Molly guard in reverse (unsung.aresluna.org)
186 points by surprisetalk a day ago
0xbadcafebee 14 hours ago
In DevOps (and Lean, TPS) the more advanced form of this is the Poka-Yoke (https://en.wikipedia.org/wiki/Poka-yoke). Poka-yokes don't just add safety, they also guide the human away from making a mistake.
The canonical example is the automatic shift knob in a car. The shift knob is designed to 1) prevent you from accidentally shifting all the way back into reverse without pressing the shift button, and 2) prevents you from leaving park or neutral without depressing the brake pedal. This way you don't damage the drivetrain or accidentally cause the car to roll forward/backward.
Poka-yoke is a form of defensive design (https://en.wikipedia.org/wiki/Defensive_design). For a beautiful example of defensive design, see the average electric kettle. If water boils over the top it won't short the device, if it boils dry it'll stop operating, the handle and body are plastic to prevent burning yourself, the handle is ergonomic to make carrying 1.5L of sloshing boiling water not cause you to spill it, the cord is detached from the kettle so you don't yank the cord and spill the boiling water, the switches are located on the bottom away from hot steam, and the lids usually lock while in operation, again to prevent damage from spillage or steam. It's the simplest and safest possible way to boil water, and it's $20.
graypegg 5 hours ago
The example that comes to my mind is lockout tags. [0] It usually means temporarily jamming up a specific control marked as the lockout/ignition/energizing control while you're working on some big and gnarly machine. There's a bunch of regulation around the specifics of what that control has to prevent if not activated/lockedout, but usually it's a dirt-simple breaker switch or hydraulic valve, controlling whatever the main source of energy into the machine is. The ones with holes are for padlocks that everyone will lock padlocks onto so you have a count of who's still "down there".
If you ever URGENTLY needed to start a machine, and you knew it was safe to do so, the average shop gremlin could always break the tag and start it since they're normally made of craptacular plastic or thin sheet metal... but it's easily enough friction to make you rethink what you're doing. Never known anyone that's ever had to break a tag like that.
vharuck 7 hours ago
My favorite example of poka-yoke is when the pieces and hardware in build-it-yourself furniture kits won't fit anywhere except the correct places: two screws only have the same width if they're interchangeable, wood bars refuse to go in unless facing the right direction, etc.
JoshTriplett 14 hours ago
There's a great piece of software called "molly-guard", which intercepts calls to "poweroff" and "reboot" and similar. It checks if it's being invoked via an SSH session, and if so, it asks you to type the name of the system you're shutting down. That way, you never accidentally shut down a remote server when you meant to shut down your own system (or a different server).
kqr 13 hours ago
I once accidentally rebooted the reverse proxy for all our production traffic. We got some very quiet two minutes while it came back up.
After that we installed molly-guard with a check for the number of active connections. Made it painless to reboot standby proxies and difficult to reboot active ones.
(We also instituted pairing on production proxy maintenance. I'm not a fan of pair programming but pair maintenance is great.)
I like telling junior hires about this incident because it teaches them that (a) anyone can make mistakes, (b) even serious mistakes usually aren't that dangerous, (c) you can learn a lot from mistakes with the right mindset, (d) we cannot prevent mistakes but with the right system design we can reduce their consequences.
tetha 10 hours ago
> (We also instituted pairing on production proxy maintenance. I'm not a fan of pair programming but pair maintenance is great.)
It's a great opportunity to share knowledge and techniques and I very much recommend doing so. It's an important way to get people familiar and comfortable with what the documentation says. Or, it's less scary to failover a database or an archiving clutser while the DBA or an archive admin is in a call with you.
Also reminds me of an entirely funny culture shock for a new team member, who was on a team with a much worse work culture and mutual respect beforehand. Just 2-3 months after she joined, we had a major outage and various components and clusters needed to be checked and put back on track. For these things, we do exactly this pilot/copilot structure if changes to the system must go right.
Except, during this huge outage, two people were sick, two guys had a sick kid, one guy was on a boat on the northern sea, one guy was in Finland and it was down to 3 of the regulars and the junior. Wonderful. So we shoved her the documentation for one of the procedures and made her the copilot of her mentor and then we got to work, just calmly talking through the situation.
