What Famous Internet Worm Led To The First Federal Computer Crime Prosecution?
Answer: The Morris Worm
As far as security vulnerabilities and malicious software go, The Morris Worm is down right legendary. Created by Robert Tappan Morris while he was a graduate student at Cornell University, the worm unleashed a perfect storm upon the computing world and Morris’s life.
Morris was a computer geek with a pedigree–his father coauthored the UNIX code and was a chief computer scientist at the NSA–and a talent for exploring computer systems. In 1988, Morris went from simply being a promising young graduate student to being the author of an inadvertently destructive computer worm. Morris insists that he did not create the worm to cause trouble but that it was intended to measure the size of the internet by counting all the systems it could reach. The worm exploited vulnerabilities in the UNIX sendmail, finger, and rsh/exec applications. Morris released the worm from an MIT computer lab, in order to avoid drawing undue attention to himself and Cornell University.
The worm had, what would turn out to be, a critical flaw. Machines could be infected multiple times which led to a sort of hall-of-mirrors effect. Once the worm was in the wild it spread rapidly, often reinfecting the same machines over and over again. Essentially The Morris Worm was the first, albeit accidental, denial of service attack, as the massive amount of reinfections and network traffic brought thousands of machines to their knees. The infection was unprecedented and left many system administrators scrambling to keep their systems online (usually with little success).
The Morris Worm served as a huge wake up call to the security community. The antics of one graduate student had shut down a significant portion of the internet, done tens of millions of dollars in damage, and demonstrated just how fragile the budding global network really was.
Morris’s reward for unleashing such a firestorm upon the internet was a place in history as the first person prosecuted under the Computer Fraud and Abuse Act of 1984. This act has been expanded and rolled into The Patriot Act but, in it’s original form, was largely intended to offer the U.S. federal government a means to prosecute people who tampered with federal computers. Many of the computers Morris crippled were part of federal institutions and, as such, he was found guilty and sentenced to three years probation, 400 hours of community service, and fined $10,000.
If you’re curious where Mr. Morris is now, he’s a tenured professor of Electrical Engineering and Computer Science at MIT–it’s nice to see they don’t hold a grudge.