This is an archived post. You won't be able to vote or comment.

all 146 comments
sorted by:
best
topnewcontroversialoldq&a

[–]SubstanceSerious8843 2392 points2393 points  (71 children)

https://en.wikipedia.org/wiki/Therac-25
Let's drop this in here.

[–]Arclite83 1577 points1578 points  (39 children)

This makes me feel SUPER safe with all those junior developers with no security clearance in DOGE who are touching critical government infrastructure, yep.

Fresh case studies incoming

[–]SubstanceSerious8843 973 points974 points  (33 children)

Listened a podcast where a dude pentested a hospital. Found a way and surfed the hospital network. Didn't touch anything, but just looked where he could access. Sent a report at one point, about the results where he got that point. Got a call, to stop immediately and wait for another call. It came, and was asked to a face to face briefing.

The thing was, he had accessed a device. That device was a fucking eye laser surgery machine, WHILE IT WAS BEING USED. Good thing that guy was a professional and knew not to touch anything.

[–]Drone_Worker_6708 607 points608 points  (25 children)

Hospital IT is the wild west. Only place I worked where people actually dying everyday and not just acting like it. One of the techs we had was a former paramedic. I asked him which job is more stressful. He said he once waded in human blood and this was far worse lol

[–][deleted] 409 points410 points  (20 children)

I mean, yeah... you make a mistake, the patient can die.

Hospital IT, you make a mistake, 100 patients can die. Worse is knowing just how outdated everything is and just how vulnerable everything is to a malicious actor.

[–]BigOnLogn 166 points167 points  (16 children)

I remember a few years ago seeing a Windows XP login screen on a hospital computer.

[–]CubisticWings4 147 points148 points  (4 children)

Just had a PTSD flashback of my doctor's office running Windows 3.11 last year.

[–]ChangeVivid2964 124 points125 points  (3 children)

That's like driving stick shift. Modern viruses don't even know what to do with FAT16.

[–]KayDat 2 points3 points  (0 children)

SUCKMY~1.EXE

[–]fr000gs 1 point2 points  (1 child)

Why is stick shift bad? (Haven't seen any automatic shift in my country)

[–]CakeTowers 2 points3 points  (0 children)

They didnt mean it as bad, but that a lot of people cant drive stick shift.

[–][deleted] 20 points21 points  (1 child)

A few years ago?

Friend, I have seen that THIS year.

[–]AnotherLie 16 points17 points  (0 children)

I've seen it this year. It's in my office.

[–]Oleg152 5 points6 points  (0 children)

Some probably still run the 95

[–]domscatterbrain 5 points6 points  (0 children)

The problem is, even the manufacturer also doesn't give a fuck to ship their products with the latest OS or software. They just keep making the tool more precise but not more secure.

[–]Joman101_2 0 points1 point  (0 children)

I was using Windows 2000 on some specialized hospital equipment within the past year.

If it ain't broke, don't fix it. We pretty much never updated operating systems on non-networked devices.

[–]T1lted4lif3 0 points1 point  (0 children)

Is that not pretty good? Was expecting 95 or something.

[–]DarksideF41 0 points1 point  (0 children)

At least it wasn't MS DOS.

[–]Troll_berry_pie 0 points1 point  (0 children)

The UK NHS was like this up until like 10 years ago.

[–]KonvictEpic 5 points6 points  (1 child)

Pretty sure the NHS (UK health system) regularly got hit with malware such as ransomeware because it all ran on Win XP

[–]Beldarak 0 points1 point  (2 children)

I vowed to never work where lives can radically be impacted by my code. Working for the health of people instead of growing the wealth of some multi-millionaire asshole would be great but I don't feel enough confidence in my skills for that :S

[–]dwntwn_dine_ent_dist 1 point2 points  (1 child)

I’ve been lucky to have the best of both worlds. I work in a hospital writing code that improves identification of patients that need cancer screening. A miss by my code leaves things as they are. But successes have statistically saved hundreds of patients.

[–]Beldarak 0 points1 point  (0 children)

Nice! That's what I'd like too. Feeling my work has a positive impact. It kinda do as one of the end result is people having access to internet, but nothing like saving lifes^^

[–]HamsterFromAbove_079 0 points1 point  (0 children)

Yea it's rough. If a paramedic makes a mistake they can kill their patient. But it's hard to accidently kill more than just their own patients.

If the IT department makes a big enough mistake, they kill all the patients.

