#manufacturing cloud Computing | Explore Tumblr posts and blogs

c1qfxugcgy0 · 5 months ago

Text

adventures in QA

(previous post in this series)

My shop in Advanced Midbody - Carbon Wing (AMCW) at Large Aircraft Manufacturer (LAM) is at the very end of the composite fabrication building. Hundreds of people carefully lay up a hundred foot long slab of carbon fiber, cure it, paint it, and then we totally fuck it up with out of spec holes, scrapes, primer damage, etc. The people who write up our many defects are from the Quality Assurance (QA) department.

Every single screw and rivet on a LAM aircraft can be traced back to the mechanic who installed it. Back when even everything was done in pen and pencil, it was joked that the paper used to produce an aircraft outweighed the plane itself. Now that everything is computer-based, of course, the amount of paperwork is free to grow without limit.

(Haunting the factory is endless media coverage of an emergency exit door plug popping out of an Advanced Smallbody - Upengine (ASU) plane during a routine flight a few months ago. Unlike that airframe's notorious problems with MCAS, this was a straightforward paperwork screwup by a line worker: the bolts were supposed to be tightened, and they weren't.

As a result the higher ups have visited hideous tribulations on non-salaried workers. Endless webinars, structured trainings. Here at the Widebody plant we have received a steady flow of refugees from the Narrowbody factory, hair-raising tales of receiving one hundred percent supervision from the moment they clock in to the second they clock out from FAA inspectors who can recommend actual jail time for any lapse in judgement.)

A single hydraulic bracket Installation Plan (IP) is around four brackets. The team leads generally assign two bracket IPs per mechanic, since each bracket set is something like a foot apart, and while working on the plane is bad enough it's much worse to have another mechanic in your lap.

Let me list the order of operations:

One: Find where you're supposed to install these brackets. This is harder than you might think.

Firstly, it's a hundred foot long plank of carbon fiber composite, with longitudinal stringers bonded to it to add stiffness. The stringers are pilot drilled in the trim and drill center, a truly Brobdingnagian CNC mill that trims off the composite flash at the edges and locates and drills part holes for us. But there's a lot of holes, so you must carefully find your set.

A minor difficulty is that the engineering drawings are laid out with the leading edge pointing up, while the wing panels in our cells hang from the trailing edge. Not so bad, you just rotate the paper 180 when orienteering, then rotate it back up to read the printed labels.

A major difficulty is that the drawings are from the perspective from the outside of the panel. But we work on the inside of the wing (obviously, that's where all the parts are installed) so we also flip the drawings and squint through the back of the paper, to make things line up.

Large Aircraft Manufacturer has a market cap of US$110 billion, and we're walking around the wing jig with sheets of paper rotated 180 and flipped turnways trying to find where to put brackets.

Oh well, we're paid by the hour.

Two: Match drill the aluminum brackets to the carbon fiber composite stringer. I can devote an entire post to the subtleties of drilling carbon fiber, but I can already tell that this post is going to be a miserable slog, so I will merrily skip over this step.

Three: Vacuum up all the carbon dust and aluminum swarf created during this process. This step is not optional, as your team lead will remind you, his screaming mouth clouding your safety glasses with spittle at a distance of four inches. LAM is very serious about FOD. Every jet airliner you've ever ridden in is a wet wing design-- each interstitial space is filled with Jet A. There is no fuel bladder or liner-- the fuel washes right over plane structure and wing hardware. Any dirt we leave behind will merrily float into the fuel and be sucked right into the engines, where it can cause millions in damage. No place for metal shavings!

If you are nervous about flying, avoid considering that all the hydraulic lines and engine control cables dip into a lake of a kerosene on their way from the flight deck to the important machines they command. Especially do not consider that we're paid about as much per hour as a McDonalds fry cook to install flight-critical aviation components.

Four: Neatly lay out your brackets on your cart, fight for a position at a Shared Production Workstation (SPW) (of which we have a total of four (4) for a crew of thirty (30) mechanics) and mark your IP for QA inspection as Ready To Apply Seal.

