Man, the amount of things that went wrong here - Not removing dead code - Re-using old feature flag (wtf were they thinking) - No deployment review and validation that proper code was deployed on all servers - No post-deployment monitoring - No observability /traceability metrics? (They couldn't immediately pinpoint that one server making way more trades than it was suppose to?) - No Kill switch Any one of these in place would have prevented the whole thing or minimised the damage

This is why you need a physical kill switch, something that blows up your server room.

Imagine hundreds of millions of dollars are being dumped every 10 minutes while you try to debug your deployment in prod. jesus christ

Imagine getting an email saying something is wrong and seeing this much happen and not immediately killing the system

I myself work as a System Engineer in a HFT company. Whenever there are any discussions regarding Risk Management, almost every time we get to hear about Knight Capital's incident

Article: "DevOps is broken!" Also Article: "Nothing about this is DevOps!"

U never ever ever reuse the same opcode for a new functionality ever.. never ever ever ever ever!!!!!! If you remove and deprecate you throw an error of sorts... But never ever ever repurpose an API endpoint!!!!!!

I worked at a bank a few years ago, and the team I was on had a completely manual deployment process. We had a round robin table of who would be in charge that week and they would have to go around through all the sub teams and collect a list of manual instructions. And this was never prepared ahead, you really had to fight tooth and nail to get those instructions. We'd then wrap all up and send it off to the 1 and only 1 prod support guy that had been on the team longer than I was in the industry. Eventually that guy turned 56 and it scared the hell out of management, and they blocked the entire team from deploying anything. I was leaving the bank at that time so I don't know how it worked out, but every now and then I wake up in a cold sweet thinking about it.

What's the worst thing that could happen... *Siphons the entire AWS account

At that stage, I would just walk into the server room with a flame thrower and burn it down after around 10 minutes of this

I have a close family member who works high up in data architecture at a major bank. You would not believe how batshit their dev processes are.

I remember reading a story about it few years ago, the real lesson here is: never "repurpose a flag".

Infinite loop + high speed trading, what could go wrong? I think the problem was they didn’t have any anomaly detection and mitigation. A bad deployment caused this but the rollback made it worst, sometimes you can’t test for every scenario hence why you need anomaly detection and kill switches.

Normally you do have to pay good money for a power pegging but $400 million is probably a bit steep

As a DevOps engineer, this story shows exactly why you need good DevOps, or at the very least good engineers that can do good DevOps.

I remember hearing about this when I was working at a finance company back in the day and I couldn't believe it. Every time I see this article I still read it, despite knowing the history already because it's just so damn funny. Who doesn't love a story with a protagonist called power peg?

"The code that that was updated repurposed an old flag that was used to activate the Power Peg functionality" The article covers the deployment part but this is it's craziest thing. For such impactful functionality, they should have just deleted everything and reused nothing.

DevOps is shorthand for "job security"

Automating deployment can also automatically deploy errors, introduce new errors, or be done in an environment who's state no longer represents the tested state in a critical way. Mistakes anywhere along the process can always happen and human supervision is always required to make sure things are going right and if not, to react to the unforeseen/unhandled situation promptly.

I knew it was a scam when I was on a team where they had hired a DevOps specialist who didn't know how to code so nothing was automated, deploying just meant copying individual files to the server and restarting.

Realistically their most inexcusable failing was not having a post deployment review to make sure everything was good (all servers in expected state), etc. There are always gonna be suboptimal processes, and things that are manual that shouldn't be, and sometimes not enough staff on the team, or management won't pay for X tool, or whatever, but the one thing you can ALWAYS do is a proper checklist of what was supposed to be done, and making sure it got done.

"Bankrupt In 45 minutes from every single solitary individual in our company being a monumental idiot"

Best outro yet. "The name is.... The PowerPegeagen"

Having worked with software where mistakes could potentially cause similar sized losses, I was always a bit amazed at how small the team was (3 people) and how little management cared to take extra precautions. At least I had pushed to get some good automated tests, and we did end up putting some other procedures in place over time, but it really felt like we were just lucky that nothing too bad ended up happening before we got a more safe setup in place.

Being able to roll back on a moment's notice seems to be pretty important, huh.

