return
Robert Tappan Morris is known for creating the first massively propagated Internet worm, an event that marked a turning point in the history of cybersecurity. Although his intention was not malicious, his creation accidentally affected a large part of the systems connected to the Internet at the time, triggering a crisis in the nascent digital world.
Early years and education
Morris was born into a family with a strong connection to computer science. His father, Robert Morris Sr. was a renowned cryptographer and an early member of the AT&T Bell Labs research lab, which exposed Robert to the world of computing from an early age.
Robert attended the Massachusetts Institute of Technology (MIT) and then Cornell University, where he was pursuing his PhD in computer science when the incident that would make him famous occurred. In his spare time, Morris worked in programming and cybersecurity, looking for ways to explore vulnerabilities in the growing network of computers known as the Internet.
The Morris Worm
On November 2, 1988, while a student at Cornell, Robert launched what became known as the Morris Worm. The worm was designed as an experiment to measure the size of the Internet, but due to a bug in the code, the worm replicated faster than expected. This caused a large portion of online systems to be overwhelmed, resulting in crashes of thousands of computers.
The worm exploited vulnerabilities in various Unix services and replicated across network connections, infecting systems throughout the United States. In total, the worm affected approximately 6,000 computers, which in 1988 represented about 10% of the machines connected to the Internet.
Morris worm structure
Design and Initial Motivation
RRobert Tappan Morris, while studying at Cornell University, decided to create a worm to measure the size of the Internet. His original idea was to calculate how many machines were connected to the global network. To do this, he designed a program that would replicate from one system to another, exploiting known vulnerabilities in Unix.
Vulnerability Exploitation in Unix
The worm exploited three main vulnerabilities:
• Vulnerability in sendmail: This Unix service allowed arbitrary commands to be executed in some configurations.
• Vulnerability in fingerd: A service used to provide information about connected users. Morris used an exploit known as buffer overflow.
• Remote connection via weak or known passwords: The worm attempted to access other machines using trivial passwords.
Propagation to Other Systems
The worm was designed to spread through the network by connecting to other systems. Once a vulnerability in a system was exploited, the worm attempted to replicate itself. The code sent a copy of itself to the infected machine and then executed the code to start the infection on the new machine.
Replication and Evasion Mechanism
Morris implemented a mechanism to prevent his worm from repeatedly infecting the same machine. This mechanism consisted of the worm checking to see if a copy was already running on the infected system. However, due to a flaw in the control logic, the worm often failed to correctly detect existing infections, resulting in multiple copies on a single machine, saturating its resources.
Replication and Resource Saturation Error
The error in the replication logic caused infected machines to run multiple copies of the worm simultaneously. This saturated the resources of the infected computers, causing many of them to crash or become extremely slow. This problem was one of the main reasons why the Morris worm became a global incident.
Detention and Response (November 1988)
On November 2, 1988, the Morris worm was accidentally released on the Internet. Within hours, thousands of Unix systems across the United States were affected. The magnitude of the attack led to the creation of the first computer emergency response team, known as the Computer Emergency Response Team (CERT).
Duration of the incident
The Morris worm is considered a fundamental predecessor to today's computer attacks, as it was one of the first incidents that showed the serious consequences that can arise from exploiting vulnerabilities in interconnected systems. In the following, we will see how it was a precursor to modern computer attacks:
Vulnerability Exploitation
This worm exploited several vulnerabilities in Unix systems, including weaknesses in sendmail and fingerd, two very common network programs at the time. This laid the groundwork for modern attacks that focus on identifying and exploiting software vulnerabilities, such as zero-day vulnerabilities or unpatched flaws, to infiltrate systems.
Today, attacks on computer systems often exploit software flaws, similar to how the Morris worm did. These vulnerabilities can be exploited in attacks such as:
• Software exploits.
• Ransomware.
• Modern worms such as WannaCry and NotPetya.
Autonomous Propagation
The Morris worm had the ability to spread autonomously, infecting other systems without human intervention. This concept of self-replication has become a key feature of modern attacks, such as worms and network viruses. Contemporary attacks such as:
• Stuxnet
• Conficker
• WannaCry
These are examples of how modern malware continues to use this principle of self-replication to spread rapidly across networks, causing massive damage to interconnected systems.
Saturation effect
One of the most notable effects of the Morris worm was that it saturated the resources of infected systems, causing many to stop working. This "denial-of-service (DoS) attack" phenomenon is now a common tactic in cyberattacks, with more advanced versions such as distributed denial-of-service (DDoS) attacks. In these, attackers flood systems with requests or data until they become unusable, with devastating effects on critical infrastructure.
Global Impact
The Morris worm showed how a computer attack could have a global impact, affecting thousands of interconnected systems across the United States in a matter of hours. This anticipated the global interconnectedness we depend on today and the large-scale attacks that can affect critical services around the world, such as:
• Attacks on critical infrastructures (electricity, transportation, health).
• Hacking campaigns in multiple countries (e.g. SolarWinds, attacks on governments and corporations).
CERT Creation and Incident Response
The impact of the Morris worm led to the creation of the first Computer Emergency Response Team (CERT), an organization dedicated to coordinating the response to computer security incidents. This reflects how incidents like Morris led to the development of the structures used today to handle large-scale security incidents.
Today, incident response teams play a crucial role in mitigating damage from cyberattacks, tracing the source of attacks and restoring compromised systems, from ransomware to cyber espionage.
Security Awareness
The Morris worm was one of the first incidents to bring computer security into the public and professional debate. Systems managers began to take the security of their networks and systems more seriously, something that is now paramount due to the number and sophistication of cyber-attacks. This increased awareness led to improvements in security practices, such as:
• Implementation of security patches.
• Use of firewalls and antivirus.
• Development of more robust cyber defense practices.
Legal Consequences
In 1990, Robert Tappan Morris was tried and became the first person to be convicted under the U.S. Computer Fraud and Abuse Act of 1986. He was sentenced to three years probation, 400 hours of community service and a $10,000 fine.
The Morris case set an important precedent in cybersecurity law and the treatment of computer crimes. Although his intent was not malicious, the law treated his case seriously, given the global impact his experiment had.
Rear race
Far from being deterred by his legal problems, Morris continued his academic and professional career in computer science. He earned his Ph.D. in computer science and became a respected scholar in the field of computer science. He eventually became a professor at MIT, where he has worked in a variety of research areas, including systems architecture and computer security.
In 1995, he co-founded Y Combinator with Paul Graham, one of the world's most influential startup incubators. Y Combinator has played a crucial role in the development of many of the most successful technology startups, such as Dropbox and Airbnb.
Legacy
Although Robert Tappan Morris is remembered for creating the first Internet worm, his impact on the history of computing goes far beyond that. The Morris worm incident helped underscore the need for improved security in computer networks and systems, leading to significant advances in cybersecurity. In addition, his subsequent work as an academic and investor has been crucial to the development of modern technology.
His life and career are a testament to how a significant mistake can lead to positive change in a field and how intellectual curiosity and entrepreneurial spirit can transform technology and innovation.
Conclusion
Robert Tappan Morris is a unique figure in the history of computing, not only for his role in one of the most notorious incidents in the early days of the Internet, but also for his contribution to the advancement of technology and the startup ecosystem. His story serves as a reminder of the risks inherent in experimenting with complex systems, but also highlights the importance of learning and innovation in the field of cybersecurity.
