[TUHS] Happy birthday, Morris Worm!
dave at horsfall.org
Sat Nov 4 11:15:37 AEST 2017
Well, that sure stirred up a hornet's nest; then again, I've been a
stirrer for most of my 65 years (just ask anyone who knows me, including
WKT), so I guess I should've expected it...
There are far too many responses to deal with individually (it will only
go exponential) so I'll make this my final post, and then it can continue
off-list if people insist; if Warren has shut down the topic then I
haven't noticed it yet, but at least I can see it's an active topic going
by the "TUHS" tag (and thanks again Warren for reinstating that).
First, apologies I guess to anyone who was offended, but I've never balked
at kicking the odd sacred cow now and then.
I would've dismissed RTM's effort as an "oopsie" that we all make from
time to time, except for the following extract from the Morris Worm page:
``The critical error that transformed the worm from a potentially harmless
intellectual exercise into a virulent denial of service attack was in the
spreading mechanism. The worm could have determined whether to invade a
new computer by asking whether there was already a copy running. But just
doing this would have made it trivially easy to stop, as administrators
could just run a process that would answer "yes" when asked whether there
was already a copy, and the worm would stay away. The defense against this
was inspired by Michael Rabin's mantra "Randomization". To compensate for
this possibility, Morris directed the worm to copy itself even if the
response is "yes" 1 out of 7 times. This level of replication proved
excessive, and the worm spread rapidly, infecting some computers multiple
times. Rabin said that Morris "should have tried it on a simulator
The (reconstructed) source code, easily found in a few seconds, shows just
that i.e. it was *designed* to avoid any attempts to suppress it; a simple
statistical analysis shows that it would become uncontrollable even within
a small cluster (I can provide it upon request, in case anyone doubts my
admittedly-rusty statistical skills).
The first thing any binary did was to unlink itself, thereby making
It forks a lot to change the process ID, thereby making it difficult to
It encrypts all the strings (a simple XOR with 0x81), thereby disguising
In short, although I doubt whether there was malicious intent, if I were
to write something to bring down the Internet then I would start along
No doubt his goal was laudable (estimating the number of hosts) but there
are weirdos like me who prefer not to be "counted" (even my census returns
are illegally anonymous, by not providing a real name, no birth date but
age is OK, no street address but suburb is OK; I don't care who knows that
I'm an atheist as until now we were lumped in as "other"); I regularly
fend off such probing attempts in my firewall (ACK scans, FIN scans, etc).
So, was RTM an idiot or not? You be the judge.
Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."
More information about the TUHS