Four: Twiddle your thumbs. Similarly, we have three QA people for thirty mechanics. This is not enough QA people, as I will make enormously clear in the following steps.

Five: Continue waiting. Remember, you must not do anything until a QA person shows up and checks the box. Skipping a QA step is a “process failure” and a disciplinary offense. From the outside, you can observe the numerous QA whistleblowers and say “golly, why would a mechanic ever cut a corner and ignore QA?” Well...

Six: QA shows up. Theoretically, they could choose to pick up the mahrmax you prepared for them and gauge every single hole you've drilled. But since we're three hours into the shift and they're already twenty jobs behind, they just flick their flashlight across the panel and say “looks good" and then sprint away. Can't imagine why our planes keep falling out of the sky.

Seven: Apply the seal to the bracket. P/S 890 is a thick dark gray goop that adheres well to aluminum, carbon fiber, fabric, hair and skin. Once cured, it is completely immune to any chemical attack short of piranha solution, so if you get any on yourself you had better notice quick, otherwise it'll be with you as long as the layer of epidermis it's bonded to. LAM employees who work with fuel tank sealant very quickly get out of the habit of running their hands through their hair.

Eight: Now you wait again. Ha ha, you dumb asshole, you thought you were done with QA? No no, now you put up the job for QA inspection of how well you put the seal on the bracket. Twiddle your thumbs, but now with some urgency. The minute you took the bottle of seal out of the freezer, you started the clock on its "squeeze-out life." For this type of seal, on this job, it's 120 minutes. If QA doesn't get to you before that time expires, you remove your ticket, wipe off the seal, take another bottle out the freezer, and apply a fresh layer.

Nine: Optimistically, QA shows up in time and signs off on the seal. Well, you're 100 minutes into your 120 minute timer. Quickly, you slap the brackets onto the stringer, air hammer the sleeve bolts into position, thread nuts onto the bolts, then torque them down. Shove through the crowd and mark your IP "ready to inspect squeeze out"

Ten: Let out a long breath and relax. All the time sensitive parts are over. The criteria here is "visible and continuous" squeeze out all along the perimeter of the bracket and the fasteners. It is hard to screw this up, just glop on a wild excess of seal before installing it. If you do fail squeezeout, though, the only remedy is to take everything off, throw away the single-use distorted thread locknuts, clean everything up and try again tomorrow.

Eleven: QA approved squeeze out? Break's over, now we're in a hurry again. By now there's probably only an hour or two left in the shift, and your job now is to clean off all that squeeze out. Here's where you curse your past self for glopping on too much seal. You want to get it off ASAP because if you leave it alone or if it's too late in the shift and your manager does feel like approving overtime it'll cure to a rock hard condition overnight and you'll go through hell chipping it off the next day. You'll go through a hundred or so qtips soaked in MPK cleaning up the bracket and every surface of the panel within three feet.

Twelve: Put it up for final inspection. Put away all your tools. (The large communal toolboxes are lined with kaizen foam precisely cut out to hold each individual tool, which makes it obvious if any tool is missing. When you take a tool out, you stick a tool chit with your name and LAMID printed on it in its place. Lose a tool? Stick your head between your legs and kiss your ass goodbye, pal, because the default assumption is that a lost screwdriver is lurking in a hollow "hat" stringer, waiting to float out and damage some critical component years after the airplane is delivered.)

One tool you'll leave on your cart, however, is the pin protrusion gage. There is a minimum amount of thread that must poke outside of the permanent straight shank fastener's (Hi-Lok) nut, to indicate that the nut is fully engaged. That makes sense. But there's also a maximum protrusion. Why?

Well, it's an airplane. Ounces make pounds. An extra quarter inch of stickout across a thousand fasteners across a 30 year service life means tons of additional fuel burnt. So you can't use a fastener that's too long, because it adds weight.

On aluminum parts, it's hard to mess up. But any given composite part is laid up from many layers of carbon fiber tape. The engineers seemed to have assumed that dimensional variation would be normally distributed. But, unfortunately, we buy miles of carbon fiber at a time, and the size only very gradually changes between lots. When entire batches are several microns oversize, and you're laying up parts from fifty plies and an inch thick, you can have considerable variation of thickness on any given structural component. So you had better hope you had test fit all of your fasteners ahead of time, or else you'll be real sorry!

