
Morris Worm Incident Report #1 (1988) [pdf] - emhart
http://foofus.com/amuse/public/Morris_Worm_Incident_Report_1.pdf
======
jgrahamc
I remember this very well because I'd had JANet/Internet access since 1986 and
was using Internet systems daily at the time and for a period we had no
Internet access. That didn't matter that much because I just couldn't access
various Usenet newsgroups and anonymous FTP servers.

I remember thinking it was totally awesome.

Awesome because it was a demonstration of the power of this individual and
what could be done with software and got me thinking seriously about computer
security. A year later I opted to stay at university and do a doctorate in
computer security.

That doctorate brought me into contact with RTM's father who was a terribly
decent chap also named Robert. He used to come to the place I was with his
wife. The first time I met him I misheard his wife's name as "Alice" (instead
of "Anne"). I mistakenly thought that they were the Alice and Bob in all
cryptographic examples.

~~~
Zenst
Yes I think we all recall it. What I found funny was that his father was head
or very high up with the NSA at the time.

But he was just playing what if and old school hacking with no intention of
causing what he did, though he did badly think thru what he was playing around
with. But we all make mistakes playing and learning, though usually less
public.

------
alayne
I was a teenager when this happened. RTM's worm probably started a number of
security careers and brought career peak levels of excitement to many of the
people involved with analysis. I remember being absolutely astonished that
someone writing computer programs could cause such a commotion. Some people
must have realized that it was a good thing that awareness was raised. I have
a hard time putting much stock in the pretend damage estimates.

~~~
brianberns
I was a college graduate with a degree in Computer Science and a dim awareness
of the Internet. I remember being astonished to see an article about my
esoteric field of work on the front page of the Washington Post, and wondered
if maybe it wouldn't stay esoteric much longer.

~~~
flomo
I'd just started college and witnessed some of the havoc. Suddenly the
Internet was a big topic of discussion, at least among the engineering
students, everyone wanted to get email addresses and so on. It suddenly was in
everyone's consciousness, but it was another 2-3 years before you could easily
get 'on' the Internet.

------
lawnchair_larry
Does anyone know what came of this awful cyber terrorist? Given what we wanted
to do to Aaron Swartz, and what we are going to do to Weev, this guy should be
facing capital punishment by comparison.

 _Edit: Haha, downvoted already. I'm kidding of course. I am a fan of rtm, and
the eponymous worm._

~~~
DanBC
<http://news.ycombinator.com/item?id=5078424>

Swartz, RTM, sure, but Weev? You can't seriously put weev in that list.

~~~
lawnchair_larry
You can put him in that list only if you look at his crime objectively, and
divorce that from the person you don't like. Which is an important thing to do
when handing out justice.

Downloading and deleting a list of emails is not worse than spreading an
internet-crippling worm. Nobody can make that argument with a straight face.

------
DanBC
Here are some other writeups:

Here's Eugene Spafford's write up:
(<http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1701&context=cstech>)

Page 26

> However, at a recent meeting, Professor Rick Rashid of Carnegie-Mellon
> University was heard to claim that Robert T. Morris, the alleged author of
> the Worm, had revealed the fingerd bug to system administrative staff at CMU
> well over a year ago.

Here's Seely's "Tour of the Worm"
(<http://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/seely-RTMworm-89.html>)

> These notes describe how the design of TCP/IP and the 4.2BSD implementation
> allow users on untrusted and possibly very distant hosts to masquerade as
> users on trusted hosts. [Robert T. Morris, "A Weakness in the 4.2BSD Unix
> TCP/IP Software"]

Here's Mark W. Eichin's and Jon A. Rochlis' "With Microscope and Tweezers"
(<http://www.mit.edu/~eichin/virus/main.html>)

~~~
alayne
Spafford's write up is such a hoot. He complains about suboptimal file
descriptor closing. Clearly, whoever wrote that worm (that targeted VMS and
Unix in one worm, used numerous exploits, probabilistic replication, and
required 40 pages of analysis) was some kind of mentally-challenged
individual. Terrible, terrible ad hominems.

------
SimHacker
I was up late hacking during the night it happened, and was getting really
pissed off how slow the system (a Vax 8600) was running, because sendmail was
going ape-shit!

Anybody else remember when Jordan Hubbard tried to see what happened when he
rwall'ed to a wildcard yp net group that included every computer in
/etc/hosts? He received a whopping 743 email messages in response to it! "One
of the people who received my message was Dennis Perry, the Inspector General
of the ARPAnet (in the Pentagon), and he wasn't exactly pleased. (I hear his
Interleaf windows got scribbled on)"

<http://catless.ncl.ac.uk/Risks/4.73.html#subj10.1>

------
andyjohnson0
I remember at the time reading usenet postings about the worm as it spread,
and I got the impression that for a couple of days many people really didn't
know what was happening. The response was very improvised. I was an intern at
IBM in 88-90, and all gateways between IBM's internal network (VNET at the
time) and the internet were cut without warning - even though I doubt that IBM
had many VAXes or Sun3s.

I'd also read Neuromancer the previous summer and me as a twenty-year-old
thought this was all rather exciting...

~~~
SimHacker
It was more like "The Adolescence of P-1":
<http://en.wikipedia.org/wiki/The_Adolescence_of_P-1>

------
SimHacker
Immediately after the Morris worm hit, somebody posted a patch to edit the
sendmail binary, to keep it from switching into debug mode, and that was to
patch the "DEBUG" command by replacing the "D" with a null. It certainly
stopped the worm, but at what cost?

Well in my usual day-to-day mailing list administration, I telnet'ed to
sun.com 25 to validate some email addresses, and pressed return a couple of times
to clear out the telnet protocol negotiation characters. Then I EXPN'ed an
email address, and it dumped out a shitload of debugging information!

Turns out that "patch" to sendmail just turned the "DEBUG" command into the ""
command, which I had entered by pressing return a few times at the beginning
of the session!

I reported it to postmaster@sun.com and they closed that particular hole.
Lesson: Don't just blindly apply binary patches you see on the net to system
programs, without thinking about them first.
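
The failure mode described in the comment above, as an added example that is not part of the original post and not sendmail's source: a simplified, hypothetical command table (the names `dispatch`, `build_table` and the enum values are assumptions) shows why nulling the first byte of "DEBUG" makes an empty input line match that entry, while disabling the handler does not.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified, hypothetical model of an SMTP command table; not sendmail's source. */
enum cmd_code { CMD_ERROR, CMD_HELO, CMD_EXPN, CMD_DEBUG };
struct cmd { char name[8]; enum cmd_code code; };
enum patch { UNPATCHED, NULL_FIRST_BYTE, HANDLER_DISABLED };

/* Build the table, then apply the chosen "fix" to the DEBUG entry. */
static void build_table(struct cmd tab[3], enum patch p)
{
    static const struct cmd stock[3] = {
        { "HELO", CMD_HELO }, { "EXPN", CMD_EXPN }, { "DEBUG", CMD_DEBUG } };
    memcpy(tab, stock, sizeof stock);
    if (p == NULL_FIRST_BYTE)
        tab[2].name[0] = '\0';      /* the binary patch: "DEBUG" becomes "" */
    else if (p == HANDLER_DISABLED)
        tab[2].code = CMD_ERROR;    /* name still matches, but maps to an error */
}

/* Return the command code for the first word of one SMTP input line. */
enum cmd_code dispatch(enum patch p, const char *line)
{
    struct cmd tab[3];
    char word[8];
    size_t len = strcspn(line, " \r\n");

    if (len >= sizeof word)
        return CMD_ERROR;
    memcpy(word, line, len);
    word[len] = '\0';               /* a bare return yields the empty word "" */
    build_table(tab, p);
    for (size_t i = 0; i < 3; i++)
        if (strcasecmp(tab[i].name, word) == 0)
            return tab[i].code;
    return CMD_ERROR;
}

int main(void)
{
    /* Constructed sample input lines. */
    const char *lines[] = { "DEBUG\r\n", "\r\n", "EXPN postmaster\r\n" };
    for (int p = UNPATCHED; p <= HANDLER_DISABLED; p++)
        for (int i = 0; i < 3; i++)
            printf("patch=%d line=%d -> code=%d\n", p, i,
                   dispatch((enum patch)p, lines[i]));
    return 0;
}
```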

------
paracyst
I was reading this just last week for fun, can't remember why :)

Worm source code: <http://www.foo.be/docs-free/morris-worm/worm/>

Mailing list from 1988: <http://securitydigest.org/phage/bythread>

------
sabalaba
With some elite shell scripts to boot. It's nice to know that if your primary
skills in 1988 were UNIX, C, and shell scripting, should you be magically
transported 25 years into the future, those same abilities would allow you to
feed a family of four in 2013.

------
lotsofcows
How the hell has no-one mentioned Clifford Stoll's "The Cuckoo's Egg" yet?
<http://www.amazon.com/dp/1416507787>

------
jcr
Give it a rest! Why can't some people around here give RTM some slack? It was
a long time ago. Time has shown RTM to be super smart and successful, but
dredging up this one inflammatory incident every few weeks and posting it ON
HIS SITE is just pathetic karma whoring.

How about next time we discuss his more amazing accomplishments like the
continuation passing framework he developed for ViaWeb, or his efforts at YC,
or his work developing and maintaining this very site?

~~~
emhart
If it makes you feel any better, this PDF was just digitized and linked via
the netsec community on reddit:
<http://www.reddit.com/r/netsec/comments/19fyfr/recently_uncovered_in_a_dusty_file_cabinet_in_my/>

And was the first I had ever heard/read of the Morris Worm (though I assumed
it would be well known to most). I'm a physical security guy w/0 digital
security experience. Half of my friends are on the other side of the security
aisle, though, which is why I bum around the netsec boards and enjoy the
history of both fields a great deal.

I promise it genuinely wasn't intended as karma whoring. I actually assumed a
long PDF would get limited attention here just due to the format. Only linked
it because I was personally enthralled. I've really enjoyed reading the other
posters share their memories of this moment in computer security history. It
has added a context I wouldn't get most other places.

~~~
jcr
If you didn't know, I don't blame you, and I hope I didn't offend you too
badly. At one time, long ago, before HN got popular, everyone around here knew
who RTM is and knew he is one of the people responsible for giving HN to all
of us.

These days, it seems most people don't realize that RTM is the "man behind the
curtain" -- the real wizard pulling all the levers to make HN work. Sadly,
some of those who do know of his efforts and involvement here act like jerks.
They repeatedly bring up that one controversial thing he did a long time ago
because it's excellent vote-bait, and they ignore all of the more amazing
things he's done.

If someone showed up at your party at your house with your friends and
repeatedly talked crap about the one controversial and possibly embarrassing
thing you did eons ago in your reckless youth, then you'd not only want to
throw them out, but you'd probably want to kick their ass. Even if you're too
nice, reasonable, and civilized to actually kick their ass, you'd still want
to do it.

You didn't know, but the repeated submissions about the Morris worm, and all
the people up-voting them are being extremely inconsiderate and disrespectful.
Maybe some people are envious of his success and are trying to take him down a
notch by embarrassing him in his own house?

It's a truly legendary hack, and I giggled my ass off when it happened, but
it's not "news," so why are so many people continuously reposting and
up-voting it on a news site?

It's happened repeatedly, so can you really blame me for being skeptical of
the real intent?

~~~
emhart
Oh, I don't blame you at all! I really did want to be clear in my intent, not
trying to knock you down a notch or anything, either. The example about
inviting people to a party only to overhear conversations about your
controversial/embarrassing "thing" strikes home for me, as I have some recent
experience with that.

Thanks for taking the time to reply with details, by the way. I appreciate it.

------
elijahmurray
What is this?

~~~
pkill17
A very detailed report on an early computer virus called the Morris Worm
(<http://en.wikipedia.org/wiki/Morris_worm>).

It's actually extremely interesting; the fix even goes into editing assembly
if the source of the affected program isn't available to recompile.

~~~
dsrguru
It's also interesting to note that the worm's author went on to cofound YC.