There is always a kill switch. It is called forcefully unplugging the 8th computer with Power Peg from the electricity net.

At my workplace we have a replication of our production environment (sandpit) which as devs we deploy to and tested before devops deploys the same changes to production. Last year the person who did the deploys to sandpit left and I took over. The process was a list of different steps that all needed to be done correctly and as someone with adhd I can't get that right all the time/often. As it was a sandpit environment the only harm it caused was the ridiculous amount of delays in getting it all working but it drove me up the wall. I was able to convince my boss to give me the time to completely overhaul the process so that it is now just a simple one line command. We haven't had a single deploy issue since and also the DevOps team loves me now because it made their lives easier.

Imagine blaming “DevOps” when you still copying those files manually which is against DevOps’s principle itself

"Terraform deez nuts" After dealing with this M$ piece of .... every day, I cannot agree more

The irony here is that the issue was caused precisely because of a lack of DevOps procedures…

I fail to see how the title of the article matches what was discussed. DevOps has always pushed for automated deployment processes (or at least as automated as humanly possible) to limit human error. In other words, the idea has been to apply some Dev processes to the Operations process. NOT to replace operations with developers NOR to is it to make the operations team into a development team. Like Agile, the original ideas behind DevOps have been hijacked by managers and companies to get what they want from it rather than actually apply the benefits within those ideas. Nor have either of those ideas ever meant to be "This is the only way to do this" kind of attitude.

"repurposed a flag" ... WTF would you do that!? lol

I worked on a high speed ad bidder around ten years ago. The kill switch was literally the first thing we built.

Cash equivalents = LIBOR bonds and short term US bonds (typically < 1yr), i.e. bonds of AAA rated countries with near to no interest rate risk

I love this new "Humorous Energetic Sports Commentator, But For Obscure Coding Topics" genre

Imagine being the poor dude who forgot to copy paste the new files to the 8th server.

This is a new record for how hard i've laughed with prime. I can't even type...I may die of laughter whilst typing this on my inadequate keyboard.

even if you automate the automation can also create its own problem. its like using triggers in a database where you forget it eventually.

Even at Pixar they were able to call the TI department and ask them to unplug the servers right now! to prevent continuously deleting of the assets, didn't help much, but they were able to do that

2:13 that made me get a laughter for a few minutes. Man you made my day

Can't recall when and who, but there was some broker who's software developers didn't realize that bid and offer means the reverse in stonk trading.

The tism is really firing in this video .. I love it

I remember once asking "What's the worst that can happen?", and then proceeded to be in pain for the next two years

Extremely high level - Market making are the people that exchange stocks for cash. They give the market liquidity.

Automation is the core principle of DevOps and The statement "Copying the code to the 8th server (Seems manual to me)" itself kills the concept of DevOps principles. The symbol of DevOps "Infinity loop" itself shouts "Automation!". Guess the "Tech"nician failed to understand that. The article seems to have been written in 2014. I won't be surprised if that's what people understood by DevOps at that time. And if observability part is not taken care, it doesn't matter if the deployments are manual / automated, it is just a ticking time bomb.

What's mind-boggling to me is how Knight was still able to be acquired at $1.4 billion despite this fiasco.

The "term of art" is change control.

"PowerPegAgen" might be the best one yet. 😂

Modulo on an incremental user id is such a genius way to select a subset of deterministic experiment subjects. My grug brain would of just picked a random value and stored it for every hit of a common endpoint if the user hadn't been either selected or not selected prior.

CI/CD is one Part of DevOps. mainly stand DevOps for automatisation, thats why CI/CD often will be said. But it a little bit more. Like the goal to reduce human action to minimum or test to make sure you don't deoploy crap Program who developer fucked it up. kind like those things...

Hey ThePrimegen, I don't know if you read the comments... But we would definitely love a talk about how the implemented the kill switch, what it means, and how it would work in case of a real code-red situation. Love your content !

