Code Graveyards: Welcome, Bad Actors
January 3, 2025
Did you know that the siloes housing nuclear missiles are still run on systems from the 1950s-1960s? These systems use analog computers and code more ancient than some people’s grandparents. The manuals for these codes are outdated and hard to find, except in archives and libraries that haven’t deaccessioned items for decades. There’s actually money to be made in these old systems and the Datosh Blog explains how: “The Hidden Risks of High-Quality Code.”
There are haunted graveyards of code in more than nuclear siloes. They exist in enterprise systems and came into existence in many ways: created by former IT employees, made for a specific project, or out-of-the-box code that no one wants to touch in case it causes system implosion. Bureaucratic layers and indecisive mentalities trap these codebases in limbo and they become the haunted graveyards. Not only are they haunted by ghosts of coding projects past, the graveyards pose existential risks.
The existential risks are magnified when red tape and attitudes prevent companies from progressing. Haunted graveyards are the root causes of technical debt, such as accumulated inefficiencies, expensive rewrites, and prevention from adapting to change.
Tech developers can avoid technical debt by prioritizing simplicity, especially simplicity that matches a team’s skill level. Being active in knowledge transfer is important, because it means system information is shared between developers beyond basic SOP. Also use self-documenting code and understandable technology patterns, and don’t underestimate the value of teamwork and feedback. Haunted graveyards can be avoided:
“A haunted graveyard is not always an issue of code quality, but may as well be a mismatch between code complexity and the team’s ability to grapple with it. As a consultant, your goal is to avoid these scenarios by aligning your work with the team’s capabilities, transferring knowledge effectively, and ensuring the team can confidently take ownership of your contributions.”
Haunted graveyards are also huge opportunities for IT code consultants. Anyone with versatile knowledge, the right education/credentials, and chutzpah could establish themselves in this niche field. It’s perfect for a young 20-something with youthful optimism and capital to start a business in consulting for haunted graveyard systems. They will encounter data hoarders, though.
Whitney Grace, January 3, 2024
Point-and-Click Coding: An eGame Boom Booster
November 22, 2024
TheNextWeb explains “How AI Can Help You Make a Computer Game Without Knowing Anything About Coding.” That’s great—unless one is a coder who makes one’s living on computer games. Writer Daniel Zhou Hao begins with a story about one promising young fellow:
“Take Kyo, an eight-year-old boy in Singapore who developed a simple platform game in just two hours, attracting over 500,000 players. Using nothing but simple instructions in English, Kyo brought his vision to life leveraging the coding app Cursor and also Claude, a general purpose AI. Although his dad is a coder, Kyo didn’t get any help from him to design the game and has no formal coding education himself. He went on to build another game, an animation app, a drawing app and a chatbot, taking about two hours for each. This shows how AI is dramatically lowering the barrier to software development, bridging the gap between creativity and technical skill. Among the range of apps and platforms dedicated to this purpose, others include Google’s AlphaCode 2 and Replit’s Ghostwriter.”
The write-up does not completely leave experienced coders out of the discussion. Hao notes tools like Tabnine and GitHub Copilot act as auto-complete assistance, while Sourcery and DeepCode take the tedium out of code cleanup. For the 70-ish percent of companies that have adopted one or more of these tools, he tells us, the benefits include time savings and more reliable code. Does this mean developers will shift to “higher value tasks,” like creative collaboration and system design, as Hao insists? Or will it just mean firms will lighten their payrolls?
As for building one’s own game, the article lists seven steps. They are akin to basic advice for developing a product, but with an AI-specific twist. For those who want to know how to make one’s AI game addictive, contact benkent2020 at yahoo dot com.
Cynthia Murrell, November 22, 2024
Big Tech and Their Software: The Tent Pole Problem
May 1, 2024
This essay is the work of a dumb dinobaby. No smart software required.
I remember a Boy Scout camping trip. I was a Wolf Scout at the time, and my “pack” had the task of setting up our tent for the night. The scout master was Mr. Johnson, and he left it to us. The weather did not cooperate; the tent pegs pulled out in the wind. The center tent pole broke. We stood in the rain. We knew the badge for camping was gone, just like a dry place to sleep. Failure. Whom could we blame? I suggested, “McKinsey & Co.” I had learned that third-parties were usually fall guys. No one knew what I was talking about.