And, if you're really lucky, QA will show up five minutes before end of shift, pronounce everything within tolerance, then fuck off.

And that's how it takes eight hours to install eight brackets.

#avgeek #large aircraft manufacturer

158 notes · View notes

mostlysignssomeportents · 8 months ago

Text

The antitrust case against Apple

I'm on tour with my new, nationally bestselling novel The Bezzle! Catch me TONIGHT (Mar 22) in TORONTO, then SUNDAY (Mar 24) with LAURA POITRAS in NYC, then Anaheim, and beyond!

The foundational tenet of "the Cult of Mac" is that buying products from a $3t company makes you a member of an oppressed ethnic minority and therefore every criticism of that corporation is an ethnic slur:

https://pluralistic.net/2024/01/12/youre-holding-it-wrong/#if-dishwashers-were-iphones

Call it "Apple exceptionalism" – the idea that Apple, alone among the Big Tech firms, is virtuous, and therefore its conduct should be interpreted through that lens of virtue. The wellspring of this virtue is conveniently nebulous, which allows for endless goal-post shifting by members of the Cult of Mac when Apple's sins are made manifest.

Take the claim that Apple is "privacy respecting," which is attributed to Apple's business model of financing its services though cash transactions, rather than by selling it customers to advertisers. This is the (widely misunderstood) crux of the "surveillance capitalism" hypothesis: that capitalism is just fine, but once surveillance is in the mix, capitalism fails.

Apple, then, is said to be a virtuous company because its behavior is disciplined by market forces, unlike its spying rivals, whose ability to "hack our dopamine loops" immobilizes the market's invisible hand with "behavior-shaping" shackles:

http://pluralistic.net/HowToDestroySurveillanceCapitalism

Apple makes a big deal out of its privacy-respecting ethos, and not without some justification. After all, Apple went to the mattresses to fight the FBI when they tried to force Apple to introduced defects into its encryption systems:

https://www.eff.org/deeplinks/2018/04/fbi-could-have-gotten-san-bernardino-shooters-iphone-leadership-didnt-say

And Apple gave Ios users the power to opt out of Facebook spying with a single click; 96% of its customers took them up on this offer, costing Facebook $10b (one fifth of the pricetag of the metaverse boondoggle!) in a single year (you love to see it):

https://arstechnica.com/gadgets/2021/02/facebook-makes-the-case-for-activity-tracking-to-ios-14-users-in-new-pop-ups/

Bruce Schneier has a name for this practice: "feudal security." That's when you cede control over your device to a Big Tech warlord whose "walled garden" becomes a fortress that defends you against external threats:

https://pluralistic.net/2021/06/08/leona-helmsley-was-a-pioneer/#manorialism

The keyword here is external threats. When Apple itself threatens your privacy, the fortress becomes a prison. The fact that you can't install unapproved apps on your Ios device means that when Apple decides to harm you, you have nowhere to turn. The first Apple customers to discover this were in China. When the Chinese government ordered Apple to remove all working privacy tools from its App Store, the company obliged, rather than risk losing access to its ultra-cheap manufacturing base (Tim Cook's signal accomplishment, the one that vaulted him into the CEO's seat, was figuring out how to offshore Apple manufacturing to China) and hundreds of millions of middle-class consumers:

https://www.reuters.com/article/us-china-apple-vpn/apple-says-it-is-removing-vpn-services-from-china-app-store-idUSKBN1AE0BQ

Killing VPNs and other privacy tools was just for openers. After Apple caved to Beijing, the demands kept coming. Next, Apple willingly backdoored all its Chinese cloud services, so that the Chinese state could plunder its customers' data at will:

https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html

This was the completely foreseeable consequence of Apple's "curated computing" model: once the company arrogated to itself the power to decide which software you could run on your own computer, it was inevitable that powerful actors – like the Chinese Communist Party – would lean on Apple to exercise that power in service to its goals.

