"Say you're a Karen without saying you're a Karen" - robot woman's voice

Bro you weren't a team player. Didn't you hear, real men only fix after production

Classic Señor dev

ZII. Zero is initialization. Controlled failure vs uncontrolled failure

@@MrDragonorp TAF - Test After Failure

Only through the tireless efforts of countless engineers correcting other people's stupidity (and sometimes their own) does the world make it through another day without disaster.

If only things were about you know quality, and truth... instead of "who can get the most attention the fastest."

that's exactly what I was thinking, indeed

working in IT and working in multibillion security company is different.

I'm working in IT and I'm everyday amazed how far we've made it without the modern civilization folding on itself. Being part of that clusterf%ck in the belly of the beast is equally awesome and terrifying.

I always copy the entire path of the existing code into a -bak or -date directory, then run the new code in place to test it on one production level server, before deploying it to the rest of the servers. That way in can use scp to copy the old working coy back if things really go belly up. But I guess when they rely on automation and all kinds of layers of abstraction between them and the code, they cannot do it that simply and easily.

Of course they cannot (simply) test their code in production level environments. Corporations have made un-maintainability into an art form, where a single deployment-step is so automated, but requires so many manual steps as well, that no single person can ever deploy anything easily. And when you are new to the organization, and learned for the first time how insanely convoluted their deployment process is, you undoubtedly asked "why!?". But as always the answer is "has grown historically" (legacy). And by that time you entered the organization, it would take weeks or months to re-implement this insane architecture into something which can actually be deployed in a sane manner. But we all know to never touch a running system. Even if it's a running nuclear bomb close to detonation.

@@PhilLesh69 have you heard about Git?

So what’s up with the whole Diddy thing?

I don’t see many engineers on LinkedIn with more than a year or two of experience at a company before they move on. It took me a few months to understand our codebase and with all of the reorgs and compounding layers of rotating management it made it difficult for anyone to sit and focus on much of anything for very long.

Chad

Real web devs fix in production.

Holy fuck I haven't laughed this hard at a comment in months

As a developer i like to watch ci/cd on the toilet too 😂 it really helps me to not sit too much in the toilet

Giga Chad!

Even upgrading to c++23 will work instead of changing whole code to rust.

​@@ashwithchandra2622wait until c++60, safe memory edition.

​@@ashwithchandra2622works! but fails in prod😢.

​@@ashwithchandra2622, how? What is so special about CPP 23

@@ashwithchandra2622 what feature of c++23 will make it immune to null pointer de-referencing?

it certainly killed the sub guy...

Wait until you find out that his last name was *Rush.* 😮

I bet he thought the same thing

Jeff made that joke in a vid right after that disaster already. If you enjoyed this, go back and watch that.

Stockton Rush

Crack up, like it👍😆

Lololol

@@smithwillnot good luck i know you will do a better job, test check, test check, test check, lol

@@smithwillnot oh i forgot disable automatic updates on any OS before you send out the updated patches ha ha,

Don't forget to test in production on a Friday and have another job on standby!

The best code is the Friday 5 minute before go home time is the best code

The competent folks are on summer vacation

F yeah Ianit ever ncode nerd Litrealy never coded in my life BUT I KNOW DONT UPDATE ON FRIDAY

At 5:30 PM😂😂😂

actually real men don't test their code at all, they just push their code and wait for a scream test

*pushes code in production* *crash*

"This works, but it shouldn't." and that's where you ask for your friend's device

Don't feel attacked, writing your own to-do app is a right of passage

and way faster than the rollback :D

Smooth

Doubt

Impossible

@@DylanEdd_1 Considering the BSOD, is automated rollback even possible?

There is nothing funny about nuclear war.

That got me rolling too😅

I thought I got the joke... until I actually did and was like "wait a minute..."

​@@ImperativeGames So you say. I find it hilarious! 😅😎

In 2021 my previous employer invited a pair of supposed doctors to tell us with a straight face that we would literally all be dead in five years if we didn't get the experimental injection. 2026 confirmed!

My Class Portrait!

F!

I would pay for it.

HR

Search “Bret Hart null pointer” and you’ll find it.

So are all devices that used Crowdstrike unusable now and need a fresh windows install?

​@@WhiteSharks-wz6knNot really, just boot into safe mode and get rid of the borked driver. This is sure going to be annoying for the IT team if they need physical access to do it, and don't forget this must be done for EVERY DEVICES.

​@WhiteSharks-wz6kn No. Just need to delete the latest Crowdstrike driver. Usually 2 major steps. A) Either get the specific encryption key access to the company laptop/desktop first or go straight into safe mode. B) Go to the command prompt and delete the latest Crowdstrike driver file (c-00000291*.sys). FYI... I work in IT. Out team of 13 had to go through this process for 700+ employee laptops 💻 on Friday. Some old and some new. Interesting stories to tell at a bar or on Reddit.

@@akin242002 What everyone hears: "Delete the latest Crowdstrike driver file (c-00000291*.sys)." What every malware author hears: "Delete all CrowdStrike files (c-00*.sys).".

the existence of project managers is often an organizational failure

"The company I work for has under 200 employees, under 30 devs, ..." FYI - The number zero (two places) is compatible with that sentence structure.

I heard from one employee that there's no automated testing. Also, this update was flagged to pass all canary testing at individual companies and to deploy everywhere immediately. And the driver itself is flagged that if it fails during boot Windows shouldn't disable it and boot anyway. The file that caused the crash was all zeros content. This is either intentional and someone shorted a lot of stock, or it's criminally negligent.

​@@JxHI'd be highly impressed if zero devs managed to pull off that much procedure.

worked at a place that had 15 "QA" that all they did was click on the functionality, didn't even read the code, send it to the client to click around and than push to production, worst company I've ever worked at, fuck those guys - when I raised this issue I was fired withing 2-3 weeks!

​@@reverse_shell.asm.sh.exe1 Dodged a bullet in my book. I hope you are well in another firm now. 😊

idk I like the point of where this was done on purpose to practice for a real event

I mean, if the driver was writen in Rust then it would crash anyway, since Rust by default crashes on memory unsafety. The c++ code already checked for null pointer as mentioned in the last twitter thread in the video.

"The idea that a rust enthusiast would "prove a point" is the most believable thing in the world." Well, other than what actually happened

​@@rj7250a I feel like a kernel driver should probably have a panic handler that unloads or maybe restarts the driver with a count of number of retries. That way any unrecoverable errors (bar compiler bugs/unsafe block promises not being kept) will not bring down the system

@@minerscale I see you don't know much about writing kernel-mode stuff. Unlike a userspace application, nothing is tracked in kernel space, so there's no way to know how to "restart" or unload the offending driver... or anything that has been commingled with it. You have to the driver's shutdown and exit code; once it's done anything "bad", none of its data structures can be trusted, and by extension, the entire kernel, as in ring 0 it could've messed with literally anything.

That got created right after the incident. But it's gold. 😂

One could say it was...Titanic.

"Everyone has a QA system, but not everyone has a production system"

I don't always test my code, but when I do, I do it in production...

@@seanburke424 That saying doesn't make sense to me.

Crowd strike crashed linux a few months back crash Microsoft now it's Macs turn dun dun dun🤪🤪

it's such an insufficient explanation, a null pointer dereference is a symptom not the root cause.

Ianit ever ncode nerd Litrealy never coded in my life BUT I KNOW DONT UPDATE ON FRIDAY😊

They must now sit in the comfy (gamer) chair.

LOL! This has been a problem since the late 1970s. and it STILL IT!!! OMG!!!!

Again, it was not a null pointer, there was a null check in the code.

underrated 😂

😅😂😅

Pure GOLD

Please share a link to it!!!

