Robert Morris

The First Internet Worm

Robert Morris is a famous name in hacking because he was responsible for the release of the first Internet worm, which had a considerable impact on the Internet by reducing its performance.

Morris was a computer science graduate student at Cornell. In November 1988 Morris released a worm, a self-replicating program, that traveled on the Internet and "reproduced" at nodes. The difference between the worm and the virus is that the worm is peripatetic; that is, it travels from place to place on the network and does not infect individual hosts like the virus. A worm is a "denial of service" because it prevents legitimate users from using the Internet: the worm eats up bandwidth.

The worm was designed to be difficult to detect and eradicate.

In order to cover his tracks, Morris released the worm from MIT rather than Cornell. It appears that Morris did not appreciate how effective his worm would be, and he attempted to limit the damage by sending an anonymous message from Harvard. Unfortunately, the network had been clogged by the worm and the warning proved ineffective.

It took several days for the Internet to resume normal operation. Systems programmers spent a lot of time analyzing the worm to counter its effects. The worm exploited failings in two programs running on Internet nodes.

Although the worm did not do active harm to computers by deleting or changing files, it did cause a lot of trouble to systems operators who had to deal with the problem. Moreover, it prevented the transmission of legitimate traffic. The creator of a worm might argue that "All's well that ends well" and their worm is little more than a harmless prank. However, it is quite easy to demonstrate that there are circumstances where such a worm could lead to personal injury or a loss of life. People now rely on the Internet as a means of communicating important information; for example, a pathology laboratory might send the results of a biopsy over the Internet.

Morris was eventually convicted under the Computer Fraud and Abuse Act. He was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.

In 1990 Lawrence Kestenbaum (http://www.potifos.com/morris.html) wrote an essay on the sentencing of Morris and ended with the statement:

I think that people who are unfamiliar with the legal system don't tend to consider how good Morris looks compared to the more typical criminal defendant who has a history of (a) prior crimes, (b) drug use, (c) violence, (d) greed, and (e) predatory behavior. Retribution is not usually foremost on a sentencing judge's mind; rather, he or she tries to look toward the impact of the sentence on the defendant's future behavior. It is hard to imagine Morris doing anything like the Internet worm again, so the need to lock him up is anything but pressing.

I agree in principle with Kestenbaum's sentiments, but we have to ask ourselves this question: does the computer scientist who is able to predict the effect of their actions merit sympathy when they willfully act to cause harm to the community? By the way, Morris's father, Robert Morris, is a computer security expert at the National Security Agency.