
‘I Had A Funny Feeling in My Gut’ (1999) - tosh
http://www.washingtonpost.com/wp-srv/inatl/longterm/coldwar/shatter021099b.htm?noredirect=no
======
atemerev
Just in case — he didn’t have the authority to launch the missiles. His job
was to evaluate the situation and give the immediate report to the top of the
chain of command, if the situation is critical, and if they decide to
counterattack — relay their orders (and presumably some unlock codes) to
missile operators. In other words, he was at his place exactly because the
command authority didn’t trust the system enough to rely on automated reports,
and needed a human in the loop to make the interpretation for them.

He decided (correctly) not to relay anything to the higher ups. However, later
he was not commended for that, because his job was to make the call and tell
something like “I have an alert of five incoming Minuteman missiles — I am
sure though it is a false alarm from the new system”, instead of unilaterally
deciding to block the message. He was right not to escalate, but if he did, it
would not have immediately ended the world.

~~~
sciurus
According to the article, "the reports of a missile salvo were coming so
quickly that an alert had already gone to general staff headquarters
automatically".

~~~
tabtab
Re: _he didn’t have the authority to launch_

While true, if he _had_ claimed the missiles were real, those with authority
may have pushed The Big Button.

------
fjcp
Chilling story, the key point to me as a programmer is:

>According to Petrov and other sources, the false alarm was eventually traced
to the satellite, which picked up the sun's reflection off the tops of clouds
and mistook it for a missile launch. The computer program that was supposed to
filter out such information was rewritten.

Every programmer should read this as a reminder of how a software bug can have
catastrophic consequences. And I know it's hard, as deadlines come closer, the
time dedicated to find bugs drops accordingly.

~~~
yetihehe
It probably wasn't really a bug, but untested behaviour or designers didn't
think there could be such strong reflections from clouds. I suppose there
wasn't too much real data to test detection algorithms against.

~~~
hellbanner
Untested behavior leading to unexpected results.. is still a bug.

~~~
phendrenad2
Not a bug caused by programmers, but a bug caused by the domain experts who
wrote the specifications for the code. I doubt the programmers writing the
code were experts on cloud/satellite imagery interactions.

------
imglorp
We had some oopsies too, like the time someone left a training tape in the
machine. The UCUSA has a series of articles pleading for a more careful and
thoughtful response instead of this hair-trigger ten minute stuff, especially
in the new age of unstable leadership.

[https://blog.ucsusa.org/david-wright/nuclear-false-
alarm-950](https://blog.ucsusa.org/david-wright/nuclear-false-alarm-950)

~~~
tabtab
We are really lucky to be alive. Then again, if an event did trigger WW3, most
of us wouldn't be around to wonder what happened. It's sort of a variation on
the Anthropic Principle.

------
anonu
From a system's perspective: when you build a nuke early-warning system you
don't really have any good test cases to make sure your system actually works.
This guy erred on the side of caution.

~~~
atemerev
You have your own missiles (with dummy warheads) to check against. This is how
it is usually done.

~~~
codingdave
> This is how it is usually done.

Was that typical for testing in 1983? Or is that how systems are tested today?

------
muthdra
I remember reading this elsewhere and the russian official was quoted in the
lines of "It felt wrong cause if you wanna launch nukes, you launch them by
the hundreds".

~~~
VLM
Also if you want to do a sneak attack you don't start it with the weapon your
opponent can most easily detect.

So, the control center hasn't been taken out by a cruise missile and the
submarine pens are untouched and the bomber airfields check in as OK... it
just doesn't make sense as a sneak attack vector. Maybe every sub launched
cruise missile in the fleet failed to work; unlikely.

Something not declassified yet, but probably would clear up a lot of
confusion, is if the detector code was fooled by sunlight on clouds or
whatever, the trajectory solver likely came up with bizarre results like the
ICBM launch site was the center of Lake Michigan or downtown Chicago or the
trajectory of the other missile has a best fit predicted impact point of Ohio
or Mexico City.

They have plenty of practice analyzing the huge horizontal velocity vector of
normal spacecraft launches. A strange sunlight reflection would tend to have
zero horizontal velocity; the opfor seems to be bombing its own missile sites
by tossing the ICBM exactly straight up and down? That seems a little odd
unless someone's trying to set off a false flag leading to a real attack.

I would think it would be good defensive coding strategy to have different
teams write and deploy the detector code vs the trajectory analysis code, such
that if one messes up it really doesn't matter.

------
doctornemo
We need Petrov statues.

------
ausbah
This is what makes the MAD doctrine so scary in reality, little mishaps and
hiccups in a fallible system that could accidentally blow the world back to
the stone age.

------
jwilk
Archived copy without GDPR nag screen:

[https://web.archive.org/web/20180926083157/http://www.washin...](https://web.archive.org/web/20180926083157/http://www.washingtonpost.com/wp-
srv/inatl/longterm/coldwar/shatter021099b.htm)

