
'Morris Worm' Turns 25: Watch How TV Covered It Then

timothy posted about a year ago | from the luckily-it-was-all-hype dept.

Security 51

netbuzz writes "On Nov. 2, 1988, mainstream America learned for the first time that computers get viruses, too, as the now notorious "Morris worm" made front-page headlines after first making life miserable for IT professionals. A PBS television news report about the worm offers a telling look at how computer viruses were perceived (or not) at the time. 'Life in the modern world has a new anxiety today,' says the news anchor. 'Just as we've become totally dependent on our computers they're being stalked by saboteurs, saboteurs who create computer viruses.'"


A Warning? (3, Insightful)

Anonymous Coward | about a year ago | (#45310073)

It was more than a "warning". It turned into a multi-billion dollar industry.

Re: A Warning? (-1)

Anonymous Coward | about a year ago | (#45310163)

You're a homo truck-drivin' man.

Re: A Warning? (-1, Flamebait)

jones_supa (887896) | about a year ago | (#45310287)

An employed homosexual truck driver sounds like a much better scenario than that life of yours, which involves lurking in your mother's basement and doing nothing useful.

Re: A Warning? (0)

Anonymous Coward | about a year ago | (#45310397)

Actually, I've been lurking in *your* mother's basement. BTW I wish she practiced better hygiene.

Re: A Warning? (0)

gatkinso (15975) | about a year ago | (#45311279)

Well played sir. Touché!

Re: A Warning? (0)

Anonymous Coward | about a year ago | (#45310401)

Nope his mommy and daddy made him get a job. He gives head down at the truck stop to the fag truckers.

-- Ethanol-fueled

Re: A Warning? (0)

Anonymous Coward | about a year ago | (#45310571)

How's it feel to lose your job to him?

Re: A Warning? (0)

Anonymous Coward | about a year ago | (#45310655)

Great. Just what the world needs. A transcontinental homosexualist.

60 years ago (1)

Anonymous Coward | about a year ago | (#45310083)

How did we function in black and white?

Re:60 years ago (4, Funny)

JustOK (667959) | about a year ago | (#45310149)

The important thing was that we had an onion tied to our belt, which was the style at the time.

Re:60 years ago (1)

Anonymous Coward | about a year ago | (#45310221)

"Gimme 5 bees for a quarter!", we used to say.

Oh how we've fallen (-1)

Anonymous Coward | about a year ago | (#45310101)

Seems like more faithful coverage of a virus than present day coverage.
How the media refers to viruses and 'hackers' these days makes me cringe.

I'mmadashellandImnotgonnatakeitanymore!!! (1, Troll)

flyneye (84093) | about a year ago | (#45310123)

"they're being stalked by saboteurs, saboteurs who create computer viruses."

We have an NSA with nothing better to do than fuck with the people of the world, who, mostly aren't doing anything wrong. Tell me why ANY of our spying agencies couldn't FIND the coders, worldwide, and eliminate the possibility of their ever writing malicious code again, with extreme prejudice. I pay good tax money to be protected within my borders, not fucked with by the help.
Let's send that fucking monkey in the White House a message. Everyone, stand up, go to your window @ noon and scream at the top of your lungs " Put our money back to work for us you fucking bastard, or YOU'RE FIRED!!!!!!"

Get out of jail free card (5, Interesting)

Anonymous Coward | about a year ago | (#45310165)

Don't forget, Bob Morris's dad was head of the NSA. Where do you think Bob learned that the ordinary system security is horrid? And where do you think Bob learned that, when you screw up and lives and careers are at stake, it's more important to go hiding the evidence that might lead back to you than to publish the mistake and help get the mistake controlled?

Must be nice to have a dad who can help keep the NSA from reporting anything for a *week* while the civilians reverse engineered the work and tracked it back, and who can help guide your career into a nice little computer lab at MIT where you can produce nothing useful for the rest of your life, but will be out of your dad's hair. (Look up Computer Architecture Group at MIT, and its complete lack of useful projects or meaningful work from Robert Tappan Morris). My dad would have beat me with a *stick* for this kind of stupidity.

I'm not so mad at him because he wrote the worm: a technical error caused it to spew far more copies than intended, it was supposed to only prove poor security. I'm mad at him because he acted like a kid who went camping in a national park, set a fire where he wasn't supposed to, and *drove out of state to hide* instead of reporting the fire. The bastard cost me weeks of work in my own lab, cleaning up from his mess, and ruined chances to do vital medical experiments that I was involved in. Medical research labs live on a shoestring as it is, knocking us and our colleagues offline could and did ruin years of work. I was personally *lucky*, because of thorough backup policies and I knew what I was doing to recover, but a lot of labs suffered far worse. (I did a lot of helping out in the next month.)

Re:Get out of jail free card (1)

Anonymous Coward | about a year ago | (#45310317)

Robert Morris is nothing like that. This is a guy who was so publicity shy after that stunt that he left his name off of things.

I also love how you claim that you can look up some MIT professor and declare his work is useless. Let's go look up Anonymous Coward online and see how much good work you've done!

Re:Get out of jail free card (1)

Anonymous Coward | about a year ago | (#45310395)

That's not "shyness", that's "staying off the radar so people don't remember what a jerk you were".

Re:Get out of jail free card (0)

Anonymous Coward | about a year ago | (#45313481)

You missed the adverb, "publicity"... so the meaning comes from "publicity shy", not "shy".

Re:Get out of jail free card (3, Interesting)

Anonymous Coward | about a year ago | (#45310845)

Robert Morris wasn't the head of the NSA - He worked there from 86 to 94. He was certainly an accomplished cryptographer.

I was working at a Silicon Valley company at the time. As I remember - the worm was an experiment that escaped into the wild. It was capable of infecting Vaxen and Sun boxes. I also was a reader of comp.risks - a venerable Usenet group that had a great/detailed blow-by-blow of the effects and analysis of the occurrence. If anyone is interested in REALLY hearing the story - go look those archives up.

I believe it was estimated that 6000 computers were infected by the worm. This pails in comparison to today's mass infections, DOS attacks, etc.

I'm sorry that you were inconvenienced - for me - email/usenet was slow for a couple days.

As I recall we didn't have ANY infected machines in the company I was at (a major Terminal/PC manufacturer of the time). The point to make is that Junior was punished for something that was really a mistake, and unintentional. So he has done his time and the world got fair warning about what was to come!

Re:Get out of jail free card (-1)

Anonymous Coward | about a year ago | (#45310857)

"pails"? LOL

Re:Get out of jail free card (1)

eyenot (102141) | about a year ago | (#45313041)

Well, the way I read it, the problem wasn't that he choked storage with copies of the virus but that he screwed up in thinking that the phone system could handle all of these copies of the virus trying to make calls at once. He didn't realize the phone system was mechanical, for some reason, and couldn't handle a number of calls from a geometrically huge number of sources, all at once. Which is how the virus first got noticed. If I read the articles on the worm correctly.

But his mistake, in my opinion, wasn't writing the virus. I have to say and admit publicly, that I don't think RTM was ethically wrong in creating that hookworm and letting it free. See, he had already gone to people -- people in positions of authority -- who should have been more interested in what he was saying. And they failed to take much interest, and he was marginalized because of his efforts to do the right thing.

In the long run, we can measure the economic loss to the RTM worm in scant thousands of dollars in immediate cost. Projected costs, if we take into consideration that perhaps not being able to connect over the phone system to somebody in Massachusetts caused some broker to fuck up a $10,000,000 deal, we could add $10mil to it, but realistically it wasn't a huge fucking deal. Even calling it a mistake begs qualification of the term, for the sake of clarifying the direction of the vector his mistake was scalar to.

Re:Get out of jail free card (1)

Zero__Kelvin (151819) | about a year ago | (#45314617)

"Well, the way I read it, the problem wasn't that he choked storage with copies of the virus but that he screwed up in thinking that the phone system could handle all of these copies of the virus trying to make calls at once. He didn't realize the phone system was mechanical, for some reason, and couldn't handle a number of calls from a geometrically huge number of sources, all at once. Which is how the virus first got noticed. If I read the articles on the worm correctly."

If you are reading an article correctly then you are reading a completely bogus article. It had absolutely nothing to do with telephones. He chose a bad value and was quoted as saying that he should have simulated before release. I have no idea where anyone would get the whole "He didn't realize the phone system was mechanical, for some reason" bullshit, which was clearly pulled out of someone's ass. I just read the Wiki article for a refresher and it describes exactly what John Markoff and Katie Hafner wrote in Cyberpunk: Outlaws and Hackers on the Computer Frontier in 1992, which IIRC has a direct quote from RTM to this effect.

Re:Get out of jail free card (1)

eyenot (102141) | about a year ago | (#45322757)

Then you obviously aren't aware of what tipped off the authorities to the existence of his worm in the first place.

Re:Get out of jail free card (1)

Zero__Kelvin (151819) | about a year ago | (#45331437)

I'm 100% certain of what tipped off the authorities and it has absolutely nothing to do with RTM and if he understood telephones.

" He didn't realize the phone system was mechanical, for some reason"

That is just a phenomenally stupid claim to make. By your own admission elsewhere in this thread you know nothing about the situation other than what you read in a magazine article, so just accept that you are clueless on the subject and move on with your life.

Re:Get out of jail free card (0)

Anonymous Coward | about a year ago | (#45327391)

He didn't realize the phone system was mechanical, for some reason, and couldn't handle a number of calls from a geometrically huge number of sources, all at once. Which is how the virus first got noticed. If I read the articles on the worm correctly.

That isn't an accurate or fair assessment of him.

Claiming he didn't realize these things is directly contradicted by the limiting code he wrote into the thing and his actions of (attempting) to send a patch to two of the zero day holes he was using to spread the thing via sendmail.

I mean ignoring the typos and errors in the code, he did in fact attempt to limit each copy of the worm in that after a copy infected a new system, it would check if and how many copies were already running there, and just self-kill itself if it already had two processes running.

The problem of course was screwing up that code and making the 2 a 20 or 200 or something, and that many copies running at full bore just brought many systems' network stacks or CPUs to their knees.

Even the many people analyzing the code easily saw what it was supposed to be limited to, and readily admitted that at the time. No one looking at the worm at the time thought the coding error was intentional. There were apparently many such errors, though most others not causing such problems.

Now this isn't all to say he didn't fuck up bad, in many ways. Nor does it justify or excuse anything.
In fact the Morris worm is example #1 used against the idea of any "release a worm to patch security holes the vendor won't" ideas that pop up every so often even to this day. One little typo and the cure is easily worse than the original problem.

My only point is speculating Robert's intent in this way.
It really seems like he did realize to an extent how bad it could get, enough to put some effort into minimizing it, even if not realizing the entire plan was a bad idea.
He has given a few interviews after the fact, which all seem consistent with each other at least, and with 3rd party accounts of the timeline. He discussed his worm plan with his small circle of friends, and they not only are consistent with each other and Robert's account, but not all are completely flattering as one would expect if they were only covering for a friend.
I think I even remember one of his closer friends that knew more of what Robert was up to than most, was ready to turn him in himself. I can't remember if he actually did or not.

Robert also tried to anonymously send out some patches to fix things once he realized how bad it got.
One was a fix to sendmail, which was one of the main ways the worm spread itself.
Another patch he sent out effectively made the system appear infected with more copies of the worm than the actual threshold it had with the errors in the code, so new copies infecting the system would always kill itself.

The only problem was that back in those days, a lot of admins only knew each other online and so only had online contacts, like email. But the worm was crippling internet email, preventing the fixes from being delivered before a clean system brought back online just got infected and bogged down again.
It took some time for people with phone or other in person contacts to spread the word "out of band" to everywhere it was needed.

Today it's not just feasible but common-sense to simulate such things in a virtual environment, then in a limited real network (air-gapped or the like), before trying the real thing.
Today such software is also typically sponsored by big-money, be it organized crime or governments or the big name black-hat groups. More money means more resources to write good code, and to test the code. Also, the main goal these days is generally stealing of information, and so staying undetected is a desired feature. The longer you remain undetected, the more opportunity to intercept valuable info. That's where the money is to be made after all.

But back then, there was next to nothing "commercial" about the arpanet. It was even a rule for the big services (like usenet) to keep commercial things off the net.
There wasn't much to steal or profit from then, so it is very fitting that the worm was basically for bragging rights that it was possible. Which I can imagine would have been fairly epic had the plan worked as intended. Not many non-software developers get to claim a process they created is running on next to every machine on the network after all.

So sorry for the tome like reply. In general you have the right idea of what happened, even though some details are off (It was a long time ago after all.)
It's just that punishing curiosity and above-average-but-of-course-not-perfect intelligence seems to be a more recent trend in our culture, and seeing it applied retroactively and with such lack of empathy, sort of hit a bit of a nerve.
(While not near this extent or level, I too have made similar screw ups that were incorrectly attributed to malice on my part, where none was present at the time in the slightest)
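The per-host limit this comment describes, as a toy model added here (not code from the worm or from the commenter): each arriving copy counts the copies already running and exits at the limit, and the "appear infected" fix is modeled as hosts that always report the limit. The host count, fan-out and target selection are assumptions; 2 and 200 are the comment's own figures.

```python
"""Toy model of a per-host copy limit (constructed example, no networking)."""


def simulate(hosts, limit, rounds, fanout=3, inoculated=frozenset()):
    """Return the number of copies running on each host after `rounds`.

    hosts      -- number of hosts, numbered 0..hosts-1; host 0 starts with one copy
    limit      -- an arriving copy exits if it already sees `limit` copies running
    fanout     -- targets each running copy tries per round (assumed value)
    inoculated -- hosts that always report `limit` copies, so every arrival exits
    """
    running = [0] * hosts
    running[0] = 1
    for rnd in range(rounds):
        arrivals = [0] * hosts
        for src, copies in enumerate(running):
            for copy in range(copies):
                for j in range(1, fanout + 1):
                    # Deterministic stand-in for target selection (assumption).
                    dst = (src + j * (copy + 1) + rnd) % hosts
                    if dst != src:
                        arrivals[dst] += 1
        for dst, count in enumerate(arrivals):
            if dst in inoculated:
                continue  # host reports `limit` copies: every arrival exits
            # Each arrival counts the copies present and exits at the limit,
            # so the per-host count can never exceed `limit`.
            running[dst] = min(limit, running[dst] + count)
    return running


def summary(hosts, limit, rounds, **kwargs):
    """Per-host peak and network-wide total for one run."""
    running = simulate(hosts, limit, rounds, **kwargs)
    return {"limit": limit, "max_per_host": max(running), "total": sum(running)}


if __name__ == "__main__":
    HOSTS, ROUNDS = 50, 6  # constructed scenario
    for limit in (2, 200):
        print(summary(HOSTS, limit, ROUNDS))
    # The fix described above: every host except the origin reports the limit.
    shielded = frozenset(range(1, HOSTS))
    print(summary(HOSTS, 200, ROUNDS, inoculated=shielded))
```

The reinfection rate is identical in every run; only the limit and the set of hosts reporting it change, which is why a single wrong constant decides whether a host carries two processes or hundreds.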

Re:Get out of jail free card (1)

gatkinso (15975) | about a year ago | (#45311299)

Robert Morris was not "head of the NSA." He was a department head there.

Re:Get out of jail free card (0)

Anonymous Coward | about a year ago | (#45312821)

You mad, bro?

Re:Get out of jail free card (1)

eyenot (102141) | about a year ago | (#45312985)

I'd say the more important technical error was allowing every copy of the worm to attempt the connection without checking to see if the connection was already being made from that terminal, first.

ET? (4, Funny)

Neo-Rio-101 (700494) | about a year ago | (#45310191)

The most important thing from that video is that it explained computer viruses while Atari 2600 ET was on the screen. Some Atari 2600 users still believe that ET was the first console cartridge virus.


Anonymous Coward | about a year ago | (#45310201)

So what is new there ??

Espionage, NSA, the Morris Worm, and more (5, Interesting)

cold fjord (826450) | about a year ago | (#45310219)

The Morris Worm was written by Cornell University student Robert T. Morris while in school. He is the son of former chief scientist of the NSA's National Computer Security Center, and inventor of the Unix password scheme, Robert Morris. The incident is discussed in part of this book:

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage

I've enjoyed reading it more than once.

Cookie monster? (0)

Anonymous Coward | about a year ago | (#45310235)

Wasn't the first virus the "I want cookies" virus? Or was that a worm? Or a trojan?

Re:Cookie monster? (2)

GPierce (123599) | about a year ago | (#45312257)

The original "cookie monster" ran on an IBM mainframe back in the early 1970s. It printed "I want a cookie" on the operator console. After being ignored too many times, it would do a number of annoying things such as rewinding mag tapes or sending the printer a command to skip to a channel on the control tape that was hardly ever used - result was paper being ejected at a very high speed until the operator ran over and pushed the off button. The alternative was for the operator to type in the word "cookie" every time the monster woke up.

"Totally Dependent On Computers" (1)

Arancaytar (966377) | about a year ago | (#45310253)

Man, 1988 had no idea.

Re:"Totally Dependent On Computers" (0)

Anonymous Coward | about a year ago | (#45310669)

...are you for real? Hell, by the 1960s computers were already used to calculate payrolls, in factories and for scientific calculations. Again, are you for real? How do you think the Space Age happened? Computers. Fighters like the F-14 had flight control computers by the late 1960s.

Nobody Seems To Notice and Nobody Seems To Care (-1, Offtopic)

Anonymous Coward | about a year ago | (#45310289)


Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware

"In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms

How many rootkits does the US[2] use officially or unofficially?

How much of the free but proprietary software in the US spies on you?

Which software would that be?

Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.

How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?

If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?

I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:

APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.

Where are the commercial or free anti-malware organizations and individual's products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.

The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.

Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.

Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware are government in origin. Maybe not from the US, but most of the 'curious' malware I've come across in poisoned binaries, were written by someone with a good knowledge in English, some, I found, functioned similar to the now well known Flame malware. From my experience, either many forum/mailing list mods and malware developers/defenders are 'on the take', compromised themselves, and/or working for a government entity.

Search enough, and you'll arrive at some lone individuals who cry out their system is compromised and nothing in their attempts can shake it of some 'strange infection'. These posts receive the same behavior as I said above, but often they are lone posts which receive no answer at all, AT ALL! While other posts are quickly and kindly replied to and the 'strange infection' posts are left to age and end up in a lost pile of old threads.

If you're persistent, the usual challenge is to, "prove it or STFU" and if the thread is not attacked or locked/shuffled and you're lucky to reference some actual data, they will usually attack or ridicule you and further drive the discussion away from actual proof of APT infections.

The market is ripe for an ambitious company or individual to begin demanding companies and organizations who release firmware and design hardware to release signed and hashed packages and pour this information into the cloud, so everyone's BIOS is checked, all firmware on routers, NICs, and other devices are checked, and malware identified and knowledge reported and shared openly.

But even this will do nothing to stop backdoored firmware (often on commercial routers and other networked devices of real importance for government use - which again opens the possibility of hackers discovering these backdoors) people continue to use instead of refusing to buy hardware with proprietary firmware/software.

Many people will say, "the only safe computer is the one disconnected from any network, wireless, wired, LAN, internet, intranet" but I have seen and you can search yourself for and read about satellite, RF, temperature, TEMPEST (is it illegal in your part of the world to SHIELD your system against some of these APT attacks, especially TEMPEST? And no, it's not simply a CRT issue), power line and many other attacks which can and do strike computers which have no active network connection, some which have never had any network connection. Some individuals have complained they receive APT attacks throughout their disconnected systems and they are ridiculed and labeled as a nutter. The information exists, some people have gone so far as to scream from the rooftops online about it, but they are nutters who must have some serious problems and this technology with our systems could not be possible.

I believe most modern computer hardware is more powerful than many of us imagine, and a lot of these systems swept from above via satellite and other attacks. Some exploits take advantage of packet radio and some of your proprietary hardware. Some exploits piggyback and unless you really know what you're doing, and even then... you won't notice it.

Back to the Windows users, a lot of them will dismiss any strange activity to, "that's just Windows!" and ignore it or format again and again only to see the same APT infected activity continue. Using older versions of sysinternals, I've observed very bizarre behavior on a few non networked systems, a mysterious chat program running which doesn't exist on the system, all communication methods monitored (bluetooth, your hard/software modems, and more), disk mirroring software running[1], scans running on different but specific file types, command line versions of popular Windows freeware installed on the system rather than the use of the graphical component, and more.

[1] In one anonymous post on pastebin, claiming to be from an intel org, it blasted the group Anonymous, with a bunch of threats and information, including that their systems are all mirrored in some remote location anyway.

[2] Or other government, US used in this case due to the article source and speculation vs. China. This is not to defend China, which is one messed up hell hole on several levels and we all need to push for human rights and freedom for China's people. For other, freer countries, however, the concentration camps exist but you wouldn't notice them, they originate from media, mostly your TV, and you don't even know it. As George Carlin railed about "Our Owners", "nobody seems to notice and nobody seems to care".

[3] []

Try this yourself on a wide variety of internet forums and mailing lists, push for malware scanners to scan more than files, but firmware/BIOS. See what happens, I can guarantee it won't be pleasant, especially with APT cases.

So scan away, or blissfully ignore it, but we need more people like RMS[3] in the world. Such individuals tend to be eccentric but their words ring true and clear about electronics and freedom.

I believe we're mostly pwned, whether we would like to admit it or not, blind and pwned, yet fiercely holding to misinformation, often due to lack of self discovery and education, and "nobody seems to notice and nobody seems to care".


Schneier has covered it before: power line fluctuations (differences on the wire in keys pressed).

There's thermal attacks against cpus and temp, also:

ENF (google it)

A treat (ENF Collector in Java):

sourceforge dot net fwdslash projects fwdslash nfienfcollector

No single antimalware scanner exists which offers the ability to scan (mostly proprietary) firmware on AGP/PCI devices (sound cards, graphics cards, usb novelty devices excluding thumb drives), BIOS/CMOS.

If you boot into ultimate boot cd you can use an arcane text interface to dump BIOS/CMOS and examine/checksum.

The real attacks which survive disk formats and wipes target your PCI devices and any firmware which may be altered/overwritten with something special. It is not enough to scan your hard drive(s) and thumb drives, the real dangers with teeth infect your hardware devices.

When is the last time you:

Audited your sound card for malware?
Audited your graphics card for malware?
Audited your network card for malware?

Google for:

* AGP and PCI rootkit(s)
* Network card rootkit(s)
* BIOS/CMOS rootkit(s)

Our modern PC hardware is capable of much more than many can imagine.

Do you:

        Know your router's firmware may easily be replaced on a hacker's whim?
        Shield all cables against leakage and attacks?
        Still use an old CRT monitor and beg for TEMPEST attacks?
        Use TEMPEST resistant fonts in all of your applications including your OS?
        Know whether or not your wired keyboard has keypresses encrypted as they pass to your PC from the keyboard?
        Use your PC on the grid and expose yourself to possible keypress attacks?
        Know your network card is VERY exploitable when plugged into the net and attacked by a hard core blackhat or any vicious geek with the know how?
        Search out informative papers on these subjects and educate your friends and family about these attacks?
        Contact antimalware companies and urge them to protect against many or all these attacks?

Do you trust your neighbors? Are they all really stupid when it comes to computing or is there a geek or two without a conscience looking to exploit these areas?

The overlooked threat is the potential civilian rogues stationed around you, especially in large apartment blocks, who feed on unsecured wifi to do their dirty work.

With the recent news of Russian spies, whether or not this news was real or a psyop, educate yourself on the present threats which all antimalware scanners fail to protect against and remove any smug mask you may wear, be it Linux or OpenBSD, or the proprietary Windows and Mac OS you feel are properly secured and not vulnerable to any outside attacks because you either don't need an antivirus scanner (all are inept to serious attacks) or use one or several (many being proprietary mystery machines sending data to and from your machine for many reasons, one is to share your information with a group or set database to help aid in threats), the threats often come in mysterious ways.

Maybe the ancients had it right: stone tablets and their own unique language(s) rooted in symbolism.


I'm more concerned about new rootkits which target PCI devices, such as the graphics card and the optical drives, also, BIOS. Where are the malware scanners which scan PCI devices and BIOS for mismatches? All firmware, BIOS and on PCI devices should be checksummed and saved to match with others in the cloud, and archived when the computer is first used, backing up signed firmware.

When do you recall seeing signed router firmware upgrades with any type of checksum to check against? Same for PCI devices and optical drives and BIOS.

Some have begun with BIOS security: []

Some BIOS has write protection in its configuration, a lot of newer computers don't.


"Disconnect your PC from the internet and don't add anything you didn't create yourself. It worked for the NOC list machine in Mission Impossible"

The room/structure was likely heavily shielded, whereas most civvies don't shield their house and computer rooms. There is more than meets the eye to modern hardware.


subversion hack:

UPDATE on tagmeme domain - 11/2013 - You'll have to use to recover and view pages and files from the tagmeme domain as it has been abandoned and the content removed.

network card rootkits and trojans
pci rootkits
packet radio
xmit "fm fingerprinting" software
"specific emitter identification"

how many malware scanners scan bios/cmos and pci/agp cards for malware? zero, even the rootkit scanners. have you checksummed/dumped your bios/cmos and firmware for all your pci/agp devices and usb devices, esp vanity usb devices in and outside the realm of common usb devices (thumbdrives, external hdds, printers),

Unless your computer room is shielded properly, the computers may still be attacked and used, I've personally inspected computers with no network connection running mysterious code in the background which task manager for windows and the equiv for *nix does not find, and this didn't find it all.

Inspect your windows boot partition in *nix with hexdump and look for proxy packages mentioned along with command line burning programs and other oddities. Computers are more vulnerable than most would expect.

You can bet all of the malware scanners today, unless they are developed by some lone indy coder in a remote country, employ whitelisting of certain malware and none of them scan HARDWARE devices apart from the common usb devices.

Your network cards, sound cards, cd/dvd drives, graphics cards, all are capable of carrying malware to survive disk formatting/wiping.

Boot from a Linux live cd and use hexdump to examine your windows (and *nix) boot sectors to potentially discover interesting modifications by an unknown party.


sorry about that (1)

raymorris (2726007) | about a year ago | (#45310651)

Okay so I'm not THAT Morris, but I am an information systems security professional.

ET? (1)

Anonymous Coward | about a year ago | (#45310841)

Lmao on the ET game as a representation of using tons of memory.

From Comp.Risks 7.73 What really happened (3, Interesting)

stevew (4845) | about a year ago | (#45310979)

Date: Tue, 8 Nov 88 21:40:00 PST
From: (the tty of Geoff Goodfellow)
Subject: NYT/Markoff: The Computer Jam -- How it came about

c.1988 N.Y. Times News Service, 8-Nov-88

      Computer scientists who have studied the rogue program that crashed through
many of the nation's computer networks last week say the invader actually
represents a new type of helpful software designed for computer networks.
      The same class of software could be used to harness computers spread around
the world and put them to work simultaneously.
      It could also diagnose malfunctions in a network, execute large computations
on many machines at once and act as a speedy messenger.
      But it is this same capability that caused thousands of computers in
universities, military installations and corporate research centers to stall
and shut down the Defense Department's Arpanet system when an illicit version
of the program began interacting in an unexpected way.
      ``It is a very powerful tool for solving problems,'' said John F. Shoch, a
computer expert who has studied the programs. ``Like most tools it can be
misused, and I think we have an example here of someone who misused and abused
the tool.''
      The program, written as a ``clever hack'' by Robert Tappan Morris, a
23-year-old Cornell University computer science graduate student, was
originally meant to be harmless. It was supposed to copy itself from computer
to computer via Arpanet and merely hide itself in the computers. The purpose?
Simply to prove that it could be done.
      But by a quirk, the program instead reproduced itself so frequently that the
computers on the network quickly became jammed.
      Interviews with computer scientists who studied the network shutdown and
with friends of Morris have disclosed the manner in which the events unfolded.
      The program was introduced last Wednesday evening at a computer in the
artificial intelligence laboratory at the Massachusetts Institute of
Technology. Morris was seated at his terminal at Cornell in Ithaca, N.Y., but
he signed onto the machine at MIT. Both his terminal and the MIT machine were
attached to Arpanet, a computer network that connects research centers,
universities and military bases.
      Using a feature of Arpanet, called Sendmail, to exchange messages among
computer users, he inserted his rogue program. It immediately exploited a
loophole in Sendmail at several computers on Arpanet.
      Typically, Sendmail is used to transfer electronic messages from machine to
machine throughout the network, placing the messages in personal files.
      However, the programmer who originally wrote Sendmail three years ago had
left a secret ``backdoor'' in the program to make it easier for his work. It
permitted any program written in the computer language known as C to be mailed
like any other message.
      So instead of a program being sent only to someone's personal files, it
could also be sent to a computer's internal control programs, which would start
the new program. Only a small group of computer experts -- among them Morris --
knew of the backdoor.
      As they dissected Morris's program later, computer experts found that it
elegantly exploited the Sendmail backdoor in several ways, copying itself from
computer to computer and tapping two additional security provisions to enter
new computers.
      The invader first began its journey as a program written in the C language.
But it also included two ``object'' or ``binary'' files -- programs that could
be run directly on Sun Microsystems machines or Digital Equipment VAX computers
without any additional translation, making it even easier to infect a computer.
      One of these binary files had the capability of guessing the passwords of
users on the newly infected computer. This permits wider dispersion of the
rogue program.
      To guess the password, the program first read the list of users on the
target computer and then systematically tried using their names, permutations
of their names or a list of commonly used passwords. When successful in
guessing one, the program then signed on to the computer and used the
privileges involved to gain access to additional computers in the Arpanet
      Morris's program was also written to exploit another loophole. A program on
Arpanet called Finger lets users on a remote computer know the last time that a
user on another network machine had signed on. Because of a bug, or error, in
Finger, Morris was able to use the program as a crowbar to further pry his way
through computer security.
      The defect in Finger, which was widely known, gives a user access to a
computer's central control programs if an excessively long message is sent to
Finger. So by sending such a message, Morris's program gained access to these
control programs, thus allowing the further spread of the rogue.
      The rogue program did other things as well. For example, each copy
frequently signaled its location back through the network to a computer at the
University of California at Berkeley. A friend of Morris said that this was
intended to fool computer researchers into thinking that the rogue had
originated at Berkeley.
      The program contained another signaling mechanism that became its Achilles'
heel and led to its discovery. It would signal a new computer to learn whether
it had been invaded. If not, the program would copy itself into that computer.
      But Morris reasoned that another expert could defeat his program by sending
the correct answering signal back to the rogue. To parry this, Morris
programmed his invader so that once every 10 times it sent the query signal it
would copy itself into the new machine regardless of the answer.
      The choice of 1 in 10 proved disastrous because it was far too frequent. It
should have been one in 1,000 or even one in 10,000 for the invader to escape
      But because the speed of communications on Arpanet is so fast, Morris's
illicit program echoed back and forth through the network in minutes, copying
and recopying itself hundreds or thousands of times on each machine, eventually
stalling the computers and then jamming the entire network.
      After introducing his program Wednesday night, Morris left his terminal for
an hour. When he returned, the nationwide jamming of Arpanet was well under
way, and he could immediately see the chaos he had started. Within a few hours,
it was clear to computer system managers that something was seriously wrong
with Arpanet.
      By Thursday morning, many knew what had happened, were busy ridding their
systems of the invader and were warning colleagues to unhook from the network.
They were also modifying Sendmail and making other changes to their internal
software to thwart another invader.
      The software invader did not threaten all computers in the network. It was
aimed only at the Sun and Digital Equipment computers running a version of the
Unix operating system written at the University of California at Berkeley.
Other Arpanet computers using different operating systems escaped.
      These rogue programs have in the past been referred to as worms or, when
they are malicious, viruses. Computer science folklore has it that the first
worms written were deployed on the Arpanet in the early 1970s.
      Researchers tell of a worm called ``creeper,'' whose sole purpose was to
copy itself from machine to machine, much the way Morris's program did last
week. When it reached each new computer it would display the message: ``I'm the
creeper. Catch me if you can!''
      As legend has it, a second programmer wrote another worm program that was
designed to crawl through the Arpanet, killing creepers.
      Several years later, computer researchers at the Xerox Corp.'s Palo Alto
Research Center developed more advanced worm programs. Shoch and Jon Hupp
developed ``town crier'' worm programs that acted as messengers and
``diagnostic'' worms that patrolled the network looking for malfunctioning
      They even described a ``vampire'' worm program. It was designed to run very
complex programs late at night while the computer's human users slept. When the
humans returned in the morning, the vampire program would go to sleep, waiting
to return to work the next evening.

            [Please keep any responses short and to the point. PGN]
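The 1-in-10 reinfection rule described in the article above, as an added simulation that is not part of the quoted article or of this post. It is a simplified model: the host count, round count, one probe per copy per round, copies that never exit, and treating "once every 10 times" as a 1-in-N chance are all assumptions made for illustration.

```python
import random

def simulate(reinfect_one_in, machines=200, rounds=60, seed=1988):
    """Simplified model of the worm's "already infected?" query.

    Every running copy probes one random host per round. A clean host is
    always infected. A host that answers "already infected" still gets a
    new copy with probability 1/reinfect_one_in.
    Returns (infected_hosts, total_copies, busiest_host_copies).
    """
    rng = random.Random(seed)          # seeded so runs are repeatable
    copies = [0] * machines            # running copies per host (assumed size)
    copies[0] = 1                      # the first host starts with one copy
    for _ in range(rounds):
        started = [0] * machines       # copies started during this round
        for _ in range(sum(copies)):   # one probe per running copy
            target = rng.randrange(machines)
            if copies[target] == 0 and started[target] == 0:
                started[target] = 1    # clean host: copy itself in
            elif rng.randrange(reinfect_one_in) == 0:
                started[target] += 1   # ignore the answer, copy anyway
        copies = [c + s for c, s in zip(copies, started)]
    infected = sum(1 for c in copies if c)
    return infected, sum(copies), max(copies)

def copies_per_host(reinfect_one_in, **kwargs):
    """Average number of running copies on each infected host."""
    infected, total, _ = simulate(reinfect_one_in, **kwargs)
    return total / infected

if __name__ == "__main__":
    # The article's three rates: the one used, and the two it says
    # "should have been" used.
    for n in (10, 1_000, 10_000):
        infected, total, busiest = simulate(n)
        print(f"1 in {n:>6}: {infected} hosts, {total} copies, "
              f"busiest host runs {busiest}")
```

Once every host is infected, each round multiplies the number of copies by roughly (1 + 1/N), so the load compounds at 1 in 10 and stays nearly flat at 1 in 1,000 or 1 in 10,000.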

Further reading: A Tour of the Worm (1)

martyb (196687) | about a year ago | (#45311889)

Thanks for posting that synopsis of what happened. I'd not seen it before!

For further reading, I highly recommend: A Tour of the Worm by Donn Seeley, Department of Computer Science, University of Utah. The Chronology section reads like something out of a crime thriller and ably recounts what was observed, when, where, and the steps taken to identify, isolate, and repair affected systems. From the introduction:

November 3, 1988 is already coming to be known as Black Thursday. System administrators around the country came to work on that day and discovered that their networks of computers were laboring under a huge load. If they were able to log in and generate a system status listing, they saw what appeared to be dozens or hundreds of "shell" (command interpreter) processes. If they tried to kill the processes, they found that new processes appeared faster than they could kill them. Rebooting the computer seemed to have no effect--within minutes after starting up again, the machine was overloaded by these mysterious processes.

To put this in context: Windows 2.1 was released on May 27, 1988; current PCs ran on 80386 processors (originally released in 1985) as the 80486 was not released until 1989 and the first (stable) systems started appearing in 1990. IIRC, mainstream desktop PCs ran at 20-25MHz and had 1-2MB of RAM.

I was working at Pr1me at the time and witnessed some of the upheaval first-hand. Fortunately for us, our systems were not infected, but they were impacted by the initial disconnecting of our systems from the net as a precaution. When it was learned that our systems were safe from infection, things were still slow as the net recovered from the tremendous load the infected systems placed on it.

80's hipster (1)

AlphaWolf_HK (692722) | about a year ago | (#45311263)

Is that where Geico got the idea for their cavemen?

I *remember* the Morris Worm (1)

hey! (33014) | about a year ago | (#45311723)

It didn't affect me directly because I was working on System V Unix and we weren't directly connected to ARPANet.

I remember thinking, "Gee, someone actually *made* one of those?"

The idea had already popped up in some 70s sci-fi stories, and I remember in the late 70s pranking was already fairly common on timesharing systems. As soon as people began to share systems pranksters began to fool around with them, creating "fork bombs" and "chain jobs". It was annoying for sysadmins, but I think it wasn't malicious. The people who did this stuff were fascinated with the edge cases, the things a system could be made to do that it wasn't designed to do; and, let's just say they weren't necessarily the most attuned to the needs and desires of others.

Since the idea of network-vectored malware had cropped up shortly after the idea of a networked world became commonplace (this was still sci-fi stuff in the 70s), people had been talking about the real possibility of such a thing in the 80s; there were even some academic papers on the notion. But our forward thinking was more focused on the positive things that networked computers would do. In the end I think most of us fell short on both ends. Most of us underestimated just how useful and ubiquitous networking would become, at least in our lifetimes. And although we knew network-vectored malware was a theoretical possibility, we had no idea what a major feature of the networked world it would become -- at least in our lifetimes.

In retrospect, the Morris Worm wasn't so remarkable. We'd already seen pranksters on timesharing systems. I called them "doorknob twisters"; people whose curiosity and distractibility meant they couldn't walk down a corridor without taking a peek behind the closed doors. Often these were the best people; Ken Thompson even described putting hidden hacks in the C compiler in his Turing Award speech. And people had been talking about the possibility for network worms, albeit in sci-fi terms. Again in retrospect, something like the Morris Worm was bound to happen, probably within the next two or three years.

The Morris Worm is remarkable because it was our introduction to the unpredictability inherent in the scale of the network world. Just a tiny miscalculation was enough to turn an intellectual curiosity into a widespread disaster.

I knew them well... (1)

swframe (646356) | about a year ago | (#45312413)

But I didn't know about the worm. I think the more interesting story is what they did afterwards. From worm, to grad school, to viaweb, to yahoo store, to y-combinator. Someone should write that story :)

who gives a fuck (0)

Anonymous Coward | about a year ago | (#45312475)

I'm in Arizona - we don't deal with that shit.

The Morris Worm and Sendmail .. (1)

codeusirae (3036835) | about a year ago | (#45312737)

The Morris Worm was enabled by a default exit-to-the-shell password that the original developers accidentally left in sendmail. This was an open secret for a long time before Morris exploited it. You see when they compiled it, they accidentally left in the debug directive leaving the password in the released version.

The Shockwave Rider (1)

eyenot (102141) | about a year ago | (#45312915)

I read a great article on RTM called "Shockwave Rider" or something like that. It was called that because RTM Sr. used the book "Shockwave Rider" to explain to his son how what he did was right in a certain way of looking at it, but wrong in every other way of looking at it. Can't remember what magazine the article was in. It was a good article to read back in the early 90's.

We still have a lot of mechanical devices hooked up to the internet, today. Some might say more every day. I say "mechanical devices" in reference to phones, because the exchange hubs used rotating disks (implementing their own optimized form of binary counting) to connect calls.

Considering we've had one major blackout in the United States due to a power station being online to the internet and left vulnerable, I'd say this is a very relevant topic today.

When I was taking a college course on transformers, the instructor used to come to class bragging about the work he did (his other job) for Siemens, designing and building transformers. He was a real egotist. He'd not only brag to students, but he wasn't very in touch with theory either, as I found out. Coming from electronics 101, you tend to want to ask some questions about electronics theory to your other instructors, stuff that they should by all means be well acquainted with. Well, this guy didn't know. So he'd get pissed, and when he got pissed, he would literally say, "oh yeah, well can you do this" and start writing out schematics for transformers according to code on the blackboard, and then take a calculator and figure out how many turns of what gauge wire was needed to fit the demand according to code. Yaba yaba yaba. A very insecure individual. So I not only wasn't surprised when I read in the newspaper that semester that Siemens transformers that had some kind of internet-capable component were found 100% irreversibly vulnerable to attack over the internet through a backdoor that presumably some disgruntled, insecure "mage" installed before leaving the company -- I also wasn't very surprised at all when that jackass had jack shit to say when I mentioned the story to him except stare at his shoes awhile and get on with the next lesson in rotating transformers (to use the Tesla coined phrase, which that instructor hated so damn much whenever I said it.)

Anyways, it's always going to be relevant. That hookworm was elegant and though not thoroughly thought through, it did show the potential for electronic disaster in the form of less than a handful of barely discernible on's and off's.

Re:The Shockwave Rider (1)

Zero__Kelvin (151819) | about a year ago | (#45314681)

Jesus Christ, man. Can't you get anything right? First you make this ridiculous claim then you post that drivel? RTM got the idea for the worm from reading The Shockwave Rider which was his favorite book at the time. Your story about transformers that weren't wound properly causing systems to be vulnerable to attack over the internet is also hilarious. Thanks for the laugh!

Re:The Shockwave Rider (1)

eyenot (102141) | about a year ago | (#45322711)

Why would you go on to mis-read my anecdote? Does it somehow bolster your cause?

How was I supposed to know that RTM (Jr.) got his hookworm idea *from* The Shockwave Rider when there was a magazine article that portrayed his father as using the same book to teach RTM a lesson about what he had done wrong?

NPR radio play (1)

cpuffer_hammer (31542) | about a year ago | (#45313437)

I think it was NPR All Things Considered that explained how the Morris Worm worked with a radio play. Does anyone know where to find a recording?
It was both funny and reasonably accurate considering it was intended to explain to a mostly non technical audience of NPR the idea of a buffer overflow.

Nice Trip Down Memory Lane (0)

Anonymous Coward | about a year ago | (#45315561)

I remember it well.

Mandelbrot fractal more of a threat :-) (1)

peter303 (12292) | about a year ago | (#45325455)

After that Martin Gardner article in Scientific American, everyone coded up iterative fractals on their computers and consumed a large fraction of the world's computing resources. About the same time period too.