rs186 16 hours ago

I followed his course 6.5840 on distributed systems (https://pdos.csail.mit.edu/6.824/, YouTube videos at https://youtube.com/playlist?list=PLrw6a1wE39_tb2fErI4-WkMbs...) and completed the labs. One day, out of curiosity, I looked up his name. Then I realized what a legend he is.

Great course by the way.

  • Dave_Rosenthal 10 hours ago

    RTM was my TA at MIT for a CS/systems engineering course. It took the students until we did an assignment about the worm to realize who he was IIRC. The students thought it was very cool, but even then, as a TA covering the assignment, he didn't really talk about it.

  • tonyplee 15 hours ago

    Would be cool if he adds a session on how to hack distributed system in 1988...

    • tptacek 15 hours ago

      In 1988? Just stick random semicolons in things.

    • PeterStuer 33 minutes ago

      Honestly, there was not very much security back in those days. So much relied on trusting the Internet "community" not to abuse.

    • mindcrime 13 hours ago

      > Would be cool if he adds a session on how to hack distributed system in 1988..

      username: field

      password: technician

    • oneshtein 10 hours ago

      Account "guest" with no password was provided by default back then, to help others do some work remotely, debug connection issues, or chat with admins.

  • ww520 7 hours ago

    His dad was a legend as well, chief scientist in NSA.

OhMeadhbh 4 hours ago

When I worked at Convex, there was an unnatural mania that fingerd be disabled and all sendmail patches be applied as quickly as possible. When I asked why, the answer started with "well... a couple of years ago there was this guy from the east coast who worked here for a year..."

Chinjut 10 hours ago

The 10% number is completely made up. According to Paul Graham, "I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them."

  • nakamoto_damacy 10 hours ago

    That figure is probably UUCP mostly not live connected hosts. I could be wrong, but 60k hosts that you could telnet to sounds like a lot of ducking hosts back then. I was there too, in my late teens. God bless PG.

    • wkat4242 9 hours ago

      Yeah and a 'host' back then wasn't a cheap PC or something, they tended to be $30000 workstations or $300000 servers. At tech companies and Universities only, and mostly in the US. 60k sounds like a lot for those days. It grew massively from the early 90s.

      Even UUCP was still really fringe and those weren't actually connected hosts on tcp/ip. They had their own dialup mail exchange protocol similar to fidonet.

      • rootusrootus 8 hours ago

        Those were the days. I still remember my fido number. And I still remember just how painful it was to get uucp working properly. Ugh. But my mother had an email address years before any of her contemporaries. Being a geek was fun then.

        • angled 8 hours ago

          foo@baz!quux, those were the days.

          • euroderf 6 hours ago

            What, no path thru seismo ?

andyjohnson0 13 hours ago

A good account is With Microscope and Tweezers: The Worm from MIT's Perspective [1], published in CACM a few months after the event. Notice it was the worm.

I was an intern at IBM in '88 and they shut down the (iirc) two internet gateways to their corporate network (vnet) while people figured out what was going on. News moved slowly back then, and the idea of self-replicating software was unusual. Although IBM had had its own replicator the previous year [2].

[1] https://www.cs.columbia.edu/~gskc/security/rochlis89microsco...

[2] https://en.wikipedia.org/wiki/Christmas_Tree_EXEC

  • fsckboy 9 hours ago

    >the idea of self-replicating software was unusual

    floppy based viruses were well established and quite common

    • PeterStuer 28 minutes ago

      Yes. We ran non networked, Mac computer rooms at university, and having a good antivirus was an absolute must. Infections spread through floppies.

      The Mac's ease of use as opposed to the PC made it also the juiciest virus target.

hufdr 6 hours ago

Morris’s program wasn’t meant to be malicious, but it accidentally became a turning point in cybersecurity history. Much of what we now know as security research, red teaming, and even the “gray hat” culture can be traced back to that moment.

yodon 17 hours ago

That was one scary exciting day (source: was running machines at MIT at the time)

  • Tor3 13 hours ago

    That day our tech chief at the time came running and told us about the worm, and that apparently our country managed to avoid it because the news spread quickly enough that one guy simply unplugged the whole country from the Internet - there was only a single connection back then. (!)

  • canucker2016 17 hours ago

    I remember that day was sooooooooooo quiet on Usenet.

    Not much was happening in the Eng and CS buildings on campus (except for those that had to deal with the worm).

  • jhallenworld 13 hours ago

    WPI was immune, the main machines on the net at the time were an Encore Multimax and a DEC-20.

  • baggy_trough 15 hours ago

    Good times, good times. I was in a Stanford computer lab when everything started to get very, very slow.

bdcravens 17 hours ago

From the Wikipedia article:

Clifford Stoll, author of The Cuckoo's Egg, wrote that "Rumors have it that [Morris] worked with a friend or two at Harvard's computing department (Harvard student Paul Graham sent him mail asking for 'Any news on the brilliant project')".

Has pg commented on this?

  • tim333 11 hours ago

    PG spoke about the worm a bit in an interview here: https://aletteraday.substack.com/p/letter-85-paul-graham-and...

    Some quotes from that:

    > The worm, no one would have ever known that the worm existed, except there was a bug in it. That was the problem. The worm itself was absolutely harmless. But there was a bug in the code that controlled the number of copies that would spread to a given computer. And so the computer would get like 100 copies of the worm running on it, back in the day, when having 100 processes running on your computer would be enough to crash it.

    >he called me and told me what had happened.

    • iwontberude 10 hours ago

      I suppose the notion that you could just distribute untested software onto an unlimited amount of other peoples computers without consent wasn't yet considered unethical so therefore the worm was perceived to be absolutely harmless by rtm and pg. Just some minor details they couldn't possibly have seen back then.

      • georgemcbay 10 hours ago

        > I suppose the notion that you could just distribute untested software onto an unlimited amount of other peoples computers without consent wasn't yet considered unethical

        As someone who is old enough to have been a teenage hacker back in this timeframe and who spent his time on old Diversi Dial dialup systems which led to early internet systems via gnu/fsf's open access policy, which led to bitnet relay, and who was around during the initial development of irc right around this very year (1988) I can say that it was absolutely considered a bad act to do this sort of thing back then even as just a prank or demonstration (which made it kind of cool to back-then me, as a teenager, but which made it certainly unethical in a professional sense even for the time).

        ... however when you oopsied and the shit hit the fan, you could get away with it if your dad worked for the NSA.

        The vast majority of people who weren't RTM would have had a far more severely negative outcome in his situation.

        • tptacek 6 hours ago

          He was treated comparably to other people prosecuted for computer felonies post-CFAA. Non-remunerative crime, first-time offense, super unclear intent, damaged a research network. Felony conviction. What more do you want? The next wave of people who were sentenced, to like 1 year, were owning up phone switches.

        • typs 7 hours ago

          I mean, he did get convicted of a felony.

  • tptacek 14 hours ago

    Would you?

    • Zak 14 hours ago

      If the statute of limitations was long passed and I had fuck you money, why not?

      • tptacek 13 hours ago

        I think part of this might be that as fun as this all is to talk about, it wasn't super fun for Robert Tappan Morris. My friends from back in the day are not OK with me talking about what they did, even though nothing happened to any of them.

        • mindcrime 13 hours ago

          For the sake of argument, let's assume that rtm finds the whole episode embarrassing or whatever and would prefer to avoid the topic. If pg is really his close friend, it makes sense that pg would defer from conversing about it (especially in public) simply out of respect for his friend.

          • tptacek 13 hours ago

            Also of all the places he could ever talk about it --- HERE?

    • giancarlostoro 11 hours ago

      I hope he at least leaves it in his will or something. We're all wondering / waiting to know.

  • quickthrowman 10 hours ago

    A bit of an aside from The Cuckoo’s Egg;

    It’s been a long time since I read the book, but IIRC Cliff visited with Robert Morris (rtm’s dad) at the NSA when he traveled to Washington DC, and I think the worm and rtm are mentioned after he meets with the elder Robert.

housel 14 hours ago

I was a student part-time administrator/systems programmer at the Purdue Engineering Computer Network at the time. Our OS installs had enough local mods (and we had enough non-VAX, non-Sun architectures) that we were immune to some of the worm's modalities, but the sendmail debug mode exploit at least still caused a lot of consternation.

  • seethishat 14 hours ago

    Diversity is security! I wish more people understood that. It may be more difficult to manage a bunch of diverse systems, but they are much more resilient to attacks.

    • tptacek 14 hours ago

      I don't think that's proven out, like, at all; measure it against the returns on hardening mainstream platforms. The "monoculture" security thing has always been overblown, not least because you're never going to get an ecology where you have enough diversity to matter. Having 3 mainstream desktop or phone options is only marginally better than having just 1, and you're never going to have 20.

      • seethishat 13 hours ago

        Do you do anything besides post on HN ;)

        Put everything in MicroSoft Active Directory. Wait until it gets hacked. You will lose DNS, DHCP, Email, file servers, web servers, endpoints, etc. Obviously, running a mono-culture is a dumb thing to do if you want to keep your business running.

        Maybe instead, run BIND on Linux servers, Apache on OpenBSD servers, have some Chromebooks, some Macs, etc. so everything doesn't go down together.

        Really, it's not overblown... it's just common sense to diversify. Like we do with our diet/nutrition, with our financial investments, etc.

        • tptacek 13 hours ago

          It sounds like common sense, but halfhearted diversification --- which is all that's available to mainstream users and enterprises --- can easily reduce security. That's because almost all real world security is logically perimeterized, with a single outward-facing attack surface that's given attention and an implicit premise that post-compromise persistence and pivoting is a given. Nobody survives an internal pentest, not even in 2025.

          So by running BIND on Linux and Apache on OpenBSD and trying to tie it all into MSAD, what you're really doing is just expanding your attack surface, and once any of those are broken, attackers won't have to care about the state of the art in vulnerabilities to extend access from there.

          The "monoculture" stuff is a product of a time when security pundits worried Microsoft was running the table on corporate IT. We're (generally) SAAS startup people here and very few of us run any Microsoft stuff. Almost all of us are better off extensively hardening a single Linux server environment than we are in deliberately trying to sprinkle NetBSD and Microsoft servers. That doesn't improve security; it just turns your network into a CTF challenge.

  • FuriouslyAdrift 14 hours ago

    Was KSB there at the time? That dude was fun.

    • housel 5 hours ago

      Yes, we overlapped around then.

tptacek 16 hours ago

I'm pretty sure Paul Graham was directly involved in this story (not in any bad, culpable way, but enough that, were a film to be made about it, a well-known actor would be cast for his part).

https://news.ycombinator.com/item?id=38020635

  • neom 16 hours ago

    Out of curiosity, why do you think this?

    • tptacek 15 hours ago

      There's contemporaneous reporting. It's in Katie Hafner and John Markoff's book! A friend of Morris', named Paul, has a role in the aftermath of the worm.

      I'm not dunking on Paul Graham here. If you know anything about me, if anything, this is a point in his favor. :)

      • mindcrime 13 hours ago

        > It's in Katie Hafner and John Markoff's book!

        Not sure if that was supposed to be sarcasm[1] or was intended seriously, but for what it's worth Hafner & Markoff have frequently received a lot of criticism for playing fast and loose with the truth in that book. Now most of that is specifically in regards to their treatment of Mitnick, and I'm not making any particular accusation here. Just sharing a thought that "it's in Katie Hafner and John Markoff's book" might not be terribly strong evidence of $WHATEVER.

        [1]: https://en.wikipedia.org/wiki/Poe%27s_law

        • jazzdev 4 hours ago

          I think Poe's Law applies to Shakespeare too. I recently saw Taming of the Shrew and people are still arguing about whether Shakespeare was endorsing Petruchio's starvation of Katherine to make her obey him. Or was that sarcasm, actually condemning that behavior? If only Will had used a smiley face!

        • tptacek 13 hours ago

          I mean, sure, it's not my favorite book either, but what's your theory here, that they just made up a Paul?

          • mindcrime 12 hours ago

            Nope, no theory at all. Just providing some context for people who might not be as familiar with that book and the authors, and some of the questions that have been raised about it.

            • tptacek 12 hours ago

              I know that the book makes a much bigger deal out of Mitnick than is reasonable (Mitnick was basically the consummate script kid). But I also know that scenesters of the time hated Markoff and thought he was, like, an enemy of the scene.

      • neom 14 hours ago

        Def know lots about you and def didn't think you were dunking on Paul, hence my curiosity, because it was specifically you Mr. Ptacek. :)

        Thanks for the answer, I'll check out the book.

        • mindcrime 13 hours ago

          > Thanks for the answer, I'll check out the book.

          It's a great read, but to echo what I said above: there have been a lot of questions over the years about the veracity of some of the details of their book. Take that for what it's worth. I enjoyed it enough that I've read it 3 or 4 times, but I do also suggest consulting other books on the same stories - particularly the stuff around K. Mitnick.

xandrius 16 hours ago

I expected some info on its functioning. The goal was to gauge the size of the Internet, how? Why did it fail? I guess Wikipedia to the rescue.

convolvatron 17 hours ago

I used to keep a vt100 at the head of my bed, roll over and check on things a few times at night. 3am and everything is screwed. can't really log in anyplace, or start any jobs. The bus doesn't run until 5:30, so I just get dressed and walk across the bridge to the lab. Visitors center isn't open, so I just sneak through the exit by the guardhouse. They're civilian contractors, they either don't see me, or recognize me and don't care.

Since it's all locked up, I just reboot the big vax single user - that takes about 10 minutes so I also start on a couple of the suns. You have to realize that everything including desktops runs sendmail in this era, and when some of these machines come up they are ok for a sec and then sendmail starts really eating into the cpu.

I'm pretty bleary eyed but I walk around restarting everything single and taking sendmail out of the rcs. The TMC applications engineer comes in around 7 and gets me a cup of coffee. He manages to get someone to pick up in Cambridge and they tell him that's happening everywhere.

rmason 15 hours ago

I remember this event as one of the few times that the Internet made the mainstream news in the eighties. After the fact talked with some network people at Michigan and Michigan State and it was not a very good day for them. They also wanted jail time for him which did not happen.

wslh 16 hours ago

I assume you all know that Robert Morris is one of the YC (and Viaweb) cofounders? [1] Together with Paul Graham, Jessica Livingston, and Trevor Blackwell.

[1] https://en.wikipedia.org/wiki/Robert_Tappan_Morris

piokoch an hour ago

Oh, those memories!

He was sentenced to pay $10,050, today he would not get away that easily I guess...

Another thing I didn't know (citing Wikipedia):

"In 1995, Morris cofounded Viaweb with Paul Graham, a start-up company that made software for building online stores. It would go on to be sold to Yahoo for $49 million[14], which renamed the software Yahoo! Store. "

and (same source):

"He is a longtime friend and collaborator of Paul Graham. Along with cofounding two companies with him, Graham dedicated his book ANSI Common Lisp to Morris and named the programming language that generates the online stores' web pages RTML (Robert T. Morris Language) in his honor."

pjmlp 14 hours ago

Thankfully the security holes in C that have allowed Morris worm to exist, have been taken care of by WG14 since then.

  • AgentME 11 hours ago

    The future isn't evenly distributed. I recently discovered an actively developed software project that had a ton of helper functions based on the design of `gets` with the same vulnerability. Surprisingly not all C/C++ developers have learned yet to recoil in horror at seeing a buffer pointer being passed around without a length. (C++'s std::span was very convenient for fixing the issue by letting the buffer pointer and length be kept together, exactly like Go and Rust slices.)
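
An added C example (not part of the comment above and not code from any project mentioned in this thread) contrasting a `gets`-style helper that receives only a buffer pointer with one that receives pointer and capacity together. All names (`struct span`, `copy_line_unbounded`, `copy_line_bounded`, `neighbor_bytes_clobbered`) and the sample input are constructed for illustration; the overrun is confined to a larger arena so the demonstration stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pointer and capacity travel together, like std::span or a Go/Rust slice. */
struct span {
    char  *ptr;
    size_t cap;
};

/* gets-style design: the helper has no way to know how large dst is,
 * so the length of the *input* decides how many bytes get written. */
static size_t copy_line_unbounded(char *dst, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n + 1;                       /* bytes written, terminator included */
}

/* Length-carrying design: measure first, refuse anything that does not fit.
 * Returns 0 on success, -1 on rejection (dst is left as an empty string). */
static int copy_line_bounded(struct span dst, const char *src, size_t *written)
{
    size_t len;

    if (dst.ptr == NULL || dst.cap == 0)
        return -1;
    len = strcspn(src, "\n");           /* line length without the newline */
    if (len >= dst.cap) {               /* no room for the line plus NUL */
        dst.ptr[0] = '\0';
        if (written) *written = 0;
        return -1;
    }
    memcpy(dst.ptr, src, len);
    dst.ptr[len] = '\0';
    if (written) *written = len;
    return 0;
}

#define FIELD_CAP  8                    /* size of the intended destination field */
#define ARENA_SIZE 32                   /* field plus the data that sits after it */
#define FILL       0xAA                 /* marker for the neighbouring bytes */

/* Constructed sample input: a 20-character line aimed at an 8-byte field. */
static const char LONG_LINE[] = "0123456789abcdefghij\n";

/* Lay out an 8-byte field followed by marker bytes inside one arena, run one
 * of the helpers against the field, and count how many neighbouring bytes
 * were overwritten. The arena is big enough that the overrun is observable
 * without leaving the array. */
static size_t neighbor_bytes_clobbered(int use_bounded, const char *line)
{
    char arena[ARENA_SIZE];
    size_t i, clobbered = 0;

    memset(arena, 0, FIELD_CAP);
    memset(arena + FIELD_CAP, FILL, ARENA_SIZE - FIELD_CAP);

    if (use_bounded) {
        struct span field = { arena, FIELD_CAP };
        (void)copy_line_bounded(field, line, NULL);
    } else {
        (void)copy_line_unbounded(arena, line);
    }

    for (i = FIELD_CAP; i < ARENA_SIZE; i++)
        if ((unsigned char)arena[i] != FILL)
            clobbered++;
    return clobbered;
}

int main(void)
{
    printf("unbounded helper clobbered %zu neighbouring bytes\n",
           neighbor_bytes_clobbered(0, LONG_LINE));
    printf("bounded helper clobbered %zu neighbouring bytes\n",
           neighbor_bytes_clobbered(1, LONG_LINE));
    return 0;
}
```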

brazzy 2 hours ago

The Morris worm is certainly the more historically important one but AFAIK nothing has ever beaten SQL Slammer (2003) for sheer sleekness and propagation speed: 376 bytes, sent as UDP packets to randomly generated IP addresses as fast as the network interface could pump them out. Infected all susceptible hosts on the entire Internet within 10 minutes. Thankfully, that was only MSSQL servers and, being that sleek, it had no persistence mechanism. So turning the machine off and on again removed the infection completely.

NewsaHackO 17 hours ago

I find it funny that:

1) He released it from MIT to avoid suspicion.

2) After he was convicted, he went from Cornell to Harvard to complete his Ph.D.

3) He became an assistant professor at MIT after that.

He had to be really spectacular/have crazy connections to still be able to finish his training at a top program and get a job at the institution he tried to frame.

  • dcminter 16 hours ago

    One of my favourite quiet jokes is the "Editorial Board" list for The Annals of Improbable Research¹ where RTM is listed under Computer Science. Asterisks after each name denote qualifications, RTM's being "Convicted Felon"

    ---

    ¹Awarders of the Ig Nobel prize

  • tptacek 16 hours ago

    Have you read any of his papers? Morris was not fucking around.

    • furyofantares 15 hours ago

      Can you elaborate, or suggest a specific paper?

      • tptacek 14 hours ago

        Just go pull up his bibliography. Chord, the Click Modular Router (super big deal to me), RON (also a big deal to me), Vivaldi (which made its way into the Hashi products). He had a hand in a lot of stuff. His pre-CSAIL work was very much like that of the LBL Network Research Group (that's Van Jacobson, Vern Paxson, Steve McCanne) --- he's in that league.

    • lysace 14 hours ago

      Please expand?

      He was and is very smart. This is not disputed. He was 23 at the time. Not exactly a child.

      The worm was surprisingly elaborate containing three separate remote exploits.

      It probably took a few weeks to build and test.

      So sabotaging thousands of at the time very expensive network connected computers was a very deliberate action.

      I posit that he likely did it to become famous and perhaps even successful, feeling safe with his dad’s position. And it worked. He did not end up in prison. He ended up cofounding Viaweb and YCombinator.

      Unironically a great role model for YC. :/

      • tptacek 14 hours ago

        I'm not psychoanalyzing the guy, I'm saying I'm not surprised he had an elite academic career, because he's an elite performer.

        • lysace 12 hours ago

          What confuses me right now is your ongoing very obvious leftist activist stance on HN vs refusing to entertain the thought that he got away with it because of his NSA dad.

          Edit: I am not American. Please realize that I meant exactly what I wrote and not what some of you now imagine that I wrote. I have high trust in you!

          To clarify: not a Trump fan.

          • defen 12 hours ago

            A felony conviction, three years probation, 400 hours of community service, and a $25,000 (inflation adjusted) fine for a novel non-violent crime with no personal material benefit isn't exactly "got away with it"

            • lysace 12 hours ago

              Yes, that is getting away with it for someone with means and clout.

              • emmelaich 19 minutes ago

                You can't judge his behaviour without knowing his intent, and the culture of the late 80s and early internet.

                Everyone hacked. When the internet was connected to Sydney University early 90s, all the students were grabbing Stanford's /etc/passwd files and peeking at the open X displays of people in Sweden. Etc. All for fun / curiosity.

                You can be sure that even rtm's Dad did similar, perhaps confined to his lab / peers.

              • defen 12 hours ago

                That's a values debate, I guess. What is the purpose of punishment? Is it to set an example to others, is it to remove a dangerous person from society, is it to prevent the criminal from reoffending, is it to satisfy society's desire to see wrongdoers punished?

                He didn't reoffend (as far as we know), and in fact went on to become a highly-contributing member of society. His crime was not so egregious that recompense was impossible even in principle. I don't see how a harsher punishment for him would have produced an obviously better outcome. I think it would be more productive to argue that people who commit similar crimes should receive similar punishments as this, rather than arguing that he should have received a harsher punishment.

                • tptacek 12 hours ago

                  I don't think this is as much about the purpose of punishment as it is about the monkeys with the grapes and the cucumbers.

              • chasd00 11 hours ago

                in those days computer crimes weren't punished that harshly. I'm surprised it was that severe, in fact, it sounds like there must have been some heavy hitters on the prosecution side.

                • ls612 8 hours ago

                  I think the story is that this was one of the first ever prosecutions under the CFAA and they quickly realized that the fact it had taken down so many systems was an accident (there was a bug in the replication code). The prosecution was mainly to establish precedent in an emerging field of law and technology.

          • tptacek 12 hours ago

            Hold on, I need to capture and circulate this claim that I'm a "very obvious leftist" to my friends and acquaintances. Thanks, this made my day.

            • dctoedt 10 hours ago

              > I need to capture and circulate this claim that I'm a "very obvious leftist" to my friends and acquaintances.

              s/leftist/Catholic/g; (in a good sense)

              • tptacek 8 hours ago

                I don't know how obvious my Catholicism is but my mom will be glad to hear that. :)

            • josh2600 3 hours ago

              Just gotta say that this thread really delivered in so many ways.

              Thank you for constantly removing some of the veils from the mystery of our computational universe.

              The notion that you’re a very obvious leftist seems asinine to anyone who has seen your comment history in these digital catacombs for the last decades.

          • ErroneousBosh 11 hours ago

            > very obvious leftist activist stance

            Is there something wrong with being a "leftist"?

          • DonHopkins 12 hours ago

            [flagged]

            • lysace 12 hours ago

              (Not USA:ian.)

              > Why are flattering tptacek?

              ?

          • tredre3 12 hours ago

            There's no need to "insult" people. What I'm seeing in his comments is just a successful tech bro admiring and defending a fellow tech bro, "boys will be boys" style. I don't think it has anything to do with politics.

            • tptacek 12 hours ago

              In this corner: leftist activist!

              And in this corner: successful tech bro!

  • px43 17 hours ago

    You know his dad ran research at the NSA right?

    His dad's also a badass and super fun to talk to. Never talked to the son though, but I'd love to some day.

    • nostrademons 15 hours ago

      I talked to the son at one of the early (~2008) YC dinners. Actually found him more approachable than PG or most YC founders; RTM is a nerd in the "cares a whole lot about esoteric mathematics" way, which I found a refreshing change from the "take over the world" vibe that I got from a lot of the rest of YC.

      Interesting random factoid: RTM's research in the early 2000s was on Chord [1], one of the earliest distributed hash tables. Chord inspired Kademlia [2], which later went on to power Limewire, Ethereum, and IPFS. So his research at MIT actually has had a bigger impact in terms of collected market cap than most YC startups have.

      [1] https://en.wikipedia.org/wiki/Chord_(peer-to-peer)

      [2] https://en.wikipedia.org/wiki/Kademlia

    • chihuahua 16 hours ago

      RTM Jr is a very nice person, obviously very smart, but also has a good sense of humor and is friendly and approachable. We overlapped as C.S. grad students at Harvard for several years.

    • NewsaHackO 16 hours ago

      I did not. That actually makes everything make much more sense. I was even wondering how he got out of jail time for something like this and just thought he had amazing lawyers.

      • tptacek 15 hours ago

        I think the bigger thing was that the Internet just wasn't that big a deal at the time. I got serious access in '93, and into '94-95 there were still netsplits on it (UUNet/NSFNet is the one I remember most). It was a non-remunerative offense, with really unclear intent, that took out a research network. He had good counsel, as you can tell from the reporting about the trial, but the outcome made sense. I doubt his dad had much to do with it.

        • mturmon 15 hours ago

          Yeah, in 1988 the Internet appeared like a research network that connected universities. No money was directly at stake and the systems harmed didn't appear critical. Related to what Thomas says above, part of the response to the incident was to partition the Internet for a few days [2] - I don't know if such a thing would be possible now.

          But looking into the specifics again after all these years [1], I read:

          "The N.S.A. wanted to clamp a lid on as much of the affair as it could. Within days, the agency’s National Computer Security Center, where the elder Morris worked, asked Purdue University to remove from its computers information about the internal workings of the virus."

          and that CERT at CMU was one response to the incident [2].

          So there is a whiff of the incident being steered away from public prosecution and towards setting up security institutions.

          Robert Morris did get a felony conviction, three years probation, and a $10K fine. As for hn users, aside from pg, Cliff Stoll has a minor role in the story.

          [1] https://archive.nytimes.com/www.nytimes.com/times-insider/20...

          [2] https://en.wikipedia.org/wiki/Morris_worm#Effects

        • mr_toad 13 hours ago

          > I think the bigger thing was that the Internet just wasn't that big a deal at the time.

          Maybe I’m just getting old, but it seems like nothing was such a big deal at the time.

          Everything seems to have gotten more uptight in the last few decades. I used to have a metal cutlery set that an international airline gave to every passenger on the plane.

          • esafak 13 hours ago

            Organizations naturally accrue regulations in response to incidents as time goes by.

        • lysace 15 hours ago

          > I think the bigger thing was that the Internet just wasn't that big a deal at the time.

          ”Computer crime” definitely was though.

          • mindcrime 12 hours ago

            From what I can remember, while there was some public awareness of "computer crime" by 1988 (War Games helped with that), it wasn't exactly a "big deal" to most people yet. My subjective recollection is that things took a marked turn around 1990, with the advent of "Operation Sundevil"[1], the raid on Steve Jackson Games, etc.

            And by the mid to late 90's (I'd say about 1997) it was finally becoming "received wisdom" to most hackers that "this is real now: getting caught doing this stuff could mean actual jail time, fines, not getting into college, losing jobs, etc." Now I grew up in a rural part of NC and so we probably lagged other parts of the country in terms of information dispersal, so I expect other people view the timeline differently, so YMMV.

            [1]: https://en.wikipedia.org/wiki/Operation_Sundevil

            • tptacek 12 hours ago

              Lots of chaos, but just three arrests. Did any of them proceed to full prosecutions? I'm reasonably sure Bruce Esquibel wasn't charged (at least, there's nothing in PACER to say so). I have no idea who "Tony The Trashman" was.

          • icedchai 14 hours ago

            Barely. In my area around that time, teenagers were causing havoc by breaking into local colleges just so they could get onto IRC and access FTP sites. "Network security" was a pretty new concept.

          • tptacek 15 hours ago

            Ehh? It had only recently been made explicitly criminal by federal statute. If you're thinking of "the Hacker Crackdown" that occurred a few years after the Morris Worm, or of Kevin Mitnick's exploits, it's worth keeping in mind that they were doing pretty crazy shit even relative to today; they were owning up phone switches across the country. And despite that, the penalties were not crazy high.

            What you didn't have back then was financial fraud on the scale that happens today, where even nominal damages run into 8-9 figures.

  • xhkkffbf 17 hours ago

    > tried to frame.

    MIT really respects good hacks and good hackers. It was probably more effective than sending in some PDF of a paper.

    • AnotherGoodName 17 hours ago

      >MIT really respects good hacks and good hackers.

      Oooof in light of Aaron Swartz. He plugged directly into a network switch that was in an unlocked and unlabelled room at MIT so he could download faster and faced "charges of breaking and entering with intent, grand larceny, and unauthorized access to a computer network".

      MIT really didn't lift a finger for this either.

      >Swartz's attorneys requested that all pretrial discovery documents be made public, a move which MIT opposed

      https://en.wikipedia.org/wiki/Aaron_Swartz

      • jszymborski 16 hours ago

        Agreed, it's hard to see this as some sort of "hacker respect hacker" in light of MIT's other actions.

        It's very hard to extract Robert Tappan Morris from the context of his father being an extremely powerful man when trying to figure out how he managed to get away with what he did.

        • LukeShu 14 hours ago

          At the same time, it's easy to believe that MIT of 2013 is very different than MIT of 1988.

          • jszymborski 14 hours ago

            While that's entirely possible, MIT was established in 1861. I think the old boys club was established long before 1988.

            • pyuser583 5 hours ago

              I’m pretty sure MIT had a “state school” stigma until after WWII. Vannevar Bush made sure they got lots of war research.

canucker2016 18 hours ago

Wikipedia says the Morris worm went out on 1998 Nov 2. No idea why they would publish the article on 2025 Nov 4 with that title.

  • krustyburger 17 hours ago
    • canucker2016 16 hours ago

      A quick search shows:

      - a github repo containing "the original, de-compiled source code for the Morris Worm" - see https://github.com/agiacalone/morris-worm-malware

      - a high level report about the worm - see https://www.ee.torontomu.ca/~elf/hack/internet-worm.html

      • nilamo 16 hours ago

        Both of those agree that it was '88...

        • cgriswald 15 hours ago

          I strongly suspect 1998 was a typo by OP and he was actually pointing out the discrepancy between 2 Nov and 4 Nov WRT “this day”.

          However the article has been updated so only the HN title has this flaw.

          • IvyMike 14 hours ago

            Sounds like the type of mistake I always make: Notice someone being off by two days, and in haste, post a correction that is off by ten years.

            • giantrobot 11 hours ago

              With that username you don't even need to be all that close to get the job done.

        • mlyle 15 hours ago

          I think his question was whether it was Nov 2 or Nov 4...

  • mmooss 16 hours ago

    The article is from a somewhat reliable source; Wikipedia is not a reliable source (by Wikipedia's own rules). Maybe you should use the article to update Wikipedia?

teeray 17 hours ago

I remember that the Boston Museum of Science used to have a floppy disk on display with the Morris worm on it.

  • hnlmorg 15 hours ago

    That exhibit is shown in the article.

JoshGlazebrook 14 hours ago

This one is before my time, but I remember the blaster worm very clearly.

  • rs_rs_rs_rs_rs 2 hours ago

    That time before shutdown popup is forever etched into my memory.

conradev 15 hours ago

I’m still waiting for the first runaway autonomous botnet.

  • londons_explore 15 hours ago

    Currently AI doesn't work very well on hardware separated by hundreds of milliseconds of latency and slow network links. Both the training and inference are slow.

    However I think this is a solvable problem, and I started solving it a while ago with decent results:

    https://github.com/Hello1024/shared-tensor

    When someone gets this working well, I could totally see a distributed AI being tasked with expanding its own pool of compute nodes by worming into things and developing new exploits and sucking up more training data.

    • conradev 3 hours ago

      Couldn’t an AI write and deploy a botnet much like a human does today? With a small, centralized inference core.

      It doesn’t need to be fully decentralized, the control plane just needs some redundancy

  • SchemaLoad 10 hours ago

    It's kind of surprising that it hasn't happened already, outside of iot junk. Seems like computer OSs just got so secure that it's become impractical to deploy a widespread exploit. And everything moved to scamming instead.

axpy906 16 hours ago

> the internet in 1988

60k computers (mostly at institutions) in 20 countries

  • sedatk 14 hours ago

    Everything was slower though. Turkey as a whole country had one 9600bps link to Bitnet at the time. Internet was accessed through Bitnet gateways. Systems (CPUs and I/O in general) were also much slower.

    • dugmartin 13 hours ago

      Slower and unstable. I spent a lot of my freshman year in college on Bitnet chat and iirc about every 30 minutes there would be a "netsplit" and a bunch of folks in the chat would disappear. Maybe it was our university's connection, which I think was direct to UIUC. I've posted here before that back then I thought Bitnet chat was magical. Things like being in a chat room with students in Berlin while the wall was falling felt so futuristic to me.

    • icedchai 14 hours ago

      Much slower. Most campuses in the US were connected with 56K dedicated lines. The NSF backbone had just upgraded to T1.

    • hinkley 13 hours ago

      ftp.wustl.edu would manage about 1 KBps and I was sitting one hop away from it at UIUC.

      Insomnia paid off a lot back then.

aussiegreenie 11 hours ago

PG has said that he made up the 10% figure. It was a guess, but it was not correct.

girl2 4 hours ago

I remember that

ratelimitsteve 17 hours ago

>However, the pioneering Morris worm malware wasn’t made with malice, says an FBI retrospective on the “programming error.” It was designed to gauge the size of the Internet, resulting in a classic case of unintended consequences.

had RTM actually RTM the world might be a bit different than it is today.

  • not2b 15 hours ago

    Well, sort of. RTM underestimated the effect of exponential growth, and thought that he would in effect have an account on all of the connected systems, without permission. He evidently didn't intend to use this power for evil, just to see if it could be done.

    He did do us all a service; people back then didn't seem to realize that buffer overflows were a security risk. The model people had then, including my old boss at one of my first jobs in the early 80s, is that if you fed a program invalid input and it crashed, this was your fault because the program had a specification or documentation and you didn't comply with it.

    • tptacek 15 hours ago

      Interestingly, it took another 7 years for stack overflows to be taken seriously, despite a fairly complete proof of concept widely written about. For years, pretty much everybody slept on buffer overflows of all sorts; if you found an IFS expansion bug in an SUID, you'd only talk about it on hushed private mailing lists with vendor security contacts, but nobody gave a shit about overflows.

      It was Thomas Lopatic and 8lgm that really lit a fire under this (though likely they were inspired by Morris' work). Lopatic wrote the first public modern stack overflow exploit, for HPUX NCSA httpd, in 1995. Later that year, 8lgm teased (but didn't publish --- which was a big departure for them) a remote stack overflow in Sendmail 8.6.12 (it's important to understand what a big deal Sendmail vectors were at the time).

      That 8lgm tease was what set Dave Goldsmith, Elias Levy, San Mehat, and Peiter Zatko (and presumably a bunch of other people I just don't know) off POC'ing the first wave of public stack overflow vulnerabilities. In the 9-18 months surrounding that work, you could look at basically any piece of privileged code, be it a remote service or an SUID binary or a kernel driver, and instantly spot overflows. It was the popularization with model exploits and articles like "Smashing The Stack" that really raised the alarm people took seriously.

      That 7 year gap is really wild when you think about it, because during that time period, during which people jealously guarded fairly dumb bugs, like an errant pipe filter input to the calendar manager service that ran by default on SunOS shelling out to commands, you could have owned up literally any system on the Internet, so prevalent were the bugs. And people blew them off!

      I wrote a thread about this on Twitter back in the day, and Neil Woods from 8lgm responded... with the 8.6.12 exploit!

      https://x.com/tqbf/status/1328433106563588097

      • aleks224 31 minutes ago

        So this would be the first stack overflow after the Morris' fingerd one (well, first one that's widely publicized):

        https://seclists.org/bugtraq/1995/Feb/109

        > we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01) and I've found, that it can be tricked into executing shell commands. Actually, this bug is similar to the bug in fingerd exploited by the internet worm. The HTTPD reads a maximum of 8192 characters when accepting a request from port 80.

      • aleks224 11 hours ago

        This was great to read. Related: Morris also discovered the predictable TCP sequence number bug and described it in his paper in 1985 http://nil.lcs.mit.edu/rtm/papers/117.pdf. Kevin Mitnick describes how he met some Israeli hackers with a working exploit only in 1994 (9 years later) in his book "Ghost in the Wires" (chapter 33). I tried to chronicle the events here (including the Jon Postel's RFC that did not specify how the sequence number should be chosen) https://akircanski.github.io/tcp-spoofing

        • tptacek 8 hours ago

          Mitnick's use of the sequence number spoofing exploit was a super big deal at the time; it's half of the centerpiece of his weird dramatic struggle with Tsutomu Shimomura, whose server he broke into with that exploit (the other half was Shimomura helping use radio triangulation to find him).

          Mitnick didn't write any of this tooling --- presumably someone in jsz's circle did --- but it also wasn't super easy to use; spoofing tools of that vintage were kind of a nightmare to set up.

          • mindcrime 7 hours ago

            "Your security technique will be defeated. Your technique is no good"

            • tptacek 7 hours ago

              I remember hearing the audio at the time and thinking it was pretty funny back before I realized racism was bad.

DonHopkins 12 hours ago

I was logged into brillig.umd.edu (University of Maryland's Vax 8600) that night, frustrated that my emacs kept getting paged out, rhythmically typing ^A ^E ^A ^E to wiggle the cursor around to keep it paged in while I thought.

I ps aux'ed and saw a hell of a lot of sendmail demons running, but didn't realize till the next morning that we were actively under attack, being repeatedly but unsuccessfully finger daemon gets(3) buffer overflowed, and repeatedly and successfully sendmail daemon DEBUG'ed.

RTM's big mistake was not checking to see if a machine was already infected before re-infecting it and recursing, otherwise nobody would have noticed and he would have owned the entire internet.

What's funny is that UMD was on MILNET via NSA's "secret" IMP 57 at Fort Meade, so RTM's worm was attacking us through his daddy's own MILNET PSN (Packet Switching Node)!

https://news.ycombinator.com/item?id=18376750

>At the University of Maryland, our network access was through the NSA's "secret" MILNET IMP 57 at Fort Meade. It was pretty obvious that UMD got their network access via NSA, because mimsy.umd.edu had a similar "*.57" IP address as dockmaster, tycho and coins.

>[...] Once I told the guy who answered, "Hi, this is the University of Maryland. Our connection to the NSA IMP seems to be down." He barked back: "You can't say that on the telephone! Are you calling on a blue phone?" (I can't remember the exact color, except that it wasn't red: that I would have remembered). I said, "You can't say NSA??! This is a green phone, but there's a black phone in the other room that I could call you back on, but then I couldn't see the hardware." And he said "No, I mean a voice secure line!" I replied, "You do know that this is a university, don't you? We only have black and green phones."

>[...more stuff about the rumored "Explosive Bolts" that could separate ARPANET and MILNET from Erik Fair and Milo Medin...]

More from Jordan Hubbard about his infamous "rwall" incident, when he accidentally sent an rwall message to almost every Unix host on the internet. I received it and sent him a cheerful reply within minutes, which he said was nicer than most of the 743 replies he got. Also: Milo Medin's description of Dennis Perry's reaction (head of DARPA/IPTO) to getting his Interleaf windows scribbled on ("absolutely livid"), Mark Crispin's flame about security, Jordan's response, and Dennis Perry himself replying to Jordan.

https://news.ycombinator.com/item?id=31822138

    From: Dennis G. Perry <PERRY@vax.darpa.mil>
    Date: Apr 6, 1987, 3:19 PM

    Jordan, you are right in your assumptions that people will get annoyed
    that what happened was allowed to happen.

    By the way, I am the program manager of the Arpanet in the Information
    Science and Technology Office of DARPA, located in Roslin (Arlington), not
    the Pentagon. [...]

Here's my story of The Night of The Worm:

https://news.ycombinator.com/item?id=29250313

DonHopkins on Nov 17, 2021 | on: .plan

Yeah, 4.2 BSD fingerd was calling "gets" to read the name of who you were fingering into a small fixed size buffer on the stack.

https://man7.org/linux/man-pages/man3/gets.3.html

Chris Torek had hacked our version of fingerd (running on mimsy.umd.edu and its other Vax friends brillig, tove, and gyre) to implement logging, and while he was doing that, he noticed the fixed size buffer, and thoughtfully increased the size of the buffer a bit. Still a fixed size buffer using gets, but at least it was a big enough buffer to mitigate the attack, although the worm got in via sendmail anyway. And we had a nice log of all the attempted fingerd attacks!

The sendmail attack simply sent the "DEBUG" command to sendmail, which, being enabled by default, let you right in to where you could escape to a shell.

Immediately after the attack, "some random guy on the internet" suggested mitigating the sendmail DEBUG attack by editing your sendmail binary (Emacs hackers can do that easily of course, but vi losers had to suck eggs!), searching for the string "DEBUG", and replacing the "D" with a null character, thus disabling the "DEBUG" command.

But unfortunately that cute little hack didn't actually disable the "DEBUG" command: it just renamed the "DEBUG" command to the "" command! Which stopped the Morris worm on purpose, but not me by accident:

I found that out the day after the worm hit, when I routinely needed to check some bouncing email addresses on a mailing list I ran, so I went "telnet sun.com 80" and hit return a couple times like I usually do to clear out the telnet protocol negotiation characters, before sending an "EXPN" command. And the response to the "EXPN" command was a whole flurry of debugging information, since the second newline I sent activated debug mode by entering a blank line!

So I sent a friendly email to postmaster@sun.com reporting the enormous security hole they had introduced by patching the other enormous security hole.

You'd think that the Long Haired Dope Smoking Unix Wizards running the email system at sun.com wouldn't just apply random security patches from "some random guy on the internet" without thinking about the implications, but they did!

https://www.ee.torontomu.ca/~elf/hack/internet-worm.html

>The Sendmail Attack:

>In the sendmail attack, the worm opens a TCP connection to another machine's sendmail (the SMTP port), invokes debug mode, and sends a RCPT TO that requests its data be piped through a shell. That data, a shell script (first-stage bootstrap) creates a temporary second-stage bootstrap file called x$$,l1.c (where '$$' is the current process ID). This is a small (40-line) C program.

>The first-stage bootstrap compiles this program with the local cc and executes it with arguments giving the Internet hostid/socket/password of where it just came from. The second-stage bootstrap (the compiled C program) sucks over two object files, x$$,vax.o and x$$,sun3.o from the attacking host. It has an array for 20 file names (presumably for 20 different machines), but only two (vax and sun) were compiled in to this code. It then figures out whether it's running under BSD or SunOS and links the appropriate file against the C library to produce an executable program called /usr/tmp/sh - so it looks like the Bourne shell to anyone who looked there.

>The Fingerd Attack:

>In the fingerd attack, it tries to infiltrate systems via a bug in fingerd, the finger daemon. Apparently this is where most of its success was (not in sendmail, as was originally reported). When fingerd is connected to, it reads its arguments from a pipe, but doesn't limit how much it reads. If it reads more than the internal 512-byte buffer allowed, it writes past the end of its stack. After the stack is a command to be executed ("/usr/ucb/finger") that actually does the work. On a VAX, the worm knew how much further from the stack it had to clobber to get to this command, which it replaced with the command "/bin/sh" (the Bourne shell). So instead of the finger command being executed, a shell was started with no arguments. Since this is run in the context of the finger daemon, stdin and stdout are connected to the network socket, and all the files were sucked over just like the shell that sendmail provided.
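
Added example, not part of the comment above and not fingerd's own code: a bounded replacement for the `gets()` call described there, which rejects an over-long request instead of truncating it and reports its size for logging. The names `read_request` and `REQ_BUF`, and the sample input, are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF 512  /* buffer size the quoted report gives for fingerd */

enum req_status { REQ_OK, REQ_TOO_LONG, REQ_EOF };

/* Reads one request line from `in` into buf[cap] (cap >= 1) and never
 * writes past it. An over-long line is consumed up to its newline and
 * rejected whole, so its tail cannot be parsed as a second request.
 * *wire_len is the number of bytes the peer sent before the newline,
 * which is the figure worth logging. */
static enum req_status read_request(FILE *in, char *buf, size_t cap,
                                    size_t *wire_len)
{
    size_t stored = 0, total = 0;
    int c;

    while ((c = getc(in)) != EOF && c != '\n') {
        if (stored + 1 < cap)
            buf[stored++] = (char)c;
        total++;
    }
    buf[stored] = '\0';
    *wire_len = total;
    if (c == EOF && total == 0)
        return REQ_EOF;
    if (total > stored) {            /* did not fit: refuse, do not truncate */
        buf[0] = '\0';
        return REQ_TOO_LONG;
    }
    if (stored > 0 && buf[stored - 1] == '\r')  /* strip the CR of a CRLF */
        buf[stored - 1] = '\0';
    return REQ_OK;
}

/* Results of run_demo(), kept in globals so they can be inspected. */
static enum req_status demo_status[3];
static size_t demo_len[3];
static char demo_name[REQ_BUF];

/* Constructed input: one 600-byte line, then a normal "alice" request. */
static int run_demo(void)
{
    char buf[REQ_BUF];
    FILE *in = tmpfile();
    int i;

    if (in == NULL)
        return -1;
    for (i = 0; i < 600; i++)
        putc('A', in);
    fputs("\nalice\r\n", in);
    rewind(in);
    for (i = 0; i < 3; i++) {
        demo_status[i] = read_request(in, buf, sizeof buf, &demo_len[i]);
        if (demo_status[i] == REQ_TOO_LONG)
            fprintf(stderr, "rejected %lu-byte request (limit %d)\n",
                    (unsigned long)demo_len[i], REQ_BUF - 1);
        else if (demo_status[i] == REQ_OK)
            strcpy(demo_name, buf);
    }
    fclose(in);
    return 0;
}

int main(void)
{
    return run_demo();
}
```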
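
Added example, not part of the comment above and not sendmail's source: a simplified command table showing why overwriting the "D" of "DEBUG" with a null byte renames the command to the empty string rather than removing it, next to a change that does remove it. The dispatcher, its names and the three-command table are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum cmd_code { CMD_UNKNOWN, CMD_HELO, CMD_EXPN, CMD_DEBUG };

struct cmd_entry {
    char name[8];           /* writable, so the binary edit can be modelled */
    enum cmd_code code;
};

enum patch { UNPATCHED, NUL_PATCH, ENTRY_DISABLED };

/* Case-insensitive equality of two NUL-terminated strings. */
static int same_word(const char *a, const char *b)
{
    while (*a && *b &&
           toupper((unsigned char)*a) == toupper((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Look up the first whitespace-delimited word of `line` in the table. */
static enum cmd_code lookup(const struct cmd_entry *tab, size_t n,
                            const char *line)
{
    char word[16];
    size_t len = 0, i;

    while (line[len] && !isspace((unsigned char)line[len]) &&
           len < sizeof word - 1) {
        word[len] = line[len];
        len++;
    }
    word[len] = '\0';       /* a blank line yields the empty word "" */
    for (i = 0; i < n; i++)
        if (same_word(word, tab[i].name))
            return tab[i].code;
    return CMD_UNKNOWN;
}

/* Build a fresh table, apply one of the two changes, dispatch one line. */
static enum cmd_code dispatch(enum patch p, const char *line)
{
    struct cmd_entry tab[] = {
        { "HELO", CMD_HELO }, { "EXPN", CMD_EXPN }, { "DEBUG", CMD_DEBUG },
    };
    size_t n = sizeof tab / sizeof tab[0], i;

    for (i = 0; i < n; i++) {
        if (tab[i].code != CMD_DEBUG)
            continue;
        if (p == NUL_PATCH)
            tab[i].name[0] = '\0';      /* "DEBUG" becomes "" */
        else if (p == ENTRY_DISABLED)
            tab[i].code = CMD_UNKNOWN;  /* name stays, action is gone */
    }
    return lookup(tab, n, line);
}

int main(void)
{
    static const char *lines[] = { "DEBUG", "", "EXPN list" };
    static const char *names[] = { "unknown", "HELO", "EXPN", "DEBUG" };
    size_t i;
    int p;

    for (p = UNPATCHED; p <= ENTRY_DISABLED; p++)
        for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
            printf("patch=%d line=\"%s\" -> %s\n", p, lines[i],
                   names[dispatch((enum patch)p, lines[i])]);
    return 0;
}
```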

api 17 hours ago

It's a little shocking to me that there haven't been more things like this.

While we're much more conscientious and better at security than we were way back then, things are certainly not totally secure.

The best answer I have is the same as what a bio professor told me once about designer plagues: it hasn't happened because nobody's done it. The capability is out there, and the vulnerability is out there.

(Someone will chime in about COVID lab leak theories, but even if that's true that's not what I mean. If that happened it was the worst industrial accident in history, not an intentional designer plague.)

  • mrguyorama 16 hours ago

    After things like

    https://en.wikipedia.org/wiki/Blaster_(computer_worm)

    https://en.wikipedia.org/wiki/SQL_Slammer

    https://en.wikipedia.org/wiki/Sasser_(computer_worm)

    Bill Gates sent out the "Trusted Computing" memo to harden Windows and make it somewhat secure.

    Essentially, Windows used to be trivial to exploit, in that every single service was by default exposed to the web, full of very trivial buffer overflows that dovetailed nicely into remote code execution.

    Since then, Windows has stopped exposing everything to the internet by default and added a firewall, fixed most buffer overflows in entry points of these services, and made it substantially harder to turn most vulnerabilities into the kind of remote code execution you would use to make simple worms.

    >better at security than we were way back then

    In some ways this is dramatically understated. Now the majority of malware comes from getting people to click on links, targeted attacks that drop it, piggyback riding in on infected downloads, and other forms of just getting the victim to run your code. Worms and botnets are either something you "Willingly" install through "free" VPNs, or target absolutely broken and insecure routers.

    The days where simply plugging a computer into the internet would result in you immediately trying to infect 100 other computers with no interaction are pretty much gone. For all the bitching about forced updates and UAC and other security measures, they basically work.

  • exasperaited 17 hours ago

    To a fairly significant extent, the Morris worm is why there haven't been more; it did prompt something of a culture shift away from trusting users to trusting mechanisms, mostly by prompting people to realise that the internet wasn't only going to be in the hands of a set of people who were one or two degrees of separation apart. It didn't make sense to assume people would treat it with reverence like a giant beautiful shared space.

    It's most obviously paralleled by Samy Kamkar's MySpace worm, which exploited fairly similar too-much-trust territory.

    • throawayonthe 16 hours ago

      I imagine the

      - heterogeneity of modern computing environments

      - number of 'layers' in any system

      - sheer size of the modern Internet

      all also make it harder to scale

anshumankmr 16 hours ago

[flagged]

  • not2b 15 hours ago

    6,000+, and those machines served many others (back then there were tens of thousands of machines on the Internet, but probably 10x as many that were connected to these by relays that handled email or Usenet traffic).

    • tptacek 14 hours ago

      Also worth remembering that especially with Internet-connected computers almost everything was multiuser. You did work on the Internet from a shell on a shared Unix server, not from a laptop.

      • hshdhdhehd 13 hours ago

        Serverless remote workspaces as you might call them now.

temperceve 14 hours ago

I might have 10% of the internet from 1988 on my Apple Watch.

shadyKeystrokes 16 hours ago

Hypothetically if the m$ cloud ecosystem got completely obliterated (including backups) would customers switch? Or is the lock-in as complete as it is with the operating system customers?