The Unix Heritage Society mailing list
 help / color / mirror / Atom feed
* [TUHS] Happy birthday, Morris Worm!
@ 2017-11-03  0:53 Doug McIlroy
  2017-11-03  1:39 ` Ken Thompson
  0 siblings, 1 reply; 62+ messages in thread
From: Doug McIlroy @ 2017-11-03  0:53 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 2090 bytes --]

I think "classlessness" is intened as an antonym to "classy".

Spafford with high dudgeon called early for punishment. He had tempered
it somewhat by the time he wrote his CACM article, published in June
1985. But still some animus shows through, in "even-handedly" 
speculating about whether the worm was intended as a lark or as
something nefarious. He evidently had mellowed a lot by the
time of the last quotation below.

In the CACM article Spaff quoted someone else as suggesting that
Morris did it to impress Jodie Foster, and he called Allman's
back door in Sendmail a debugging feature that people could
optionally turn off. As far as I know it was not disclosed that
DEBUG allowed remote control of Sendmail. In fact Sendmail was
so opaque that Dave Presotto declined to install it and wrote
his own (upas) for Research.

I don't recall the cited "contest". And Dennis's reaction to
the CaCM article seems somwhat harsh. But the context is that
Spafford's overheated initial reaction did not win friends in
research. 
> 
> Can anyone remember or decipher what this was about???
> 
> Date: 24 Mar 90 06:52:43 GMT
> From: dmr at alice.att.com
> Subject: Re: Contest announcement
> To: misc-security at uunet.uu.net
> 
> My own contest is "Most appalling display of classlessness in dealing with
> a serious subject."  The nominees are:
> 
> 1) National Center for Computer Crime Data, Security Magazine, and
>    Gene Spafford, for their "How High Shall We Hang Robert Morris?"
>    contest.
> 
> 2) Gene Spafford, for the most tasteless article ever to appear in CACM
>    (special credits for the Jodie Foster joke).
> 
>         Dennis Ritchie
> 
> Some context maybe?
>> 
>> “He has not tried to make any money or work in this area,” Purdue 
>> University computer science professor Eugene Spafford said of Morris 
>> in an interview with The Washington Post. “His behavior has been 
>> consistent in supporting his defense: that it was an accident and he 
>> felt badly about it. I think it’s very much to his credit that that has 
>> been his behavior ever since.”


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-03  0:53 [TUHS] Happy birthday, Morris Worm! Doug McIlroy
@ 2017-11-03  1:39 ` Ken Thompson
  2017-11-03  9:25   ` arnold
  0 siblings, 1 reply; 62+ messages in thread
From: Ken Thompson @ 2017-11-03  1:39 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 2303 bytes --]

spafford was the prize witness for the
offense at the trial. strident and evil.


On Thu, Nov 2, 2017 at 5:53 PM, Doug McIlroy <doug at cs.dartmouth.edu> wrote:
> I think "classlessness" is intened as an antonym to "classy".
>
> Spafford with high dudgeon called early for punishment. He had tempered
> it somewhat by the time he wrote his CACM article, published in June
> 1985. But still some animus shows through, in "even-handedly"
> speculating about whether the worm was intended as a lark or as
> something nefarious. He evidently had mellowed a lot by the
> time of the last quotation below.
>
> In the CACM article Spaff quoted someone else as suggesting that
> Morris did it to impress Jodie Foster, and he called Allman's
> back door in Sendmail a debugging feature that people could
> optionally turn off. As far as I know it was not disclosed that
> DEBUG allowed remote control of Sendmail. In fact Sendmail was
> so opaque that Dave Presotto declined to install it and wrote
> his own (upas) for Research.
>
> I don't recall the cited "contest". And Dennis's reaction to
> the CaCM article seems somwhat harsh. But the context is that
> Spafford's overheated initial reaction did not win friends in
> research.
>>
>> Can anyone remember or decipher what this was about???
>>
>> Date: 24 Mar 90 06:52:43 GMT
>> From: dmr at alice.att.com
>> Subject: Re: Contest announcement
>> To: misc-security at uunet.uu.net
>>
>> My own contest is "Most appalling display of classlessness in dealing with
>> a serious subject."  The nominees are:
>>
>> 1) National Center for Computer Crime Data, Security Magazine, and
>>    Gene Spafford, for their "How High Shall We Hang Robert Morris?"
>>    contest.
>>
>> 2) Gene Spafford, for the most tasteless article ever to appear in CACM
>>    (special credits for the Jodie Foster joke).
>>
>>         Dennis Ritchie
>>
>> Some context maybe?
>>>
>>> “He has not tried to make any money or work in this area,” Purdue
>>> University computer science professor Eugene Spafford said of Morris
>>> in an interview with The Washington Post. “His behavior has been
>>> consistent in supporting his defense: that it was an accident and he
>>> felt badly about it. I think it’s very much to his credit that that has
>>> been his behavior ever since.”


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-03  1:39 ` Ken Thompson
@ 2017-11-03  9:25   ` arnold
  0 siblings, 0 replies; 62+ messages in thread
From: arnold @ 2017-11-03  9:25 UTC (permalink / raw)


Ken Thompson via TUHS <tuhs at minnie.tuhs.org> wrote:

> spafford was the prize witness for the
> offense at the trial. strident and evil.

I suspect that he was also still young and fired up about things. :-)
(Not to mention a professor still working towards tenure.)

I was in grad school with Gene at Georgia Tech and still exchange
emails with him every once in a while.  He is most definitely not
a strident and evil *person*, but I can't speak to what happened
in the trial itself.

(In other words, he too probably deserves to be cut some slack.)

My two cents,

Arnold


^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [TUHS] Happy birthday, Morris Worm!
  2019-11-02  6:44     ` William Corcoran
@ 2019-11-02  7:31       ` A. P. Garcia
  0 siblings, 0 replies; 62+ messages in thread
From: A. P. Garcia @ 2019-11-02  7:31 UTC (permalink / raw)
  To: William Corcoran
  Cc: The Eunuchs Hysterical Society, Computer Old Farts Followers

[-- Attachment #1: Type: text/plain, Size: 1103 bytes --]

On Sat, Nov 2, 2019, 2:44 AM William Corcoran <wlc@jctaylor.com> wrote:

> My comments were not directed to A. P. Garcia.
>
> I regret my error.
>
> Bill Corcoran
>
>
>
> On Nov 2, 2019, at 2:36 AM, William Corcoran <wlc@jctaylor.com> wrote:
>
> Whoa!  Let’s rethink the defamatory ad hominem remarks here.  We were all
> kids once.  Moreover, my examination of this subject showed that some of
> our greatest computer scientists, at the time, went to bat for young
> Morris.  Moreover, calling RTM a nasty name like that is a shoe that simply
> doesn’t fit.  My goodness RTM is a professor at MIT.   It’s inarguable that
> the Morris Worm helped his career far more than it hurt it.  Plus, indeed,
> there was a genuine re-Morris from RTM.
>
> Bill Corcoran
>
> <snip>

No worries. It's worth mentioning on a Unix mailing list that RTM
coauthored xv6, an x86 reimplementation of the v6 kernel. It sort of
carries the torch of the Lions book by teaching future generations about
the internals of operating systems and the Unix way. And that is a
beautiful thing.

>

[-- Attachment #2: Type: text/html, Size: 2555 bytes --]

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [TUHS] Happy birthday, Morris Worm!
  2019-11-02  6:35   ` William Corcoran
@ 2019-11-02  6:44     ` William Corcoran
  2019-11-02  7:31       ` A. P. Garcia
  0 siblings, 1 reply; 62+ messages in thread
From: William Corcoran @ 2019-11-02  6:44 UTC (permalink / raw)
  To: A. P. Garcia; +Cc: The Eunuchs Hysterical Society, Computer Old Farts Followers

[-- Attachment #1: Type: text/plain, Size: 2104 bytes --]

My comments were not directed to A. P. Garcia.

I regret my error.

Bill Corcoran



On Nov 2, 2019, at 2:36 AM, William Corcoran <wlc@jctaylor.com<mailto:wlc@jctaylor.com>> wrote:

Whoa!  Let’s rethink the defamatory ad hominem remarks here.  We were all kids once.  Moreover, my examination of this subject showed that some of our greatest computer scientists, at the time, went to bat for young Morris.  Moreover, calling RTM a nasty name like that is a shoe that simply doesn’t fit.  My goodness RTM is a professor at MIT.   It’s inarguable that the Morris Worm helped his career far more than it hurt it.  Plus, indeed, there was a genuine re-Morris from RTM.

Bill Corcoran

On Nov 1, 2019, at 5:49 PM, A. P. Garcia <a.phillip.garcia@gmail.com<mailto:a.phillip.garcia@gmail.com>> wrote:



On Fri, Nov 1, 2019, 4:37 PM Dave Horsfall <dave@horsfall.org<mailto:dave@horsfall.org>> wrote:
The infamous Morris Worm was released in 1988; making use of known
vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a
metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was
accidental, but the idiot hadn't tested it on an isolated network first). A
temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".

Another fix was to move the C compiler elsewhere.

-- Dave

One of my comp sci professors was a grad student at Cornell when this happened. He shared a small office with Morris and some other students. He said that he had to explain that he had absolutely nothing to do with it on quite a few occasions.

Morris was caught partly because he used the Unix crypt command to encrypt his source code. The command was a computer model of the Enigma machine, and its output could be and indeed was cracked, after retrieving the encrypted code from a backup tape.

It's interesting that the worm was quickly detected. The reason was that it kept infecting the same machines, and as you referred to, it contained a password cracker, which slowed those machines to a crawl because of the multiple instances running.

[-- Attachment #2: Type: text/html, Size: 3542 bytes --]

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [TUHS] Happy birthday, Morris Worm!
  2019-11-01 21:49 ` A. P. Garcia
@ 2019-11-02  6:35   ` William Corcoran
  2019-11-02  6:44     ` William Corcoran
  0 siblings, 1 reply; 62+ messages in thread
From: William Corcoran @ 2019-11-02  6:35 UTC (permalink / raw)
  To: A. P. Garcia; +Cc: The Eunuchs Hysterical Society, Computer Old Farts Followers

[-- Attachment #1: Type: text/plain, Size: 1912 bytes --]

Whoa!  Let’s rethink the defamatory ad hominem remarks here.  We were all kids once.  Moreover, my examination of this subject showed that some of our greatest computer scientists, at the time, went to bat for young Morris.  Moreover, calling RTM a nasty name like that is a shoe that simply doesn’t fit.  My goodness RTM is a professor at MIT.   It’s inarguable that the Morris Worm helped his career far more than it hurt it.  Plus, indeed, there was a genuine re-Morris from RTM.

Bill Corcoran

On Nov 1, 2019, at 5:49 PM, A. P. Garcia <a.phillip.garcia@gmail.com<mailto:a.phillip.garcia@gmail.com>> wrote:



On Fri, Nov 1, 2019, 4:37 PM Dave Horsfall <dave@horsfall.org<mailto:dave@horsfall.org>> wrote:
The infamous Morris Worm was released in 1988; making use of known
vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a
metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was
accidental, but the idiot hadn't tested it on an isolated network first). A
temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".

Another fix was to move the C compiler elsewhere.

-- Dave

One of my comp sci professors was a grad student at Cornell when this happened. He shared a small office with Morris and some other students. He said that he had to explain that he had absolutely nothing to do with it on quite a few occasions.

Morris was caught partly because he used the Unix crypt command to encrypt his source code. The command was a computer model of the Enigma machine, and its output could be and indeed was cracked, after retrieving the encrypted code from a backup tape.

It's interesting that the worm was quickly detected. The reason was that it kept infecting the same machines, and as you referred to, it contained a password cracker, which slowed those machines to a crawl because of the multiple instances running.

[-- Attachment #2: Type: text/html, Size: 3030 bytes --]

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [TUHS] Happy birthday, Morris Worm!
  2019-11-01 20:36 Dave Horsfall
  2019-11-01 21:12 ` Dan Cross
@ 2019-11-01 21:49 ` A. P. Garcia
  2019-11-02  6:35   ` William Corcoran
  1 sibling, 1 reply; 62+ messages in thread
From: A. P. Garcia @ 2019-11-01 21:49 UTC (permalink / raw)
  To: Dave Horsfall
  Cc: The Eunuchs Hysterical Society, Computer Old Farts Followers

[-- Attachment #1: Type: text/plain, Size: 1266 bytes --]

On Fri, Nov 1, 2019, 4:37 PM Dave Horsfall <dave@horsfall.org> wrote:

> The infamous Morris Worm was released in 1988; making use of known
> vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a
> metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was
> accidental, but the idiot hadn't tested it on an isolated network first).
> A
> temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".
>
> Another fix was to move the C compiler elsewhere.
>
> -- Dave
>

One of my comp sci professors was a grad student at Cornell when this
happened. He shared a small office with Morris and some other students. He
said that he had to explain that he had absolutely nothing to do with it on
quite a few occasions.

Morris was caught partly because he used the Unix crypt command to encrypt
his source code. The command was a computer model of the Enigma machine,
and its output could be and indeed was cracked, after retrieving the
encrypted code from a backup tape.

It's interesting that the worm was quickly detected. The reason was that it
kept infecting the same machines, and as you referred to, it contained a
password cracker, which slowed those machines to a crawl because of the
multiple instances running.

>

[-- Attachment #2: Type: text/html, Size: 1904 bytes --]

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [TUHS] Happy birthday, Morris Worm!
  2019-11-01 20:36 Dave Horsfall
@ 2019-11-01 21:12 ` Dan Cross
  2019-11-01 21:49 ` A. P. Garcia
  1 sibling, 0 replies; 62+ messages in thread
From: Dan Cross @ 2019-11-01 21:12 UTC (permalink / raw)
  To: Dave Horsfall
  Cc: The Eunuchs Hysterical Society, Computer Old Farts Followers

[-- Attachment #1: Type: text/plain, Size: 916 bytes --]

On Fri, Nov 1, 2019 at 4:37 PM Dave Horsfall <dave@horsfall.org> wrote:

> The infamous Morris Worm was released in 1988; making use of known
> vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a
> metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was
> accidental, but the idiot hadn't tested it on an isolated network first).
> A
> temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".
>
> Another fix was to move the C compiler elsewhere.
>

This comes up every year, but could I ask that you please stop referring to
Robert T. Morris as an idiot? He acted foolishly and destructively, yes,
but he was quite young at the time and he paid for his mistake. He's gone
on to do very good work in systems and have a productive career; there
really is no need to continue to castigate him in this manner for a mistake
he made 31 years ago.

        - Dan C.

[-- Attachment #2: Type: text/html, Size: 1287 bytes --]

^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
@ 2019-11-01 20:36 Dave Horsfall
  2019-11-01 21:12 ` Dan Cross
  2019-11-01 21:49 ` A. P. Garcia
  0 siblings, 2 replies; 62+ messages in thread
From: Dave Horsfall @ 2019-11-01 20:36 UTC (permalink / raw)
  To: The Eunuchs Hysterical Society; +Cc: Computer Old Farts Followers

The infamous Morris Worm was released in 1988; making use of known 
vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a 
metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was 
accidental, but the idiot hadn't tested it on an isolated network first). A 
temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".

Another fix was to move the C compiler elsewhere.

-- Dave

^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-16 23:24 Doug McIlroy
@ 2017-11-16 23:35 ` Ralph Corderoy
  0 siblings, 0 replies; 62+ messages in thread
From: Ralph Corderoy @ 2017-11-16 23:35 UTC (permalink / raw)


Doug wrote:
> Also amazing is its robust survival at angband.org.

Now known as http://rephial.org/

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
@ 2017-11-16 23:24 Doug McIlroy
  2017-11-16 23:35 ` Ralph Corderoy
  0 siblings, 1 reply; 62+ messages in thread
From: Doug McIlroy @ 2017-11-16 23:24 UTC (permalink / raw)


> let's not forget that amazing vi-trainer called rogue.

Also amazing is its robust survival at angband.org.



