Around 8:05 a.m., the Hawaii emergency employee initiated the internal test, according to a timeline released by the state. From a drop-down menu on a computer program, he saw two options: “Test missile alert” and “Missile alert”. He was supposed to choose the former; as much of the world now knows, he chose the latter, an initiation of a real-life missile alert.
“In this case, the operator selected the wrong menu option,” HEMA spokesman Richard Rapoza told The Washington Post on Sunday.
A dropdown menu with just two options. That’s incredibly bad user interface design.
“A dropdown menu with just two options. That’s incredibly bad user interface design.”
Why? The mistake is just as likely to occur if they were radio buttons, or two regular buttons.
At the very least there should have been a “Are you really, really f*cking sure that you want to choose that option?????” dialog box
Edited 2018-01-15 22:31 UTC
That plus a whole bunch of sirens and flashing lights…
…and someone to independently confirm the choice.
Stanislav Petrov made a better job at missile attack testing.
That was kind of the issue. Too many sirens and flashing lights.
There are better ways of mitigating against this. Separating live and drill functionality effectively in the UI being the obvious.
However, in a real emergency, adding multiple levels of confirmation, as is often suggested, may delay getting a warning out – which itself may cost lives.
Messageboxes as safety gates should be assumed to be useless. No one reads; if the default button is set to the OK option it is very easy to dismiss them, and no one reads. ( https://www.joelonsoftware.com/2000/04/26/designing-for-people-who-h… )
The fact that the system can be triggered by something as simple as a single user clicking on a menu is abhorrent. Having the real option anywhere near the testing option is equally awful. At the very least it should take two people entering in their private security credentials to trigger something that would affect the mental and physical stress level of the entire populace of a state.
I think every UX designer should read that link and have the contents imprinted into their brain. Anyone paid attention to Microsoft’s Windows and Office error messages lately? Talk about wordy and completely uninformative!
</OT>
It could have been avoided by having the test program in a completely different window. Barring that, at least have them in separate menus, one for testing and one for live. Having them in the same menu, one above the other, is just asking for trouble. One pixel separates a test from a real alert. That’s unacceptable.
Don’t think so; in general, if you misclick a (radio) button you don’t select anything, with the drop down menu chances are you’ll select the other than intended option.
Which is beside the point: it is a silly design choice because it turns what should be a simple single click into multiple clicks and multiple instances where your attention is drawn away to deal with the interface as opposed to dealing with which of the two options to select.
Edited 2018-01-16 00:50 UTC
Dropdown menus are just bad in general. They obscure what the possible selections could be, then after a user clicks to expose the list, all choices appear visually equalized. After the user clicks, the list is again collapsed and the selected option is no longer at the same location the user clicked on.
At least with a group of radio buttons, users can see all options at once, developers can show each option differently by using different colors or fonts or adding verbiage, and clicking on a given option does not change the visuals of what was just selected under the mouse.
The massive screw up here though, is the lack of a confirmation dialog requiring some kind of override to be typed in before proceeding.
Surely, systems like this should require more than one person to make the “not a drill” choice.
I don’t think I want my early warning system reliant upon a committee for me to get an early warning.
A better system would be to default to test mode, and when “not a drill” mode is selected, THEN you put up the warning prompt, requiring the operator to re-enter a code being displayed on the screen.
Doesn’t even need to be a complicated code (2-3 digits even), just something that forces the operator to read the prompt carefully.
Two people is not a committee.
Further, yes you actually want some thought out decision before triggering the alarm. If it were you, you’d have set off a conflict in this scenario https://en.wikipedia.org/wiki/1983_Soviet_nuclear_false_alarm_incide… . We can’t bet on there always being a level headed person to avert these incidents.
Yet another story about the fuckup of a country that is the USA. Let’s keep it focused on non-USA themes, thanks.
We already get enough news coverage of the USA.
But Hawaii isn’t a part of the USA (you’d have to live there to know the joke)
And, somewhere else, on another computer, there is the matching application with another drop-down menu :
[x] Test Nuclear missile launch (alt-t)
[ ] Nuclear missile launch (alt-n)
No, it’s probably
[x] Test Not launching nuclear missile (alt-n)
[ ] Total Nuclear missile launch (alt-t)
Edited 2018-01-16 15:26 UTC
Or just use a separate TEST environment for this kind of testing actions completely separated from PROD environment to which only trained technicians with proper authorization have access.
Edited 2018-01-16 15:47 UTC
Was this not the “trained technicians with proper authorisation”? Otherwise there is not really a point of daily accessing and testing the system, no?
Please define highly trained technician : trained as in “when your chain of command gives you the OK do not press the TESTING button but the PRODUCTION button” or trained on need to know basis..which is crap
> A dropdown menu with just two options. That’s incredibly bad user interface design.
Any sane UI designer would have put there at least a dozen of random ineffective and/or buggy options.
Thus the odds of triggering an unwanted action become much lower.
With the odds of triggering a wanted action under stress becoming much lower as well due to muscle memory.
Ideally, there would have been a setting in the configuration which would put the system into test mode, and the operators would be able to run a drill without any change in workflow.
If this was just a diagnostic test, there should have been a diagnostics section in settings which allows for kicking off various health checks.
Edited 2018-01-16 04:19 UTC
It’s not bad UI design to have both options in the same menu. Adding a confirmation dialog isn’t a great fail-safe either. However, having the user enter a keyword to confirm a real alert would greatly decrease the chance of this happening, if not eliminate it completely.
People select things on accident. They click yes/ok out of habit. But they don’t accidentally type in confirmation keywords.
Especially if those keywords aren’t simple yes. I’ve seen a dialog which selected different keywords randomly. So you had to carefully read the question to know what to type for confirmation.
Probably a $1m project. Whoever signed off on the interface should be handing in their resignation. Not necessarily the developers’ fault in my opinion. There are dozens of competent ways to choose between those two “modes/operations”. Looks like they didn’t choose any of those. I can only sympathise with the locals, particularly those with anxiety and conditions that are most susceptible or vulnerable. Absolutely unacceptable for something like that to happen.
That’s a bit extreme, …and absurd. People are allowed to make mistakes, even if people temporarily shit their pants over it. But to suggest someone should lose their job over this? Come on. Do you honestly believe that or are you just going along with the current `outrage` culture we’re suffering from?
I think you’re allowed to get outraged when someone almost accidentally starts a nuclear war.
Just one problem, that’s not what happened, not even in the most remote way. Further, making those kinds of baseless & ridiculous claims doesn’t help because along with people dumb enough to say them, there are people dumb enough to believe them.
Yes | No
Simply two options. No severe action should be triggered by just one click!
If a rocket is heading towards you, would you prefer a committee, or an application where you have to click and confirm multiple times? Or would you prefer a really quick action so you make a slightly better chance of surviving?
I would say: the for-real application and the test application should be separated. With a nasty red background for the real application.
If a rocket is heading towards you, two extra seconds to type in a keyword won’t make one bit of difference to the outcome. No, you would not want a system which took minutes to confirm, but a couple seconds isn’t going to get you away from ground zero.
Few seconds might make a difference for missile defense system though…
zima,
For intercontinental missiles, hopefully you can detect the launch and give humans much more than a couple of seconds to react. But hypothetically if we were being attacked from close neighbors (Mexico, Canada, Cuba, etc), then what good does it do to have humans in the loop at all? I’m not saying automated missile defense systems don’t make mistakes, but I’m genuinely asking, if an automated system determines a missile attack is imminent and every second counts, then what can a human possibly do in those few seconds that the machine hasn’t already been programmed to determine automatically? Get confirmation of a higher officer? That sounds good but where is *he* going to get information from? If there is a secondary detection system and the human’s orders are to enforce “if A and B, then launch”, then frankly having a human in the loop doesn’t help. If the human’s orders are to “use discretion”, then what is he supposed to do with that discretion? On what basis would he ignore the automated system at the last second? Sure, it could be a civilian plane (*) but how would it be anything other than “luck” for a human to make the right call in going against the automation? I don’t know how these military missile defense systems work in practice, if someone can explain it to me, please do!
* There’s actually some controversy this may have happened to a TWA-800 flight that exploded near NYC. Witnesses claim seeing a missile while the official government investigation claimed it was a spontaneous explosion in the fuel tanks:
https://en.wikipedia.org/wiki/TWA_Flight_800#Controversy
Making things even more suspicious is that the FBI chemists did initially report traces of explosives before closing the investigation saying “no evidence has been found which would indicate that a criminal act was the cause of the tragedy of TWA flight 800.” After which the NTSB took over the investigation.
https://en.wikipedia.org/wiki/Louis_Freeh#TWA_Flight_800
I have no idea which is true, if a military missile did accidentally shoot down the plane, it wouldn’t surprise me if the federal government covered it up. It’s also interesting to note that the FBI’s statement does not actually deny a missile (if you read it with the understanding that a military accident isn’t the same thing as a criminal act). It’s one of those controversies that never dies, like the JFK assassination.
Anyways, coming back to the topic of the emergency broadcast system, what they ended up doing is having two people acknowledge the alert before it gets sent out. This should theoretically improve accuracy overall and cut down on both false positives and false negatives (ie “I thought I sent the alert, but didn’t realize it was in ‘test mode’”).
A missile launched from a submarine off the coast of US would give similarly short reaction time as those launched from, say, Canada (especially Canada!) But yes, automation in missile defense systems is a delicate issue… especially since for example anti-ICBM ring around Moscow has, AFAIK, also nuclear-tipped missiles (I’ve seen once on Youtube a test launch of one, obviously with inert warhead; quite impressive, reached 50km in a few seconds)
Then there’s the rumoured “Dead Hand” system, which would launch Soviet/Russian arsenal automatically if their leadership got decapitated…
Isn’t any act which resulted in many deaths, including accidents, a criminal act / cause for criminal investigation at your place?
zima,
Not when caused by the military. Even when the Manning videos leaked showing non-accidental bloodshed of civilians by troops, it was an internal matter and there wasn’t a criminal case that I’m aware of. Ironically it’s often the whistleblowers who have the most to fear (dishonorable discharges, retaliation, imprisonment, etc). Sometimes it seems that government cares more about protecting its image than pursuing justice.
North Korean leadership certainly seems paranoid and vengeful enough (and secretive) to have such contingencies, but I doubt they’re ~automatic (considering the minuscule size of their nuclear arsenal and limited deployment capabilities, it probably wouldn’t be worth the trouble); more likely are plans for their conventional forces (I heard they have tons of artillery aimed at Seoul…), if the leadership was taken out …though perhaps written orders aren’t even necessary, they would fight regardless / Juche is basically a religion…
Hm, odd. At least at my place there was one prominent case, brought to civilian court by civilian prosecutor, after some troops deployed to Afghanistan shelled a village where they were suspecting Taliban, with civilian casualties. Though who knows what our current government, and “reformed” by it judiciary system, would do if similar case were to surface now…
if they are really separated, how can you be sure that what you test each day really works in case you ever need it?
No production channel should be active unless approved by those that understand the risks.
Otherwise mistakes like this will happen all the time.
The only one responsible for this is the senior who designed the system and backend processes.
In reality however they usually go towards juniors that are simply not prepared for these consequences.
As some have pointed out, this is not bad design. What’s bad is that selections with serious consequences would require serious confirmations, like, e.g., requiring two password-confirmed authorizations from two users, or something similar.
“A dropdown menu with just two options. That’s incredibly bad user interface design.”
<Looks around at the aging, non-responsive, non-secure-connection based OSAlert design…>
Yet at least OSAlert asks you if you really, really, want to downvote a comment from that “dropdown menu with just six options”.
Now you have it. The next time such an alarm comes up, people will just ignore it. Well done!
At least, in general.
Nothing worse than trying to make use of your modern computer system with loads of memory, built for multitasking, only to get a popup with an important decision, only to click on it when you were about to click on whatever else you were doing. The popup will then close, leaving it as a mystery as to what mutation you actually performed to your system.
Come on, UX library authors – remove this atrocity from your libraries to prevent other developers from doing harm!
Facebook and Slashdot both do this.
This night on visiting Facebook I wanted to click the field where you can write something new but the content of the page refreshed and suddenly I had activated some use profile picture to login or whatever it said. I have no fucking clue how to remove that. There was no option from that there or a Cancel or a link or such.
On Slashdot similarly I may check for replies and see the headlines and try to click one just to have that part pushed down with an ad resulting in a clicked ad instead.
Maybe these “intelligent” browsers shouldn’t start showing things at least until they know where on the page the content will be. Then again with java-scripts and shit maybe that’s hard. So don’t design user-interfaces in it?
And now Firefox will start pre-fetching webpages which tab you simply drag your pointer over …
Menu –> Missile Alert System
Pop-Up:
Radio Buttons: [Test] [Real] (default to test)
[Button – Send Alert] (default)
[Button – Cancel]
————-
To test: Select Alert System then press [enter]
Real: Select Alert System then select [real] then press [enter]
This would minimize the chance of sending a real alert by accident.
In the case of a real selection, you should have the user enter their password to verify that the person selecting the option is the same as the person who signed on to the computer (basically the same as requesting “su” permission to change system settings).
Ok the test was successful, it worked better than anyone could have anticipated. It exposed a weakness and design flaw. What failed was the president, if this would have happened under any other president it would have never been taken so seriously.
The two options should be named
“Testing Alert System”
and
“Kiss Your Ass Goodbye”
Then again I write this in Firefox in Windows 10 where the window buttons are minimize, maximize/windowize, close and where a right click on a tab is a bunch of choices from a drop down list.
In Opera given even tabs you may close tabs rather than switching between them or whatever it is which is happening.
So it’s not uncommon.
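
Several comments above propose three gates for a live alert: default to test mode, make the operator type back a word shown on screen, and require a second, different person. The sketch below combines the three; it is an added illustration, not code from any commenter or from the real alerting system, and the class, function names and word list are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed word list for the on-screen challenge (illustrative only).
CHALLENGE_WORDS = ("harbor", "copper", "violet", "magnet", "tundra", "saddle")
VALID_MODES = ("test", "live")


@dataclass
class AlertRequest:
    """A pending alert. The mode defaults to 'test'; 'live' needs extra gates."""
    initiator: str
    mode: str = "test"
    # A random word per request, so "yes"/Enter muscle memory cannot pass it.
    challenge: str = field(default_factory=lambda: secrets.choice(CHALLENGE_WORDS))
    approvals: set = field(default_factory=set)

    def approve(self, operator: str, typed: str) -> bool:
        """Record an approval only if the operator typed the displayed word."""
        given = typed.strip().lower().encode()
        if not hmac.compare_digest(given, self.challenge.encode()):
            return False
        self.approvals.add(operator)  # a set: repeat approvals count once
        return True

    def may_send(self) -> bool:
        if self.mode == "test":
            return True  # drills keep the quick one-step workflow
        # Live: the initiator and at least one *different* operator
        # must each have typed the challenge word.
        return self.initiator in self.approvals and len(self.approvals) >= 2


def dispatch(req: AlertRequest) -> str:
    """Return 'sent:<mode>' if every gate passed, otherwise 'blocked'."""
    if req.mode not in VALID_MODES:
        raise ValueError(f"unknown mode: {req.mode!r}")
    if not req.may_send():
        return "blocked"
    return "sent:" + req.mode


if __name__ == "__main__":
    live = AlertRequest(initiator="op1", mode="live")
    print(dispatch(live))                  # single operator, nothing typed
    live.approve("op1", live.challenge)
    live.approve("op2", live.challenge)
    print(dispatch(live))                  # two operators typed the word
```

The second approval costs a few seconds of typing rather than a round of dialogs, which is the trade-off the thread argues about.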