DEV Community: Alex P

How a Metric Mix-Up Burned $327 Million

Alex P — Sat, 04 Apr 2026 14:03:25 +0000

A spacecraft traveled 670 million kilometers, but died at the very end because of a misunderstanding between two lines of code

In September 1999, an ambitious NASA mission to Mars ended in a disaster that went down in history as a huge management failure. The most expensive “lost in translation” mistake in history turned a science probe into a spectacular but useless meteor

The main problem with the Mars Climate Orbiter (MCO) was a communication gap between two teams of developers. The contractor, Lockheed Martin, built the thruster control software (SM_FORCES) using the imperial system (pound-force seconds). However, the navigation team at NASA JPL expected the data to be in the metric system (newton-seconds), as stated in the Software Interface Specification (and in the science!)

Because of this, sending raw numbers without converting them led to completely unmet expectations in the code. The navigation software assumed the data was in the correct metric format, but the values were fundamentally unequal and desperately needed to be converted

It is ironic and dangerous that the United States is one of the few countries in the world (along with Liberia and Myanmar) that has not officially adopted the metric system. While the global science community has used the metric system for decades, using pounds and inches in an interplanetary mission showed a severe lack of system awareness

Just a small reminder from a school:

Physics made the situation even worse. The spacecraft’s asymmetric solar array created a twisting force from solar wind pressure. To stay stable, the system had to fire its thrusters much more often than originally planned. Every time it did this, it sent bad data to the navigation computer, where the force was 4.45 times weaker than it should have been (the ratio of a pound to a newton). This error, which might have gone unnoticed, built up to critical levels because the maneuvers happened so often

# Python pseudo-code showing the fatal out-of-sync issue 
# between Lockheed Martin (ground software) and NASA JPL (navigation)

# ---------------------------------------------------------
# Contractor module (Lockheed Martin) - Uses imperial system
# ---------------------------------------------------------
def calculate_small_forces(thrust_time_sec):
    # Developer uses pound-force (lbf)
    thrust_lbf = get_raw_thruster_force() 

    # data without conversion for data_from_amd_file
    return thrust_lbf * thrust_time_sec 

# ---------------------------------------------------------
# Navigation module (NASA JPL) - Expects metric system (SI)
# ---------------------------------------------------------
def update_spacecraft_trajectory(data_from_amd_file):
    # JPL is sure it gets data exactly in newton-seconds (N-s)
    impulse_newton_seconds = data_from_amd_file 

    # 1 lbf = 4.45 N, so navigation thinks the thrust is 4.45 times weaker
    current_trajectory.altitude -= apply_orbital_mechanics(impulse_newton_seconds)

    """
    RESULT: Ground computers heavily underestimated the braking force
    In reality, the spacecraft was flying lower and lower towards the planet
    """

Catastrophic Consequences

On September 23, 1999, the spacecraft began its manoeuvre to enter orbit

The navigators expected it to pass at an altitude of 226 km, with the absolute minimum survival height being 80 km

But because of the built-up error, the probe hit the atmosphere at just 57 km

The spacecraft was instantly destroyed by aerodynamic stress and burned up

Damage in numbers and facts:

$327.6 million - the total cost of the MCO program (including $193.1M to build it, $91.7M to launch it, and $42.8M for operations)
Science failure: The MCO probe was supposed to act as the main data relay for the next spacecraft, the Mars Polar Lander (MPL). Sadly, just a couple of months later, the MPL also crashed during landing due to a different software bug (the engines shut off too early). This made 1999 one of the worst years in the history of Mars exploration

Lessons for the IT Industry

Strict typing for physical values and clear naming Never use raw types (double, float) for measurements. Use Value Objects (like NewtonSecond or PoundSecond classes) so the compiler stops you from mixing units. For example, some programmers in financial banks create their own Money types or separate UserId and CompanyId types so they don’t accidentally add different currencies or confuse a user with a company. If strict types are impossible, arguments and methods must clearly state the unit in their name: for example, calculateThrustInNewtons instead of calculateThrust
Integration testing is not just a bunch of Unit tests Each team tested their own code perfectly, but nobody checked how the data flowed together in a real end-to-end scenario (E2E). E2E tests and long simulations with real data exchange files are the only ways to catch hidden errors that build up over time and don’t show up in short, isolated tests
Investigate all anomalies deeply Any time a system acts differently than expected, it must be studied immediately. JPL navigators actually noticed strange things a week before the crash: the spacecraft needed path corrections too often, and its approach speed didn’t perfectly match the model. These “quiet alarms” were ignored. Remember: if reality differs from your monitoring by even a fraction of a percent, it is a reason to pull the emergency brake, not just hope for the best

