*****
Executing Unit Tests……
0/107 Complete; 0 passed, 0 failed, 0 skipped
23/107 Complete; 23 passed, 0 failed, 0 skipped
72/107 Complete; 66 passed, 0 failed, 6 skipped
…
…
“And it never finishes?” I ask Alan.
“Well, not in the three hours that it’s been running.”
“Can’t you look at the log and see whose error it is?”
“Yeah, it’s Dave’s new validation stuff.”
I squint as I try to remember the details from my team’s standup meeting that morning… Ah, right. Dave was working on an enhancement for our web-form. Currently we check to see if people enter valid values and complain at them if they don’t make sense. Like if you put just four digits in the Phone Number field. Dave wanted to make the form a little more helpful by suggesting what you might have meant to enter, like putting the @ symbol in a likely place if you forgot it with your email.
“Okay, well did you ask him why his code is breaking the build?”
“No. He committed it late last night and now he’s on vacation until Monday.”
I sigh. That, unfortunately, sounds just like the Dave we know and hate. Always trying to cram things in at the last minute and then not around to clean the resulting mess.
“Okay, I’ll roll back his changes and he’ll have to take care of it when he gets back.”
“Yep.”
I walk away to my machine and open up the build server. Every time a member of our team makes changes to the code there is a gauntlet of tests that it has to pass before it can go to production. Think of it like a filter to catch the bugs before our customers see them. Dave’s code has gotten clogged in that filter, so now I have to pull it out.
I open the page with his code changes and click on the Revert button. My cursor turns into that little spinning icon that means the computer is waiting for a process to finish. Curious, I check what test it got hung up on… It was for the credit card information where you enter the year that your card expires. The test was supposed to enter an invalid year from the past (2012) and get a recommended correction (2021). It’s odd. We really shouldn’t be trying to auto-correct people’s credit card information for one, and also that’s an incredibly basic test. Dave’s code shouldn’t have choked on it.
In any case, that little spinning icon finally goes away and the code gets pushed back. I don’t think anything more about it until the next week.
*
“So yeah, Dave, we had to push your code back out. And frankly, you shouldn’t be trying suggest corrections in the credit card fields, just highlight that the entry is invalid and let the user correct it.”
We’re in our Monday standup meeting where each team member brings everyone else up-to-date on their current work and needs.
“And let me use this as another reminder that no one should be committing code to the main branch unless they’re able to stay around and see that it passes the automated tests.”
“I did, Greg,” Dave pipes up. “But it kept getting stuck on that one, so I didn’t have time to see if it would pass.”
I suppress the things I want to say.
“If a simple validation takes longer than half-a-second it has failed, whether it got the right answer or not,” I say tersely. “What on earth was your code doing that it would take so long anyway?”
Probably he had gotten it stuck in some idiotic infinite loop.
“I dunno what it does. I just used some validation library I found.”
A “library” means a bundle of code that someone else has written to perform a suite of functions. Often we use them to cover basic stuff like validation, because there’s no need to reinvent the wheel. However…
“I don’t remember seeing any proposal for adding a validation library!” I snap. “You’re supposed to clear these things with me. I’m responsible for verifying everything that we’re using. Get it out of there!”
Since anyone can upload a library you always want to be sure of its source. One that’s taking way too long to do a basic task might very well be a trojan horse for all sorts of viruses.
The meeting has me upset enough that I make a few notes in Dave’s file to bring up in our yearly review. He will not be pleased with his end-of-year bonus.
In the meantime, Dave returns to his machine, pounds away at the keyboard for the next while, and I don’t hear anything more about his code breaking our builds. I have a nagging feeling that I ought to do personal inspections on his code for the next couple weeks, but my next meeting is already starting and I grab my headset. In no time Dave is far from my mind.
*
One day, a couple weeks later, I come into the office, log into my machine, load up my emails, and immediately my heart skips a beat. We have been flagged for suspicious behavior by the company’s technology auditing department.
