From mboxrd@z Thu Jan 1 00:00:00 1970 From: dave@horsfall.org (Dave Horsfall) Date: Sat, 4 Nov 2017 12:15:37 +1100 (EST) Subject: [TUHS] Happy birthday, Morris Worm! In-Reply-To: References: Message-ID: Well, that sure stirred up a hornet's nest; then again, I've been a stirrer for most of my 65 years (just ask anyone who knows me, including WKT), so I guess I should've expected it... There are far too many responses to deal with individually (it will only go exponential) so I'll make this my final post, and then it can continue off-list if people insist; if Warren has shut down the topic then I haven't noticed it yet, but at least I can see it's an active topic going by the "TUHS" tag (and thanks again Warren for reinstating that). First, apologies I guess to anyone who was offended, but I've never balked at kicking the odd sacred cow now and then. I would've dismissed RTM's effort as an "oopsie" that we all make from time to time, except for the following extract from the Morris Worm page: https://en.wikipedia.org/wiki/Morris_worm ``The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether to invade a new computer by asking whether there was already a copy running. But just doing this would have made it trivially easy to stop, as administrators could just run a process that would answer "yes" when asked whether there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra "Randomization". To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes" 1 out of 7 times. This level of replication proved excessive, and the worm spread rapidly, infecting some computers multiple times. Rabin said that Morris "should have tried it on a simulator first".'' The (reconstructed) source code, easily found in a few seconds, shows just that i.e. it was *designed* to avoid any attempts to suppress it; a simple statistical analysis shows that it would become uncontrollable even within a small cluster (I can provide it upon request, in case anyone doubts my admittedly-rusty statistical skills). The first thing any binary did was to unlink itself, thereby making detection difficult. It forks a lot to change the process ID, thereby making it difficult to kill. It encrypts all the strings (a simple XOR with 0x81), thereby disguising it. In short, although I doubt whether there was malicious intent, if I were to write something to bring down the Internet then I would start along those lines. No doubt his goal was laudable (estimating the number of hosts) but there are weirdos like me who prefer not to be "counted" (even my census returns are illegally anonymous, by not providing a real name, no birth date but age is OK, no street address but suburb is OK; I don't care who knows that I'm an atheist as until now we were lumped in as "other"); I regularly fend off such probing attempts in my firewall (ACK scans, FIN scans, etc). So, was RTM an idiot or not? You be the judge. -- Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."