Slashdot Mirror
Software Bug Behind Biggest Telephony Outage In US History (bleepingcomputer.com)
An anonymous reader writes: A software bug in a telecom provider's phone number blacklisting system caused the largest telephony outage in US history, according to a report released by the US Federal Communications Commission (FCC) at the start of the month. The telco is Level 3, now part of CenturyLink, and the outage took place on October 4, 2016.
According to the FCC's investigation, the outage began after a Level 3 employee entered phone numbers suspected of malicious activity in the company's network management software. The employee wanted to block incoming phone calls from these numbers and had entered each number in fields provided by the software's GUI. The problem arose when the Level 3 technician left a field empty, without entering a number. Unbeknownst to the employee, the buggy software didn't ignore the empty field, like most software does, but instead viewed the empty space as a "wildcard" character. As soon as the technician submitted his input, Level 3's network began blocking all incoming and outgoing telephone calls — over 111 million in total.
According to the FCC's investigation, the outage began after a Level 3 employee entered phone numbers suspected of malicious activity in the company's network management software. The employee wanted to block incoming phone calls from these numbers and had entered each number in fields provided by the software's GUI. The problem arose when the Level 3 technician left a field empty, without entering a number. Unbeknownst to the employee, the buggy software didn't ignore the empty field, like most software does, but instead viewed the empty space as a "wildcard" character. As soon as the technician submitted his input, Level 3's network began blocking all incoming and outgoing telephone calls — over 111 million in total.
It was Linux.
Check the spec - perhaps it was by design or not called out to ignore empty entries?
A null/blank input taken as a wildcard is certainly not a feature.
Even labeling that as a mere bug is putting it mildly. More like gargantuan fuck-up.
No, it's just a bug.
Not finding it during testing is the gargantuan fuck-up.
Check the spec - perhaps it was by design or not called out to ignore empty entries?
The "by design" part is slightly plausible. But "not called out"? I haven't yet met either a programmer or a tester who wouldn't have at least tried out the 'null entry' scenario and flagged it as a problem. Heck, one of the most basic tests is to check what happens in the case of empty fields. This smacks more of somebody higher up ignoring test results and/or good advice.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
I'm 99% sure they were using the Sonus EMS management software (L3 is a huge Sonus shop) to manage the PSX routing engine. The software works as longest match of the number. Since you have to always select the country, a blank entry would be treated as +1 and block everything after that or everything in the US.
It could be either, just depends on what the original spec said. I would find it useful to be able to cover an entire set of numbers simply by leaving them blank, very similar to eg. IP addresses. Even in some configuration files, you can type in 10/8 and it will recognize it as being "10.0.0.0/8".
Custom electronics and digital signage for your business: www.evcircuits.com
But "not called out"? I haven't yet met either a programmer or a tester who wouldn't have at least tried out the 'null entry' scenario and flagged it as a problem..
Have you never worked with offshore developers or testers? If it isn't itemized, they won't think to do it.
It is often useful to be able to enter regular expressions for filters. And an empty regexp without anchoring matches everything. That's a feature, not a bug. But it is only okay to design it that way if you can safely presume that anyone who will ever add a filter understands regular expressions, or will look it up before attempting to add a filter.
Slightly safer (but only slightly) is to always add ^$ anchors, so empty fields only match empty entries.
But safest is to presume that users don't grok regular expressions[*], and can only handle a case insensitive subset of DOS wildcards, without the special meaning of ? at the end.
[*]: The most common error I see is with IP address filters, where someone will enter a bare IP address in a regexp field, and then wonder why the 1.2.3.4 filter blocks 71.223.4.50
Not even close. Under law, a professional is a professional and that ties to responsibility for actions. That design was professionally criminally negligent and should be treated as such, with the penalty to reflect the harm causes and that means possible custodial sentence along with a massive fine. Let's not get freaky on the custodial sentence though, probably sufficient to let them 'cool their jets' with no more than a 90 day sentence if no one died but at least 30 days, sort of put the wind up them, focus their attention, remind them there are real penalties for being a crap professional, being in a role you should not be in. If anyone dies though, manslaughter charges.