Space requires perfect interfaces. The story of the MCO is a painful reminder that even the most complex and advanced system will fall apart if its parts speak different languages

HE WANTED TO MEASURE THE INTERNET, BUT ENDED UP BREAKING IT AND MAKING HISTORY

Alex P — Sun, 29 Mar 2026 11:58:47 +0000

HE WROTE A SCRIPT OUT OF PURE CURIOSITY. BUT HE ENDED UP CRASHING 10% OF THE WORLD'S INTERNET, CAUSING MILLIONS OF DOLLARS IN DAMAGE, AND BECOMING THE FIRST PERSON EVER CONVICTED OF COMPUTER FRAUD

Robert Tappan Morris, a student at Cornell University, didn’t want to be an evil hacker. He just wanted to see how big the internet was. However, because of one tiny mistake in his code, his harmless experiment turned into an unstoppable digital disaster

THE STORY OF THE “GREAT WORM”

It was 1988. The internet (then called ARPANET) was a small, closed club for universities, research centers, and the military. It was built on trust - nobody expected an attack from their own colleagues

On November 2, 1988, 23-year-old Robert Morris launched a program to count all the computers connected to the internet. The program (later called the “Morris Worm”) spread by using known weaknesses in network tools like sendmail and fingerd, as well as weak passwords

The idea was smart: the worm enters a server, checks if it is already infected, and if not, it copies itself and looks for new targets. It didn’t delete files or steal data. It was supposed to be completely harmless

But Morris thought of a problem: what if smart system admins set up a fake signal that says “I’m already infected” to protect their servers? To get around this, Morris added a rule: 1 out of every 7 times, the worm should ignore the server’s answer and infect it anyway

This was the fatal mistake!

A 1-in-7 chance (about 14%) was way too high. The worm started infecting the same computers over and over again. Each new copy created more processes, eating up all the memory and CPU power. Thousands of servers simply froze and crashed. Out of the 60,000 computers on the internet at the time, about 6,000 went down

In a panic, Morris tried to send an anonymous message explaining how to stop the worm. But the internet was so clogged that the message never arrived. Finally, following the advice of his father (who happened to be a top cybersecurity expert at the NSA), Robert turned himself in. The damage was estimated to be between $100,000 and $10,000,000. Morris got a light sentence: 3 years of probation, 400 hours of community service, and a $10,050 fine

LESSONS LEARNED BY THE TECH INDUSTRY

Trust is a bad security plan. The Morris Worm proved that the internet was no longer a safe place. Systems had to be built assuming the network is hostile
The birth of CERT. Right after the attack, the government funded the first Computer Emergency Response Team (CERT) to coordinate responses to future cyber attacks
The danger of exponential growth. Even harmless code can become a weapon if a bug causes an endless loop or uncontrolled copying
Security by default. The worm used a flaw in sendmail because the program was shipped with a “debug” mode left on. This taught developers a hard lesson about turning off testing features before releasing software

Today, Robert Morris is a respected professor at MIT and a co-founder of the famous startup accelerator, Y Combinator

THE SOURCE CODE AND THE FAMOUS BUG

The original code was reverse-engineered back in 1988. Today, you can find its source code in historical archives on GitHub

PSEUDOCODE OF THE FATAL ERROR

The whole disaster happened because the creator was too paranoid and misunderstood probability. In simple terms, the worm’s logic looked like this:

import random

# This logic runs INSIDE the new worm process AFTER it has successfully
# infected, compiled, and started itself on the target server

def logic_inside_new_worm_process():
    # STEP 1: The infection has ALREADY happened
    # The server has already spent CPU/RAM to receive and launch this process

    # The worm checks if another copy is already running on this machine
    # (usually by trying to connect to a specific local socket/port)
    already_infected = check_for_other_copies_locally()

    if already_infected:
        # THE FATAL BUG:
        # Morris was paranoid that system administrators would "fake" an
        # infection by running a dummy process to trick the worm into leaving

