Morris Worm Incident Report #1 (1988) [pdf]

I remember this very well because I'd had JANet/Internet access since 1986 and was using Internet system daily at the time and for a period we had no Internet access. That didn't matter that much because I just couldn't access various Usenet newsgroups and anonymous FTP servers.<p>I remember thinking it was totally awesome.<p>Awesome because it was a demonstration of the power of this individual and what could be done with software and got me thinking seriously about computer security. A year later I opted to stay at university and do a doctorate in computer security.<p>That doctorate brought me into contact with RTM's father who was a terribly decent chap also named Robert. He used to come to the place I was with his wife. The first time I met him I misheard his wife's name as "Alice" (instead of "Anne"). I mistakenly thought that that they were the Alice and Bob in all cryptographic examples.

I was a teenager when this happened. RTM's worm probably started a number of security careers and brought career peak levels of excitement to many of the people involved with analysis. I remember being absolutely astonished that someone writing computer programs could cause such a commotion. Some people must have realized that it was a good thing that awareness was raised. I have a hard time putting much stock in the pretend damage estimates.

Does anyone know what came of this awful cyber terrorist? Given what we wanted to do Aaron Swartz, and what we are going to do to Weev, this guy should be facing capital punishment by comparison.<p><i>Edit: Haha, downvoted already. I'm kidding of course. I am a fan of rtm, and the eponymous worm.</i>

Here are some other writeups:<p>Here's Eugene Spafford's write up: (<a href="http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1701&#38;context=cstech" rel="nofollow">http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1701&...</a>)<p>Page 26<p>&#62; However. at a recent meeting, Professor Rick Rashid of Carnegie-Mellon University was heard to claim that Robert T. Morris, the alleged author of the Wann, had revealed the jingerd bug to system administmtivc staff at eMU well over a year ago.<p>Here's Seely's "Tour of the Worm" (<a href="http://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/seely-RTMworm-89.html" rel="nofollow">http://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/seely-...</a>)<p>&#62; These notes describe how the design of TCP/IP and the 4.2BSD implementation allow users on untrusted and possibly very distant hosts to masquerade as users on trusted hosts. [Robert T. Morris, "A Weakness in the 4.2BSD Unix TCP/IP Software"]<p>Here's Mark W. Eichin's and Jon A. Rochlis' "With Microscope and Tweezers" (<a href="http://www.mit.edu/~eichin/virus/main.html" rel="nofollow">http://www.mit.edu/~eichin/virus/main.html</a>)

I was up late hacking during the night it happened, and was getting really pissed off how slow the system (a Vax 8600) was running, because sendmail was going ape-shit!<p>Anybody else remember when Jordan Hubbard tried to see what happened when he rwall'ed to a wildcard yp net group that included every computer in /etc/hosts? He received a whopping 743 email messages in response to it! "One of the people who received my message was Dennis Perry, the Inspector General of the ARPAnet (in the Pentagon), and he wasn't exactly pleased. (I hear his Interleaf windows got scribbled on)"<p><a href="http://catless.ncl.ac.uk/Risks/4.73.html#subj10.1" rel="nofollow">http://catless.ncl.ac.uk/Risks/4.73.html#subj10.1</a>

I remember at the time reading usenet postings about the worm as it spread, and I got the impression that for a couple of days many people really didn't know what was happening. The response was very improvised. I was an intern at IBM in 88-90, and all gateways between IBM's internal network (VNET at the time) and the internet were cut without warning - even though I doubt that IBM had many VAXes or Sun3s.<p>I'd also read Neuromancer the previous summer and me as a twenty-year-old thought this was all rather exciting...

Immediately after the Morris worm hit, somebody posted a patch to edit the sendmail binary, to keep it from switching into debug mode, and that was to patch the "DEBUG" command by replacing the "D" with a null. It certainly stopped the worm, but at what cost?<p>Well in my usual day-to-day mailing list administration, I telnet'ed to sun.com 25 to validate some email addresses, and pressed return a couple time to clear out the telnet protocol negotiation characters. Then I EXPN'ed an email address, and it dumped out a shitload of debugging information!<p>Turns out that "patch" to sendmail just turned the "DEBUG" command into the "" command, which I had entered by pressing return a few times at the beginning of the session!<p>I reported it to postmaster@sun.com and they closed that particular hole. Lesson: Don't just blindly apply binary patches you see on the net to system programs, without thinking about them first.

I was reading this just last week for fun, can't remember why :)<p>Worm source code: <a href="http://www.foo.be/docs-free/morris-worm/worm/" rel="nofollow">http://www.foo.be/docs-free/morris-worm/worm/</a><p>Mailing list from 1988: <a href="http://securitydigest.org/phage/bythread" rel="nofollow">http://securitydigest.org/phage/bythread</a>

With some elite shell scripts to boot. It's nice to know that if your primary skills in 1988 were UNIX, C, and shell scripting, should you be magically transported 25 years into the future, those same abilities would allow you to feed a family of four in 2013.

How the hell has no-one mentioned Clifford Stoll's "The Cuckoo's Egg" yet? <a href="http://www.amazon.com/dp/1416507787" rel="nofollow">http://www.amazon.com/dp/1416507787</a>

Give it a rest! Why can't some people around here give RTM some slack? It was a long time ago. Time has show RTM to be super smart and successful, but dredging up this one inflammatory incident ever few weeks and posting it ON HIS SITE is just pathetic karma whoring.<p>How about next time we discuss his more amazing accomplishments like the continuation passing framework he developed for ViaWeb, or his efforts at YC, or his work developing and maintaining this very site?

What is this?