Find those individually responsible fine them, let them feel the weight of a custodial sentence, 30 days and fine the company much more. Custodial sentences should be the norm for criminal negligence as a professional, start licensing coders because of the harm they can cause. Differing grades, low grade licences for low risk work, high grade licences for high risk work. If you do not force them to do a good job, they will continue to do a shitty job, with a meh, someone else's problem for the shitty work the coder has done.
Chaos - everything, everywhere, everywhen
Exactly. No matter what the interface says, something at a lower level should have at least made it explicit that 111 million numbers were about to be blocked and verified the intention. Even better though, it doesn't sound as if they new this interface even had a wildcard capability. The lower level should probably not even implement it. The interface is not the right location to preclude things like this from happening.
No, if the spec said it was supposed to be a wildcard, then someone should have strongly questioned this. Ie, a bug in the spec. A dev saying "I just follow orders" isn't a good excuse. That's like saying you're just a programmer and thinking isn't a part of the job.
1) There should have been a warning: "Do you want to block all calls?" If not, then require the employee to enter a phone number.
2) Or for a better solution, that form should not interpret a blank field as a wildcard. If all phone calls are to be blocked, then someone must sign on with a manager's user id, and fill out a special form that lets you block all phone calls.
It's a bug no matter what the spec says. Anything where you can shut down phone service for 110 million subscribers simply by hitting enter (without filling a field) isn't just a bug, it's a twelve-storey bug with a magnificent entrance hall, carpeting throughout, 24- hour portage, and an enormous sign on the roof, saying 'This Is a Massive Bug'.
Why are you blaming the programmer? The feature must have been designed; did the design call for empty being interpreted as a wildcard? It must have been tested; something as important as this has a testing budget associated with it, surely? Some company executive must have signed off on it. There will have been a formal handover from development to production. Did the programmer have the power to correct the design? Did he have the power to enforce testing? Did he have the power to stop deployment? Or was he just some underpaid wage slave who was paid by the hour to stamp out code as quickly as possible? Someone told by his manager he is just a warm body who can be replaced at a moment's notice? What was written in the user manual? Was there a procedure for blocking a number, and if so, was it followed? Was training given on how to use the software correctly? How can it be that the company has no liability, but somehow, someone who formed only a tiny part of the chain (and certainly not the best-paid part of it) should, according to you, now face prison time?
Why are you blaming the programmer? The feature must have been designed; did the design call for empty being interpreted as a wildcard?
Don't assume it was designed. It's amazing how much gets "designed" at implementation if something isn't expressly stated in the specification. The only thing we know is that we don't know who to blame.
That said the GP's assertion that someone should face prison time is completely stupid. Even by American "jail everyone for everything" standards.
Like any other doctor, lawyer, engineer AC?
Domestic spying is now "Benign Information Gathering"
Sanity checks would slow down local and federal law enforcement collect it all projects.
Domestic spying is now "Benign Information Gathering"
Ha ha. No, this is not just a bug. The fuckup goes much deeper than that. "An empty field acts as a wildcard" is the least of your problems. It may or may not be expected behaviour for a GUI. "Not finding it during testing" is par for the course for GUIs for this sort of thing. You're not supposed to give wrong input, even accidentally!
The real problem is thinking a GUI is appropriate to feed lists of boring numbers through. By hand, no less. It's way too easy to accidentally leave a field empty or --if it's a micro-managing form like windows IP address entry type things-- copy part of a numer in the wrong line, shift it a sub-field, or something else similarly silly.
What we have here is a mismatch between user interface and purpose, cooked up without thinking. This is the same mode that makes users stupid, but now it was the designer who wasn't thinking. The focus was on "getting some input fields done", not on "how will this be used and what might the consequences be?" The deeper problem is TFIing such lists. GUIs are entirely stupid for this.
Compare "here, have a GUI" with this sequence: Check the list then feed it to the system as a textfile. It gets queued. Then check the list as it appears in the system against your original list. The system probably should make explicit just what it will do with each entry, like "block one number" or "block a range of numers". Possibly have someone else look over the proposed actions. THEN activate it.
So the problem is that the workflow is entirely too stupid to live. And it was shaped into that form by a GUI.
