The Unix Heritage Society mailing list
From: Dave Horsfall <dave@horsfall.org>
To: The Eunuchs Hysterical Society <tuhs@tuhs.org>
Subject: Re: [TUHS] Happy birthday Morris worm
Date: Wed, 13 Nov 2019 09:00:26 +1100 (EST)
Message-ID: <alpine.BSF.2.21.9999.1911130822290.11612@aneurin.horsfall.org>
In-Reply-To: <1573592179.5935.for-standards-violators@oclsc.org>

On Tue, 12 Nov 2019, Norman Wilson wrote:

> I think I recall an explicit statement somewhere from an interview with 
> Robert that the worm was inspired partly by Shockwave Rider.

Yes, I noticed the similarity too.

> I confess my immediate reaction to the worm was uncontrollable laughter. 
> I was out of town when it happened, so I first heard it from a newspaper 
> article (and wasn't caught up in fighting it or I'd have laughed a lot 
> less, of course); and it seemed to me hilarious when I read that Robert 
> was behind it.  He had interned with 1127 for a few summers while I was 
> there, so I knew him as very bright but often a bit careless about 
> details; that seemed an exact match for the worm.

That was the trouble; had he bothered to test it on a private network (as 
if a true professional would even consider carrying out such an act)[*] he 
would've noticed that his probability calculations were arse-backwards, 
and so spread much faster than it "should" have.

> My longer-term reaction was to completely drop my sloppy old habit 
> (common in those days not just in my code but in that of many others) of 
> ignoring possible buffer overflows. I find it mind-boggling that people 
> still make that mistake; it has been literal decades since the lesson 
> was rubbed in our community's collective noses.  I am very disappointed 
> that programming education seems not to care enough about this sort of 
> thing, even today.

Yep.  Don't use fixed-length buffers unless you *know* that it will
not overflow (i.e. the data is under your control), and don't trust
user input (especially if the reader is an interpreter with the
possibility of spawning a shell); there are of course others.

This is what you get when people call themselves programmers because
they once took a course in programming or read a book; that's like
calling oneself a doctor because you took a first-aid course...

One of my favourite examples is "Barbie the Computer Engineer" (grep the 
net for it, but warning: the title contains a naughty word).

Oh, OK; here's a sanitised URL:

    http://www.gizmodo.com.au/2014/11/barbie-fks-it-up-again/

Yes, that really is the URL; I've just tested it (but contents may offend
some viewers; you have been warned).

[*]
And for those who slagged me off for calling him an idiot, try this quick 
quiz: on a scale from utter moron to sheer genius, what do you call 
someone who deliberately releases untested software designed to compromise 
machines that are not under his administrative control in order to make 
some sort of a point?  I don't know about other countries, but try that in 
Australia and you'd be seriously out of pocket and/or doing porridge.

-- Dave (BSc, majoring in Computer Science and Mathematics)