Okay, ChatGPT, good enough.
I thought about the tent pole failure, the miserable camping experience, and the need to blame McKinsey or at least an entity other than ourselves. The memory surfaced as I read “Laws of Software Evolution.” The write up sets forth some ideas which may not be firm guidelines like those articulated by the World Court, but they are about as enforceable.
Let’s look at the laws explicated in the essay.
The first law is that software is to support a real-world task. As a result (a corollary maybe?), the software has to evolve. That is the old chestnut “No man ever steps in the same river twice, for it’s not the same river and he’s not the same man.” The problem is change, which consumes money and time. As a result, original software is wrapped, peppered with calls to snappy new modules designed to fix up or extend the original software.
The second law is that when changes are made, the software construct becomes more complex. Complexity is what humans do. A true master makes certain processes simple. Software has artists, poets, and engineers with vision. Simple may not be a key component of the world the programmer wants to create. Thus, increasing complexity creates surprises like unknown dependencies, sluggish performance, and a giant black hole of costs.
The third law is not explicitly called out like Laws One and Two. Here’s my interpretation of the “lurking law,” as I have termed it:
Code can be shaped and built upon.
My reaction to this essay is positive, but the link to evolution eludes me. The one issue I want to raise is that once software is built, deployed, and fiddled with it is like a river pier built by Roman engineers. Moving the pier or fixing it so it will persist is a very, very difficult task. At some point, even the Roman concrete will weather away. The bridge or structure will fall down. Gravity wins. I am okay with software devolution.
The future, therefore, will be stuffed with software breakdowns. The essay makes a logical statement:
… we should embrace the malleability of code and avoid redesign processes at all costs!
Sorry. Won’t happen. Woulda, shoulda, and coulda cannot do the job.
Stephen E Arnold, May 1, 2024
Microsoft: Good Enough Just Is Not
September 18, 2023
Was it the Russian hackers? What about the special Chinese department of bad actors? Was it independent criminals eager to impose ransomware on hapless business customers?
No. No. And no.
The manager points his finger at the intern working the graveyard shift and says, “You did this. You are probably worse than those 1,000 Russian hackers orchestrated by the FSB to attack our beloved software. You are a loser.” The intern is embarrassed. Thanks, Mom MJ. You have the hands almost correct… after nine months or so. Gradient descent is your middle name.
“Microsoft Admits Slim Staff and Broken Automation Contributed to Azure Outage” presents an interesting interpretation of another Azure misstep. The report asserts:
Microsoft’s preliminary analysis of an incident that took out its Australia East cloud region last week – and which appears also to have caused trouble for Oracle – attributes the incident in part to insufficient staff numbers on site, slowing recovery efforts.
But not really. The report adds:
The software colossus has blamed the incident on “a utility power sag [that] tripped a subset of the cooling units offline in one datacenter, within one of the Availability Zones.”
Ah, ha. Is the finger of blame like a heat seeking missile? By golly, it will find something like a hair dryer, fireworks at a wedding where such events are customary, or a passenger aircraft. A great high-tech manager will say, “Oops. Not our fault.”
The Register’s write up points out:
But the document [an official explanation of the misstep] also notes that Microsoft had just three of its own people on site on the night of the outage, and admits that was too few.
Yeah. Work from home? Vacay time? Managerial efficiency planning? Whatever.
My view of this unhappy event is:
- Poor managers making bad decisions
- A drive for efficiency instead of a drive toward excellence
- A Microsoft Bob moment.
More exciting Azure events in the future? Probably. More finger pointing? It is a management method, is it not?
Stephen E Arnold, September 18, 2023
Popping Up a Level: Meta-Apps Are Becoming a Thing
August 24, 2022
A long time ago, I heard the word viewshed in a meeting in Crystal City. I liked it. Others did not. One interesting person chimed in and said, “Let’s pop up a level.” Then I heard “level up” as a way to rise above the fray or the mind numbing weirdness of many business meetings. More recently a person at a law enforcement conference used the phrase “meta-view.” The idea is that one needs to take a content object — say, a Facebook post — and think about the content in a broader way.
Each of these ideas suggests what a cranky Dr. Daphne Swartz called “getting lost in the weeds.” Dr. Swartz loved detail but she valued the ability to get untangled from weeds.