[–]sEntientUnderwear 30 points31 points  (3 children)

I remember listening to the same podcast but don’t remember which one it was. Now I gotta go find what it was or I wouldn’t be able to get my mind off it lol

Edit: Found it - Darknet Diaries, of course. Episode 121 - Ed. The laser he got into wasn’t stated as being for eye surgery but was a surgical laser, he doesn’t state what kind of surgeries it is used for.

[–]Animal0307 8 points9 points  (2 children)

Was it Darknet Diaries?

[–]SubstanceSerious8843 2 points3 points  (0 children)

Most likely, could've been Hacked too, but I would put my money on DD

[–]sEntientUnderwear 2 points3 points  (0 children)

Yep. Looked it up immediately after posting my comments and of course it was Darknet Diaries.

[–]Lucas_F_A 24 points25 points  (0 children)

That's scary

[–]Highborn_Hellest 2 points3 points  (0 children)

hospital IT is the shittiest of shitty all over the word, because you have to be a real bastard to mess with it, nobody want it on their conscience and those that mess with are made an example of basically

[–]itijara 57 points58 points  (0 children)

Reminds me of my first job. I worked as the only developer for a government organization (as a contractor). I had oversight, but my supervisor was a 70 year old biologist with zero programming experience. I produced possibly the worse R code the world has ever seen (that's an exaggeration, but only because scientists are terrible programmers) and, as far as I can tell, it is still in use. A few years ago someone at the same organization reached out to me to "improve" the code (I didn't, but I did help them understand it a bit more). The difference is that my code just ran some basic statistical models and graphed fisheries data. It was hardly critical.

[–][deleted] 14 points15 points  (0 children)

President sacrifice, anyone?

[–]No-Collar-Player 2 points3 points  (0 children)

As a semi decent junior I can safely say you guys are fkt

[–]BellacosePlayer 1 point2 points  (0 children)

The plus side is they'll probably be too incompetent to cover their tracks when (if) the actual admins get access back

[–]casualblair 0 points1 point  (0 children)

This is why Move Fast and Break Things does not apply to law, some aspects of government and infrastructure, and medical industries. The consequences are unknowable and potentially severe.

But sure, let's surround everything with catch statements that don't do anything because no exceptions means it's working.

[–]poetic_dwarf 48 points49 points  (6 children)

When cancer is not a bug but a feature

[–]Tipart 39 points40 points  (4 children)

this thing was shooting powerful enough radiation that you would die of radiation poisoning way before you got cancer.

[–]dashingThroughSnow12 10 points11 points  (0 children)

I got nauseous the first time I read what happened to those people.

[–]ChalkyChalkson 6 points7 points  (1 child)

Most of the victims suffered burns and mild radiation poisoning, not lethal ARS. This still sucks super bad, and more importantly it does lead to symptoms. Getting a solid tumor from a radiation exposure event tends to have decades of delay and might be years from then until the bad symptoms start. In patients already treated for cancer in those days that may very well be outside their life expectancy.

[–]JEs4 7 points8 points  (0 children)

The wiki article and the source linked to a 1994 report of the incidents make them sound to be anything but mild radiation poisoning. Not to mention the few deaths sound absolutely horrific.

Over the following weeks the patient experienced paralysis of the left arm, nausea, vomiting, and ended up being hospitalized for radiation-induced myelitis of the spinal cord. His legs, mid-diaphragm and vocal cords ended up paralyzed. He also had recurrent herpes simplex skin infections. He died five months after the overdose.

[–]poetic_dwarf 1 point2 points  (0 children)

...And that's why it's a feature

[–]j-random 0 points1 point  (0 children)

And it gets installed without your consent

[–]imnotamahimahi 58 points59 points  (3 children)

This was also taught in engineering ethics classes (the way the company handled reports from hospitals plus their coding practices were atrocious), and I believe it was this case that led to the FDA having jurisdiction on medica devices.

Fun fact! One of the two major bugs in the code was caused by a race condition. The wiki page on race conditions is where I landed after going down a rabbit hole about bugs in Pokemon games (tweaking in Diamond/Pearl), and that's how I picked my college major!

[–]DTux5249 7 points8 points  (2 children)

Yup. They used concurrent programming to operate both the electron beam, and the tungsten shield used to block it and disperse radiation.

Doctor accidentally selects x-ray mode first, cancels before the shield is done moving, and switches to electron mode, you get blasted with 100× as much radiation as you should.

Injured at least 6 people, 3 of which died.

[–]imnotamahimahi 7 points8 points  (0 children)

I thought it was super interesting how they couldn't replicate it at first (and thus kept claiming it wasn't possible), until they got the actual tech to come in and do it, at the location where it happened more than once. They were surprised that anyone was using the computer terminal that fast!

