18 October 2019

What is the most sophisticated piece of software ever written?

Buckle in.

The most sophisticated software in history was written by a team of people whose names we do not know.

It’s a computer worm. The worm was written, probably, between 2005 and 2010.

Because the worm is so complex and sophisticated, I can only give the most superficial outline of what it does.

This worm exists first on a USB drive. Someone could just find that USB drive lying around, or get it in the mail, and wonder what was on it. When that USB drive is inserted into a Windows PC, without the user knowing it, that worm will quietly run itself, and copy itself to that PC. It has at least three ways of trying to get itself to run. If one way doesn’t work, it tries another. At least two of these methods to launch itself were completely new then, and both of them used two independent, secret bugs in Windows that no one else knew about, until this worm came along.

Once the worm runs itself on a PC, it tries to get administrator access on that PC. It doesn’t mind if there’s antivirus software installed — the worm can sneak around most antivirus software. Then, based on the version of Windows it’s running on, the worm will try one of two previously unknown methods of getting that administrator access on that PC. Until this worm was released, no one knew about these secret bugs in Windows either.

At this point, the worm is now able to cover its tracks by getting underneath the operating system, so that no antivirus software can detect that it exists. It binds itself secretly to that PC, so that even if you look on the disk for where the worm should be, you will see nothing. This worm hides so well, that the worm ran around the Internet for over a year without any security company in the world recognizing that it even existed.

The software then checks to see if it can get on the Internet. If it can, it attempts to visit either http://www.mypremierfutbol.com or http://www.todaysfutbol.com . At the time, these servers were in Malaysia and Denmark. It opens an encrypted link and tells these servers that it has succeeded in owning a new PC. The worm then automatically updates itself with the newest version.

At this point, the worm makes copies of itself to any other USB sticks you happen to plug in. It does this by installing a carefully designed but fake disk driver. This driver was digitally signed by Realtek, which means that the authors of the worm were somehow able to break into the most secure location in a huge Taiwanese company, and steal the most secret key that this company owns, without Realtek finding out about it.

Later, whoever wrote that driver started signing it with secret keys from JMicron, another big Taiwanese company. Yet again, the authors had to figure out how to break into the most secure location in that company and steal the most secure key that that company owns, without JMicron finding out about it.

This worm we are talking about is sophisticated.

And it hasn’t even got started yet.

At this point, the worm makes use of two recently discovered Windows bugs. One bug relates to network printers, and the other relates to network files. The worm uses those bugs to install itself across the local network, onto all the other computers in the facility.

Now, the worm looks around for a very specific bit of control software, designed by Siemens for automating large industrial machinery. Once it finds it, it uses (you guessed it) yet another previously unknown bug for copying itself into the programmable logic of the industrial controller. Once the worm digs into this controller, it’s in there for good. No amount of replacing or disinfecting PCs can get rid of the worm now.

The worm checks for attached industrial electric motors from two specific companies. One of those companies is in Iran, and the other is in Finland. The specific motors it searches for are called variable-frequency drives. They’re used for running industrial centrifuges. You can purify many kinds of chemicals in centrifuges.

Such as uranium.

Now at this point, since the worm has complete control of the centrifuges, it can do anything it wants with them. The worm can shut them all down. The worm can destroy them all immediately — just spin them over maximum speed until they all shatter like bombs, killing anyone who happens to be standing near.

But no. This is a sophisticated worm. The worm has other plans.

Once it controls every centrifuge in your facility… the worm just goes to sleep.

Days pass. Or weeks. Or seconds.

When the worm decides the time is right, the worm quietly wakes itself up. The worm randomly picks a few of those centrifuges while they are purifying uranium. The worm locks them, so that if someone notices that something is wrong, a human can’t turn the centrifuges off.

And then, stealthily, the worm starts spinning those centrifuges… a little wrong. Not a crazy amount wrong, mind you. Just, y’know, a little too fast. Or a little too slow. Just a tiny bit out of safe parameters.

At the same time, it increases the gas pressure in those centrifuges. The gas in those centrifuges is called UF6. Pretty nasty stuff. The worm makes the pressure of that UF6, just a tiny bit out of safe parameters. Just enough that the UF6 gas in the centrifuges, has a small chance of turning into rock, while the centrifuge is spinning.

Centrifuges don’t like running too fast or too slow. And they don’t like rocks either.

The worm has one last trick up its sleeve. And it’s pure evil genius.

In addition to everything else it’s doing, the worm is now playing us back a 21-second data recording on our computer screens that it captured when the centrifuges were working normally.

The worm plays the recording over and over, in a loop.

As a result, all the centrifuge data on the computer screens looks completely fine, to us humans.

But it’s all just a fake recording, produced by the worm.

Now let’s imagine that you are responsible for purifying uranium using this huge industrial factory. And everything seems to be working okay. Maybe some of the motors sound a little off, but all the numbers on the computer show that the centrifuge motors are running exactly as designed.

Then the centrifuges start breaking. Randomly, one after another. Usually they die quietly. Rarely though, they make a scene when they die. And the uranium yield, it keeps plummeting. Uranium has to be pure. Your uranium is not pure enough to do anything useful.

What would you do, if you were running that uranium enrichment facility? You’d check everything over and over and over, not understanding why everything was off. You could replace every single PC in your facility if you wanted to.

But the centrifuges would go right on breaking. And you have no possible way of knowing why.

And on your watch, eventually, about 1000 centrifuges would fail or be taken offline. You’d go a little crazy, trying to figure out why nothing was working as designed.

That is exactly what happened.

You would never expect that all those problems were caused by a computer worm, the most devious and intelligent computer worm in history, written by some incredibly secret team with unlimited money and unlimited resources, designed with exactly one purpose in mind: to sneak past every known digital defense, and to destroy your country’s nuclear bomb program, all without getting caught.

To have one piece of software do any ONE of those things would be a small miracle. To have it do ALL of those things and many more, well…

… the Stuxnet worm would have to be the most sophisticated software ever written.
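The looped 21-second recording described above leaves a trace a defender can look for: live sensor readings carry noise and do not repeat sample for sample, so a feed whose recent history repeats exactly is suspect. The following Python is an added example, not part of the original post; the one-reading-per-second rate, the function names and the sample values are assumptions constructed for illustration.

```python
import random

def find_replay_period(samples, min_period=5, max_period=60, min_repeats=3, tol=0.0):
    """Return the shortest period p (in samples) for which the most recent
    min_repeats * p readings repeat every p samples, or None if none does."""
    n = len(samples)
    for p in range(min_period, max_period + 1):
        window = min_repeats * p
        if window > n:
            break  # not enough history for this or any longer period
        tail = samples[n - window:]
        # Every reading must match the one exactly p samples later (within tol).
        if all(abs(tail[i] - tail[i + p]) <= tol for i in range(window - p)):
            return p
    return None

def first_alarm(stream, **kwargs):
    """Feed readings one at a time; return (index, period) of the first alarm."""
    seen = []
    for idx, value in enumerate(stream):
        seen.append(value)
        period = find_replay_period(seen, **kwargs)
        if period is not None:
            return idx, period
    return None

def make_constructed_streams(seed=7, live_len=60, loop_len=21, loops=4):
    """Constructed data: a noisy speed reading (arbitrary units) at an assumed
    1 sample/second. 'replayed' loops the last 21 live samples; 'honest' stays live."""
    rng = random.Random(seed)

    def reading():
        return round(1000.0 + rng.gauss(0, 0.5), 1)

    live = [reading() for _ in range(live_len)]
    recording = live[-loop_len:]              # what was captured while things ran normally
    replayed = live + recording * loops       # what the operator screen shows afterwards
    honest = live + [reading() for _ in range(loop_len * loops)]
    return honest, replayed

if __name__ == "__main__":
    honest, replayed = make_constructed_streams()
    print("honest feed  :", first_alarm(honest))
    print("replayed feed:", first_alarm(replayed))
```

A stuck or flat-lined signal also matches this check and deserves the same alert. The check only sees the displayed feed, so it complements, rather than replaces, comparing that feed against an independently wired measurement.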

16 October 2017

Rubber duck debugging

Today I spent an hour trying to figure out why "the system" was behaving a particular way. My conclusion was that it was impossible based on the code. Eventually I decided to call over an experienced colleague as another pair of eyes. Just 30 seconds into explaining the issue I figured out what was wrong. To which my colleague said, "You didn't need me, you just needed a rubber duck!"


15 August 2017

Diffuse an argument by asking what the other person wants from it


14 July 2017

The Joel on Software Discussion Group - Why I Hate Frameworks


I'm currently in the planning stages of building a hosted Java web application (yes, it has to be Java, for a variety of reasons that I don't feel like going into right now). In the process, I'm evaluating a bunch of J2EE portlet-enabled JSR-compliant MVC role-based CMS web service application container frameworks.

And after spending dozens of hours reading through feature lists and documentation, I'm ready to gouge out my eyes.

Let's pretend I've decided to build a spice rack.

I've done small woodworking projects before, and I think I have a pretty good idea of what I need: some wood and a few basic tools: a tape measure, a saw, a level, and a hammer.

If I were going to build a whole house, rather than just a spice rack, I'd still need a tape measure, a saw, a level, and a hammer (among other things).

So I go to the hardware store to buy the tools, and I ask the sales clerk where I can find a hammer.

"A hammer?" he asks. "Nobody really buys hammers anymore. They're kind of old fashioned."

Surprised at this development, I ask him why.

"Well, the problem with hammers is that there are so many different kinds. Sledge hammers, claw hammers, ball-peen hammers. What if you bought one kind of hammer and then realized that you needed a different kind of hammer later? You'd have to buy a separate hammer for your next task. As it turns out, most people really want a single hammer that can handle all of the different kinds of hammering tasks you might encounter in your life."

"Hmmmmmm. Well, I suppose that sounds all right. Can you show me where to find a Universal Hammer?"

"No, we don't sell those anymore. They're pretty obsolete."

"Really? I thought you just said that the Universal Hammer was the wave of the future."

"As it turns out, if you make only one kind of hammer, capable of performing all the same tasks as all those different kinds of hammers, then it isn't very good at any of them. Driving a nail with a sledgehammer isn't very effective. And, if you want to kill your ex-girlfriend, there's really no substitute for a ball-peen hammer."

"That's true. So, if nobody buys Universal Hammers anymore, and if you're no longer selling all those old-fashioned kinds of hammers, what kinds of hammers do you sell?"

"Actually, we don't sell hammers at all."


"According to our research, what people really needed wasn't a Universal Hammer after all. It's always better to have the right kind of hammer for the job. So, we started selling hammer factories, capable of producing whatever kind of hammers you might be interested in using. All you need to do is staff the hammer factory with workers, activate the machinery, buy the raw materials, pay the utility bills, and PRESTO...you'll have *exactly* the kind of hammer you need in no time flat."

"But I don't really want to buy a hammer factory..."

"That's good. Because we don't sell them anymore."

"But I thought you just said..."

"We discovered that most people don't actually need an entire hammer factory. Some people, for example, will never need a ball-peen hammer. (Maybe they've never had ex-girlfriends. Or maybe they killed them with icepicks instead.) So there's no point in someone buying a hammer factory that can produce every kind of hammer under the sun."

"Yeah, that makes a lot of sense."

"So, instead, we started selling schematic diagrams for hammer factories, enabling our clients to build their own hammer factories, custom engineered to manufacture only the kinds of hammers that they would actually need."

"Let me guess. You don't sell those anymore."

"Nope. Sure don't. As it turns out, people don't want to build an entire factory just to manufacture a couple of hammers. Leave the factory-building up to the factory-building experts, that's what I always say!!"

"And I would agree with you there."

"Yup. So we stopped selling those schematics and started selling hammer-factory-building factories. Each hammer factory factory is built for you by the top experts in the hammer factory factory business, so you don't need to worry about all the details that go into building a factory. Yet you still get all the benefits of having your own customized hammer factory, churning out your own customized hammers, according to your own specific hammer designs."

"Well, that doesn't really..."

"I know what you're going to say!! ...and we don't sell those anymore either. For some reason, not many people were buying the hammer factory factories, so we came up with a new solution to address the problem."

"Uh huh."

"When we stepped back and looked at the global tool infrastructure, we determined that people were frustrated with having to manage and operate a hammer factory factory, as well as the hammer factory that it produced. That kind of overhead can get pretty cumbersome when you deal with the likely scenario of also operating a tape measure factory factory, a saw factory factory, and a level factory factory, not to mention a lumber manufacturing conglomerate holding company. When we really looked at the situation, we determined that that's just too complex for someone who really just wants to build a spice rack."

"Yeah, no kidding."

"So this week, we're introducing a general-purpose tool-building factory factory factory, so that all of your different tool factory factories can be produced by a single, unified factory. The factory factory factory will produce only the tool factory factories that you actually need, and each of those factory factories will produce a single factory based on your custom tool specifications. The final set of tools that emerge from this process will be the ideal tools for your particular project. You'll have *exactly* the hammer you need, and exactly the right tape measure for your task, all at the press of a button (though you may also have to deploy a few *configuration files* to make it all work according to your expectations)."

"So you don't have any hammers? None at all?"

"No. If you really want a high-quality, industrially engineered spice rack, you desperately need something more advanced than a simple hammer from a rinky-dink hardware store."

"And this is the way everyone is doing it now? Everyone is using a general-purpose tool-building factory factory factory now, whenever they need a hammer?"


"Well…All right. I guess that's what I'll have to do. If this is the way things are done now, I guess I'd better learn how to do it."

"Good for you!!"

Now that I'm the proud owner of my own general-purpose tool-building factory factory factory, I'm satisfied to know that it complies with the GPTBFFF 0.97 RC2 draft specification for tool-building factory factory factories.

Luckily, 70% of the workers in the Tool-Oriented Metafactory Union are certified against this version of the spec.

On the horizon is a competing standard, though: a very compelling metafactory technology called the UXCTBFFF (Universal Trans-Continental Tool Building FFF), which promises to unify the factory factory factory industry to comply with guidelines of countries that use both metric and standard tools.

My understanding is that there will be a service pack to my GPTBFFF 0.97 RC2 to bring it into nearly 95% compliance with the UXCTBFFF standard, just by creating an abstraction layer through its user interface.


Surely this new development will improve the quality of my spicerack (which I'll get around to building one of these days, as soon as I've got my factory factory factory all up and running, my labor force trained, my raw materials imported from Cambodia, etc).

12 June 2017

Saying no


16 September 2016


An oldie but a goodie, https://en.m.wikipedia.org/wiki/If%E2%80%94

IF you can keep your head when all about you
Are losing theirs and blaming it on you,
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or being lied about, don't deal in lies,
Or being hated, don't give way to hating,
And yet don't look too good, nor talk too wise:

If you can dream - and not make dreams your master;
If you can think - and not make thoughts your aim;
If you can meet with Triumph and Disaster
And treat those two impostors just the same;
If you can bear to hear the truth you've spoken
Twisted by knaves to make a trap for fools,
Or watch the things you gave your life to, broken,
And stoop and build 'em up with worn-out tools:

If you can make one heap of all your winnings
And risk it on one turn of pitch-and-toss,
And lose, and start again at your beginnings
And never breathe a word about your loss;
If you can force your heart and nerve and sinew
To serve your turn long after they are gone,
And so hold on when there is nothing in you
Except the Will which says to them: 'Hold on!'

If you can talk with crowds and keep your virtue,
Or walk with Kings - nor lose the common touch,
If neither foes nor loving friends can hurt you,
If all men count with you, but none too much;
If you can fill the unforgiving minute
With sixty seconds' worth of distance run,
Yours is the Earth and everything that's in it,
And - which is more - you'll be a Man, my son!

04 August 2016

Use the AIM Method to Take Control of Your Happiness


Very important!

The AIM method is designed less to help you achieve something that will make you happy, and more to help you learn how to be happy no matter what.

  • Attention: Where you focus your attention is where your emotional energy goes. If you’re constantly seeking out things that stress you out—like hate-reading bad reviews for a movie you like or negative news stories about a person you can’t stand—then you’ll train yourself to be unhappy. Instead, spend your time and attention on the things that make you happy.
  • Interpretation: Contrary to how we think, most things are really up for interpretation. Maybe your partner left the dishes out because they don’t value you enough to care, or maybe they just forgot. You can’t choose what happens, but you can choose your interpretations.
  • Memory: You can also choose which memories you focus on most. Many unhappy people choose to relive the bad memories over and over, constantly thinking about what they’d say to the person that hurt them or relishing how bad their life is now. If you want to be happy instead, focus on the positive memories you have and let the bad ones go.