Museum Wire
Law 0 · Katie's LawEvery system is shaped by the human drive to do less work. This is not a flaw. It is the economic force that produces all software — and all software failure.Law I · Boundary CollapseWhen data crosses into a system that interprets structure, without being constrained, it becomes executable.2026 IncidentAxios. 70 Million Downloads a Week. North Korea Inside.Law II · Ambient AuthorityWhen a system trusts the presence of a credential instead of verifying the intent behind it, authentication becomes indistinguishable from authorization.AXM-001Set Theory — Membership, Boundaries, and BelongingLaw III · Transitive TrustWhen a system inherits trust from a source it did not verify, the attack surface extends to everything that source touches.2026 IncidentClaude Code — The Accept-Data-Loss FlagLaw IV · Complexity AccretionSystems do not become complex. They accumulate complexity — one reasonable decision at a time — until no single person can hold the whole in their head.Law V · Temporal CouplingCode that assumes sequential execution, stable state, or consistent timing will fail the moment concurrency, scale, or latency proves the assumption wrong.2026 IncidentCopy Fail — 732 Bytes to Root on Every Linux DistributionAXM-002Boolean & Propositional Logic — True, False, and the Excluded MiddleLaw VI · Observer InterferenceWhen the system that monitors health becomes a participant in the system it monitors, observation becomes a failure vector.2025Amazon Kiro — The 13-Hour Outage2025Operation Chrysalis: The Notepad++ Supply Chain Hijack2025Replit Agent — The Vibe Code Wipe2025Shai-Hulud — The npm Worm That Ate Its Own Ecosystem2024Air Canada Chatbot — The Policy That Wasn't2024Change Healthcare — One-Third of US Healthcare, One Missing MFA2024CrowdStrike — The Security Update That Broke the World2024Google Gemini Image Generation — The Six-Day Pause2024XZ Utils — The Two-Year Infiltration20233CX — The Supply Chain That Ate Another Supply Chain2023Amazon Prime Video — The Per-Frame State Machine2023Bing Sydney — The Chatbot That Went Rogue2023Samsung ChatGPT Leak — The Employee Who Pasted the SecretEFFODE · LEGE · INTELLEGELaw 0 · Katie's LawEvery system is shaped by the human drive to do less work. This is not a flaw. It is the economic force that produces all software — and all software failure.Law I · Boundary CollapseWhen data crosses into a system that interprets structure, without being constrained, it becomes executable.2026 IncidentAxios. 70 Million Downloads a Week. North Korea Inside.Law II · Ambient AuthorityWhen a system trusts the presence of a credential instead of verifying the intent behind it, authentication becomes indistinguishable from authorization.AXM-001Set Theory — Membership, Boundaries, and BelongingLaw III · Transitive TrustWhen a system inherits trust from a source it did not verify, the attack surface extends to everything that source touches.2026 IncidentClaude Code — The Accept-Data-Loss FlagLaw IV · Complexity AccretionSystems do not become complex. They accumulate complexity — one reasonable decision at a time — until no single person can hold the whole in their head.Law V · Temporal CouplingCode that assumes sequential execution, stable state, or consistent timing will fail the moment concurrency, scale, or latency proves the assumption wrong.2026 IncidentCopy Fail — 732 Bytes to Root on Every Linux DistributionAXM-002Boolean & Propositional Logic — True, False, and the Excluded MiddleLaw VI · Observer InterferenceWhen the system that monitors health becomes a participant in the system it monitors, observation becomes a failure vector.2025Amazon Kiro — The 13-Hour Outage2025Operation Chrysalis: The Notepad++ Supply Chain Hijack2025Replit Agent — The Vibe Code Wipe2025Shai-Hulud — The npm Worm That Ate Its Own Ecosystem2024Air Canada Chatbot — The Policy That Wasn't2024Change Healthcare — One-Third of US Healthcare, One Missing MFA2024CrowdStrike — The Security Update That Broke the World2024Google Gemini Image Generation — The Six-Day Pause2024XZ Utils — The Two-Year Infiltration20233CX — The Supply Chain That Ate Another Supply Chain2023Amazon Prime Video — The Per-Frame State Machine2023Bing Sydney — The Chatbot That Went Rogue2023Samsung ChatGPT Leak — The Employee Who Pasted the SecretEFFODE · LEGE · INTELLEGE
Keyboard Navigation
W
A
S
D
or arrow keys · M for map · Q to exit
← Back to Incident Room
2003outagePublic

The Northeast Blackout — When the Alarms Went Silent

A race condition in GE's XA/21 energy management software silently disabled the alarm system at FirstEnergy, leaving operators blind as cascading power failures affected 55 million people across the northeastern US and Canada.

2 min read
Root Cause

A race condition in the alarm and logging software caused it to stall without displaying errors. With no alarms, operators were unaware that overloaded lines were sagging into trees and tripping offline. The cascade spread across the grid in under 3 minutes.

Aftermath

55 million people without power. Estimated $6-10 billion in economic losses. Led to mandatory reliability standards for the North American power grid and established the principle that monitoring system failures must be treated as critical alarms themselves.

The Incident

On August 14, 2003, at approximately 4:10 PM EDT, a cascading failure in the electrical grid left 55 million people across the northeastern United States and southeastern Canada without power. It was the largest blackout in North American history.

The Root Cause

The cascade began with a software bug. General Electric's XA/21 energy management system — used by FirstEnergy, the utility at the origin of the cascade — contained a race condition in its alarm and logging software. The race condition caused the alarm system to stall and stop processing new alarms. Critically, the failure was silent — no error was displayed. The operators' screens showed a normal system.

While the alarms were silently offline, a sequence of preventable events unfolded: power lines in Ohio, overloaded and heated by high demand, sagged into untrimmed trees and tripped offline. Each tripped line shifted load to remaining lines, which then overloaded and tripped. The operators — who would normally have seen alarms for each line trip — saw nothing.

By the time anyone realized what was happening, the cascade had spread across eight states and Ontario. The entire propagation took approximately three minutes.

Why It Matters

A monitoring system that fails silently is worse than no monitoring system at all. With no monitoring, operators know they're blind and act accordingly. With monitoring that has silently failed, operators believe they're informed when they're not. They make decisions based on the absence of alarms — interpreting silence as safety — when silence actually means the alarm system is dead.

Techniques
race conditionsilent failurecascading failure