Morris worm

Discussion Questions

The Robert T. Morris case. 

For launching the Internet worm, Robert T. Morris, Jr. was sentenced to a $10,000 fine, 400 hours of community service, and three years' probation. Did the punishment fit the crime? You may want to consider the following facts.
  • Morris did not appear to want to cause any significant harm 
  • The majority of the class believes that intent should be taken into account in pronouncing sentence. 
  • But also consider the $96M claim of damage caused. Though inflated, this claim may not be altogether unreasonable, given the amount of time that computer professionals all over the country spent chasing the worm and recovering from its effects. 
  • In pronouncing sentence, is it important that most of the harm appeared to result from a bug? Do you agree with Richard Stallman, Henry Minsky, and Gary Drescher, who said, "[T]he 'worm' had parts designed to avoid clogging; one had an error. Research is error prone; punishing errors is futile if limited to errors in pranks"? 
  • Is the following comment from John Brunner reasonable? "Anyone who reminds our lords and masters that the computer society is fragile has definitely done a service to the public at large."

Responding to the worm

Suppose you had been a system administrator at the time of the Internet worm. What security precautions would you have taken as a result of the incident? Which were most urgent? Which were demanded by reasonable caution? Which had to be balanced against the cost and inconvenience to users?
  • Turning off the debug option of sendmail, which the worm used to make the mailer execute commands sent in a message
  • Disabling rsh and .rhosts files, the trusted-host mechanism the worm used to move from an infected machine to the machines that trusted it
  • Changing fingerd to use fgets, which takes a buffer length, instead of gets, which reads until end of line regardless of buffer size
  • Informing programmers of the need to check for overflow of input buffers
  • Removing from the system all utilities that used gets, scanf, etc. until they could be converted to use safer routines
For background, look at a step-by-step tour of the worm's actions, the CACM article by Spafford, and the Risks Digests 7:74, 7:75, 7:76, and 7:77.
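
The fingerd item in the list above is the one that turns directly into code. What follows is an added illustration, not the original fingerd source and not the worm's code: the gets()-style read is left as a comment (gets() has been removed from standard C), and beside it is an fgets()-based replacement that rejects, rather than silently truncates, a line too long for its buffer. The 512-byte buffer and the 536-byte request length are the figures Spafford's analysis gives for the original attack; the request strings are constructed here, and tmpfile() stands in for the network socket.

```c
#include <stdio.h>
#include <string.h>

/* Line buffer size; 512 bytes is what Spafford reports for the original fingerd. */
#define LINE_BUF 512

/*
 * The vulnerable pattern, shown only as a comment (gets() is gone from
 * standard C and must never be compiled in):
 *
 *     char line[512];
 *     gets(line);      <- no bound; the worm's 536-byte request ran past the
 *                         buffer into the stack frame behind it
 */

/*
 * Hardened replacement. Reads one request line into buf (capacity n) with
 * fgets(), which never stores more than n-1 bytes plus the terminator.
 * Returns:
 *    1  a complete line fit; trailing newline stripped
 *    0  the line was longer than the buffer: the rest is drained and buf is
 *       emptied so the caller rejects the request instead of acting on a
 *       silently truncated user name
 *   -1  EOF or read error before any data
 */
int read_request_line(char *buf, size_t n, FILE *in)
{
    if (fgets(buf, (int)n, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }

    /* No newline: either the input ended here, or the line did not fit. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;               /* line was exactly n-1 bytes; it fit */
    while (c != EOF && c != '\n')
        c = fgetc(in);          /* discard the bytes gets() would have written past the buffer */
    buf[0] = '\0';
    return 0;
}

/* Run the reader over an in-memory request; a temp file stands in for the socket. */
int handle_request(const char *req, size_t reqlen, char *out, size_t outlen)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fwrite(req, 1, reqlen, in);
    rewind(in);
    int rc = read_request_line(out, outlen, in);
    fclose(in);
    return rc;
}

/* Constructed inputs: a normal query, a line that exactly fills the buffer,
 * and a 536-byte line of the length the worm sent. Each returns 1 when the
 * reader behaves as intended. */
int check_short_request(void)
{
    char out[LINE_BUF];
    return handle_request("rtm\n", 4, out, sizeof out) == 1 && strcmp(out, "rtm") == 0;
}

int check_exact_fit(void)
{
    char req[LINE_BUF];
    memset(req, 'B', LINE_BUF - 1);
    req[LINE_BUF - 1] = '\n';
    char out[LINE_BUF];
    return handle_request(req, sizeof req, out, sizeof out) == 1
        && strlen(out) == LINE_BUF - 1;
}

int check_oversized_request(void)
{
    char req[537];               /* 536 bytes of payload plus newline */
    memset(req, 'A', 536);
    req[536] = '\n';
    char out[LINE_BUF];
    return handle_request(req, sizeof req, out, sizeof out) == 0 && out[0] == '\0';
}

int main(void)
{
    printf("short ok: %d  exact fit ok: %d  oversized rejected: %d\n",
           check_short_request(), check_exact_fit(), check_oversized_request());
    return 0;
}
```

The design choice worth noting is the return of 0 on an over-long line. Swapping gets() for fgets() stops the memory corruption, but fgets() alone would hand the daemon the first 511 bytes of the attacker's line as if it were a user name; draining the rest and refusing the request closes that second, quieter problem too.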

Should the source code be released to the public?

Should the decompiled source code for the Internet worm have been released to the public? Some people argued that it should, on the basis that it would reveal the extent of the holes in Unix security. But a consensus later developed that it should not, because it would make it easier for others to write their own worms. Before commenting on this, you may want to read an excerpt from the CACM article "With microscope and tweezers: the worm from MIT's perspective," a description of what the decompiled source code revealed from Risks 7:73, news reports of actions by government agencies to prevent its release, and a commentary on those actions.