatory. The comforting part is that it appears that there was always someone on hand to say “I’m going to check this before I shoot back,” which suggests that there are enough sensible humans on the planet to be going on with (though more would always be nice).

Things seem to have changed a lot since the cold war, if this WIRED feature is to be believed: Death wears a Snuggie (on what it's like to work a Minuteman control room in the 21st century).

My apologies for joining this thread late. Let me clarify what I can.

First: there are three relevant web pages of mine on PALs: https://www.cs.columbia.edu/~smb/nsam-160, which gives background and links to Kennedy's original memorandum (along with the accompanying (and somewhat redacted) memorandum by his science adviser, Jerome Weisner); https://www.cs.columbia.edu/~smb/nsam-160/pal.html, my speculation on how PALs work; and https://www.cs.columbia.edu/~smb, the slides for a talk I've given on the subject (audio is at http://www.usenix.org/events/sec04/tech/mp3/bellovin.mp3, I think).

When the 2004 Guardian article came out, I exchanged some emails with Bruce Blair to clarify things. I think I understand the situation and the evolution.

Blair is considered utterly credible. He not only worked in a silo, he has since spent his professional career working for nuclear arms control, limitation, reduction, etc. This is his field; I'm an amateur historian at it. I've never heard anyone question his 00000000 story; Eric Schlosser, in his new book Command and Control, confirmed this with someone else.

The history of PALs is long and convoluted. The original motivation for real PALs (fine distinctions below) was, as I stated, to maintain effective US control over nuclear bombs. Sandia had developed a prototype around the same time that a Congressional investigating committee learned just how poor US control was over weapons effectively handed over to our NATO allies (the Tom Lehrer song is quite apt). PALs (especially the later ones accompanied by the tamper-resistant membrane) were intended to provide effective control to the US: attempting to bypass the PAL would disable the bomb.

The generals hated the idea, because it was one more thing that could fail. They were persuaded when they realized that this made forward deployment (especially in eastern West Germany) possible. While there was some element of distrust of the military in some quarters (Dr. Strangelove came out around this time; also see what Weisner says about "lone psychotics"), the documentary evidence is pretty clear that the 1962 motivation applied to NATO. In particular, if you look at Weisner's memo and Kennedy order, the largest deployment of PALs contemplated was for US and NATO forces throughout Europe. There is no mention of missiles (not that there were many then), nor of subs, US-based bombers, or the entire Pacific theater. The newer article that speaks of such as mandated by Kennedy's 1962 order is just wrong.

There remained opposition within the military even for this. Blair quoted to me a 1964 message from General Power to General Taylor complaining about the lack of trust of the military; Power, though, was described by a subordinate as more or less crazy. According to Schlosser, Power worked quite successfully to delay deployment of PALs.

Later, some sort of coded switch signal was ordered for the silos. This is what is technically known as a "use control system": it's a secure external way to arm the warhead, but it's not integral to the warhead itself; rather, it lets someone use that bomb in the way it was intended to be used: launched from a missile, dropped as a bomb, etc. I suspect that it works in the same way, by interrupting the circuit that charges the capacitor bank that actually fires the detonators, but I haven't seen anything definitive on that. (I should look again.) As best I can tell, use control systems do not include the tamper resistance stuff of true PALs -- if you were to raid a silo and steal a warhead, you would be able to use it. (This is my conclusion; Schlosser states the same thing.) Blair noted that while I was technically correct in distinguishing PALs from use control systems, in the silos the same coded switch system armed the warhead and the missile. His chronology, in a note to me, is "bomber use-control in the early 70s, subs beginning in 1997, and Minuteman/Titan beginning about 76/77". He said that in his public writing, he'd deliberately blurred the distinction, largely because it's subtle and not well known to the general public.

Given the downsizing of the US arsenal in recent decades, I suspect that most of the weapons in the active inventory now have real PALs. They've taken it a step further: apparently, there's some technology that Does Something to the plutonium if you try to bypass the PAL; supposedly, you can't even easily reuse the material in your own bombs (http://blogs.fas.org/security/2007/10/reliable_replacement_warhead_i/).

Another interesting question is how other countries' bombs are protected. Pakistan is a particularly worrisome case, since they seem to think (possibly correctly) that their stockpile is in greater danger of seizure by US commandos than by the Taliban. Many questions have been raised about Russia's weapons (Schlosser quote Blair as concurring with Charlie's #18 about the strength of their security posture). China asked the US for PAL technology; apparently, State Department lawyers concluded that this would be sharing nuclear weapon technology, which is a violation of the Non-Proliferation Treaty (private conversation between myself and Harold Agnew, the "intellectual godfather" of PALs). The UK, France, and Israel probably have decent procedural safeguards, and I suspect that the UK has access to PAL technology if it wants it. China, I suspect, uses the Soviet model. India? Pakistan? North Korea? Elbonia? Alabama? No clue.

And what kept World War III from starting? I've talked with historians who at least agree with the statement that it was the failure of US and Soviet counterintelligence that kept the peace. Each side had sufficiently good information on the other side's capabilities and plans that they never quite felt the need to strike preemptively to head off an imminent nuclear attack by the other side...

