Internet Fact and Fantasy

Internet

The Great Worm -- an power point presentation script

an all black slide with the giant movie logo "REVENGE OF THE NERDS" (available from http://www.supermanfred.it/nerds.htm -- the image will need to be slightly edited to remove "the website" from it) in the center. Play a section of "She Blinded me with Science!"

Script: [said ominously] "It was the eighties. Anything could have happened. The internet was still a text-based baby and there wasn't even public dial-up access yet. Nonetheless, over 60,000 systems in universities, corporations and government offices were connected in a living system... one that was about to get seriously ill.

The image is an old college picture of Robert T. Morris (available from http://www.rotten.com/library/bio/hackers/robert-morris / ). A list on the side of the image reads:

*Robert T. Morris, JR.

*Cornell Computer Science Graduate Student

*Future founder of Viaweb & MIT professor

*Criminal Mastermind?

Script: "Robert T. Morris [cue first list item] was an innocuous looking graduate student at MIT. [cue second list item] By all reports he was a brilliant fellow from a brilliant line. His father was the chief scientist and the National Computer Security Center and he himself would go on to be an influential part of the development of the Internet with dozens of papers under his belt. Eventually he would found Viaweb, a set of online store tools used by Yahoo! And others, [cue third list item] and be a professor at MIT in the field of computing and artificial intelligence. In the Eighties, [cue last list item] however, little Robert was responsible for releasing the first worm and bringing the fledgling internet to its knees.

Slide #3 -- An image of a huge carnivorous Gobi worm serves as the background for this slide. (http://www.forteantimes.com/articles/182_deathworm1.shtml) On the left the following text reads:

'1975-- A freedom fighter creates the Tapeworm, a computer program forcing his totalitarian government to shut down all operations. Luckily for the U.S., it's only science fiction, part of John Brunner's story SHOCKWAVE."

SCRIPT: (read the text) "Science fiction has long proved to be science-prophesy in the field of computing. Both worms and viruses get their names from science fiction stories that proceeded them. In the story of Shockwave, worms were used both to bring down the system and as a regular part of the computer net's functioning.

Slide #4 -- A picture of clowns riding a Dune-Style sandworm. (http://www.ibiblio.org/Dave/ar00394.htm) Text elements to the right of the worm read:

List #1 -- "1979 -- Xerox's Palo Alto Research Center uses five worms as part of their routine."

List #2 -- "Shortly thereafter -- Xerox's worms started escaping"

SCRIPT: [cue #1] "1979 -- Xerox's Palo Alto Research Center uses five worms as part of their routine. Worms perform various activities, from deliverying messages to deleting defunct accounts or running programs. This proved to be as dangerous as it was useful. " [cue #2] "Shortly thereafter -- Xerox's worms started escaping. One mutated and started crashing computers. Another spread to computers where it was not wanted. As less people read Shockwave, the idea of worms was almost forgotten... Until Morris Jr. came along."

Slide #5 -- As the list appears, two images will appear. The first shows up with the first list element. This is an image of an earthworm wearing a labcoat. The second image comes in with the third slide. It's the image of the same worm having a great idea. Both images are found at: http://www.jmgkids.com/index.k2?did=2440& sectionID=2019

List #1 -- "How big is the internet anyway?"

List #2 -- "If only I could test this by counting them with a program..."

List #3 -- "What about a program that installed itself and sent copies to any connected computer?"

SCRIPT: [cue #1] "Morris claims that the goal of the worm was to measure the size of the Internet and determine how many computers were interconnected. [cue #2] The worm was supposed to infect every computer it could. Upon infecting the computer, this worm sent a single byte of information to Morris' web address. By counting those bytes, Morris would know how many computers there were online using the susceptible systems. [cue #3] The entire function of the worm was to install itself on any computer it infected and use that computer to send out copies of the program to other computers. Unfortunately, Morris made what he claims was a serious coding mistake.

Slide #6 -- an image of a worm packing two shotguns and growling. This image can be found sketched at: http://archives.thedaily.washington.edu/1999/100899/N3.F& N.html. To make it match the previous worms, it can be taken into a paint program and colored in. The text reads:

OOPS -- Instead of only allowing one copy of the worm per computer, each computer was repeatedly infected until the simple worm processes devoured the entire processing power.

SCRIPT: "Morris claims that the original program was supposed to check to see if a server already had a working version of the worm, and if so it should not re-install the program. Instead, the worm installed itself every time it cam in contact with a machine. That meant that if two infected computers were connected to one another, they would trade copies of the worm back and forth until both crashed. Each time they sent out a copy, that copy would install itself and send back a copy -- like two mirrors facing each other and forming an endless reflection. Instead of merely counting the computers it infected, this worm ate them."

Slide #7 -- Image of a worm eating a computer. (availaible from: http://life.wayne.edu/article.php?id=33) The title text reads "She's Gonna Get You!" Cue the music to Ace of Base song "All That She Wants," fading into the first chorus ("She's gonna get you -- all that she wants is another baby, she's gone tomorrow boy....") The following text appears line by line. This text was written by Donn Seely and is available online (http://snowplow.org/tom/worm/what.html).

All the following events occurred on the evening of Nov. 2, 1988.

* 6:00 PM At about this time the Worm is launched.

