Morris Worm Outbreak Marks 25th Anniversary

November 04, 2013
By: Peter Bernstein

Let me preface this with the observation that the old saying “Time flies when you are having fun” may not be applicable in this instance.  That said, for those of us of a certain age and/or who have a passion for Internet history, November 2 is an important date. As noted in the headline, this year the date marked the 25th anniversary of the Morris Worm.

“What is that?” For those unfamiliar, the Morris Worm was the first well-publicized computer virus that not only hit the Internet, but crippled it significantly. It derives its name from then Cornell University student Robert Tappan Morris, who wrote it. 



Picture of Professor Robert Tappan Morris courtesy MIT

And, while he subsequently was convicted of computer fraud and has since thoroughly rehabilitated his reputation as a respected associate professor of computer science at MIT, at 6 p.m. on Nov. 2, 1988, he launched his worm, which disabled approximately 10 percent of all Internet-connected systems at the time. What is amazing, considering how far we have come, is that the 10 percent number was roughly 60,000 machines. These were primarily in academic settings and mostly comprised Sun 3 systems and Digital VAX computers running BSD Unix—two big names in computing that are no longer with us.

The Morris Worm was not built with malicious intent, but more as an experiment that unfortunately exceeded expectations in its ability to self-replicate. It exploited known weaknesses in common utilities including sendmail, which is email routing software, and Finger, a tool that showed which users were logged on to the network, and for several days brought the Internet to a crawl. It actually crashed many infected machines, and caused the U.S. Department of Defense to unplug from their Internet gateways. It caused the kind of panic in the Internet world that Orson Welles’ famous “Halloween War of the Worlds” caused 75 years ago.

Over the years, Morris has said his intent was not to cause damage but rather to try to size the Internet. He might not even be so infamous were it not for a minor issue with the spreading mechanism, which turned this little intellectual adventure into what we now would classify as a major Denial of Service (DoS) attack.

The worm could have determined whether to invade a new computer by asking if there was already a copy running. A simple “yes” when asked would have ended the spread of the virus. Morris, smart fellow that he was, directed the worm to copy itself one out of seven times even if the response was "yes". With no appropriate countermeasure known, replication literally went viral, including infecting the same machines multiple times. Morris remarked, in what really is very applicable to events of our times, that he "should have tried it on a simulator first."
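A toy simulation of the reinfection rule described above, added here as an example; it is not code from the article or from the worm. The host count, round count, the one-probe-per-copy-per-round model and the function names are assumptions made for illustration.

```python
import random

def simulate(hosts, rounds, reinfect_odds, seed=1988):
    """Return per-host copy counts after `rounds` of spreading.

    reinfect_odds=0: a "yes, a copy is already running" answer always stops
    the new copy. reinfect_odds=7: the answer is ignored one time in seven.
    Assumed model: every running copy probes one random host per round.
    """
    rng = random.Random(seed)          # fixed seed so runs are repeatable
    copies = [0] * hosts
    copies[0] = 1                      # first infected host
    for _ in range(rounds):
        added = [0] * hosts
        for _ in range(sum(copies)):
            target = rng.randrange(hosts)
            if copies[target] + added[target] == 0:
                added[target] = 1      # clean host: the copy starts
            elif reinfect_odds and rng.randrange(reinfect_odds) == 0:
                added[target] += 1     # "yes" ignored: a duplicate starts
        copies = [c + a for c, a in zip(copies, added)]
    return copies

def summarize(copies):
    """(infected hosts, total running copies, worst per-host copy count)."""
    return sum(1 for c in copies if c), sum(copies), max(copies)

if __name__ == "__main__":
    for label, odds in (("honour 'yes'", 0), ("1-in-7 override", 7)):
        infected, total, worst = summarize(simulate(200, 30, odds))
        print(f"{label:16} infected={infected} copies={total} worst_host={worst}")
```

When the "yes" answer is always honoured, no host ever runs more than one copy, so total load is bounded by the number of hosts. With the one-in-seven override the per-host count keeps climbing each round, which is the resource exhaustion that crashed infected machines.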

I remember writing about all of this at the time and making fun of the fact that those who had the capability to remediate the problem could not communicate with each other, which is why it took many days to restore the Internet to its natural state. The reason was most of the experts communicated via email and did not have an address book with the telephone numbers of their colleagues. My point back then was that the Internet, while interesting for communicating, was not as compelling a tool as picking up the phone and that would likely be the case for a very long time. Let’s just say I do not make those kinds of predictions any more.

On this anniversary, the question as to whether we learned anything from the exposure and damage of the Morris Worm is relevant. Many in our industry who look at the history say that because the Internet community was so small at the time it took many years for the incident to go from being mildly interesting to being a cause of alarm, particularly for commercial entities and the mass market. In terms of investments in security solutions they have a point, and it did take a series of major hacks in the 1990s to create the anti-virus, anti-malware, firewall, VPN, encryption, etc. environment of today. Ironically it is an environment now being termed unsuitable to meet the sophistication, frequency and malevolence of today’s attacks.   

It is safe to say that what we have learned is that even what might be seen as “ethical hacking” has significant unintended -- as well as intended -- consequences. It is also fair to say that information security has gone from a minor concern of enterprises and government to the very top of the threat list. As a result of identity theft, the recent headlines, crashes of our own personal computers and increasingly our mobile devices, we, too, have become sensitized to the need for protection. 

I would say that a celebration is in order to honor this anniversary, but it is not one where congratulations are in order. Maybe it would just be a good day to make sure all of your protective software is up-to-date.