"No written procedures that required such a review." I'm sorry, but having no procedures for somebody replacing code on servers is just asking for an Office Space 2.0. The amount of power those "technicians" had....

this flash crash story is well known in the finance/trading circles, I think there was also a book written about it and similar cases of flash crashes

In Dairy Farm in Asia, we own most of the 7Eleven stores, and when we release updates to the 7Eleven Servers and POS, we do the slow clap, 1 store, then 5 stores, then stores in a region, then global. That is our procedure. we don't want to stop all the stores taking money in a single moment, and if crowdstrike happened, would be a nightmare, luckily, all out servers and pos terminals are Linux.

market making is done by HFT(high frequency trading) hence provide liquidy. These system trades billions of time in a day hence they buy low and sell high more like 1cent per trade hence they make money.

There is always a kill-switch. It's called pulling the plug. If there's no plug, grab the scissors.

I'm a DevOps working for big company. This article is actually good example why you have to use CI/CD / DevOps practices (call it whatever you like, but in the end it's just engineers with specific mindset and responsibilities). Also, I worked for companies that had a low quality DevOps teams consistent of folks from India (in Bay Area, CA)...and that was a disaster. They were doing everything manually on Windows servers...So, even if you got a DevOps team it doesn't mean you have a right people with right skills. You want to follow all Automation, DevOps, CI/CD best practices, not just have a useless DevOps team

Its rare for a financial brokerage system not to have a Halt (or kill switch). ....really rare (and not to have a cluster backup). P.S. Don't forget that no matter how much you plan, even a robot can be told to do deployment wrong. You need a kill switch and a backup cluster (for rolling back).

This sounds like a lack of devops to me. Super poor observability around deployments, too many manual steps to deploy, insufficient monitoring of the system, sounds like this was inevitable tbh.

We're just publishing new pages from a CMS and we have checkboxes all the way through making sure nothing broke. One would think a mission critical system like this would have a deployment session similar to a rocket launch.

"TerraForm deez nutz" right off the bat lmao

This is low-key your best video yet. 😂

0:19 A wild arch user appears! Wild arch user used "I USE ARCH BTW!"... It was completely expected!

"the only blame on the engineers is that they didnt push hard enough" no. Obviously i have no inside knowledge here, but lets assume the worst case scenario. In that case: They are to blame for not removing unused code. They are to blame for repurposing an old feature flag instead of using a new one. They are to blame for not building in a kill switch into either of the features.

I like how every other day Prime seems to wake up and choose violence against me specifically

This is a perfect example of why DevOps and following strict release procedures is crucial.

This article is kinda sus. The whole incident is being used to "sell" the concept of devops and continuous delivery, as if it was the "technicians" (classic sysops practitioners) fault that the company went bankrupt. "hey guys, if only you automated your delivery, you wouldnt have gone 400 million dollars into debt!" The reality is its obvious that the software culture of that organization was painfully unhealthy. No amount of devops practices would save it, because they'd just end up making reliable repeatable deployments that lost hundreds of millions of dollars. It is not sysops fault that - they used bad practice in repurposing an old flag - they refactor their code halfway - they have no ability to sanity check their deployment - they have no ability to verify the deployed version - they have no ability to turn off the said system The biggest red flag really is that this is a trading company with hundreds of millions in cash and apparently the people budget of their CORE SERVICE isnt big enough for a second guy. I wouldn't be surprised if these trader techbros assigned the intern to do it. Their whole job is to game the money market, and when their game is based on bad (company) mechanics its the "technicians" fault because they didnt "follow latest devops" or something. Yeah, no.

Like the kill switch. I bought a plunger for my toilet 3 years ago. Haven't used it yet but I'm ever so thankful that it's there as an emergency option.

*Unloads 10 rounds from workplace carry into servers* "You're welcome"

i dont get it, there is nothing to do with devops in the article

I definitely could be slow on this one but I feel like they may have had a kill switch. There was a few hundred mil traded by 9:32 and it seems they ignored the emails. I feel like HFT is just so fast the kill switch would have to be automated based on a trigger they had probably built into the other 7 parts. Once you push $3B in notional value up 10% you're kind of screwed even if you get out immediately.

I add a second issue, dont repurpose flags, the old code wouldnt trigger , or even cause a crash

The devastation when it when from a one server pegging to a all hands on deck 8 server pegging

The real heroes of this story is the previous engineers that named the replaced software Power Peg, thereby setting up the perfect cherry to this masterpiece of ridiculous f-ups.