Well I'm pretty sure the desired number was blocked, so I'd call that a win!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
That's why I think it may have been by design. Test a null entry, it does what it was supposed to - act as a wildcard...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
It is often useful to be able to enter regular expressions for filters. And an empty regexp without anchoring matches everything. That's a feature, not a bug. But it is only okay to design it that way if you can safely presume that anyone who will ever add a filter understands regular expressions, or will look it up before attempting to add a filter. Slightly safer (but only slightly) is to always add ^$ anchors, so empty fields only match empty entries.
Given how easy it is to write a non-empty regular expression that matches everything it would seem far more sensible to me to treat an empty regex field as "regex off / match nothing" rather than "match everything".
If it says "filter by" and you enter nothing you're saying filter by nothing, i.e. don't filter, i.e. give me everything.
Plenty of software works like that. Otherwise the user is going to have to enter * in 47 different fields.
Now if there's a minimum number of selections (filter by at least one of foo, bar and froblgobl) that should be enforced somewhere in the software, twice.
It was probably created by one of these full-stack unicorns I keep hearing about.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
30 days in jail is a huge deal. I wouldn't recommend it for something like this. With so many people living paycheck to paycheck that's enough time to get behind on rent/mortgage, losing your home and if your marriage/relationship wasn't that strong that's an easy separation/divorce.
You certainly wouldn't have a job after 30 days of not showing up, and your new job hunt doesn't happen while in jail.
I really don't think you understand what you are recommending. Especially since I don't see you linking to any clear documentation proving someone was criminally negligent. "Cool their jets" would be more like 3-5 days. 36 hours without freedom would definitely be noticed.
No, the outage began years ago when someone created a process in which a human being manually enters data directly into a production system.
I swear, if I had a nickel for every time a major fuckup was root caused to "human error in a process that should have never had a human factor to begin with", I could buy a house in the Bay Area.
In 1987 I had just taken a job at the local Telco and was hitting a steep learning curve. My experience to that point had been PC computers and networks, assembler, CBASIC dBase and the like. This was an IBM System/38 and their billing software used RPG/III, which was a real structured language unlike its spaghetti-GOTO RPG/II cousin, but aspects were still position sensitive and opcodes were silly-simple compared to languages with which I was familiar. It was more like assembler than anything else. Most data flows consisted of running commands that generated a relational input stream sort of like an SQL query, through simple RPG programs.
We had just installed an ITT 1210 switch and ITT had sent over a block of sample RPG code demonstrating how to parse the various fields and flags appearing on call tapes. My boss provided specs for the internal call ticket system they were using and the simple (!) task was to write a shim that generated a batch of call tickets from each tape. Pretty straightforward, tedious without being intricate. But one part of their code slapped me across the face when I examined it.
The tape recorded end time and call duration in whole seconds, call start time would need to be calculated. They had supplied a routine to do this but it didn't make any sense because I could see no modulo 60 arithmetic in it, they were applying the simple RPG subtraction opcode on the zoned fields. I spent the most mystified HOUR of my LIFE searching the language manuals for that surely described RPG's 'magic' ops for manipulating times and dates, which I assumed had to be there because IBM is GREAT and I am STUPID... finding none. Forced to conclude that I was looking at concept code that was dashed off hurriedly in two minutes I confronted my boss with it (and my solution) but it was a hard sell at first, because my boss was incredulous too.
<blink>down the rabbit hole</blink>
A null/blank input taken as a wildcard is certainly not a feature.
It usually is in filter boxes, isn't it?
Ezekiel 23:20
Who says it's a regexp?
It could just be one of those weakly typed kiddy languages and somebody typed == instead of ===.
No sig today...
Given how easy it is to write a non-empty regular expression that matches everything it would seem far more sensible to me to treat an empty regex field as "regex off / match nothing" rather than "match everything".
Yeah, but then you don't follow the rules for how regexps work. You have introduced a custom exception, which is almost always a bad thing in programming. You introduce complexity, have to maintain the exceptions through library changes, refactoring and rewrites, regression test them whenever anything that's interfacing change specs, and also (remember to) bring them over to new code when you want to avoid surprises.