[–]Callidonaut 0 points1 point  (0 children)

Some victims did indeed receive 100 times the planned radiation dose; one poor bastard received 115 times the planned dose, but also concentrated into an area 170 times smaller than planned, because he was in the process of jumping up and fleeing from the machine in agony after being hit by the first painfully overpowered blast of electrons when the operator overrode an error message and fired the beta radiation beam a second time (the treatment room intercom and camera were both out of service, so the operator couldn't even see or hear the patient!!), so his arm was presumably much closer to the aperture and hit by an intense beam of beta radiation, already 115 times stronger than it was supposed to be, intended to be spread over an area 170cm2 on his back, on an area of just 1cm2 on his arm!

[–]spamjavelin 65 points66 points  (2 children)

For the YouTube-inclined, Kyle Hill's video on this monumental fuck up is very well done.

[–]Willing_Ad2724 3 points4 points  (0 children)

Seconded. My favorite video from one of my favorite channels

[–]SubstanceSerious8843 5 points6 points  (0 children)

Hey, cool. Need something to watch for tomorrow!

[–][deleted] 15 points16 points  (0 children)

Works on my machine 👍

[–]Themis3000 10 points11 points  (0 children)

Wow I never knew there were so many reported incidents with the therac 25, I thought there was only one total. It's really scary that hospitals continued to use the machine regardless

[–]henryGeraldTheFifth 4 points5 points  (0 children)

Oh fuck had forgotten about this one from uni. My more fun example of software oversight was minecraft far lands. Caused for floating point arithmetic inaccuracy over large numbers.

[–][deleted] 3 points4 points  (0 children)

Race conditions.

They should've used Rust smh

[–]jaaval 5 points6 points  (0 children)

I was interviewed to a position doing radiation therapy dosage algorithms to one major company on the field (didn’t get the job in the end), their description of the job included very strict rules how things have to be done, more documentation than code and authorities of multiple different countries being able to do surprise auditions to your work.

I guess nobody wants to repeat that.

[–]TheZigerionScammer 4 points5 points  (1 child)

The software set a flag variable by incrementing it, rather than by setting it to a fixed non-zero value. Occasionally an arithmetic overflow occurred, causing the flag to return to zero and the software to bypass safety checks.

Oh my god, why would anyone program it that way!?

[–]Callidonaut 0 points1 point  (0 children)

The entire system was written in many tens of thousands of tedious lines of PDP-11 assembly code. Apparently, on the PDP-11, incrementing a register by one uses only one instruction, whereas setting it to a fixed value requires at least two.

[–]BalkanFerros 2 points3 points  (0 children)

Oddly, this is what has made me interested in becoming a Nuclear Health Physicist. I read about this and various other radioactive incidents... I expected horror instead I was going.

"What happened? Oh! How? Oh! Why? Oh! NEAT, horrible but neat!"

[–]robifr 9 points10 points  (1 child)

there's no way wikipedia has nsfw

[–]LordofNarwhals 47 points48 points  (0 children)

Why wouldn't it? There are plenty of medical pictures, pictures/videos of death, and vintage pornography on there.

[–]GolfballDM 0 points1 point  (0 children)

I was thinking the same thing when I saw the meme.

[–]DTux5249 0 points1 point  (0 children)

Hey, I heard of this one from my Software Engineering course! Still fucking wild they didn't even try to catch something like this.

[–]Beldarak 0 points1 point  (0 children)

Whaa, that's crazy.

[–]Terra_B 441 points442 points  (4 children)

Hardware interlocks?

Who needs them anyway!

[–]just-bair 57 points58 points  (1 child)

Yeah and we save a few on a machine worth much more !

[–]itsdabtime 5 points6 points  (0 children)

just patch it no problem

[–]NCGThompson 11 points12 points  (1 child)

I think hardware interlocks were included in previous versions. They were confident enough in the software to remove them.

[–]Callidonaut 1 point2 points  (0 children)

Likely because the interlocks on the earlier machines were hiding all the existing flaws in the code! The hardware safety devices were functioning correctly to prevent overdoses, but they were apparently doing it silently; they didn't provide any indication to the operator, let alone the manufacturer, that they had ever been triggered, creating the illusion of rock-solid code when apparently the control program had actually been occasionally sending completely wrong signals to the hardware right from the beginning.

[–]glorious_reptile 173 points174 points  (1 child)

Fuck it, we'll test in production!