It's called Making of WrestleMania: The Arcade Game it's on YT

Some memes never get old

worked this year in a company that had their QA not look at the code at all, have them just test the functionality by clicking shit on the website, than send to the client (which doesn't understand code) to test it by also clicking shit around and if QA and the client said ok it was pushed to production.. Once I said code needed to be reviewed I lasted another 2-3 weeks before getting fired! fuck those guys, I hope that reporting their asses actually made something happen, but I doubt it

Interned on a major national telcom company as a Security Business Partner, the company had quite a rigid pentesting system where every new system or update requires a form that requires 2 written signatures, one from the higher ups of the cybersec team that confirms that the new asset is good to go for prod and one from the dev team. Turns out some dev teams (the company had multiple dev teams for different projects) just pushed to prod anyway without ever having this signed form or even requesting the cybersec team for one.

It's still a more robust system than most software companies employ these days. Somehow Agile is thought to mean in a lot of teams, it if compiles, it's good to go.

or having universal automatic updates pushed to your machine.

So you want Norton, and McAfee, and Kaspersky, and CrowdStrike, and ... ALL installed at once ?

@@JxH More like some companies use product A, other companies use product B, not a single using all at once. To use an agricultural analogy, you want a security polyculture, as monoculture is vulnerable to disease.

@@lachlanmckinnie1406 The great clownstrike famine of `24.

m try

Wouldn't be surprised to see that happening just in 2024 itself

😮! well not that 😮

Funny how that only happens to government systems

or Secret Service internal communication history was lost during Crowdstrike situation... as they say: don't let crisis go to waste...

don't tell me they are going to fly a plane straight to a server and blame the asians and their budhism...

Because afterwards he was fired for not being a team player.

And a few rogue bank traders

what do you think? we are in the Agile era now. Fail fast, fail often, QA is not needed.

QA costs money and companies are loath to part with the money for proper QA. Better to let the customers/clients do the testing for them as it's cheaper.

More that they know how to talk. The distance one can get simply by confidantly bullshitting your way through life is incredible.

I'm convinved that people need to be a certain level of psychopath to be "leaders" and it has nothing to do with their competence

Does anyone remember on what basis Israel chose their first king? ... That guy would look good in a crown

The thing to understand is that the C level doesn't work for the company or for the customers. They work for the shareholders. So CEOs who make obviously and openly stupid decisions outwardly are often just in effect cooking their books by sacrificing everything else to cut expenses and deliver a quarterly return. And then they bail with a great resume and a bunch of money before everything implodes. Or sometimes even after it implodes, because shareholders don't care and can easily move on to the next legacy brand with their gains. They know when to get out. This practice of corporate looting that pervades America started pretty much with Jack Welch who gutted GE while managing to earn an entire cult following for doing so.

@@XIIchiron78Someone that gets it.

Yeah. From reflex, I compared it to that disaster when explaining to others.

@@csibesz07 crowdstrike is now blaming businesses for not having disaster recovery!

replaced with slaves.

Also done in India in a “low cost engineering center”. Lunch time Friday roll out of updates…

@@allangibson8494Hopefully after this fiasco and trump’s being president, the damn suits can stop outsourcing important shits

Not true a misconfigured config file yaml json toml files regularly cause parsing crashes however it’s unacceptable that a tool like this isn’t resilient to fail safely and gracefully. It’s running as the windows root or in the 0 layer perhaps it crashed it detected itself as a threat or the Os ? Unsure but static config can definitely causes crashes unsure why the bsod was happening unless the OS runtime requires this service to be running or fail this way which would be weird.

One level’s data is another level’s code, sometimes.

​@@AIrtfical it's exactly what you said actually. The program forces itself as a requirement for windows to be functional

@@AIrtfical It's a boot-start driver. If any boot-start driver experiences an unhandled exception, the entire boot sequence fails. If Windows detects and disables a bad boot-start driver (I don't know if it can), the system would be running (yay), but it would violate company policy by running without a required software (uh-oh).