I read “AnyMind Adds TikTok Shop, Yahoo Japan Shopping to Shop Management Platform.” The write up explains that a software application “allows online sellers to manage shops on different ecommerce platforms from a single base.”
Yep, this is a meta-app, and I think these will play an important part in how people interact with the datasphere. The idea is simplification. Like WeChat, some users value convenience and having certain routine tasks pushed into the background. Online merchants want to sell and collect money. Fooling around with housekeeping chores is akin to cleaning toilets at summer camp. Wow, fun.
The article points out:
AnyMind launched AnyX in April with a goal of combining management, optimization, and tracking across the growing number of ecommerce channels in the region. It also offers services such as analytics, conversational commerce, digital marketing, and logistics.
Several observations:
Today’s online giants may find themselves reduced to an icon in a meta-app
Successful meta-apps may be similar to TikTok-style videos, and no amount of quasi-alleged monopolistic behavior can stop the train unless the quasi alleged monopolies buy the meta-app outfits
An integration with a China-linked outfit like TikTok makes clear that national boundaries and maybe common sense are less important than making life into a giant customized convenience store in Osaka.
Net net: Worth watching this viewshed, level up, and meta app idea.
Stephen E Arnold, August 24, 2022
The Microsoft Supply Chain Works Even Better Going Backwards
March 4, 2021
Do you remember the character KIR-mit? He once allegedly said:
Yeah, well, I’ve got a dream too, but it’s about singing and dancing and making people happy. That’s the kind of dream that gets better the more people you share it with.
I am not talking about Jim Henson’s memorable character. That frog spelled its name Kermit. This is KIR-mit, an evil doppelgänger from another universe called Redmonium.
This KIR-mit is described in “Microsoft Is Using Known Issue Rollback (KIR) to Fix Problems Caused by Windows 10 Updates.” I learned that KIR
enables Microsoft to rollback changes introduced by problematic patches rolled out through Windows Update. KIR only applies to non-security updates.
Does the method expand the attack surface for bad actors? Will weird calls to senior citizens increase with offers to assist with KIR-mit modifications? Will questionable types provide links to download KIRs which are malware? Yes, yes, and yes.
The article points out:
Known Issue Rollback is an important Windows servicing improvement to support non-security bug fixes, enabling us to quickly revert a single, targeted fix to a previously released behavior if a critical regression is discovered.
KIR is something users have said they wanted. Plus Microsoft has had this capability for a long time. I recall reading that Microsoft had a method for verifying the “digital birth certificate” of software in order to identify and deal with the SolarWinds-type of supply chain hack. I point this out in my upcoming lecture for a law enforcement entity. Will my audience find the statement and link interesting? I have a hunch the cyber officers will perk up their ears. Even the JEDI fans will catch my drift.
Just regular users may become woozy from too much KIR in the system. Plus, enterprise users will be “in charge of things.” Wonderful. Users at home are one class of customers; enterprise users are another. In between, attack surface the size of the moon.
Several questions:
- Why not improve the pre-release quality checks?
- Why not adopt the type of practices spelled out by In Toto and other business method purveyors?
- Why not knock off the crazy featuritis and deliver stable software in a way that does not obfuscate, mask, and disguise what’s going on?
And the answer to these questions is, “The cloud is more secure.”
Got it. By the way a “kir” is a French cocktail. Some Microsoft customers may need a couple of these to celebrate Microsoft’s continuous improvement of its outstanding processes.
As KIR-mit said, “It’s about making people happy.” That includes bad actors, malefactors, enemies of the US, criminals, and Microsoft professionals like Eric Vernon and Vatsan Madhava, the lucky explainers of KIR-mit’s latest adventure.
Stephen E Arnold, March 4, 2021
Big Numbers But What Is the End Game for Software Quality?
January 11, 2021
I cannot define quality without context. Furthermore, I am skeptical of really big round numbers. How does two trillion sound? Pretty suspicious, right? How does $2.08 trillion sound? Much more credible, right? A report from upscale universities and a standards group offers up the $2.08 trillion number. My problem is that this number appears to be pulled from thin air, and it may be too small. In short, the cost risk of lousy software is understated.
Let’s be honest. Exactly how big is two trillion? I know from experience that big numbers are designed to impress, but the reality is that big numbers don’t do much more than cause a person to dissociate from the main point.