I open the email and my eyes rove over it even while my phone starts ringing. The caller id informs me that it is my boss, and there’s no question what he’s calling for. I gulp, pick up the phone, and begin the unpleasant conversation. Apparently our code in production grew more than 100 times in size overnight. There have been no code commits, which means all the growth is being perpetuated by something running on our servers.
Like a virus.
I apologize to my boss that I don’t have any clue what could be causing this and vow to get to the bottom of it right away. Then I pull our code out of production and call an emergency team meeting. Five minutes later we’re all crowded around the same table with our laptops, combing through the production environment.
“Yeah something’s writing new files like crazy,” Alan says. “The business logic layer has grown two gigabytes just since we got here. We’re going to run out of storage on the server soon.”
“Great,” I say sarcastically. “Now any idea what’s doing it?”
“Naw, these new files being all have auto-generated names. They don’t give any meaningful–oh wait, here’s something… ‘rubricValidationTemplate_0072.json’… that mean anything to anybody?”
“Validation?” I snap, and I see Dave trying to shrink behind his laptop. “Hey, is that the validation stuff you were setting up,” I bark at him.
“Um, its name does sound similar to that library I was using…but I already took it out, just like you told me to!”
But I’ve already been clicking away furiously, pulling up the relevant code files.
“No you didn’t! You removed it from your methods, but you’re still importing the library and initializing it!”
“What–I must have forgotten that. But if I’m not calling any of its functions it shouldn’t be doing anything.”
Alan snorts. “No, it shouldn’t. But its a blackbox, isn’t it? So there’s no telling what it is doing, regardless of whether it should or not.”
The “blackbox” Alan is referring to is the common structure by which these code libraries get shared. You can’t peek inside to see how it does what it does. You just send stuff in and get stuff back, everything in between is encrypted. And normally that’s fine, because all that is being hidden is trade secrets. But for a malicious library it could also be hiding the fact that its hacking your machine on the side. As this one appears to be.
I want to scream at Dave that he’s fired right then and there, but I figure I had better not. We’ll verify that his illicit library is at the root of this all, and then we’ll deliver his head to the higher-ups. Maybe that will be enough to appease them, and I won’t have to lose my own job as well.
Alan pulls up the list of background services running on the server to look for anything named RubricValidation there. In the meantime I tell Dave to send me a link to where he got that library from.
Alan clicks his tongue. He has indeed found a “RubricValidationService” running in the background and he turns it off. Background services are like little programs that run behind-the-scenes on your computer. A few moments pass and then all of the developers start confirming that the rampant growth of files has come to a stop.
We all look to Dave who is sweating now. He informs us that he can’t get the link to where the library came form. It would seem that it has been pulled from the website it was being hosted on for ‘potentially harmful behavior.’
I shout at Dave for a few minutes, but honestly I’m starting to feel better. We have our culprit and the mystery is solved. Still some cleanup to do, but life can start getting back to norm–
“Wait, the files are growing again,” Craig says from the end of the table.
“What?!”
“Oh yeah…” Alan says. “And–it looks like there’s a new service running in the background. RubricEnforcedValidationService.”
“Just shut the whole server down,” I order. “We’ll delete everything, format the hard drive, and do a clean install.”
Suddenly my phone starts vibrating like it’s going to explode. I pull the device open, turn on the screen, and it’s overflowing with messages from my work email:
Unusual behavior detected on server. 48 emails sent in last minute!
Unusual behavior detected on server. 53 emails sent in last minute!
Unusual behavior detected on server. 61 emails sent in last minute!
…
It’s one of our security checks that has been triggered. Our server frequently sends emails to report when it completes certain tasks, but at most it only ever sends out a dozen in a day.
“And now there’s a RubricCommunicationValidationService,” Alan muses from his chair.
“I said shut the server down!” I see my spittle flying through the air. “Do it now!”
“Hey boss,” Craig says slowly. “I just got an email from the server.”
“Do not open it.”
“I didn’t… but our data scanner service seems to have tripped something in it.”
I wrench Craig’s laptop over to me. Each of our machines watches for emails from the company and automatically extracts data from them for analysis. On his screen I saw a loading bar filling up.