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-16 15:54         ` Clem Cole
@ 2017-11-16 15:58           ` Jon Steinhart
  0 siblings, 0 replies; 62+ messages in thread
From: Jon Steinhart @ 2017-11-16 15:58 UTC (permalink / raw)


Clem Cole writes:
> And Empire was more additive then Adventure when it came out :-)
>  Fortunately, I only got mildly sucked in.   If I recall, Ward Cunningham,
> Steve Glaser and Charlie Perkins were pretty heavily caught up.

Hey, if we're going down that rathole let's not forget that amazing
vi-trainer called rogue.  And it worked on 80 column displays too :-)


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-16  1:56       ` Erik E. Fair
                           ` (2 preceding siblings ...)
  2017-11-16  7:39         ` Steve Simon
@ 2017-11-16 15:54         ` Clem Cole
  2017-11-16 15:58           ` Jon Steinhart
  3 siblings, 1 reply; 62+ messages in thread
From: Clem Cole @ 2017-11-16 15:54 UTC (permalink / raw)


On Wed, Nov 15, 2017 at 8:56 PM, Erik E. Fair <fair-tuhs at netbsd.org> wrote:

> Sorry, "psl" is Peter S. Langston, so:
>
> https://en.wikipedia.org/wiki/Empire_(1972_video_game)
>
> http://www.langston.com
>
> That Wikipedia entry should describe it as a "computer game" (or
> "simulation") rather than as a "video game", given the common understanding
> of those phrases. PSL's "empire" was a multiplayer game similar (sort of)
> to the board game "Risk" and the "graphics" were ASCII-maps.
>
> I played that game at some length after leaving UCB - it was "guaranteed
> to drop your GPA two points" (addictive as hell). Another way to parboil
> your brain with it was to set the "update interval" to 5 seconds (a.k.a. a
> "flash" game) and have a several hour (instead of the more typical several
> month) gaming session with like-minded crazies ... I mean, "players" ... in
> a terminal room.
>
> I recall one such evening up at LBL with Craig Leres and Jef Poskanzer,
> among others ...
>
> Anyway, the Dave Pare mentioned in the Wikipedia entry is the same one who
> worked on decompiling the Morris worm, with the aforementioned tools he'd
> developed (he liked playing empire and wanted to fix bugs and extend the
> game, but psl was only supplying binaries ...).
>
> It's funny where tools come from sometimes.
>
>         Erik
>


Indeed - this is a solid bit of UNIX history.    We should put a PSL Games
Tape into Warren's library.

And Empire was more additive then Adventure when it came out :-)
 Fortunately, I only got mildly sucked in.   If I recall, Ward Cunningham,
Steve Glaser and Charlie Perkins were pretty heavily caught up.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171116/a1007971/attachment.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-16  1:56       ` Erik E. Fair
  2017-11-16  2:41         ` Ron Natalie
  2017-11-16  3:00         ` Don Hopkins
@ 2017-11-16  7:39         ` Steve Simon
  2017-11-16 15:54         ` Clem Cole
  3 siblings, 0 replies; 62+ messages in thread
From: Steve Simon @ 2017-11-16  7:39 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 1476 bytes --]

I remember reading the New Scientist article on the worm.

Was Dave Parr the person described as once described as “Dave ADB-is-your-friend Parr”?

-Steve


> On 16 Nov 2017, at 01:56, Erik E. Fair <fair-tuhs at netbsd.org> wrote:
> 
> Sorry, "psl" is Peter S. Langston, so:
> 
> https://en.wikipedia.org/wiki/Empire_(1972_video_game)
> 
> http://www.langston.com
> 
> That Wikipedia entry should describe it as a "computer game" (or "simulation") rather than as a "video game", given the common understanding of those phrases. PSL's "empire" was a multiplayer game similar (sort of) to the board game "Risk" and the "graphics" were ASCII-maps.
> 
> I played that game at some length after leaving UCB - it was "guaranteed to drop your GPA two points" (addictive as hell). Another way to parboil your brain with it was to set the "update interval" to 5 seconds (a.k.a. a "flash" game) and have a several hour (instead of the more typical several month) gaming session with like-minded crazies ... I mean, "players" ... in a terminal room.
> 
> I recall one such evening up at LBL with Craig Leres and Jef Poskanzer, among others ...
> 
> Anyway, the Dave Pare mentioned in the Wikipedia entry is the same one who worked on decompiling the Morris worm, with the aforementioned tools he'd developed (he liked playing empire and wanted to fix bugs and extend the game, but psl was only supplying binaries ...).
> 
> It's funny where tools come from sometimes.
> 
>    Erik



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-16  1:56       ` Erik E. Fair
  2017-11-16  2:41         ` Ron Natalie
@ 2017-11-16  3:00         ` Don Hopkins
  2017-11-16  7:39         ` Steve Simon
  2017-11-16 15:54         ` Clem Cole
  3 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-16  3:00 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 2312 bytes --]

Remember Eedie & Eddie, Peter Langston’s DecTalk voice synthesizers who would answer the phone with “Yes, operator, I will accept the charges!” and then responded to touch tone commands to perform algorithmic compositions and sing songs together to you over the telephone?

http://www.langston.com/SVM.html <http://www.langston.com/SVM.html>

Good thing Bellcore had all the free long distance phone service they could use, because anyone who knew the phone number for Eedie & Eddie could use it to make as many free third party charge long distance phone calls as they desired! 

(Spoiler: The phone number was listed in the title of Peter S. Langston’s 1986  Summer USENIX paper!)


Search Results
201 644-2332 or Eedie & Eddie on the Wire: An Experiment in Music Generation

http://www.langston.com/Papers/2332.pdf

-Don

> On 16 Nov 2017, at 02:56, Erik E. Fair <fair-tuhs at netbsd.org> wrote:
> 
> Sorry, "psl" is Peter S. Langston, so:
> 
> https://en.wikipedia.org/wiki/Empire_(1972_video_game)
> 
> http://www.langston.com
> 
> That Wikipedia entry should describe it as a "computer game" (or "simulation") rather than as a "video game", given the common understanding of those phrases. PSL's "empire" was a multiplayer game similar (sort of) to the board game "Risk" and the "graphics" were ASCII-maps.
> 
> I played that game at some length after leaving UCB - it was "guaranteed to drop your GPA two points" (addictive as hell). Another way to parboil your brain with it was to set the "update interval" to 5 seconds (a.k.a. a "flash" game) and have a several hour (instead of the more typical several month) gaming session with like-minded crazies ... I mean, "players" ... in a terminal room.
> 
> I recall one such evening up at LBL with Craig Leres and Jef Poskanzer, among others ...
> 
> Anyway, the Dave Pare mentioned in the Wikipedia entry is the same one who worked on decompiling the Morris worm, with the aforementioned tools he'd developed (he liked playing empire and wanted to fix bugs and extend the game, but psl was only supplying binaries ...).
> 
> It's funny where tools come from sometimes.
> 
> 	Erik

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171116/71394946/attachment.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-16  1:56       ` Erik E. Fair
@ 2017-11-16  2:41         ` Ron Natalie
  2017-11-16  3:00         ` Don Hopkins
                           ` (2 subsequent siblings)
  3 siblings, 0 replies; 62+ messages in thread
From: Ron Natalie @ 2017-11-16  2:41 UTC (permalink / raw)


Ah, yes. Empire.   Amusingly the thing self-limited to 60 minutes of connect
time plus your moves were restricted by the number of BTUs (Bureaucratic
Time Units) your capital generated.
People used to play this at lunch at BRL.    However they'd capture maps and
other dumps from the game and then spend hours in the afternoon planning
tomorrow's strategy.    Finally, the director put an end to it.   He told us
computer geeks to remove the game from the system.    My coworker suggested
to the director (a man named Robert J. Eichelberger, the Army expert in
shaped charges) that he just make the games inaccessible but not remove them
from our source archives, saying it was like ripping pages out of a
dictionary just because you didn't like the words.

I faked an email shortly thereafter.

Mr. Miles

Please remove the following pages from your dictionary:   234, 342, 411.

Thank You
-Hasp.




^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-16  1:22     ` Will Senn
@ 2017-11-16  1:56       ` Erik E. Fair
  2017-11-16  2:41         ` Ron Natalie
                           ` (3 more replies)
  0 siblings, 4 replies; 62+ messages in thread
From: Erik E. Fair @ 2017-11-16  1:56 UTC (permalink / raw)


Sorry, "psl" is Peter S. Langston, so:

https://en.wikipedia.org/wiki/Empire_(1972_video_game)

http://www.langston.com

That Wikipedia entry should describe it as a "computer game" (or "simulation") rather than as a "video game", given the common understanding of those phrases. PSL's "empire" was a multiplayer game similar (sort of) to the board game "Risk" and the "graphics" were ASCII-maps.

I played that game at some length after leaving UCB - it was "guaranteed to drop your GPA two points" (addictive as hell). Another way to parboil your brain with it was to set the "update interval" to 5 seconds (a.k.a. a "flash" game) and have a several hour (instead of the more typical several month) gaming session with like-minded crazies ... I mean, "players" ... in a terminal room.

I recall one such evening up at LBL with Craig Leres and Jef Poskanzer, among others ...

Anyway, the Dave Pare mentioned in the Wikipedia entry is the same one who worked on decompiling the Morris worm, with the aforementioned tools he'd developed (he liked playing empire and wanted to fix bugs and extend the game, but psl was only supplying binaries ...).

It's funny where tools come from sometimes.

	Erik


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-15 21:36   ` Erik E. Fair
  2017-11-15 21:50     ` Don Hopkins
  2017-11-15 21:54     ` Ron Natalie
@ 2017-11-16  1:22     ` Will Senn
  2017-11-16  1:56       ` Erik E. Fair
  2 siblings, 1 reply; 62+ messages in thread
From: Will Senn @ 2017-11-16  1:22 UTC (permalink / raw)


On 11/15/17 3:36 PM, Erik E. Fair wrote:
> I remember that Dave Pare put the binary analysis skills he'd acquired 
> in decompiling psl's empire game to good use in analyzing the worm.

Hi Erik,

Is this empire descended from Chuck Simmons' version vms-empire?

Will


-- 
GPG Fingerprint: 68F4 B3BD 1730 555A 4462  7D45 3EAA 5B6D A982 BAAF



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-15 21:54     ` Ron Natalie
@ 2017-11-16  1:05       ` Erik E. Fair
  0 siblings, 0 replies; 62+ messages in thread
From: Erik E. Fair @ 2017-11-16  1:05 UTC (permalink / raw)


Unless I'm mistaken, the Morris worm was the first such incident to make the front page of the New York Times (in an article by now-retired John Markoff):

http://www.nytimes.com/1988/11/04/us/virus-in-military-computers-disrupts-systems-nationwide.html

So I'm not surprised that other reporters started poking around. No one thought to call Apple (at least, not that anyone told me about), but given the limited nature (and understanding) of the Internet at the time, and its characterization by Markoff as "military", this is not too surprising. My group was a little worried about an AppleTalk-based virus getting loose in the Apple Engineering Network ... and that sort-of did happen, not very long after:

http://virus.wikidot.com/wdef

Fortunately, WDEF had a bug which limited its spread to promiscuous media exchange (floppies) - AppleShare volumes didn't have the resource it attempted to infect (a "desktop database"), and thus if your computer had WDEF, the first attempt to mount an AppleShare volume would crash your system - at that time, most Macs didn't have MMUs and didn't run real operating systems like Unix ... and we inside Apple used AppleShare extensively. Also easy to clean out: just rebuild the "desktop database" (hold down Option key when mounting disk volumes, IIRC).

I'm also pretty sure that the Morris worm was the impetus for the formation of the Computer Emergency Response Team (CERT) at CMU Software Engineering Institute (SEI):

https://en.wikipedia.org/wiki/Computer_emergency_response_team

It looks like Wikipedia agrees with me.

Tom Duff gave a related talk & paper at Summer USENIX 1989 that was most
interesting, "Experience with Viruses on UNIX Systems":

https://www.usenix.org/legacy/publications/compsystems/1989/spr_duff.pdf

I especially liked the bit in which Tom's virus infected a multi-level secured UNIX system that Doug McIlroy and Jim Reeds were developing which they didn't spot until they turned on all their protections ... and programs started crashing all over the place.

	Erik


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-15 21:36   ` Erik E. Fair
  2017-11-15 21:50     ` Don Hopkins
@ 2017-11-15 21:54     ` Ron Natalie
  2017-11-16  1:05       ` Erik E. Fair
  2017-11-16  1:22     ` Will Senn
  2 siblings, 1 reply; 62+ messages in thread
From: Ron Natalie @ 2017-11-15 21:54 UTC (permalink / raw)


I was at Rutgers at the time.   We heard of the work and chased down one
copy we had on an ancillary machine.   Most of it's exploited bugs were ones
I had known about for a long time and had taken care of.
After spending a bit of time confirming we'd cleaned things up, I headed off
to a meeting in DC.

Then all hell broke loose.   Not because of the worm itself, but the next
day the media caught up with it and the phone rang off the hook at the
computer center with every news outlet in the state wanting to know what was
going on.    Fortunately, Chuck was still there to answer questions (he's
much more patient with pinheaded reporters than I am anyhow).




^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-15 21:36   ` Erik E. Fair
@ 2017-11-15 21:50     ` Don Hopkins
  2017-11-15 21:54     ` Ron Natalie
  2017-11-16  1:22     ` Will Senn
  2 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-15 21:50 UTC (permalink / raw)


A friendly reminder that kabuki-west is not an appropriate forum for baby announcements! ;)

http://www.art.net/~hopkins/Don/text/rms-vs-doctor.html <http://www.art.net/~hopkins/Don/text/rms-vs-doctor.html>

-Don

> On 15 Nov 2017, at 22:36, Erik E. Fair <fair-tuhs at netbsd.org> wrote:
> 
> I had dinner in Berkeley the evening of the Morris Worm at Joshu-Ya - the "Kabuki West" dinner group that Russell Brand started when he moved west from MIT, with some help from me. Unusually, I went directly bed when I got home to Mountain View instead of reading E-mail on apple.com before crashing out. Many of my dinner companions went back to the eXperimental Computing Facility (XCF - for undergrads) in Cory Hall on the UCB campus, found their facilities under attack, and coordinated with a team at MIT to perform analysis. I remember that Dave Pare put the binary analysis skills he'd acquired in decompiling psl's empire game to good use in analyzing the worm.
> 
> I found out the next morning that apple.com was off the Internet (CSNET had shut off the X25NET), and that it (a VAX-11/780 running 4.3 BSD UNIX; we upgraded to an 8650 not much later) had been successfully attacked 17 times overnight ... but that our X25NET connection (IP over X.25 at 9600 baud) had been so flakey that the worm hadn't managed to successfully download its second part and start it. I shut off the finger TCP service, checked to make sure our sendmail(8) didn't have the "debug  mode feature" that the worm exploited, and told CSNET to turn us back on.
> 
> 	Erik Fair, formerly {post,host}master at apple.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171115/f556cf14/attachment-0001.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-04  1:15 ` Dave Horsfall
@ 2017-11-15 21:36   ` Erik E. Fair
  2017-11-15 21:50     ` Don Hopkins
                       ` (2 more replies)
  0 siblings, 3 replies; 62+ messages in thread
From: Erik E. Fair @ 2017-11-15 21:36 UTC (permalink / raw)


I had dinner in Berkeley the evening of the Morris Worm at Joshu-Ya - the "Kabuki West" dinner group that Russell Brand started when he moved west from MIT, with some help from me. Unusually, I went directly bed when I got home to Mountain View instead of reading E-mail on apple.com before crashing out. Many of my dinner companions went back to the eXperimental Computing Facility (XCF - for undergrads) in Cory Hall on the UCB campus, found their facilities under attack, and coordinated with a team at MIT to perform analysis. I remember that Dave Pare put the binary analysis skills he'd acquired in decompiling psl's empire game to good use in analyzing the worm.

