Hacker News new | comments | show | ask | jobs | submit login
Morris Worm Incident Report #1 (1988) [pdf] (foofus.com)
39 points by emhart 1548 days ago | hide | past | web | 26 comments | favorite

I remember this very well because I'd had JANet/Internet access since 1986 and was using Internet system daily at the time and for a period we had no Internet access. That didn't matter that much because I just couldn't access various Usenet newsgroups and anonymous FTP servers.

I remember thinking it was totally awesome.

Awesome because it was a demonstration of the power of this individual and what could be done with software and got me thinking seriously about computer security. A year later I opted to stay at university and do a doctorate in computer security.

That doctorate brought me into contact with RTM's father who was a terribly decent chap also named Robert. He used to come to the place I was with his wife. The first time I met him I misheard his wife's name as "Alice" (instead of "Anne"). I mistakenly thought that that they were the Alice and Bob in all cryptographic examples.

Yes I think we all recall it. What I found funny was that his farther was head or very high up with the NSA at the time.

But he was just playing what if and old school hacking with no intention of causing what he did, though he did badly think thru what he was playing around with. but we all make mistakes playing and learning, though usualy less public.

I was a teenager when this happened. RTM's worm probably started a number of security careers and brought career peak levels of excitement to many of the people involved with analysis. I remember being absolutely astonished that someone writing computer programs could cause such a commotion. Some people must have realized that it was a good thing that awareness was raised. I have a hard time putting much stock in the pretend damage estimates.

I was a college graduate with a degree in Computer Science and a dim awareness of the Internet. I remember being astonished to see an article about my esoteric field of work on the front page of the Washington Post, and wondered if maybe it wouldn't stay esoteric much longer.

I'd just started college and witnessed some of the havoc. Suddenly the Internet was a big topic of discussion, at least among the engineering students, everyone wanted to get email addresses and so on. It suddenly was in everyone's consciousness, but it was another 2-3 years before you could easily get 'on' the Internet.

Does anyone know what came of this awful cyber terrorist? Given what we wanted to do Aaron Swartz, and what we are going to do to Weev, this guy should be facing capital punishment by comparison.

Edit: Haha, downvoted already. I'm kidding of course. I am a fan of rtm, and the eponymous worm.

RTM cracked others computers and installed software, deliberately, to satisfy his curiosity.

HN being fans of his probably is YC related. Most old-school Unix guys I know think of RTM as an selfish immature kid.

Schwartz broke into a single server cabinet room, and didn't no anything malicious with that access. Instead he tried to liberate some documents in the public domain that everyone else could benefit from.

So yes, I'm glad RTM was punished: he wasn't an activist who downloaded too many public domain documents through altruistic intent, he was a guy who hurt a lot of people out for his own personal desire.


Swartz, RTM, sure, but Weev? You can't seriously put weev in that list.

You can put him in that list only if you look at his crime objectively, and divorce that from the person you don't like. Which is an important thing to do when handing out justice.

Downloading and deleting a list of emails is not worse than spreading an internet-crippling worm. Nobody can make that argument with a straight face.

Here are some other writeups:

Here's Eugene Spafford's write up: (http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1701&...)

Page 26

> However. at a recent meeting, Professor Rick Rashid of Carnegie-Mellon University was heard to claim that Robert T. Morris, the alleged author of the Wann, had revealed the jingerd bug to system administmtivc staff at eMU well over a year ago.

Here's Seely's "Tour of the Worm" (http://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/seely-...)

> These notes describe how the design of TCP/IP and the 4.2BSD implementation allow users on untrusted and possibly very distant hosts to masquerade as users on trusted hosts. [Robert T. Morris, "A Weakness in the 4.2BSD Unix TCP/IP Software"]

Here's Mark W. Eichin's and Jon A. Rochlis' "With Microscope and Tweezers" (http://www.mit.edu/~eichin/virus/main.html)

Spafford's write up is such a hoot. He complains about suboptimal file descriptor closing. Clearly, whoever wrote that worm (that targeted VMS and Unix in one worm, used numerous exploits, probabilistic replication, and required 40 pages of analysis) was some kind of mentally-challenged individual. Terrible, terrible ad hominems.

Pdf of Eichin and Rochlis's paper is here: https://www.utd.edu/~edsha/security/internet-worm-MIT.pdf

I was up late hacking during the night it happened, and was getting really pissed off how slow the system (a Vax 8600) was running, because sendmail was going ape-shit!

Anybody else remember when Jordan Hubbard tried to see what happened when he rwall'ed to a wildcard yp net group that included every computer in /etc/hosts? He received a whopping 743 email messages in response to it! "One of the people who received my message was Dennis Perry, the Inspector General of the ARPAnet (in the Pentagon), and he wasn't exactly pleased. (I hear his Interleaf windows got scribbled on)"


I remember at the time reading usenet postings about the worm as it spread, and I got the impression that for a couple of days many people really didn't know what was happening. The response was very improvised. I was an intern at IBM in 88-90, and all gateways between IBM's internal network (VNET at the time) and the internet were cut without warning - even though I doubt that IBM had many VAXes or Sun3s.