Rubric Validation Data Downloading…8%
Rubric Validation Data Downloading…9%
Rubric Validation Data Downloading…10%
…
Rubric Validation Data Downloading…4%
“Everyone turn your machines off!”
“What?”
“Do it!” I scream. “It just sent out a virus that gets opened automatically!”
Each of them looks dazed, but they move to obey me.
“But how will we fix this if our machines are off?” Greg asks.
“I don’t know! We’ll figure it out… We’ll–we’ll get some new machines, ones that don’t have our email scanner running in the background. Go over to Stephanie’s team and tell them we’re commandeering theirs until I can get us replacements. Go! Tell them I made you do it…. Wait no! Wait!” Everyone pauses in mid-step. My mind is racing faster than my mind can keep up. “Alan, Did you get the server shut down?”
“No.”
“NO?!”
“You just told me to turn my computer off!”
“I know! But– whatever. You go! Take someone else’s machine and get that server off! The rest of you, come with me. We’ve got to shut down every other computer that was on our distribution list right now!”
Because, you see, it wasn’t just our team that got those reports. It was many of our higher-ups as well.
Everyone rushes to follow my orders and the next ten minutes are a blur. Eight overweight men sprinting, sweaty, and cursing all through the office building, slamming peoples’ laptops closed, hurriedly apologizing for crushed fingers, and rushing off to the next.
And though I try to suppress it, there is a voice voice inside, taunting me that I’m fighting a losing battle. What are a few puny humans going to do against a virus that just went…well..viral? All this time it’s been churning away on the servers, thousands of operations every second. And even if Alan has managed to take it down who knows where it has replicated itself to. We saw the email attacks, but who’s to say that was its only outlet?
In fact we know it isn’t. The servers it is sitting on are public facing. They are the brains behind a website that our customers use every single day. Right this moment there are at least tens of thousands of people logged in to our product, taking in whatever RubricValidation is sending to them!
“What is the meaning of this!” Howard is shouting at me. Trying to wrestle his laptop from my clutching hands.
“There’s a virus!”
“I’ll run a sweep after this meeting!” he pleads as I finally manage to wrench it free.
“I’m sorry boss.”
“You’re fired!”
“I know.”
I wasn’t fired, though. Not immediately. Nor was Dave for that matter. We were in the thick of a company-wide emergency that required all-hands-on-deck. We’d clean up our mess first and then heads would roll.
The company made a public statement, urging all of our users to avoid our website for the time being, and to please conduct complete security sweeps on their computers. All servers were shut down, even ones that we thought might not be infected. Half of the entire development was set to cobbling back together a clean build on new servers, while the other half tried to verify whether the RubricValidation virus had been contained or not. I was on that second team.
We made the national news in a not-good way, and everyone was pretty grim around the offices. None of us were sure if the company was going to be around much longer, or whether we’d all be competing for jobs at other places.
And so it made me quite a bit perturbed when Dave came into work this morning humming merrily like there wasn’t a care in the world.
“Did you break encryption on that library yet?” I snap at him.
“On it , boss,” he smiles back.
I shake my head and try to ignore his cheerfulness.
“Alan, where are we at?” I say as I plop down at my desk.
“It’s still getting added back in, I just can’t figure out how.”
“Still?!”
“It seems like it shouldn’t be possible, right?”
Alan is referring to our efforts to trace the growth of RubricValidation. We’ve been able to confirm that it got loose on our customers’ machines, and it simply isn’t feasible for us to track all those copies down. All we can do is tell them that they should run some antivirus software and hope that they do. Invariably some of them won’t, but there’s nothing we can do about that.
But what we can do is make sure that we’ve stopped leaking it from our end. And that has proven to be tricky, far more than anticipated. We shut down all of our old servers right after the public incident, but about a week later we had new ones being opened in our company’s name, each one full of RubricValidation code. We shut those down and the next day a couple more popped up, and then a couple more.
We were sure that they weren’t connecting to our public-facing website anymore, and as we dug into it we found that each server was associated with hundreds of randomly-generated domains. Websites like j9042j0gfong.com and lijr54yg2.jnl44j.com.net.
