The canonical example is the automatic shift knob in a car. The shift knob is designed to 1) prevent you from accidentally shifting all the way back into reverse without pressing the shift button, and 2) prevents you from leaving park or neutral without depressing the brake pedal. This way you don't damage the drivetrain or accidentally cause the car to roll forward/backward.
Poka-yoke is a form of defensive design (https://en.wikipedia.org/wiki/Defensive_design). For a beautiful example of defensive design, see the average electric kettle. If water boils over the top it won't short the device, if it boils dry it'll stop operating, the handle and body are plastic to prevent burning yourself, the handle is ergonomic to make carrying 1.5L of sloshing boiling water not cause you to spill it, the cord is detached from the kettle so you don't yank the cord and spill the boiling water, the switches are located on the bottom away from hot steam, and the lids usually lock while in operation, again to prevent damage from spillage or steam. It's the simplest and safest possible way to boil water, and it's $20.
If you ever URGENTLY needed to start a machine, and you knew it was safe to do so, the average shop gremlin could always break the tag and start it since they're normally made of craptacular plastic or thin sheet metal... but it's easily enough friction to make you rethink what you're doing. Never known anyone that's ever had to break a tag like that.
After that we installed molly-guard with a check for the number of active connections. Made it painless to reboot standby proxies and difficult to reboot active ones.
(We also instituted pairing on production proxy maintenance. I'm not a fan of pair programming but pair maintenance is great.)
I like telling junior hires about this incident because it teaches them that (a) anyone can make mistakes, (b) even serious mistakes usually aren't that dangerous, (c) you can learn a lot from mistakes with the right mindset, (d) we cannot prevent mistakes but with the right system design we can reduce their consequences.
It's a great opportunity to share knowledge and techniques and I very much recommend doing so. It's an important way to get people familiar and comfortable with what the documentation says. Or, it's less scary to failover a database or an archiving clutser while the DBA or an archive admin is in a call with you.
Also reminds me of an entirely funny culture shock for a new team member, who was on a team with a much worse work culture and mutual respect beforehand. Just 2-3 months after she joined, we had a major outage and various components and clusters needed to be checked and put back on track. For these things, we do exactly this pilot/copilot structure if changes to the system must go right.
Except, during this huge outage, two people were sick, two guys had a sick kid, one guy was on a boat on the northern sea, one guy was in Finland and it was down to 3 of the regulars and the junior. Wonderful. So we shoved her the documentation for one of the procedures and made her the copilot of her mentor and then we got to work, just calmly talking through the situation.
Until she said "Wait". And some combined 40 - 50 years of experience stopped on a dime. There was a bit of confusion of how much that word weighed in the team, but she did correctly flag an inaccuracy in procedure we had to adress, which saved a few minutes of rework.
Fortunately this was an exercise and we had BMC access, so no big deal. Except that we got yet another datapoint suggesting that netplan is not a high quality piece of software.
However that was good, because after that I have always been extra careful at any changes that could affect the firewall in any way. (That is not restricted to changes in firewall rules, because there are systems where the versions of the firewall program and of the kernel must be correlated, so an inconsistent update may make the firewall revert to its default state of denying all connections.)
https://entropicthoughts.com/locking-yourself-out-with-firew...
Azure still hasn't got this. It has serial and does screenshots of the console, but no access to my knowledge.
No, there's one worse feeling. Walking up to the machine that was supposed to work throughout the night, and seeing it had a surprise update that rebooted the system.
One of my favorite things about ditching Windows.
see https://arstechnica.com/tech-policy/2024/08/samsung-recalls-...
Luckily, there’s an easy solution recently devised that can prevent this safety hazard in homes across America, Samsung said. Customers concerned about unintentional activations can request free knob locks and covers that Samsung confirmed made it much harder to accidentally turn on the stove.
