This lecture emphasizes the importance of producing systems and software to consistently perform as expected. Engineering is a profession that in general has a stricter degree of professionalism. Bad engineering can kill people. It’s not just about producing something, but rather dealing with a fine line between production and adhering to constraints. Engineering projects entail formal specifications defined at the onset, and processes to manage projects towards completion.
Major Computer Bugs in the history of our field
This lecture covers some examples where there should’ve been more testing performed to proactively reduce chances of system failure. In each example, users were able to give inputs that were not tested and thus left vulnerabilities that could have created great harm.
The first bug was found in 1945 when engineers found a moth in Panel F, Relay #70 of the Harvard Mark II system.The computer was running a test of its multiplier and adder when the engineers noticed something was wrong. The moth was trapped, removed and taped into the computer's logbook with the words: "first actual case of a bug being found."
Fun fact: September 9 is Debugging Day
Therac 25 is a radiation therapy machine (a cancer zapper). 6 patients died from a bug in the system.
- June 1985 - Breast Cancer Treatment. between 10,000 and 20,000 rad
- July 1985 - Cervical cancer patient in Ontario, Canada. Died months later.
- December 1985 - Patient experienced burns needing skin grafts. in Washington.
- March 1986 - Back tumors in Texas. Died 5 months later.
- April 1986 - Skin Cancer patient. Died 3 weeks later.
- January 1987 - Final patient overdose.
- AECL the company who manufactured this machine initially denied the error
- They could not reproduce error
- “Malfunction 54” error message
- This message did not appear in manuals
- AECL explained that this means Therac-25 cannot tell if it was underdose or overdose of radiation
- Turns out to be both software and hardware issues.
- FDA declared the Therac-25 “defective”.
Observations from the investigation regarding the assembly code:
- Programmer had little experience coding for real-time systems
- There were few comments
- No proof that timing analysis had been performed
- A single programmer worked on variation from older versions. This programmer no longer worked for the company by the time investigation concluded and also could not be found
- These are all things that could have been mitigated.
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
User inputs can also create unintended consequences for web applications as well.
SQL Injection is a specific form of attack where one enters SQL code into an input field on a web form to gain control over the system. Please read [the document from CISA] that outlines some ways to mitigate the risk of sql injection attacks.
An examples of how SQL injection happens can be found at this page from InfoSec Institute This was a particularly noteworthy issue in 2013 with the health.gov website’s search box.
Communities of Practice
The best way to learn about the bleeding edge of technologies and stay current is to grow your social network. One way to meet new folks is by participating in communities of practice or following official organizations. Several are listed here. These are not the only groups that exist, just a small sampling of some very important ones related to web development.
National Institute of Standards and Technology (NIST)
This is an agency within the US Department of Commerce, whose mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology. Formerly known as the National Bureau of Standards (NBS) from 1901 to 1988, one of its current popular services is to provide the official U.S. time (https://www.time.gov). The organization produced a guide to a high-level overview of information security principles which serves as an introductory guide.
Open Web Application Security Project (OWASP)
The OWASP organization is a non-profit group of volunteers who work together to help create tools and documentation in the field of web application security. OWASP created a guide for developing a testing program, which they advise to test early and test often. In addition, they also advise to test multiple dimensions, not just the technical implementation.
Association for Computing Machinery (ACM)
World Wide Web Consortium (W3C)
Communication is very important in a technical field such as software development. Verbal and writing skills are both crucial. Several of these topics will be lectured about in more detail throughout the semester.
Read more on presentation skills.
- N. Leveson, "The Therac-25: 30 Years Later" in Computer, vol. 50, no. 11, pp. 8-11, 2017. doi: 10.1109/MC.2017.4041349