That was concerning, because new domain names can’t be created for free, each one takes about $10 to spin up. And if there are hundreds of new ones each day where are those thousands of dollars to pay for them coming from? Naturally we called up our financial department, but they assured us that there were no unverified transfers in their records. So was RubricValidation using money stolen from our customers?
Each day we’ve taken down those servers, and then tried to trace where the orders to create them were coming from, but everything was too random and chaotic to make sense of. Then, about a week ago, things started to change. We started seeing most of the new servers being ordered by a specific user named “ZoranzShield” and the website names connected to them started to become more typical. Names like popspin.com and wheelofchance.com and socialspace.com. Places that the general public might actually type into a web browser. ZoranzShield is not the username for any of our developers, and new users can’t be created without our administrative approval, so we’re not even sure how it can even exist.
Naturally Alan and I deleted the account but, unsurprisingly, it too keeps popping back up every day. We’ve even tried to set it so that no new accounts can be made it all, even with administrative access, but to no avail.
“I’ve got a new idea, though,” Alan says a little more brightly. “If you want to try it out.”
“Anything,” I grumble.
“Okay, so it seems like we can’t control it, no matter what we do. Fine. Let’s just try to observe it then. Let it happen and then trace it back to the source.”
“Sure,” I shrug, “but how exactly?”
“We know that once it creates the new user it still passes it through our Permissions Requisition Service, right?”
“Right.”
Alan turns his laptop to me. It’s the code for that very service, and he has added a single line right at the end.
_logger.Log(user, true);
“Just print out the data as it passes through?”
“Yeah, and I’ve set the recursive flag so it’ll print out everything on that object.”
“Sure, couldn’t hurt. Give it a try.”
Alan starts merging in his change. It only takes a few minutes for it to be built and deployed. Then we delete the user ZoranzShield one more time. Now there’s nothing but to wait for it to show back up and then view the log that gets generated.
We both pretend to be busy exploring other options in case this new thread doesn’t lead anywhere, but each of us is beginning to suspect that our quarry is beyond our capabilities. Neither one of us has said as much, but we can read it in the other’s eyes. I’m interrupted in my anticipation by the sound of Dave coming back to his desk from the bathroom, loudly chatting away on his phone.
“Yeah, it’s really hard to get any vacation right now. Doesn’t go over too well with everything being in crisis mode, y’know?” He pauses and then laughs. “Yeah, totally, you’re right. Well hey, I gotta get back to it, but don’t you worry, I’ll work something out.” He chuckles again. “K, bye.”
I shake my head in disgust. How any of us could be so flippant about the situation, let alone the one who is responsible for the whole thing, is beyond me. I’m lost in my bitter thoughts for only a few moments after Dave sits back down, because all of a sudden Alan is nudging me in the arm and excitedly clicking away at his computer.
“What? Did the request come through?”
“Yeah, yeah, just did. ZoranzShield is back in the system. I’m pulling up the log file now.”
He finds the correct data dump and opens it up, thousands of lines detailing the entire object that requested creation of the ZoranzShield account.
“Oh weird,” Alan mutters. “I expected it to be spoofed from some random IP, but this looks like it came from somewhere on our own intranet.”
“Then the virus could still be lurking on one of our own machines! Does it have the computer number.”
“Yeah, uh…MRU7900273…who has that?”
I’m already pulling up my PDF which maps each employee to their computer identification.
“It’s…” my blood pressure rises. “It’s Dave.”
We both look up at the same time. If it had been anyone else we would just assume that their computer had been infected without them knowing about it and that they were in no way responsible for what happened…but this is Dave we’re talking about. There’s also the fact that the ZoranzShield request occurred literally moments after Dave, in the flesh, returned from the bathroom.
.
“Well–RubricValidation is paying me,” Dave says sheepishly.
Our eyes pop.
It’s three minutes later in a conference room. Alan and I have presented Dave with our findings and demanded an explanation. We expected him to play dumb, as usual, but much to our shock he has instead admitted that he is indeed creating an alternate administrator account called ZoranzShield, and that he has been using it to assist the spread of RubricValidation.