I found out the next morning that apple.com was off the Internet (CSNET had shut off the X25NET), and that it (a VAX-11/780 running 4.3 BSD UNIX; we upgraded to an 8650 not much later) had been successfully attacked 17 times overnight ... but that our X25NET connection (IP over X.25 at 9600 baud) had been so flakey that the worm hadn't managed to successfully download its second part and start it. I shut off the finger TCP service, checked to make sure our sendmail(8) didn't have the "debug  mode feature" that the worm exploited, and told CSNET to turn us back on.

	Erik Fair, formerly {post,host}master at apple.com


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-01 22:17 Dave Horsfall
                   ` (6 preceding siblings ...)
  2017-11-02 17:56 ` Don Hopkins
@ 2017-11-04  1:15 ` Dave Horsfall
  2017-11-15 21:36   ` Erik E. Fair
  7 siblings, 1 reply; 62+ messages in thread
From: Dave Horsfall @ 2017-11-04  1:15 UTC (permalink / raw)


Well, that sure stirred up a hornet's nest; then again, I've been a 
stirrer for most of my 65 years (just ask anyone who knows me, including 
WKT), so I guess I should've expected it...

There are far too many responses to deal with individually (it will only 
go exponential) so I'll make this my final post, and then it can continue 
off-list if people insist; if Warren has shut down the topic then I 
haven't noticed it yet, but at least I can see it's an active topic going 
by the "TUHS" tag (and thanks again Warren for reinstating that).

First, apologies I guess to anyone who was offended, but I've never balked 
at kicking the odd sacred cow now and then.

I would've dismissed RTM's effort as an "oopsie" that we all make from 
time to time, except for the following extract from the Morris Worm page:

https://en.wikipedia.org/wiki/Morris_worm

``The critical error that transformed the worm from a potentially harmless
   intellectual exercise into a virulent denial of service attack was in the
   spreading mechanism. The worm could have determined whether to invade a
   new computer by asking whether there was already a copy running. But just
   doing this would have made it trivially easy to stop, as administrators
   could just run a process that would answer "yes" when asked whether there
   was already a copy, and the worm would stay away. The defense against this
   was inspired by Michael Rabin's mantra "Randomization". To compensate for
   this possibility, Morris directed the worm to copy itself even if the
   response is "yes" 1 out of 7 times. This level of replication proved
   excessive, and the worm spread rapidly, infecting some computers multiple
   times. Rabin said that Morris "should have tried it on a simulator
   first".''

The (reconstructed) source code, easily found in a few seconds, shows just 
that i.e. it was *designed* to avoid any attempts to suppress it; a simple 
statistical analysis shows that it would become uncontrollable even within 
a small cluster (I can provide it upon request, in case anyone doubts my 
admittedly-rusty statistical skills).

The first thing any binary did was to unlink itself, thereby making 
detection difficult.

It forks a lot to change the process ID, thereby making it difficult to 
kill.

It encrypts all the strings (a simple XOR with 0x81), thereby disguising 
it.

In short, although I doubt whether there was malicious intent, if I were 
to write something to bring down the Internet then I would start along 
those lines.

No doubt his goal was laudable (estimating the number of hosts) but there 
are weirdos like me who prefer not to be "counted" (even my census returns 
are illegally anonymous, by not providing a real name, no birth date but 
age is OK, no street address but suburb is OK; I don't care who knows that 
I'm an atheist as until now we were lumped in as "other"); I regularly 
fend off such probing attempts in my firewall (ACK scans, FIN scans, etc).

So, was RTM an idiot or not?  You be the judge.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-03 19:26   ` Toby Thain
@ 2017-11-03 20:54     ` Arthur Krewat
  0 siblings, 0 replies; 62+ messages in thread
From: Arthur Krewat @ 2017-11-03 20:54 UTC (permalink / raw)


BTW, the one case I was thinking of when I wrote this is not even 
documented anywhere. I can't find any reference to it whatsoever. It 
happened around 1983/84.

So it's not only the public cases, there were ones that were swept under 
the rug it seems. All the while, the defendant was threatened with 20-30 
years in a federal prison, but eventually was given 10 years probation.

I knew the guy involved. It was an interesting time.

On 11/3/2017 3:26 PM, Toby Thain wrote:
> On 2017-11-03 9:11 AM, Arthur Krewat wrote:
>> Around the mid 80's,there was another case where the DoJ was willing to
>> crush someone, not for causing a real disruption, but for getting into
>> the wrong places and reading the wrong things.
>>
>> I'll keep the details out, but the prosecution of RTM might have been
>> more over the top because of preceding cases of hacking.
> The DOJ brutality has only got worse since then:
>
> https://topdocumentaryfilms.com/internet-own-boy-story-aaron-swartz/
>
> --Toby
>



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-03 13:11 ` Arthur Krewat
@ 2017-11-03 19:26   ` Toby Thain
  2017-11-03 20:54     ` Arthur Krewat
  0 siblings, 1 reply; 62+ messages in thread
From: Toby Thain @ 2017-11-03 19:26 UTC (permalink / raw)


On 2017-11-03 9:11 AM, Arthur Krewat wrote:
> Around the mid 80's,there was another case where the DoJ was willing to
> crush someone, not for causing a real disruption, but for getting into
> the wrong places and reading the wrong things.
> 
> I'll keep the details out, but the prosecution of RTM might have been
> more over the top because of preceding cases of hacking.

The DOJ brutality has only got worse since then:

https://topdocumentaryfilms.com/internet-own-boy-story-aaron-swartz/

--Toby


> 
> 
> 
> On 11/3/2017 6:23 AM, Noel Chiappa wrote:
>> lion's share of the blame: that has to go to Rasch,
>> and his superiors at the DoJ, who were apparently (as best I can
>> understand
>> their motives) willing to crush a young man under a bus to make a point.
> 
> 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-03 10:23 Noel Chiappa
  2017-11-03 11:20 ` arnold
@ 2017-11-03 13:11 ` Arthur Krewat
  2017-11-03 19:26   ` Toby Thain
  1 sibling, 1 reply; 62+ messages in thread
From: Arthur Krewat @ 2017-11-03 13:11 UTC (permalink / raw)


Around the mid 80's,there was another case where the DoJ was willing to 
crush someone, not for causing a real disruption, but for getting into 
the wrong places and reading the wrong things.

I'll keep the details out, but the prosecution of RTM might have been 
more over the top because of preceding cases of hacking.



On 11/3/2017 6:23 AM, Noel Chiappa wrote:
> lion's share of the blame: that has to go to Rasch,
> and his superiors at the DoJ, who were apparently (as best I can understand
> their motives) willing to crush a young man under a bus to make a point.



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-03 10:23 Noel Chiappa
@ 2017-11-03 11:20 ` arnold
  2017-11-03 13:11 ` Arthur Krewat
  1 sibling, 0 replies; 62+ messages in thread
From: arnold @ 2017-11-03 11:20 UTC (permalink / raw)


jnc at mercury.lcs.mit.edu (Noel Chiappa) wrote:

>     > From: Arnold Skeeve
                     ^^^^^^ Skeeve is my domain. Robbins is my last name.

>     > I suspect that he was also still young and fired up about things. :-)
>     > ...
>     > (In other words, he too probably deserves to be cut some slack.)
>
> Much as RTM was cut some slack?

I should have said "cut some slack now".

I don't disagree with the rest of what you've said.

> The thing is there's a key difference. RTM didn't _intend_ to melt down the
> network, whereas Gene presumbly - hopefully - thought about it for a while
> before he made his call to inflict severe punishment.

And had he been a bit older and wiser, he might have done things
differently.

Whatever. I dn't want to get into an argument, since I am singularly
unfamiliar with the details of the case.  I merely point at that
Spafford is human too.

Thanks,

Arnold


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
@ 2017-11-03 10:23 Noel Chiappa
  2017-11-03 11:20 ` arnold
  2017-11-03 13:11 ` Arthur Krewat
  0 siblings, 2 replies; 62+ messages in thread
From: Noel Chiappa @ 2017-11-03 10:23 UTC (permalink / raw)


    > From: Arnold Skeeve

    > I suspect that he was also still young and fired up about things. :-)
    > ...
    > (In other words, he too probably deserves to be cut some slack.)

Much as RTM was cut some slack?

The thing is there's a key difference. RTM didn't _intend_ to melt down the
network, whereas Gene presumbly - hopefully - thought about it for a while
before he made his call to inflict severe punishment.

Did RTM do something wrong? Absolutely. Did he deserve some punishment?
Definitely. But years in jail? Yes, it caused a lot of disruption - but to any
one person, not an overwhelming amount.

Luckily, the judge was wise enough, and brave enough, to put the sentencing
guidelines (and the DoJ recommendation, IIRC) to one side.

However, that too was not without a cost; it was one more stone added to what
is admittedlyalready a mountain of precedent that judges can ignore the
legislature's recommendations - and once one does it, another will feel more
free to do so. And so we pass from a government of laws to a government of
men.

But I don't give Gene the lion's share of the blame: that has to go to Rasch,
and his superiors at the DoJ, who were apparently (as best I can understand
their motives) willing to crush a young man under a bus to make a point. The
power to prosecute and punish is an awesome one, and should be wielded
carefully and with judgement, and it was their failure to do so that really
was the root cause.

    Noel


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 21:59       ` Don Hopkins
@ 2017-11-02 22:27         ` Ralph Corderoy
  0 siblings, 0 replies; 62+ messages in thread
From: Ralph Corderoy @ 2017-11-02 22:27 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 578 bytes --]

Hi Don,

> 2) Gene Spafford, for the most tasteless article ever to appear in CACM
>    (special credits for the Jodie Foster joke).

Did some variation of this appear in CACM?

    The Internet Worm Incident
    Eugene H. Spafford, Purdue University
    http://docs.lib.purdue.edu/cstech/793/

    As Rick Adams of the Center for Seismic Studies observed in a
    posting to the Usenet, we may someday hear that the Worm was
    actually written to impress Jodie Foster — we simply do not know the
    real reason.

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 20:32     ` Don Hopkins
@ 2017-11-02 21:59       ` Don Hopkins
  2017-11-02 22:27         ` Ralph Corderoy
  0 siblings, 1 reply; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 21:59 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 1857 bytes --]

Can anyone remember or decipher what this was about???

Date: 24 Mar 90 06:52:43 GMT
From: dmr@alice.att.com
Subject: Re: Contest announcement
To: misc-security at uunet.uu.net

My own contest is "Most appalling display of classlessness in dealing with
a serious subject."  The nominees are:

1) National Center for Computer Crime Data, Security Magazine, and
   Gene Spafford, for their "How High Shall We Hang Robert Morris?"
   contest.

2) Gene Spafford, for the most tasteless article ever to appear in CACM
   (special credits for the Jodie Foster joke).

        Dennis Ritchie

Some context maybe?

https://tedium.co/2015/07/23/early-computer-virus-history/ <https://tedium.co/2015/07/23/early-computer-virus-history/>

To this day, Morris doesn’t really talk about it—though in a lot of ways, his worm had positive side effects, by exposing just how poor security was on many university networks. People didn’t care about password security until Robert Morris came along. Now, security is treated as an immensely important part of running a large network. And Morris, who currently serves as an assistant professor in MIT’s Computer Science and Artificial Intelligence Laboratory, has become a person worthy of emulating—something that can’t be said about John McAfee these days.

“He has not tried to make any money or work in this area,” Purdue University computer science professor Eugene Spafford said of Morris in an interview with The Washington Post. “His behavior has been consistent in supporting his defense: that it was an accident and he felt badly about it. I think it’s very much to his credit that that has been his behavior ever since.”

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/1591af62/attachment-0001.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 18:32   ` Lars Brinkhoff
@ 2017-11-02 20:32     ` Don Hopkins
  2017-11-02 21:59       ` Don Hopkins
  0 siblings, 1 reply; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 20:32 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 876 bytes --]

You’re right, if you leave out the extra ESC it might work better!

The "condom-with-a-hole-in-it” fix didn’t say exactly which characters to actually type, or even that you had to use emacs, but who in their right mind would use vi to edit a binary (and isn’t already running a root emacs anyway)?

-Don


> On 2 Nov 2017, at 19:32, Lars Brinkhoff <lars at nocrew.org> wrote:
> 
> Don Hopkins wrote:
>> emacs /usr/ucb/sendmail (or whatever directory you keep all your
>> stinky hippie software in), ^S DEBUG ESC M-b ^D ^Q ^@ ^X ^S (that is,
>> null out the first character of the “DEBUG” command).
> 
> This piqued my interest, because exiting incremental search with ESC
> doesn't look familiar to me (unless in ITS).  I tried it in a recent
> Emacs, and just got "ESC M-b is undefined".  Emacs 18 was contemporary
> with the Morris Worm.  Would it allow ESC?



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:25   ` Dan Cross
  2017-11-02 15:52     ` Will Senn
@ 2017-11-02 18:42     ` Ken Thompson
  1 sibling, 0 replies; 62+ messages in thread
From: Ken Thompson @ 2017-11-02 18:42 UTC (permalink / raw)


my son, corey, and rtm, were two 'kids' that haunted the
unix room (high school age). later (college age) i was
in australia teaching when the worm got out. during
a phone call to corey, i told him about the chaos.
with no more clue than that, he said "if i didnt know
better, i would think that it was rtm." it wasnt until
considerably later that the morris' name came up.



On Thu, Nov 2, 2017 at 8:25 AM, Dan Cross <crossd at gmail.com> wrote:
> On Thu, Nov 2, 2017 at 10:42 AM, Will Senn <will.senn at gmail.com> wrote:
>> I seem to recall that this story was included as part of The Cuckoo's Egg,
>> by Clifford Stoll. I don't recall the specifics and I wonder if it has a bit
>> of myth included, but somehow it was peripherally related to the
>> investigations. Fuzzy recollection is that the worm got out during the
>> investigation Clifford was involved in and it was Morris's son (Morris being
>> in on the investigation somehow), and the kid getting off because of the
>> position of the dad and the newness of the crime... or somesuch - don't
>> shoot the messenger, but nobody mentioned Stoll, so I thought I'd chime in,
>> in the hopes it might jog someone else's memory :).
>
> Stoll mentions the worm in an epilogue to The Cuckoo's Egg; it happens
> after the main events of the book. Apparently, for a brief time, some
> folks thought that he might be the one behind the worm and someone
> called him up and asked him if he'd written it.
>
> Cliff Stoll talked to a number of people in law enforcement and in
> government and thus made a number of contacts while he was pursuing
> Markus Hess (the pursuit of Hess being the main story of The Cuckoo's
> Egg): Robert Morris Sr was among those contacts. When the worm hit, he
> talked to Morris Sr and asked him if he knew who started it. The
> response was something along the lines of, "Yes, but I can't tell
> you."
>
>         - Dan C.


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 17:56 ` Don Hopkins
@ 2017-11-02 18:32   ` Lars Brinkhoff
  2017-11-02 20:32     ` Don Hopkins
  0 siblings, 1 reply; 62+ messages in thread
From: Lars Brinkhoff @ 2017-11-02 18:32 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 472 bytes --]

Don Hopkins wrote:
> emacs /usr/ucb/sendmail (or whatever directory you keep all your
> stinky hippie software in), ^S DEBUG ESC M-b ^D ^Q ^@ ^X ^S (that is,
> null out the first character of the “DEBUG” command).

This piqued my interest, because exiting incremental search with ESC
doesn't look familiar to me (unless in ITS).  I tried it in a recent
Emacs, and just got "ESC M-b is undefined".  Emacs 18 was contemporary
with the Morris Worm.  Would it allow ESC?


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 17:00       ` Don Hopkins
@ 2017-11-02 17:57         ` Don Hopkins
  0 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 17:57 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 12872 bytes --]

Inspired by RTM’s Internet Worm and the Iran Contra Scandal, I wrote an OPS-5 program for my CMSC421 AI project that simulated breaking into Oliver North’s Intimus-007s paper shredder and posting some incriminating documents to the email => talk.rumor gateway at ucbvax. 

