From: dave@horsfall.org (Dave Horsfall)
Subject: [TUHS] Happy birthday, Morris Worm!
Date: Sat, 4 Nov 2017 12:15:37 +1100 (EST)
Message-ID: <alpine.BSF.2.21.1711041123030.66513@aneurin.horsfall.org>
In-Reply-To: <alpine.BSF.2.21.1711020915520.66513@aneurin.horsfall.org>
Well, that sure stirred up a hornet's nest; then again, I've been a stirrer for most of my 65 years (just ask anyone who knows me, including WKT), so I guess I should've expected it...

There are far too many responses to deal with individually (it will only go exponential) so I'll make this my final post, and then it can continue off-list if people insist; if Warren has shut down the topic then I haven't noticed it yet, but at least I can see it's an active topic going by the "TUHS" tag (and thanks again Warren for reinstating that).

First, apologies I guess to anyone who was offended, but I've never balked at kicking the odd sacred cow now and then.

I would've dismissed RTM's effort as an "oopsie" that we all make from time to time, except for the following extract from the Morris Worm page:

https://en.wikipedia.org/wiki/Morris_worm

``The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether to invade a new computer by asking whether there was already a copy running. But just doing this would have made it trivially easy to stop, as administrators could just run a process that would answer "yes" when asked whether there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra "Randomization". To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes" 1 out of 7 times. This level of replication proved excessive, and the worm spread rapidly, infecting some computers multiple times. Rabin said that Morris "should have tried it on a simulator first".''

The (reconstructed) source code, easily found in a few seconds, shows just that, i.e. it was *designed* to avoid any attempts to suppress it; a simple statistical analysis shows that it would become uncontrollable even within a small cluster (I can provide it upon request, in case anyone doubts my admittedly-rusty statistical skills).

The first thing any binary did was to unlink itself, thereby making detection difficult.

It forks a lot to change the process ID, thereby making it difficult to kill.

It encrypts all the strings (a simple XOR with 0x81), thereby disguising it.

In short, although I doubt whether there was malicious intent, if I were to write something to bring down the Internet then I would start along those lines.

No doubt his goal was laudable (estimating the number of hosts) but there are weirdos like me who prefer not to be "counted" (even my census returns are illegally anonymous, by not providing a real name, no birth date but age is OK, no street address but suburb is OK; I don't care who knows that I'm an atheist as until now we were lumped in as "other"); I regularly fend off such probing attempts in my firewall (ACK scans, FIN scans, etc).

So, was RTM an idiot or not? You be the judge.
--
Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."
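The "simulator first" that Rabin wished for, as an added example that is not part of the thread or the worm's code: a constructed toy model of the "copy itself even on yes, 1 out of 7 times" rule, showing why a cluster that already answers "yes" everywhere still ends up running ever more copies. Assumed for the model: each copy probes one random host per round, copies never exit, and the fake "always say yes" daemon is modelled by the fake_yes flag.

```python
"""Toy simulator for the Morris worm's "1 out of 7" re-infection rule.

Constructed model, not the worm's code. Each round every running copy probes
one random host in a cluster. An uninfected host gets infected; a host that
already runs a copy answers "yes" and the prober backs off, except that with
probability p (1/7 in the worm) it infects anyway. Copies never exit.
fake_yes models the countermeasure the rule was meant to defeat: a daemon
answering "yes" on every host whether or not a copy is really present.
"""
import math
import random

REINFECT_P = 1.0 / 7.0  # copy itself even on "yes", 1 time in 7

def simulate(hosts, rounds, p=REINFECT_P, seed=1, fake_yes=False):
    """Return the total number of worm copies in the cluster after each round."""
    rng = random.Random(seed)
    copies = [0] * hosts  # copies currently running on each host
    copies[0] = 1         # patient zero
    history = []
    for _ in range(rounds):
        new = [0] * hosts
        for count in copies:
            for _ in range(count):
                target = rng.randrange(hosts)
                says_yes = fake_yes or copies[target] + new[target] > 0
                if not says_yes or rng.random() < p:
                    new[target] += 1
        copies = [old + added for old, added in zip(copies, new)]
        history.append(sum(copies))
    return history

def expected_copies(start, rounds, p=REINFECT_P):
    """Once every host answers "yes", each copy still spawns p new copies per
    round on average, so the population grows geometrically and is never capped."""
    return start * (1.0 + p) ** rounds

def rounds_to_double(p=REINFECT_P):
    """Rounds for a saturated cluster to double its worm count (about 5.2 at p=1/7)."""
    return math.log(2.0) / math.log(1.0 + p)

if __name__ == "__main__":
    # Constructed scenario: a 20-host cluster watched for 40 rounds.
    obey, worm, fooled = (simulate(20, 40, p=0.0), simulate(20, 40),
                          simulate(20, 40, fake_yes=True))
    for r in (5, 10, 20, 40):
        print(f"round {r:2d}: honours-yes={obey[r-1]:4d}  1-in-7={worm[r-1]:6d}  "
              f"fake-yes-daemon={fooled[r-1]:5d}")
    print(f"saturated cluster doubles its worm count every {rounds_to_double():.1f} rounds")
```

A worm that honours "yes" plateaus at one copy per host, while the 1-in-7 rule keeps the count climbing after saturation and the fake-yes daemon only slows it to the same geometric growth from a lower start.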