Unsurprisingly, the Chinese state's appetite for deputizing Apple to help with its spying and oppression was not sated by backdooring iCloud and kicking VPNs out of the App Store. As recently as 2022, Apple continued to neuter its tools at the behest of the Chinese state, breaking Airdrop to make it useless for organizing protests in China:

https://pluralistic.net/2022/11/11/foreseeable-consequences/#airdropped

But the threat of Apple turning on its customers isn't limited to China. While the company has been unwilling to spy on its users on behalf of the US government, it's proven more than willing to compromise its worldwide users' privacy to pad its own profits. Remember when Apple let its users opt out of Facebook surveillance with one click? At the very same time, Apple was spinning up its own commercial surveillance program, spying on Ios customers, gathering the very same data as Facebook, and for the very same purpose: to target ads. When it came to its own surveillance, Apple completely ignored its customers' explicit refusal to consent to spying, spied on them anyway, and lied about it:

https://pluralistic.net/2022/11/14/luxury-surveillance/#liar-liar

Here's the thing: even if you believe that Apple has a "corporate personality" that makes it want to do the right thing, that desire to be virtuous is dependent on the constraints Apple faces. The fact that Apple has complete legal and technical control over the hardware it sells – the power to decide who can make software that runs on that hardware, the power to decide who can fix that hardware, the power to decide who can sell parts for that hardware – represents an irresistible temptation to enshittify Apple products.

"Constraints" are the crux of the enshittification hypothesis. The contagion that spread enshittification to every corner of our technological world isn't a newfound sadism or indifference among tech bosses. Those bosses are the same people they've always been – the difference is that today, they are unconstrained.

Having bought, merged or formed a cartel with all their rivals, they don't fear competition (Apple buys 90+ companies per year, and Google pays it an annual $26.3b bribe for default search on its operating systems and programs).

Having captured their regulators, they don't fear fines or other penalties for cheating their customers, workers or suppliers (Apple led the coalition that defeated dozens of Right to Repair bills, year after year, in the late 2010s).

Having wrapped themselves in IP law, they don't fear rivals who make alternative clients, mods, privacy tools or other "adversarial interoperability" tools that disenshittify their products (Apple uses the DMCA, trademark, and other exotic rules to block third-party software, repair, and clients).

True virtue rests not merely in resisting temptation to be wicked, but in recognizing your own weakness and avoiding temptation. As I wrote when Apple embarked on its "curated computing" path, the company would eventually – inevitably – use its power to veto its customers' choices to harm those customers:

https://memex.craphound.com/2010/04/01/why-i-wont-buy-an-ipad-and-think-you-shouldnt-either/

Which is where we're at today. Apple – uniquely among electronics companies – shreds every device that is traded in by its customers, to block third parties from harvesting working components and using them for independent repair:

https://www.vice.com/en/article/yp73jw/apple-recycling-iphones-macbooks

Apple engraves microscopic Apple logos on those parts and uses these as the basis for trademark complaints to US customs, to block the re-importation of parts that escape its shredders:

https://repair.eu/news/apple-uses-trademark-law-to-strengthen-its-monopoly-on-repair/

Apple entered into an illegal price-fixing conspiracy with Amazon to prevent used and refurbished devices from being sold in the "world's biggest marketplace":

https://pluralistic.net/2022/11/10/you-had-one-job/#thats-just-the-as

Why is Apple so opposed to independent repair? Well, they say it's to keep users safe from unscrupulous or incompetent repair technicians (feudal security). But when Tim Cook speaks to his investors, he tells a different story, warning them that the company's profits are threatened by customers who choose to repair (rather than replace) their slippery, fragile glass $1,000 pocket computers (the fortress becomes a prison):

https://www.apple.com/newsroom/2019/01/letter-from-tim-cook-to-apple-investors/

All this adds up to a growing mountain of immortal e-waste, festooned with miniature Apple logos, that our descendants will be dealing with for the next 1,000 years. In the face of this unspeakable crime, Apple engaged in a string of dishonest maneuvers, claiming that it would support independent repair. In 2022, Apple announced a home repair program that turned out to be a laughably absurd con:

