When I graduated as an engineer, a friend told me "How do you feel entering a plane when you know that people like us build it".

I’ve worked several years in the automotive industry and saw how software was done there.

When the 737-MAX crashed, I entered into the rabbit-hole and built a really good understanding of the software issue.

The results are:

- I don’t board a Boeing plane anymore.
- I avoid cars as much as I can.
- I make sure to recommend cars with the least possible software.

@ploum why ? :)
@panegyrique @ploum I originally wanted to ask why, especially the part about software … after second thoughts, I think it is because the degree of complexity exceeds the limit of human rigor.

@Danieldaimiaochen @panegyrique @ploum

> the degree of complexity exceeds the limit of human’s rigor.

It can. But we know how to build robust, reliable software systems.

But they are much more expensive than half-hearted rubbish with a nice UI.

@ploum Watch a bunch of the Mentour Pilot videos .... then you won't want to board Airbus either 😅

@tnt : I admit that there’s no particular reason why Airbus would be better.

But the 737-MAX decision to fix the structural imbalance resulting from bigger engines with software messing with the pilot’s control, in order to not have to go through the certification process of a new plane, is completely criminal.

While everything else I saw in the automotive industry was pure incompetence (to a level that no coder can even imagine)

@ploum @tnt Sadly some of us can and did see into the automotive world, and whilst it was dire, it was actually a lot better than most software 8(

A certainly large automotive company some years back said Tesla was doomed because a tech company learning how to make cars was much harder than a car company learning to do software. Tesla were like "watch this space", although the cybertruck does appear to be a valiant attempt to prove the car company right.

@etchedpixels @ploum @tnt

There's more than a few reasons that the ASICs in cars are a couple generations behind "latest".
@ploum @tnt
And then - as far as I understood - use one pitot tube to measure airspeed for that.
I always assumed for critical sensors there are (at least) three for a 2 out of 3 majority decision(?)

@godot @ploum @tnt

Aside from "You can have a lamp in the cockpit that tells you if MCAS is engaging (also a button), but it costs extra".

People buying airplanes: Extra costs? Hell no.

@godot @tnt : pitot tubes also fail. Even when there’s three of them.

https://en.wikipedia.org/wiki/Air_France_Flight_447

Air France Flight 447 - Wikipedia

@ploum @godot Or somehow you forget to remove all the "Remove Before Flight" covers from them. See Malaysia Airlines Flight 134.
@godot @ploum @tnt This detail to me sounded suspiciously like "if we use more than one sensor, then the system could be viewed as safety-relevant with all the consequences like certification, mandatory pilot training etc., so it's better if we only attach one sensor."
@Habrok42 @ploum @tnt This also shows the airspeed to the pilot. MCAS or not: in my understanding this is safety relevant. [But I'm no airplane expert - can someone better on the matter comment?]
@godot @ploum @tnt Yes, the pitot tubes and the sensors for the angle of attack are security relevant and therefore redundant sensors are mounted. Autopilot and other systems can use all the sensors and normally indicate if the values of the sensors differ too much so the flight crew can work out which sensor is faulty and should be disabled. But MCAS only used one AoA sensor, trusted this one blindly and could not be switched to another sensor.
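The contrast in the post above, as an added example that is not from the thread: a single blindly trusted channel beside a three-channel median voter that flags disagreement so a bad channel can be identified and disabled. The threshold and the readings are constructed values, not real aircraft figures.

```python
"""Added example: 2-out-of-3 sensor voting with disagreement detection,
contrasted with trusting one channel blindly. Values are constructed."""
import statistics

# Assumed tolerance in degrees; not a figure from any real aircraft system.
DISAGREE_THRESHOLD_DEG = 5.0


def single_sensor(readings):
    """Single-channel design: trust the first reading, never flag a fault."""
    return readings[0], False


def voted_sensor(readings, threshold=DISAGREE_THRESHOLD_DEG):
    """Redundant design: use the median of three readings and raise a
    disagreement flag when the channels spread beyond the tolerance."""
    if len(readings) != 3:
        raise ValueError("expected three independent readings")
    value = statistics.median(readings)
    spread = max(readings) - min(readings)
    return value, spread > threshold


def suspect_channels(readings, threshold=DISAGREE_THRESHOLD_DEG):
    """Indices of channels that disagree with the median: the crew's
    candidate list for which sensor to disable."""
    value = statistics.median(readings)
    return [i for i, r in enumerate(readings) if abs(r - value) > threshold]


if __name__ == "__main__":
    # Constructed scenario: channel 0 is stuck at a wildly high angle of attack
    # while channels 1 and 2 agree on a normal value.
    stuck = [74.5, 2.0, 2.5]
    print("single sensor :", single_sensor(stuck))   # accepts 74.5, no warning
    print("voted sensor  :", voted_sensor(stuck))    # 2.5, disagreement flagged
    print("suspect       :", suspect_channels(stuck))  # [0]
```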
@ploum @tnt I keep on wondering though - if the issue was about ground clearance (was it?), why didn't they just extend the landing gear?
@vriesk @ploum @tnt That has certification implications and may require pilot training. One of the big selling points of the Max series was that Boeing apparently promised that pilots wouldn’t need additional training and certification for the new models.

@tgeusch @vriesk @tnt : which is the criminal part. Trying to work around physics with software.

And, guess what, those planes are now back flying with what seems to be only cosmetic changes.

It’s cheaper to have some crashes than do proper fixes when you are too big to fail.

@tgeusch @vriesk @ploum @tnt Specifically, my understanding was that they didn't have room to extend the landing gear - they fold into the midline of the plane with barely enough room for a significant structural component between them, and they can't be moved further out on the wings without getting into the engine thrust.

“You don't have to train a specific set of pilots for the MAX” was a worthwhile goal. It just should have been abandoned once it became obvious that it was impossible to do safely.

@tnt @ploum now you are talking about incompetency in automotive industry, not its software particularly. Maybe you should recommend no car in your third point above.
@tnt @ploum I actually find that, on the contrary, his videos give a really good understanding of all the safety measures in place in aviation, and how thoroughly these accidents are investigated and improvements are implemented.

@tnt @ploum
At least (IIRC), Airbus has more of a "final decision lies with the pilot" approach, not "final decision lies with the software".

See also the Boeing "touchdown sensor bug" where pilots can't brake because the software is not sure if the plane is actually on the ground.

@ploum "our entire field is bad at what we do, and, if you rely on us, everyone will die"
https://xkcd.com/2030/
Voting Software

xkcd
@mart_e I had the same XKCD pop into mind. Thnx for looking it up 😅 @ploum
XKCD’s law

XKCD’s law by Ploum - Lionel Dricot.

@ploum In the case of cars, not sure how many accidents are caused by software (probably depends if you're counting distraction by shitty UIs), but I'd say buying an old car with worse safety features just because of the software would be a pretty bad idea (think passive safety, traction control, airbags, anti-lock brakes).

@MalteH @ploum I think the sweet spot is around 2005-2010? You get the troubles of finding replacement parts after a while+cost😟.
I've been car free for some years now and I work in the railway industry. Boy, we've got enough problems already to wish software doesn't get too far, but I don't see why we would be spared, with the usual 25y delay on the car/aviation industry.

Did you see the story of a manufacturer creating false failures on its trains to get maintenance contract? https://www.railway-technology.com/news/the-story-of-the-great-polish-train-hack/

The story of the great Polish train hack 

Polish rolling stock company Newag has alleged its train systems were illegally hacked, making four of its trains unsafe.

Railway Technology
@MalteH @ploum My car is twenty years old and has all those. We're seriously contemplating putting about twenty thousand dollars into it, which would leave us with a new 2004 vehicle for about half the price of a current model with all the touchscreen nonsense.
@ploum
Reminded of an old UCD Engineering maxim.
"I'll stand over any building you design. But I wouldn't stand under it."
@ploum Try looking at building plans created by engineers sometime...
@ploum a teacher told me that when he was in university his class had to build a bus and ride it around

the teacher asked him: "aren't you afraid it will break down and crash?"

he answered "that's if it starts in the first place"
@ploum "if it's boeing I'm not going" lmao
@ploum what are current cars with good physical controls and little software? Do they make those anymore?
@ploum management pays for expensive yet also badly implemented static analysis tools that check that code conforms to the golden calf of the Misra C standard, which obviously means it can't contain any errors 🤪
@ploum
Coming from the embedded power electronics and PLC side, I concur with this.

@ploum

People in the future will view Internet of Things the way we view DAT and 8-track, but more tragically.

@ploum
I know SW in many cases is catastrophic.
Meanwhile, in Automotive, billions of safely driven kilometers, thousands of lives saved according to accident research and a space ship like interior and convenience stand against it.
How is it possible?
I guess a good verification and validation is one part, also market oversight and safety enforcement. But also the SW, different from other environments, is often exposed only to a very restricted set of conditions, so many flaws do not show up at all, and that is OK.
Any other thoughts?
@pluralistic

@ploum Every computer security person I know has no smart devices or appliances on their network. Same thinking, same theory.

The car thing is becoming interesting - one of the reasons people are increasingly giving for avoiding an EV is privacy/software.

@etchedpixels @ploum Precisely. The new Volvo EV looked interesting & affordable, but when I found out it’s using mapping software from Google I noped right out of that idea.

@ploum

I know for a fact large slices of the financial sector are powered by extremely janky software. It's a damn miracle it works as well as it does.

@ploum my colleague also works in testing at B. and this was his conclusion also. And it was before the software bug incident.

@ploum As a working software engineer, I worry more about the climate impact of my flight than the software, and as for cars, I worry more about distracted drivers than software bugs.

Sure, nearly all software has bugs, but most of the ones that really matter get fixed.

Software engineering is all about finding bugs, designing your tests and procedures to prevent the worst bugs, and figuring out how to fail safely if something goes wrong.

Obviously, that doesn't always happen. But it can.

@ploum That being said, I don't trust computerized voting machines either. Voting is unique: it's hard to test realistically, and if it goes wrong, it can spoil millions of people's lives.

As I see it, computerized counting of paper ballots may be the safest practical system for voting. (Because you can count them by hand if necessary. And because if you're trying to fudge the count, you have to make matching changes to both the computer and manual counts.)

@ploum mind to share your analysis or insights?
@ploum Weinberg’s Law (1975):
If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.

@ploum My favorite talk is "Preventing the collapse of civilization" by Jonathan Blow. It puts "software sucks in everything" which we all more or less feel into the really big picture of history and technology.

https://www.youtube.com/watch?v=ZSRHeXYDLko

Ironically, it was on a game developer conference. But the points he makes are still valid across the entire field.

Preventing the Collapse of Civilization / Jonathan Blow (Thekla, Inc)

YouTube
@ploum When a friend of mine was an engineering student, he was shown a printout of the the code for a roller coaster. It was in a large binder, and he said that the sheer bulk of it, with all the safety checks and such, made him feel better about riding roller coasters...

@ploum worse than that: the 737-MAX was trusted by the FAA, which is trusted by most aeronautical regulation agencies in the world (i.e. if the FAA trusts a plane, most agencies do not do extra assessments).

Basically any aircraft that was first trusted in the US by the FAA is "as secure" as the Boeing 737-MAX ;-)

The recent issues are changing this a bit, but slowly...

@ploum Around here we say "Knowing how good of an engineer I am, I'm afraid to go to a doctor"...
@ploum years ago at the embedded systems conference a presenter on software quality asked the audience "if your team wrote the code for the airplane you flew here on, would you have boarded the plane?" One guy raised his hand. The presenter asked him what his team knew that no one else knew. He said if his team wrote the code you couldn't even turn on the plane, let alone taxi and fly it, so he would be perfectly safe boarding the plane.
@ploum That feels like a defeatist attitude. Aren’t airplanes safer now than ever?
@ploum

My first job after college was processing paper-based maintenance-notices through an OCR system to create a hypertext book. We did this a couple times per week. Part of my job was to scan the OCR-captured content for obvious errors. That meant reading stuff that probably should have scared me from ever flying any passenger plane made by any company operating for any airline with US routes. Just a couple years later, I was making multiple flights per week as part of a job with a UNIX vendor.

/shrug Everything's a risk and you have to hope that the (typically very rare) projected incident-rates play in your favor.

@ploum There really needs to be a new car company created from the ground up with minimalism and safety as core goals.

No data mining, no smart anything. Doesn't have LTE or a GPS or a single LCD panel. Anything that has to be computerized or fly by wire triple modular redundant including sensors, processors, and actuators.

Modern EV drive train.

Steering purely mechanical, direct linkage to wheels. Ditto for emergency brake.

Multi stage brake pedal: press a little bit and it triggers regenerative braking (under software control obvs) via redundant sensing. Press further and a mechanical / hydraulic linkage kicks on the normal brakes. Floor it fully and it hard cuts off the battery from the drive train as well just in case the motor controller went haywire.

Throw in all the sensors you want for improved situational awareness but don't connect to controls. Let the driver drive. There's a reason TCAS doesn't link to the autopilot or anything.

@ploum I work in infosec and have looked at lots of automotive and some aviation software.

I commute to work on a bicycle.

@ploum 20 years in the industry. all software is broken.
@ploum my rav4 hybrids lease is coming due. Just going to buy it as the new RAV4 have too many subscriptions if you want to use it.
Boeing, chronicle of an industrial crash

The Alaska Airlines accident, in which an aircraft lost a door in flight, is one too many for the aircraft manufacturer. The American giant is on the floor, and its customers' confidence is vanishing. The story of a methodical industrial destruction.

Mediapart
@ploum The one piece of electronics on my 1991 VW Vanagon Syncro is the Engine Control Unit (ECU). VW built them so they never fail. Mine's over 32 years old and still working. The other is the radio, and the problem is Syncros weren't built for modern radios. You have to buy one with a removable face plate or install a disconnect switch for the radio. They have twin batteries: main when the ignition is on, secondary when it's off. Newer radios won't trip the solenoid to switch to the secondary battery when turning the ignition off.