        # To bypass this, he added a 1-in-7 chance to IGNORE the result:
        if random.randint(1, 7) == 1:
            # "I don't believe this is a real worm!"
            # The worm ignores the existing process and stays alive anyway
            stay_alive_and_continue_spreading()
        else:
            # Even if the 1-in-7 chance didn't hit, the worm didn't quit yet
            # It would "talk" to the other process and flip a coin (50/50 chance)
            # to decide which one of them should terminate
            if random.choice([True, False]):
                terminate_self()
            else:
                stay_alive_and_continue_spreading()
    else:
        # No other copy found; the machine is "fresh"
        stay_alive_and_continue_spreading()

THE RESULT:
Because the worm was constantly re-attacking the same servers, the 1-in-7 "stay alive" chance was hit repeatedly. Machines ended up with dozens of copies running simultaneously, eventually crashing the system (Denial of Service)

TIMELINE OF EVENTS

November 2, 1988: Deploys the worm from MIT. The ARPANET infection begins
November 3, 1988: Crashes around 6,000 computers, causing massive slowdowns. Experts at UC Berkeley and Purdue rush to reverse-engineer the code
November 1988: DARPA responds to the crisis by funding the first CERT
July 26, 1989: A federal grand jury indicts Morris
January 1990: Morris is found guilty

Youtube Overflow

Alex P — Sun, 15 Feb 2026 08:45:44 +0000

I have written about a case when some outdated software components were used for more modern conditions, and it led to the Ariane 5 crash. But this time I wrote about a simpler case

So, at the end of 2014, the video Gangnam Style reached the most views ever in the whole of YouTube history.
And suddenly the counter of views stopped on the number 2 147 483 647 (2^31)
The counter is literally broken

Initially, YouTube was developed via the Python language, which handles large numbers very well.
But the database MySQL isn't!
And if a number is defined like a signed int the value 2 147 483 647 is the maximum

Of course, YouTube's developers implemented a fix quickly, and now the max value for counters takes 64 bits. This number is so big, so it takes more than 4 billion years for mankind to reach the limit... I would like to live so long 🖖

A little demo of how it doesn't work for MySQL https://www.db-fiddle.com/f/uuVvjyPmCqyD3Mk38SCQhF/1

And what happens on the Python https://python-fiddle.com/?checkpoint=1771142861

It was so cool that Youtube's developers added the Easter egg on the video page that broke their counter
Unfortunately they have removed it, but some good persons kept the video for history

WAF Checker — Guess what? Someone is actually using it!

Alex P — Sat, 14 Feb 2026 21:00:57 +0000

It was a big surprise to see that people are actually using this project! Because of that, I decided to make it much better and more user-friendly

The most noticeable improvement is the complete redesign. The tool now looks more professional, includes a dark mode, and is much easier to navigate, just check it here:

Here is a summary of what else has changed in WAF Checker recently:

Batch Testing: You can now test up to 100 URLs at once
HTTP Protocol Manipulation: Added advanced tests for HTTP Verb Tampering, Parameter Pollution, and special headers (like X-HTTP-Method-Override) to find hidden bypasses
Smart URL Handling: The {PAYLOAD} placeholder can now be placed anywhere in the URL
New WAF Bypass Techniques:
- Added "support" for Base64 encoding (successfully bypasses NoSQL injection blocks)
- Updated the payload list with sensitive files and common system paths
Documentation Update: The README is now a complete guide covering all 19 attack categories and WAF detection tips for Cloudflare, AWS, and Akamai

The project is completely free. You can follow its development or suggest new ideas here: https://github.com/SecH0us3/waf-checker

Feel free to suggest more features in the Issues section

Ah, the link to project https://waf.secmy.app/ (no sms/registration/ads etc...)