NDC conferences has a good talk on this I believe

The title ks very misleading: most of the way Knight handked things is counter to DevOps orinciples.

0:43 associating Continuous Delivery with Dave Farley was the best joke i’ve heard so far. 😂 but be careful, you are becoming associated with regex licensing and some Rust things 😂

@1:30 Amusingly, market making is neither particularly risky nor illegal.

If you’re not confident enough to delete vestigial deprecated code, it means you don’t know how your code works and you’re too cheap/lazy to do anything about it. It’s not surprising that blackbox code did something unexpected. If it’s your personal blog then fine. But high frequency trading systems subject to the wrath of angry rich Wall Street folk?

Manually deploying code to servers isn't devops. It's just ops. Write some shit to automate that and run tests on results then we can talk.

I became an SRE last year. Never heard of the position before. It didn't take me a month to hate it. It took me 9 months to finally get moved back to SDET.

That's one of the best opening salvoes I've seen aimed at the amalgam known as YT comments

Imagine having your company destroyed by something called the 'power peg'

Oh good grief. You know how there's Development and Operations? DevOps is the practice of Development and Operations working together. Techniques like CI/CD are methods by which Development and Operations can work together. *Anything else* is FAKE. Especially if you have a separate "DevOps Team". This isn't even a secret. Most companies are doing some bullshit they "call" DevOps but has nothing to do with DevOps. Of course it's FAKE!

i traded that day, we were getting information from floor traders about what was happening, it was one of the most crazy day i ever traded. Started even before open. We had guys locked cause mad margin calls on the system. $50 stocks showing for dollars etc. It was just like constant selling or constant buying and watching it on level 2 was crazy, only other time seen that was on purpose when MS tried to support FB ipo, but it was supporting, this algo was selling or buying it. but in 75 stocks and any direction, just crazy. It was notable cause it was same mm and same amount usually, just blocks of stock for sale or buying, same amounts.

This was one of the funniest thing I have come across in 2023. Hilarious and scary.

That was probably the best bed time story I've ever heard.

That is the greatest Story of all time!!!!

I remember when this happened, a brand new High Frequency Trading shop that blew up on day 1.

0:00 DevOps doesn't exist 6:05 this is why you don't manually deploy at that level if you have hundreds of millions of dollars of assets figure out how to **automate** it pay somebody pay two people

This seems related to a lack of controls like alerts / logging. Automated deployment will fix copy paste errors but not necessarily mitigate. Code will go wrong, it matters how quickly you can fix it.

Whenever you find yourself saying "What could possibly go wrong?" instead say "Let's just do it and be legends." You'll feel better about the results.

This development process was an obvious ticking time bomb. It went off in 2012, but if it didn't then, it would have sometime between then and now

cash equivalent is something that is very liquid, high demand and hence you can sell instantly for cash, usually it is short term assets.

I'm seeing a common theme in the comments. "Why couldn't they just walk in and kill the servers?". If you're a high frequency trader, you can't afford to host your own servers. All the high frequency traders lease space in a shared computer room inside the NYSE. This is because high frequency traders want to get their trading information as instantaneously as possible. If somebody else hosts their servers in an office a mile away, it's the equivalent of getting the newspaper a day late. They're trading on old information. That being said, there should have been some remotely activated shutdown command.

this is why you shadow test THIS IS WHY YOU SHADOW TEST

"pay somebody to automate it!" -- you mean like a devops engineer? 😂😂😂😂

This isn't a failure of the DevOps philosophy. This is just sheer stupidity.

Come on a couple of things here: 1. Deployment day and no one cares to check that everything seems ok (I mean its High Frequency Trading - not your personal myspace page) 2. They took down the servers that were deployed correctly, but not the faulty one - how? 3. Delete old code 4. They re-used the flag that was used in the power peg code - why and couldn't you find a new better name?! 5. You didn't check that a counter for the parent order existed? That seems like a reasonable edge case unittest

They changed the code in all the servers, nobody said like: “why don't we just stop every server and diagnose the issue in offline mode?”