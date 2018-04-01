Software Bug Behind Biggest Telephony Outage In US History (bleepingcomputer.com) 65
An anonymous reader writes: A software bug in a telecom provider's phone number blacklisting system caused the largest telephony outage in US history, according to a report released by the US Federal Communications Commission (FCC) at the start of the month. The telco is Level 3, now part of CenturyLink, and the outage took place on October 4, 2016.
According to the FCC's investigation, the outage began after a Level 3 employee entered phone numbers suspected of malicious activity in the company's network management software. The employee wanted to block incoming phone calls from these numbers and had entered each number in fields provided by the software's GUI. The problem arose when the Level 3 technician left a field empty, without entering a number. Unbeknownst to the employee, the buggy software didn't ignore the empty field, like most software does, but instead viewed the empty space as a "wildcard" character. As soon as the technician submitted his input, Level 3's network began blocking all incoming and outgoing telephone calls — over 111 million in total.
Check the spec - perhaps it was by design or not called out to ignore empty entries?
A null/blank input taken as a wildcard is certainly not a feature.
Even labeling that as a mere bug is putting it mildly. More like gargantuan fuck-up.
It is often useful to be able to enter regular expressions for filters. And an empty regexp without anchoring matches everything. That's a feature, not a bug. But it is only okay to design it that way if you can safely presume that anyone who will ever add a filter understands regular expressions, or will look it up before attempting to add a filter.
Slightly safer (but only slightly) is to always add ^$ anchors, so empty fields only match empty entries.
But safest is to presume that users don't grok regul
It is often useful to be able to enter regular expressions for filters. And an empty regexp without anchoring matches everything. That's a feature, not a bug. But it is only okay to design it that way if you can safely presume that anyone who will ever add a filter understands regular expressions, or will look it up before attempting to add a filter. Slightly safer (but only slightly) is to always add ^$ anchors, so empty fields only match empty entries.
Given how easy it is to write a non-empty regular expression that matches everything it would seem far more sensible to me to treat an empty regex field as "regex off / match nothing" rather than "match everything".
" You're not supposed to give wrong input, even accidentally!"
I guess you never had a complaint from a user that your program behaved erratically, each time the secretary put heavy binders _on_ the keyboard?
It could be either, just depends on what the original spec said. I would find it useful to be able to cover an entire set of numbers simply by leaving them blank, very similar to eg. IP addresses. Even in some configuration files, you can type in 10/8 and it will recognize it as being "10.0.0.0/8".
No, if the spec said it was supposed to be a wildcard, then someone should have strongly questioned this. Ie, a bug in the spec. A dev saying "I just follow orders" isn't a good excuse. That's like saying you're just a programmer and thinking isn't a part of the job.
Re:Bug or feature? (Score:4, Interesting)
Not even close. Under law, a professional is a professional and that ties to responsibility for actions. That design was professionally criminally negligent and should be treated as such, with the penalty to reflect the harm causes and that means possible custodial sentence along with a massive fine. Let's not get freaky on the custodial sentence though, probably sufficient to let them 'cool their jets' with no more than a 90 day sentence if no one died but at least 30 days, sort of put the wind up them, focus their attention, remind them there are real penalties for being a crap professional, being in a role you should not be in. If anyone dies though, manslaughter charges.
Find those individually responsible fine them, let them feel the weight of a custodial sentence, 30 days and fine the company much more. Custodial sentences should be the norm for criminal negligence as a professional, start licensing coders because of the harm they can cause. Differing grades, low grade licences for low risk work, high grade licences for high risk work. If you do not force them to do a good job, they will continue to do a shitty job, with a meh, someone else's problem for the shitty work the coder has done.
Why are you blaming the programmer? The feature must have been designed; did the design call for empty being interpreted as a wildcard? It must have been tested; something as important as this has a testing budget associated with it, surely? Some company executive must have signed off on it. There will have been a formal handover from development to production. Did the programmer have the power to correct the design? Did he have the power to enforce testing? Did he have the power to stop deployment? Or was
Why are you blaming the programmer? The feature must have been designed; did the design call for empty being interpreted as a wildcard?
