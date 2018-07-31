Let me start by saying that my understanding has evolved. One of the things that I worked on was the Multics system administration facilities -- and they were quite elaborate. They had many commands and tech manuals describing how to use all those commands, and we built a special-purpose subsystem with different commands for the system administrators and another set of different commands for the system operators. Remember when systems had operators who were trained to operate the computer, instead of having everyone operate their own computers with no training at all?

It was big mistake, in retrospect. It used to be that after the Multics operating system crashed -- in large part due to the hardware, which was much less reliable than it is now -- the operator would have to go through a very complex set of recovery steps to get the system back up and all the files happy again. Over time, we realized that every place where the operator had to make a choice and type the right thing was a chance for them to type the wrong thing. Over time, we evolved to a thing where -- when the system crashed -- you said start it up again, and if it turned out that you had to run some recovery step, the system would decide whether or not to do it, and we designed the recovery steps so they could run twice in a row with no negative effect. We aimed toward a completely lights-out, 'no chance for mistakes' interface.