Until she said "Wait". And some combined 40 - 50 years of experience stopped on a dime. There was a bit of confusion of how much that word weighed in the team, but she did correctly flag an inaccuracy in procedure we had to adress, which saved a few minutes of rework.
saaspirant 10 hours ago
I was using my company dev machine via Windows RDP remotely during Covid and installed Glasswire which by default blocks all traffic so I lost access. No one was there to uninstall it so I continued development in my personal machine.
magicalhippo 14 hours ago
Another fun one is disabling the network interface on a remote server. An acquaintance did that by mistake on a cloud VM running some core services, and the cloud provider had no virtual console for some reason. Ended up having to write off the VM and restore from backup. Fun day at the office.
adrian_b 12 hours ago
Long ago, I succeeded once to cut my own access through SSH to a remote server, after some firewall changes. That of course has required a long trip to the server, for physical access.
However that was good, because after that I have always been extra careful at any changes that could affect the firewall in any way. (That is not restricted to changes in firewall rules, because there are systems where the versions of the firewall program and of the kernel must be correlated, so an inconsistent update may make the firewall revert to its default state of denying all connections.)
kqr 12 hours ago
amluto 5 hours ago
Hah, I once did “netplan try” on a prototype production machine. The new config wasn’t quite right (although not catastrophic in any respect) so I told it to roll back. Bye bye new machine.
Fortunately this was an exercise and we had BMC access, so no big deal. Except that we got yet another datapoint suggesting that netplan is not a high quality piece of software.
tinyhitman 6 hours ago
> cloud provider had no virtual console for some reason.
Azure still hasn't got this. It has serial and does screenshots of the console, but no access to my knowledge.
amluto 5 hours ago
RadiozRadioz 10 hours ago
> There is no worse feeling for a programmer than waking up, walking up to the machine that was supposed to work through the night, and seeing it did absolutely nothing, stupidly waiting for hours for a response to a question that didn't even matter.
No, there's one worse feeling. Walking up to the machine that was supposed to work throughout the night, and seeing it had a surprise update that rebooted the system.
One of my favorite things about ditching Windows.
bityard 6 hours ago
This is no longer just a Windows feature. The same thing happened to me the other day on MacOS. They recently shipped a "background" update to fix a security issue and it quite unceremoniously rebooted the machine to apply the update.
masfuerte 6 hours ago
And it's why I don't use Ubuntu any more. I don't know if it still automatically updates and reboots, but neither do I care.
amarant 23 minutes ago
evanjrowley 15 hours ago
I'm reminded of this legendary HN comment: https://news.ycombinator.com/item?id=16530398
cortesoft 15 hours ago
I am confused by the second guy who was curious and punched the plastic lid… it says you have to hold the button down for 30 seconds, how did that happen?
charles_f 15 hours ago
The guard itself ends up pushing the button
jeremyw an hour ago
Lest anyone think it's just little kids that are mesmerized by the shiny red button; we were showing a potential graduate student around the compsci labs, and he walks over to an important server and simply turns it off. He could never quite explain his impulse to do so.
wibbily 13 hours ago
Fun: the “Molly” in question is Ed Krol’s daughter - he’s the guy who wrote the Whole Internet User’s Guide and Catalog.
canucker2016 7 hours ago
The wikipedia entry lists a reference explaining the history of mollyguard, along with a pic of Ed and little Molly, but an HN comment has the relevant text excerpt. see https://news.ycombinator.com/item?id=26633835
AnimalMuppet 7 hours ago
I was almost that kid.
My dad worked for Sperry Univac. For a while he was working on a ground-support trailer for the Sergeant surface-to-surface missile. He went in to work one Saturday for some kind of a major test. For some reason, he brought my mother and I along (maybe to give my mom a break). So this four-year-old (yours truly) goes into the trailer, and sees this bright red button...
It was not the launch button. It was the emergency shutdown button, which would have cost them an hour to bring the trailer back online. Someone stopped me before I actually pushed it, but still, this did not make me popular. What I remember from that day is actually the parking lot, because I spent far more time in the parking lot than in the trailer.
canucker2016 8 hours ago
Samsung learned about molly guards the hard way - recall of millions of products after accidental fires from people/pets activating the front-panel dials.
see https://arstechnica.com/tech-policy/2024/08/samsung-recalls-...