* 8:49 PM The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu)

* 9:09 PM The Worm initiates the first of its attacks to infect other computers from the infected VAX

* 9:21 PM The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)

* 9:41 PM The load average reaches 7

* 10:01 PM The load average reaches 16

* 10:06 PM At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.

* 10:20 PM The system administrator kills off the worms

* 10:41 PM The system is reinfected and the load average reaches 27

* 10:49 PM The system administrator shuts down the system. The system is subsequently restarted

* 11:21 PM Reinfestation causes the load average to reach 37.

-- Don Seely, A Tour of the Worm

SCRIPT: [cue line 1] "On November second, 1988, the election wasn't the only thing making news. On this evening, the great internet worm was released at 6 PM on the MIT colege system." [cue line 2] "Within hours it had spread nation wide." [cue line 3] "This is a timeline of the effects on just one system as the administrators tried to survive the worm... when all that it wanted was to reproduce it was definately out to get them." [cue line 4] "Within twenty minutes of infection of the server, the worm began to spread." [cue line 5] "The system was quickly reinfected and began to overload and was soon working five times harder than usual." [cue line 6] "Then seven times faster...." [line 7] "Then sixteen times faster." [line 8] "Eventually the system couldn't function at all. After only one hour and 17 minutes, the computer has gone from infection to standstill. At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore." [line 9] "The administrators go through and kill the worms manually." [line 10] "However, within minutes the computer is reinfected and brought to a complete halt once more" [line 11] "The administrators try restarting the system..." [line 12] "But within half an hour the reinfection has once more reached terminal levels. Until the worm was actually defeated, this was the situation for every vulnerable computer."

SLIDE #8 -- Image on the right shows a worm wearing a graduate cap with a pointing stick (availaible from: http://www.nrcs.usda.gov/feature/education/squirm/skworm.html -- crop image to edit out text). Text at top of page reads: "WHY DID THE WORM WORK SO WELL?"

The following list answers that question.

#1 -- It targets common systems: DEC VAX machines running Sun 3 & BSD 4

#2 -- It transmitted itself through SENDMAIL bugs

#3 -- It transmitted itself through FINGER bugs

#4 -- It knew a whole dictionary of passwords to RSH

Script: "The worm targetted only specific servers, DEC VAX machines running Sun 3 and BSD 4 systems. Just like today when the majority of machines use Windows, at that time a huge number of machines met these specifications and carried the programs that were susceptible." [cue line 2] "The worm transmitted itself through the Sendmail service, which is notoriously buggy, and accepted the worms request to use it. Many administrators' first line of defense was to shut down their mail programs, however the worm had other ways of spreading as well and shutting down mail only prevented operators from hearing about the antidote when it was discovered." [cue line 3] "Finger is a program related to a webpage or blog, which allowed people to share information about themselves. It had a bug where anything overly complex was automatically accepted rather than being checked. This included fingering a worm." [cue line 4] "Finally, the worm broke into RSH, which allowed it to access second healthy machines if one had the same level access to both computers. The worm ran through thousands of passwords on an infected computer and, upon gaining access, would use that to enter new computers. The worm used a copy of the dictionary, among other tactics. Bad password choice, then as now, made systems weaker."

SLIDE #8 -- Large text across the top reads: AFTER THE WORMS WERE OUT OF THE COMPUTER... The image on the left shows a bunch of worms laying on a keyboard. (http://www.terecon.de/uploads/mediapool/Images/worm.jpg) .

Text: #1 -- 6,000 machines estimated to be infected with $10-100 million in labor to resecure them.

#2 -- Morris was the first hacker convicted under the 1986 Computer Fraud and Abuse Act.

#3 -- Reduced sentence because "the total dollar lost overstates the seriousness of the offense" (U.S. v. Robert Tappan Morris. Case Number 89-CR-139)

#4 -- In the end, the computer community benefitted by an increased awareness of security.

Script: Eventually, of course, the worm was defeated. Computer programmers and academics isolated the worm, deconstructed it, and figured out how to stop the bugs it was using and secude computers against it." [cue #1] "The prosecuters claimed that the worm infected about 6,000 computers and the cost in man-hours to clean and secure the computers was between ten and a hundred million dollars. Some claim that these numbers were a little off base. Accordin to Programmer Paul Graham: "I was there when [this statistic] was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them." [quoted in the Wikipedia article] Morris program itself failed to count the number of infected computers, because reinfection skewed the count. The dollar cost was based not on actual damage but on the cost of hiring people to remove the worm and to change the code so it couldn't reinfect. Nonetheless..." [cue #2] " Morris was convicted for violating the 1986 Computer Fraud and Abuse Act, which could have meant serious jail time. Luckily for him, the judge was very lenient." [ Cue #3] "The judge in this case said that: "the total dollar lost overstates the seriousness of the offense..." And sentenced him to years of probation, public service, and a hefty fine. This was particularly fair considering that the worm's only damage was a side effect of its reproduction." [cue #4] "The worm could have destroyed data, stolen and transmitted password, or even burnt out computers. Later worms and viruses have attempted to do all of these things and often succeeded. Morris' worm was relatively harmless, even if temporarily disabling, and its existence pointed out the serious security flaws in the internet and the possibility of future attacks. In the end, the computer community benefitted by an increased awareness of security, because if it wasn't for him we might not have been prepared for future malevolent worms.