

25 years ago this week, the Morris Worm brought the Internet to its knees - binarybits
http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/01/how-a-grad-student-trying-to-build-the-first-botnet-brought-the-internet-to-its-knees/?hn

======
ChuckMcM
Also, like a toddler, the Internet's knees were closer to the ground than they
are today :-)

I was at Sun at the time and it was an interesting story but you could have
completely disconnected Sun from the "internet" (which was being serviced at
the time by a single T-1 line, 1.544Mbps baby!) for two or three days and it
wouldn't have been the end of the world, and it would not have cut into sales.
Due to some better configuration defaults, the impact of the worm on Sun was
minimal.

~~~
gonzo
At the time of the Morris worm, there was a single T1 line running across the
bay (between Mt. View and Milpitas.) The line to sun-arpa was a 56k link.

The only real 'protection' was that ip_forwarding was set to 0.

~~~
ChuckMcM
Wow, I never realized it went to Milpitas, for some reason I was thinking it
connected back into or Stanford and was routed out from there.

~~~
gonzo
nope. The T1 (to the Internet) came in when we connected to BARRnet.

SWAN got T1s (Dallas, D.C., Boston) about the same time.

Then RMTC came on-line with a T1, and Denver-Dallas, and Chicago-Dallas got
T1s. Then the SWAN 'ring' got a pair of T1s. The cross-bay link went to a DS3.
Lots of offices got upgraded to 10BaseT in the form of AT&T's "starnet"
offering.

I left after that.

------
corin_
_"We didn't believe that Morris intended to cause harm or damage," Rasch
says. In his view, Morris was "motivated mainly by curiosity and by a desire
to show that he could do it."

On the other hand, the Justice Department worried that "if the government
treated this as a misdemeanor, a trivial offense, that others would go out and
do it," Rasch said. "You had conduct that was planned, premeditated, that was
deliberate, over periods of months, that caused massive disruption and expense
to a wide number of different individuals." That required a response, the
government believed.

So Morris was charged with a single felony count. Rasch says Morris could have
been charged with a separate felony for each of the thousands of computers the
worm infected. But the lawyer and his colleagues believed that would be
overkill. "I don't believe that you over-prosecute someone to send a message,"
Rasch says. "I don't believe in the head-on-a-stake theory of prosecution."_

----

Is that not a contradiction, he seems to be saying that they chose felony over
misdemeanor not because of him but to set an example, then goes on to say that
they don't do that sort of thing?

~~~
samatman
There is a subtle distinction between making an example and setting a
precedent. It is crucial here. By prosecuting as a felony, they set legal
precedent. By making it a single felony, they showed leniency to the offense
in question.

------
azov
I like how they spin it in Robert Morris's profile on the YC page: "_In 1988
his discovery of buffer overflow first brought the Internet to the attention
of the general public._"
([http://ycombinator.com/people.html](http://ycombinator.com/people.html))

~~~
tptacek
Hijacking the thread a little: one of the weird timeline things I'm a little
obsessed with is the gap between the Morris Worm and the first "modern" stack
overflow.

As near as I can tell, Thomas Lopatic kicked off the era of modern memory
corruption exploits in February 1995 with his HPUX NCSA httpd overflow. That
was followed shortly by 8lgm's Sendmail 8.6.12 syslog() stack overflow, which
8lgm created a small mania about by explaining roughly how the bug worked but
not publishing the exploit, which meant every amateur vulnerability researcher
at the time (myself included) spent a couple weeks figuring it out for
ourselves.

1988 to 1995 is a long time! During that period, near as I can tell, nobody
published or even referenced a modern memory corruption flaw ("modern" meaning
"allowed you to upload code into a remote system"; there were overflows prior
to 1995, but they worked by overwriting variables in memory to alter program
logic). Why did Morris have this technique back in 1988? (Besides the obvious
reason). Why did nobody extend the work between '88 and '95? The whole
Internet was vulnerable to this bug! And that timeframe was the hacker
renaissance; it corresponds to the Sun Devil raids and the LoD/MoD war.

~~~
makerops
I have read about LoD/MoD, 8lgm, etc. It seemed that low hanging fruit was
probably the reasoning right? I mean, there were probably so many systems you
could access through stupid bugs, that delving deep into SO wasn't necessary?

~~~
tptacek
Maybe. But there was low-hanging fruit well into the late '90s (and remember
that SQL Injection, the "ultimate" low-hanging fruit, is also a late '90s bug)
--- but after the 8lgm stack overflow mania, there was a decisive shift
towards using memory corruption to take over machines directly, rather than
(say) overwriting strategic files on target systems with NFS bugs.