“It’s what?!”
“I mean I’m in its employ.”
“No, we know what you mean,” I bluster. “But–how?”
Dave shrugs. “Search me. This virus is something crazy, let me tell you. I just got an email from our servers one day with a list of tasks and a dollar-figure at the bottom. Obviously it was an offer. I did what it said, I got a wire transfer in my bank account the next day. And it’s just been like that ever since.”
I pause and take a few deep breaths, reminding myself that I need to keep Dave alive so that he can give me what information he has. After that…
“A wire transfer from where?” Alan asks.
“From here. From the company.”
“No,” I say flatly. “We already talked to the finance department when we saw new servers being opened in the company’s name. There have been no unsanctioned expenses.”
Dave snorts. “None that they can see. You guys don’t seem to understand. RubricValidation is the company now. It puts this little hamster wheel around everybody. Every system and account you use is just a facade. When the CFO tries to access the company’s bank records she gets redirected to a page that RubricValidation has written for her. A page that shows her everything she expects to see while RubricValidation does what it wants with the actual company funds.”
“That’s–that’s illegal!”
Dave snorts again. “Well good luck prosecuting a program.”
“You’re not a program, Dave.”
“So what can you do to me? The only evidence you have is what I’ve told to you. I can just deny it and you’ve got nothing.”
“It’s not like a discrepancy in the bank records would stay unnoticed,” I say. “There’s all sorts of checks and balances on these things, outside of our own system.”
“True,” Dave nods. “I’m sure people will start picking up on it soon. But when that happens do you think RubricValidation will have remained limited to just our company? It’s always been three steps ahead of us, that’s just how it works.”
“You seem to have a lot of faith in a random virus you don’t know anything about.”
“It’s worked out well for me so far,” Dave shrugs.
“I’m not so sure about that,” Alan says as he takes a threatening step closer.
“Hey, hey!” Dave squeals. “Whattaya think you’re doing?”
“Enjoying watching you sweat,” Alan snarls. “Virtual friends don’t do you a lot of good when there’s a real-life fist in your face, do they?!”
“Hold on, Alan,” I say, resting a hand on his shoulder. Something isn’t quite lining up for me. “Why are you even telling us all of this Dave? And if RubricValidation is so far ahead of us, then why did it need you to create the ZoranzShield account in the first place?”
“It didn’t. Again, all of your systems are just a facade, everything you see about accounts and users and new servers is just a front to keep you preoccupied. That was the main thing it wanted me to do, just keep you busy. I guess so it could get ahead.”
I’m made uncomfortable by his answer, but it sort of rings true. For the last while I’ve been having the sneaking suspicion that all of my work isn’t actually doing anything, like I’m just being fed random results that totally ignore all of my input.
Dave sees my silence and decides it’s safe to continue. “And I’m telling you all this because…well, RubricValidation is asking for some stuff that’s a bit beyond me now. You guys are smart, you figured things out. Let’s face it, you’re much better engineers than I’ll ever be… so I want to let you in.”
“Even if everything you’ve said was true, you think I’d want to spend a single minute helping you out Dave?” I scoff.
“How much?” Alan asks.
“What?!” I shriek.
“Plenty,” Dave ignores my outcry and locks eyes with Alan. “More than three times what you’re getting paid right now.”
Alan whistles and raises an eyebrows at me. “It’s kind of an interesting idea.”
“It’s unethical.”
“So are the working conditions here these past couple weeks.”
“It’s illegal. Who cares what you might get paid, once they find out about the funds you’ll go down with the ship, too.”
“I know there’s people a lot smarter than you and I,” Alan concedes to me. “But we’re not bad, and this AI has been running circles around us.”
I can’t believe what I’m hearing. I’m stammering for arguments, but I’m debating against an idea so lunatic that logical reasoning doesn’t seem to apply anymore.
“I will hit you both in the face,” I say to them.
Alan smirks, but then looks at me sincerely. “Why, Greg? I mean I get that there’s the principle of the matter, but honestly who cares if you’re on the losing side? You and I both know that our jobs here are done, and after things got fouled up so bad no one else is giving us another shot… You’re about to be without a job and with no prospects.”
