The Morris Worm

    Robert Tappan Morris, the son of Bell Labs researcher and National Security Agency (NSA) computer specialist and cryptographer Robert ‘Bob’ Morris, was born in November of 1965 in rural New Jersey.  Bob and his wife Anne were pragmatists, growing their own food when it became expensive, preferring to use hand-me-down appliances and repair them instead of purchasing new ones, and accepting television into the living room after determining their then six year-old daughter to be “mass-culture ‘illiterate’” (Hafner & Markoff, 1995, p.272). Young Robert read voraciously, finishing the complete Lord of the Rings trilogy in third grade, and distinguished himself in school: a slump in grades correctly attributed to boredom was remedied by having him skip fifth grade entirely.  Robert continued to excel academically, and soon became interested in his father’s line of work, especially what we might now term ‘systems security.’ As a teenager, his study of the Unix operating system lead him to uncover a flaw that allowed privileged access to one machine to provide privileged access to any networked machine.  After exploring a little, he told the Bell scientists about his discovery and they fixed the vulnerability.

Robert attended Harvard University, where he majored in Computer Science, but spent much more time working on projects of his own, and developing his Unix knowledge than he did on his school work.  During his time at Harvard, Robert earned a reputation. Beyond being known as one of the few people that seemed to actually enjoy reading Unix operating manuals, Robert was known as a something of a prankster.  One April fool’s day Robert modified the network login such that it appeared to users that the Harvard network had reverted to an antiquated version of its operating system. On another occasion, after noticing how often people mistyped ‘mail’ as ‘mial’, he wrote some code to launch a game when ‘mial’ was typed, instead of the expected response of ‘no such program’ (Hafner & Markoff, 1995).

Jumping ahead to 1988, Bob had moved from Bell labs to direct the NSA’s National Computer Security Center, and Robert was just beginning his graduate studies at Cornell University.  At Cornell, Robert continued to pour over the Unix manuals and source code, discovering several new bugs. He was particularly excited about a bug in the ftp program which allowed arbitrary files to be read or written on a remote machine.  At the same time, the notion of viruses was entering the public sphere; the September 26th, 1988 edition of Time was devoted to the idea (Mello, 1993, p.262).  In this atmosphere, and given the bug he’d found in ftp, as well as bugs in fingerd, rexecd and sendmail, Robert began writing what was to become one of the most famous programs in the history of computing, what would later be termed the ‘Morris Worm’.  It should be noted, as was pointed out by many experts at the time, that though Robert and his friends referred to his program as a virus, and though it was also commonly referred to as such in the media, it was in fact a worm (Seeley, 1988).

On the evening of November 2nd, Robert finished modifying his program, remotely accessed a machine at the MIT Artificial Intelligence Laboratory, and from it executed his program.  Through a combination of poor choices regarding reinfection rates and the presence of bugs, the worm spread much faster than he seems to have anticipated (Spafford 1988) (Santoro et al. 1989).   By late that night, Robert was aware he had done something serious, and contacted his closest friends back at Harvard. Robert gave them instructions on how to stop the worm, but these needed to be transmitted using the Internet, which was by this point too bogged down to get the information to the right people (Hafner & Markoff, 1995, p.304).  By the morning of the 3rd, the Internet community was reeling. Initially, 6,000 hosts are thought to have been infected, though this number appears to have little validity beyond a wild guess (Graham 2018). A later estimate based on a survey of computer centers conducted by a Harvard researcher found that between 1,000 and 3,000 computers were likely infected (US GAO, 1989).

Over the next two days, experts across the country worked to decompile and reverse engineer the code, eventually uncovering the vulnerabilities that the program exploited, and releasing patches to address them.  The Defense Department was particularly worried that the program contained some kind of destructive capacity - such as file deletion - and the discovery of a timed portion of code sent the reverse-engineers into a frenzy until it was determined that there was in fact no portion of the program that modified files on infected hosts beyond what the program needed to propagate itself (Hafner & Markoff, 1995, p.309).

When the dust settled, the US General Accounting Office - which was commissioned by Congress to investigate the impact of the event - estimated that the worm caused dollar losses between $100,000 and $10 million.  However the amount of time the report devotes to covering costs is relatively small compared to the amount of time it spends speculating on the implications of the incident: the real impact. As the first Internet-wide security event, it plainly revealed the dangers of the ad-hoc way the network was managed, and the dangers inherent to its decentralized nature.  These problems principally manifested themselves in the lack of a central command structure for dealing with network-wide problems, and the related difficulty of distributing critical information like patches (US GAO, 1989). Writing less than a month after the incident, and after having studied the response and the program itself, Eugene Spafford of Purdue University went out of his way to underscore how the decentralized nature of the the Internet, and the open nature of both it and Unix aided the spread of the worm while at the same time allowing it to be defeated fairly quickly (Spafford 1988).