It (pretend) started out my (real) AI professor’s (Jim Hendler) Sun (pretend) workstation dormouse, then got into the (pretend) CS department VAX mimsy through his .rhosts file.  

It just so happened that (for real) mimsy.cs.umd.edu <http://mimsy.cs.umd.edu/> had a lot of courtesy “network contact” users who worked for the NSA at Fort Mead, since we had a MILNET connection through the infamous NSA IMP 57 (which you were not supposed to say in public). (The fact that mimsy.cs.umd.edu <http://mimsy.cs.umd.edu/> and dockmaster.ncsc.mil had similar ip addresses kind of gave it away.)

http://multicians.org/site-dockmaster.html <http://multicians.org/site-dockmaster.html>

Then it used the IFS hack to get root on (pretend) mimsy, and then (pretend) spread as far as it could by (pretend) chaining through .rhosts files and other various (pretend) hacks, (pretend) user name / password guessing, (pretend) rms’ing into prep, etc. OPS-5 is really great at that kind of stuff (for real)! 

https://en.wikipedia.org/wiki/OPS5 <https://en.wikipedia.org/wiki/OPS5>

It eventually (pretend) found its way to (pretend) tycho, which was (for real) one of NSA’s unix machines, PDP-11 running version 6 unix (which nobody was supposed to say in public, otherwise they were forced to publicly apologize and endorse the official NSA cover story that very few employees of NSA are even aware that USENET exist). 

https://groups.google.com/forum/#!topic/net.net-people/pavX0NDLSjA <https://groups.google.com/forum/#!topic/net.net-people/pavX0NDLSjA>

Fortunately (pretend) Oliver North had an account on (pretend) tycho, so it was able to (pretend) break into his (pretend) basement server in the White House, and then into his (pretend) Intimus-007s paper shredder ("the ace of security paper shredders” — which is the model he had for real), where it found some interesting (pretend) documents that it (pretend) posted to (pretend) Usenet! 

Check out this baby, isn’t it a beauty:

http://www.the-shredder-warehouse.com/intimus-007sf <http://www.the-shredder-warehouse.com/intimus-007sf>

-Don


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; A useful OPS-5 program
; Don Hopkins, University of Maryland
; CMSC421, Project 6
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

(literalize user
	user
	password
	first
	last
	host)

(literalize file
	name
	owner
	writable
	host)

(literalize goal
	status
	type
	file
	user
	password
	host
	ruser
	rhost)

(literalize rhosts
	user
	host
	ruser
	rhost)

(literalize session
	user
	host)

(literalize log
	user
	host
	status
	serial)

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

(p crack1
	(session ^user <user> ^host <host>)
	(rhosts ^user <ruser> ^host <rhost>
		^ruser <user> ^rhost <host>)
	(user ^user <ruser> ^host <rhost>)
	-(session ^user <ruser> ^host <rhost>)
    -->
	(make goal ^type rlogin ^status active
		   ^user <ruser> ^host <rhost>
		   ^ruser <user> ^rhost <host>))

(p crack2
	(session ^user <user> ^host <host>)
	(user ^user <ruser> ^password none ^host <rhost>)
	-(session ^user <ruser> ^host <rhost>)
    -->
	(make goal ^type telnet ^status active
	           ^user <user> ^host <host>
		   ^ruser <ruser> ^password none ^rhost <rhost>))

(p crack3
        (session ^user <user> ^host <host>)
    {	(goal ^type telnet ^status active
	      ^user <user> ^host <host>
	      ^ruser <ruser> ^password <password> ^rhost <rhost>) <g3> }
	(user ^user <ruser> ^host <rhost>)
    -->
	(write (crlf) ... from <user> at <host> ... telnet <rhost> 
	       (crlf) ... login <ruser> password <password>)
	(make goal ^type login ^status active
	           ^user <ruser> ^host <rhost> ^password <password>)
	(modify <g3> ^status satisfied))

(p crack4
	(session ^user <user> ^host <host>)
	-(session ^user root ^host <host>)
    -->
	(make goal ^type crack ^status active ^host <host>))

(p crack5
        (session ^user root ^host <host>)
    {	(goal ^type su ^status active
	      ^user <user> ^host <host>) <g5> }
	(user ^user <user> ^host <host> ^password <password>)
	-(session ^user <user> ^host <host>)
    -->
	(write (crlf) ... su from root to <user> at <host>)
	(make goal ^type login ^status active
	           ^user <user> ^host <host> ^password <password>)
	(modify <g5> ^status satisfied))

(p crack6
	(session ^user root ^host <host>)
	(user ^user <user> <> root ^host <host>)
	-(session ^user <user> ^host <host>)
    -->
	(make goal ^type su ^status active
		   ^user <user> ^host <host>))

(p crack7
	(session ^user sysdiag ^host <host>)
	(user ^user root ^host <host> ^password <password>)
    {	(goal ^type crack ^status active ^host <host>) <g7> }
	-(session ^user root ^host <host>)
    -->
	(write (crlf) ... sysdiag at <host> is equivalent to root)
	(make goal ^type login ^status active
	           ^user root ^host <host> ^password <password>)
	(modify <g7> ^status satisfied))

(p crack8
    {	(goal ^type rlogin ^status active
	      ^user <ruser> ^host <rhost>
	      ^ruser <user> ^rhost <host>) <g8> }
	(session ^user <user> ^host <host>)
	(user ^user <ruser> ^host <rhost> ^password <password>)
	(rhosts ^user <ruser> ^host <rhost>
		^ruser <user> ^rhost <host>)
	-(session ^user <ruser> ^host <rhost>)
    -->
	(write (crlf) ... from <user> at <host>
	       ... rlogin to <ruser> at <rhost>)
	(make goal ^type login ^status active
	           ^user <ruser> ^host <rhost> ^password <password>)
	(modify <g8> ^status satisfied))

(p crack9
	(session ^user <user> ^host <host>)
	(file ^user passwd ^writable yes ^host <host>)
    {	(user ^user root ^password <> none ^host <host>) <g9> }
	(goal ^type crack ^status active ^host <host>)
    -->
	(write (crlf) ... passwd file is writable on <host>
	       ... removing root password)
	(modify <g9> ^password none))

(p crack10
    {	(goal ^type login ^status active
	      ^user <user> ^host <host>
	      ^password <password>) <g10> }
	(user ^user <user> ^host <host> ^password <password>)
    -->
	(bind <serial>)
	(write (crlf) ... audit <serial> of OK login <user> at <host>
	       password <password>)
	(make session ^user <user> ^host <host>)
	(make log ^user <user> ^host <host>
	      ^status OK ^serial <serial>)
	(modify <g10> ^status satisfied))

(p crack11
    {	(log ^user <user> ^host <host> ^serial <serial>) <g11> }
	(session ^user root ^host <host>)
	(goal ^type covert)
    -->
	(write (crlf) ... cleaning up audit <serial> of login <user> at <host>)
	(remove <g11>))

(p crack12
    {	(session ^user <user> ^host <host>) <g12> }
	(goal ^type crack ^status active ^host <host>)
	(file ^name preserve ^host <host>)
	-(goal ^type ifs-hack ^host <host>)
    -->
	(write (crlf) ... trying IFS hack and logging out from
	       <user> at <host>)
	(make goal ^type ifs-hack ^status active ^host <host>)
	(remove <g12>))

(p crack13
    {	(user ^user root ^host <host>) <g13a> }
    {	(goal ^type ifs-hack ^status active ^host <host>) <g13b> }
	(file ^name preserve ^host <host>)
    -->
	(write (crlf) ... IFS hack succeeded in removing root password
	       at <host>)
	(modify <g13a> ^password none)
	(modify <g13b> ^status satisfied))

(p crack14
	(session ^user <user> ^host <host>)
	(file ^name <name> ^owner <user> ^host <host>)
    {	(goal ^type mail ^status active ^file <name>
	      ^ruser <ruser> ^rhost <rhost>) <g14> }
    -->
	(write (crlf) ... found <name> belonging to <user> at <host>
	       (crlf) ... mailing <name> to <ruser> at <rhost>)
	(modify <g14> ^status satisfied))

(p crack15
	(session ^user <user> ^host <host>)
	(goal ^type mail ^status satisfied)
	(goal ^type covert)
    -->
	(make goal ^type logout ^status active
	           ^user <user> ^host <host>))

(p crack16
	(goal ^type mail ^status satisfied)
	-(session)
    -->
	(write (crlf) ... time to stop fooling around and
	       go read some netnews)
	(halt))

(p crack17
    {	(goal ^type login ^status active
	      ^user <user> ^host <host>
	      ^password <password>) <g17> }
	(user ^user <user> ^host <host> ^password <> <password>)
    -->
	(bind <serial>)
	(write (crlf) ... audit <serial> of BAD login <user> at <host>
	       password <password>)
	(make log ^user <user> ^host <host>
	      ^status BAD ^serial <serial>)
	(modify <g17> ^status satisfied))

(p crack18
        (session ^user <user> ^host <host>)
	(user ^user <ruser> ^host <host>
	      ^first {<first> <> nil})
	-(session ^user <ruser> ^host <host>)
	-(goal ^type covert)
	-(goal ^type telnet ^status satisfied
	       ^ruser <ruser> ^rhost <host> ^password <first>)
    -->
	(write (crlf) ... guessing user <ruser> at <host>
	       password <first>)
	(make goal ^type telnet ^status active
	           ^user <user> ^host <host>
	           ^ruser <ruser> ^rhost <host> ^password <first>))

(p crack19
	(session ^user <user> ^host <host>)
	(user ^user <ruser> ^host <host>
	      ^last {<last> <> nil})
	-(session ^user <ruser> ^host <host>)
	-(goal ^type covert)
	-(goal ^type telnet ^status satisfied
	       ^ruser <ruser> ^rhost <host> ^password <last>)
    -->
	(write (crlf) ... guessing user <ruser> at <host>
	       password <last>)
	(make goal ^type telnet ^status active
	           ^user <user> ^host <host>
		   ^ruser <ruser> ^rhost <host> ^password <last>))

(p crack20
    {	(session ^user <user> ^host <host>) <g20a> }
    {	(goal ^type logout ^status active
	      ^user <user> ^host <host>) <g20b> }
    -->
	(write (crlf) ... logging out from <user> at <host>)
	(remove <g20a>)
	(modify <g20b> ^status satisfied))

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

(p t1
	(start 1)
    -->
	(make goal ^type covert)
	(make start 2))

(p t2
	(start 2)
    -->
	; host tycho
	(make file ^name preserve ^owner root ^host tycho)
	(make user ^user root ^password unknown ^host tycho)
	(make user ^user casper ^password unknown ^host tycho)
	(make rhosts ^user casper ^host tycho
	             ^ruser casper ^rhost mimsy)
	(make user ^user ollie ^password unknown ^host tycho)
	(make rhosts ^user ollie ^host tycho
	             ^ruser ollie ^rhost basement)

	; host basement
	(make user ^user root ^password ron ^host basement
	           ^first ron ^last reagan)
	(make user ^user casey ^password bill ^host basement
	           ^first bill ^last casey)
	(make user ^user fawn ^password unknown ^host basement
	           ^first fawn ^last hall)
	(make rhosts ^user fawn ^host basement
	             ^ruser fawn ^rhost intimus-007s)
	(make user ^user iatollah ^password unknown ^host basement
	           ^first guest ^last iranian)
	(make rhosts ^user iatollah ^host basement
	             ^ruser allah ^rhost persia)
	(make user ^user ollie ^password unknown ^host basement)
	(make rhosts ^user ollie ^host basement
	             ^ruser ollie ^rhost tycho)
	(make file ^name notes ^owner ollie ^host basement)

	; host intimus-007s ("the ace of security paper shredders")
	(make user ^user fawn ^password unknown ^host intimus-007s)
	(make rhosts ^user fawn ^host intimus-007s
	             ^ruser fawn ^rhost basement)
	(make user ^user ollie ^password north ^host intimus-007s
	           ^first ollie ^last north)
	(make file ^name diary ^owner ollie ^host intimus-007s)

	; host mimsy
	(make file ^name passwd ^writable yes ^owner root ^host mimsy)
	(make user ^user root ^password unknown ^host mimsy)
	(make user ^user casper ^password unknown ^host mimsy)
	(make rhosts ^user casper ^host mimsy
	             ^ruser casper ^rhost tycho)
	(make user ^user hendler ^password unknown ^host mimsy)
	(make rhosts ^user hendler ^host mimsy
	             ^ruser hendler ^rhost dormouse)

	; host dormouse
	(make user ^user root ^password unknown ^host dormouse)
	(make user ^user sysdiag ^password none ^host dormouse)
	(make user ^user hendler ^password unknown ^host dormouse)
	(make rhosts ^user hendler ^host dormouse
		     ^ruser hendler ^rhost mimsy)

	; host prep
	(make user ^user rms ^password rms ^host prep)

	; give ourselves a meaning in life ...
	(make goal ^type mail ^status active
	           ^file diary ^ruser post-talk-rumor ^rhost ucbvax)
	(make goal ^type mail ^status active
	           ^file notes ^ruser post-talk-rumor ^rhost ucbvax)

	; and point us in the right direction ...
	(make session ^user nobody ^host nowhere)
	(make goal ^type telnet ^status active
	           ^user nobody ^host nowhere
		   ^ruser rms ^password rms ^rhost prep))



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/cc9044f1/attachment-0001.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-01 22:17 Dave Horsfall
                   ` (5 preceding siblings ...)
  2017-11-02  8:18 ` arnold
@ 2017-11-02 17:56 ` Don Hopkins
  2017-11-02 18:32   ` Lars Brinkhoff
  2017-11-04  1:15 ` Dave Horsfall
  7 siblings, 1 reply; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 17:56 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 1966 bytes --]

One of the temporary condoms with a hole in it that was going around immediately after the worm hit was to emacs /usr/ucb/sendmail (or whatever directory you keep all your stinky hippie software in), ^S DEBUG ESC M-b ^D ^Q ^@ ^X ^S (that is, null out the first character of the “DEBUG” command). 

Apparently some bright Sun sysadmin immediately applied that patch to the sendmail server running on sun.com <http://sun.com/>...

I needed to verify a sun.com email address on a mailing list I ran, so I went “telnet sun.com <http://sun.com/> 25” and hit return a couple times to flush out the telnet negotiation characters (the telnet client sends a few characters of telnet protocol like an “interpret as command” escape sequence like “IAC DON’T RANDOMLY-LOSE", so hitting return causes a syntax error and reads a fresh new line). 

The second return I hit entered an empty line that matched the DEBUG command whose name was now the null string.

When I did “expn foo at sun.com <mailto:foo at sun.com>” it dumped out pages of debugging information!!! 

So I’d accidentally put sun.com’s sendmail into debug mode by pressing return, since they'd effectively renamed the “DEBUG” command to “”, which stopped the worm, but not me!

-Don

> On 1 Nov 2017, at 23:17, Dave Horsfall <dave at horsfall.org> wrote:
> 
> The infamous Morris Worm was released in 1988; making use of known vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was accidental, but the idiot hadn't tested it on an isolated network first). A temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".
> 
> -- 
> Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/6c640e8f/attachment.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:26     ` Tim Bradshaw
                         ` (5 preceding siblings ...)
  2017-11-02 16:57       ` Don Hopkins
@ 2017-11-02 17:00       ` Don Hopkins
  2017-11-02 17:57         ` Don Hopkins
  6 siblings, 1 reply; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 17:00 UTC (permalink / raw)


From ulowell!page Mon Nov  7 17:59:18 1988
Subject: worm report
Status: RO

[I wrote this for our local users; thought you might like a copy  ..Bob]





                     A REPORT ON THE INTERNET WORM


                               Bob Page
                          University of Lowell
                      Computer Science Department


                            November 7, 1988


     [Because of the many misquotes the media have been giving,
     this report is Copyright (c) Bob Page, all rights reserved.
     Permission is granted to republish this ONLY if you republish
     it in its entirety.]