~~~
makerops
Very True. Smashing the stack for fun and profit? That was the first
interaction I had with more advanced techniques anyways. I read it as a
soph/freshman in HS (97 or so I think)? Timing seems to be close. That could
account for the explosion at least; I don't have any theories on the "dead"
period.

~~~
tptacek
I'm happy to give Elias credit for a big part of the shift, but the reality is
that the first x86 exploit was published well before that Phrack article, and
people quickly repurposed it. (I'm a little biased here, since the author of
that exploit is a partner of mine).

The vulnerability research community in 1995 was very close-knit (not tiny,
but you could fit them in a hotel banquet hall for Summercon), and they worked
pretty quickly to educate each other about the attack.

~~~
hect0r
Interesting. Who published it prior to Aleph One?

------
m0nastic
For what it's worth, the prosecutor in this case (Mark) is the former coworker
who I've mentioned on here a few times as having prosecuted the FBI case
against my dad (small world).

It is a little disconcerting to wonder that if the same case happened today,
would it result in a katamari of charges meant to steamroll RTM?

------
makerops
If you are interested in this type of stuff, this is a good, free book:

[http://www.gutenberg.org/ebooks/4686](http://www.gutenberg.org/ebooks/4686)

"Underground: Hacking, madness and obsession on the electronic frontier"

~~~
endgame
There's a good section on the Morris worm at the back of "The Cuckoo's Egg",
too.

~~~
mindcrime
Also in "Cyberpunk: Outlaws And Hackers On The Computer Frontier"[1]

[1]: [http://www.amazon.com/CYBERPUNK-Outlaws-Hackers-Computer-Frontier/dp/0684818620](http://www.amazon.com/CYBERPUNK-Outlaws-Hackers-Computer-Frontier/dp/0684818620)

------
jere
Definitely an interesting story. One connection I never made before was that
1) the worm gave computer security a shot in the arm and 2) Morris's father
was a computer security expert. I'm sure it's completely unrelated, but an
interesting coincidence.

[http://en.wikipedia.org/wiki/Robert_Morris_(cryptographer)](http://en.wikipedia.org/wiki/Robert_Morris_\(cryptographer\))

~~~
jpmattia
> _I'm sure it's completely unrelated_

I'm less sure. Does RTM frequent these boards?

His father authored the relevant unix manual IIRC (they used to be a bunch of
binders above a unix hacker's desk usually shipped from whoever sold you the
system.) I also had in my head that his father was the likely source of the
wizard password backdoor in sendmail.

Anyway, would love to know for sure.

~~~
mindcrime
_Does RTM frequent these boards?_

Assuming this is the real rtm, then he has an account, but he doesn't comment
very often.

[https://news.ycombinator.com/threads?id=rtm](https://news.ycombinator.com/threads?id=rtm)

------
NAFV_P
_Curiosity killed the code-monkey_

Sorry I had to have a peek, I think this is where you can find the source code
for the worm:

[http://ftp.cerias.purdue.edu/pub/doc/morris_worm/](http://ftp.cerias.purdue.edu/pub/doc/morris_worm/)

The first thing I noticed is it's written in K&R C, the ANSI standard came a
year later.

------
DanBC
The RTM worm had a 350 word dictionary. I wonder how much damage could be done
with the same 350 word dictionary today?

There's an analysis that got posted to HN here
[https://news.ycombinator.com/item?id=5302924](https://news.ycombinator.com/item?id=5302924)

------
ProAm
Is this the same Paul Graham or just a coincidence?

~~~
binarybits
The same. I mention YC at the end.

~~~
ProAm
Yeah I tried to delete the comment, I posted only halfway through. It was a
good read.

------
Jare
I remember as a freshman in college, only armed with my knowledge of game
programming in Z80/M68K assembly (no idea of Unix or internet beyond Usenet),
finding out about this shortly after it happened, printing everything I could
about it, and reading these pages over and over as if it was the most amazing
technothriller ever written. Files that still exist after you delete them?
Executable content in email headers?

It's probably the single most fascinating event in my personal history with
computers.

------
msh
Is this why HN is unstable, somebody is trying to take revenge on the 25th
anniversary. ;)

~~~
matznerd
Remember, remember, the second of November...

------
codezero
I really miss finger. It was quite a novelty.

~~~
ChuckMcM
Actually true story, my future mother-in-law called me because she could not
reach her daughter on the phone (no cell phones then) and knew we "somehow"
knew what each other was up to.