By the morning of November 5th, the New York Times had determined Robert to be the author of the worm, and ran an article titled Author of Computer ‘Virus’ Is Son Of N.S.A. Expert on Data Security.  The night before, Robert had travelled home to meet with his parents and pursue legal advice.  Within days, Robert had legal representation, but it would be three years before he a would be sentenced and lose his appeal.  Having been found guilty on one felony count of violating the Computer Fraud and Abuse Act (CFAA), Robert was fined $10,000, and sentenced to three years probation and 400 hours of community service.

The case was far from trivial however, as it was the first jury test of the CFAA which had only been enacted in its then current form in 1986.  Resoundingly, the case demonstrated that for a successful CFAA prosecution it was not necessary to show that a defendant intended to cause damage, or mens rea (Mello, 1993, p.270).  The case was also widely considered to have brought to light a schism in the Computer Science and Internet communities.  It was thought that one camp saw Robert’s action - though perhaps somewhat botched - as having been generally positive for the community by driving home the importance of security.  Bob Morris, for example, had been writing and giving talks for years trying to draw attention to what was perceived by some as a potentially catastrophic lack of interest in security.  Among those who in some way lent their support to Robert during the trial were Ken Thompson, Fred Grampp, Doug McIlroy and Jim Reeds, all of Unix fame (Hafner & Markoff, 1995, p.336).

The supposed alternative camp consisted of people who saw Robert’s actions as inherently criminal and dangerous.  Some thought that he should serve some jail time, at least in part to dissuade others from similar acts. A false, but widely cited remark typifies this position, and the degree to which the division in the community was blown out of proportion.  Purdue’s Spafford - who after the worm’s release became an ethicist and toured the US lecturing on computer security and ethics - was misrepresented in an Association for Computing Machinery (ACM) article as having said that any technology firm that hired Robert should be boycotted (Hafner & Markoff, 1995, p.346) (Spafford, 1991).  As a member of the Computer Science community, this stood in stark contrast to the much more moderate line being taken by the likes of Thompson.

This confusion, abundant differing opinions regarding Robert’s criminality or lack thereof, and the general lack of consensus as to what the Computer Science community felt about it underlines the reason that the ‘Morris Worm’ became so famous.  The story of modern computer security, for many intents and purposes, starts with Robert T. Morris. Within days, his worm brought computer security into the mainstream in a way that years of his father’s traditional evangelizing had been unable to.

In language which wholly debunks the apocryphal anger Spafford felt toward Robert after the worm incident, Spafford, in a 2008 interview with Network World remarked “I think [Robert] should even be considered for a pardon because since then he's done nothing in his career to take advantage or to gain stature from the incident. He was contrite. . . . He has gone on to have a productive career." (Marsan, 2008)  Following the worm debacle, Robert went on to co-found Viaweb - which was purchased by Yahoo for $49 million and rebranded ‘Yahoo! Store’ - and Y-Combinator, earn his Ph.D from Harvard and become a tenured professor of Electrical Engineering and Computer Science at MIT (Quistgaard, 1998).

References

• Graham, Paul. 2005. "The Submarine". paulgraham.com http://www.paulgraham.com/submarine.html#f4n
• Hafner, K., & Markoff, J. (1995). Cyberpunk: Outlaws and Hackers on the Computer Frontier. New York: Simon & Schuster.
• Marsan, Carolyn. 2008. "Where Is Robert Morris Now?". Network World. https://www.networkworld.com/article/2268914/lan-wan/where-is-robert-morris-now-.html.
• Quistgaard, Kaitlin. 1998. "Yahoo Buys Portal-Puzzle Piece". WIRED. https://www.wired.com/1998/06/yahoo-buys-portal-puzzle-piece/.
• Santoro, Thomas, M. Stuart Lynn, Ted Eisenberg, Don Holcomb, Juris Hartmanis, and David Gries. 1989. "The Cornell Commission: On Morris And The Worm". Ithaca, NY.
• Seeley, Donn. 1988. "A Tour Of The Worm". Cs.Unc.Edu. http://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/seely-RTMworm-89.html.
• Spafford, Eugene. 1988. "The Internet Worm Program: An Analysis". West Lafayette, Indiana: Purdue University.
• Spafford, Eugene. 1991. “Three Letters on Computer Security and Society”. West Lafayette, Indiana: Purdue University.
• Susan M. Mello, "Administering the Antidote to Computer Viruses: A Comment on United States v. Morris," Rutgers Computer & Technology Law Journal 19, no. 1 (1993): 259-280
• U.S. Government Accounting Office. Computer Security: Virus Highlights Need for Improved Internet Management.  GAO/IMTEC-89-57. Washington, DC, 1989.