Museum Wire
2012 · outage · Corporation

Knight Capital — $440 Million in 45 Minutes

Knight Capital Group lost $440 million in 45 minutes due to a deployment error that reactivated obsolete trading code on one of eight servers. No kill switch existed.

Root Cause

When deploying new software for the SEC's Retail Liquidity Program, a technician failed to deploy to one of eight servers. That server still contained old code that, when triggered by the new system's flags, began executing a retired high-volume trading strategy — buying high and selling low at enormous speed.

Aftermath

Knight Capital was effectively bankrupted and acquired by Getco LLC within months. The SEC investigation report became a case study in deployment process failures. The incident accelerated industry adoption of automated deployment verification and kill switches.

The Incident

On August 1, 2012, Knight Capital Group — one of the largest market makers in the United States — began trading at 9:30 AM using newly deployed software for the SEC's Retail Liquidity Program. Within 45 minutes, the firm had accumulated $7 billion in unintended positions, resulting in a loss of $440 million. The company's stock dropped 75% and Knight was acquired by Getco LLC within months.

The Root Cause

Knight's deployment process required manually copying new software to each of eight production servers. A technician failed to deploy to one server. That server still contained old code — a retired trading strategy called "Power Peg" that had been decommissioned years earlier but never removed from the codebase.

The new software used a flag that, in the current system, activated the Retail Liquidity Program logic. On the one un-updated server, the same flag activated the old Power Peg strategy. Power Peg was designed to aggressively accumulate positions — buying at the ask and selling at the bid. It did exactly what it was designed to do, at enormous speed, losing money on every trade.

Knight had no kill switch. By the time engineers identified the problem, the damage was done.

The Pattern

Dead code is not dead. It is dormant. A flag that means one thing in new code can mean something entirely different in old code that was never removed. Knight's failure was not a single error — it was the intersection of manual deployment, retained dead code, flag reuse, and the absence of a kill switch. Any one of these, addressed, would have prevented the catastrophe.

Why It Matters

Knight Capital is the canonical example of why deployment processes must be automated, verified, and reversible. It is also the canonical example of why dead code must be removed, not just abandoned. Code that "isn't running" can start running when the conditions change. And when it does, it runs with the same authority as the code you intended to deploy.
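Two of the controls named above, sketched as an added example (not code from Knight Capital or from this page): a flag that cannot be enabled until every host reports the release build, and a kill switch that halts order flow at an exposure limit. The host names, the `OrderGate` class, and the limit value are assumptions made for illustration.

```python
import hashlib

def artifact_digest(artifact: bytes) -> str:
    """SHA-256 of the build artifact a host is actually running."""
    return hashlib.sha256(artifact).hexdigest()

def stale_hosts(release_digest: str, fleet: dict) -> list:
    """Hosts whose running artifact is not the release being activated."""
    return sorted(h for h, d in fleet.items() if d != release_digest)

class OrderGate:
    """Hypothetical gate holding one release's feature flag and kill switch."""

    def __init__(self, release_digest: str, max_exposure: float):
        self.release_digest = release_digest
        self.max_exposure = max_exposure  # assumed firm-wide notional limit
        self.flag_enabled = False
        self.halted = False
        self.exposure = 0.0

    def enable_flag(self, fleet: dict) -> None:
        """Enable the flag only if every host runs the release build."""
        stale = stale_hosts(self.release_digest, fleet)
        if stale:
            raise RuntimeError(f"refusing to enable flag; stale hosts: {stale}")
        self.flag_enabled = True

    def submit(self, notional: float) -> bool:
        """Accept an order unless halted, unflagged, or over the limit."""
        if self.halted or not self.flag_enabled:
            return False
        if self.exposure + abs(notional) > self.max_exposure:
            self.halted = True  # kill switch: stays tripped until reset by a human
            return False
        self.exposure += abs(notional)
        return True

# Constructed sample: eight hosts, one missed by the rollout.
NEW_BUILD = artifact_digest(b"new build (constructed)")
OLD_BUILD = artifact_digest(b"old build with retired strategy (constructed)")
FLEET = {f"srv{i}": NEW_BUILD for i in range(1, 9)}
FLEET["srv8"] = OLD_BUILD

if __name__ == "__main__":
    gate = OrderGate(NEW_BUILD, max_exposure=1_000_000)
    print("stale hosts:", stale_hosts(NEW_BUILD, FLEET))
    try:
        gate.enable_flag(FLEET)
    except RuntimeError as err:
        print(err)
```

The digest comparison addresses the missed server; the exposure limit is the backstop for whatever the comparison does not catch.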

Techniques
deployment error · dead code reactivation