| |
|
H. S. Teoh
| On Fri, Jul 26, 2024 at 06:42:55AM +1200, Richard (Rikki) Andrew Cattermole via Digitalmars-d wrote:
> On 25/07/2024 6:48 PM, Walter Bright wrote:
> > I used to spend /weeks/ trying to find memory corruption bugs. Today it's a few seconds. Seg faults are a great gift!
>
> Right up until they bring down 8.5 million computers world wide, and impact almost everyone on the planet.
>
> We got lucky this time, that there is an "easy" fix to get these machines working again.
>
> It does not matter that there probably won't be a CVE from this outage.
>
> Fact is, some data was sourced, that was not validated before access that could have been caught before a world wide outage that took out _hospitals_.
Fact is, reading in a file and casting the contents into a pointer without prior verification is a very unwise thing to do. No amount of language features will save you from the consequences. Somebody has to write the code to verify the data before acting on it. If nobody wrote the verification code, whether program segfaults, continues silently and corrupts data, formats the harddrive, or launches nuclear missiles, is really just secondary.
Also, the fact that one tiny flaw like this can bring down half the computers across the whole world is another major lesson that people don't seem to be learning from. Basically, the OS is a single point of failure; when it fails, you're up the creek without a paddle. Maybe it's time somebody pulled a Walter to design fault-resistant redundant OS instances, airplane-style. :-P
At the very least, OS upgrades should be handled much more conservatively than they are right now. For example, the patched OS should be something separate from the running OS; it should be brought up separately before the old OS retires itself and hands over control. Easier said than done, of course, but given what has happened, people really need to be thinking about this seriously.
Another factor is, push updates are evil. What really ought to have happened is that an update notification should have been sent, and the admins should have approved it before it was actually installed. (After testing the patch in a controlled environment, before pushing it out to live systems.) But I'm probably barking up the wrong tree here... people these days are all gung-ho about fully unattended upgrades and fully automated everything, who needs anybody to check the sanity of an upgrade. Well, we're staring at the consequences of this attitude right now.
T
--
Век живи - век учись. А дураком помрёшь.
|