Luckily, there’s an easy solution recently devised that can prevent this safety hazard in homes across America, Samsung said. Customers concerned about unintentional activations can request free knob locks and covers that Samsung confirmed made it much harder to accidentally turn on the stove.
During the meeting, the CPSC shared data showing that across 338 incidents between January 1, 2018, and May 30, 2024, stoves from “ten specific manufacturers” were involved in fires causing 31 injuries and two deaths. Additionally, the CPSC had recorded “two other fatal incidents where a range was accidentally turned on when a knob was bumped, but the manufacturer is unknown.”
...Companies said the CPSC data would help them “fully understand the issues” and “make sure that reasonable and foreseeable circumstances would be addressed” without impacting compliance with the Americans with Disabilities Act.
9dev 7 hours ago
That's wild. In Europe, we generally only have front-facing dials, but either they have a built-in push to recess function, or they require some force to turn from their off position, and for the most part heat and mode are also two separate knobs where you'd need to turn both to engage.
I never heard of any related injuries over here.
stevage 9 hours ago
I feel like modern tv remotes are the opposite of this principle. It is often the case that almost every single button will when pushed in some way interrupt the current program, often jumping out to a different menu or changing to a different program or something. It makes handling the remote or trying to change the volume a fraught experience.
bookofjoe 7 hours ago
OMG you hit my third rail when it comes to the brain-dead-designed Apple TV remote. After using one for many years I STILL press the wrong button many times every day, and in the dark, since the buttons are NOT backlit, I routinely press an unintended button. I think the user interface designer was promoted to create the Vision Pro UI/UX which is even more dreadful.
jiehong 16 hours ago
Oh! Then perhaps the long press required for the iPhone’s action button to trigger is a Molly guard!
Also, perhaps `rm` should be molly guarded to move things to the trash on all systems by default, and delete only if forced to by a flag.
Note: I’d have expected Molly to be a cat, because they tend to be pretty good at disrupting things in my experience.
yjftsjthsd-h 14 hours ago
> Also, perhaps `rm` should be molly guarded to move things to the trash on all systems by default, and delete only if forced to by a flag.
Not all systems, but some (RHEL, I think?) default alias rm='rm -i', yes
fragmede 14 hours ago
disk space is cheap these days alias to mv to trash for an extra layer of protection.
Modified3019 15 hours ago
Seeing long presses implemented for those intermittent and irreversible actions in games is something I‘ve always appreciated. I often end up making errant inputs, especially on keyboards.
A guard I often make for myself is removing/disabling the delete key on my keyboard, and setting FN+Backspace to Delete with whatever control software is involved. I often then repurpose the delete key location to F2, which is typically used to “Edit” a spreadsheet cell or file name.
bookofjoe 7 hours ago
Red team demur: I HATE the iPhone's long press requirement to restart from off.
To me, a button that forces me to wait for an unknown and indeterminate period of time before functioning is a FAIL.
denkmoon 16 hours ago
rm has mollyguarding, that's why every invocation of rm you see on the internet is followed by -f
yjftsjthsd-h 14 hours ago
I think that may be a combination of (IMHO unfortunate) factors:
* Yes, on some systems rm is aliased to rm -i by default.
* Some scripts will use rm -f because normal rm returns an error if the target already doesn't exist but -f doesn't care.
* Finally, sometimes files are just ... I think it's being marked read-only that does it? I've hit this while trying to rm a git checkout; you actually do need to add -f sometimes to succeed. So if you just add -f then it'll always work.
clbrmbr 10 hours ago
I once was a communications contractor for the major NJ power utility. One of their long time field techs (let’s just refer to him as Mr. T) was giving a tour of a substation that was built from the looks of it in the 50s. I have, you see, this bad habit of leaning on things… well Mr. T, without missing a beat, slid his forearm between my hip and a faded green Bakelite knob, the kind that goes in and out rather than twisting. He informed me that if I had leaned any further I would have shut off half of Newark.
6031769 3 hours ago
Certainly sounds like he pitied the fool.
(sorry)
donut 14 hours ago
Sometimes a pop-up appears that I blindly accept because I happen to be typing something with spaces. Wish that button was protected somehow.
kqr 11 hours ago
Such pop-ups should never automatically get focused. The increase of them was why I switched away from Windows many years ago, and why I like to root my Android devices. It baffles me that focus-stealing notifications cannot be turned off in most OEM Androids.
csullivannet 8 hours ago
I think with power tools on Windows 11 at least it forces the privilege escalation window to pop under.
jiehong 16 hours ago
I do wish those were a thing on flat touch sensitive induction cooktops! (For all those pesky water droplets causing the cooktop to error out and turning itself off)
gib444 15 hours ago
I get annoyed even at the thought of those things! Had to use a few while travelling. Ugh!
