Backdoor in XZ Utils That Almost Happened

Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global Internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it.

Programmers dislike doing extra work. If they can find already-written code that does what they want, they’re going to use it rather than recreate the functionality. These code repositories, called libraries, are hosted on sites like GitHub. There are libraries for everything: displaying objects in 3D, spell-checking, performing complex mathematics, managing an e-commerce shopping cart, moving files around the Internet—everything. Libraries are essential to modern programming; they’re the building blocks of complex software. The modularity they provide makes software projects tractable. Everything you use contains dozens of these libraries: some commercial, some open source and freely available. They are essential to the functionality of the finished software. And to its security.

You’ve likely never heard of an open-source library called XZ Utils, but it’s on hundreds of millions of computers. It’s probably on yours. It’s certainly in whatever corporate or organizational network you use. It’s a freely available library that does data compression. It’s important, in the same way that hundreds of other similar obscure libraries are important.

Many open-source libraries, like XZ Utils, are maintained by volunteers. In the case of XZ Utils, it’s one person, named Lasse Collin. He has been in charge of XZ Utils since he wrote it in 2009. And, at least in 2022, he’s had some “longterm mental health issues.” (To be clear, he is not to blame in this story. This is a systems problem.)

Beginning in at least 2021, Collin was personally targeted. We don’t know by whom, but we have account names: Jia Tan, Jigar Kumar, Dennis Ens. They’re not real names. They pressured Collin to transfer control over XZ Utils. In early 2023, they succeeded. Tan spent the year slowly incorporating a backdoor into XZ Utils: disabling systems that might discover his actions, laying the groundwork, and finally adding the complete backdoor earlier this year. On March 25, Hans Jansen—another fake name—tried to push the various Unix systems to upgrade to the new version of XZ Utils.

And everyone was poised to do so. It’s a routine update. In the span of a few weeks, it would have been part of both Debian and Red Hat Linux, which run on the vast majority of servers on the Internet. But on March 29, another unpaid volunteer, Andres Freund—a real person who works for Microsoft but who was doing this in his spare time—noticed something weird about how much processing the new version of XZ Utils was doing. It’s the sort of thing that could be easily overlooked, and even more easily ignored. But for whatever reason, Freund tracked down the weirdness and discovered the backdoor.

It’s a masterful piece of work. It affects the SSH remote login protocol, basically by adding a hidden piece of functionality that requires a specific key to enable. Someone with that key can use the backdoored SSH to upload and execute an arbitrary piece of code on the target machine. SSH runs as root, so that code could have done anything. Let your imagination run wild.
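The practical question the paragraph above raises for a defender is not "what does the key do" but "is my host exposed at all": the malicious code lived in the xz library (liblzma) and only mattered where the sshd process actually loaded that library and the installed xz was an affected release. The script below is an added example, not code from the essay or from the XZ Utils project. It parses `ldd` output for an sshd binary and `xz --version` output, then combines the two signals. The `ldd` and `xz --version` samples are constructed, and the affected-version set is a placeholder rather than real advisory data.

```python
"""Exposure check: would this host's sshd load liblzma, and which xz is installed?

Added example; not code from the original essay. Sample ldd and xz outputs
are constructed, and PLACEHOLDER_AFFECTED is not real advisory data.
"""
import re
import shutil
import subprocess
from typing import Optional

# One `ldd` line looks like: "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)"
LDD_LINE = re.compile(r"^\s*(?P<name>\S+)\s*=>\s*(?P<path>\S+)")


def linked_libs(ldd_output: str) -> dict:
    """Map each shared object named in ldd output to its resolved path (None if unresolved)."""
    libs = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue  # e.g. the vdso line, which has no "=>"
        path = m.group("path")
        libs[m.group("name")] = None if path == "not" else path  # "=> not found"
    return libs


def loads_liblzma(ldd_output: str) -> bool:
    """True if any liblzma.so.* is in the binary's dependency closure."""
    return any(name.startswith("liblzma.so") for name in linked_libs(ldd_output))


def xz_version(version_output: str) -> Optional[str]:
    """Pull the version number out of `xz --version` output ("xz (XZ Utils) A.B.C ...")."""
    m = re.search(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)", version_output)
    return m.group(1) if m else None


def assess(ldd_output: str, version_output: str, affected_versions) -> dict:
    """Combine both signals: exposure needs an affected xz AND an sshd that loads it."""
    ver = xz_version(version_output)
    loads = loads_liblzma(ldd_output)
    affected = ver in affected_versions
    return {"sshd_loads_liblzma": loads, "xz_version": ver,
            "xz_version_affected": affected, "exposed": loads and affected}


def assess_local(sshd_path: str = "/usr/sbin/sshd", affected_versions=()) -> Optional[dict]:
    """Run the same check on the local host; returns None if ldd or xz are unavailable."""
    if shutil.which("ldd") is None or shutil.which("xz") is None:
        return None
    ldd_out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True).stdout
    ver_out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    return assess(ldd_out, ver_out, affected_versions)


# Constructed samples (not captured from a real host).
SAMPLE_LDD_PATCHED_DISTRO = """\
\tlinux-vdso.so.1 (0x00007ffd4a3f0000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c2a000000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c29fc0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29d00000)
"""
SAMPLE_LDD_UPSTREAM = """\
\tlinux-vdso.so.1 (0x00007ffd4a3f0000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c2a000000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29d00000)
"""
SAMPLE_XZ_VERSION = "xz (XZ Utils) 9.9.1\nliblzma 9.9.1\n"  # placeholder version string
PLACEHOLDER_AFFECTED = {"9.9.0", "9.9.1"}                  # placeholder, not real advisory data

if __name__ == "__main__":
    print(assess(SAMPLE_LDD_PATCHED_DISTRO, SAMPLE_XZ_VERSION, PLACEHOLDER_AFFECTED))
    print(assess(SAMPLE_LDD_UPSTREAM, SAMPLE_XZ_VERSION, PLACEHOLDER_AFFECTED))
    print(assess_local(affected_versions=PLACEHOLDER_AFFECTED))
```

The two constructed `ldd` samples show the distinction that decides exposure: a distribution build whose sshd links a systemd library that in turn pulls in liblzma, versus a build whose sshd never loads it. Either signal alone is not enough; an affected xz on a host whose sshd never loads liblzma is a package to upgrade, not an open door.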

This isn’t something a hacker just whips up. This backdoor is the result of a years-long engineering effort. The ways the code evades detection in source form, how it lies dormant and undetectable until activated, and its immense power and flexibility give credence to the widely held assumption that a major nation-state is behind this.

If it hadn’t been discovered, it probably would have eventually ended up on every computer and server on the Internet. Though it’s unclear whether the backdoor would have affected Windows and macOS, it would have worked on Linux. Remember in 2020, when Russia planted a backdoor into SolarWinds that affected 14,000 networks? That seemed like a lot, but this would have been orders of magnitude more damaging. And again, the catastrophe was averted only because a volunteer stumbled on it. And it was possible in the first place only because the first unpaid volunteer, someone who turned out to be a national security single point of failure, was personally targeted and exploited by a foreign actor.

This is no way to run critical national infrastructure. And yet, here we are. This was an attack on our software supply chain. This attack subverted software dependencies. The SolarWinds attack targeted the update process. Other attacks target system design, development, and deployment. Such attacks are becoming increasingly common and effective, and also are increasingly the weapon of choice of nation-states.

It’s impossible to count how many of these single points of failure are in our computer systems. And there’s no way to know how many of the unpaid and unappreciated maintainers of critical software libraries are vulnerable to pressure. (Again, don’t blame them. Blame the industry that is happy to exploit their unpaid labor.) Or how many more have accidentally created exploitable vulnerabilities. How many other coercion attempts are ongoing? A dozen? A hundred? It seems impossible that the XZ Utils operation was a unique instance.

Solutions are hard. Banning open source won’t work; it’s precisely because XZ Utils is open source that an engineer discovered the problem in time. Banning software libraries won’t work, either; modern software can’t function without them. For years, security engineers have been pushing something called a “software bill of materials”: an ingredients list of sorts so that when one of these packages is compromised, network owners at least know if they’re vulnerable. The industry hates this idea and has been fighting it for years, but perhaps the tide is turning.
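The "ingredients list" use of a software bill of materials described above is mechanical once the inventory exists: take the SBOM for each host, take an advisory naming the compromised package and its affected versions, and intersect the two. The script below is an added example, not code from the essay or from any SBOM tool. It assumes each host's SBOM is a CycloneDX-style JSON document (a `components` list whose entries carry `name` and `version`) and that the advisory expresses affected ranges as `introduced`/`fixed` bounds in the style of OSV records. Every hostname, package name, version number and advisory id is a constructed placeholder.

```python
"""Matching an SBOM inventory against a component advisory.

Added example; not code from the original essay. All hostnames, package
names, version numbers and the advisory id are constructed placeholders.
"""
import json
import re
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Crude dotted-version ordering ("9.9.1" -> (9, 9, 1)).
    Adequate for upstream release numbers; real distro strings (epochs,
    "-0.2" revisions) should go through the distro's own comparison tool."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def in_range(version: str, rng: Dict[str, str]) -> bool:
    """introduced <= version < fixed (an open-ended range simply has no "fixed")."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < parse_version(fixed)


def affected_components(sbom_json: str, advisory: dict) -> List[Tuple[str, str]]:
    """Return (name, version) pairs in one SBOM that fall into an affected range."""
    doc = json.loads(sbom_json)
    hits = []
    for comp in doc.get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version", "")
        if name in advisory["aliases"] and any(in_range(version, r) for r in advisory["ranges"]):
            hits.append((comp["name"], version))
    return hits


def exposed_hosts(sboms: Dict[str, str], advisory: dict) -> Dict[str, List[Tuple[str, str]]]:
    """Map host -> affected components, omitting hosts with nothing to report."""
    report = {}
    for host, sbom in sboms.items():
        hits = affected_components(sbom, advisory)
        if hits:
            report[host] = hits
    return report


def _bom(components) -> str:
    """Build a minimal CycloneDX-shaped document (constructed test data)."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": [{"type": "library", **c} for c in components]})


# Constructed inventory: three hosts, a few components each.
SBOMS = {
    "web-01":   _bom([{"name": "openssh-server", "version": "9.6"},
                      {"name": "xz-utils", "version": "9.9.0"}]),
    "build-07": _bom([{"name": "xz-utils", "version": "9.9.2"},
                      {"name": "zlib", "version": "1.3"}]),
    "db-03":    _bom([{"name": "liblzma5", "version": "9.8.5"},
                      {"name": "postgresql", "version": "16.2"}]),
}

# Constructed advisory: the same library ships under several package names,
# so the matcher keys on an alias set rather than one exact string.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER",
    "aliases": {"xz", "xz-utils", "liblzma", "liblzma5"},
    "ranges": [{"introduced": "9.9.0", "fixed": "9.9.2"}],
}

if __name__ == "__main__":
    for host, hits in exposed_hosts(SBOMS, ADVISORY).items():
        print(host, hits)
```

The alias set is the part that bites in practice: a library is rarely called the same thing in an upstream advisory, a Debian package list and a vendor SBOM, so a matcher keyed on one exact name quietly reports nothing. The version comparison is deliberately simple and is the second place a real deployment needs care.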

The fundamental problem is that tech companies dislike spending extra money even more than programmers dislike doing extra work. If there’s free software out there, they are going to use it—and they’re not going to do much in-house security testing. Easier software development equals lower costs equals more profits. The market economy rewards this sort of insecurity.

We need some sustainable ways to fund open-source projects that become de facto critical infrastructure. Public shaming can help here. The Open Source Security Foundation (OSSF), founded in 2022 after another critical vulnerability in an open-source library—Log4j—was discovered, addresses this problem. The big tech companies pledged $30 million in funding after the critical Log4j supply chain vulnerability, but they never delivered. And they are still happy to make use of all this free labor and free resources, as a recent Microsoft anecdote indicates. The companies benefiting from these freely available libraries need to actually step up, and the government can force them to.

There’s a lot of tech that could be applied to this problem, if corporations were willing to spend the money. Liabilities will help. The Cybersecurity and Infrastructure Security Agency’s (CISA’s) “secure by design” initiative will help, and CISA is finally partnering with OSSF on this problem. Certainly the security of these libraries needs to be part of any broad government cybersecurity initiative.

We got extraordinarily lucky this time, but maybe we can learn from the catastrophe that didn’t happen. Like the power grid, communications network, and transportation systems, the software supply chain is critical infrastructure, part of national security, and vulnerable to foreign attack. The US government needs to recognize this as a national security problem and start treating it as such.

This essay originally appeared in Lawfare.

Posted on April 11, 2024 at 7:01 AM • 158 Comments

Comments

Anonymous April 11, 2024 7:32 AM

Doesn’t “supply chain” imply you pay someone to get something in return? No one’s paying anyone.

And it’s not your supply chain, it’s a guy’s code. His.

Simon Tatham April 11, 2024 8:41 AM

A “national security” single point of failure? Critical “national” infrastructure?

Surely “global” in both cases? The victims of the attack wouldn’t just have been the USA. Likely the USA weren’t even the only intended victims of the attack.

Who? April 11, 2024 8:59 AM

@ Bruce

Programmers dislike doing extra work. If they can find already-written code that does what they want, they’re going to use it rather than recreate the functionality. These code repositories, called libraries, are hosted on sites like GitHub.

It is not so simple as just lazy development. Most of that code has passed years, even decades, of audits and patching on production environments. It is better using a code that has been tested on real production environments than writing something new from scratch.

Winter April 11, 2024 9:08 AM

Programmers dislike doing extra work. If they can find already-written code that does what they want, they’re going to use it rather than recreate the functionality.

I wholeheartedly support @Who?

Most of that code has passed years, even decades, of audits and patching on production environments.

I would even go further. Most of the value of a code base is in the debugging that it has received.

Battle-tested trumps shiny-new.

As Brian Kernighan put it:

“Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.”

Winter April 11, 2024 9:10 AM

@Chris Becke

Do we really believe that this was the first such attack to succeed?

No. At least, I have yet to see a comment claiming to believe this.

Erdem Memisyazici April 11, 2024 9:18 AM

That’s not how any of this works.

In open source often a contributor is from the organization using the project. This gives the organization some access and control and often those are decent programmers.

When government is using an open source product they do what is called a code review where every line of code is scrutinized by a team of security experts before the library is used and only stable versions are utilized. Deemed safe versions are posted on a list for everyone else to use.

There are periodic vulnerability advisories issued again by the IT security department on more recent versions of open source products, what CVEs are out there etc.

Article reads like click-bait.

Who? April 11, 2024 9:28 AM

@ Bruce

Like the power grid, communications network, and transportation systems, the software supply chain is critical infrastructure, part of national security, and vulnerable to foreign attack. The U.S. government needs to recognize this as a national security problem and start treating it as such.

I hate to say it, but the answer to this question is something you do not want to hear. The only answer is supporting open source and free software developers around the world. Pay them for the work they are doing building the pillars of our cyberinfrastructure.

And I am saying paying them, not U.S. developers, but to anyone that develops software around the world, so people gets motivated to continue their work.

jefferson April 11, 2024 10:06 AM

@ Winter:

Battle-tested trumps shiny-new.

…but it’s easy to confuse mere existence with a “battle”. Lots of people have used the xz library, but that doesn’t mean it’s come “under attack”. It probably has, but I don’t really know. There’s likely a lot of stuff that’s been floating around GitHub for a decade or more, and might even look very professional, but is obscure enough that nobody’s seriously considered security.

A project by “some guy” can look a lot like an open-source project by a team of top programmers from a major company. In either case, they’re usually very clear they have no responsibility whatsoever to anyone. If someone finds the code and decides to use it in an important product, that user should take some responsibility.

Who? April 11, 2024 10:15 AM

How many other coercion attempts are ongoing? A dozen? A hundred? It seems impossible that the XZ Utils operation was a unique instance.

Another question that should be answered is how many coercion attempts have been successful and we do not know it.

TimH April 11, 2024 10:37 AM

@jefferson:

If someone finds the code and decides to use it in an important product, that user should take some responsibility.

If your “someone” regards themselves as a “user”, then they’ll consider themselves a victim of any security issues in their library code, and won’t take responsibility.

Yog April 11, 2024 10:51 AM

This incident also illustrates the dangers in making security critical software like OpenSSH vulnerable to attack by adding local patches which drag in a lot of less rigorously developed libraries. This is what Red Hat, Debian and their derivatives did. OpenSSH itself is not at fault. Other Linux distributions like Alpine, Slackware, Void and Gentoo along with the BSDs, which didn’t add the offending patches, were not vulnerable.

The monoculture which has absorbed most of the Linux world must share some of the blame here, by providing a single point of failure on a massive scale.

Clive Robinson April 11, 2024 10:54 AM

@ Bruce,

Your paragraph,

“The fundamental problem is that tech companies dislike spending extra money even more than programmers dislike doing extra work. If there’s free software out there, they are going to use it—and they’re not going to do much in-house security testing. Easier software development equals lower costs equals more profits. The market economy rewards this sort of insecurity.”

Encapsulates most of the problem, but leaves out a couple of things.

Firstly the original driver of these problems,

“Time to Market”

The argument via the observing of the likes of Microsoft was “competition killing” by being “first out the door” and as a few around here who were there can confirm in Microsoft’s case their software was rarely if ever all there or all functional and promised fixes never happened and became

“A wish for a future release”.

Secondly as I mentioned to @Winter just the other day Microsoft was a thief in all sorts of ways. Much of their code was actually stolen or taken from other places.

After all why spend money on what is “market research” just steal it from your competitors work.

Courts even eventually found Microsoft guilty of doing so.

Yet Microsoft carried on, thus the question,

“Why?”

The simple answer is because Microsoft knew that the time to court and final judgment was usually measured in years. With two sometimes three product cycles a year the offending code/ideas could be sufficiently sanitised, and the competitor in effect put out of business in that time.

So to compete with Microsoft you either had to be too niche or play the same game as Microsoft. So we have the industry the way Microsoft wanted it because the legal process is at best defective when it comes to time.

But an important point to note is nobody pays for breakages with software. Microsoft drove the faux-lease idea to avoid any liabilities for their bad code.

The only real way to stop this nonsense or at least put a drag on it is “consumer liability” legislation. If Microsoft have to pay for breakages they cause then they will take more care than they ever have done.

How you get past the faux-clauses in the EULA’s and over paid corporate lawyers is another matter. Which in times past legislators were happy to find solutions for. But now with billion dollar corporate lobbying…

Stéphane Bortzmeyer April 11, 2024 11:39 AM

You say “coercion” and “They pressured Collin to transfer control over XZ Utils”. This suggests malevolent force but it seems that the xz maintainer was quite happy to receive a seemingly friendly offer for assistance, and gave access to Jia Tan happily. That’s something awful about this attack: it was disguised as help.

postscript April 11, 2024 11:41 AM

I would also like to see companies that use open-source products pay the developers. But, would that have helped in this situation? Any project, paid or not, could be vulnerable to social engineering-type attacks, especially with an adversary that is willing to spend years building credibility.
I’d like to see a fund that not only compensates developers and contributors, but also pays bug bounties. They already reneged on the log4j fund so I don’t hold out much hope.

Stéphane Bortzmeyer April 11, 2024 11:43 AM

@postscript Remember also that many free software developers do not WANT to be paid, or, more precisely, do not want the hassles associated with it: processes, reporting, instructions, etc. Many free software developers do it because they enjoy the freedom of working as they want, something that may not be possible if there were some money sent.

Winter April 11, 2024 11:56 AM

@jefferson

Lots of people have used the xz library, but that doesn’t mean it’s come “under attack”.

xz is not the right example for this. The malware was discovered by someone who was timing execution at ms scale. That shows real thorough testing.

But there are indeed millions of single/dual developer projects with few users. NPM has well known horror stories around such projects.

JonKnowsNothing April 11, 2024 12:15 PM

@All

re: software bill of materials

SBOM went into the dumpster with limited release notes and cryptic bug fix statements.

Consider the M$ Patch Tuesday. It lists some information but only AFTER it installs. The contents are cryptic. The bug fixes sometimes referred to as BUG FIXES or SECURITY UPDATES.

Along with M$ Patch Tuesday comes all the other patches and update for software installed or archived on the system. Software you have never activated but still gets a patch Just In Case.

There isn’t any way for an end user, even programmers, to know what’s built in the download. There are specialist programmers who can manage the update process for enterprise systems, reviewing what’s allowed and what isn’t. (btdt)

With the current methodology you really haven’t any choice: take the patch-update or don’t.

Similar known hacks happen in device drivers, gpu drivers and system components. People who need a driver update because their system is Not-WAI will download stuff in hopes of a fix.

RL tl;dr

Long ago, I was playing a new game on a laptop. Like all modern video games it was a color animated game. Other players would comment about the beautiful landscape, but the landscape looked geometric to me. They would comment on the color of the plants, all the plants on my system looked like black silhouettes. I played this way for several years.

Then I got a new system and BOOM the landscape rendered into mountains, hills and plains. The plants rendered into colorful flowers, trees and shrubs.

The old rendering was due to an incompatibility in the game graphics engine and the video graphics driver in the laptop (there was no fix). The new rendering used the same game graphics engine but had a new GPU and driver set (rebuilt code base).

Many games still use:

* Visual C++ redistributables packages from 2005, 2010, and the bundle containing 2015, 2017, 2019, and 2022

It’s not enough to dump upgrades or dump legacy items. As mentioned, many software programs have years of development riding on top of code they do not have access to or is not maintained.

In a recent post there was discussion about WikiP Editors, Edit Wars, Hot Topics, Orphaned Pages. This is a similar issue.

note: You don’t need to have a health crisis to have someone else snag your code or post. It’s part of the hand-me-down code-topic process, sometimes called Knowledge Transfer.

Clive Robinson April 11, 2024 12:24 PM

@ Morley, ALL,

Re : It ain’t what you do but the way that you do it.

I think I’ll buy more emergency food and water.

Buying in ready prepared will only serve you once… Then what?

If you want to stay in the game of life you need to know as a minimum how to

“Grow, hunt, cook, can, and store.”

Your food, and,

“Collect, harvest, filter, and make potable”

Your water.

For both you need to know how to get sufficient energy to do some of the steps, and there ain’t many trees in the city.

Otherwise it’s “EndEx” before you get out of round one.

Just saying there’s a lot you need to know and have had good practice at.

Just remember that even with a lifetime of experience early American Settlers did not really live that long, and about 1/3rd died before they made it to twenty…

Clive Robinson April 11, 2024 12:51 PM

@ Yog

Re : The prey is usually innocent.

“OpenSSH itself is not at fault.”

That depends on your view point.

To the hunter it was the prey and usually the prey is fairly innocent.

But consider what the predator is actually doing,

“Obtaining a resource with minimal risk or effort”

Therefore it can be argued that the weak or poorly defended are going to be the predator’s “low hanging fruit”.

Therefore it can be further argued that OpenSSH was just one of several resources that met the predator’s need, but OpenSSH had the lowest effort, risk, reward.

Thus the follow on question is,

“Was OpenSSH weak or poorly defended?”

To which the answer is,

“In this predator’s eyes, yes or they would have attacked elsewhere.”

You or I, as will others, might think “Why not XXX” but we don’t know what is in the predator’s mind.

Also the predator might be part of a team that have attacked other resources as well as a broad multipoint attack strategy. With other resources already attacked, and defeated, but not yet discovered.

As is said around here from time to time,

“Attribution is hard very hard”

With the implicit rider of,

“and oft impossible to get right”

In part because we can not get into the predator’s mind or environment…

Clive Robinson April 11, 2024 1:17 PM

@ Who?, Winter, ALL,

Re : Not all parts are interchangeable.

“Most of that code has passed years, even decades, of audits and patching on production environments. It is better using a code that has been tested on real production environments than writing something new from scratch”

And thereby hangs a myth.

From a physical engineering perspective, most engineers know that there are “systems” and “sub systems”. They do not solve the same problems, thus the properties of sub systems have to be considered within any new system not just dropped in.

A nylon gear might be great to adjust a trim flap on a drone. Being better because it’s not brass or steel thus lighter. But would you use the same nylon gear in the engine drive? Probably not, because although it can do the job, its failure mode is significantly different and is very much more critical. Thus you go for the heavier part with better failure characteristics.

The fact a software sub system works fine in half a dozen or more other systems is really not a “recommendation” for new systems that are different in all sorts of ways.

System complexity makes a mockery very fast of the “battle hardened” notion.

Worse, all too many of these sub systems are used because they have the kitchen sink thrown in.

In order to be “popular” they have to be,

“All things to all men”

And that really is stupid from a security perspective because it opens up the vulnerability potential by the unwarranted increase in complexity…

denton scratch April 11, 2024 2:40 PM

@Erdem Memisyazici

“When government is using an open source product they do what is called a code review where every line of code is scrutinized by a team of security experts before the library is used and only stable versions are utilized.”

Do you seriously believe that? I suspect you may be being sarcastic. Or maybe you’ve never been close to a government software procurement exercise. Good programmers – “experts”, in your words – don’t work for the government, because they can earn twice as much elsewhere.

Governments aren’t good at running major software projects for this reason. Civil servants are awful at project management, so budgets for government software projects balloon; and then the project fails anyway, and the ballooned budget has to be written off.

Farming the project out to a contractor doesn’t work either. Just look at Fujitsu and the Post Office. Government involvement made that much worse, because of the number of government software projects in the pipeline that were to be handled by Fujitsu (formerly ICL, the UK government computing “champion”). A commercial software buyer would have cancelled the contract around 2004, but successive governments couldn’t do that.

For much the same reason, legislation on software is nearly always misconceived and harmful; there are few software experts in the civil service.

denton scratch April 11, 2024 2:45 PM

@Yog

“This is what Red Hat, Debian and their derivatives did.”

Debian, in particular, has form for this kind of unwarranted meddling with upstream’s code.

Peter S. Shenkin April 11, 2024 2:47 PM

On April 6, I wrote, on X:

The XZ debacle makes it appear as if the very existence and practice of open-source software has resulted in the largest accumulation of technical debt the world has ever known or will know, all behind our backs. “Having seen one tiger in the woods”, etc.

To my surprise, I’ve not seen any responses, pro or con.

Sam April 11, 2024 3:01 PM

Yep, huge problem. I programmed for 10+ years with the last few in a 5 man shop. We created and supported insurance software. It’s insane to think we could do any kind of security review of our dependencies, beyond a look at ‘are enough other developers using this library to make it maintained and not abandonware in the near term future’.

All libraries – anything from UI to framework libs to single sign on security libraries were downloaded from Nuget / npm / other package managers with an implicit trust that they weren’t compromised or malicious. Many of these were made by independent or small teams of programmers.

The amount of brain power needed to audit the code bases for vulnerabilities down to bits is unfathomable.

If I need a car to get me ( or my code base ) from A to B, there’s no way I can afford to audit the car down to pistons and tie rods and ABS electronics.

Winter April 11, 2024 4:43 PM

@Clive

But would you use the same nylon gear in the engine drive?

Software is not nylon, nor brass.

Software cannot be designed to have an operating temperature or strength to weight ratio. Debugging before and after release is unavoidable and essential.

New nylon is good and reliable, new code is neither.

Qu April 11, 2024 6:07 PM

Considering the authorities granted to surveil and protect critical infrastructure, I can imagine many open source maintainers would be extremely uncomfortable being subject to any such targeted surveillance.

JonKnowsNothing April 11, 2024 8:50 PM

@All

re: Plethora of options, Dearth of scope

Another aspect of the overall problem is the sheer number of items in Open Source available. There are loads of options and loads of similar functions.

Programmers often use the 5-Cow version of a program (for those that remember Tucows shareware downloads (1)). Like the star rating at Amz, the more cows a shareware item had, the more trustworthy the download appeared. Some folks only went by the number of cows without considering any other aspect of the download.

Open source is a more convoluted version of load-n-pray because you don’t really know what’s in the pkg and you don’t really know if it works until you try it out. The cost if it’s a bust is lost project time or a load of malware.

Programmers don’t like to redo-do-overs, so once they decide 4Cows is enough and it worked at “their previous employer”, they will pull the same item again and again and again.

This makes them vulnerable to all sorts of site spoofing (fauxcows) and the unintended or intended coding errors from fauxcow copies.

Purchasing code has the same problems. Expensive libraries and stacks that do not work out of the box and require previous experience on fixing the seriously and vendor ignored errors in the source.

Worse, some vendors or sources only shovel OBJ code for elcheapo, if you want editable source text you have to fork over a lot more moolah.

===

(1)
ht tps:/ /en.wikipedia.org/wiki/Shareware

  • Shareware is a type of proprietary software that is initially shared by the owner for trial use at little or no cost.

Types of shareware

Trialware
Freemium
Adware
Crippleware
Donationware
Nagware
Postcardware

name.withheld.for.obvious.reasons April 11, 2024 10:33 PM

One more example of the value of promoting diverse and divergent sources of code components not readily abused in a systemic environment with large homogeneous installations and interconnects.

Functional relays, as used in aerospace applications, go a far way in stunting cataclysmic types of breaches and security events. No amount of sandboxing replica codec engines will protect against a sufficiently developed monocode platform (whether hardware or software–or both).

Clive Robinson April 11, 2024 11:19 PM

@ Winter, JonKnowsNothing, ALL,

Re : It’s Crapware you want.

“Debugging before and after release is unavoidable and essential.”

Debugging if done properly is only required to be done “pre-release”.

Code with bugs after release is “Crapware” and our host points this out with,

“The fundamental problem is that tech companies dislike spending extra money even more than programmers dislike doing extra work. If there’s free software out there, they are going to use it—and they’re not going to do much in-house security testing. Easier software development equals lower costs equals more profits. The market economy rewards this sort of insecurity.”

He’s been a lot less polite about it in the past, and with good reason.

For years I’ve written code “as an engineer” for embedded systems that used “Masked Programmed” microcontrollers. Some of it is still out there running continuously without power cycle or reset year after year, and has been for well into four decades. Some of it controls very valuable plant equipment that if it fails could have global economic effects.

The thing about “masked programmed” and similar is code could not be changed and you paid a lot of money upfront for a production run of microcontrollers.

As the reality of the engineers mantra (based on the NASA saying) has it,

“Bugs are not an option”

That was the norm in the industry back then and in some places still is. Then in the mid to late 1980’s the likes of Microsoft decided otherwise and started shipping “Crapware”.

Slowly that Microsoft mantra of,

“Just ship the S41t”

Nonsense walked back via the use of Flash ROM into embedded systems…

The result is that now crackers can change embedded code from the other side of the world and create havoc and have done…

Thanks to basic management greed and stupidity, cranking the handle on “neo-con mantras of neoliberalism”.

Will you fly on an aircraft that has “Patch Tuesday” fitted as standard so they can “Just ship the Sh1t” for a few dollars more?

Because that is what your statement excuses.

There is a rumour that the DoJ and FBI are looking into Boeing because of that “Just ship the S41t” mentality in management. Prompted by the deaths in the hundreds and multiple critical aircraft failures costing hundreds of millions if not more.

Winter April 12, 2024 1:15 AM

@Clive

Debugging if done properly is only required to be done “pre-release”.

Obviously not. Even NASA code has bugs.

NASA’s options are limited after a probe has left the planet, so they use many other strategies to prevent disaster due to bugs.

Also, NASA does make code changes after launch. NASA needs such strategies anyway as radiation ensures that bug free code can get bugs in space.

However, your claim is easy to prove. Just show us non-trivial codebases that were bug free on release. It would be nice if we were to know how it was achieved and verified.

bl5q sw5N April 12, 2024 2:35 AM

Programs need to be designed for their problem environment, task to be performed, and data structures; and then written to instantiate that design. It seems more typical on the contrary that we don’t have a good idea of what we are trying to do, and the implementation is something half unknown that is not even that.

“The beginning of wisdom for a programmer is to recognize the difference between getting [the] program to work and getting it right. … a program which does work is not necessarily right. It may still be wrong because it is hard to understand; or because it is hard to maintain as the problem requirements change; or because its structure is different from the structure of the problem ; or because we cannot be sure that it does indeed work.” – M A Jackson

“Our objective above all has been to create programs which are self-evidently correct. … we cannot afford any significant probability that our program contains a logic error. All the logic errors must have been eliminated during the design process.

“We cannot hope to find logic errors by testing. Logic errors are concerned with combinations of circumstances, and there are too many combinations to test. Instead of testing we must think and plan and design so that testing becomes unnecessary.” – M A Jackson

“Never trust a system that seems to be working” – Alan Turing.

bl5q sw5N April 12, 2024 2:50 AM

Apologies, the quote attributed to Alan Turing in my above post should have been attributed to Foone Turing.

JonKnowsNothing April 12, 2024 3:28 AM

@ bl5q sw5N, @Clive, @Winter, All

re: Programs need to be designed for their problem

There is a huge chasm between “design for their problem” and actually having a “design that solves the problem”.

This is a large aspect of what fails in program usage. Marketing has a lot to say about this along with the Leave Nothing On The Table approach to project development.

  • Design v Solve

They are not mutually inclusive. It’s more of a Venn diagram overlap between the concepts.

This concept is followed by “design is not the same as what can be implemented or executed”. It may look good on paper but it doesn’t work in real application.

  • Amz AI powered cashier free shops Grab and Walk Out failure

The design looked great, the investors chucked money at Bezos who burned it up on a rocket ship, but the reality was a failure in what was implemented. The execution of the implementation of the fancy design did not result in the expected outputs. There were too many Ohs and Naughts that were not evident on the design board.

Problems and errors, which may not have the same definition, follow complex or even simple programs.

Some of the most tested software and hardware systems are the ones used for space missions (may not include bezos-elmusko space efforts). The post-crash analysis shows how the implementation did not match the design which did not actually solve the specified problem.

===

Mars lander failures. Note the sections that have root cause analysis explanations.

ht tps://en .wikipe dia.org/wiki/Schiaparelli_EDM

  • Schiaparelli EDM (Italian: [skjapaˈrɛlli]) was a failed Entry, Descent, and Landing Demonstrator Module (EDM) of the ExoMars programme—a joint mission of the European Space Agency (ESA) and the Russian Space Agency Roscosmos.[4] It was built in Italy and was intended to test technology for future soft landings on the surface of Mars.
  • An investigation that concluded in May 2017 identified four “root causes for the mishap […]: Insufficient uncertainty and configuration management in the modelling of the parachute dynamics which led to expect much lower dynamics than observed in flight; Inadequate persistence time of the IMU [Inertial Measurement Unit] saturation flag and inadequate handling of IMU saturation by the GNC [Guidance Navigation and Control]; Insufficient approach to Failure Detection, Isolation and Recovery and design robustness; Mishap in management of subcontractors and acceptance of hardware.”

ht tps://e n.wiki pedia.org/wiki/List_of_missions_to_Mars

Check mission success v failure and failure analysis.

htt ps:/ /en.wik ipedia.org/wiki/Mars_2

  • The Mars 2 was an uncrewed space probe of the Mars program, a series of uncrewed Mars landers and orbiters launched by the Soviet Union beginning 19 May 1971. The Mars 2 and Mars 3 missions consisted of identical spacecraft, each with an orbiter and an attached lander.

htt ps://en.wikipe dia.org/wiki/Mars_2#Entry,_descent,_and_crash_landing

  • The descent module separated from the orbiter on 27 November 1971 about 4.5 hours before reaching Mars. After entering the atmosphere at approximately 6 km/s, the descent system on the module malfunctioned, possibly because the angle of entry was too steep. The descent sequence did not operate as planned and the parachute did not deploy.[4] The descent module became the first man-made object to impact the surface of Mars. The exact crash site is unknown, but it is estimated to be at 45°S 313°W.[3][5] Attempts to contact the probe after the crash were unsuccessful.

Mike April 12, 2024 4:01 AM

Unfair language.

The phrase “programmers dislike doing extra work” is grossly unfair. The correct and accurate statement would be “programmers strive to not repeatedly re-invent the wheel”.

The way you have written this makes it sound like all programmers are lazy and they are responsible for this type of exploit being possible. You know well Bruce that this is far from the truth but your choice of expression ends up being pejorative towards programmers.

Winter April 12, 2024 5:47 AM

@Mike

The phrase “programmers dislike doing extra work” is grossly unfair. The correct and accurate statement would be “programmers strive to not repeatedly re-invent the wheel”.

Otaku Quotes – “Laziness is the mother of human progress”

wiredog April 12, 2024 5:47 AM

“It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. ”

It’s been written up in the Washington Post, the New York Times, and even The Economist (which also noted that closed source software from the likes of Microsoft has frequent security problems). It’s gotten a lot of attention. Whether that attention will last is another question…

IIRC, the Economist article even mentioned the classic XKCD cartoon: https://m.xkcd.com/2347/

cybershow April 12, 2024 5:56 AM

Hopefully it’s not annoying if I repost this analysis I wrote last week that comes to some similar but slightly different conclusions than Bruce.

Poison Code

There is definitely a complex balance to be struck between the (positive) freedom and independence of anyone to write code for any use, and the (negative) freedom users should have from malware and bugs. My concern is that no single/few too-powerful entities presume to be arbiters of trust relations that underpin the supply chain. More democracy and public involvement is needed, and the burden of provenance needs to be distributed somehow.

Ben April 12, 2024 6:03 AM

A minor point, but you say “foreign actor”, but do we know that for sure?

Our own governments quite like the idea of backdoors, after all.

ResearcherZero April 12, 2024 6:08 AM

Doing extra is inefficient not necessarily lazy. It depends on how you look at and address the problem.

Resources and time are also a constraint on the types of processes that can be put in place. If it is a single soul that is responsible, a production chain is not feasible. Process control and auditing become more difficult. Time management and setting limits are then crucial.

An open source project maintained by a few people hardly has the resources to manage a large complex project, while running background checks and supervision of every contributor. If a core maintainer is incapacitated, the load increases.

Even departments with greater resources have gaps in process.

‘https://securityboulevard.com/2024/04/cisa-russian-hackers-stole-emails-between-u-s-agencies-and-microsoft/

tfb April 12, 2024 6:26 AM

@Who

You are completely right that the ‘programmers dislike doing extra work’ comment is silly: writing reusable code aka libraries is kind of the whole point of programming. And without such code large programming systems would simply not be possible at all. Indeed it’s easy to see that if you consider just the time taken to type in a series of systems of linearly increasing size then, unless you reuse code, this becomes quadratic in the final system’s size. And that’s just typing them in: that’s the easy bit.

But there’s a caveat:

Most of that code has passed years, even decades, of audits and patching on production environments.

That’s true only if the code is not being actively developed. If you rely on some library which has not changed in a long time then you can rely on it behaving the same way as it always did (bugs included). If people are making changes to it, even if those changes are ‘small’, then you can’t: the foundation you think is made of concrete turns out to be made of jelly.

So I think a desirable thing would be for people to be willing to say that ‘this thing is finished now: it does what it needs to do and any future changes to it will be only fixes for demonstrated bugs with really careful test cases’.

That’s never going to happen, of course, for a lot of reasons this margin is too small to contain.

tfb April 12, 2024 6:33 AM

@Erdem Memisyazici

When government is using an open source product they do what is called a code review where every line of code is scrutinized by a team of security experts before the library is used and only stable versions are utilized. Deemed safe versions are posted on a list for everyone else to use.

On exactly what planet do you live? I mean, really? Because no, they do not. And yes, I have worked for government. Indeed in one such role I left because I could not face the appalling security nightmare which was their system (I am a coward, but I also know I did not have the political skills to deal with it without losing my temper in a bad way).

Emoya April 12, 2024 8:15 AM

@All

Everyone here agrees that current processes are lacking/broken and that significant challenges must be overcome to resolve these issues.

At their heart, these issues are a matter of economics, expectation, and culture.

Non-trivial software is hard, nowhere near the magnitude of cryptography, but well beyond the average person’s capabilities, and even seasoned software engineers do not always fully understand what makes the individual components that make up larger systems tick, relying instead on established algorithms, libraries, subsystems, etc., that have a track record of working well.

Cryptographic algorithms have laser-focused functional and security goals, are founded in theory and mathematical principles, and are (should be) implemented such that their theoretical security is minimally compromised. However, this does not prevent an otherwise secure implementation from being utilized in an insecure manner.

Secure software is beyond hard, being nigh impossible. While a cryptographic algorithm’s attack surface is compact and well-defined by design, software can be sprawling, and minimizing the attack surface is not even a thought in the heads of most programmers. To make matters worse, software is never done. It continues to be enhanced and (hopefully) improved over time, often across any number of managers, engineers, and developers, who may or may not have any knowledge of or experience with previous iterations of the system.

In this day and age, pretty much every start-up requires the incorporation of software to some extent for success, and the “fail fast” approach is the only way to launch. It is impractical to expect any new idea not originating from an established tech giant to be able to produce something meaningful and gain traction with little-to-no resources. Pump out an MVP (minimum viable product), do their very best to keep it afloat, addressing any issues along the way, and refining the product to appeal to as many customers/users as possible. This is driven by those who control the flow of money, whether private investors, government initiatives, or other. Once the concept is proven viable, iterate endlessly.

It is also the expectation of customers that a system do everything they can imagine that it should. The more feature-rich a product is, the more successful it is likely to be, even if the majority of features are only used by a few. If your solution does not do X but a competing solution does… customer lost. There is very little loyalty in today’s culture, it’s always on to the next shiny object.

For decades, software has been a relatively inexpensive creative outlet for anyone with an idea or solution to a problem, some of the greatest advancements coming from bedroom or basement developers. This would not be possible if all software is overburdened by regulation, or development tools are only made available to those whose thinking has already been bound within boxes through “training”. Everyone who is a problem-solver and programmer-at-heart knows that, with adequate time and resources, they feel they could produce something new or better than what already exists. Whether or not their belief in themselves is well-founded should not deter an attempt, as no one can predict the value of the outcome.

Should there be some well-established standards regarding software in certain use cases? Absolutely! Security, infrastructure, government, healthcare, or any other realm where a significant number of people may be negatively impacted through a single point of failure should be subjected to rigorous scrutiny. However, the expectations in such circumstances must be appropriately adjusted from the outset or these projects will be stillborn.

I’m sure that everyone else can think up numerous other reasons why things have evolved into the state they are. It does not matter how bad this problem currently is or how bad it can be imagined to become, unless the underlying drivers are addressed, it will continue, and any patchwork attempt to fix it will inevitably lead to unintended consequences, potentially with worse ramifications.

Clive Robinson April 12, 2024 8:49 AM

@ Winter, ALL,

Re : Pulling tricks to force an outcome.

“However, your claim is easy to prove. Just show us non-trivial codebases that were bug free on release. It would be nice if we were to know how it was achieved and verified.”

That falls into the dirty tricks / strawman debating tactics… So “naughty naught”, and you know it from previous postings on this blog.

@ ALL,

To understand why it is a dirty trick, I was very specifically talking about embedded systems and masked programmed microcontrollers back before Flash ROM.

Such code was never “open source” and was written under “employment” and all that entails, the very least of which is “Non Disclosure Agreements” (NDAs) that are legal gag orders that carry significant civil damages.

So showing a “non trivial codebase” even from forty years ago is by no means “easy to” do. Even if the employing company no longer exists the codebase is an “asset with value”, which means somebody owns it and is legally required to “Defend Ownership”; as we know from “Patent Trolls”, such people are “unreasonable” in their behaviours.

But note the “It would be nice if we were to know how it was achieved and verified.”

Another little dirty trick, note the open ended “verified” that allows @Winter to “cherry pick” what favours his argument…

As for the “achieved”, back in the 1980s I wrote a hundred and seventy page book on the subject as part of my employment (with MSI), about the subject and its use as a methodology / tool. So whilst I can get away with things in “more general terms”, being specific will tread on somebody’s asset toes, and I really do not want to find out how Trollish their nature is. South Korea has some of the worst and broadest “industrial espionage” laws on the planet and they are not shy about using them, as several Israeli and Pakistani “engineers” have found to their cost.

Winter April 12, 2024 9:11 AM

@Clive

That falls into the dirty tricks / strawman debating tactics… So “naughty naught”, and you know it from previous postings on this blog.

Nope, just normal empirical science.

If you think something is possible, you only have to show one demonstration to prove your position.

The opposite is not the case. Not being able to demonstrate an example does not prove anything, most certainly not my point.

But until I see an example, or see really good reasons why I should believe it, I choose to stick with: It is not possible.

Reader April 12, 2024 11:13 AM

What is the equivalent of the FBI for being aware of this stuff?
Does it have a presence in meatspace?

Clive Robinson April 12, 2024 11:19 AM

@ JonKnowsNothing,

re: Programs need to be designed for their problem

‘There is a huge chasm between “design for their problem” and actually having a “design that solves the problem”.’

And so much more…

First off is trying to identify the problem. All too often this is more than a “Task of Hercules”.

Usually made worse by “software people”, insufficiently good to actually write software in management’s and marketing’s eyes, pretending that they know how to “distill out the requirements”.

As both you and I know from past experience, and as anyone reading up on the Fujitsu / UK PO disaster called Horizon will find, such people can not tell which end of the stick has been stuck in the “scat pile” even in a brightly lit room, and worse, cannot tell from long experience that it has been pulled out by the clean end and handed to them at the dirty end, thus making them at best dirty handed.

Thus these “experts” are at best “cack handed” and best avoided.

This issue was well known about in the early 1980’s and written up in “Soft Systems Design” (later “Soft Systems Methodology” (SSM)). Although work pertaining to it had started seventy or more years ago[1]. The problem,

“talking and listening to users”

Showed up the almost complete inability of those supposedly learning about user requirements. Thus they inevitably fell back on the dictatorial,

“We know best and will tell you that when ever you disagree with us”.

So the specifications were based on information gathered by the equivalent of “Emperor dictate not employee needs”. So not just were the specifications incorrect, the results from that point on were almost irrelevant to the actual “problem” and “solution”

However “the software guys” got to do what they wanted to do, not what needed to be done…

It’s one of the reasons why well over 90% of these style of systems fail in multiple major ways.

One study suggests that the failure rate is actually about 100%… But they get made not to be failures by changing the requirements or specifications retrospectively.

I’ve talked about how to be a “Major Project King” by jumping ship about 1/3rd of the way through… Then if the project fails you blame those who remained for,

“Not following your glorious plan”

And in the unlikely event the project succeeds you then claim it was because those who remained,

“Followed your glorious plan”

Either way you win, but by then it’s probably three or four project jumps behind you, so you’ve plenty else to talk up.

The thing is you get away with it because the management who you “bedazzled with bovine scat” dare not call the project a failure for various “bonus” and “share vesting” reasons.

In fact if you are sneaky enough you can get them to give you glowing recommendations…

A great way up the greasy pole if you are prepared to be sufficiently sociopathic about it[2]

[1] One of those most into the history of Soft Systems Design was Peter Checkland who has written a couple of books and considerable number of research papers. You can read more with the fairly lengthy, turn of the century,

Soft Systems Methodology: A Thirty Year Retrospective – Better Evaluation

https://www.betterevaluation.org/sites/default/files/ChecklandSSM.pdf

[2] Speaking of the Post Office and other senior roles look into the employment history of “Adam Crozier”

https://en.m.wikipedia.org/wiki/Adam_Crozier

And all the disasters that mysteriously followed him…

You might see where I crystallized my thinking (at one point he and I lived not very far from each other and a legal friend lived almost next door to him).

Mark T Yoshikawa April 12, 2024 12:57 PM

Thank you for all your efforts! The mention of a BOM or Bill Of Materials made me think of GUAC (https://guac.sh/). Graph for Understanding Artifact Composition. I suspect that there are many such efforts going in and needed for both IT and OT.

JonKnowsNothing April 12, 2024 1:21 PM

@Clive, All

re: “the software guys” got to do what they wanted to do, not what needed to be done

In projects both large and small, part of the design failure comes from the marketing end of the stick that promotes

  • We have something already built, off the shelf that will do what you want
  • We can make some modifications to fit your requirements

This works whether it’s Fujitsu selling their Horizon accounting package as a POS system, or a developer pulling down some source code for a Load N Pray project making modifications to shoehorn the code toward solving the design.

So, various pre-made systems are sold and re-sold with the Customization Team making it fit or trying to make it fit.

In catastrophic failure conditions, there is an underlying incompatibility between the code base, the design and the actual problem, that the Customization Team cannot resolve. Mutually exclusive design selections and a failure to solve the requirements.

  • Getting 90% of the requirements is not what was in the contract

Especially when the remaining 10% of requirements are the most mission critical ones.

There are a few responses to this problem

  • Propose a complete rewrite of the entire system at zero cost to the customer
  • Milk the Customization Change Orders for all they can get

It is the latter that companies select. They know they are going to get into a difficult and long legal problem. They know they can get Cash Today and maybe not have to worry about Cash 20yrs later.

This of course, implies Good Faith in the original design, that the mission critical items could and would be met by making a few tweaks to the program. This is not always the case.

  • People hear what they want to hear.

RL tl;dr

A software sales presentation proposal to move from existing ProductA to ProductB seemed interesting. ProductB had more actual solutions but the problem was the databases were not equivalent in setup or structure.

ProductB would require a full rework of data definitions and the creation of a one-time-conversion program. The purchasing company wanted ProductB to do this conversion as part of the purchase contract.

It came down to the words

* database, customization, conversion

Different people in the room came away with different interpretations regarding “who was going to do this”.

* No where did ProductB say, “we will do it”, they only said a “conversion can be done”.

* No where did ProductB say, “we will remap your existing database”, they only said “remapping can be done”.

* No where did ProductB say, “we will provide the Customization Team to remap your existing database and do the conversion for you at no additional cost”, they only said a “Customization Team is needed”.

Lots of managers came away thinking ProductB would do all the work, for free, in a timely fashion.

Clive Robinson April 12, 2024 3:19 PM

@ Winter,

“…just normal empirical science.”

Nope not even close.

You are trying it on with a variation of,

“Can God make a Rock bigger than he can roll?”

After a moments thought anyone half way sensible will realise it’s “a rigged question” where no matter what is answered it will be both right and wrong at the questioners choice.

So on that score, you’ve been uncovered thus the answer you get would be the equivalent of,

“May the Devil take his own on a hell of a trip.”

Anonymous April 12, 2024 4:31 PM

This isn’t something a hacker just whips up. This backdoor is the result of a years-long engineering effort. The ways the code evades detection in source form, how it lies dormant and undetectable until activated, and its immense power and flexibility give credence to the widely held assumption that a major nation-state is behind this.

I don’t understand this “widely held” assumption. Can anyone explain why only a nation-state can and would want to pull off a secretive and sophisticated years-long engineering effort? Don’t many private entities, and even individuals, have such capacity?

JonKnowsNothing April 12, 2024 5:05 PM

@Anonymous, All

re: Can anyone explain why only a nation-state could do this?

Hmmm for starters:

There is scope of the attack. Many systems interplaying with other systems. Some expert programmers can know a lot, but also finite amount, of ultra details in complex systems. The hack cuts across a lot of areas, which implies more than one developer.

Within that scope, folks generally need to earn a living. Open Source or not, people need to buy stuff, like food. So a bunch of folks, independently wealthy, with enough know-how over a lot of areas, either have membership in an Austerity Mens Club or someone is paying them to do this. There are lots of both.

To test and hide the intricacies of such development and deployment with redundancies creating a zombie-type program can be done by many hacking crime organizations. Krebs on Security (1) has lots of profiles and details about how such organizations work. There are a lot of these folks too; who are not out to make the internet a better place.

Between nation-state and criminal organizations there is a hallmark difference. The hacker types really enjoy trolling about their activities. It’s a challenge and ego boost for them to announce “I did it”; they do not usually announce “We did it”.

The ones keeping quiet signed NDA with NatSec, 3L, Military, and various police agencies that are regional or global in scope. Their motives are varied.

It’s the quiet ones that shout: Nation State.

===
1)

ht tps://krebs onsecurity.com/

Clive Robinson April 12, 2024 5:24 PM

@ Anonymous, ALL,

“I don’t understand this “widely held” assumption. Can anyone explain why only a nation-state can and would want to pull off a secretive and sophisticated years-long engineering effort? Don’t many private entities, and even individuals, have such capacity?”

There are two things to consider,

1, Resources in
2, Value out.

Prof Ross J. Anderson classified the first into three basic levels or classes with the third level being “State or equivalent”.

The second is a scale from quick grab crooks through to State types involved with “Advanced Persistent Threat” (APT) that sits there for years, without making its presence known. Governments are usually after different types of info to corporates. Corporates want ROI fairly promptly, Governments value secrecy maintained above all else. Thus whilst corporate behaviour shows up in “public space” fairly rapidly, Government tries to be never seen.

If you use the two scales as a graph you get low resource fast return at the bottom left which is usually petty cyber-crooks. At the top right you have high resource long term return. This is almost certainly espionage activities. However the longer the return time the more likely it is to be “state” than “corporate”.

Hope that helps give you a mental image to answer the question.

OpenSourceDarkSide April 12, 2024 6:57 PM

I will make two comments:

1- This is the dark side of open source. I started my career as a technologist -I have done a bunch of other things besides programming- in the late 1990s at a time when most enterprise software was proprietary. Open source was then in its infancy. Established players like Microsoft warned about the security threats of using open source.

2- We are at a point of no return. In the last 10 years or so, every software project I have contributed to has heavily used open source in one way or another. I don’t see the practice of software engineering going back to what it was like when I started. Technologists have more power now than then and no competent technologist wants to go back to a time when all the power was in the hands of senior management.

I prefer not to give specific examples in order to maintain my anonymity but if you are a provider of software, the solution is to do due diligence with respect to the open source libraries you use and only use those that have the widest acceptance possible and whose maintenance is at the hands of a top corporation with a stake in the game.

What this means in practical terms is that a package like XZ Utils should not be maintained by some solitary programmer in his or her spare time. It should be maintained by a paid developer working for Google, Meta or the like.

Without economic incentives, voluntary work only goes so far.

Stephen April 12, 2024 8:28 PM

@Erdem Memisyazici:

When government is using an open source product they do what is called a code review where every line of code is scrutinized by a team of security experts before the library is used and only stable versions are utilized. Deemed safe versions are posted on a list for everyone else to use.

I have worked in US government software development for over 10 years and at literally no point has this ever occurred.

The most scrutiny ever applied to a software package is Red Hat signing it.

Languages with their own package management (JS, PHP, etc) might as well be the Wild West.

lurker April 12, 2024 9:03 PM

@Winter, @Clive Robinson

@Clive

Debugging if done properly is only required to be done “pre-release”.

Obviously not. Even NASA code has bugs.

NB: “if done properly”
Assuming no software is ever bug-free, the problem reduces to one of adequate training and use of checklists. This has greatly reduced the failure rate for air transport, and is now being successfully introduced in medicine.

The aim should be to reduce remaining bugs to trivial. An obfuscated binary blob in a test file is not a trivial bug.

Clive Robinson April 12, 2024 9:40 PM

@ lurker, Winter, ALL,

“Assuming no software is ever bug-free”

Is an incorrect assumption

It turns on what you call software.

Take a simple “state machine” where every state and transition is coded then it will be “bug free”.

Especially as with DSP code it does not change its behaviour on any value of input.

The basic definition for a bug can be seen as “state or transition ambiguity”. This can only occur under certain circumstances (which I’m not going to list here, as you can look them up easily enough).

Laborious as it is, code up everything using simple state machines and you have the base for bug free code.

The reason most of these libraries are defective is that,

“To be all things to all men”

They chuck everything including the kitchen sink in. Thus the complexity is unnecessarily high and ambiguous states are effectively guaranteed.

The trick to making large systems out of simple state machines is almost identical to designing “secure systems hardware” which I’ve described before, but simplistically it works by,

1, Strong segregation.
2, Communications choke points that,
3, Are strongly mandated.

The problem for most programmers is they don’t like “errors and exceptions” handling. In part because in just about every high level language and OS the “abstraction” tends to force “left to right thinking” and any exception and many errors needlessly get thrown, to the “Blue Screen of Death”(BSoD). So the code is in no way “fault tolerant” when in fact it could be made so fairly easily (not too differently from the way you keep database integrity).

None of this stuff is new, and has been well known since the 1960’s.

Another issue is that many software developers are by nature “artisans” not “engineers”; this is not helped because management mistakenly see them as “10x Programmers” because they only see “delivery dates” not the veritable tsunami of “technical debt” they not only create but “walk away from”.

Now if this conversation runs the way it has in the past, those who should know better but don’t will fire up their keyboards jump in and make the same old pointless arguments.

bl5q sw5N April 12, 2024 10:06 PM

Re: You can’t really write bug-free programs.

Actually you pretty well can, and your creative problem solving is enhanced, using Jackson’s approach [1] (personal long experience).

But … true story related by a legendary system admin. She and a colleague were installing computer center hardware. As there were two kinds of electricity everything was color coded for its proper power. The colleague was about to connect a cable to power and she queried him had he checked the coding.

  • Yes.
  • Check it again.
  • I know what I’m doing, I’m looking at the color codes now, it’s fine.

… Loud bang and loss of magic blue smoke.

Moral – you can be blind while absolutely sure you see and know what you’re doing.

  1. Jackson, M. A. Principles of Program Design. Academic Press (1976).

JonKnowsNothing April 12, 2024 11:04 PM

@bl5q sw5N, All

re: magic blue smoke

RL tl;dr

I was installing a large network in an old (very old) building. While it might have passed current building codes de jure, de facto the wiring was crap. I carried with me several testers both for the network cables and the power outlets. One system seemed to belly up regularly. I got out my testers and found that even though the electrical company had certified it was correct, it wasn’t. They came back and fixed the wires. Without my testing the lines, that workstation was destined to be a poltergeist.

I was installing some mainframe components and I had to reroute some of the power and line boxes for it. I was in a remote site and on-the-phone with the mainframe boss. The install went ok until we reconnected the power boxes to the unit. The system flopped. We (meaning moi) swapped these units in different order than what was “the common preferred order of connection”. It was A=B, after the upgrade it was B=A. The power stability issue was not the problem that was expected.

And then there was the time I got my hand stuck in a PC chassis with the power still connected and the system started to arc through my hand…

echo April 12, 2024 11:28 PM

I have a response to the topic and some of the comments and even went through a few drafts before deciding to say nothing and see what unfolded.

The topic is weak on the multi-domain security model. It’s not a solution. As for the loudest shoutiest comments they’re just, well, I think people can see for themselves. Developers need their voice heard and so far they have been silenced. This “one rule for them” punch down stuff doesn’t agree with me at all. And if people want more women in STEM, IT generally, and security there is no place for legacy politics and office politics.

Right! I’m staying out of it. It gives people a chance to see where the biggest conceptual and worldview problems are on their own.

Winter April 13, 2024 3:31 AM

@Clive

“Can God make a Rock bigger than he can roll?”

I don’t see the connection. You are not God and I do not ask for the impossible.

I claim black swans exist, and if asked, I can show you one. If someone claims fairies exist, I would like to be shown one before I believe it.

Is bugless software a black swan or a fairy?

@lurker

The aim should be to reduce remaining bugs to trivial. An obfuscated binary blob in a test file is not a trivial bug.

I could not agree more.

Winter April 13, 2024 5:49 AM

@bl5q sw5N

Actually you pretty well can, and your creative problem solving is enhanced, using Jackson’s approach [1]

Re: You can’t really write bug-free programs.

The proof of the pudding is in the eating.

I have seen quite a number of books arguing people can live anywhere from 150 years to forever, or how to prevent and cure cancer, any cancer. I believe it when I see it.

But maybe bug is too vague a word.

What I mean is “undocumented, unexpected, and unwanted behavior”. And bug-free I see as no such behavior seen in a certain number of enduser-years of application use in the field.

Winter April 13, 2024 5:56 AM

@Clive

Take a simple “state machine” where every state and transition is coded then it will be “bug free”.

A state machine with a memory is how you define a Turing Complete computer. That is the problem.

If you leave out the memory, you will have to move all knowledge into the states and are left with a one-trick pony.

Personally, I don’t find designing bug-free state machines easier than bug-free software. But ymmv.

Clive Robinson April 13, 2024 12:53 PM

@ Winter,

“A state machine with a memory is how you define a Turing Complete computer. That is the problem.”

The memory in a state machine is part of its state.

Trying to claim it has “magic ju ju” as you are is kind of pointless.

Sorry but all your arguments like the nursery rhyme bucket “do not hold water”.

Winter April 13, 2024 1:04 PM

@Clive

The memory in a state machine is part of its state.

I seem to have been unclear.

If you link a state machine to read-write memory (RAM), you get a Turing Machine. If the memory is Read Only (ROM), then it obviously is not.

Winter April 13, 2024 1:35 PM

@Clive

Re: Finite State Machine and Turing’s Automatic Device

Continued…

From the Stanford Encyclopedia of Philosophy
‘https://plato.stanford.edu/entries/turing-machine/

A Turing machine then, or a “computing machine” as Turing called it, in Turing’s original definition is a machine capable of a finite set of configurations q1,…,qn (the states of the machine, called m-configurations by Turing). It is supplied with a one-way infinite and one-dimensional tape divided into squares each capable of carrying exactly one symbol. At any moment, the machine is scanning the content of one square r which is either blank (symbolized by S0) or contains a symbol S1,…,Sm with S1=0 and S2=1.

bl5q sw5N April 13, 2024 2:44 PM

@ Winter

“undocumented, unexpected, and unwanted behavior”. And bug-free I see as no such behavior

Such absence is an effect of a correct program free of logical error, agreed. But such absence is not a proof of correctness.

Winter April 13, 2024 4:43 PM

@bl5q sw5N

But such absence is not a proof of correctness.

Indeed, but one of the things Mr Turing showed was that such proofs are not always possible. So I am willing to go for an empirical surrogate measure of “acceptable behavior”.

Clive Robinson April 13, 2024 5:20 PM

@ Winter,

You wanted to see a “fairy” not a “black swan”

Well,

“It is supplied with a one-way infinite and one-dimensional tape”

You let me know when you get shown an “infinite tape” in a “finite Universe”.

But just to remind you the Turing Engine when you boil it down is in reality just a finite mapping from its inputs to its outputs.

How you go about getting the mapping is in effect just a compression algorithm of the mapping.

So if your mapping is

F(X) : (X+2)

There are three basic ways to do it,

1, An infinite map.
2, Inc X twice.
3, Add 2 to X.

Of which the last will be the fastest and smallest user of memory.

44 52 4D CO+2 April 13, 2024 6:40 PM

The only reasons to assume “nation-state” are that petty criminals are too impatient to wait for the big score, or that criminal gangs are acting with at least tacit complicity from their host nation. This notion does not fit neatly with the current nature of near-instant communication among actors across the world.

A single criminal bitcoin payoff could easily afford years of salary for several individuals.

Any LEO could provide supervised room & board in exchange for charges dropped.

Worker-year hours is not a great metric, gini-adjusted worker-hours? Someone must have a better metric… But when “nation-state” resources are less than $1 USD, the “nation” part of the equation has lost all meaning.

I’ll take it as a given that Lasse had no idea who Jia was other than a helpful contributor. Why should I think Jia had any idea who they were working for?

If the person(s) behind the Jia pseudonym never had access to the private key, there isn’t even a crime here beyond “conspiracy to” – and since it was thwarted first, there doesn’t seem to be any crime at all.

Winter April 13, 2024 9:57 PM

@Clive

But just to remind you the Turing Engine when you boil it down is in reality just a finite mapping from its inputs to its outputs.

Re: Bug-free code.

With more states than can be addressed during the expected life-time of the universe, this type of “Finite State Machine” is exactly what we have now. In itself this “reality check” is no argument or recipe for the production of bug-free code. So, it does not change anything.

Therefore, my question remains, can you show me an example of a project with bug-free code on launch? Or ever?

Until then, I consider bug-free code part of the fairy category.

Clive Robinson April 14, 2024 7:20 AM

@ Winter,

Re : Binary Chop is but one.

“With more states than can be addressed during the expected life-time of the universe, this type of “Finite State Machine” is exactly what we have now.”

Actually the “count of states” is a false measure as you should know.

As for,

“Therefore, my question remains, can you show me an example of a project with bug-free code on launch? Or ever?”

Tell me how much exercise are you getting on “shifting your goal posts”?

Winter April 14, 2024 7:47 AM

@Clive

Actually the “count of states” is a false measure as you should know.

Debugging a Finite State Machine requires checking those state transitions. Or how do you debug a state machine? By treating it as a Stored Program computer?

Tell me how much exercise are you getting on “shifting your goal posts”?

I just ask you to demonstrate that it is possible to produce bug-free code on launch.

What better way to demonstrate there really do exist black swans, fairies, or bug-free programs than by showing one? I even relaxed the demonstration. Just a project in real use that had no bug reports for, say, two years after launch would do for me.

Why is this so difficult?

bl5q sw5N April 14, 2024 11:28 AM

Any program or state machine taken just as its code can be said to be bug free, because it implements correctly the “design” that it itself is.

To talk about bugs, logical error in the code, there has to have been given in advance a problem environment of data structures and problem to be solved that determines the program design. There is then a criterion for whether the program is logically correct.

The problem to be solved however may be asking a question that cannot be answered, à la Turing. It’s not the code’s fault you asked it to do something impossible.

In common practical situations the problem to be solved is solvable, and it’s totally possible to write a bug-free program, and this should be insisted on. We did it routinely (a scientifically oriented software department).

Winter April 14, 2024 11:59 AM

@bl5q sw5N

Any program or state machine taken just as its code can be said to be bug free, because it implements correctly the “design” that it itself is.

This used to be called The Microsoft Way:
It’s not a bug, it’s a feature

I know of no people who subscribe to this philosophy with the software they apply. But I am sure it makes for a great comedy line at CS conferences.

The problem to be solved however may be asking a question that cannot be answered, à la Turing.

That is why I defined bug as undocumented, unexpected, and unwanted behavior.

Not being able to do the impossible is entirely expected and, therefore, not a bug.

Winter April 14, 2024 12:47 PM

@bl5q sw5N

The problem to be solved however may be asking a question that cannot be answered, à la Turing.

Continued…

I certainly expect the “bug status” of a program to be one of those undecidable problems, at least for “general software programs”.

That is why I would go for a less stringent, empirical, definition of bug status.

bl5q sw5N April 14, 2024 1:03 PM

@ Winter

It’s not a bug, it’s a feature

More precisely, an undocumented feature 🙂

Not being able to do the impossible is entirely expected and, therefore, not a bug.

The referent was only mentioned so as to exclude certain kinds of program problems, to avoid an overbroad claim that a proper design process will always yield programs free of logical errors, in the usual practical world.

JonKnowsNothing April 14, 2024 1:45 PM

@bl5q sw5N, @Winter, All

re: undocumented feature

For QA departments there are numerous categories used to define “bugs”. Some of what you are discussing are different versions that end up in the “bug database”. They are all correctly in the database, no matter what nouns+verbs you give them.

These cascade on test into different levels of each mis-function with the worst category being “undocumented / unknown”. QA does the most it can attempting to find the “unknowns” but QA are not the programmers or designers. They can only test the exterior of a program, which may or may not reveal an interior flaw. They can only measure results based on design documents.

There are of course, engineering tests which are better designed to test the HW functions but they still end up with the same problem

  • QA cannot “see” the insides of code, they only test the outputs results

As has already been discussed many times there are the standard 4 tests

  • Known Knowns
  • Known Unknowns
  • Unknown Knowns
  • Unknown Unknowns

Having a program pass with “Known Knowns” does not preclude any of the other 3 conditions.

It rarely means that companies fix the “Known Knowns” unless something catastrophic happens. The vast majority of bugs in a database are “easy to fix” “Known Knowns”. Not even maintenance programmers fix P4s; there are too many P2s and P1s hiding from public visibility but defined internally.

In practice, the more of type 1 and type 2 are in a program suite, the higher probability of type 3 and type 4 which might be found if anyone bothered to look for them.

While y’all are discussing the empirical probabilities of “infinite bugs v infinite no bugs”, a few adages for practical purposes.

  • iirc (badly) one of the major bug testing improvements that allowed M$ to produce Windows was a many node decision tree. If at any node, the code failed, all the code after that did not require testing because their root had already failed.

QA Teams outside of mega corps do not stop testing the trailing nodes. They look for all failures at every node. The risk is that they will have to repeat the tests after code changes (regression) but the benefit is they ID further failures in the path.

Project Planning Real Time:

  • Development is given 60% of the project time
  • QA is given 40% of the project time

  • Development of 90% of the project actually takes 90% of the project time

  • Development of the last 10% of the project takes another 90% of the allotted time

  • QA 40% is given to Development to finish the last 10% of the project

  • QA now has 0% of the time before push to release

  • QA may or may not have 1-5% of their allotted time to test anything after release

  • Engineering always considers 100% of the project time to be 100% of programmer time.

This becomes a cascading failure when mandated specs require 120 days of zero failure RT testing.

Winter April 14, 2024 4:20 PM

@ bl5q sw5N

More precisely, an undocumented feature

It is like the definition of a “weed”:
A plant growing at a place where it is not wanted.

I call an “unexpected, unwanted undocumented” feature simply a bug. I didn’t choose it, I didn’t know it was there, and I don’t want it.

JonKnowsNothing April 14, 2024 4:47 PM

@Winter, @bl5q sw5N, All

re:
It is like the definition of a “weed”:
I didn’t choose it, I didn’t know it was there, and I don’t want it.

You might not have but there is every possibility that someone else did and planted it on purpose.

There are hidden features in many programs, some hooks for future development, some development items not yet turned on.

  • Your weed is someone else’s flower

Listen to the echoing mantra of “Someone else is doing that section”

The xy problem is that the people that put it in the code wanted it. It was not a weed to them. It was a feature, restricted in access, with full design development.

  • When is a weed a weed?
    • Not when you are rewilding…

Perhaps we need a different view of coding projects.

===

https://en.wikipedia.org/wiki/Rewilding

  • Rewilding is a form of ecological restoration aimed at increasing biodiversity and restoring natural processes. It differs from other forms of ecological restoration in that rewilding aspires to reduce human influence on ecosystems.

One difficulty in rewilding projects is the delineation points selected

https://www.theguardian.com/environment/2024/apr/04/we-need-to-accept-the-weeds-dutch-towns-compete-to-remove-the-most-garden-paving

  • ‘We need to accept the weeds’: the Dutch ‘tile whipping’ contest seeking to restore greenery
  • National competition has goal of helping Netherlands reach environmental targets by removing garden paving

https://www.theguardian.com/uk-news/2024/apr/12/rare-truffle-find-scottish-spruce-forest-sends-fungus-experts-alien-species-hunt

  • Rare truffle find in Scottish spruce forest sends fungi experts on alien species hunt
  • Chamonixia caespitosa, a mottled blue truffle normally found in the Alps and Scandinavia, has only been recorded once before in the UK, in north Wales, found during rewilding project in west Highlands while removing non-native Sitka spruce

Very pretty, very toxic, do not eat it.

ResearcherZero April 15, 2024 12:09 AM

“The operation exploited gaps in the reputation process and the absence of audits on released tarballs.”

The actors aimed for sustained access to the repository.

‘https://www.sentinelone.com/blog/xz-utils-backdoor-threat-actor-planned-to-inject-further-vulnerabilities/

Telltale signs you can look for:

https://www.reversinglabs.com/blog/xz-trojan-hack-highlights-software-supply-chain-risk-from-sock-puppets

build-to-host.m4

‘https://securelist.com/xz-backdoor-story-part-1/112354/

Rust developers should check for liblzma and liblzma-sys crates in their development environment.

https://blog.phylum.io/rust-crate-shipping-xz-backdoor/

Winter April 15, 2024 1:26 AM

@JonKnowsNothing

Your weed is someone else’s flower

Very true.

But in my garden, I define what is a weed.

On my computer, I define what is a bug. If I acquire and use software, any unwanted behavior that was not part of the deal is a bug to me.

ResearcherZero April 15, 2024 1:33 AM

“they also had to tamper with the build process of the package. This they achieved by changing the source code inside the released tarball. These changes were never made in the source code hosted on GitHub, thus hiding them.”

… If you have full access to the repository, you can commit malicious code. That code can affect all users, not just people who use a release tarball.

“Git/GitHub release archives are not great for transparency for other reasons anyway. They aren’t fully reproducible: you can’t just run git archive on your machine and be guaranteed to get the same archive binary. All that Git guarantees is that you get the same file contents and modification times. It doesn’t guarantee an unambiguous representation in the archive format, and changes in the compression library can affect compressed archives. So while you can audit them, it’s not as straightforward as keeping a reference hash for the archive file.”

…”As far as I can tell, the xz project relied on manual auditing of release artifacts. And such review was probably cursory, given that the releases were prepared by one of the two active maintainers. The backdoor seems to have been engineered specifically to be hard to detect at this stage, but in the specific case of xz, the biggest problem seems that it’s critical piece of infrastructure that was maintained by a single overworked unpaid person until the malicious actor came along to ostensibly help.”

The fact that the xz backdoor was only present when building from a release tarball (and only when building those under certain conditions) was a deliberate choice from the author of the backdoor. The source code is visible to everyone, so if they had just committed the backdoor itself, it would have been detected and rejected immediately. So they took several steps to make the backdoor harder to detect…

‘https://security.stackexchange.com/questions/276340/why-did-the-xz-tools-attacker-put-so-much-effort-into-hiding-the-malware-when-th

ResearcherZero April 15, 2024 1:45 AM

“The XZUtils incident illustrates that tarballs with files that are not included in the git archive offer an opportunity to disguise malicious backdoors.”

Reproducing the released artifacts from the source code and recreating the full tarball…

‘https://www.linuxconsultant.org/simon-josefsson-reproducible-and-minimal-source-only-tarballs/
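The two ResearcherZero comments above (1:33 AM and 1:45 AM) describe the gap the backdoor lived in: release tarballs that carry files, or file contents, that never appear in the git tree. The script below is an added example, not code from any of the linked articles or from the xz project, showing the file-level check a packager can run before trusting a tarball: it lists files present only in the tarball, files whose bytes differ from the tracked copy, and files tracked in git but dropped from the release. All file names and contents are constructed for the example (the `m4/build-to-host.m4` name mirrors the file discussed in the thread but its content here is made up); in a real run `repo_files` would be filled from `git ls-files` and `git show <tag>:<path>`.

```python
"""File-level audit of a release tarball against the tracked source tree.

Constructed example: reports files that exist only in the tarball (where a
malicious build script can hide), files whose content differs from the
tracked copy, and files tracked in git but missing from the tarball.
"""
import hashlib
import io
import tarfile
from dataclasses import dataclass, field

# Autotools outputs that are legitimately absent from git; anything else
# that appears only in the tarball is reported for manual review.
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


@dataclass
class AuditResult:
    only_in_tarball: list = field(default_factory=list)   # needs review
    generated_expected: list = field(default_factory=list)
    only_in_repo: list = field(default_factory=list)
    modified: list = field(default_factory=list)          # needs review

    def needs_review(self) -> bool:
        return bool(self.only_in_tarball or self.modified)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def strip_root(name: str) -> str:
    """Release tarballs are rooted in one directory (pkg-x.y.z/); drop it."""
    head, sep, tail = name.partition("/")
    return tail if sep else head


def tarball_digests(tar_bytes: bytes) -> dict:
    """Map each regular file in the tarball to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                data = tf.extractfile(member).read()
                digests[strip_root(member.name)] = sha256(data)
    return digests


def audit(tar_bytes: bytes, repo_files: dict,
          expected_generated: set = EXPECTED_GENERATED) -> AuditResult:
    """Compare a tarball with the tracked tree.

    repo_files maps path -> bytes as the tracked tree provides them; in a
    real run it would be filled from `git ls-files` and `git show <tag>:<path>`.
    """
    tar = tarball_digests(tar_bytes)
    repo = {path: sha256(content) for path, content in repo_files.items()}
    result = AuditResult()
    for path in sorted(set(tar) | set(repo)):
        if path not in repo:
            if path in expected_generated:
                result.generated_expected.append(path)
            else:
                result.only_in_tarball.append(path)
        elif path not in tar:
            result.only_in_repo.append(path)
        elif tar[path] != repo[path]:
            result.modified.append(path)
    return result


def build_tarball(files: dict, root: str = "example-1.0") -> bytes:
    """Pack {path: bytes} into an in-memory .tar.gz rooted at `root`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"{root}/{path}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data (not the real xz sources). The tracked tree:
REPO_FILES = {
    ".gitignore": b"/configure\n",
    "configure.ac": b"AC_INIT([example], [1.0])\n",
    "m4/upstream.m4": b"# constructed macro tracked in git\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "tests/files/good-1.xz": b"\xfd7zXZ\x00 constructed test vector\n",
}

# The release tarball: drops .gitignore, adds the generated configure script,
# carries an m4 file that is not in git, and ships a test file whose bytes
# differ from the tracked copy.
RELEASE_FILES = {
    "configure": b"#!/bin/sh\necho constructed configure\n",
    "configure.ac": REPO_FILES["configure.ac"],
    "m4/build-to-host.m4": b"# constructed: present only in the tarball\n",
    "m4/upstream.m4": REPO_FILES["m4/upstream.m4"],
    "src/main.c": REPO_FILES["src/main.c"],
    "tests/files/good-1.xz": b"\xfd7zXZ\x00 constructed, differs from git\n",
}


def run_sample() -> AuditResult:
    """Audit the constructed release against the constructed tracked tree."""
    return audit(build_tarball(RELEASE_FILES), REPO_FILES)
```

Anything in `only_in_tarball` or `modified` is where the reviewer's attention belongs; a clean release built straight from the tag produces empty lists for both.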

Winter April 15, 2024 2:04 AM

@JonKnowsNothing

Your weed is someone else’s flower

Continued …

But a bug in this discussion is any behavior the producer of the software explicitly or implicitly excludes.

JonKnowsNothing April 15, 2024 3:12 AM

@Winter, All

re: A bug by any other name…

@W: On my computer, I define what is a bug.

I think that definition is going to be problematic … unless you are The Trainman.

From The Matrix Reloaded (a fun view of program bugs)

The Oracle: … Look, see those birds? At some point a program was written to govern them. A program was written to watch over the trees, and the wind, the sunrise, and sunset. There are programs running all over the place.

The ones doing their job, doing what they were meant to do, are invisible. You’d never even know they were here.

But the other ones, well, we hear about them all the time. …. some program that’s doing something they’re not supposed to be doing.

So colloquially a bug is a program or system doing something it is not supposed to be doing.

Although there are some programs that are one ginormous bug set like M$ Windows. Given Patch Tuesday, it is clear that not much there is WAI.

===

https://en.wikiquote.org/wiki/The_Matrix_Reloaded

  • The Matrix Reloaded is a 2003 film, and the second film in The Matrix series.
  • Written and directed by Lilly Wachowski & Lana Wachowski

Winter April 15, 2024 3:47 AM

@JonKnowsNothing

I think that definition is going to be problematic

Not if the producer of the software claims their product behaves in the way I think it does. Then we publicly agree on what behavior is not a bug.

So colloquially a bug is a program or system doing something it is not supposed to be doing.

This is certainly true, but not a good basis for deciding whether a program is bug-free before we operationalize “supposed” in a useful way.

Although there are some programs that are one ginormous bug set like M$ Windows. Given Patch Tuesday, it is clear that not much there is WAI.

The question behind this thread is whether it is possible to produce bug-free code on launch of a software application. I think it is not possible. MS Windows most certainly is not a counter example to my opinion.

Clive Robinson April 15, 2024 5:18 AM

@ Winter, bl5q sw5N, JonKnowsNothing, ALL,

Re : It’s my bat and ball and I’m going home.

“On my computer, I define what is a bug.”

Which is a pointless argument because no matter what I produce you will wave your arms and say “bug”.

Which is a road I suspected you were rapidly heading down.

“If I acquire and use software, any unwanted behavior that was not part of the deal is a bug to me.”

You’ve fallen into the “Midas Touch” trap.

You say,

“I want every thing I touch to become gold”

And it gets delivered as to your wants…

Only your wants are ill thought out, thus when your daughter becomes a statue and neither your food nor water is consumable and you are clearly going to die…

Then in your mind it’s somebody else’s fault for delivering exactly what you actually asked for.

That is more than a little egocentric of you, to put it politely.

You’ve already shown via the nylon gear example that either your knowledge is suspect, or you were hoping to argue falsely…

But we get down to based on your arguments as finally presented above that everything you acquire “is a bug”… If not now but in some future point when it does not do something you retrospectively think it should do, or worse does something you asked for but you did not think through.

That is not the basis for an equitable exchange of goods / value that is stable, but it is guaranteed to keep the legal brethren in Gulf Stream Jets etc, you embittered, or both.

hf April 15, 2024 5:41 AM

Whether or not this was a “foreign actor” depends on what country you are in.

If you are in the USA, it was probably a “domestic actor”, seeing that Jia Tan was working according to US timezones.
Whether or not a name sounds Chinese (committer) or Indian (the social engineering push) doesn’t mean much.
The NSA isn’t going to name their agents as “NSA-Agent04738”

hf April 15, 2024 5:53 AM

It’s not an attack on “software supply chain”.
XZ isn’t a supply chain, it’s a product, it’s the software itself and the guy who became maintainer of it himself.
A supply chain attack would be the packager or distributor or the server hosting it.

OpenSource developers aren’t your “supply chain”. That’s honestly a bit rude to imply.

You also forget that the backdoor only works if openssh got built with distributor packages linking it to libsystemd.
Which means that OpenSource was the solution here yet again. If you built and shipped OpenSSH as intended by its developers, the backdoor won’t work.
Why specific companies like RedHat (which is an NSA asset btw. that is running their xkeyscore servers) decide that they know better, is a question up to you.

So maybe it’s partly a “supply chain attack” after all and the NSA asset that linked openssh against libsystemd at the distributors level is part of it?
But that is a conspiracy theory for another time.

Winter April 15, 2024 5:55 AM

@Clive

Which is a road I suspected you were rapidly heading down.

You are looking desperate.

It is obviously what “undocumented, unexpected, and unwanted behavior” is in the context of software use. We are talking about bugs in the public eye where producers and users agree.[1] What I accept on my computer is not really relevant to this discussion.

If you are certain it is possible to produce bug-free software in the above sense but do not know of any examples where this has been demonstrated, just say so. Then try to convince us of the reasons why you are sure it is possible.

The fact that I am a Doubting Thomas is in no way a reason to change your beliefs.

Saying that it is possible and then refusing to point to examples with all kinds of flimsy excuses is just pathetic.

[1] If the producer disagreed, they would have documented the behavior.

Winter April 15, 2024 6:03 AM

@hf

XZ isn’t a supply chain, it’s a product, it’s the software itself and the guy who became maintainer of it himself.

But it is a supply chain attack. The attack was on OpenSSH, which does not even use XZ.

The attack is to systemd which links both XZ and OpenSSH into a single memory space. This allows the XZ malware to attack functions inside OpenSSH, which is only possible because both are linked into the same runtime image.

The XZ library is clearly in the supply chain of systemd, as is OpenSSH. I am certain the maintainer of XZ will agree as he has taken responsibility immediately and started to help control the situation and clean up the damage.

ResearcherZero April 15, 2024 8:43 AM

Does the hottest month on record have anything to do with the bugs in my supply jam?

What I am willing to agree on is that a long and sustained attack on a developer, followed by the hostile take-over of a project designed to also target other projects, is indeed a supply chain attack. The developer was maliciously targeted specifically for that purpose, and the attackers were preparing to introduce further vulnerabilities while maintaining access to the repository. They also did it in a manner that was very difficult to detect.

The entire operation would have required meticulous planning well in advance. This process once completed could have then provided further access to unrelated projects and resources.

ResearcherZero April 15, 2024 8:52 AM

supply chain (with crates)

‘https://blog.phylum.io/rust-crate-shipping-xz-backdoor/

hf April 15, 2024 8:59 AM

@Winter

I understand now how you get there. You say that xz got infested to target openssh in a finished distribution down the road.

But i don’t agree with this definition. Cause it makes the term pointless. Suddenly everything is a “supply chain attack”. If 7zip gets infested to target Windows, it’s a supply chain attack cause someone got to distribute and install it there first?

Anyway, the backdoor only works if the distributor patched openssh like this:
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-9.8p1-systemd.patch
And this is clearly on a supply chain.
But nobody seems to assume that those patches are part of the backdoor, even though they were done by an NSA asset (RedHat).

A discussion that should be held, but that somehow doesn’t happen, should be about distributor patches. Do we really trust some random packager? I surely would prefer to get openSSH as intended by their developers, rather than a modified monster with 61 patches.
https://src.fedoraproject.org/rpms/openssh/tree/rawhide

Clive Robinson April 15, 2024 9:23 AM

@ ResearcherZero, ALL,

Re : Chain is one dimensional.

“… is indeed a supply chain attack.”

Actually no.

It’s not a “chain” but a “tree” when you think about it a bit further.

Like so many other things that go from the tangible physical objects we can see, to intangible informational objects few can even imagine let alone understand, we get issues.

The reality is that “supply chains” are a notion based on finished physical items. The tree part is hidden behind the manufacture / assembly.

What information objects now allow is the manufacture / assembly on the end user system.

So there is not one supply chain but very many feeding in from all directions.

I fully expect “supply tree attacks” to become the norm very very quickly. And… In the process develop a complexity beyond what most can comprehend.

Please remember I am the equivalent of an “old war horse” and have been on the periphery of attacking computer systems since before it was a crime. In that time I’ve learnt a lot of things. But two of importance,

Firstly is the inability of the ICT industry to learn from its own mistakes.

Secondly is the inability of the white hat side of ICTsec to see “physical attacks” and then transpose them to “informational attacks”.

This second point is a major failing as the black hat side has no difficulty in doing this… They also learn the lessons most ICT industry players never do.

echo April 15, 2024 9:36 AM

Is this still rumbling on? Note the loudest voices are the ones who don’t have to do the work. Near zero references to anything outside of a monopolar security definition. Obviously not software developers (or project managers) in the real world. If you’re the kind of twit who wants every single theoretical risk for every line of code ever written mitigated down to zero you’re not the one signing the cheques. Want zero fault software? Go pay the six figures it takes to certify every time you change a single line plus you lose a finger every time you make a single mistake in your work. Oh, your work is perfect? Hah hah. That ain’t ever happening.

I’ll also repeat again there were only two lines possibly four which directly or indirectly touched upon the multi-domain security definition. A workplace involves more than just technical. It involves human rights and equality, economics, public policy, and the list goes on. All of those have a bearing on security.

You could delete all but six posts in this topic and lose nothing.

N.B. “Software developer” is more than the dehumanising “code monkey” which gets slung around far too often.

JonKnowsNothing April 15, 2024 11:58 AM

@ Winter, @bl5q sw5N, @Clive , ALL

re: “undocumented, unexpected, and unwanted behavior”

This definition will not fly either.

re: Personal Bug or unwanted behavior

@W you introduced the concept of a Personal Bug, something you personally did not like and therefore determined it was a malfunction. This is sometimes called the DWIM Principle – do what I mean.

Software doing something different is what makes new or upgraded software useful.

It’s also the source of great user dislike, because no one likes changes from something they know how to use, to an unknown and which “may or may not” be useful.

  • Very early in the Windows system, there was a calendar feature included. The next upgrade removed the calendar. People who relied on that calendar lost valuable information, contacts, tickle notices and appointments. The users did not realize that M$ would take away something that was previously provided.

So, was removal of the calendar a “bug”? It can be argued both ways.

re: Undocumented

This is a huge rabbit hole because there is a ton of stuff that is not publicly documented and may not even be documented in engineering specs. Not every function call is documented. Often, only external calling functions are documented, whereas internal processing functions are not.

  • I give you a way to call my function (X). Once you pass X to me, what and how I manipulate it is invisible to you until I return the result (Y). You only see the result of the function call.

re: unexpected

Bugs are the result of unexpected outputs; they can also result from unexpected inputs. They are the unexpected behavior of a system. However, from the thousands of bugs listed in a bug database, they are not unexpected, they are known; they are not unexpected anymore, they are predictable.

  • Clicking THERE results in a BSOD

These bugs don’t even have a “why” because like many systems, most are so complex it is hard to find The Why anymore. The Restart Your System mantra has replaced The Why.

  • In my PVP game, we generically call a delay LAG. Technically lag is a specific aspect of delay but it’s used to describe anything from a slow update, rubberbanding, complete failure to process inputs to a Halt in all inputs and outputs, which atm requires you to crash the client to the desktop to resolve.

One question now, is this still “unexpected”? We know about it. We have a working solution, although not an elegant one. No critical infrastructure is affected by it. It’s well known among the players. Some players are able to take advantage of a Halt Condition because they are not in the Halted State. That last is tricky because you can become Halted just by proximity to another Halted player.

  • Would we rather this not happen? Youbetcha.
    • Will it be fixed? Never.

===

h ttp s:/ /en.wikipedia.org/wiki/DWIM

  • DWIM (do what I mean) computer systems attempt to anticipate what users intend to do, correcting trivial errors automatically rather than blindly executing users’ explicit but potentially incorrect input.

It is also used to express user frustration that the computer does not respond to what they want the system to do based on their actions.

  • I just want it to do X! (expletives deleted)

Winter April 15, 2024 12:24 PM

JonKnowsNothing

@W you introduced the concept of a Personal Bug, something you personally did not like and therefore determined it was a malfunction.

That should teach me not to get distracted as any sidestep can be used to derail the discussion.

What is a weed in my garden or a bug in my computer is a personal taste. The plant I buy or the program I install should behave as advertised so I can make an informed decision to plant or install it.

As such, a program should behave as documented and expected so I can select it and rest assured it won’t show unwanted behavior.

But I see there is a very strong desire to claim bug-free software is possible and should even be demanded, and an even stronger desire to avoid having to come up with any demonstration that this is also realized in the real world.

The longer this thread becomes, the more I get convinced that I was right and there is no example of non-trivial bug-free software, at least not at launch, but maybe neither after launch.

emily's post April 15, 2024 12:57 PM

@ JonKnowsNothing

DWIM is unsafe unless in the scope of a comefrom. See inverse goto and deja vu programming logic.

JonKnowsNothing April 15, 2024 1:02 PM

@ Winter, @bl5q sw5N, @Clive , ALL

re: bug free software: None

I concur from experience that I’ve never seen bug free software. I do not have a mathematical proof that it might not exist but from empirical experience there is always a bug, trivial to significant.

There is a legal phrase (USA) used by nearly every manufacturer about implied warranties. (1) which is to negate any non-contracted warranty condition.

  • disclaim the implied warranty of merchantability or fitness

This is where the bug infestation problem resides. As long as software and hardware vendors can exclude merchantability in the fine print, the bugs get a free forever home.

I have met developers who claim to write bug free code, however, what they really mean is that it compiles without a halt on first run. It does not mean there are no bugs, errors, warnings on the compile, it only means the code doesn’t crash mid-way.

While I personally endeavor to write bug free, I do lots of testing to find them before I submit to the repository. QA could still find stuff that was broken, but the simple stuff was taken care of by my own testing. In no way did I ever write anything that was bug free on the first pass. Not even Hello World.

Software and hardware are sold with the same warranty as a horse. If you do not do a pre-purchase vet check with full veterinary work up (xrays, blood, genetics), you own it as soon as you hand over the funds. No matter what the seller claimed, it isn’t necessarily so, however, you own it anyway.

===

1)

h tt ps:/ /e n.w ikipedia.org/wiki/Merchantability

  • In common law jurisdictions, an implied warranty is a contract law term for certain assurances that are presumed to be made in the sale
    • disclaim the implied warranty of merchantability or fitness for purpose

Henrik Holst April 15, 2024 1:10 PM

@Erdem Memisyazici

Any code review wouldn’t have found this particular attack because it wasn’t in the code; it only existed in a test file and in an automake m4 script file used during building (and only when building an RPM or DEB), and also the malicious versions of those files only existed in the tarball and not in the GitHub repo.

So it was designed to withstand a code review.
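
Henrik Holst’s point above is that the altered files lived only in the release tarball, not in the repository. A defender-side check is to compare the two before building; the Python below is an added example (not code from the thread or from the xz project), and its project name, file names, listings and the allowlist of generated autotools files are constructed assumptions.

```python
"""Compare a release tarball's file list and contents with the git tree it
claims to come from. Added example, not the xz project's own tooling; all
listings, file names and contents below are constructed sample data."""
import hashlib
import posixpath

# Files an autotools `make dist` tarball legitimately carries that are not
# committed to git (assumption: a typical autoreconf layout; adjust per project).
EXPECTED_GENERATED = {
    "configure", "aclocal.m4", "config.h.in", "build-aux/install-sh",
    "build-aux/config.guess", "build-aux/config.sub", "build-aux/ltmain.sh",
    "m4/libtool.m4", "m4/ltoptions.m4", "m4/ltsugar.m4", "m4/ltversion.m4",
}


def tar_paths(tar_listing):
    """Turn `tar -tzf` lines into repo-relative paths: drop the leading
    'name-version/' component and skip directory entries."""
    paths = set()
    for line in tar_listing:
        line = line.strip()
        if not line or line.endswith("/"):
            continue
        _top, sep, rest = line.partition("/")
        if sep:  # entries without a top-level directory are ignored
            paths.add(posixpath.normpath(rest))
    return paths


def git_paths(git_listing):
    """`git ls-files` already prints repo-relative paths, one per line."""
    return {line.strip() for line in git_listing if line.strip()}


def _is_expected(path):
    # Makefile.in is generated in every directory that has a Makefile.am.
    return path in EXPECTED_GENERATED or posixpath.basename(path) == "Makefile.in"


def tarball_only(tar_listing, git_listing):
    """Files in the tarball but not in git, split into (expected build
    products, everything else). The second list is what a reviewer reads."""
    extra = tar_paths(tar_listing) - git_paths(git_listing)
    expected = sorted(p for p in extra if _is_expected(p))
    unexpected = sorted(p for p in extra if not _is_expected(p))
    return expected, unexpected


def content_mismatches(tar_files, git_files):
    """For paths present in both trees, return those whose bytes differ.
    Both arguments map repo-relative path -> file bytes."""
    return [
        path
        for path in sorted(set(tar_files) & set(git_files))
        if hashlib.sha256(tar_files[path]).digest()
        != hashlib.sha256(git_files[path]).digest()
    ]


# Constructed sample data with placeholder project and file names.
SAMPLE_TAR_LISTING = """\
project-1.0/
project-1.0/configure
project-1.0/Makefile.in
project-1.0/src/
project-1.0/src/Makefile.in
project-1.0/src/main.c
project-1.0/m4/example-macro.m4
project-1.0/tests/files/good-1.bin
project-1.0/tests/files/extra-fixture.bin
""".splitlines()

SAMPLE_GIT_LISTING = ["configure.ac", "Makefile.am", "src/main.c",
                      "m4/example-macro.m4", "tests/files/good-1.bin"]

# The macro file is in both trees, but the tarball copy has extra lines.
SAMPLE_TAR_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/example-macro.m4": b"dnl committed macro\ndnl only in the tarball\n",
}
SAMPLE_GIT_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/example-macro.m4": b"dnl committed macro\n",
}


if __name__ == "__main__":
    print("tarball-only (expected, unexpected):",
          tarball_only(SAMPLE_TAR_LISTING, SAMPLE_GIT_LISTING))
    print("modified vs git:", content_mismatches(SAMPLE_TAR_FILES, SAMPLE_GIT_FILES))
```

On a real release you would feed it the output of `tar -tzf` and `git ls-files` at the tagged commit, and hash the extracted files against that checkout; anything in the unexpected or modified lists deserves a human look before the package is built.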

ResearcherZero April 15, 2024 6:54 PM

There is probably a thread on Reddit for arguing over word definitions, and digital detox.

Winter April 16, 2024 1:13 AM

@JonKnowsNothing

I concur from experience that I’ve never seen bug free software. I do not have a mathematical proof that it might not exist but from empirical experience there is always a bug, trivial to significant.

This is a good summary too of my position in this matter.

disclaim the implied warranty of merchantability or fitness

I understood this to be a prerequisite for FLOSS to even exist. No FLOSS project can bear the cost of warranty.

JonKnowsNothing April 16, 2024 3:47 AM

@Winter, All

re: No FOSS project can bear the cost of warranty

Consider what the inverse of that statement means.

  • What is actually in a warranty?

That the item does what it is supposed to do, is not defined as a public danger (without explicit approvals), that it is not a fake or forged item.

Bypassing the warranty part permits all of the above to exist in the product. It’s why G$ M$ F$-M$ A$ and all the other companies use FOSS, because they do not have to pay a penny for it and they can avoid any responsibility for how their products actually function.

A Warranty allows redress for a malfunction, like returning the item, getting repair parts. Without a warranty, the consumer pays the price for shoddy goods. Companies get to pocket the profits and pay out nothing for “unexpected and undesired results” from the product. ( see ElMusko AI Cars legal challenges)

Warranties are insurance schemes, so they can be gamed too. They are never perfect protection from unsatisfactory goods. They are at best a toe-hold against poor products.

For physical goods, warranties provide redress for unexpected problems. Government agencies can order a product recall if something dangerous occurs with the product. Without a warranty or the ability to do a recall, software and hardware shoddy goods continue to flood the market and have done so for decades. (see USA Lemon Laws (1))

Currently, SW HW Product Recalls are handled by applying a patch if one is ever created. If a patch is never created we end up with faulty equipment and faulty software in a forever state. The consumer must buy a new product to get the latest patch, paying extra for something that should have been part of the product from the get go.

FOSS can sustain and support a warranty because the creators have better control over their product as it is supplied to the open market. Creators of shoddy goods (1cow) will fall out of favor. There isn’t any need for defending a warranty if the product is “as described”.

People rarely accept items that do not have a warranty or a product replacement policy. There is some hocus-pocus by the SW HW industry to appear to provide replacement policies but do not actually meet the requirements of such an exchange and are de facto new purchases.

Recently, a cargo bike had a faulty weld on the frame. A cargo bike has a box on the front or back for hauling items or children, who can be seated in them.(2)

Both warranty and product recalls have been made.

The company is recalling all of these and replacing them.

Imagine the level of bug and malfunction reduction if FOSS and Corporate software actually included full warranty and merchantability.

Warranties do not prevent malicious actions, they are intended to provide assurance the product works as advertised, puffery notwithstanding, as long as they are not actually porkies.

===

1)

ht tps :/ /en .wikipedia.org/wiki/Lemon_law

  • Lemon laws are laws that provide a remedy for purchasers of cars and other consumer goods in order to compensate for products that repeatedly fail to meet standards of quality and performance. Although many types of products can be defective, the term “lemon” is mostly used to describe defective motor vehicles, such as cars, trucks, and motorcycles.

2)

HAIL Warning

ht tps:/ /ww w.thegua rdian.com/world/2024/apr/02/babboe-dutch-cargo-bike-firm-safety-recall

  • Dutch cargo bike firm recalls 22,000 cycles
  • approximately 22,000 cargo bikes are being recalled and replaced
  • All owners of these models will be offered a new (cargo) bike

Clive Robinson April 16, 2024 4:13 AM

@ Winter, JonKnowsNothing, ALL,

Re : Warranty on no sale.

“No FLOSS project can bear the cost of warranty.”

Not sure what the law is in the US, but in the UK software was simply treated like an image of an object.

That is like taking a photograph of a building or person in a public place.

Further if you did not sell the image then you were not liable for it (though you might be liable for defective materials you used to transfer the image).

As by and large images of objects did not cause harm this appeared sensible.

Software however is not exactly an image, but an image of a list of instructions.

Let’s say I drew up an artwork for a recipe for “Green Hemlock Soup” looking like an illuminated Medieval Manuscript. Yes very neo-art, but if someone actually followed the recipe and died?

What responsibility would I carry?

It’s where the question of intent arises. I could reasonably argue that I sold “art work” not a folio of recipe instructions for murder / suicide.

But with software the intent is that of a folio from a recipe book, that is the instructions within be followed to the letter by a machine acting as an idiot savant.

Thus the question falls to one of if the intent was malicious or not. For a poisonous soup obviously, but what of say cookies with peanuts in?

Thus a balance of probability arises.

Which brings us around to the vexatious question of disclaimers…

I’ve seen this sort of legal logic play out with physical products, and to be honest those who make claim are put across as being “as dumb as a stump” or worse by their own legal team…

One case was for an advert for a waterproof battery shaver. That showed the shaver dropped into a sink full of water, pulled out and used still wet. It was “argued” that someone of limited mental abilities would think that applied to all electric shavers, including the non-waterproof 110V AC corded type…

The ad got pulled as a result. Which is a bit awkward if your main selling feature is the fact your rechargeable shaver is fully waterproof…

Winter April 16, 2024 4:51 AM

@Clive, JonKnowsNothing
re: No FOSS project can bear the cost of warranty

There are countries, eg, the EU, where there is a mandatory warranty for every product “sold”.

In the EU, a product must adhere to its CE marking and remain functioning for a “reasonable” period as expected for such a product. That is, a washing machine must function for years, a 1 euro flashlight for days/weeks. The seller, retailer, is responsible for the warranty.

Having to give a warranty would be a serious problem in the EU, and supposedly, other like jurisdictions.

FLOSS can get around this because:

  • It is not sold, that is, you can get your money back if it does not work
  • The user can get it fully audited if they need, ie, users should do due diligence
  • No one claims it will fit your needs, ie, no advertising

Clive Robinson April 16, 2024 5:28 AM

@ Winter, JonKnowsNothing,

Re : EU Country abusing sales process.

Thanks to @JonKnowsNothing linking to recent issues on “cargo bikes” being recalled for what appears to be unfounded reasons[1].

We find this appalling “protectionism” example from France,

https://www.theguardian.com/media/2020/jul/01/france-bans-dutch-bike-tv-ad-for-creating-climate-of-fear

[1] The argument appears to be that the authority has seen a very small number of complaints[2], then done the old “give us the documentation we demand or else” trick. See,

https://www.nvwa.nl/nieuws-en-media/actuele-onderwerpen/frequently-asked-questions-about-babboe-cargo-bikes

The question is “why?” Because typically such regulator behaviours are a sign of it being captured by vested interests. It’s an established fact that cargo-bikes that cost up to €10,000 are eating into the small car market for various good reasons and that means EU car makers are losing out to them significantly (about 50% drop in France, similar around London). Which means politicians get their chains pulled by the car lobby, and the politicians in turn pull the chains of overly obsequious regulators and the like.

[2] From what I can tell it appears that some people want a warranty for the liberty of smashing it up… All bikes and motor vehicles for that matter break if you keep driving them into curb-stones, rocks, etc at speed, especially with excessive loads. You can not design a practical vehicle that is not going to be affected by this issue.

Winter April 16, 2024 5:38 AM

@Clive
Re: Babboe cargo bikes

That is a real danger.

Babboe bikes are used to transport children. Their frames have been reported to break during use causing dangerous situations.[1]

To make things much, much worse, Babboe employees hid faulty frames during a safety visit from the official technical office charged with investigating these reports.

No, this is not an example of protectionism.

[1] If you can’t read it, look at the pictures
‘https://www.rtlnieuws.nl/onderzoek/artikel/5434314/tientallen-meldingen-over-breuken-babboe-bakfietsen-ook-met-letsel

Clive Robinson April 16, 2024 9:47 AM

@ Winter,

“No, this is not an example of protectionism.”

Read what I wrote again, I was speaking about the French banning of an advert as protectionism.

But

“If you can’t read it, look at the pictures”

I had to look at the pictures as lack of latin makes perceiving it difficult.

So starting with the first pair of pictures with the pink fluff trousers. That type of knee injury is all too common in those that ride bikes but generally seen in a worse condition when above 30kph. It’s on the outside of the knee and caused by a road slide; we used to call it “chicken leg road rash” and I’ve got equivalent scars on both my legs from a quarter century of two wheel riding and having motorists shove me off. On motorbikes it generally happens going around a corner with the back wheel losing road contact and sliding out, or just taking the corner too fast; in the US they call it “knee knocking” in bike racing.

But take a look at the bike: the first thing I see is the fact it’s neglected and not maintained, and has not been for quite some time, possibly “the last love it saw was in the bike store” when sold as new.

So any sign of stress failure from curb bumping and rock bouncing would have gone unnoticed for months or years.

Onto the second set. Well there is nothing to see of what actually broke, but again signs that it was not well maintained.

Onto the third set. Effectively it’s a bottom bracket suffering from metal fatigue. Importantly you can see that it took time to get like that and the rider should have been well aware of it weeks before. The most likely cause is curb bumping and rock bouncing again with a heavy load. Put simply, the wheel base is very long so it’s the fulcrum principle. Your front wheel hits a rock/curb and has two choices: the first is to fold/crumple, but the second is to go up whilst the bottom bracket, due to load inertia, carries on heading for the rock; the stress on that bend is significant. You see the same sort of failing on building site wheelbarrows where they load them up with too much weight, then take a run up to get up a slope etc.

Onto the fourth set. Oh dear, would you look at all that corrosion; that failing again “is a long time happening” and no maintenance even on the Bowden cables…

As for the “broken frames” at the works, the only frame we can see clearly shows no obvious breaks. All the different wheel sizes and types on the flat bed suggests that there are many different types of bikes they came from, with the fact they are mostly lying flat suggests they may not be “whole frames”. In fact the one on the flat bed to the left looks like it’s been bent in a road accident not suffered metal fatigue and unbolted and removed/replaced.

So whilst signs of owner/operator failure to maintain are very clear there is nothing really probative to a design or supply chain failure…

Sorry but that’s the short and the long of it.

Of the metal fatigue fractures, they are where I would expect them to be from such a design.

I will note it’s not a design type I’d buy because I’d expect the failures to happen on that single pipe design where they appear to have occurred.

But is that a “critical fault” no, not if the bike is properly used and maintained. Which I will note appears not to be the case with what is shown in the photos.

I’ve heard metal fatigue be called,

“Death by a thousand bends”

And it’s true, if those owner/operators had just wiped the frames down with a damp rag followed by a light oil rag then the early signs would have been spotted and dealt with quite safely. In aeronautical systems they call it “preventative maintenance” and all vehicle owners are expected to do it as standard to stop blowouts and similar issues. Because in the UK history has taught us “owners are lazy” the vehicle has to go through what is still called the “Ministry of Transport”(MoT) test. These long wheelbase bicycles with single spar designs should be tested likewise no matter who makes them, because like blond hair and blue eyes, laziness comes built in with a lot of humans.

Winter April 16, 2024 10:21 AM

@Clive
Re: Babboe

Maintenance

Bicycle maintenance has no influence on frame breaks. A bicycle frame should never break as that is a mortal danger. The quality of the frame is the main selling point of Dutch bicycles.

Note that the Dutch own 1.3 bicycles per capita (I own 2.5 bikes myself). Bicycle safety is a major point in the Netherlands. Frame breaks are so rare that I never heard anyone experiencing one.

Onto the second set. Well there is nothing to see of what actually broke, but again signs that it was not well maintained.

Maybe you should have a closer look. In the second pair of photos (linking to another article) the front of the frame is completely detached and lies on the ground. In the third photo you see the frame completely broken. The tube is half open. The fourth set shows a partially ripped frame tube.

Again, this should never happen.

Babboe has been very widely covered in the news after news broke about these frame breaks.

Winter April 16, 2024 10:56 AM

On topic again:

Open sourcerers say suspected xz-style attacks continue to target maintainers
Social engineering patterns spotted across range of popular projects
‘https://www.theregister.com/2024/04/16/xz_style_attacks_continue/

The OpenJS Foundation Cross Project Council, a policy and governance group within the OpenJS Foundation, recently received a series of suspicious emails it believes were an attempt to mess with one of the popular, unnamed JavaScript projects it hosts.

“The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).”

Here is the original blog:
‘https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

Clive Robinson April 16, 2024 2:54 PM

@ Winter,

“Bicycle maintenance has no influence on frame breaks. A bicycle frame should never break as that is a mortal danger.”

Every thing of more than a few molecules breaks eventually under flexure stress (unlike your notions on software bugs it is an immutable law of the universe). And so yes bicycle frames do break, I’ve had two do it to me on the bottom bracket on quite expensive bikes in my cycling career. As I’ve mentioned before I’ve also had a pedal snap off whilst going around Waterloo roundabout on the south side of the road bridge, in the early evening traffic, which became one of the more memorable events of my life around 1AM in the morning. I used to do over 120 miles per day on one of the many push bikes I’ve owned over the years. And I miss being allowed to cycle rather more than most people can guess (to me it was a type of freedom that parachutists claim to feel briefly in free fall, but for me that just went on and on).

The thing about metal fatigue especially from flexure is it shows up at the outer surface first and works inwards. On a painted surface of a tube it shows up quite some time before the part finally fails. Just wiping with a cloth should show it up.

Thus corrosion or rust is a sure indicator of where things are going to fail if not maintained in some way.

But there has always been a strong inverse correlation between maintenance and in service failure. It is after all why the aerospace industry has such an in-depth, time intensive and expensive “Preventative Maintenance”(PM) program. For some reason people get tetchy about bits of aircraft and their contents dropping on them from above at up to terminal velocity. Likewise those that form parts of the contents really don’t want to be bits that descend from above into free fall and terminal velocity.

It’s not just mechanical engineers that look for signs of corrosion when fault finding or doing PM; electrical / electronic engineers do it, as do all other engineers that I know of. Look up “magic smoke” or smell thereof as being one facet of this. It is after all famed enough for even mathematicians to know of,

https://xkcd.com/730/

I guess we can take it as read that your C.V. does not contain any practical engineering or science?

Winter April 16, 2024 3:36 PM

@Clive

This is a typical Dutch bike and their frames do not break:

‘https://media.npr.org/assets/img/2015/08/24/gettyimages-485069188_custom-df4f5ecf3ae23b8e8e4c4b914c058f0a9e4b4150-s1200-c85.webp

Clive Robinson April 16, 2024 6:16 PM

@ Winter,

“This is a typical Dutch bike and their frames do not break”

Just from that picture alone I can see three points where the frame has been weakened such that breakages will occur.

The easiest for you to see is where the straight riser from the bottom bracket, is joined to the curved riser. That join point will cause stress to be focused and micro fractures to form.

And before you witter on, consider it’s a known failure mode, and has been for over forty years. It’s what caused the leg to come off the Alexander L. Kielland platform and became Norway’s worst maritime disaster, killing 123 people in just a few minutes.

In memoriam,

Eternal Father, strong to save,
Whose arm hath bound the restless wave,
Who bids the mighty ocean deep,
Its own appointed limits keep.
O hear us when we cry to thee,
For those in peril on the sea.

lurker April 16, 2024 7:37 PM

@Clive Robinson, @Winter
“where the straight riser is joined to the curved riser …”

Sounds to me like gender discrimination: a suggestion that bikes designed as “Ladies” bikes might be more prone to fail than others. Failure at, or close to a join like that suggests to me

a) an incorrect metal/alloy has been used for the tubing, or

b) the welding technique is incorrect, excessively heating the tube and weakening it, or

c) there is a design fault (which could include both of the above).

NB Ladies bikes have been designed like this for more than a century with no ill effects. Perhaps the fairer gender are less likely to overload the frame, or go kerb-jumping.

With non-English/Dutch speaking persons generating the metallurgy compliance certificates on the far side of the planet, the Babboe incident could be a supply chain problem …

JonKnowsNothing April 16, 2024 9:05 PM

@lurker, @Clive, @Winter, All

re: bicycle geometry

Modern bikes have different geometry depending on use and gender. While it might set off a storm, male bodies are different in proportion than female bodies. Modern bikes have different leg to seat, back to handle bar, arm reach configurations depending on gender differences.

  • Men tend to have long torsos and short legs. Women have longer legs but their pelvic curve is different than men. The depth and width of the saddle twist (narrowest part) varies between men and women, and also by individual shapes.

The modern configuration of the geometry may not have the old traditional shapes. These are not Department Store bikes.

  • there is nothing worse than spending hours biking in the wrong bike-saddle with the wrong reach distance to the handle bars.

Adding on to those differences are alterations made for specific physical differences from the average. Seat size, handle bar height, handle bar shape, brake location all customizable by individual.

Any bike can have a frame failure. Bikes that get an annual maintenance check will have their frames inspected. Cyclists should inspect their bikes before and after a ride. Bikes last much longer when they are properly maintained and their chains cleaned after every outing and before use if they have been stored. The crank box is critical and a professional shop should take that apart and inspect the inner workings regularly.

Clive Robinson April 16, 2024 11:06 PM

@ lurker, ALL,

“Sounds to me like gender discrimination”

Not by me, or by most who have anything to do with bikes.

Though you are correct that even something like a century and a half ago women started riding bikes as essentially a form of freedom.

The problem was the “bone-shaker” was not exactly comfortable and Drs were advising men that their chances of becoming a father diminished. The basic inverted triangle, though strong, meant a lighter and stronger design, and the “safety bike” with all its comfort features evolved.

The problem was that no matter which way you put it, for women riding a bike meant wearing a hideous approximation to male britches, but instead of leather were made of soft cloth but still incorporated certain women killing features (basically you do not want bundles of highly inflammable materials strapped around your legs and backside). And let’s be honest, britches have never been a fashion accessory for anyone irrespective of gender; they made you look at best like a stable hand to fork out the muck… and anyone who can say “plus fours” or look at them with a straight face deserves an award for acting…

Women’s bikes developed in the Edwardian period and were a main stay of the Suffragette and other women’s movements including religious ones. Oh and the Drs were now advising women it would ruin their chances of becoming mothers as well as adding a whole load of imaginary diseases… Yup Drs can be seen as equal rights discriminators when it came to bicycles.

The changes to bike design were first accommodation for clothing by lowering the cross bar, but this caused problems with brassed / silver soldered joints and the stem joints had to be increased in thickness. Whilst there were other mechanical differences, the improvements due to metallurgy due to armament production and the fact women who made up the workforce had to be mobile caused other changes.

Thus changes to the visual appearance became possible including softer curves and thus became of more interest to the market.

Whilst little is taught about it, right through until the 1960’s women, especially single women, owe much of their changes in their life circumstances to the push bike and two world wars making women on bikes not just “normal” but more importantly acceptable to all.

It became almost unthinkable for nurses and midwives not to ride around on bikes, and so they got one of the greatest pushes up in professional status and a solid foot hold into medicine with “practitioner” abilities. For some reason even into the 1970s Drs were still demonising bikes for both man and women.

As far as I’m aware there is no evidence they reduce your fertility and might well improve other aspects in that area.

Oh and the fact you are not lifting and dumping your body weight onto your hips, knees, ankles, and foot joints, is likely to help delay arthritis set in… Remember humans may walk upright but the mammalian skeleton was designed for four foot movement.

The thing that does suffer however is your spine for reasons that I’ll leave to others to explain.

Winter April 16, 2024 11:47 PM

@Clive, JonKnowsNothing, lurker
Re: gendered bikes

Interesting cultural history of bicycles

The reasons there are different bicycle frame shapes for males and females are, however, more prosaic.

Women used to wear skirts. Skirts don’t sit well with a cross bar. Skirts also don’t go well with swinging your leg over the rear wheel.

As a result, most women are used to having a step through frame and are very uncomfortable with hoisting their leg over the rear wheel. But the same holds for men who, for whatever reason, do not want to hoist their leg over their bicycle.

Producing a safe step-through city bicycle frame that does not break during use is an engineering problem that has been solved a loooong time ago.

If you get around to looking at the frame of a Babboe cargo bicycle, you will see why that was a whole new engineering and QA challenge.
‘https://nltimes.nl/2024/02/27/babboe-recalls-city-mini-cargo-bikes-safety-concerns

JonKnowsNothing April 17, 2024 12:15 AM

@ Winter, @lurker, @Clive, ALL

re: Gender Bicycle Geometry

Modern bikes, especially well designed ones, which are primarily not Department Store Bikes, are designed for the correct bio-mechanics of men and women. The bio-mechanics of each gender is different (1).

Cargo bikes can be designed for specific genders and it is not One Size Fits All. Nor should anyone accept a One Size Fits All bike.

Modern bikes and bike clothing are designed by gender too. Women’s bike shorts are different from men’s bike shorts. It has to do with HooHaa issues for both sexes.

Bike geometry has nothing to do with skirts…

re: the thing that does suffer however is your spine

The forward position of road and racing bikes is set by wind resistance models. Same as for horse racing, jumping. Upright stance is particularly bad on the spine and is part of the Department Store bike One Size Fits All marketing schemes, which quickly turns into a major spinal operation if left too long. Parents buy upright seat bikes because they really do not know any better and the department stores are not going to tell them.

The forward stance on a bike is set for bio-mechanics. The majority of us who sat upright and pedaled our way to school never learned any better and just hurt because that was how it was done.

One of the first things people learn when they go to a decent bike shop is that they have been doing it wrong for most of their lives. No one told us any better and the damage was done years earlier.

You need to re-learn how to use your body correctly and you need to have the geometry correct to minimize fatigue while biking. There are mitigations a bike shop can make for physical limitations and skeletal issues. Pain is not part of the program and is an indicator that something is not correct.

A good bike, good geometry, good design, be it a cargo bike, a road bike or a mountain bike can be ridden for hundreds of miles a day, up and down hills and mountains without discomfort.

  • Tired yes, discomfort no.

===

1) There is a spectrum under discussion about the scope and timing of these differences.

Winter April 17, 2024 12:21 AM

@JonKnowsNothing

Modern bikes, especially well designed ones, which are primarily not Department Store Bikes, are designed for the correct bio-mechanics of men and women. The bio-mechanics of each gender is different (1).

Nah, Dutch city bikes are designed for abuse:
‘https://bicycledutch.wordpress.com/wp-content/uploads/2019/11/autumn2019-02.jpg

Note, this is not uncommon.

Winter April 17, 2024 12:54 AM

@JonKnowsNothing

re: the thing that does suffer however is your spine

Curiously, when I had serious lumbago and could not stand or sit from pain, I was totally fine riding a city bike upright.

Which does not tell us anything about its long term effects. I assume the shape and orientation of the saddle matters a lot too.

JonKnowsNothing April 17, 2024 3:37 AM

@ Winter, @lurker, @Clive, ALL

re: bike design and bike geometry

There are a lot of different bike designs to achieve different needs. Some cargo bikes have a bin in the front, others a bin in the rear, others run saddle bags front and/or rear and others tow the bin by clamps to the main bike frame.

  • @W image shows a really dangerous overloaded bike and no bike helmets, not even on the children
  • @L image shows a bike with clearly bad geometry which can be seen in the handle bars

Bike geometry includes the distance and angle of the seat height, the type of seat and posture to the handle bars. Some “fashion bikes” have a totally different geometry not meant to be comfortable or stable for long rides.

Depending on your body size, the “seat height angle to the handle bars”, the “length of the reach” and “angle of hands-arms-shoulders” and “head and neck angle”, all affect your physical health and potential long term injuries.

The bike has to fit your needs but also has to fit your body.

A woman using a man’s bike doesn’t have a problem with the top tube, they have problems with the height and angle of the seat-to-handle-bar and more important the distance and angle of the hip-pelvic joint to the knee-ankle-foot.

  • the wrong angle impedes the ability to pedal efficiently

A man using a women’s bike will be canted over putting extra strain on their lower back because the reach distance is too short and the leg-knee-foot angle is wrong.

  • Wrong posture leads to severe back pain and damage to lower back

There are lots of different saddle formations and each has a benefit or mitigation to the basic seat design. It’s the most personal part of the bike. The type of saddle you select may change over time too. Some saddle types have known physical problems and riders who select that type generally mitigate the problems elsewhere in their kit.

  • A woman in forward posture on too narrow a seat will not have a happy ride
  • A man on too wide a seat will have their legs splayed too apart for their pelvic distance leading to hip and knee joint pain

Modern bicycle designs are lighter in weight so there is less to push, they have better gearing options so you can pedal at a constant rate over different terrain, and they have better brake systems less prone to catastrophic failure. Biking kit is designed to avoid chafing, blisters and saddle sores.

===

https://en.wikipedia.org/wiki/Bicycle_frame

https://en.wikipedia.org/wiki/Bicycle_frame#Frame_geometry

https://en.wikipedia.org/wiki/Bicycle_and_motorcycle_dynamics

https://en.wikipedia.org/wiki/Bicycle_geometry

https://en.wikipedia.org/wiki/Bicycle_gears

Winter April 17, 2024 3:47 AM

@JonKnowsNothing

@W image shows a really dangerous overloaded bike and no bike helmets, not even on the children

That’s reality in the Netherlands. Add two shopping bags to the handles and that is seen too (could not find a picture). As a toddler, I was transported this way in both the front and the back seat (shifting with age).

Dutch city bikes are built for this use. Front seats must be able to carry up to 15 kg, back seats 22 kg (EN14344-norm [1]).

Bike helmets are not compulsory. For normal transportation, Dutch people hate them with a vengeance.

[1] ‘https://www.nen.nl/en/nen-en-14344-2022-en-297716

Clive Robinson April 17, 2024 6:15 AM

@ Winter, ALL,

Re : Dutch behaviour.

“Nah, Dutch city bikes are designed for abuse”

As has been observed above, apparently not this cargo bike design.

You can see that the design actually focuses the stressors at what are already weak points in the design, rather than dissipating them across the design.

Worse is the fact, –as is all too often the case with vehicles,– people ignore,

Available energy E = K times V^2 velocity squared.

Worse the power which is what does the harm is energy in a time period. Thus the shorter the time, the greater the power thus harm. So we get the approximation of,

Harm ~= K times V^2/t

So in what were otherwise survivable vehicular accidents people die because the power flails, rips, and tears, body parts and impact effectively intensifies the power to do this many fold (think about a siege engine like a trebuchet or even throwing stick).

But whilst flesh bone and blood can regrow, in the bike design the damage accumulates over time.

Thus the design was the sum of its failings and repeated user abuse…

Winter April 17, 2024 7:59 AM

@Clive

As has been observed above, apparently not this cargo bike design.

That is why they are all recalled and taken off the market.

JonKnowsNothing April 17, 2024 12:26 PM

@Winter, All

re: Bike helmets are not compulsory. For normal transportation, Dutch people hate them with a vengeance.

Just an FYI for some areas in the USA including my backward area of California, if that image was here, you can expect the following

  • the adult would be arrested
  • the children taken into protective services unless an acceptable family member could be found
  • there would be a large fine
  • there would be permanent child endangerment notations on the adult and the parents or guardians
  • there would be court hearings and reviews, you will need a lawyer and dealing with CPS is by all reports a nightmare.
  • Not much will happen to the groceries

It has not much to do with the cargo bike itself but how it is loaded and what the cargo is. No one here cares about the groceries.

Don’t even think you could get away with it, we got surveillance systems everywhere.

Part of the discussion about bicycle design is based on old memories:

  • I was transported this way

Learning to do better sometimes means putting a helmet on a child.

JonKnowsNothing April 17, 2024 1:13 PM

@Winter, All

re: Helmet rules

Just an adjunct to the topic of safety improvements and helmets, in the horse show world the use of helmets has created a great change in riding head gear.

Long ago it was just fashionable to wear a top hat or cowboy hat while riding, part of the dress codes of the period. During recent decades the increased mandatory use of crash helmets while riding passed through the “I hate them” to “Never get on a horse without one” phases.

When 3 point harness chin straps were required to ensure that the helmet remained in place during a fall, one might have thought the sky was falling because “fashion” was the foremost view:

  • You had to look posh and posh people don’t wear helmets and posh people don’t wear 3 point harness chin straps

Well much of that is behind us now and in competition people are required to wear helmets with 3 point harness. Some are required to wear equestrian body armor and emergency self inflating vests with back supports (1).

The fashionistas still have problems but many designs are now allowed and there are mitigations that make the clunk look less obvious.

  • Racing helmets, now many times more effective than a decade ago
  • Jumping, Eventing helmets and body armor reduce serious injuries
  • Dressage top hats (different crown height for men-women) can have a crash helmet under the exterior hat. Dressage now permits standard jumping-eventing helmets in competition.
  • Cross country riding, Cowboy sports can have a crash helmet built into the cowboy hat. You can’t tell it’s there.
  • 3 point harness design can be made of clear material so from a distance you cannot see it.

One of the most dangerous of rodeo sports Professional Bull Riding (2), used to have a no helmet needed rule. It was part of the machismo culture to get whacked in the head by a 2 ton bull’s head or horns with the expected trauma crushing the face.

After the PBR became “mainstream” all the riders had to switch to helmets. It took the riders a while to make the transition but they all did it. Later they added a frontal face shield cage.

The excitement wasn’t diminished at all.

===

1)

https://en.wikipedia.org/wiki/Air_bag_vest

  • In horse riding, the device is worn over a standard padded vest and is automatically inflated by gas released from a carbon dioxide canister when a tether attached to the horse’s saddle is extended during a fall.

2)

https://en.wikipedia.org/wiki/Professional_Bull_Riders

https://en.wikipedia.org/wiki/Bucking_bull

https://en.wikipedia.org/wiki/Bodacious_(bull)

Winter April 17, 2024 1:57 PM

@JonKnowsNothing

Learning to do better sometimes means putting a helmet on a child.

Child mortality is lower in the Netherlands than in the USA (including California). The type of accidents you refer to are rarer than children killed by gunfire in the USA (per capita). The major cause of death of children in traffic is cars, not bicycles.

So, who do you want to teach security?

Clive Robinson April 17, 2024 4:41 PM

@ Winter, JonKnowsNothing,

Re : The device or its use.

“That is why they are all recalled and taken off the market.”

I spotted some of the design failures from just one or two not very good photos in a first glance.

OK I’m an “Engineer” and that sort of eye for issues is “part of the job spec” and comes with training, experience, and as our Host @Bruce used to say “thinking hinky”.

But what I saw is well known and understood not just in engineering design, but in approvals bodies, and codified in safety standards, almost as “basic requirements”.

So the question of,

“Why now?”

Arises, that is how did they get “put-on-the-market” not just in their country of origin, but all over the world?

As you’ve noted “putting on the market” has strong regulations in the EU[1].

Thus we move to the Who and What of the “3Ws questions” with,

“What or Who failed to pick up on the failings?”

Experience tells me that the answers may be a long time coming, especially when “long grass” is available.

[1] The basic rules and regulations framework can be found in what was once called “the blue book” and now for legal reasons is called the “blue guide”,

https://single-market-economy.ec.europa.eu/news/blue-guide-implementation-product-rules-2022-published-2022-06-29_en

A fun read it is not, but it does its best 😉

JonKnowsNothing April 17, 2024 5:24 PM

@Winter, All

re: Helmets save lives

You can argue and pull in every concept you can think of to justify No Helmet. There are a lot of people who consider helmets to be an invasion of personal space and personal choice. You are clearly in this grouping.

People who decide helmets are useless, use the same arguments about medicine, vaccines, seat belts and all the many safety measures that are used in goods, services and manufacturing.

Child mortality is a big bucket, just like adult mortality. Mortality is the reason someone dies. When they die their life expectancy drops to zero. Their actuarial table might have indicated they would have lived to 78-98yo but one bad fall changes the entire landscape forever.

We all witnessed this RT from 2019 through today. The same ol’ same ol’ reasonings haven’t changed. The fundamental condition hasn’t changed either.

Most accidents happen because of an external event. You might be the best bike rider in the Netherlands, with perfect balance, perfect timing, perfect pedal motion and lucky enough to have a custom built bike that allows you to maximize your ability. However, you are no match against the chaotic forces in a crash, and you are no match for a several ton vehicle swerving into your bike lane while riding an unbalanced, overloaded and poorly designed bike. You don’t even need the frame to crack first.

I would not trade your life for that scenario. Perhaps you should not trade yourself for it either.

  • “Wear a helmet” is like “Get a warrant”. Similar groups of people don’t want to do either.

Clive Robinson April 18, 2024 12:32 AM

@ JonKnowsNothing, Winter, ALL,

Re : Accidents do not happen lack of prevention does.

“Most accidents happen because of an external event.”

I’m known for saying,

“Accidents do not happen” or

“There are no such things as accidents.”

I’ve said it here, I’ve said it other places and though there has been disagreement my reasoning still holds because it’s based on the fundamental laws of nature.

What most call an accident I call an “inevitable result” of the laws of nature not being responded to within the laws of nature.

The laws of matter and motion are well established and have been repeatedly confirmed over several centuries

To prevent any “inevitable result” you have to add in energy in a known way. To do this you need,

1, Sufficient knowledge
2, Sufficient force
3, Sufficient time.

If you have insufficient of any one of these items then the “inevitable result” happens; calling it an “accident” does not change this.

Further consider,

“All actions have consequences” due to “Cause and effect” even though billions of years of time elapse as the quantity of matter / energy is bounded and unchanging.

It’s the basic premise of the “clockwork universe” and “theory” says we can work it backwards if and only if all the information is available.

But going back to the list, it can be shown that the third item “time” is the most important to have sufficient of.

All too often we do not have time to process the information available into knowledge and bring an appropriate force to bear for a sufficiently long time interval.

The thing about protective clothing is it gives the equivalent of both time and force from pre-knowledge. So it changes the “inevitable result” outcome even if it does not stop it happening.

I would not like to demonstrate it again, but three wet woollen blankets hung up loosely the right distance apart will bring the velocity of a military rifle bullet down from almost certainly dead to almost certainly alive but pissed off. Lightweight Body Armour uses the same process using layers of Kevlar and ceramic plates.

The trick is,

“Spreading the energy in both time and space”.

If you hold a medium-sized apple in your hand you get about 1 Newton of downwards force; it does not hurt you. Take the apple up about 2m or 6ft and drop it, and it will certainly hurt your hand unless you take certain precautions. If it hits a concrete floor from the same height then the apple generally becomes “Clean up crew to aisle 13”.

Study how an experienced “catcher” avoids harm by “pulling in” it’s quite instructive if you have to design equipment packing or safety clothing etc. Remember the space you have for force energy absorption is “volumetric”…

Winter April 18, 2024 1:44 AM

@JonKnowsNothing

You can argue and pull in every concept you can think of to justify No Helmet. There are a lot of people who consider helmets to be an invasion of personal space and personal choice. You are clearly in this grouping.

Sorry, this is not America.

First, the number of preventable deaths in this category is minuscule, much less than 1 in a million people [1]. Then, the resistance has nothing at all to do with Live Free Or Die.

Cycling is a major means of transportation for short distances. These bike trips are functional, shopping, school, play, going downtown, in short, everything in a 5km radius (40% of all short trips). Helmets must be carried around or stored while doing the thing you were using the bike for. The helmet will mess up your hair and when stolen or lost, you will have to walk home.

The result, people will not take a bike but rather switch to another means of transportation. Most likely, a car. Polls show that a sizeable fraction of cyclists would consider switching to other means of transport.

As cars kill most people in traffic, more cars means more accidents and more victims, e.g., cyclists wearing a helmet.

Lawmakers were sensitive to the reasoning that the benefits of compulsory helmets might be offset by the increase of accidents and other health problems due to the increased use of motorized transport.

So, no Freedom involved.

[1] 16 children aged 0-11 died in all traffic accidents combined in 2022 on a population of 18 million.
‘https://www.rijkswaterstaat.nl/wegen/wegbeheer/onderzoek/verkeersveiligheid-en-ongevallencijfers/actuele-verkeersongevallencijfers

Clive Robinson April 18, 2024 3:14 AM

@ Winter,

Re : Who kills on the road.

“As cars kill most people in traffic”

The figures for London UK the last time I looked indicated that the largest number of deaths to cyclists was lorry drivers “turning left” unsafely.

Further “figures” compiled from “official figures” indicated a significant number of the lorries were from Europe and East of it.

I don’t know what the figures now are post Brexit as most London Road news in the past year has been about the “Ultra Low Emission Zone”(ULEZ) which frankly bores me senseless,

https://www.bbc.co.uk/news/uk-england-london-64798395

Unless it’s changed in the last couple of decades, Amsterdam had a fairly restrictive set of rules about cars.

JonKnowsNothing April 18, 2024 3:26 AM

@Winter, All

re: all the old Helmets are a Nuisance arguments you can buy

I really like this reason, so profound

  • The helmet will mess up your hair

Do try to enumerate more. I’ve heard most of them, maybe you can come up with a new one. So far your list is of petty old excuses.

  • Freedom from messy hair

Winter April 18, 2024 5:37 AM

@JonKnowsNothing

The helmet will mess up your hair

That is what women (mostly) tell as a reason to not use motorbikes with compulsory helmet. Especially when they plan to go out later in the day. Or when they are on their way to an event.

But the main reason is simply that a helmet is yet another accessory to lug around and worry about losing when going shopping or to school or to your sports training or swimming lessons or performance or wherever you go.

And if your child loses her/his helmet at school, you can get into your car to pick them, and their bike, up (if you have a car).

Btw, children walk or bicycle to school in the Netherlands (the girl in first picture I linked to was reported to go to her first highschool class).[1]

[1] This is her sister cycling to school, same time:
‘https://images0.persgroep.net/rcs/hf5N21IQ4aGEY0imQzHG5H4lDtM/diocontent/110314562/_fitwidth/694/

Winter April 18, 2024 5:50 AM

Sorry, link mangled in last post:

Re: All Dutch children cycle to school if they can, generally without a helmet.

‘https://www.vorsten.nl/app/uploads/sites/2/2015/08/amalia-school.jpg

‘https://www.vorsten.nl/app/uploads/sites/2/2017/08/ANP210817052-1.jpg

PS: I hadn’t actually posted the other “link” I referred to.
If you want to know more, use a reverse image search.

JonKnowsNothing April 18, 2024 11:10 AM

@Winter, All

re: Helmets save lives

All of your posts and supports for No Helmet have been encountered many times before, in many contexts, and in many countries.

So rather than further engage on this topic I would suggest you educate yourself on the hows and whys of how each of the No Helmet arguments failed.

  • Helmets save lives

It’s that simple.

Winter April 18, 2024 12:22 PM

@JonKnowsNothing

Helmets save lives

There are many things that save lives. But there are costs too, always. Saving lives one way might harm in other ways.

In the grand scheme of things, cities are safer, cleaner, and healthier when everyone cycles instead of driving cars. More cars means more accidents and more fatalities. So anything that reduces cycling and increases car traffic means more fatalities and more pollution.

Now we have this policy proposal that protects cyclists but drives many cyclists into switching to using a car. Would this increase or decrease the number of accidents and fatalities?

Also, what is to gain? The Netherlands has 3.8 fatalities per 100,000 inhabitants, 4.7 per billion vehicle km. This is considerably worse than the UK.

But the numbers for the USA are 12.9 and 8.3.[1] What if we copy these California helmet policies and end up with California traffic fatality rates?

But all this is idle speculation.

The Dutch do not want bike helmets, yet. Things are changing with ebikes. Older people (70+, even 80+) start cycling again with ebikes. They go 25 km/h, but their reaction time is not up to that anymore and they fall down worse. So we see more older people using bike helmets.

But still no inclination to make them compulsory.

[1] ‘https://en.m.wikipedia.org/wiki/List_of_countries_by_traffic-related_death_rate

Clive Robinson April 18, 2024 9:11 PM

@ emily’s post, JonKnowsNothing, Winter, ALL,

The delightful motorbike image you link to, has the rider wearing a certainly more solid helmet than those that cyclists tend to wear[1] these days.

But is still not “full face” protecting the face and importantly the lower jaw and thus endangering the neck and risking “internal decapitation”.

There are two times in my life when I’ve received significant injury to my face and lower jaw bone (I’ve mentioned them before).

The first was at the start of “serious sports cycling” in my much younger days four decades ago. The second was when I was attacked nearly a quarter of a century ago. Both happened early in the morning when on my way to work…

The first happened when I was cycling as hard as possible down an incline into a bus stop layby that also acted as a protected slip way onto a very busy main road. Which you had to enter fast, as it had a speed limit of 80kph, which you probably know is used by many motorists as a “minimum speed” guidance indicator…

So I was almost standing on the pedals as I drove power in and was thus doing a little under 50kph. When I saw out of the corner of my left eye a flash of something red in a parabolic arc that bounced up into my front wheel. The next thing I remember was coming around lying on my right side with lorry wheels thundering just a half dozen inches or so behind my head.

The traffic stopped because the driver of a children’s mini-bus had stopped with hazard lights on and got out on the passenger side to help me. I staggered to my feet and looked down at my expensive but now mangled-beyond-repair road racer. The forks were collapsed back into the frame and had twisted it, the front wheel was almost banana shaped, and there, firmly lodged in the wheel and forks, was a cricket ball…

I kind of came out of the trance like state because the man was handing me white man sized paper tissues that just turned blood red as I touched them to my chin and dissolved into a pulpy mess. He pulled out a fist sized wadge from the box and I pressed it against my chin and it too went blood red and soggy. It was then I realised I had a bit of a bleeding problem… I still can not remember exactly what was said but I tried telling him I lived just back up the slope and around the corner but I was not making sense. He gave me the rest of the tissues and helped me get the wreck of the bike up onto my shoulder. I got back to the house and got met by the lodger who took one look at me and said he was driving me to hospital…

My brain was not really working and I misdirected him several times. Anyway we got there and he went and contacted my sister and I got wheeled into the serious part of A&E without having to answer any questions. On examining me the nurse put three fingers of her hand into my mouth and out the underside of my chin whilst trying to clean out the remains of the tissues. Yup, the flesh had been ripped back from the point of the jaw toward the neck and you could have dropped a large egg through the hole…

Anyway they X-rayed me, pumped me full of anti-tetanus and other injections and enough local anaesthetic to drop a horse, before slowly stitching me up. To cut out the dull bits, I also got iodine in all the wounds, then gentian violet on the scrapes and grazes and generous amounts of cotton wool and sticking tape on top, and two bottles of “happy tablets” and some new antibiotics with instructions about no cheese or alcohol. And told to “go home”… As work was closer and just a handful of bus stops away I went to work… Due to the “happy tablets” I was not noticing how oddly I was being treated… until I got into the head of the dept’s secretary’s office to apologise for being late for work… She gave me one of those looks you see in 1960s horror movies and yes, her hand did go to her mouth… Don, the head of the Dept, came out of his office, told me I was making the place look untidy and to “don’t be a bl@@dy idiot” and “go home”. On realising I had to take several buses he got one of the other members of staff to drive me home… When I got to look in a bathroom mirror… Well, whilst I’ve never been a pretty sight, I was very definitely abusing the privilege that day… Let’s just say I’d have been beaten in a beauty contest by a zombie with festering plague sores.

People have occasionally asked why I had a Klingon-style beard; well, shaving along the under-chin scars even with an electric razor is painful. Also the tearing of the flesh means loss of under-chin support, so an odd-looking “double chin” that is just, well, unattractive in a pelican-like way… Now I’m old enough to rock the 365-Santa or ZZ-Top look 😉

Anyway, the point is if I’d been wearing a 1970s cycle helmet, it would probably have broken my neck…

P.S. I never found out what idiots were whacking cricket balls around at 7:30 on a workday morning. But I did get to shout at the house owner.

[1] Let’s just say that certain types of cyclist helmets always remind me of Babylon 5,

https://www.youtube.com/watch?v=9houp7vkOio

But with a few extra bits on top to cover the bald spot 😉

JonKnowsNothing April 19, 2024 12:52 AM

@Clive, @ emily’s post, Winter, ALL

re: “full face” protecting the face and importantly the lower jaw

The design and application is not yet consistent across sports. Some sports require lower jaw protection, often motorized sports, sometimes downhill cycling. Skiing has had this for a while but there were a lot of complaints (see Netherlands) about it.

Horse sports, like Eventing are beginning to consider this as cross country jump fence falls can have serious injuries. There is a lot of modern protection for the horse.

A common error in the USA is having the wrong helmet style and shape for the activity. They see common design elements but do not fully understand the types of crashes the helmets are intended to protect.

  • Bike helmets are more forward on the head with less neck protection. They are often worn looser fitting.
  • Jumping helmets have deeper neck protection and sit straight up on the head with the front covering the forehead. The 3 point harness is tight. The helmet should not slip at all on the head. (1)

Both helmets are designed to protect from forward falls.

  • Bike riders often catapult over their handle bars, directly onto the pavement. Which is why they break their collarbone and shoulders.
  • Horse riders mostly come off sideways and fall on their backs, so the back of the head is better protected. If you are wearing body armor or air inflation vest, you get a cushion for your back, spine, hips (depends on the vest). Jump falls come in all sorts of ways but one of the worst is a catapult rotational fall where you and the horse are launched head first over the fence and the horse lands on the rider. The entire ensemble needs to work to protect from the direct damage of landing 15ft from the take off zone doing 20-30mph and then having 1,500 lbs land on top of you.

There are still many safety improvements needed.

===

1) Horse helmets have a safety rating and date of manufacture. When selecting a helmet verify it has the latest safety rating and the certification period has not expired.

MarkH April 19, 2024 2:07 AM

A group of neurologists and trauma surgeons drawn from some of the leading hospitals in the Netherlands [Artsen voor Veilig Fietsen, or Doctors for Safe Cycling] are calling on people to wear helmets while cycling, saying it will lead to a reduction in deaths resulting from brain injuries.

From their figures, I estimate that Netherlands suffers about 50 brain injuries per 100,000 population per year that would have been prevented by use of ordinary bike helmets (imperfect as they are).

On the scale of easily preventable public health calamities, that’s pretty bad — comparable to that country’s rate of smoking-induced lung cancers.

Winter April 19, 2024 2:08 AM

@emily’s post

Those women are missing a fashion opportunity.

I see, but I doubt very much these will become popular at indoor gatherings.

@JonKnowsNothing

Helmets save lives

This is certainly true, but should be weighted against other factors.

Falls kill more people in the USA than motor-vehicles.[1] This is especially so for older people. The cause of death is mainly head trauma.[2]

Helmets save lives. To be safe, wear a helmet during walking, also indoors. Especially when using stairs.

[1] ‘https://injuryfacts.nsc.org/all-injuries/deaths-by-demographics/deaths-by-age/data-details/

[2] ‘https://pubmed.ncbi.nlm.nih.gov/15062950/

Winter April 19, 2024 2:18 AM

@MarkH

From their figures, I estimate that Netherlands suffers about 50 brain injuries per 100,000 population per year that would have been prevented by use of ordinary bike helmets (imperfect as they are).

Indeed.

But if you dive into the numbers, these are mainly older users of eBikes and younger users of eBikes that have removed the speed limiting features of their eBike to ride 50+ km/h on a bike designed for 25 km/h.

Older people are starting to wear bike helmets on eBikes. The racing eBikes popular with young people are removed from the market or will get classified under the motorbikes with compulsory helmets.

JonKnowsNothing April 19, 2024 2:58 AM

@Winter, All

re: the Helmets are coming

I am sure you are being facetious but really just in case you are not…

  • To be safe, wear a helmet during walking, also indoors.

There are many people who do wear helmets because they have neurological problems and balance problems. They wear them precisely because they tend to topple over.

Stairs are a huge hazard at any time. Something to be avoided; however, architects still design stairs for buildings and homes.

USA has the Americans with Disabilities Act, and public buildings have to have ramps and alternative doors for people with mobility problems. Homes can be designed with No Step Entry and No Step Showers along with many other safety items like grab bars wherever you need them, even throughout the house.

  • [helmets] these will become popular at indoor gatherings

At some parties they are very much in vogue. In the USA, helmets have all sorts of designer colors and decals and stick-ons that do not alter the function of the helmet but make them a bit more fun for the wearer. Plastic Green Mohawk Faux Hairstyle glue-ons are popular.

Around here, young cyclists sport their green plastic Mohawk helmets with no embarrassment. All their friends wear them too. Peer support works.

Clive Robinson April 19, 2024 3:50 AM

@ Winter, emily’s post, ALL,

@emily’s post, perhaps slightly tongue in cheek said,

“Those women are missing a fashion opportunity.”

@Winter, responded to that with,

“I see, but I doubt very much these will become popular at indoor gatherings.”

To which I counter,

“masquerade ball masks and gowns”

These are a known social phenomenon, and their history is long.

I will not attempt to go into the sociology and anthropology etc[1] as there are books on the subject just as “social rituals” wrapped around “mating rituals” alone.

But the point is, unlikely as some things sound, they can oft happen and “become things”. Consider the modern madness that is “speed dating” as another example of the,

“Unlikely, that has become.”

Effect. Also known to some as,

“Thur’s nowt as queer as folk”

Which has an equally complex history and change of meanings.

[1] Though I will note, people should consider the rise of the faux-beauty-spot. Which came from the scars of the “plague” in Europe.

Winter April 19, 2024 4:34 AM

@JonKnowsNothing

I am sure you are being facetious but really just in case you are not…

Yes, I was.

I want to put attention to the downside of “safety measures”. Changing your behavior to reduce risks can be a burden. Wearing helmets while riding a motorcycle has a different cost-benefit tradeoff than wearing a helmet when walking the stairs or driving a car.[1]

So the question becomes: Why single out cyclists when more lives would be saved if, e.g., older people walking stairs or those inside a car wore helmets?

[1] ‘https://www.crawfordlegal.com/blog/2016/06/should-we-wear-helmets-in-the-car/

Finally, it’s been pointed out that over a million people pass away in the world every year from car accidents. There is a lot of pressure on people to wear helmets on bikes, roller skates, skateboards, and other such devices, but far fewer people are killed in these accidents. The pure stats suggest that more needs to be done to protect motorists.

MarkH April 19, 2024 5:50 AM

Even if 90% of recent Netherlands bicycle accident brain injuries are associated with motorized bikes, that leaves about 1000 per year — in a country with fewer people than at least ten of the world’s megacities — with permanent impairments to their quality of life.

Perhaps a “social Darwinist” would say that brains too poor to choose simple safety equipment aren’t worthy of protection.

In professional auto racing, drivers have whined, moaned and bleated against almost every enhancement to safety equipment. A few years after it’s made mandatory, most of those whiners would tell you it’s an insane risk NOT to use it.

MarkH April 19, 2024 5:52 AM

I should have clarified, 1000 per year with brain injuries from riding pedal-powered bikes.

Winter April 19, 2024 6:24 AM

@MarkH

I should have clarified, 1000 per year with brain injuries from riding pedal-powered bikes.

But the article (and their website) say:
‘https://road.cc/content/news/dutch-neurologists-call-cyclists-wear-helmets-286871

Highlighting particular concerns regarding the safety of children and e-bike riders, they pointed out that “serious brain injury is the leading cause of death in cyclists,” and claim that wearing a cycle helmet “reduces the risk of serious brain injury by 60 per cent and fatal brain injury by 71 per cent.”

It is mostly children and e-bikes. That has indeed been in the news quite a lot as e-bikes are responsible for the increase in cyclist fatalities in the last few years.

But, as mentioned at the end of the article:

Opponents of helmet compulsion point out, among other things, that research on their efficacy is inconclusive and that they are only safety rated to provide protection from a fall while not moving on the bike, and certainly not for a collision involving a motor vehicle.

They also insist that the deterrent to cycling that any move towards helmet compulsion has been found to bring about in jurisdictions where they have been made compulsory is outweighed by the wider public health and environmental benefits of getting more people riding bikes, particularly for short trips.

As the English-language website Dutchnews.nl points out, speaking last year, Wim Bot of the Dutch cycling union Fietsenbond, said: “It is a bad idea. Just promoting the idea that helmets should be worn strengthens the idea that cycling is not a safe activity in itself.”

JonKnowsNothing April 19, 2024 11:14 AM

@Clive, @ Winter, emily’s post, MarkH, ALL

re: Helmets as analogy to Sports Enhancements

The Olympics are coming, whether we want them to or not; they are coming.

The Olympics bring with them the never ending issue of Sport Enhancement. It’s a complex topic that has an easy to understand code name: Doping

Along with Sports Enhancements (aka Doping) is the more hidden issue of technological “doping” advancements. Both computer and medicine. Top athletes get access to top of the line bio-mechanical training, diet, and specialized equipment all designed for the purpose of giving an “advantage” within defined amounts.

Of the many issues in this category, one currently making the news is: Enhanced Marathon Runners Shoes. These shoes allow the runner to run faster by many seconds than they could do previously. It’s not a tiny improvement, it’s a huge change in “winning times”. Only the most elite of athletes get these shoes for the purpose of being “on the podium”.

An old, quasi-hidden issue in these types of sports is “money doping”. It’s been a long, slow and uneven development between “amateur and professional”, with many twists in definition by specific sports federation rules on which side of the ledger you are on. “Money doping” comes in a variety of forms from direct cash, to sponsorship, to national team allowances and access to “tech doping” equipment. It’s all a bit of sleight of hand, pretty open, but no one is peeking.

A current proposal is to pay “the podium winners” a cash reward. It may not seem like a big deal, but income makes a difference, in how much time you can spend doing “the sport” rather than promoting “commercial cereal boxes”.

The Helmet issue actually tracks all of these issues. Nearly every variation has been proposed or countered in each of these categories.

  • Blood Doping, Tech Doping, Money Doping
