Off by one
The fencepost error. You counted the posts and forgot the gaps. One iteration too many, one too few — and the array reaches into nothing.
A missing hyphen. A two-digit year. A single over-read byte. The most famous software failures ever shipped were rarely complicated — they were small mistakes given an enormous stage.
Every legendary bug started as one line that looked completely fine.
Screen-printed from the logbook
The fencepost error. You counted the posts and forgot the gaps. One iteration too many, one too few — and the array reaches into nothing.
Tony Hoare called it his billion-dollar mistake. A reference that points at nothing — dereferenced anyway, somewhere far from where you wrote it.
Two threads, one resource, no lock. Correct ten thousand times in a row — then catastrophic on the run nobody can reproduce.
It vanishes the moment you look. Add a print statement and it's gone; attach a debugger and the program behaves perfectly. Then ship, and it's back.
Every icon gets the silkscreen treatment. This is the real logbook page — "First actual case of bug being found" — with the moth Grace Hopper's team taped in, screen-printed until it's a legend.
Original photograph: U.S. Naval History & Heritage Command (NH 96566-KN) · public domain.
A moth jams a relay inside the Harvard Mark II. Operators tape it into the logbook: "First actual case of bug being found." The word was already slang — now it had a corpse.
Hardware · the original bugA single missing overbar in a handwritten guidance equation sends the Venus probe off course. Range safety destroys it 293 seconds after launch. Arthur C. Clarke called it "the most expensive hyphen in history."
Transcription · $18.5MA race condition in a radiation-therapy machine delivers doses a hundred times too high. The screen reads MALFUNCTION 54. Six patients are harmed; several die. Software safety stops being theoretical.
Race condition · fatalA grad-student experiment reproduces faster than intended and clogs roughly a tenth of the early internet. The first worm to make headlines — and the first felony conviction under the new computer-fraud law.
Self-replication · ~6,000 hostsFive missing entries in a lookup table make Intel's flagship chip divide certain numbers slightly wrong. A math professor notices. Intel recalls the silicon — a hardware bug, costed at roughly $475 million.
Lookup table · $475M recallA 64-bit velocity is crammed into a 16-bit integer; it overflows. Reused code from Ariane 4 never needed the larger range. The rocket self-destructs 37 seconds after liftoff, taking four satellites with it.
Integer overflow · 37 secondsOne team works in pound-seconds, the other in newton-seconds. Nobody converts. The orbiter dips too low into the Martian atmosphere and is never heard from again. $327 million, lost to units.
Unit mismatch · $327MDecades of saving two bytes by storing years as "99" meet the year 2000. The feared collapse mostly doesn't happen — because an army of programmers spent years on the most boring, most important fix in history.
Date overflow · the quiet saveA deploy reuses an old flag and wakes dead code on one of eight servers. In 45 minutes the trading firm fires millions of unintended orders and loses about $440 million. It does not survive the week.
Dead code · $440M in 45 minA missing bounds check in OpenSSL lets anyone ask the server to read past the buffer and hand back whatever memory is next door — keys, passwords, anything. It had been live for two years before anyone noticed.
Buffer over-read · CVE-2014-0160A developer unpublishes an eleven-line package in a naming dispute. Half of JavaScript depends on it transitively. Builds break across the planet over a function that pads a string. Modern software, in one screenshot.
Dependency · 11 linesA logging library helpfully evaluates a string — so logging the wrong text runs attacker code. One line, buried in a dependency of a dependency, and every team patches through the same December weekend.
Injection · CVE-2021-44228A faulty content update ships to millions of Windows machines and blue-screens them in unison. Airports, hospitals, banks and checkout lines freeze together. Production, it turns out, is the gallery wall.
Bad update · ~8.5M machinesSend one forged header — x-middleware-subrequest — and Next.js believes its own auth middleware already ran. Login walls, route guards, redirects: skipped. The framework behind a huge slice of the modern web had shipped a skeleton key to its own front door.
Nobody broke the framework — they walked in through an OAuth grant. A compromised third-party AI tool handed a ShinyHunters-linked crew the keys to Vercel's internal systems: source code, API keys, 580 employee records, posted for $2 million. The supply chain became the front door.
OAuth supply chain · April 2026A quiet February backend change re-opened public-project chats. For 48 days, any free account could read other builders' source code, database credentials, and AI conversations. The biggest vibe-coding leak yet — patched for new projects while the old ones stayed wide open.
BOLA · 48 days · 2026The eternal bug. It runs perfectly on the laptop where it was born and nowhere else. No repro, no trace, no end. Every generation rediscovers it, and every generation thinks it's the first.
Environment drift · foreverSome bugs are events. Others are species — the same shape, recurring forever, in every language ever written.
Languages die. Frameworks rot. Whole companies disappear. But a good bug story gets told forever — at standups, in postmortems, on a logbook page taped shut in 1947. To err is human; to reproduce, divine.