During the meeting, the CPSC shared data showing that across 338 incidents between January 1, 2018, and May 30, 2024, stoves from “ten specific manufacturers” were involved in fires causing 31 injuries and two deaths. Additionally, the CPSC had recorded “two other fatal incidents where a range was accidentally turned on when a knob was bumped, but the manufacturer is unknown.”
...Companies said the CPSC data would help them “fully understand the issues” and “make sure that reasonable and foreseeable circumstances would be addressed” without impacting compliance with the Americans with Disabilities Act.
I never heard of any related injuries over here.
My dad worked for Sperry Univac. For a while he was working on a ground-support trailer for the Sergeant surface-to-surface missile. He went in to work one Saturday for some kind of a major test. For some reason, he brought my mother and I along (maybe to give my mom a break). So this four-year-old (yours truly) goes into the trailer, and sees this bright red button...
It was not the launch button. It was the emergency shutdown button, which would have cost them an hour to bring the trailer back online. Someone stopped me before I actually pushed it, but still, this did not make me popular. What I remember from that day is actually the parking lot, because I spent far more time in the parking lot than in the trailer.
Also, perhaps `rm` should be molly guarded to move things to the trash on all systems by default, and delete only if forced to by a flag.
Note: I’d have expected Molly to be a cat, because they tend to be pretty good at disrupting things in my experience.
Not all systems, but some (RHEL, I think?) default alias rm='rm -i', yes
A guard I often make for myself is removing/disabling the delete key on my keyboard, and setting FN+Backspace to Delete with whatever control software is involved. I often then repurpose the delete key location to F2, which is typically used to “Edit” a spreadsheet cell or file name.
To me, a button that forces me to wait for an unknown and indeterminate period of time before functioning is a FAIL.
* Yes, on some systems rm is aliased to rm -i by default.
* Some scripts will use rm -f because normal rm returns an error if the target already doesn't exist but -f doesn't care.
* Finally, sometimes files are just ... I think it's being marked read-only that does it? I've hit this while trying to rm a git checkout; you actually do need to add -f sometimes to succeed. So if you just add -f then it'll always work.
(sorry)
You missed the point. Most things can be solved better. For example with undo or "fake undo" based on a delayed action or many other solutions, depending on the individual problem. Just asking "are you sure?" or forcing the user to jump through some hoops is the laziest and least user friendly way.
This means a properly configured mollly-guard is invisible for routine actions but kicks in only when a genuine mistake is suspected because the operation would cause some sort of meaningful loss. That way, users aren't trained to ignore it.
That's clever. This is what I meant when I wrote, that software allows for better solutions.
I discussed this also here:
>> At 08:56 a ‘Trade Limit Warning’ pop-up alert appeared within PTE. This presented the trader with 711 warning messages, consisting of hard block and soft block messages, listed in a single alert where only the first 18 lines of alerts were immediately visible unless the person who received the alert scrolled down. The trader did not appreciate their inputting error and overrode all of the soft warnings in the pop-up.
> You get 711 alerts, you only see 18 of them, you are like “ehh 18 alerts is pretty much the normal number,” you override them all without reading.
I await his response.
Isn't it better that someone gave it a second chance, even if only by clicking a link?
A traditional link blog would highlight a short excerpt so that the reader might be encouraged to click through to the full piece.
>your behavior is weird and hostile actually
Look in the mirror.
>A traditional link blog would highlight a short excerpt so that the reader might be encouraged to click through to the full piece.
Mine is not a "traditional link blog" nor has it ever been since its inception on August 24, 2004. You're the first person I've known to use the phrase "traditional link blog." I like it! Maybe you should start one.
Typepad, which hosted my original blog since August 24, 2004, on September 1, 2025 gave me 30 days notice that it would shut down at midnight September 30, 2025, making my roughly 40,000 (not a typo) past posts inaccessible.
I spent a frantic month trying about 10 blog hosts seeking one I, a card-carrying Technodolt, could actually use without a lot of pain.
The only one that came close was Google's Blogger.
Alas, it's horrible: janky, confusing, and always changing something I thought I'd finalized.
Oh well...