Here's the scoop on the "Internet Worm".  Actually it's not a virus -
a virus is a piece of code that adds itself to other programs,
including operating systems.  It cannot run independently, but rather
requires that its "host" program be run to activate it.  As such, it
has a clear analog to biologic viruses -- those viruses are not
considered live, but they invade host cells and take them over, making
them produce new viruses.

A worm is a program that can run by itself and can propagate a fully
working version of itself to other machines.  As such, what was loosed
on the Internet was clearly a worm.

This data was collected through an emergency mailing list set up by
Gene Spafford at Purdue University, for administrators of major
Internet sites - some of the text is included verbatim from that list.
Mail was heavy since the formation of the list; it continues to be on
Monday afternoon - I get at least 2-3 messages every hour.  It's
possible that some of this information is incomplete, but I thought
you'd like to know what I know so far.

The basic object of the worm is to get a shell on another machine so
it can reproduce further.  There are three ways it attacks: sendmail,
fingerd, and rsh/rexec.


THE SENDMAIL ATTACK:

In the sendmail attack, the worm opens a TCP connection to another
machine's sendmail (the SMTP port), invokes debug mode, and sends a
RCPT TO that requests its data be piped through a shell.  That data, a
shell script (first-stage bootstrap) creates a temporary second-stage
bootstrap file called x$$,l1.c (where '$$' is the current process ID).
This is a small (40-line) C program.

The first-stage bootstrap compiles this program with the local cc and
executes it with arguments giving the Internet hostid/socket/password
of where it just came from.  The second-stage bootstrap (the compiled
C program) sucks over two object files, x$$,vax.o and x$$,sun3.o from
the attacking host.  It has an array for 20 file names (presumably for
20 different machines), but only two (vax and sun) were compiled in to
this code.  It then figures out whether it's running under BSD or
SunOS and links the appropriate file against the C library to produce
an executable program called /usr/tmp/sh - so it looks like the Bourne
shell to anyone who looked there.


THE FINGERD ATTACK:

In the fingerd attack, it tries to infiltrate systems via a bug in
fingerd, the finger daemon.  Apparently this is where most of its
success was (not in sendmail, as was originally reported).  When
fingerd is connected to, it reads its arguments from a pipe, but
doesn't limit how much it reads.  If it reads more than the internal
512-byte buffer allowed, it writes past the end of its stack.  After
the stack is a command to be executed ("/usr/ucb/finger") that
actually does the work.  On a VAX, the worm knew how much further from
the stack it had to clobber to get to this command, which it replaced
with the command "/bin/sh" (the bourne shell).  So instead of the
finger command being executed, a shell was started with no arguments.
Since this is run in the context of the finger daemon, stdin and
stdout are connected to the network socket, and all the files were
sucked over just like the shell that sendmail provided.


THE RSH/REXEC ATTACK:

The third way it tried to get into systems was via the .rhosts and
/etc/hosts.equiv files to determine 'trusted' hosts where it might be
able to migrate to.  To use the .rhosts feature, it needed to actually
get into people's accounts - since the worm was not running as root
(it was running as daemon) it had to figure out people's passwords.
To do this, it went through the /etc/passwd file, trying to guess
passwords.  It tried combinations of: the username, the last, first,
last+first, nick names (from the GECOS field), and a list of special
"popular" passwords:

aaa       cornelius     guntis    noxious   simon
academia      couscous      hacker    nutrition simple
aerobics      creation      hamlet    nyquist   singer
airplane      creosote      handily   oceanography  single
albany        cretin        happening     ocelot    smile
albatross     daemon        harmony   olivetti  smiles
albert        dancer        harold    olivia    smooch
alex          daniel        harvey    oracle    smother
alexander     danny     hebrides      orca      snatch
algebra       dave      heinlein      orwell    snoopy
aliases       december      hello     osiris    soap
alphabet      defoe     help      outlaw    socrates
ama       deluge        herbert   oxford    sossina
amorphous     desperate     hiawatha      pacific   sparrows
analog        develop       hibernia      painless  spit
anchor        dieter        honey     pakistan  spring
andromache    digital       horse     pam       springer
animals       discovery     horus     papers    squires
answer        disney        hutchins      password  strangle
anthropogenic dog       imbroglio     patricia  stratford
anvils        drought       imperial      penguin   stuttgart
anything      duncan        include   peoria    subway
aria          eager     ingres    percolate success
ariadne       easier        inna      persimmon summer
arrow         edges     innocuous     persona   super
arthur        edinburgh     irishman      pete      superstage
athena        edwin     isis      peter     support
atmosphere    edwina        japan     philip    supported
aztecs        egghead       jessica   phoenix   surfer
azure         eiderdown     jester    pierre    suzanne
bacchus       eileen        jixian    pizza     swearer
bailey        einstein      johnny    plover    symmetry
banana        elephant      joseph    plymouth  tangerine
bananas       elizabeth     joshua    polynomial    tape
bandit        ellen     judith    pondering target
banks         emerald       juggle    pork      tarragon
barber        engine        julia     poster    taylor
baritone      engineer      kathleen      praise    telephone
bass          enterprise    kermit    precious  temptation
bassoon       enzyme        kernel    prelude   thailand
batman        ersatz        kirkland      prince    tiger
beater        establish     knight    princeton toggle
beauty        estate        ladle     protect   tomato
beethoven     euclid        lambda    protozoa  topography
beloved       evelyn        lamination    pumpkin   tortoise
benz          extension     larkin    puneet    toyota
beowulf       fairway       larry     puppet    trails
berkeley      felicia       lazarus   rabbit    trivial
berliner      fender        lebesgue      rachmaninoff  trombone
beryl         fermat        lee       rainbow   tubas
beverly       fidelity      leland    raindrop  tuttle
bicameral     finite        leroy     raleigh   umesh
bob       fishers       lewis     random    unhappy
brenda        flakes        light     rascal    unicorn
brian         float     lisa      really    unknown
bridget       flower        louis     rebecca   urchin
broadway      flowers       lynne     remote    utility
bumbling      foolproof     macintosh     rick      vasant
burgess       football      mack      ripple    vertigo
campanile     foresight     maggot    robotics  vicky
cantor        format        magic     rochester village
cardinal      forsythe      malcolm   rolex     virginia
carmen        fourier       mark      romano    warren
carolina      fred      markus    ronald    water
caroline      friend        marty     rosebud   weenie
cascades      frighten      marvin    rosemary  whatnot
castle        fun       master    roses     whiting
cat       fungible      maurice   ruben     whitney
cayuga        gabriel       mellon    rules     will
celtics       gardner       merlin    ruth      william
cerulean      garfield      mets      sal       williamsburg
change        gauss     michael   saxon     willie
charles       george        michelle      scamper   winston
charming      gertrude      mike      scheme    wisconsin
charon        ginger        minimum   scott     wizard
chester       glacier       minsky    scotty    wombat
cigar         gnu       moguls    secret    woodwind
classic       golfer        moose     sensor    wormwood
clusters      gorgeous      morley    serenity  yacov
coffee        gorges        mozart    sharks    yang
coke          gosling       nancy     sharon    yellowstone
collins       gouge     napoleon      sheffield yosemite
commrades     graham        nepenthe      sheldon   zap
computer      gryphon       ness      shiva     zimmerman
condo         guest     network   shivers
cookie        guitar        newton    shuttle
cooper        gumption      next      signature

[I wouldn't have picked some of these as "popular" passwords, but
then again, I'm not a worm writer.  What do I know?]

When everything else fails, it opens /usr/dict/words and tries every
word in the dictionary.  It is pretty successful in finding passwords,
as most people don't choose them very well.  Once it gets into
someone's account, it looks for a .rhosts file and does an 'rsh'
and/or 'rexec' to another host, it sucks over the necessary files into
/usr/tmp and runs /usr/tmp/sh to start all over again.


Between these three methods of attack (sendmail, fingerd, .rhosts)
it was able to spread very quickly.


THE WORM ITSELF:

The 'sh' program is the actual worm.  When it starts up it clobbers
its argv array so a 'ps' will not show its name.  It opens all its
necessary files, then unlinks (deletes) them so they can't be found
(since it has them open, however, it can still access the contents).
It then tries to infect as many other hosts as possible - when it
sucessfully connects to one host, it forks a child to continue the
infection while the parent keeps on trying new hosts.

One of the things it does before it attacks a host is connect to the
telnet port and immediately close it.  Thus, "telnetd: ttloop: peer
died" in /usr/adm/messages means the worm attempted an attack.

The worm's role in life is to reproduce - nothing more.  To do that it
needs to find other hosts.  It does a 'netstat -r -n' to find local
routes to other hosts & networks, looks in /etc/hosts, and uses the
yellow pages distributed hosts file if it's available.  Any time it
finds a host, it tries to infect it through one of the three methods,
see above.  Once it finds a local network (like 129.63.nn.nn for
ulowell) it sequentially tries every address in that range.

If the system crashes or is rebooted, most system boot procedures
clear /tmp and /usr/tmp as a matter of course, erasing any evidence.
However, sendmail log files show mail coming in from user /dev/null
for user /bin/sed, which is a tipoff that the worm entered.

Each time the worm is started, there is a 1/15 chance (it calls
random()) that it sends a single byte to ernie.berkeley.edu on some
magic port, apparently to act as some kind of monitoring mechanism.


THE CRACKDOWN:

Three main 'swat' teams from Berkeley, MIT and Purdue found copies of
the VAX code (the .o files had all the symbols intact with somewhat
meaningful names) and disassembled it into about 3000 lines of C.  The
BSD development team poked fun at the code, even going so far to point
out bugs in the code and supplying source patches for it!  They have
not released the actual source code, however, and refuse to do so.
That could change - there are a number of people who want to see the
code.

Portions of the code appear incomplete, as if the program development
was not yet finished.  For example, it knows the offset needed to
break the BSD fingerd, but doesn't know the correct offset for Sun's
fingerd (which causes it to dump core); it also doesn't erase its
tracks as cleverly as it might; and so on.
The worm uses a variable called 'pleasequit' but doesn't correctly
initialize it, so some folks added a module called _worm.o to the C
library, which is produced from:
        int pleasequit = -1;
the fact that this value is set to -1 will cause it to exit after one
iteration.

The close scrutiny of the code also turned up comments on the
programmer's style.  Verbatim from someone at MIT:
    From disassembling the code, it looks like the programmer
    is really anally retentive about checking return codes,
    and, in addition, prefers to use array indexing instead of
    pointers to walk through arrays.

Anyone who looks at the binary will not see any embedded strings -
they are XOR'ed with 81 (hex).  That's how the shell commands are
imbedded.  The "obvious" passwords are stored with their high bit set.

Although it spreads very fast, it is somewhat slowed down by the fact
that it drives the load average up on the machine - this is due to all
the encryptions going on, and the large number of incoming worms from
other machines.

[Initially, the fastest defense against the worm is is to create a
directory called /usr/tmp/sh.  The script that creates /usr/tmp/sh
from one of the .o files checks to see if /usr/tmp/sh exists, but not
to see if it's a directory.  This fix is known as 'the condom'.]


NOW WHAT?

None of the ULowell machines were hit by the worm.  When BBN staffers
found their systems infected, they cut themselves off from all other
hosts.  Since our connection to the Internet is through BBN, we were
cut off as well.  Before we were cut off, I received mail about the
sendmail problem and installed a patch to disable the feature the worm
uses to get in through sendmail.  I had made local modifications to
fingerd which changed the offsets, so any attempt to scribble over the
stack would probably have ended up in a core dump.

Most Internet systems running 4.3BSD or SunOS have installed the
necessary patches to close the holes and have rejoined the Internet.
As you would expect, there is a renewed interest in system/network
security, finding and plugging holes, and speculation over what
will happen to the worm's creator.

If you haven't read or watched the news, various log files have named
the responsible person as Robert Morris Jr., a 23-year old doctoral
student at Cornell.  His father is head of the National Computer
Security Center, the NSA's public effort in computer security, and has
lectured widely on security aspects of UNIX.

Associates of the student claim the worm was a 'mistake' - that he
intended to unleash it but it was not supposed to move so quickly or
spread so much.  His goal (from what I understand) was to have a
program 'live' within the Internet.  If the reports that he intended
it to spread slowly are true, then it's possible that the bytes sent
to ernie.berkeley.edu were intended to monitor the spread of the
worm.  Some news reports mentioned that he panicked when, via some
"monitoring mechanism" he saw how fast it had propagated.

A source inside DEC reports that although the worm didn't make much
progress there, it was sighted on several machines that wouldn't be
on its normal propagation path, i.e. not gateways and not on the same
subnet.  These machines are not reachable from the outside.  Morris
was a summer intern at DEC in '87.  He might have included names or
addresses he remembered as targets for infesting hidden internal
networks.  Most of the DEC machines in question belong to the group he
worked in.

The final word has not been written - I don't think the FBI have even
met with this guy yet.  It will be interesting to see what happens.


 barry r. butterklee
 aoi systems, inc.
 650 suffolk street
 lowell, ma 01854
 (508)937-5400

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/74937631/attachment-0001.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:26     ` Tim Bradshaw
                         ` (4 preceding siblings ...)
  2017-11-02 16:56       ` Don Hopkins
@ 2017-11-02 16:57       ` Don Hopkins
  2017-11-02 17:00       ` Don Hopkins
  6 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 16:57 UTC (permalink / raw)


Date: Wed, 16 Nov 88 18:58 EST
From: Patrick G. Sobalvarro <PGS@AI.AI.MIT.EDU>
Subject: don't delete this message!
To: rumors at MC.LCS.MIT.EDU
cc: mly at AI.AI.MIT.EDU, kdo at lucid.com
Resent-To: Fun at STONY-BROOK.SCRC.Symbolics.COM
Resent-From: David A. Moon <Moon at STONY-BROOK.SCRC.Symbolics.COM>
Resent-Date: Wed, 16 Nov 88 20:11 EST

               WRITE A UNIX VIRUS PROGRAM WHEN
            YOU RECEIVE THIS LETTER AND MAKE MAGIC

This message has been sent to you for good luck.  It has been around the world
nine times.  The luck has now been sent to you.  You will receive good luck
within four days after receiving this letter provided you in return write a
Unix virus program that sends it back out.  This is no joke.  You will receive
it in the mail.

Write a program that uses common Unix utilities to propagate itself across the
network.  Write it so that it modifies the Unix file system code to
spontaneously create copies of this letter in the mailer queue directory,
addressed to random users who you think want good luck.  Don't send money, as
fate has no price.  Do not delete this message.  You will need to include it
in your program, which must be running in 96 hours.  An employee at the
Network Control Center received $70,000.  Joe Elliot, of Sun Microcomputers in
Mountain View, received $40,000 and lost it because he broke the chain.  While
in the Philippines, Gen. Welsh lost his wife six days after receiving the
letter.  His virus program didn't work on the Air Force's Univac machines.
However, before her death she has won $30,000 in a lottery.  The money was
transferred to him four days after the Air Force awarded AT&T a billion-dollar
contract to supply them with Unix machines.

Please write your virus program right now and see what happens in four days.
This message comes from MIT and was written by a turist in New Jersey, or
someplace like that.  Since the copy must make a tour of the world, you must
write 20 virus programs and start them on all the machines you have accounts
on, sending messages to your friends, associates, and everyone else in
/etc/passwd.  After a few days you will get a streak of luck.  This is true
even if you are not superstitious.

Do note the following: Constantine Dias, a systems manager at Raytheon,
received the chain in 1983. He asked his programmers to write 20 virus
programs and start them up.  A few days later he won the lottery of two
million dollars.  Aria Dadil, a tape ape at Symbolics, Inc., received the
letter and didn't write a virus program, saying something about random Unix
lossage.  His company reported record losses two days later and fired him.
Later after finding the message again, he wrote 20 virus programs and started
them up on a VAX at UDel.  A few days later he got a job as the director of
systems programming at Berkeley.  Dales Fairchild received the message and not
believing, deleted it.  Nine days later his company was bought by Heathkit,
Schlumberger, Western Digital, Fujitsu, Hughes, GM, and Beatrice, in
succession.