I haven't finished Schlosser's book yet; if I find anything new, I'll post an update.

Schlosser's book is hair-raising. And there is a general or some such bigwig quoted in it about the proof of a divine entity being the only reason there wasn't a horrible nuclear catastrophe in those years.

Steven M. Bellovin @38: Your comment about failures of counter-intelligence helping keep the peace reminds me of an assertion by Louis Fry Richardson (maybe in Statistics of Deadly Quarrels?) that wars only occur when the two sides have different beliefs about the likely outcome of the war. If both sides have sufficient data and knowledge to accurately predict the outcome, a negotiated peace is much more likely.

So intelligence might be a force for stability, and counter-intelligence a force for instability?

Thank you, Dr. Bellovin.

As I recall, the British system, at least for their submarine deterrent, was "The honour of a Royal Navy officer would never allow them to launch a nuclear missile without sufficient reason. No need for further safeguards."

But I wonder if anyone has confirmation of that?

Any given security measure needs to be matched to the threat profile it's meant to protect against. That's not just a matter of "strong enough to defend against an attack", you also have to make sure the security allows normal use of whatever.

That's why a lot of places use those 5-button locks -- their threat model is casual intrusion and perhaps excessive traffic. But if the doors become too much hassle to the people who actually do need to use them, people will start leaving them propped them open, which is worse than "closed but unlocked".

Similarly, many have locks that can be picked with a hairpin or opened with a common master key -- again, the threat level is casual snooping, basically by a co-worker or visitor. But the company does need to get into them if somebody loses a key....

People are actually pretty good about doing that matching (sometimes they take a while to get it right)¹, and by the Cold War there were "security professionals" around who could do it up front. In fact, a facility's security measures may well provide intelligence about exactly what their threat model is.

And if the only real point of the PAL's was to make sure that a US missile located in, say, West Germany couldn't be fired without US permission, well yeah, then the US-based missiles would likely have no code. AIUI, the threat model there was "if the other guys launch, you have 17 minutes to spot the launch, decide to retaliate, and get your birds in the air before you and your base get destroyed".

¹ Though of course they can get blindsided by new techniques or technology.

Steven @ 38. Thanks for the explanation. Vastly clearer and far more convincing than the Guardian article.

@ 31/32: I can't think offhand of a cite for those two authors, but other authors have played with the idea; cf the scene in MacLean's Missing Man, in which somebody "helpfully" disables an interlock on a pressurized elevator (thus wrecking the underwater city it connects to), or Russell's "Study in Still Life", in which the requisition system is both insanely difficult and corrupted, so someone figures out a way add corruption to cancel out the effect of the original corruption and get the corrupter in trouble.

Bill Higgins @ 34: I should have spotted that; my father taught at Los-Alamos-the-school, and I've long regretted that Feynman's memoir came out after my father's death -- Los-Alamos-the-lab was Not His Department during the war, so he knew only what anyone else knew (i.e., nothing until several years later) about what went on there.

Dave Harmon @42

Of course, the trouble is that security changes over time, and sometimes information about how systems are actually deployed isn't complete.

My initial thought was much like yours: "Well, if PALs are meant to keep otherwise cleared allied military personnel who are MEANT to be at the launch consoles from pushing the button when we don't want them to, that's fine." And of course it is.

But there's a longer-term threat that someone will be reworking the security setup and will think "Ah, but I don't need to worry about Threat X because they might get access to the consoles but they won't have the PAL codes."

A combination lock, the code for which isn't in the bunker, is a very versatile security measure. Just because it was originally deployed for a very specific reason doesn't mean it won't be expected to prevent all kinds of other problems in the future, but to do that it needs to be deployed properly.

CHip @ 44: "cf the scene in MacLean's Missing Man"

I thought of exactly the same sequence in that book. What a remarkable sequence! All those people convinced they personally knew what little tweak needed applied, right now, to their carefully constructed environment.

(Someone else had her on the brain lately.)

John -- to be fair, they were under stress. (Details redacted in case anyone hasn't read the book; the mess is a chain of circumstances that requires many of the preceding pages.) OTOH, I have my doubts how cool/calm/collected someone who had been just told to Press The Button would be....

This all brings to mind the article in The Atlantic years ago where the reporter talked to members of the launch crews at the silos and was told that instead of four guys with launch keys it would take only two guys, two sidearms, two spoons, and two long pieces of string to launch missiles. (Seems folks underground got bored during chow once and played "what if.") Cue lots and lots of references to Seven Days in May.

In the last chapter of Rachel Maddow's Drift, she tells in detail of nuclear bombs we've had oopsies with, some of whose armed warheads have gone off.

Yes, really.

She mentions that the U.S. is considered more cautious than other countries with nuclear capability.

One year my father worked on a project involving sfin and arming devices for airborne missiles. The design spec said the missile had to fall for m seconds and spin up to n rpm before arming - that's because they frequently fall off the pylon onto the deck or runway.
(I suspect that it's a design spec that's relatively recent, although my father was doing this in the late 1970s.)