What Famous Internet Worm Led To The First Federal Computer Crime Prosecution?
Answer: The Morris Worm
As far as security vulnerabilities and malicious software go, the Morris Worm is downright legendary. Created by Robert Tappan Morris while he was a graduate student at Cornell University, the worm unleashed a perfect storm upon the computing world and Morris’s life.
Morris was a computer geek with a pedigree—his father helped design Multics and Unix, then became the chief computer scientist at the National Computer Security Center, a division of the NSA—and had a talent for exploring computer systems. In 1988, Morris went from simply being a promising young graduate student to being the author of an inadvertently destructive computer worm. Morris insists that he did not create the worm to cause trouble, but that it was intended to measure the size of the Internet by counting all the systems it could reach. The worm exploited vulnerabilities in the UNIX sendmail, finger, and rsh/rexec applications, as well as weak passwords. Morris released the worm from an MIT computer lab in order to avoid drawing undue attention to himself and Cornell University.
The worm had what would turn out to be a critical flaw. Machines could be infected multiple times, which led to a sort of hall-of-mirrors effect. Once the worm was in the wild, it spread rapidly, often reinfecting the same machines over and over again. Essentially, the Morris Worm was the first, albeit accidental, denial-of-service attack, as the massive number of reinfections and the resulting network traffic brought thousands of machines to their knees. The infection was unprecedented and left many system administrators scrambling to keep their systems online (usually with little success).
The Morris Worm served as a huge wake-up call to the security community. The antics of one graduate student had shut down a significant portion of the Internet, done an estimated $100,000 to $10,000,000 in damage, and demonstrated just how fragile the budding global network really was.
Morris’s reward for unleashing such a firestorm upon the Internet was a place in history as the first person prosecuted under the Computer Fraud and Abuse Act of 1986 (an amendment to existing computer fraud law which had been included in the Comprehensive Crime Control Act of 1984). This act has been expanded numerous times over the years, including a revision by the Patriot Act in 2001, but in its original form it was largely intended to offer the U.S. federal government a means to prosecute people who tampered with federal computers. Many of the computers Morris crippled were part of federal institutions and, as such, he was found guilty and sentenced to three years' probation, 400 hours of community service, and a fine of $10,050 plus the costs of his supervision.
If you’re curious where Mr. Morris is now, he’s a tenured professor of Electrical Engineering and Computer Science at MIT—it’s nice to see that they didn’t hold a grudge.
Image by Trevor Blackwell/Wikimedia.