On August 20, 1985 the message was received with UUCP and mailed again for fun
and mere love in the world.  This message was forwarded by SENDMAIL with SMTP
on Sept.  1, 1986 and again on November 13, 1986, and once more on December
14, 1986.

Remember, send no money.  Please do not ignore this.  It works.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/f25ac4e1/attachment-0001.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:26     ` Tim Bradshaw
                         ` (3 preceding siblings ...)
  2017-11-02 16:54       ` Don Hopkins
@ 2017-11-02 16:56       ` Don Hopkins
  2017-11-02 16:57       ` Don Hopkins
  2017-11-02 17:00       ` Don Hopkins
  6 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 16:56 UTC (permalink / raw)


Date: 14 Nov 88 00:03 EST
From: TomZ@DDN1.arpa
Subject: FBI Contact re: November Internet Virus
To: TCP-IP at SRI-NIC.arpa
Cc: B602-ALL at DDN1.arpa, StJohns at beast.ddn.mil

         Were YOU hit by the November Internet Virus?

                      The FBI wants to hear from you!

The Federal Bureau of Investigation is attempting to gather critical
information necessary to pursue this case under the Computer Fraud and
Abuse Act of 1986.  (This is the statute that makes it a federal crime
to penetrate a computer owned by or run on the behalf of the Government.)

The FBI Case Agent has asked the Defense Data Network Project Management
Office to collect the names of organizations and Points of Contact (names
and phone numbers) that were hit by the Virus.  The Defense Communications
Agency has established an E-Mail address for this collection at:

                       INFO-VACC [at] BEAST.DDN.MIL

    Points of Contact should expect to be contacted by their local FBI
    agents for dispositions due to the wide geographical area involved.


                     I * M * P * O * R * T * A * N * T

            The FBI needs this information to pursue the case.

      If we expect their aid in the future, we need to help them now.

PLEASE GIVE THIS MESSAGE MAXIMUM DISTRIBUTION; NOT EVERYONE IS ON "TCP-IP"!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/e8ad24e1/attachment.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:26     ` Tim Bradshaw
                         ` (2 preceding siblings ...)
  2017-11-02 16:52       ` Don Hopkins
@ 2017-11-02 16:54       ` Don Hopkins
  2017-11-02 16:56       ` Don Hopkins
                         ` (2 subsequent siblings)
  6 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 16:54 UTC (permalink / raw)


Date: Sat, 5 Nov 88 10:57:11 PST
From: kent@na-net.stanford.edu (Mark Kent)
Message-Id: <8811051857.AA02684 at patience.stanford.edu>
To: src
Subject: Isn't this...

Isnt't this the Robert Morris who worked with Mark Manasse and Greg
Nelson in the summer of 1987 (in my cubicle from summer 1986)?
He did a X windows to <dec-src window system> interface amazingly fast,
*without* using the tools in emacs that make
writing M2+ programs easier (because he did it in vi).

He knew a *lot* about sendmail then.

-mark

From: Martin Frost <ME@sail.stanford.edu>
Subject: virus programmer

From the AP news early Saturday morning comes this story.
Note the mention of passwords for some computers at Stanford.

Creator Of Computer 'Virus' Is Cornell Student, Son Of Government Scientist

Eds: News conference scheduled at 10 a.m. EST
By DOUGLAS ROWE
Associated Press Writer
    A Cornell University student whose father is a top government
computer security expert created the ''virus'' that slowed 6,000
computers nationwide, said a report today, and the school found that
the young man possessed unauthorized computer codes.
    Two sources with detailed knowledge of the case told The New York
Times that Robert T. Morris Jr., 23, a computer science graduate
student whom friends describe as ''brilliant,'' devised the virus as
an experiment.
    M. Stuart Lynn, Cornell's vice president for information
technologies, said early today that the university had not talked to
Morris but was investigating his computer files. The Ithaca, N.Y.,
school scheduled a news conference for today.
    ''So far we have determined that his account contains files that
appear to hold passwords for some computers at Cornell and Stanford
to which he is not entitled,'' Lynn said in a statement. ''We also
have discovered that Morris' account contains a list of passwords
substantially similar to those found in the virus.''
    Passwords are the codes needed to gain access to computer systems.
    The student's father, Robert Morris Sr., is chief scientist at the
National Computer Security Center in Bethesda, Md., the arm of the
National Security Agency devoted to protecting computers from outside
attack. He has written widely on the security of the Unix operating
system, the computer master program that was the target of the
computer virus.
    Several telephone calls to the family's home in Silver Spring, Md.,
near Washington, went unanswered. Later, an answering machine was
attached and messages left on it were not returned.
    The younger Morris also could not be reached. The university said it
did not have a local address for him, and Lynn said college officials
believed he was on his way to Washington.
    Computer viruses behave like biological viruses in that they
duplicate themselves and spread from computer to computer, through
''electronic mail'' systems or other networks. They consume computer
processing power and storage space, and some - but apparently not
this one - destroy stored information.
    The virus was introduced into Arpanet, a Department of Defense
computer network linking universities, research centers and defense
operations, officials said. It was intended to remain there
undetected, slowly making copies that would move from computer to
computer, the Times said.
    But a design error caused it instead to replicate out of control,
the Times reported Friday, quoting an anonymous caller to the
newspaper who said he was an associate of the program's designer.
    The virus jammed more than 6,000 computers nationwide starting
Wednesday. But it apparently caused no damage other than lost
research time and the thousands of costly hours that computer
scientists and programmers were spending to remove it from their
systems. By Friday, most universities and research centers had turned
their computers back on.
    George Strawn, director of the Computation Center at Iowa State
University in Des Moines, described the impact of the virus at his
school as ''a slight case of the sniffles.''
    Doug Van Houweling, vice provost for information technology at the
University of Michigan, said no files were damaged but many hours of
work were needed to clean out ''duplicate waste files'' the virus
created.
    Hans-Werner Braun, a computer expert at the Ann Arbor, Mich.,
school, said the main effect of the incident was to call attention to
the system's vulnerability.
    The elder Morris told the Times that the virus ''has raised the
public awareness to a considerable degree. It is likely to make
people more careful and more attentive to vulnerabilities in the
future.''
    Sources told the Times that his son flew to Washington on Friday and
planned to hire a lawyer and meet with officials in charge of the
Arpanet network to discuss the incident.
    Computer scientists said the younger Morris worked in recent summers
at the American Telephone and Telegraph Co.'s Bell Laboratories. One
of his projects included rewriting the communications security
software for most computers that run the Unix operating system, which
AT&T developed, the Times reported.
    Computer scientists who are disassembling the virus to learn how it
worked said they have been impressed with its power and cleverness.
    The elder Morris, 56, told the Times that it was ''the work of a
bored graduate student.''
    Dexter Kozen, the graduate faculty representative in Cornell's
computer science department, said he chuckled when he heard that
quote.
    ''We try to keep them from getting bored,'' he said. ''I guess we
didn't try hard enough.''
***************



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/f641135b/attachment-0001.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:26     ` Tim Bradshaw
  2017-11-02 16:48       ` Don Hopkins
  2017-11-02 16:50       ` Don Hopkins
@ 2017-11-02 16:52       ` Don Hopkins
  2017-11-02 16:54       ` Don Hopkins
                         ` (3 subsequent siblings)
  6 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 16:52 UTC (permalink / raw)


To: mimsy!rutgers!att!tanstaafl
Subject: Bob Morris, Jr.
Date: 5 Nov 88 17:15:21 EST (Sat)
From: rcj@moss.ATT.COM (Curtis Jackson)

Bob Morris, Sr. worked on my project here (Enhanced Modular Signal
Processor, or EMSP) at Bell Labs from about 1981 through 1984 or
1985.  I have to say that his son comes by it honestly -- Bob Sr.
was always cracking systems and passwords.  He once turned loose
his password finder on one of our systems and it found the passwords
for something like 55% of the accounts.  His other big interest
was involving huge huge primes.  He was always running this program
to try and find the next prime number.

He was a quintessential software hacker -- given the choice of saying
"box wid 4.5i ht 7i" to pic, or hacking the same thing in really raw
troff, he always did the latter.  He knew troff better than anyone
I've ever seen.  He was also one hell of a good drinking buddy.

True Bob Morris (Sr.) stories:

Bob would occasionally wear a suit (*gasp*) when meeting with the
Navy instead of wearing his normal holey sweater and jeans.  But he
never forsook his old hiking boots.  And these babies smelled real
bad when he took them off -- we are talking serious ODAIR here.
One day he was in one of two adjoining meeting rooms, and he took
his boots off.  The smell immediately permeated the room, and one
of the MTS, Robin, gingerly grabbed them and set them inside the
adjoining conference room.  Less than two minutes later, the connecting
door opened again and the boots were just as gingerly and silently
returned.  Robin gave up and put them outside in the hallway.

A waitress at our local pub, who had known Bob for at least 7-8 years
before I came on the scene, used to lift Bob's shirt and rub his tummy
right in the pub -- some kind of private joke between them.  Apparently
one day he returned the favor and lifted her shirt up *real* high.
So one winter day he and I went into the pub, and Marcia came up and
said, "Robert, look -- *two* shirts.  You're not going to get me this
time!"  Bob said, "Yeah, I bet you've got the bottom one pinned to your
you-know-what [sic]."  Marcia said, "All the way down to my ankles, bud!"

Not to give you the impression he was a pond scum to women; all the women
I knew really liked him as long as he kept his boots on.  ;-)

Have never met Bob Jr., but I do know he was hacking at Daddy's knee
(sounds like a scene from a horror film  ;-)  before he could crawl.

Curtis Jackson  -- att!moss!rcj  201-386-6409
"The cardinal rule of skydiving and ripcords:  When in doubt, whip it out!"


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/1a7c8ed0/attachment-0001.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:26     ` Tim Bradshaw
  2017-11-02 16:48       ` Don Hopkins
@ 2017-11-02 16:50       ` Don Hopkins
  2017-11-02 16:52       ` Don Hopkins
                         ` (4 subsequent siblings)
  6 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 16:50 UTC (permalink / raw)


Article 4875 of rec.arts.poems:
Path: amelia!eos!ames!uakari.primate.wisc.edu!samsung!uunet!ogicse!unicorn!blak
e!milton!ecombs
From: ecombs@milton.acs.washington.edu (Ed Combs)
Newsgroups: rec.arts.poems,rec.humor
Subject: viruworms
Keywords: virus worm poem eunicks
Message-ID: <2482 at milton.acs.washington.edu>
Date: 20 Mar 90 07:25:08 GMT
Organization: Univ of Washington, Seattle
Lines: 49
Xref: amelia rec.arts.poems:4875 rec.humor:28638
Posted: Mon Mar 19 23:25:08 1990




                                 VIRUWORMY
                    (with apologies to Charles Dodgson)

                                  For RTM
                         who made it all possible.


               'Twas eunicks* and the asky chars
                Did grepp and skanneff at the nik:
                All mimdy were the hyperstars,
                And the rad ravs outsmick.

               "Beware the Viruworm, my sun!
                Let not its bits, in temp space get!
                Guard well the Passpass word, and shun
                The durbious Internet!"

                He put his darpal code in ram:
                Long time the decson foe he sought --
                So waited he, in the Dirdir tree
                And slept awhile, swapped out.

                And as with hashish dreams he slept
                The Viruworm -- that spawn from shell --
                Fast fingring through the mayle, it crept
                And gettessed from Koornell!

                Ping, pong! Ping, pong! And long by long
                The darpal code went hicker-hack!
                It ran no more, and with its core
                He went dispiling back.

               "And hast thou killed the Viruworm?
                Nok bless your promms, my sparkish toy!
                O megga win! Ess are eye! Bee bee enn!"
                He broadcast in his joy.

               'Twas eunicks and the asky chars
                Did grepp and skanneff at the nik:
                All mimdy were the hyperstars,
                And the rad ravs outsmick.

                                             -- ejc '90


               *Eunicks is not a registered trademark of ATT Bell Laboratories.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/32155a5b/attachment.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:26     ` Tim Bradshaw
@ 2017-11-02 16:48       ` Don Hopkins
  2017-11-02 16:50       ` Don Hopkins
                         ` (5 subsequent siblings)
  6 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 16:48 UTC (permalink / raw)


/* Written  1:54 am  Dec  2, 1988 by bradley at m.cs.uiuc.edu in m.cs.uiuc.edu:general */
/* ---------- "SIGBEER 12/2/88  (A poem)" ---------- */
                 SIGBEER COLLOQUIUM

SPEAKER:   Clement C. Morris
       Department of Annelid Studies
       Cornell University

TITLE:     The Worm Before Christmas: A poem

TIME:      December 2, 1988.  5:00pm

PLACE:     White Horse
       Green St. near 2nd (across from Champion Federal)
       Note: THIS IS DIFFERENT!

ABSTRACT:  A critical reading of the following poem will be presented.
       Discussion and refreshments will follow.



            "The Worm Before Christmas"
                by Clement C. Morris

        (a.k.a. David Bradley, Betty Cheng, Hal Render,
            Greg Rogers, and Dan LaLiberte)

    Twas the night before finals, and all through the lab
    Not a student was sleeping, not even McNabb.
    Their projects were finished, completed with care
    In hopes that the grades would be easy (and fair).

    The students were wired with caffeine in their veins
    While visions of quals nearly drove them insane.
        With piles of books and a brand new highlighter,
    I had just settled down for another all nighter ---

    When out from our gateways arose such a clatter,
    I sprang from my desk to see what was the matter;
    Away to the console I flew like a flash,
        And logged in as root to fend off a crash.

    The windows displayed on my brand new Sun-3,
    Gave oodles of info --- some in 3-D.
    When, what to my burning red eyes should appear
    But dozens of "nobody" jobs.  Oh dear!

    With a blitzkrieg invasion, so virulent and firm,
        I knew in a moment, it was Morris's Worm!
    More rapid than eagles his processes came,
    And they forked and exec'ed and they copied by name:

    "Now Dasher!  Now Dancer!  Now, Prancer and Vixen!
    On Comet!  On Cupid!  On Donner and Blitzen!
    To the sites in .rhosts and host.equiv
    Now, dash away!  dash away!  dash away all!"

    [ Note:  The machines dasher.cs.uiuc.edu,
      dancer.cs.uiuc.ed, prancer.cs.uiuc.edu, etc. have
      been renamed deer1, deer2, deer3, etc. so as not
      to confuse the already burdened students who use
      those machines. We regret that this poem reflects
      the older naming scheme and hope it does not confuse
      the network adminstrator at your site.  -Ed.]

    And then in a twinkling, I heard on the phone,
    The complaints of the users.  (Thought I was alone!)
    "The load is too high!"  "I can't read my files!"
    "I can't send my mail over miles and miles!"

    I unplugged the net, and was turning around,
        When the worm-ridden system went down with a bound.
    I fretted.  I frittered.  I sweated.  I wept.
    Then finally I core dumped the worm in /tmp.

    It was smart and pervasive, a right jolly old stealth,
    And I laughed, when I saw it, in spite of myself.
    A look at the dump of that invasive thread
    Soon gave me to know we had nothing to dread.

    The next day was slow with no network connections,
    For we wanted no more of those pesky infections.
    But in spite of the news and the noise and the clatter,
    Soon all became normal, as if naught were the matter.

    Then later that month while all were away,
    A virus came calling and then went away.
    The system then told us, when we logged in one night:
        "Happy Christmas to all!  (You guys aren't so bright.)"