That’s the major flaw in “The Cost of Poor Software Quality in the US: A 2020 Report.” The numbers can be dismissed because software engineers, technical experts, and teenaged wizards laboring in the vineyards of the Google have created a bit of a problem.
What do I mean? I will try to answer this question, after looking at several points set forth in the 46 page document.
First, the report informs me that software quality is bound up with Covid. Yeah, fine. Site5.com, a hosting provider, offered this argument to me when their servers crashed for the sixth time in the last eight weeks. Sorry, Covid is not software unless one considers IBM’s assertion that supercomputers in Tennessee would identify drugs likely to deal with Covid? How is that working out exactly? The cost? Let’s make up some numbers?
Second, there are apparently four categories of crappy software that impose costs. These are, and I quote:
- Cost of unsuccessful IT / software projects
- Cost of poor quality in legacy systems
- Cost of operational software failures
- Cost of cybersecurity and technical debt.
The point about failed projects seems obvious. However, what about failed projects in US, state, county, and local government systems? What is failure? What is the cost of a life when law enforcement systems cannot communicate and exchange information in near real time? Was that number included? And what about the cost of software which seems to work but levies a massive cost upon users? What’s the “cost” of phone home software or malware not detected by software systems purpose built to detect cyber breaches?
Let’s think about legacy systems at the IRS, those which manage airline reservations and flight control data, and the IBM machines chugging along in large financial institutions. Not only have the big academic brains and the whiz kids failed to create reliable methods for migrating or remediating legacy software, there has been virtually zero progress in the last few decades on using automated mechanisms for improving legacy code. Want an example? How about the failure of New Jersey to have sufficient COBOL programmers to deal with the mess in the state’s labor-related systems.
And those operational failures. It is easy for Amazon to assert that outage X cost us Y in sales. But what about the costs of delayed flights because the systems supporting the Chicago ARTCC functions go down, or the rail freight routing systems hiccup and put tens of thousands of empty freight cars in Texas? What’s the cost of a Gmail outage? What’s the cost of a glitch in the SWIFT financial system and its impact on a small business awaiting confirmation of a successful financial transaction?
Now we come to the cost of the cybersecurity thing. What’s the cost of the SolarWinds’ misstep? My hunch is that the number is very big, possibly equivalent to the economy of a pick up truck filled with mid sized EC countries’ GDP. And then the report addresses technical debt. I noted this statement:
In 2018, we reported the amount of software technical debt in the US was approximately $1.145 trillion, which represented just the debt principal without accumulated interest. At that time, we assumed a code growth rate of 35 billion LOC per year, projecting that there would be 1.455 trillion LOC worldwide (US share of 31%). We have since seen that code growth is now up to ~100 billion new LOC per year, or ~7% growth per year. Projecting those figures to 2020, and assuming that very little code has since been retired, there would now be 1.655 trillion LOC worldwide and 513 billion in the US. The US figure for technical debt in 2020 would therefore be $1.31 trillion.
Many numbers which ignore the dependent consequences of software which is either not maintained, maintained at the lowest possible cost, or just not maintained. Isn’t legacy software a component of technical debt? In fact, each day forward for an outfit like Google, the firm’s technical debt goes up. Modern software is often a combination of:
- Undocumented or poorly documented software fixes
- Software wrappers which minimize the issues with flawed legacy code well enough to move on … until the next issue arises
- Minimal changes made by contractors who are alleged specialists in legacy code or marginalized code
- Changes introduced by essentially unmanaged, security free offshore “experts.”
But the numbers look interesting and big.
Read the report yourself and answer these questions:
- How much does the report understate the fully loaded cost of lousy software?
- Why is lousy software produced by graduates of prestigious institutions the norm?
- What is the definition of lousy software? (The VC who makes money thinks whatever software is deployed as a zippy Azure security solution is just the greatest thing since sliced bread.)
What’s the fix?
Well, that’s the problem, isn’t it? There is none. There are free hacking courses, junior college Zoom courses, and fora available via interesting Web sites accessible via Tor or i2p. Certifications are possibly helpful if there are national standards. You know. Like the outstanding standards for USB support or the brilliant smart software which is amply documented in Weapons of Math Destruction.
That’s the point. Lousy software has “eaten the world.” There are fix skirmishes. Sometimes the fix wins and sometimes it doesn’t.