https://pluralistic.net/2022/05/22/apples-cement-overshoes/

Then in 2023, Apple announced a fresh "pro-repair" initiative that, once again, actually blocked repair:

https://pluralistic.net/2023/09/22/vin-locking/#thought-differently

Let's pause here a moment and remember that Apple once stood for independent repair, and celebrated the independent repair technicians that kept its customers' beloved Macs running:

https://pluralistic.net/2021/10/29/norwegian-potato-flour-enchiladas/#r2r

Whatever virtue lurks in Apple's corporate personhood, it is no match for the temptation that comes from running a locked-down platform designed to capture IP rights so that it can prevent normal competitive activities, like fixing phones, processing payments, or offering apps.

When Apple rolled out the App Store, Steve Jobs promised that it would save journalism and other forms of "content creation" by finally giving users a way to pay rightsholders. A decade later, that promise has been shattered by the app tax – a 30% rake on every in-app transaction that can't be avoided because Apple will kick your app out of the App Store if you even mention that your customers can pay you via the web in order to avoid giving a third of their content dollars to a hardware manufacturer that contributed nothing to the production of that material:

https://www.eff.org/deeplinks/2023/06/save-news-we-must-open-app-stores

Among the apps that Apple also refuses to allow on Ios is third-party browsers. Every Iphone browser is just a reskinned version of Apple's Safari, running on the same antiquated, insecure Webkit browser engine. The fact that Webkit is incomplete and outdated is a feature, not a bug, because it lets Apple block web apps – apps delivered via browsers, rather than app stores:

https://pluralistic.net/2022/12/13/kitbashed/#app-store-tax

Last month, the EU took aim at Apple's veto over its users' and software vendors' ability to transact with one another. The newly in-effect Digital Markets Act requires Apple to open up both third-party payment processing and third-party app stores. Apple's response to this is the very definition of malicious compliance, a snake's nest of junk-fees, onerous terms of service, and petty punitive measures that all add up to a great, big "Go fuck yourself":

https://pluralistic.net/2024/02/06/spoil-the-bunch/#dma

But Apple's bullying, privacy invasion, price-gouging and environmental crimes are global, and the EU isn't the only government seeking to end them. They're in the firing line in Japan:

https://asia.nikkei.com/Business/Technology/Japan-to-crack-down-on-Apple-and-Google-app-store-monopolies

And in the UK:

https://www.gov.uk/government/news/cma-wins-appeal-in-apple-case

And now, famously, the US Department of Justice is coming for Apple, with a bold antitrust complaint that strikes at the heart of Apple exceptionalism, the idea that monopoly is safer for users than technological self-determination:

https://www.justice.gov/opa/media/1344546/dl?inline

There's passages in the complaint that read like I wrote them:

Apple wraps itself in a cloak of privacy, security, and consumer preferences to justify its anticompetitive conduct. Indeed, it spends billions on marketing and branding to promote the self-serving premise that only Apple can safeguard consumers’ privacy and security interests. Apple selectively compromises privacy and security interests when doing so is in Apple’s own financial interest—such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars each year for choosing Google as its default search engine when more private options are available. In the end, Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests.

After all, Apple punishes its customers for communicating with Android users by forcing them to do so without any encryption. When Beeper Mini rolled out an Imessage-compatible Android app that fixed this, giving Iphone owners the privacy Apple says they deserve but denies to them, Apple destroyed Beeper Mini:

https://blog.beeper.com/p/beeper-moving-forward

Tim Cook is on record about this: if you want to securely communicate with an Android user, you must "buy them an Iphone":

https://www.theverge.com/2022/9/7/23342243/tim-cook-apple-rcs-imessage-android-iphone-compatibility

If your friend, family member or customer declines to change mobile operating systems, Tim Cook insists that you must communicate without any privacy or security.