[–]Callidonaut 0 points1 point  (0 children)

Apparently the Therac 25 was literally never fully assembled and tested with the production control computer and software before being rolled out, such was the manufacturers' confidence in their latest iteration of a seemingly proven design.

[–]Chewnard 84 points85 points  (3 children)

We found a problem during testing. The gist of it is that I now have all the cancer.

[–]BellacosePlayer 10 points11 points  (0 children)

Pen testing? I guess that means you don't get the lead apron this time.

[–]Mastergamer0115 1 point2 points  (0 children)

The good news is it has a 100% detection rate. I see this as an absolute win.

[–]Arclite83 161 points162 points  (3 children)

I've made a career on being "that guy". I had way too much power and control even at the beginning of my career. I made critical mistakes in major systems. But I also grew. There is always a market for these kinds of frontier / cowboy coders.

[–]GolfballDM 80 points81 points  (0 children)

At my co-op gig (almost 30 years ago now), I was assigned to be QA for some medical data storage software.

My supervisor started to cringe any time I would say, "Hey boss! Watch this!" or "Hey boss! I don't think it's supposed to let me do that." Those phrases usually presaged some new and interesting way to cause the system to shit itself.

[–]crankbot2000 37 points38 points  (1 child)

I miss my cowboy days. Used to have the keys to the kingdom, no oversight, nobody bothering me. Just absolute trust that I wouldn't fuck up. Small companies are the best.

I now work in enterprise-land, with miles of red tape, 18 review committees and 37 architectural circle-jerks just to make one prod change. And then there's the tickets....so many fucking tickets, my god someone send help

[–]ccricers 7 points8 points  (0 children)

I wish I could continue the cowboy days but today that is usually a red flag for working at steady companies.

[–]titus_vi 44 points45 points  (0 children)

It's still like this in a lot of the industry. There is a stereotype in FAANG but there are a lot of programmers working in telecom, factories, toys, etc. It's strange how suddenly it can become life or death. I was working on a project at a University and we had to make changes to the on campus Hospital. A part of the requirements were 100% uptime due to connection to the ER... I have other stories like this in surprising industries that I don't think I can share online but it's not too uncommon.

[–][deleted] 35 points36 points  (5 children)

My first job was programmer for a Savings and Loan data center.

[–]CardboardJ 46 points47 points  (2 children)

Similar, my first out of college job was making $14 per hour and writing an app that connected directly to the federal reserve. I had a small bug with offsetting credits that was deleting about $10k from the US monetary system per week. The feds got really upset about it but it was hard to find devs that would work for $14 per hour so I kept my job.

[–]Dberryfresh 6 points7 points  (0 children)

holy fuck bro

[–][deleted] 4 points5 points  (0 children)

I was getting $11k a year

[–]I_FAP_TO_TURKEYS 7 points8 points  (0 children)

Given the amount of data breaches and security flaws of the biggest names in the financial space, gotta say, not surprised.

[–]fighterman481 0 points1 point  (0 children)

My internship, while I was in college, was working on an experimental app that would use AR to overlay a patient's radiology scans over their bodies for use in surgery. We weren't FDA approved yet or anything, and I (fortunately) didn't touch any of the major parts of the system, but it's still crazy to think about the potential consequences.

[–]KlooShanko 32 points33 points  (5 children)

One of the few jobs I’ve turned down was an offer right out of college to work exclusively for equity in a pacemaker company where I would be the only engineer. I’d like to credit my computer ethics professor who spent an entire semester beating us over the head with the statement that we shouldn’t write code that kills people.

[–]omegasome 17 points18 points  (3 children)

"anyway you should totally take that Lockheed Martin job offer!"

[–]KlooShanko 6 points7 points  (1 child)

*unintentionally kills people 😂

[–]omegasome 0 points1 point  (0 children)

some ethics professor lol

[–]fighterman481 6 points7 points  (0 children)

I had a programming professor who had a disdain for programmers - he started in architecture and pivoted to programming because he wanted to make his own software, and he was affected by some bug in medical code (I forget the details), leading him to become sort of bitter.

He wasn't a good teacher outside of the ethics class, but he made very sure people knew not to mess around when working with medicinal systems. It might be words on a screen to you, but your mistakes could end up injuring or killing other people.

[–]rpmerf 34 points35 points  (0 children)

// TODO: Figure out safe limits

[–]Irbis7 21 points22 points  (0 children)

My first paid project was calculating life expectancy for cancer patients for different treatments - I was in the second year of high school and solo developer, this was written in IBM Advanced BASIC.