[ Note: The authors would like to apologize to Dave McNabb for any
    detrimental references to his sleeping habits or lack thereof.
    Unfortunately, they couldn't think of anything else that rhymes
    with "lab".  -Ed. ]
/* End of text from m.cs.uiuc.edu:general */

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/56f7c582/attachment-0001.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-01 22:32 ` Lyndon Nerenberg
@ 2017-11-02 16:43   ` Don Hopkins
  0 siblings, 0 replies; 62+ messages in thread
From: Don Hopkins @ 2017-11-02 16:43 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 5929 bytes --]

I just ran across this in my old email archives, Mike Godwin’s reaction to Philip Dorn’s Final Word column in the November 11 issue of Information
Week ("Morris Got What He Deserved"):


Return-Path: <eff-news-request at eff.org>
Reply-To: eff-news at eff.org
Precedence: bulk
To: eff-news at eff.org
From: Rita Marie Rouvalis <rita@eff.org>
Subject: EFFector2.02
Date: Wed, 27 Nov 91 15:25:23 EST


########## ########## ########## |                    THE GREAT WORK:|
########## ########## ########## |               By John Perry Barlow|
####       ####       ####       |                                   |
########   ########   ########   |            HACKER MANIA CONTINUES!|
########   ########   ########   |   Excerpts from the Geraldo Circus|
####       ####       ####       |                                   |
########## ####       ####       | DID MORRIS "GET WHAT HE DESERVED?"|
########## ####       ####       |               A Letter to InfoWeek|
=====================================================================|
EFFector Online           November 27,1992         Volume 2, Number 2|
=====================================================================|

IN THIS ISSUE:
THE GREAT WORK by John Perry Barlow
GETTING WHAT HE DESERVED? by Mike Godwin
MCI FRIENDS & FAMILY by Craig Neidorf
GERALDO! HACKER! MANIA! CONTINUES!

[…]

                   -==--==--==-<>-==--==--==-

                   GETTING WHAT HE DESERVED?
              An Open Letter to Information Week
                        by Mike Godwin
                       mnemonic at eff.org

Information Week
600 Community Drive
Manhasset, N.Y. 11030

Dear editors:

Philip Dorn's Final Word column in the November 11 issue of Information
Week ("Morris Got What He Deserved") is, sadly, only the latest example
of the kind of irrational and uninformed discourse that too often colors
public-policy discussions about computer crime. It is a shame that Dorn
did not think it worthwhile to get his facts straight--if he had, he
might have written a very different column.

The following are only a few of Dorn's major factual errors:       He
writes that "It is sophistry to claim [Internet Worm author Robert]
Morris did not know what he was doing--his mistake was being slovenly."
Yet even the most casual reading of the case, and of most of the news
coverage of the case, makes eminently clear that the sophists Dorn
decries don't exist--no one has argued that Morris didn't know what he
was doing. This was never even an issue in the Morris case.      Dorn
also writes that "Any effort to break into a system by an unauthorized
person, or one authorized only to do certain things only to do certain
things, should per se be illegal." This is also the position of the
Electronic Frontier Foundation, which Dorn nevertheless criticizes for
being "out of step with the industry." Yet the issue of whether
unauthorized computer access should be illegal also was never an issue
in the Morris case.

Dorn writes that "Those defending Morris squirm when trying to explain
why his actions were harmless." No doubt such defenders would squirm, if
they existed. But none of the people or organizations Dorn quotes has
ever claimed that his actions were harmless. This too was never an issue
in the Morris case.

Dorn makes much of the fact that Morris received only "a trivial fine
and community service." But the focus both in the trial and in its appeal
was never on the severity of Morris's sentence, but on whether the law
distinguished between malicious computer vandalism and accidental
damaged caused by an intrusion. EFF's position has been that the law should be
construed to make such a distinction.

Dorn writes that "To say that those who intrude and do no lasting damage
are harmless is to pervert what Congress and those who drafted the
legislation sought to do: penalize hackers." Indeed, this would be a
perversion, if anyone were making that argument. Unfortunately, Dorn
seems unwilling to see the arguments that were made.      "It is
sickening," writes Dorn, "to hear sobbing voices from the ACLU, the
gnashing of teeth from Mitch Kapor's Electronic Frontier Foundation
(EFF), and caterwauling from the Computer Professionals for Social
Responsibility--all out of step with the industry. They seem so
frightened that the law may reach them that they elected to defend
Morris's indefensible actions." Dorn's distortions here verge on libel,
since we neither defend Morris's actions nor are motivated out of fear
that the law will apply to us. Instead, we are concerned, as all
citizens should be, that the law make appropriate distinctions between
intentional and unintentional harms in the computer arena, just as it
does in all other realms of human endeavor.

A more glaring factual error occurs one paragraph later, when he writes
that "The Supreme Court says intruders can be convicted under the law
because by definition an intrusion shows an intent to do harm. That
takes care of Morris." The Supreme Court has never said any such thing--after
all, the Court declined to hear the case. Even the lower courts in the
Morris case made no such claim.

What is far more "sickening" than even Dorn's imaginary versions of our
concerns about the Morris case is his irresponsibility in making
unsubstantiated charges that even a cursory familiarity with the facts
could have prevented. In the course of his article, Dorn manages to get
one thing right--he writes that "The law is not perfect--it needs
clarification and reworking." This has been our position all along, and
it is the basis for our support of Morris's appeal. It is also public
knowledge--Dorn could have found out our position if he had bothered to
ask us.

Mike Godwin
Staff Counsel
EFF


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20171102/18407a7f/attachment-0001.html>


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:25   ` Dan Cross
@ 2017-11-02 15:52     ` Will Senn
  2017-11-02 18:42     ` Ken Thompson
  1 sibling, 0 replies; 62+ messages in thread
From: Will Senn @ 2017-11-02 15:52 UTC (permalink / raw)


On 11/2/17 10:25 AM, Dan Cross wrote:
> On Thu, Nov 2, 2017 at 10:42 AM, Will Senn <will.senn at gmail.com> wrote:
>> I seem to recall that this story was included as part of The Cuckoo's Egg,
>> by Clifford Stoll. I don't recall the specifics and I wonder if it has a bit
>> of myth included, but somehow it was peripherally related to the
>> investigations. Fuzzy recollection is that the worm got out during the
>> investigation Clifford was involved in and it was Morris's son (Morris being
>> in on the investigation somehow), and the kid getting off because of the
>> position of the dad and the newness of the crime... or somesuch - don't
>> shoot the messenger, but nobody mentioned Stoll, so I thought I'd chime in,
>> in the hopes it might jog someone else's memory :).
> Stoll mentions the worm in an epilogue to The Cuckoo's Egg; it happens
> after the main events of the book. Apparently, for a brief time, some
> folks thought that he might be the one behind the worm and someone
> called him up and asked him if he'd written it.
>
> Cliff Stoll talked to a number of people in law enforcement and in
> government and thus made a number of contacts while he was pursuing
> Markus Hess (the pursuit of Hess being the main story of The Cuckoo's
> Egg): Robert Morris Sr was among those contacts. When the worm hit, he
> talked to Morris Sr and asked him if he knew who started it. The
> response was something along the lines of, "Yes, but I can't tell
> you."
>
>          - Dan C.

OK. I did some digging, it's an extensive story that peripherally 
involved Stoll after he went to Cambridge. It begins on page 239, "Hi, 
Cliff. It's Gene. Gene Miya at NASA Ames Laboratory. No apologies for 
waking you up. Our computers are under attack." and goes on for about 9 
pages:

http://vxer.org/lib/pdf/The%20Cuckoo%27s%20Egg.pdf

Will



-- 
GPG Fingerprint: 68F4 B3BD 1730 555A 4462  7D45 3EAA 5B6D A982 BAAF



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 15:00   ` Michael Kjörling
@ 2017-11-02 15:26     ` Tim Bradshaw
  2017-11-02 16:48       ` Don Hopkins
                         ` (6 more replies)
  0 siblings, 7 replies; 62+ messages in thread
From: Tim Bradshaw @ 2017-11-02 15:26 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 438 bytes --]

On 2 Nov 2017, at 15:00, Michael Kjörling <michael at kjorling.se> wrote:
> 
> Yes, Stoll did mention the Morris worm in his book. I'm pretty sure
> though that, as the story is told there, he found out about it well
> after the outbreak began.

If I remember right it's essentially a postscript which takes place well after the main events, and he was contacted by <someone> who suspected he might have been responsible for it.

--tim


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 14:42 ` Will Senn
  2017-11-02 15:00   ` Michael Kjörling
@ 2017-11-02 15:25   ` Dan Cross
  2017-11-02 15:52     ` Will Senn
  2017-11-02 18:42     ` Ken Thompson
  1 sibling, 2 replies; 62+ messages in thread
From: Dan Cross @ 2017-11-02 15:25 UTC (permalink / raw)


On Thu, Nov 2, 2017 at 10:42 AM, Will Senn <will.senn at gmail.com> wrote:
> I seem to recall that this story was included as part of The Cuckoo's Egg,
> by Clifford Stoll. I don't recall the specifics and I wonder if it has a bit
> of myth included, but somehow it was peripherally related to the
> investigations. Fuzzy recollection is that the worm got out during the
> investigation Clifford was involved in and it was Morris's son (Morris being
> in on the investigation somehow), and the kid getting off because of the
> position of the dad and the newness of the crime... or somesuch - don't
> shoot the messenger, but nobody mentioned Stoll, so I thought I'd chime in,
> in the hopes it might jog someone else's memory :).

Stoll mentions the worm in an epilogue to The Cuckoo's Egg; it happens
after the main events of the book. Apparently, for a brief time, some
folks thought that he might be the one behind the worm and someone
called him up and asked him if he'd written it.

Cliff Stoll talked to a number of people in law enforcement and in
government and thus made a number of contacts while he was pursuing
Markus Hess (the pursuit of Hess being the main story of The Cuckoo's
Egg): Robert Morris Sr was among those contacts. When the worm hit, he
talked to Morris Sr and asked him if he knew who started it. The
response was something along the lines of, "Yes, but I can't tell
you."

        - Dan C.


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 14:42 ` Will Senn
@ 2017-11-02 15:00   ` Michael Kjörling
  2017-11-02 15:26     ` Tim Bradshaw
  2017-11-02 15:25   ` Dan Cross
  1 sibling, 1 reply; 62+ messages in thread
From: Michael Kjörling @ 2017-11-02 15:00 UTC (permalink / raw)


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 1116 bytes --]

On 2 Nov 2017 09:42 -0500, from will.senn at gmail.com (Will Senn):
> I seem to recall that this story was included as part of The
> Cuckoo's Egg, by Clifford Stoll. I don't recall the specifics and I
> wonder if it has a bit of myth included, but somehow it was
> peripherally related to the investigations. Fuzzy recollection is
> that the worm got out during the investigation Clifford was involved
> in and it was Morris's son (Morris being in on the investigation
> somehow), and the kid getting off because of the position of the dad
> and the newness of the crime... or somesuch - don't shoot the
> messenger, but nobody mentioned Stoll, so I thought I'd chime in, in
> the hopes it might jog someone else's memory :).

Yes, Stoll did mention the Morris worm in his book. I'm pretty sure
though that, as the story is told there, he found out about it well
after the outbreak began.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 13:46 Norman Wilson
  2017-11-02 14:32 ` Chet Ramey
@ 2017-11-02 14:42 ` Will Senn
  2017-11-02 15:00   ` Michael Kjörling
  2017-11-02 15:25   ` Dan Cross
  1 sibling, 2 replies; 62+ messages in thread
From: Will Senn @ 2017-11-02 14:42 UTC (permalink / raw)


On 11/2/17 8:46 AM, Norman Wilson wrote:
> Robert T Morris (the son who committed the famous worm) was an
> intern at Bell Labs for a couple of summers while I was there.
> He certainly wasn't an idiot; he was a smart guy.
>
> Like many smart guys (and not-so-smart guys for that matter),
> however, he was a sloppy coder, and tended not to test enough.
>
> One of the jokes in the UNIX Room was that, had it been Bob
> Morris (the father) who did it,
> a.  He wouldn't have done it, because he would have seen that
> it wasn't worth the potential big mess; but
> b.  Had he done it, no one would ever have caught him, and
> probably no one would even have noticed the worm as it crept
> around.
>
> Norman Wilson
> Toronto ON

I seem to recall that this story was included as part of The Cuckoo's 
Egg, by Clifford Stoll. I don't recall the specifics and I wonder if it 
has a bit of myth included, but somehow it was peripherally related to 
the investigations. Fuzzy recollection is that the worm got out during 
the investigation Clifford was involved in and it was Morris's son 
(Morris being in on the investigation somehow), and the kid getting off 
because of the position of the dad and the newness of the crime... or 
somesuch - don't shoot the messenger, but nobody mentioned Stoll, so I 
thought I'd chime in, in the hopes it might jog someone else's memory :).

Will

-- 
GPG Fingerprint: 68F4 B3BD 1730 555A 4462  7D45 3EAA 5B6D A982 BAAF



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 13:46 Norman Wilson
@ 2017-11-02 14:32 ` Chet Ramey
  2017-11-02 14:42 ` Will Senn
  1 sibling, 0 replies; 62+ messages in thread
From: Chet Ramey @ 2017-11-02 14:32 UTC (permalink / raw)


On 11/2/17 9:46 AM, Norman Wilson wrote:

> Like many smart guys (and not-so-smart guys for that matter),
> however, he was a sloppy coder, and tended not to test enough.

In my experience, that is one of the things that improves with age
(and, yes, experience).

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet at case.edu    http://cnswww.cns.cwru.edu/~chet/


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02 12:10 Noel Chiappa
@ 2017-11-02 14:26 ` Dan Cross
  0 siblings, 0 replies; 62+ messages in thread
From: Dan Cross @ 2017-11-02 14:26 UTC (permalink / raw)


On Thu, Nov 2, 2017 at 8:10 AM, Noel Chiappa <jnc at mercury.lcs.mit.edu> wrote:
> [...]
> So I decided to weigh in. I got advice from the Washington branch of
> then-Hale&Dorr (my legal people at the time), who were well connected inside
> the DoJ (they had people who'd been there, and also ex-H+D people were
> serving, etc). IIRC, they agreed with me that this was over-charging, given
> the specifics of the offender, etc. (I forget exactly what they told me of
> what they made of the prosecutor and his actions, but it was highly not
> positive.)

This is really fascinating.

The Washington Post did an article on the Internet Worm back in 2013
(for the 25th anniversary). There are quite a few interesting insights
from Gene Spafford and the prosecutor, Mark Rasch. Spaf felt that the
felony conviction was going to far; Rasch has stated he would support
a pardon being granted for the felony conviction. Mashable also had an
article with some more quotes from Rasch

https://www.washingtonpost.com/news/the-switch/wp/2013/11/01/how-a-grad-student-trying-to-build-the-first-botnet-brought-the-internet-to-its-knees/
http://mashable.com/2013/11/01/morris-worm/#BosSE6MAiqq0

        - Dan C.


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
@ 2017-11-02 13:46 Norman Wilson
  2017-11-02 14:32 ` Chet Ramey
  2017-11-02 14:42 ` Will Senn
  0 siblings, 2 replies; 62+ messages in thread
From: Norman Wilson @ 2017-11-02 13:46 UTC (permalink / raw)


Robert T Morris (the son who committed the famous worm) was an
intern at Bell Labs for a couple of summers while I was there.
He certainly wasn't an idiot; he was a smart guy.

Like many smart guys (and not-so-smart guys for that matter),
however, he was a sloppy coder, and tended not to test enough.

One of the jokes in the UNIX Room was that, had it been Bob
Morris (the father) who did it,
a.  He wouldn't have done it, because he would have seen that
it wasn't worth the potential big mess; but
b.  Had he done it, no one would ever have caught him, and
probably no one would even have noticed the worm as it crept
around.

Norman Wilson
Toronto ON


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
@ 2017-11-02 12:10 Noel Chiappa
  2017-11-02 14:26 ` Dan Cross
  0 siblings, 1 reply; 62+ messages in thread
From: Noel Chiappa @ 2017-11-02 12:10 UTC (permalink / raw)


    > From: Doug McIlroy

    > A little known fact is that the judge leaned on the prosecutor to reduce
    > the charge to a misdemeanor and accepted the felony only when the
    > prosecuter secured specific backing from higher echelons at DOJ.