Kernel-level operations have to crash the system when encountering an error, because not crashing can lead to far worse outcomes when dealing with direct memory access. It is by design, and smart design at that. Now you can argue that not being able to boot without the faulty driver instantly after is not the smartest design, but that's on Crowdstrike for flagging their drivers are boot-start drivers.

darkest image☠

"...willing to die on that hill" 💀

@@kv4648 More like valley.

Thanks for context. I thought it was a nuke, rather than a sub. Too tired tonight, I guess.

Interesting

Classic small stick that holds the entire global infrastructure from collapse

wait wtf

This update was not "forced by Windows". It wasn't even done by Windows. CrowdStrike updated the rules itself.

The only lesson you need to learn, is to shut up and update your windows system as soon as possible or else we'll do it for you! - Microsoft.

He might as well retire after this.

@@libertybelllocks7476 , that's the problem: he probably will get hired as the CEO somewhere else if he wants to be. Give it a few years, and he'll be fine. Instead of, you know, being poor and unemployed, like he deserves.

He is the founder too

@@loggjohnable , which makes it even worse.

And yet they hired him for their C++ suite

Never a Friday you release

if ( nullptr == ptr) thou shall write, the unintended equal operator in comparison to avoid (those are called "Yoda conditions" btw.)

I think it was personal for the blonde in the background. 😂👌

Yeah, the problem seems to be that those staging/testing policies apply to new versions of the sensor, but not to the data definition files. Which might be ok in theory if they were actually bulletproof against bad data files. But no matter what, they shouldn't have sent out the update to all their clients at the same time. Even if they sent it to a few thousand and waited an hour before sending the rest, it probably would have been enough to prevent this huge disaster. Just bad policies on top of bad policies

It does make sense, they like to do test runs before the main event.

This is probably why conspiracy theories have the following they do, in the face of the more likely reality of incompetence.

Why not both?

@@KatR264 That's a significant part of the reason. People are distressed by chaos, so they look for patterns and signs to explain things away, and also enjoy feeling like they know more than others. Put those together and you get conspiracy theories that both explain chaos and strange events and let them feel superior for 'seeing the truth'.

Ww3

There are languages where that's far closer to truth. Of course some people complain bitterly when GHC says their program is incomplete rather than produce a broken executable. Ada in particular was designed with this goal, published in 1983, but it likely never will get the huge marketing campaigns Rust or Java enjoyed.

Also an IT professional. You must be very lucky and VERY sheltered, because way too much of the industry works like this nowadays. It's the kind of thing that happens when you let the normals worm their way in. They immediately make a run on all the leadership positions that all the competent staff don't want to have to do anyway, and then they start getting rid of every policy, procedure, and precaution that could potentially stand in the way of their yearly bonus. Eventually, that shit metastasizes all the way up to the C-Suite, and that's when the seriously unethical and even illegal shit starts happening. I just got kicked off a project this month due to refusing to perform a task that the customer leadership made an extremely public show of ordering us not to touch. The PR hire who was told to take it over waited for months for their leadership to be sequestered in a multi-week meeting, then went psycho on my entire department until my management gave in. There was never any complaint that I was wrong, that I caused any problems, or that I crossed any lines. The official reason is that I was "seen butting heads" too many times. Meanwhile, this guy has almost completely destroyed one application, and is very likely going to tank an upgrade for another, MUCH more vital one by the end of the year. tl;dr....Stay where you are. NEVER leave that company.

@@TheSacredDude Alas I retired from that job and no longer have to fight any of those battles

It's also crazy that apparently a lot of companies bought and deployed the CrowdStrike software without having their penetration testers penetration test it first. "Nah, the marketing guy from CrowdStrike said that they did that test." "Did you also ask whether their test was successful?" "Yes, but suddenly there were free bottles of Champagne and free ladies everywhere..."

he went malding?