Don't assume it was designed. It's amazing how much gets "designed" at implementation if something isn't expressly stated in the specification. The only thing we know is that we don't know who to blame.
That said the GP's assertion that someone should face prison time is completely stupid. Even by American "jail everyone for everything" standards.
Re: (Score:3)
Check the spec - perhaps it was by design or not called out to ignore empty entries?
The "by design" part is slightly plausible. But "not called out"? I haven't yet met either a programmer or a tester who wouldn't have at least tried out the 'null entry' scenario and flagged it as a problem. Heck, one of the most basic tests is to check what happens in the case of empty fields. This smacks more of somebody higher up ignoring test results and/or good advice.
But "not called out"? I haven't yet met either a programmer or a tester who wouldn't have at least tried out the 'null entry' scenario and flagged it as a problem..
Have you never worked with offshore developers or testers? If it isn't itemized, they won't think to do it.
Software did what it was suppose to. (Score:5, Interesting)
I'm 99% sure they were using the Sonus EMS management software (L3 is a huge Sonus shop) to manage the PSX routing engine. The software works as longest match of the number. Since you have to always select the country, a blank entry would be treated as +1 and block everything after that or everything in the US.
The software works as longest match of the number.
Why?
Re:Software did what it was suppose to. (Score:4, Informative)
If you want to route all 212 area code numbers to a specific carrier you can just enter '212' and it will route them. If you want go do a NPA-NXX, just enter '212555'. Since it's longest match it will also work for a 'thousands block' (ie, 2125551) and even down to the individual number (2125551212). US numbers don't mean a whole lot, but in other countries they specify specific geographic regions, carriers or number types. The backend database takes longest match for the most flexibility and the EMS UI is nothing more than a glorified frontend directly to the DB. There's little business logic actually protecting you.
In a lot of cases, you want a wildcard match. I route a number of prefixes to different carriers with longer matches but I have a blank entry to default fall back directly to Level3 if I don't have any other carriers to handle calls.
Everyone who uses Sonus knows this is how it works. It sounds like they gave a task to someone and only trained them on one piece of data entry. The fact that 800 people had access to this highly specialized software without higher level tooling that adds in the required business logic is the terrifying piece.
If you want to route all 212 area code numbers to a specific carrier you can just enter '212' and it will route them. If you want go do a NPA-NXX, just enter '212555'. Since it's longest match it will also work for a 'thousands block' (ie, 2125551) and even down to the individual number (2125551212).
I may well be missing something, but I'm still not seeing why this scheme provides any benefit over one where you explicitly ask for a wildcard if that's what you want (using your examples, '212*' '212555*' or '212555????' and so on. A system where a blank entry means the rule will be applied to any and everything seems like it's just asking for the exact sort of trouble that arose here.
I may well be missing something, but I'm still not seeing why this scheme provides any benefit over one where you explicitly ask for a wildcard if that's what you want
Phone numbers are hierarchical and variable length (as opposed to e.g. IP addresses which are fixed length). a) The most common mistake to make is to route only a particular number or set of numbers as opposed to the hierarchy - using the shortest match by default avoids this mistake b) the routing algorithm used normally also works on a hierarchy, so a wildcard match apart from the end of the number can be very costly and unwise c) that's the way it's "always" been done and so doing something different wo
It's just the simplest, most brain-dead way to code it that supports any form of multiple-matching entries. Probably not coincidentally it is also the method that takes the least amount of server load while still supporting the ability to test for any partial or full string equality whatsoever. I highly doubt whoever wrote that code even spent enough time thinking about it to realize this would be an inherent weakness to such an approach. If they did, they certainly didn't expect it would be handed over
1) Warning or 2) Only manager can block all calls (Score:2)
1) There should have been a warning: "Do you want to block all calls?" If not, then require the employee to enter a phone number.
2) Or for a better solution, that form should not interpret a blank field as a wildcard. If all phone calls are to be blocked, then someone must sign on with a manager's user id, and fill out a special form that lets you block all phone calls.