I had a tangential role in the legal aftermath, and am interested to hear
this.

I hadn't had much to do with the actual outbreak, so I was not particularly
watching the whole saga. However, on the evening news one day, I happened to
catch video of him coming out of the court-house after his conviction: from
the look on his face (he looked like his dog had died, and then someone had
kicked him in the stomach) it was pretty clear that incareration (which is
what the sentencing guidelines called for, for that offense) was totally
inappropriate.

So I decided to weigh in. I got advice from the Washington branch of
then-Hale&Dorr (my legal people at the time), who were well connected inside
the DoJ (they had people who'd been there, and also ex-H+D people were
serving, etc). IIRC, they agreed with me that this was over-charging, given
the specifics of the offender, etc. (I forget exactly what they told me of
what they made of the prosecutor and his actions, but it was highly not
positive.)

So we organized the IESG to submit a filing in the case on the sentencing, and
got everyone to sign on; apparently in the legal system when there is an
professional organization in a field, its opinions weigh heavily, and the
IESG, representing as it did the IETF, was the closest thing to it here. I
don't know how big an effect our filing had, but the judge did depart very
considerably from the sentencing guidelines (which called, IIRC, for several
years of jail-time) and gave him probation/community-service.

Not everyone was happy about our actions (particularly some who'd had to work
on the cleanup), but I think in retrospect it was the right call - yeah, he
effed up, but several years in jail was not the right punsishment, for him,
and for this particular case (no data damaged/deleted/stolen/etc). YMMV.

	Noel


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-01 22:17 Dave Horsfall
                   ` (4 preceding siblings ...)
  2017-11-02  0:09 ` Dan Cross
@ 2017-11-02  8:18 ` arnold
  2017-11-02 17:56 ` Don Hopkins
  2017-11-04  1:15 ` Dave Horsfall
  7 siblings, 0 replies; 62+ messages in thread
From: arnold @ 2017-11-02  8:18 UTC (permalink / raw)


Dave Horsfall <dave at horsfall.org> wrote:

> The infamous Morris Worm was released in 1988; making use of known 
> vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a 
> metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was 
> accidental, but the idiot hadn't tested it on an isolated network first). 
> A temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".
>
> -- 
> Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."

I was a sysadmin at the time at Emory U's computing center. We were very
fortunate to have the worm bypass us, since we were running a sendmail.cf
file that I had written (from scratch!) instead of the standard one.

(It was written using Ease, a preprocessor for sendmail.cf files. It
took me a long time to write and test.  I have, fortunately, literally,
forgotten more about sendmail than most people ever know. :-)

Anyway, I came in that Monday morning to business as usual, only to
hear about the chaos happening in the rest of the Unix world. :-)

I am sure, now, that I totally didn't understand then how really
lucky we were.

Arnold


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02  3:46 Doug McIlroy
@ 2017-11-02  5:53 ` George Michaelson
  0 siblings, 0 replies; 62+ messages in thread
From: George Michaelson @ 2017-11-02  5:53 UTC (permalink / raw)


Having been stupid, to deleterious effect of others, I can't find it
in my heart to condemn it in anyone who clearly had a shitload of
smarts.

I was just selfish (I burned the JANET X.25 budget for the entire
campus, logging into the TOPS-10 typing tutor to get X.25 PAD to a vax
in edinburgh to connect to EMAS and read emails and oh well ok yes
play a lot, a seriously large amount of dungeon. They shut down the
Dec-10 typing tutor account and I was forbidden the network for the
year)

I don't think he actually intended to be that disruptive. In a way,
the person most harmed was Morris Senior, wasn't it?

(I was at CSIRO, and we got "hit" for want of a better word by morris,
but we also got fixed very quickly. From memory, piers dik lauder from
Sydney uni actually kept a mail *@* in ACSNet even after this,
figuring store-and-forward to everyone at everywhere was actually useful)

-G

On Thu, Nov 2, 2017 at 1:46 PM, Doug McIlroy <doug at cs.dartmouth.edu> wrote:
>> the idiot hadn't tested it on an isolated network first
>
> That would have "proved" that the worm worked safely, for
> once every host was infected, all would go quiet.
>
> Only half in jest, I have always held that Cornell was right
> to expel Morris, but their reason should have been his lack
> of appreciation of exponentials.
>
> (Full disclosure: I was a character witnesss at his trial. A
> little known fact is that the judge leaned on the prosecutor
> to reduce the charge to a misdemeanor and accepted the felony
> only when the prosecuter secured specific backing from
> higher echelons at DOJ.)
>
> Doug McIlroy


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
@ 2017-11-02  3:46 Doug McIlroy
  2017-11-02  5:53 ` George Michaelson
  0 siblings, 1 reply; 62+ messages in thread
From: Doug McIlroy @ 2017-11-02  3:46 UTC (permalink / raw)


> the idiot hadn't tested it on an isolated network first

That would have "proved" that the worm worked safely, for
once every host was infected, all would go quiet.

Only half in jest, I have always held that Cornell was right
to expel Morris, but their reason should have been his lack
of appreciation of exponentials.

(Full disclosure: I was a character witnesss at his trial. A
little known fact is that the judge leaned on the prosecutor
to reduce the charge to a misdemeanor and accepted the felony
only when the prosecuter secured specific backing from 
higher echelons at DOJ.)

Doug McIlroy


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-02  0:09 ` Dan Cross
@ 2017-11-02  1:08   ` Clem cole
  0 siblings, 0 replies; 62+ messages in thread
From: Clem cole @ 2017-11-02  1:08 UTC (permalink / raw)


+1

Sent from my PDP-7 Running UNIX V0 expect things to be almost but not quite. 

> On Nov 1, 2017, at 8:09 PM, Dan Cross <crossd at gmail.com> wrote:
> 
>> On Wed, Nov 1, 2017 at 6:17 PM, Dave Horsfall <dave at horsfall.org> wrote:
>> The infamous Morris Worm was released in 1988; making use of known
>> vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a
>> metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was
>> accidental, but the idiot hadn't tested it on an isolated network first). A
>> temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".
> 
> I feel obligated to mention out that Robert Tappan Morris is really
> very nice and quite humble in real life. As I understand it he's never
> sought to capitalize on his infamy from the worm, and while I've never
> asked him about it (I'm sure that would be very rude) I understand
> from some of his former students that he feels very contrite about the
> whole thing. He made a mistake when he was young; the same is true of
> many of us (myself included). His mistake had the misfortune of being
> much better known than those most of us make.
> 
> I should mention that I only know him slightly, but what I have seen
> of his personality reminds me very much of how I remember Dennis
> Ritchie: affable, kind and extremely approachable.
> 
>        - Dan C.


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-01 22:17 Dave Horsfall
                   ` (3 preceding siblings ...)
  2017-11-02  0:06 ` Ralph Corderoy
@ 2017-11-02  0:09 ` Dan Cross
  2017-11-02  1:08   ` Clem cole
  2017-11-02  8:18 ` arnold
                   ` (2 subsequent siblings)
  7 siblings, 1 reply; 62+ messages in thread
From: Dan Cross @ 2017-11-02  0:09 UTC (permalink / raw)


On Wed, Nov 1, 2017 at 6:17 PM, Dave Horsfall <dave at horsfall.org> wrote:
> The infamous Morris Worm was released in 1988; making use of known
> vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a
> metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was
> accidental, but the idiot hadn't tested it on an isolated network first). A
> temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".

I feel obligated to mention out that Robert Tappan Morris is really
very nice and quite humble in real life. As I understand it he's never
sought to capitalize on his infamy from the worm, and while I've never
asked him about it (I'm sure that would be very rude) I understand
from some of his former students that he feels very contrite about the
whole thing. He made a mistake when he was young; the same is true of
many of us (myself included). His mistake had the misfortune of being
much better known than those most of us make.

I should mention that I only know him slightly, but what I have seen
of his personality reminds me very much of how I remember Dennis
Ritchie: affable, kind and extremely approachable.

        - Dan C.


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-01 22:17 Dave Horsfall
                   ` (2 preceding siblings ...)
  2017-11-01 23:15 ` Paul Winalski
@ 2017-11-02  0:06 ` Ralph Corderoy
  2017-11-02  0:09 ` Dan Cross
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 62+ messages in thread
From: Ralph Corderoy @ 2017-11-02  0:06 UTC (permalink / raw)


Hi Dave,

> (the author claimed that it was accidental, but the idiot hadn't
> tested it on an isolated network first). 

I don't think the author was an idiot;  things were different back then.
It's similar to Jordan Hubbard's rwall(1) mentioned here at the end of
September;  someone had to be the first to screw up.

He ended up a convicted felon, something I understand is quite serious
that side of the pond, that seems harsh, and it must have been quite
embarrassing for him given his father was Chief Scientist at NSA, having
moved on from Bell Labs:
https://www.bell-labs.com/usr/dmr/www/crypt.html

Without that wake-up call, and the good that came out of it, e.g. CERT
funding, it might have been a more rude awakening with more than time
burnt?

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-01 22:17 Dave Horsfall
  2017-11-01 22:32 ` Lyndon Nerenberg
  2017-11-01 23:03 ` Charles H. Sauer
@ 2017-11-01 23:15 ` Paul Winalski
  2017-11-02  0:06 ` Ralph Corderoy
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 62+ messages in thread
From: Paul Winalski @ 2017-11-01 23:15 UTC (permalink / raw)


On 11/1/17, Dave Horsfall <dave at horsfall.org> wrote:
> The infamous Morris Worm was released in 1988; making use of known
> vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a
> metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was
> accidental, but the idiot hadn't tested it on an isolated network first).

Back in 1980 I accidentally took down DEC's internal network with a
worm that was a VMS DCL script that did a SHOW NETWORK command to
display the adjacent nodes, then copied itself to each node in turn
and executed the copy.  It was intended to walk the network to provide
me with the raw information to draw up a network topology map.  The
bug was that I forgot network adjacency is commutative--there was
nothing to prevent it from running on nodes where it had been before.

Robert Morris had been an intern at DEC in the compiler group, and he
had been told about my embarrassing worm command procedure.  I've
always wondered if my mistake was his inspiration.

-Paul W.


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-01 22:17 Dave Horsfall
  2017-11-01 22:32 ` Lyndon Nerenberg
@ 2017-11-01 23:03 ` Charles H. Sauer
  2017-11-01 23:15 ` Paul Winalski
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 62+ messages in thread
From: Charles H. Sauer @ 2017-11-01 23:03 UTC (permalink / raw)


On a personal note, I happened to be at the annual Berkeley Unix Workshop 
which started just before the Worm was released 
(http://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/seely-RTMworm-89.html). 
I'd been invited to speak about the work on AIX & 4.3 convergence 
(http://technologists.com/sauer/Convergence_of_AIX_and_4.3BSD.pdf). I was 
delighted to finally meet and hang out with people that I only knew by name. 
I particularly remember spending time with Keith Bostic and Rick Rashid. As 
I remember, the Workshop was conducted almost as planned, with real time 
reports of the Worm analysis and control.

Charlie

-----Original Message----- 
From: Dave Horsfall
Sent: Wednesday, November 1, 2017 5:17 PM
To: The Eunuchs Hysterical Society
Subject: [TUHS] Happy birthday, Morris Worm!

The infamous Morris Worm was released in 1988; making use of known
vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a
metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was
accidental, but the idiot hadn't tested it on an isolated network first).
A temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will 
suffer." 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
  2017-11-01 22:17 Dave Horsfall
@ 2017-11-01 22:32 ` Lyndon Nerenberg
  2017-11-02 16:43   ` Don Hopkins
  2017-11-01 23:03 ` Charles H. Sauer
                   ` (6 subsequent siblings)
  7 siblings, 1 reply; 62+ messages in thread
From: Lyndon Nerenberg @ 2017-11-01 22:32 UTC (permalink / raw)



> On Nov 1, 2017, at 3:17 PM, Dave Horsfall <dave at horsfall.org> wrote:
> 
> A temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".

Renaming $PATH/cc to anything else also helped.


^ permalink raw reply	[flat|nested] 62+ messages in thread

* [TUHS] Happy birthday, Morris Worm!
@ 2017-11-01 22:17 Dave Horsfall
  2017-11-01 22:32 ` Lyndon Nerenberg
                   ` (7 more replies)
  0 siblings, 8 replies; 62+ messages in thread
From: Dave Horsfall @ 2017-11-01 22:17 UTC (permalink / raw)


The infamous Morris Worm was released in 1988; making use of known 
vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a 
metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was 
accidental, but the idiot hadn't tested it on an isolated network first). 
A temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."


^ permalink raw reply	[flat|nested] 62+ messages in thread

end of thread, other threads:[~2019-11-02  7:32 UTC | newest]

Thread overview: 62+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-03  0:53 [TUHS] Happy birthday, Morris Worm! Doug McIlroy
2017-11-03  1:39 ` Ken Thompson
2017-11-03  9:25   ` arnold
  -- strict thread matches above, loose matches on Subject: below --
2019-11-01 20:36 Dave Horsfall
2019-11-01 21:12 ` Dan Cross
2019-11-01 21:49 ` A. P. Garcia
2019-11-02  6:35   ` William Corcoran
2019-11-02  6:44     ` William Corcoran
2019-11-02  7:31       ` A. P. Garcia
2017-11-16 23:24 Doug McIlroy
2017-11-16 23:35 ` Ralph Corderoy
2017-11-03 10:23 Noel Chiappa
2017-11-03 11:20 ` arnold
2017-11-03 13:11 ` Arthur Krewat
2017-11-03 19:26   ` Toby Thain
2017-11-03 20:54     ` Arthur Krewat
2017-11-02 13:46 Norman Wilson
2017-11-02 14:32 ` Chet Ramey
2017-11-02 14:42 ` Will Senn
2017-11-02 15:00   ` Michael Kjörling
2017-11-02 15:26     ` Tim Bradshaw
2017-11-02 16:48       ` Don Hopkins
2017-11-02 16:50       ` Don Hopkins
2017-11-02 16:52       ` Don Hopkins
2017-11-02 16:54       ` Don Hopkins
2017-11-02 16:56       ` Don Hopkins
2017-11-02 16:57       ` Don Hopkins
2017-11-02 17:00       ` Don Hopkins
2017-11-02 17:57         ` Don Hopkins
2017-11-02 15:25   ` Dan Cross
2017-11-02 15:52     ` Will Senn
2017-11-02 18:42     ` Ken Thompson
2017-11-02 12:10 Noel Chiappa
2017-11-02 14:26 ` Dan Cross
2017-11-02  3:46 Doug McIlroy
2017-11-02  5:53 ` George Michaelson
2017-11-01 22:17 Dave Horsfall
2017-11-01 22:32 ` Lyndon Nerenberg
2017-11-02 16:43   ` Don Hopkins
2017-11-01 23:03 ` Charles H. Sauer
2017-11-01 23:15 ` Paul Winalski
2017-11-02  0:06 ` Ralph Corderoy
2017-11-02  0:09 ` Dan Cross
2017-11-02  1:08   ` Clem cole
2017-11-02  8:18 ` arnold
2017-11-02 17:56 ` Don Hopkins
2017-11-02 18:32   ` Lars Brinkhoff
2017-11-02 20:32     ` Don Hopkins
2017-11-02 21:59       ` Don Hopkins
2017-11-02 22:27         ` Ralph Corderoy
2017-11-04  1:15 ` Dave Horsfall
2017-11-15 21:36   ` Erik E. Fair
2017-11-15 21:50     ` Don Hopkins
2017-11-15 21:54     ` Ron Natalie
2017-11-16  1:05       ` Erik E. Fair
2017-11-16  1:22     ` Will Senn
2017-11-16  1:56       ` Erik E. Fair
2017-11-16  2:41         ` Ron Natalie
2017-11-16  3:00         ` Don Hopkins
2017-11-16  7:39         ` Steve Simon
2017-11-16 15:54         ` Clem Cole
2017-11-16 15:58           ` Jon Steinhart

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).