Also, like a toddler, the Internet's knees were closer to the ground than they are today :-)
I was at Sun at the time and it was an interesting story but you could have completely disconnected Sun from the "internet" (which was being serviced at the time by a single T-1 line, 1.544Mbps baby!) for two or three days and it wouldn't have been the end of the world, and it would not have cut into sales. Due to some better configuration defaults, the impact of the worm on Sun was minimal.
At the time of the Morris worm, there was a single T1 line running across the bay (between Mt. View and Milpitas.) The line to sun-arpa was a 56k link.
The only real 'protection' was that ip_forwarding was set to 0.
nope. The T1 (to the Internet) came in when we connected to BARRnet.
SWAN got T1s (Dallas, D.C., Boston) about the same time.
Then RMTC came on-line with a T1, and Denver-Dallas, and Chicago-Dallas got T1s. Then the SWAN 'ring' got a pair of T1s. The cross-bay link went to a DS3. Lots of offices got upgraded to 10BaseT in the form of AT&T's "starnet" offering.
"We didn't believe that Morris intended to cause harm or damage," Rasch says. In his view, Morris was "motivated mainly by curiosity and by a desire to show that he could do it."
On the other hand, the Justice Department worried that "if the government treated this as a misdemeanor, a trivial offense, that others would go out and do it," Rasch said. "You had conduct that was planned, premeditated, that was deliberate, over periods of months, that caused massive disruption and expense to a wide number of different individuals." That required a response, the government believed.
So Morris was charged with a single felony count. Rasch says Morris could have been charged with a separate felony for each of the thousands of computers the worm infected. But the lawyer and his colleagues believed that would be overkill. "I don't believe that you over-prosecute someone to send a message," Rasch says. "I don't believe in the head-on-a-stake theory of prosecution."
----
Is that not a contradiction, he seems to be saying that they chose felony over misdemeanor not because of him but to set an example, then goes on to say that they don't do that sort of thing?
There is a subtle distinction between making an example and setting a precedent. It is crucial here. By prosecuting as a felony, they set legal precedent. By making it a single felony, they showed leniency to the offense in question.
> Is that not a contradiction, he seems to be saying that they chose felony over misdemeanor not because of him but to set an example
He's saying that the felony charge was driven by the objective characteristics of the act -- both the deliberation and the impact -- and that going for a lesser charge given those facts would have sent an undesirable message, but that -- given that the intent was not to cause harm -- prosecuting beyond the single felony charge to send a "tough on computer crime" message was not justified.
The contradiction you are finding is because you are creating overly broad extreme generalities from Rasch's description of balancing different factors.
I like how they spin it in Robert Morris profile on the YC page: "In 1988 his discovery of buffer overflow first brought the Internet to the attention of the general public." (http://ycombinator.com/people.html)
Hijacking the thread a little: one of the weird timeline things I'm a little obsessed with is the gap between the Morris Worm and the first "modern" stack overflow.
As near as I can tell, Thomas Lopatic kicked off the era of modern memory corruption exploits in February 1995 with his HPUX NCSA httpd overflow. That was followed shortly by 8lgm's Sendmail 8.6.12 syslog() stack overflow, which 8lgm created a small mania about by explaining roughly how the bug worked but not publishing the exploit, which meant every amateur vulnerability researcher at the time (myself included) spent a couple weeks figuring it out for ourselves.
1988 to 1995 is a long time! During that period, near as I can tell, nobody published or even referenced a modern memory corruption flaw ("modern" meaning "allowed you to upload code into a remote system"; there were overflows prior to 1995, but they worked by overwriting variables in memory to alter program logic). Why did Morris have this technique back in 1988? (Besides the obvious reason). Why did nobody extend the work between '88 and '95? The whole Internet was vulnerable to this bug! And that timeframe was the hacker renaissance; it corresponds to the Sun Devil raids and the LoD/MoD war.
I have read about LoD/MoD, 8lGm etc..it seemed that low hanging fruit was probably the reasoning right? I mean, there were probably so many systems you could access through stupid bugs, that delving deep into SO wasn't necessary?
Maybe. But there was low-hanging fruit well into the late '90s (and remember that SQL Injection, the "ultimate" low-hanging fruit, is also a late '90s bug) --- but after the 8lgm stack overflow mania, there was a decisive shift towards using memory corruption to take over machines directly, rather than (say) overwriting strategic files on target systems with NFS bugs.
Very True. Smashing the stack for fun and profit? That was the first interaction I had with more advanced techniques anyways. I read it as a soph/freshman in HS (97 or so I think)? Timing seems to be close. That could account for the explosion at least; I don't have any theories on the "dead" period.
I'm happy to give Elias credit for a big part of the shift, but the reality is that first x86 exploit was published well before that Phrack article, and people quickly repurposed it. (I'm a little biased here, since the author of that exploit is a partner of mine).
The vulnerability research community in 1995 was very close-knit (not tiny, but you could fit them in a hotel banquet hall for Summercon), and they worked pretty quickly to educate each other about the attack.