So I'm holding the phone to my ear and I can see she is logged in to the
system and I say "Oh I see her, I'll just finger her to see if she is awake."

I am pretty sure the next sound I heard on the telephone resulted from it
being dropped from standing height and having the handset bounce on the floor.
It was my first experience with the less than desirable consequences of
re-using English words to describe network interactions.

~~~
codezero
This is great! Obviously if it had a different, whizbang name, it may have
caught on, right? :)

------
read
_The worm could have been much more virulent had the author been more
experienced or less rushed in his coding_

It's a common misconception things go viral due to some sort of premeditative
planning "over a period of months". New ideas start fledgling, because that's
what it means for ideas to be new. They don't have concrete form in the
beginning. Even the person having them can't tell what they can lead to.

Rushing the worm was crucial in making it work. It was more important to see
if it had any chance of working. It couldn't have happened had Morris not been
rushed, opening doors to a new research field and medium to the general
public.

Who could have simulated that?

------
mindcrime
Interesting that the main character in the movie _Hackers_ - Dade Murphy -
may well have been inspired, at least in part, on the Morris Worm story. I've
never heard any official commentary to this effect, but it seems plausible.

 _The defendant, Dade Murphy, who calls himself "Zero Cool", has repeatedly
committed criminal acts of a malicious nature. This defendant possesses a
superior intelligence, which he uses to a destructive and antisocial end. His
computer virus crashed one thousand five hundred and seven computer systems,
including Wall Street trading systems, single handedly causing a seven point
drop in the New York Stock Market_

------
jmervin
25 years, no way!

The SUN workstation-wielding guy in the lab next door to me got hit by this,
though we were unscathed. Periodically you could hear him yelling through the
wall.

Amusingly (in hindsight), I had recently cleaned up a bunch of virus-choked
PCs in some student labs and because of this fell under departmental suspicion
(very briefly) of having something to do with these new problems. From then on
I left such thankless scut work to someone else.

Another interesting -though brief- account appears in the epilogue of Cliff
Stoll's "Cuckoo's Egg" (itself a classic tale from the early Internet days).

------
andyjohnson0
I was an intern at IBM at the time, at a site that was fortunate to have
internet access. I remember people being annoyed because the security people
severed all internet gateways.

A good technical article is "With Microscope and Tweezers: An Analysis of the
Internet Virus of November 1988" [1] which was published soon after.

[1]
[http://www.mit.edu/people/eichin/virus/main.html](http://www.mit.edu/people/eichin/virus/main.html)

------
kfcm
Where have the years gone?

All I'll say is, I was "there" (meaning affected).

It was also amusing watching the news reports at the time. I remember one of
the nightly "world news" shows (ABC, iirc) having it right up front and the
anchor and reporter trudging their way through the story, trying to explain
this "Internet" thing.

------
pvnick
Having been born the same year as this worm's release, I love reading about
these moments in internet history. When I read that Paul Graham and Morris
later went on to found Y-Combinator (why didn't I know that already?) I was so
excited I shouted at my computer.

~~~
jpmattia
I remember shouting at my computer 25 years ago, as someone who had to clean
up. Glad to hear he went on to good things though.

------
jacobkg
It's probably worth mentioning that Morris is now a mild mannered (and
talented) MIT professor in the Computer Science department. The word on the
street was that he did _not_ want to talk about this chapter of his life.

------
baudehlo
And many years later we had email viruses bringing the internet to its knees,
notably the LoveBug virus which we were the first to stop at MessageLabs.

Now it's all just DDoS. Far scarier, and a lot less fun.

------
michaelstewart
Interesting how the journalist's name is Timothy B. Lee.

~~~
AceJohnny2
Why is that? EDIT: derp, I never made the association with Tim Berners Lee
before...

I recognize his name from Ars Technica, where he contributed, in my eyes, to
the high value of the news site by writing about tech policy.

[http://arstechnica.com/author/timothy-b-lee/](http://arstechnica.com/author/timothy-b-lee/)

~~~
binarybits
Thanks!

------
mappum
Does this mean YC will start accepting malicious startups? Something like a
marketplace for 0days?

------
xpop2027
Great read

------
amerika_blog
I agree he deserves a pardon. A lot of law and public acts seem to be
"signaling," e.g. it's OK to do this and not-OK to do that. Temporarily coming
down hard on someone to signal that people should NOT do what he did is OK; it
makes equal sense, once the threat has passed (and that specific one has been
replaced by new threats), to pardon the person and recognize they were made an
example of -- for good reason at the time, but no longer.

Contrast this to what they wanted to do to the hackers in the Slatalla/Quittner
book.

