The Robert T. Morris case.
For launching the Internet worm, Robert T. Morris, Jr. was sentenced to
a $10,000 fine, 400 hrs. of community service, and 3 years' probation.
Did the punishment fit the crime? You may want to consider the following
Morris did not appear to want to cause any significant harm
The majority of the class believes that intent should be taken into account
in pronouncing sentence.
But also consider the $96M claim of damage caused. Though inflated, this
claim may not be altogether unreasonable, given the amount of time that
computer professionals all over the country spent chasing the worm and
recovering from its effects.
In pronouncing sentence, is it important that most of the harm appeared
to result from a bug? Do you agree with Richard Stallman, Henry Minsky,
and Gary Drescher, who said, "[T]he 'worm' had parts designed to avoid
clogging; one had an error. Re search is error prone; punishing errors
is futile if limited to errors in pranks"?
Is the following comment from John Brunner reasonable? "Anyone who reminds
our lords and masters that the computer society is fragile has definitely
done a service to the public at large."
Responding to the worm
Suppose you had been a system administrator at the time of the Internet
worm. What security precautions would you have taken as a result of the
incident? Which were most urgent? Which were demanded by reasonable caution?
Which had to be balanced again st the cost and inconvenience to users?
For background, look at a step-by-step tour of the worm's actions, the
by Spafford and the Risks Digests 7:74,
, 7:76, and 7:77
Turning off the debug option of sendmail ?
Disabling rsh and .rhosts files?
Changing fingerd to use fgets instead of gets?
Informing programmers of the need to check for overflow of input buffers?
Removing from the system all utilities that used gets, scanf,
etc. until they could be converted to use safer routines?
Should the source code be released to the public?
Should the decompiled source code for the Internet worm have been released
to the public? Some people argued that it should, on the basis that it
would reveal the extent of the holes in Unix security. But a consensus
later developed that it should not, because it would make it easier for
others to write their own worms. Before commenting on this, you may want
to read an excerpt from the the CACM article "W
ith microscope and tweezers: the worm from MIT's perspective,"a
description of what the decompiled source code revealed, from Risks
7:73, news reports of actions
by government agencies to prevent its release, and a commentary
on those actions.