My new post about software error and spaceship disaster https://yoursec.substack.com/p/ariane-5-launch-disaster-because

Alex P — Tue, 27 Jan 2026 19:24:11 +0000

Ariane 5 launch disaster because code issues - by Alex P

The catastrophic failure of the Ariane 5 (flight 5), happened on 4 June 1996, is the example how a software error based on data-types, led to the real destruction of the spaceship and huge financial loss.

yoursec.substack.com

WAF Checker: False Positive Test

Alex P — Wed, 04 Jun 2025 03:56:17 +0000

This tool supports now False Positive Test - checks if your WAF incorrectly blocks legitimate traffic. This helps ensure your security doesn't interfere with normal users

Free WAF Checker: Major improvement

Alex P — Mon, 02 Jun 2025 17:55:40 +0000

Hi there, so as a continued, I have improved WAF Checker tool, and you may check your website free, without SMS & registration 🖖

https://waf.secmy.app/

WAF Checker: A Simple Web Tool for Testing Your Web Application Firewall

Alex P — Thu, 29 May 2025 18:58:13 +0000

Recently, I came across a bash script that checks the effectiveness of a Web Application Firewall (WAF). While it was useful, I wanted a bit more flexibility and the ability to add my own custom checks. I also wasn’t comfortable running a random bash script from the internet on my machine – even in a container. So, I decided to create this small web app, which allows not only me, but also you, to easily test how well your WAF is working.

WAF Checker is a simple, user-friendly service that lets you test your web application firewall against common attack payloads (like SQLi, XSS, Path Traversal, Command Injection, SSRF, NoSQLi, and LFI) using various HTTP methods. You just enter your target URL, select the HTTP methods you want to test, and get a clear, color-coded summary of the results. Just go and try https://waf.secmy.app/

If you’re interested in the latest techniques for bypassing WAF rules, I recommend checking out waf-bypass.com – it’s a great resource for staying up to date with new evasion methods and research.

Feel free to use this tool to test your own WAF and contribute ideas or improvements!

I have published new post about how to Check yourself in data breaches and what to do with this information https://yoursec.substack.com/p/check-yourself-in-data-breaches

Alex P — Sun, 04 May 2025 18:04:28 +0000

Star Wars Day - May 4

Alex P — Sun, 04 May 2025 13:16:12 +0000

A long time ago, in a data center far, far away…

Hello, today is a Star Wars Day, but my blog is about information technologies

Someone says, that it’s possible to watch Star Wars story by telnet:

telnet towel.blinkenlights.nl
starwars

But looks like it does not work already, anyway - I have found that it exists as a html: just visit the website asciimation.co.nz:

And the Google’s performance:

PS: I do not know, how to insert video here, so look at by yourself or go on my original post

National Space Day: May 2

Alex P — Sat, 03 May 2025 07:27:24 +0000

Let’s celebrate this Space Day and review your disk’s space of your laptop

It’s easy todo with ncdu

Just install and run:

# macos
brew install ncdu

# linux ubuntu
apt install ncdu

# linux fedora
dnf install ncdu

# run
ncdu .

Demo:

Video demo look at original page here https://yoursec.substack.com/p/national-space-day-2025-05-02

World Password Day

Alex P — Thu, 01 May 2025 10:15:18 +0000

Today is World Password Day - Celebrated Every First Thursday in May

In the past, early operating systems (mainly mainframes) that used password protection stored passwords in plain text. The password files could be printed, and people would leave jokes in each other's home directories

Today, systems only store password hashes, but many data breaches, weak hashing algorithms, rainbow tables, or even dictionary brute force attacks combined with insecure application design still pose a threat to data security

That's why on World Password Day, it's important to remember how to use passwords correctly:

1️⃣ Each website or service should have its own unique password

2️⃣ Passwords should not be simple – ideally, they should be so complex that you can't remember them

3️⃣ You should use a password manager to help with this

4️⃣ Don't rely only on passwords – use 2FA (two-factor authentication) when possible

5️⃣ Regularly change passwords for accounts where it's the only security factor and there's no protection against brute force attacks

Check the quality of your "favorite password" here: https://haveibeenpwned.com/Passwords

Also check if your accounts have been involved in data breaches and sign up for alerts: https://haveibeenpwned.com/

A password manager will help generate the strongest passwords. To find the perfect password manager for you, visit: https://passwordmanager.com/

By the way – password managers can also help you share important documents securely

And password managers will proactively notify you about data breaches

PS: Ideally, we should move away from passwords where possible in favor of more secure authentication methods, but there are areas where only passwords can be used, such as: password-protected documents, archives, Wi-Fi routers, home security cameras, or even your phone

For more information: https://www.techradar.com/pro/live/world-password-day-2025-all-the-news-updates-and-advice-from-our-experts
And https://www.hivesystems.com/blog/are-your-passwords-in-the-green