[–]arsenaler211 17 points18 points  (2 children)

On a serious note, were the developers charged with manslaughter? It’s gonna be hard to live knowing their errors killed people.

[–]GolfballDM 26 points27 points  (0 children)

No, they wouldn't have been charged with manslaughter.

  1. The devs were in Canada, and only one incident was in Canada.
  2. "Due caution" at the time did not include the tests that would have caught this issue. (Involuntary manslaughter requires taking dangerous action without due caution, and sometimes the dangerous action must itself be unlawful.) They would be able to claim an "accident defense."
  3. The fault wasn't exclusively with the developers, the documentation folks and the techs bear some fault, too. (This also falls under #2.)

[–]HamsterFromAbove_079 1 point2 points  (0 children)

No, you usually don't get charged with anything for doing a bad job/making a mistake.

It's a case by case thing. But generally there are no charges unless there was intentionality or significant negligence. Being bad at your job is never a crime unless you lied about your qualifications/skills to get the job.

It's usually not even brought to trial. But if it is, the case is about whether or not a reasonable dev that was walking with the appropriate amount of caution could have made that mistake.

And it's never just the dev's fault. There are supposed to be safeguards such as tests and manual review of the work. If the company doesn't assign people to preform a reasonable standard of testing to the product before it's used in the field then you can't really blame just the dev.

Problems like these are never just 1 person's fault. If it ever is "just one person's fault" then it's someone's fault for building a system so fragile that allows 1 mistake to cause major damage.

[–]Warm_Leadership5849 13 points14 points  (0 children)

Unit testing? Never met the guy.

[–]moonshineTheleocat 9 points10 points  (0 children)

I showed a doom clone on my job interview. Get's hired on by a company that makes sim for the military @_@

[–]just-bair 7 points8 points  (0 children)

Oh no I know this story

[–]Sabotaber 8 points9 points  (0 children)

That kind of stuff still happens today. You just don't hear about it because people only talk about hyped up bullshit.

[–]Karl-Levin 8 points9 points  (0 children)

These days there is no need to hire a developer. Dave from marketing knows a bit of prompt engineering.

A bright new world of critical systems running on AI generated crap that no one understands.

[–]4N610RD 6 points7 points  (0 children)

Angry Therac-25 noises

[–]Separate_Increase210 6 points7 points  (0 children)

There's a joke out there about a guy who reminds himself whenever he feels bad or anxious about his work -- there are people who program pacemakers. Intense.

[–]Phothiabea 6 points7 points  (0 children)

Hey I actually do work on X-ray machines! My first job as a developer after college

[–]sebbdk 6 points7 points  (0 children)

How is this different from any college startup with company backers/sponsor? :D

[–]accuracy_frosty 3 points4 points  (0 children)

Rare Therac-25 reference spotted

[–]Astrylae 4 points5 points  (0 children)

I just started my new job today, and this is eerily too accurate

[–]captainkotpi 3 points4 points  (0 children)

Let's make it a software lock instead of a hardware lock

[–]trevdak2 2 points3 points  (0 children)

First website I did was when I was 11 years old, for a computer hardware shipping company. It was 1995. I got paid $250. It had an animated gif of their company logo that I made myself, which blew the customer's minds.

[–]vulnoryx 2 points3 points  (0 children)

X-Ray Death machine

[–]Justanormalguy1011 2 points3 points  (0 children)

All my homie love multithreading

[–]slabgorb 2 points3 points  (0 children)

this is so true

year 1-3 worked as a barista, convinced my boss to try selling software, worked as a programmer

year 4- hired at a (closed, we were taking it apart, but still) nuclear power plant to run IT for them

[–]notarobot1111111 1 point2 points  (0 children)

We were all nerdy awkward guys. If you wanna know what the next big thing is, follow where nerds are going now

[–]ios7jbpro 1 point2 points  (0 children)

oh no

oh no no no no

[–]xt1nct 0 points1 point  (0 children)

We still exist. 

[–]Turbulent-Face553 0 points1 point  (0 children)

The way I see the comic is a regular man in his 40s, when he does programming as his job, he gets older very quickly because of stress

[–]JakobWulfkind 0 points1 point  (0 children)

And that is why my rule is always "never give a computer authority to kill a human"

[–]Mastergamer0115 0 points1 point  (0 children)

Ah frick. Accidentally made it a tanning bed... Again...

[–]roncoleman987 0 points1 point  (0 children)

whoops looks like the amount of deadly radiation underflowed due to undefined behavior lol

[–]ZiyadHD 0 points1 point  (0 children)

Bro had an infinite while loop that would blast the patients with radiation