Even where Apple tries for security, it sometimes fails ("security is a process, not a product" -B. Schneier). To be secure in a benevolent dictatorship, it must also be an infallible dictatorship. Apple's far from infallible: Eight generations of Iphones have unpatchable hardware defects:

https://checkm8.info/

And Apple's latest custom chips have secret-leaking, unpatchable vulnerabilities:

https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/

Apple's far from infallible – but they're also far from benevolent. Despite Apple's claims, its hardware, operating system and apps are riddled with deliberate privacy defects, introduce to protect Apple's shareholders at the expense of its customers:

https://proton.me/blog/iphone-privacy

Now, antitrust suits are notoriously hard to make, especially after 40 years of bad-precedent-setting, monopoly-friendly antitrust malpractice. Much of the time, these suits fail because they can't prove that tech bosses intentionally built their monopolies. However, tech is a written culture, one that leaves abundant, indelible records of corporate deliberations. What's more, tech bosses are notoriously prone to bragging about their nefarious intentions, committing them to writing:

https://pluralistic.net/2023/09/03/big-tech-cant-stop-telling-on-itself/

Apple is no exception – there's an abundance of written records that establish that Apple deliberately, illegally set out to create and maintain a monopoly:

https://www.wired.com/story/4-internal-apple-emails-helped-doj-build-antitrust-case/

Apple claims that its monopoly is beneficent, used to protect its users, making its products more "elegant" and safe. But when Apple's interests conflict with its customers' safety and privacy – and pocketbooks – Apple always puts itself first, just like every other corporation. In other words: Apple is unexceptional.

The Cult of Mac denies this. They say that no one wants to use a third-party app store, no one wants third-party payments, no one wants third-party repair. This is obviously wrong and trivially disproved: if no Apple customer wanted these things, Apple wouldn't have to go to enormous lengths to prevent them. The only phones that an independent Iphone repair shop fixes are Iphones: which means Iphone owners want independent repair.

The rejoinder from the Cult of Mac is that those Iphone owners shouldn't own Iphones: if they wanted to exercise property rights over their phones, they shouldn't have bought a phone from Apple. This is the "No True Scotsman" fallacy for distraction-rectangles, and moreover, it's impossible to square with Tim Cook's insistence that if you want private communications, you must buy an Iphone.

Apple is unexceptional. It's just another Big Tech monopolist. Rounded corners don't preserve virtue any better than square ones. Any company that is freed from constraints – of competition, regulation and interoperability – will always enshittify. Apple – being unexceptional – is no exception.

Name your price for 18 of my DRM-free ebooks and support the Electronic Frontier Foundation with the Humble Cory Doctorow Bundle.

If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2024/03/22/reality-distortion-field/#three-trillion-here-three-trillion-there-pretty-soon-youre-talking-real-money

238 notes · View notes

agapi-kalyptei · 4 months ago

Text

crowdstrike: hot take 1

It's too early in the news cycle to say anything truly smart, but to sum things up, what I know so far:

there was no "hack" or cyberattack or data breach*

a private IT security company called CrowdStrike released a faulty update which practically disabled all its desktop (?) Windows workstations (laptops too, but maybe not servers? not sure)

the cause has been found and a fix is on the way

as it stands now, the fix will have to be manually applied (in person) to each affected workstation (this could mean in practice maybe 5, maybe 30 minutes of work for each affected computer - the number is also unknown, but it very well could be tens (or hundreds) of thousands of computers across thousands of large, multinational enterprises.

(The fix can be applied manually if you have a-bit-more-than-basic knowledge of computers)

Things that are currently safe to assume:

this wasn't a fault of any single individual, but of a process (workflow on the side of CrowdStrike) that didn't detect the fault ahead of time

[most likely] it's not that someone was incompetent or stupid - but we don't have the root cause analysis available yet

deploying bugfixes on Fridays is a bad idea

*The obligatory warning part:

Just because this wasn't a cyberattack, doesn't mean there won't be related security breaches of all kinds in all industries. The chaos, panic, uncertainty, and very soon also exhaustion of people dealing with the fallout of the issue will create a perfect storm for actually malicious actors that will try to exploit any possible vulnerability in companies' vulnerable state.

