Held For Ransom
At first I thought it was my fault. Although this blog is pretty simple technically—text and pictures and essentially no HTML gymnastics that are the mark of a "modern" web site, I am afflicted with a bit of a computer infrastructure. I host this site on my own server, and I had another, older server that I used for random activities. This older server was compromised* by what I must now assume is the same software that this weekend grabbed the headlines by shutting down the British national health system, and a host of other major sites. (Until North Korea launched yet another ballistic missile. They can't even leave the headlines alone.)
I thought the compromise was my fault because I did something unusual on the server a week or so ago. I try to practice safe hex, and what I did was anomalous for me, but not particularly risky. Nonetheless, when I discovered all the server files had been encrypted, I had to assume that I was responsible for opening it to malware. I feel much better now, since the rest of the world is suffering far more than I. (Schadenfreude alights more often than one assumes, although, perhaps, less often than one might hope.) When I saw that all my files had sprouted what appeared to be random expansions that could only be cryptographic, I spent a few minutes looking for the ransom instructions, found them, and shut down the server. What little concern I had that my files had been stolen by the malware evaporated on Friday when I read that this was a world-wide phenomenon and far larger fish than I were involved. I'm just an amoeba or, perhaps, a small colony phytoplankton, in this war.
Did I Say War?
I suppose so. It seems like one, and it will certainly get worse, possibly verging on apocalyptic. But that's not what I'm writing about. When I read what happened (and what is expected to continue tomorrow, Monday), my first realization was that my ransomware attack was only half my fault. How so? My infected server was using unsupported software - Windows Server 2003. But Microsoft could have patched the software had it chosen to do so. They knew of the flaw and fixed it in March for more recent operating system software. They allegedly offered a patch for Windows XP just yesterday, although when I tried to update an XP machine using the normal process there was no evidence of its availability.
Could they have offered a patch for XP and Server 2003? Yes. There was no technical impediment such as lack of awareness of the flaw to their doing so. Could they have predicted the damage caused by the ransomware? Almost certainly the dimensions, although perhaps not the details. I'm sure Microsoft is aware that there are millions of "legacy" computers running these older operating systems.
Should Microsoft Have Offered a Patch?
We now head into the imponderable realm where philosophy, law, duty, and greed intersect. I'm not comfortable in that realm. I'm blessed and cursed with the unfortunate ability to see problems from multiple sides, and taking Microsoft's side briefly, they could (and no doubt will in the coming days) argue that if they had to continue support, it would affect their competitiveness and morale. They would have to open a dungeon to incentivize the poor programmers to continue work on Windows 98 and NT. They will argue, correctly, that everyone running this software is well aware that it is obsolete and unsupported. On the other hand, they will be chuckling to each other about how many millions of software upgrades will be sold in the next few days, and watching anxiously as their stock price equilibrates between the extra sales and the "reputational cost" and almost inevitable government investigation.
PRE-UPDATE: Microsoft Closing Stock Price For the Coming Week
|Last Week's Close||Monday||Tuesday||Wednesday||Thursday||Friday|
Is the table already filled in? You're not keeping up with the RIKLblog! You may have missed a timely review of the Samsung S8+ and DeX dock and possibly another banana-related item.
It will take a more sophisticated ethicist than I to explore the ramifications of this episode. Just as with terrorism, of which this computer attack is an example, there will be plenty of consensus that something must be done and little idea of what or how. Is it any wonder that I stick to (sometimes literally) pastry and, occasionally, bananas?
POST-UPDATE: One week later, it looks like the commotion has subsided and we're on to new depredations by terrorists, politicians, and other forces for evil in society. Microsoft stock suffered neither boon nor bust, and life goes on.