Are you sure he didn't get that from writing C code? So he wrote C++ while he still had some hair left.

He put his hair into c++

Very relatable

@@javabeanz8549nah, I’m pretty sure it was the ++ that did it.

When their business model is entirely predicated on claiming they're less incompetent than the vendors of actually needed software on the same system, and will cover for those, this level of incompetence is gross negligence at best.

Blahahah

why hospitals and airlines dont run arch, is mind-boggling.

Dude, me too!

“It runs on my machine”

I test in prod btw

Now switch to rust and that won't happen 🤣

@@Caellyan Switch to rust and your program wont compile

@@FemboyCatGaming better not to compile, than to compile and have things break in unforeseeable ways

@@DankMemes-xq2xm rusts borrowing and shadowing system is far more convoluted then c pointers

I shudder at the day I let politicians describe how my code needs to be written. Yikes on that whole concept.

@@tetrahedrontri thankfully in the USA they've decided that judges are more important than experts when it comes to this kind of thing. Wouldn't want people knowledgeable in a field to make decisions in it.

​@@NoConsequenc3 This saddens me cuz most congress results are not consulted before with a task-force of experts. Also why license to a game sux than buying it steam vs Gog. Bruce Willis (lack of reference of an old article, prolly mads up but made headline anyway because of lack of cross checking vs ahoy physical games videos)

Extra detail: most development on digital laws are from the states - that Bruce Willis iTune article lawyer called for making arguments on that article or any licence to a game instead of owning the game case. I think from Eurogamer, but I know it from a hyperlink rabbit hole from chrome suggestions

But it's not just their negligence, it's also on the heads of people running those systems. When you have a critical system, one of the things you control is updates. Because every update is a potential disaster. Back at university, we had a simple rule - if your code crashes, you're finished; zero points. Never assume anything. Just because a specification says that you'll receive two integers doesn't mean that you'll always receive two integers. Always fail gracefully. There should be no input that causes your program to crash.

Also, rolling it out on a Friday. Programmer sins check list completed.

That's an artifact of the 90's an the bane of MSFT support - Gots to luv us some 3rd Party drivers - THEY SUCK.

it's worse than that. the entire organization is based around maximizing profit without putting in the work.

😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅

You need to test the hell out of any changes to the codebase if a failure can wipe out millions of computers. Human eyes on a PR are not enough

It's probably a 20 year old pile of shit, with high turn-over, nobody wants to maintain old crap.

There probably was a problem report, but management couldn't read it because their account didn't have access because they reduced the number of licenses for the tool because it was too expensive.

Nuclear war.

The living will envy the dead.

AI is here. Most or all of humanity is about to become obsolete. Hell, even worse - they're just competition.

@@XIIchiron78 No it isn't, those are just next-word or next-pixel predictors. They don't understand anything and they're definitely not thinking. There's no "they" there to do the thinking. These are just glorified calculators. You could build one from vacuum tubes.

Dave discussed two "Rings", 0 and 1. Here it's four "Rings", 0 to 3.

@@JxHWhile technically x86 has four security rings, in practice most operating systems use just two. Ring 0 for the kernel and Ring 3 or occasionally Ring 1 for all user code.

I think he meant 2036, because there's a meme of "AUGUST 12 2036, HEAT DEATH OF THE UNIVERSE!"

​@@LuxuriantCarrotAUGUST 1 2036, THE HEAT DEATH OF THE UNIVERSE!

The dev shouldn't be punished. This sort of failure is an institutional one not an individual one.

the dev probably already got fired.. now, I have no idea if he'll get sued as well and if a judge would understand it

Nah the higherups 100% threw him under the bus.

When you push code to production on a Friday without peer review/QA process, you deserve to be fired.

This is actually the big argument against simulation theory-an environment of that complexity running any length of time at all wouldn’t have glitches, it’d have bricked by now.