Pre-populating any new field in an OR list with (?!), the common fail pattern, might be better. Also because it might make those who don't speak regular expressions stop and think.
Who says it's a regexp?
It could just be one of those weakly typed kiddy languages and somebody typed == instead of ===.
It certainly could be. But lots of carrier code is written in C and Erlang.
If I ran the risk of getting imprisoned for something as easy to mistype as the notorious "goto fail" I'd steer well clear of software development.
So these phone companies have the ability to block all incoming calls from a malicious phones. All these days... All the complaints about spam callers... About scam artists posing as IRS employees .... They had the ability to block them. But they never did. Bastards.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
America does not have jail for everyone for everything standard.
Usually if it looks like some ethnic minority is going to be on the receiving end, lots of internet warriors will post "jail time" posts. If it looks like it is going to be some white due the same posters will suddenly talk about onerous government tyranny, liberty and the founding fathers.
Mercifully the actual courts are saner. Not perfect. But not as bad as these internet trolls make them out to be.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The screw up wasn't this design decision. It was omitting basic double checks one should always have when making production changes, *especially* in a large environment like level 3. Where was the review by a second operator? Where was the warning "this change will block over $threshold numbers"? it is ridiculous that one person at one point could make a large scale change like this.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Find those individually responsible fine them, let them feel the weight of a custodial sentence, 30 days and fine the company much more.
When looking for the "individual responsible", don't forget to consider whomever set the budget and didn't provide for enough resource to create a design, review the design, create a prototype, test the prototype with real users, perform failure analysis, make changes to the design and prototype as necessary, test those changes, etc. The root cause of many software (or any project for that matter) failures is insufficient resources being applied to solve the problem. Granted you have to balance what you spend with what you get and no one can afford a perfect system, but the true responsibility for system failures lies with those who set that balance. In other words the person who picks two out of the "Cheap, fast, good - pick two" is the really the one responsible.
Yeah, but then you don't follow the rules for how regexps work. You have introduced a custom exception, which is almost always a bad thing in programming. You introduce complexity, have to maintain the exceptions through library changes, refactoring and rewrites, regression test them whenever anything that's interfacing change specs, and also (remember to) bring them over to new code when you want to avoid surprises.
I think you might be overthinking this. This is purely a UI behavior issue, nothing to do with changing how the regex function behaves; If you have a mandatory regex field in a multi-field form, don't accept an empty value. If you have an optional regex field in a multi-field form, then leaving it blank should disable the regex call.
Yes you have to remember the UI conventions you use, but you also have to remember things like checking for required fields so it's no more work than you should already be doing.
Making an unintuitive and mistake-prone UI just because it mirrors how an underlying function behaves is asking for trouble, as in this example.
But "not called out"? I haven't yet met either a programmer or a tester who wouldn't have at least tried out the 'null entry' scenario and flagged it as a problem..
Have you never worked with offshore developers or testers? If it isn't itemized, they won't think to do it.
And thus they need an army of project managers and QA. Because cheaper!
Does your country have a "Province, Prefecture, or Other Region" more general than city but more specific than a country? If so, that'd go in the State field. (Source: my experience integrating with postage software published by Endicia and UPS.) If the form states that the name or postal abbreviation of your province is invalid, then perhaps the business doesn't ship to your country.
No what it means is that you need to competent people, instead of brain dead biodrones. Obfuscating the function only reinforces bad thinking habits, which lead to mistakes in other areas
Well that's a really stupid attitude isn't it? Purposefully create a UI that can take an entire system down without warning or logical reason by leaving a field blank just so you can sit there and smugly wait for someone to inevitably trigger the trap you laid for them?
If you worked for me the person being fired would be you, not the person who left the field blank.
America does not have jail for everyone for everything standard.
You're either living in a bubble as to how your country works, or you're actually in a horrible shit hole of a country worse than other countries your president refers to as shit hole. https://en.wikipedia.org/wiki/...
And I've been to the USA, it's a lovely country so bubble it is. Step one is recognize you* have a problem.
*Well not you specifically, your country has a problem, but you really should know about this problem.