The analysis / speculation part:

globalization bad lol

OK, more seriously: I have not even heard about CrowdStrike until today, and I'm not a security engineer. I'm a developer with mild to moderate (outsider) understanding of vulnerabilities.

OK some background / basics first

It's very common for companies of any size to have more to protect their digital assets than just an antivirus and a firewall. Large companies (Delta Airlines) can afford to pay other large companies to provide security solutions for them (CrowdStrike). These days, to avoid bad software of any kind - malware - you need a complex suite of software that protects you from all sides:

desktop/laptop: antivirus, firewall, secure DNS, avoiding insecure WiFi, browser exploits, system patches, email scanner, phishing on web, phishing via email, physical access, USB thumb drive, motherboard/BIOS/UEFI vulnerabilities or built-in exploits made by the manufacturers of the Chinese government,

person/phone: phishing via SMS, phishing via calls, iOS/Android OS vulnerabilities, mobile app vulnerabilities, mobile apps that masquerade as useful while harvesting your data, vulnerabilities in things like WhatsApp where a glitched JPG pictures sent to you can expose your data, ...

servers: mostly same as above except they servers have to often deal with millions of requests per day, most of them valid, and at least some of the servers need to be connected to the internet 24/7

CDN and cloud services: fundamentally, an average big company today relies on dozens or hundreds of other big internet companies (AWS / Azure / GCP / Apple / Google) which in turn rely on hundreds of other companies to outsource a lot of tasks (like harvesting your data and sending you marketing emails)

infrastructure - routers... modems... your Alexa is spying on you... i'm tired... etc.

Anyway if you drifted to sleep in the previous paragraph I don't blame you. I'm genuinely just scratching the surface. Cybersecurity is insanely important today, and it's insanely complex too.

The reason why the incident blue-screened the machines is that to avoid malware, a lot of the anti-malware has to run in a more "privileged" mode, meaning they exist very close to the "heart" of Windows (or any other OS - the heart is called kernel). However, on this level, a bug can crash the system a lot more easily. And it did.

OK OK the actual hot lukewarm take finally

I didn't expect to get hit by y2k bug in the middle of 2024, but here we are.

As bad as it was, this only affected a small portion of all computers - in the ballpark of ~0.001% or even 0.0001% - but already caused disruptions to flights and hospitals in a big chunk of the world.

maybe-FAQ:

"Oh but this would be avoided if they weren't using the Crowdwhatever software" - true. However, this kind of mistake is not exclusive to them.

"Haha windows sucks, Linux 4eva" - I mean. Yeah? But no. Conceptually there is nothing that would prevent this from happening on Linux, if only there was anyone actually using it (on desktop).

"But really, Windows should have a better protection" - yes? no? This is a very difficult, technical question, because for kernel drivers the whole point is that 1. you trust them, and 2. they need the super-powerful-unrestrained access to work as intended, and 3. you _need_ them to be blazing fast, so babysitting them from the Windows perspective is counterproductive. It's a technical issue with no easy answers on this level.

"But there was some issue with Microsoft stuff too." - yes, but it's unknown if they are related, and at this point I have not seen any solid info about it.

The point is, in a deeply interconnected world, it's sort of a miracle that this isn't happening more often, and on a wider scale. Both bugfixes and new bugs are deployed every minute to some software somewhere in the world, because we're all in a rush to make money and pay rent and meet deadlines.

Increased monoculture in IT is bad for everyone. Whichever OS, whichever brand, whichever security solution provider - the more popular they are, the better visible their mistakes will be.

As much as it would be fun to make jokes like "CrowdStroke", I'm not even particularly mad at the company (at this point - that might change when I hear about their QA process). And no, I'm not even mad at Windows, as explained in the pseudo-FAQ.

The ultimate hot take? If at all possible, don't rely on anything related to computers. Technical problems are caused by technical solutions.

#crowdstrike #cybersecurity #anyway i'm microdosing today so it's probably too boring to read #but hopefully it at least mostly made sense #to be honest I wanted to have more of a hot take #but the truth is mundane

73 notes · View notes