[TUHS] Happy birthday Morris worm

Dave Horsfall dave at horsfall.org
Wed Nov 13 08:00:26 AEST 2019

On Tue, 12 Nov 2019, Norman Wilson wrote:

> I think I recall an explicit statement somewhere from an interview with 
> Robert that the worm was inspired partly by Shockwave Rider.

Yes, I noticed the similarity too.

> I confess my immediate reaction to the worm was uncontrollable laughter. 
> I was out of town when it happened, so I first heard it from a newspaper 
> article (and wasn't caught up in fighting it or I'd have laughed a lot 
> less, of course); and it seemed to me hilarious when I read that Robert 
> was behind it.  He had interned with 1127 for a few summers while I was 
> there, so I knew him as very bright but often a bit careless about 
> details; that seemed an exact match for the worm.

That was the trouble; had he bothered to test it on a private network (as 
if a true professional would even consider carrying out such an act)[*] he 
would've noticed that his probability calculations were arse-backwards, 
and so spread much faster than it "should" have.

> My longer-term reaction was to completely drop my sloppy old habit 
> (common in those days not just in my code but in that of many others) of 
> ignoring possible buffer overflows. I find it mind-boggling that people 
> still make that mistake; it has been literal decades since the lesson 
> was rubbed in our community's collective noses.  I am very disappointed 
> that programming education seems not to care enough about this sort of 
> thing, even today.

Yep.  Don't use fixed-length buffers unless you *know* that it will
not overflow (i.e. the data is under your control), and don't trust
user input (especially if the reader is an interpreter with the
possibility of spawning a shell); there are of course others.

This is what you get when people call themselves programmers because
they once took a course in programming or read a book; that's like
calling oneself a doctor because you took a first-aid course...

One of my favourite examples is "Barbie the Computer Engineer" (grep the 
net for it, but warning: the title contains a naughty word).

Oh, OK; here's a sanitised URL:


Yes, that really is the URL; I've just tested it (but contents may offend
some viewers; you have been warned).

And for those who slagged me off for calling him an idiot, try this quick 
quiz: on a scale from utter moron to sheer genius, what do you call 
someone who deliberately releases untested software designed to compromise 
machines that are not under his administrative control in order to make 
some sort of a point?  I don't know about other countries, but try that in 
Australia and you'd be seriously out of pocket and/or doing porridge.

-- Dave (BSc, majoring in Computer Science and Mathematics)

More information about the TUHS mailing list