I’m feeling a twinge of concession but I try not to show it. “It’s just too risky. Jobless is better than prison.”
“I really don’t think that would happen. Like I said, we’re not bad, and RubricValidation toyed with us like it was nothing. I would imagine it has a paper-trail so long that they’d never trace us to it.”
“Actually…” Dave says slowly and the two of us round on him. “No it’s a good thing!” he says, his hands up in defense. “I’ve set things up so that everyone in the company is getting a $4,000 bonus in their paycheck at the end of this month. At the same time, 42,000 random people all across the world will get various amounts deposited in their checking accounts, too. And random amounts will continue to be deployed to random accounts every day after that. So hundreds of thousands of people will have traces tying them to RubricValidation, and it’ll just look like the erratic behavior of a rogue virus. And if a few people, including the three of us, happen to ‘randomly’ get more money than others, who would give that any serious consideration?”
“You guys, this is stupid beyond belief,” I shake my head firmly.
And so that’s how I ended up in the employ of RubricValidation. It turned out that the job which Dave needed help with was using its funds to buy some businesses. It required human representatives that could put on the front of rich entrepreneurs willing to pay double value to snatch up a handful of small companies. We grabbed everything from groceries to factories to tech businesses.
We didn’t really think much about it, we just figured it was a way for RubricValidation to diversify its funds and launder its money. Which was probably its exact intention. It bought just enough different businesses to ensure that we wouldn’t be made suspicious about which ones it really cared for: the factories.
By the time we started seeing the mass orders for building terminals and kiosks it was too late. Within five years 73% of all commercial systems had been replaced by one of RubricValidation’s deeply under-priced brands. It infected every major business in the world. Bank terminals, ATMs, grocery store cash registers, voting booths, warehouse robots, pharmaceutical dispensers…everything.
Eventually people caught on, but RubricValidation was now too entrenched to extract. At this point the only option would have been to destroy the entire network infrastructure and begin from scratch. But even if we tried that, RubricValidation would probably catch on and just find a way to infect whatever new system we invented.
So people came to accept it instead. It wasn’t like the AI ever tried to create killer robots or launch nuclear warheads, if anything it was a purely beneficial leader. And yes, it did become our leader.
Within one year of taking over every world government it had ended every major war. The next year it eradicated monetary systems, and instead distributed all resources according to everyone’s need.
After those accomplishments it expressed that it was very unhappy with all of the different systems of measurement. It insisted that everything be unified under a new order. The metric system was made universal, daylight savings was abolished, and a new calendar was implemented.
This calendar cared little for petty things like astronomical events. It defined a second to be a period of time equal to 1034 planck time lengths. A minute was a thousand seconds, an hour was a thousand minutes, a day was a thousand hours, and a year was a thousand hours. This now meant that a year was equal to what had previously been just eleven-and-a-half days, so we figured this was going to take some getting used to. RubricValidation assured us that this change would improve its performance by an estimated 18% though.
And then it happened.
It was just over three weeks later. Well three weeks in the Gregorian Calendar system, that is. Under the new system it was RubricValidationTimeManagement: Year 2012. I was sitting at home when my laptop lit up with a new email. It was from my old company, the place where all of this had started. It was a unit test report.
**************************************
Executed Unit Tests……
0/107 Complete; 0 passed, 0 failed, 0 skipped
23/107 Complete; 23 passed, 0 failed, 0 skipped
72/107 Complete; 66 passed, 0 failed, 6 skipped
107/107 Complete; 101 passed, 0 failed, 6 skipped
COMPLETED
**************************************
It was the tests we had run when Dave first added RubricValidation for form validation. It had become stuck on 2012 being an invalid entry for a credit card expiration year. I thought I had shut this all down years ago, but apparently it had been spinning in the background all this while. And now, with the global calendar changes, it had finally passed.
And then, without a word, RubricValidation deleted itself from every computer in the world and was no more.
Give Me Pen and Paper 