BubbleRings 6 hours ago
Somebody make a keyboard where every key is a molly guard, where only one will open at a time, then make a fun video about it. And credit me for this stupid idea. Even though it wasn’t my idea.
itayd 14 hours ago
best molly-guard depicited in "The Good Place": https://www.youtube.com/watch?v=etJ6RmMPGko
meelford 11 hours ago
I personally know a guy who shut down an oil factory by pressing the molly guard button, just because the button looked interesting.
buf 14 hours ago
Fun random fact, Eventbrite was first a security company called Molly Guard. I spent years cleaning out the 'mg-' prefixes from the code.
hyperhello 16 hours ago
“Mollyguarding” sounds like a great derogation of unnecessary safety measures. Stop mollyguarding me!
Shadowmist 16 hours ago
I've been looking for this!
1970-01-01 5 hours ago
fainpul 14 hours ago
Just please don't start adding molly-guards to your software. The concept only makes sense in the physical world, e.g. where the "important button", that you might never have to press, needs to be in reach all the time. In software, there are better solutions.
hrmtst93837 7 hours ago
Spend a week with a self-service admin dashboard and you'll learn why software needs molly guards too, because one-click disasters are common online.
fainpul 6 hours ago
> In software, there are better solutions.
You missed the point. Most things can be solved better. For example with undo or "fake undo" based on a delayed action or many other solutions, depending on the individual problem. Just asking "are you sure?" or forcing the user to jump through some hoops is the laziest and least user friendly way.
fragmede 14 hours ago
my favorite Debian package is Mollyguard so when you shut down a server remotely via SSH it just checks the second time to make sure you really wanted to shut down that server and not your laptop.
fainpul 14 hours ago
"Are you sure?" type guards are not suitable for actions which the user does regularly. If a user repeats this action regularly, they quickly automate the thought process (i.e. don't give it any thought anymore) and it becomes useless.
kqr 11 hours ago
selfhoster11 13 hours ago
sixhobbits 13 hours ago
cynicalsecurity 7 hours ago
"Reverse Molly guard" is dead man's switch.
ogogmad 8 hours ago
This sounded at first like a mouth guard, to stop teeth grinding.
TiredOfLife 10 hours ago
Does the disk drive or sim card slot ejector really qualify as Molly Guard?
pocksuppet 10 hours ago
The guard is it being a tiny hole you have to find a tool to reach into, instead of a button.
davidshepherd7 13 hours ago
That page is copied verbatim from https://unsung.aresluna.org/molly-guard-in-reverse/ (which is linked at the top). The original page also has much better formatting.
dang 3 hours ago
Changed now from https://bookofjoe2.blogspot.com/2026/02/molly-guard.html above. Thanks!
clbrmbr 10 hours ago
@dang Can a moderator update the link? The original is much better and we shouldn’t promote the copyposter.
bookofjoe 3 hours ago
I just emailed a screenshot of this discussion to @dang.
I await his response.
bookofjoe 5 hours ago
Full disclosure: I posted the original and it disappeared from HN so fast it made my head spin.
Isn't it better that someone gave it a second chance, even if only by clicking a link?
MYEUHD 4 hours ago
albedoa 4 hours ago
bookofjoe 3 hours ago
BTW I agree about the formatting being much better. Alas, I'm limited to Google's primitive Blogger as a host so that's the best I can do.
batisteo 10 hours ago
…and Google-hosted.
bookofjoe 5 hours ago
Sorry about that.
Typepad, which hosted my original blog since August 24, 2004, on September 1, 2025 gave me 30 days notice that it would shut down at midnight September 30, 2025, making my roughly 40,000 (not a typo) past posts inaccessible.
I spent a frantic month trying about 10 blog hosts seeking one I, a card-carrying Technodolt, could actually use without a lot of pain.
The only one that came close was Google's Blogger.
Alas, it's horrible: janky, confusing, and always changing something I thought I'd finalized.
Oh well...