I'm sure the whole pirating of games during the C64 days would have touched upon memory corruption, so whilst not in the context we think of today it is certainly older area than we think.
For what it's worth, the prosecutor in this case (Mark) is the former coworker who I've mentioned on here a few times as having prosecuted the FBI case against my dad (small world).
It is a little disconcerting to wonder that if the same case happened today, would it result in a katamari of charges meant to steamroll RTM?
Definitely an interesting story. One connection I never made before was that 1) the worm gave computer security a shot in the arm and 2) Morris's father was a computer security expert. I'm sure it's completely unrelated, but an interesting coincidence.
There was definitely speculation at the time that Morris the elder was the source of the DES encryption code in the worm. I can't google up any references, but I distinctly recall that idea bandied about.
His father authored the relevant unix manual IIRC (they used to be a bunch of binders above a unix hackers desk usually shipped from whoever sold you the system.) I also had in my head that his father was the likely source of the wizard password backdoor in sendmail.
I remember as a freshman in college, only armed with my knowledge of game programming in Z80/M68K assembly (no idea of Unix or internet beyond Usenet), finding out about this shortly after it happened, printing everything I could about it, and reading these pages over and over as if it was the most amazing technothriller ever written. Files that still exist after you delete them? Executable content in email headers?
It's probably the single most fascinating event in my personal history with computers.
Actually true story, my future mother-in-law called me because she could not reach her daughter on the phone (no cell phones then) and knew we "somehow" knew what each other was up to.
So I'm holding the phone to my ear and I can see she is logged in to the system and I say "Oh I see her, I'll just finger her to see if she is awake."
I am pretty sure the next sound I heard on the telephone resulted from it being dropped from standing height and having the handset bounce on the floor. It was my first experience with the less than desirable consequences of re-using English words to describe network interactions.
The worm could have been much more virulent had the author been more experienced or less rushed in his coding
It's a common misconception things go viral due to some sort of premeditative planning "over a period of months". New ideas start fledgling, because that's what it means for ideas to be new. They don't have concrete form in the beginning. Even the person having them can't tell what they can lead to.
Rushing the worm was crucial in making it work. It was more important to see if it had any chance of working. It couldn't have happened had Morris not been rushed, opening doors to a new research field and medium to the general public.
Interesting that the main character in the movie Hackers - Dade Murphy - may well have been inspired, at least in part, on the Morris Worm story. I've never heard any official commentary to this effect, but it seems plausible.
The defendant, Dade Murphy, who calls himself "Zero Cool", has repeatedly committed criminal acts of a malicious nature. This defendant possesses a superior intelligence, which he uses to a destructive and antisocial end. His computer virus crashed one thousand five hundred and seven computer systems, including Wall Street trading systems, single handedly causing a seven point drop in the New York Stock Market
The SUN workstation-wielding guy in the lab next door to me got hit by this, though we were unscathed. Periodically you could hear him yelling through the wall.
Amusingly (in hindsight), I had recently cleaned up a bunch of virus-choked PCs in some student labs and because of this fell under departmental suspicion (very briefly) of having something to do with these new problems. From then on I left such thankless scut work to someone else.
Another interesting -though brief- account appears in the epilogue of Cliff Stoll's "Cuckoo's Egg" (itself a classic tale from the early Internet days).
I was an intern at IBM at the time, at a site that was fortunate to have internet access. I remember people being annoyed because the security people severed all internet gateways.
A good technical article is "With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988" [1] which was published soonafter.
All I'll say is, I was "there" (meaning affected).
It was also amusing watching the news reports at the time. I remember one of the nightly "world news" shows (ABC, iirc) having it right up front and the anchor and reporter trudging their way through the story, trying to explain this "Internet" thing.
Having been born the same year as this worm's release, I love reading about these moments in internet history. When I read that Paul Graham and Morris later went on to found Y-Combinator (why didn't I know that already?) I was so excited I shouted at my computer.
It's probably worth mentioning that Morris is now a mild mannered (and talented) MIT professor in the Computer Science department. The word on the street was that he did _not_ want to talk about this chapter of his life.
And many years later we had email viruses bringing the internet to its knees, notably the LoveBug virus which we were the first to stop at MessageLabs.
Now it's all just DDoS. Far scarier, and a lot less fun.
I agree he deserves a pardon. A lot of law and public acts seem to be "signaling," e.g. it's OK to do this and not-OK to do that. Temporarily coming down hard on someone to signal that people should NOT do what he did is OK; it makes equal sense, once the threat has passed (and that specific one has been replaced by new threats), to pardon the person and recognize they were made an example of -- for good reason at the time, but no longer.
Contrast this to what they wanted to do to the hackers in the Slatella/Quitner book.
I was at Sun at the time and it was an interesting story but you could have completely disconnected Sun from the "internet" (which was being serviced at the time by a single T-1 line, 1.544Mbps baby!) for two or three days and it wouldn't have been the end of the world, and it would not have cut into sales. Due to some better configuration defaults, the impact of the worm on Sun was minimal.