The report makes a big deal about numbers. These are the result of spreadsheet fever induced with long Excel sessions. The issue is that the number of two trillion is too small. And the academics yapping about quality. Check out what your students do when unbounded by ethical constraints?
Stephen E Arnold, January 11, 2021
Technical Debt with Cats: Lots of Cats
October 29, 2020
Cats are fine. Lots of cats can trigger a different reaction. I liked “Technical Debt: Why It’ll Ruin Your Software.” I ignored the cats and focused on the information payload of the article. The author does a good job of explaining what a number of people [a] ignore, [b] do not understand, and [c] miss the connection with cost and time over-runs.
I circled three items in the write up:
First, I circled this passage:
The moment John chose the faster and easiest solution for him was the moment that the Technical Debt was inserted in the code.
The idea is that in order to “get ‘er done,” the Corona virus of cost, complexity, and chaos was let loose. The “faster and easiest” method is everywhere. Like a person with an addiction the individual will not admit, there is no single step toward remediation. The remediators will use the same method.
Second, I noted this diagram:
The chart makes clear what people under pressure often ignore. Costs are rising, and they may not be controllable. How much change has the core of Google search undergone in the last 20 years? Who wants to dig into the guts and deal with some of the interesting problems which exist? Answer: No one who wants a promotion and a chance to start a VC firm.
Third, the future is smart software:
In a realistic and respectable world, machines should take care of these situations, and not us.
Yep, and software will be just wonderful.
Stephen E Arnold, October 29, 2020
Snap: Has the Company Provided a Glimpse of the Future of Software?
August 14, 2020
A brief write-up at MakeUseOf alerts us to a novel approach to applications: “Snap Minis Are Bite-Sized Apps You Use in Snapchat.” Writer Dave Parrack tells us:
“These are miniature apps created by third-party developers that you can use in Snapchat without ever leaving the [Snapchat] app. Which could make Snapchat a solid choice for more than just teenagers. … The apps are all built directly into Snapchat using HTML5. This means you don’t have to leave the comfort of Snapchat to use them, they’re guaranteed to work for all users on all devices, and they don’t even need installing.”
Navigate to the post for details on how to use this feature in Snapchat, what Snap Minis are currently available, and which are in the works. Personally, we are more interested in the tactic itself. Parrack notes:
“This is part of a major effort by Snapchat to encourage developers to give users more to do inside Snapchat. Which should boost levels of engagement. The developers also gain access to millions of users who may then be tempted to install their full-featured apps. Making it a win-win for both parties. Snap clearly wants to make Snapchat a ubiquitous app you cannot afford not to have installed on your phone. Even if you aren’t interested in seeing what you would look like as a pug.”
Will Snapchat succeed in achieving ubiquity? Perhaps. Either way, the app-within-an-app concept offers new angles for platforms and developers alike.
Cynthia Murrell, August 14, 2020
Microsoft: Good Enough Is Not the Standard We Need
May 25, 2020
Imagine the topic options swirling around this weekend: A mass marketish iPhone jailbreak procedure, Amazon allegedly selling to blacklisted companies, Joe Rogan either pulling off the podcast coup of the year or falling into the black hole of irrelevance.
What catches DarkCyber’s eye?
Microsoft Acknowledges Internet Error in Windows 10 Cumulative Update KB4535996
Three points related to the allegedly accurate statement.
First, the problem affects some WFHers. Those are people who need the Internet to do work and get paid. Bad.
Second, the problem originated in February 2020, and it is only now (May 24, 2020) being “acknowledged.”
Third, Microsoft fouled up its magical online upgrade process.
So what?
Microsoft is gung-ho on the cloud, its “building” for the future, its reinvention of apps, and its partner flogging.
Maybe the company should consider that good enough is not good enough.
Even Amazon — a firm with some issues — steps up and says, “Hey, our vaunted speedy delivery is going to work like a horse drawn cart now.”
Microsoft appears to have embraced its good enough, and it is not.
I am tired of going to my office which has Linux, Mac, and Windows machines. There I see the Windows machine waiting for me to enter a secret code or press a button to update. Yesterday one of these machines reported that it couldn’t reach my Microsoft account.
These guys are going to do warfighting?
Good enough is not. Not for Google, not for Facebook, not for Amazon, and not for Microsoft.
Good enough. Does that mean excellence today?
Stephen E Arnold, May 25, 2020