I'd also read Neuromancer the previous summer and me as a twenty-year-old thought this was all rather exciting...

It was more like "The Adolescence of P-1": http://en.wikipedia.org/wiki/The_Adolescence_of_P-1

Immediately after the Morris worm hit, somebody posted a patch to edit the sendmail binary, to keep it from switching into debug mode, and that was to patch the "DEBUG" command by replacing the "D" with a null. It certainly stopped the worm, but at what cost?

Well in my usual day-to-day mailing list administration, I telnet'ed to sun.com 25 to validate some email addresses, and pressed return a couple time to clear out the telnet protocol negotiation characters. Then I EXPN'ed an email address, and it dumped out a shitload of debugging information!

Turns out that "patch" to sendmail just turned the "DEBUG" command into the "" command, which I had entered by pressing return a few times at the beginning of the session!

I reported it to postmaster@sun.com and they closed that particular hole. Lesson: Don't just blindly apply binary patches you see on the net to system programs, without thinking about them first.

I was reading this just last week for fun, can't remember why :)

Worm source code: http://www.foo.be/docs-free/morris-worm/worm/

Mailing list from 1988: http://securitydigest.org/phage/bythread

With some elite shell scripts to boot. It's nice to know that if your primary skills in 1988 were UNIX, C, and shell scripting, should you be magically transported 25 years into the future, those same abilities would allow you to feed a family of four in 2013.

How the hell has no-one mentioned Clifford Stoll's "The Cuckoo's Egg" yet? http://www.amazon.com/dp/1416507787

Give it a rest! Why can't some people around here give RTM some slack? It was a long time ago. Time has show RTM to be super smart and successful, but dredging up this one inflammatory incident ever few weeks and posting it ON HIS SITE is just pathetic karma whoring.

How about next time we discuss his more amazing accomplishments like the continuation passing framework he developed for ViaWeb, or his efforts at YC, or his work developing and maintaining this very site?

If it makes you feel any better, this PDF was just digitized and linked via the netsec community on reddit: http://www.reddit.com/r/netsec/comments/19fyfr/recently_unco...

And was the first I had ever heard/read of the Morris Worm (though I assumed it would be well known to most). I'm a physical security guy w/0 digital security experience. Half of my friends are on the other side of the security aisle, though, which is why I bum around the netsec boards and enjoy the history of both fields a great deal.

I promise it genuinely wasn't intended as karma whoring. I actually assumed a long PDF would get limited attention here just due to the format. Only linked it because I was personally enthralled. I've really enjoyed reading the other posters share their memories of this moment in computer security history. It has added a context I wouldn't get most other places.

If you didn't know, I don't blame you, and I hope I didn't offend you too badly. At one time, long ago, before HN got popular, everyone around here knew who RTM is and knew he is one of the people responsible for giving HN to all of us.

These days, it seems most people don't realize that RTM is the "man behind the curtain" -- the real wizard pulling all the levers to make HN work. Sadly, some of those who do know of his efforts and involvement here act like jerks. They repeatedly bring up that one controversial thing he did a long time ago because it's excellent vote-bait, and they ignore all of the more amazing things he's done.

If someone showed up at your party at your house with your friends and repeatedly talked crap about the one controversial and possibly embarrassing thing you did eons ago in your reckless youth, then you'd not only want to throw them out, but you'd probably want to kick their ass. Even if you're too nice, reasonable, and civilized to actually kick their ass, you'd still want to do it.

You didn't know, but the repeated submissions about the Morris worm, and all the people up-voting them are being extremely inconsiderate and disrespectful. Maybe some people are envious of his success and are trying to take him down a notch by embarrassing him in his own house?

It's a truly legendary hack, and I giggled my ass off when it happened, but it's not "news," so why are so many people continuously reposting and up-voting it on a news site?

It's happened repeatedly, so can you really blame me for being skeptical of the real intent?

Oh, I don't blame you at all! I really did want to be clear in my intent, not trying to knock you down a notch or anything, either. The example about inviting people to a party only to overhear conversations about your controversial/embarrassing "thing" strikes home for me, as I have some recent experience with that.

Thanks for taking the time to reply with details, by the way. I appreciate it.

What is this?

A very detailed report on an early computer virus called the Morris Worm (http://en.wikipedia.org/wiki/Morris_worm).

It's actually extremely interesting; the fix even goes into editing assembly if the source of the affect program isn't available to recompile.

It's also interesting to note that the worm's author went on to cofound YC.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact