Twenty years ago, the first internet worm made a dreadful error
It was twenty years ago, on November 2nd 1988, that the internet went away, when Robert Tappan Morris, a computer science student, ran a program he thought would tell him how many computers were connected to the internet. Exploiting security vulnerabilities, his program was meant to break into as many computers as possible, return a count value, and copy itself on to further systems. But a flaw in the program meant that computers were infected multiple times, placing an extremely heavy load on their resources and those of the network, a phenomenon now known as a Denial of Service.
Twenty years ago, the news agencies simply reported that the internet had collapsed. Robert Tappan Morris confessed his guilt and became the first person to be sentenced under the Computer Fraud and Abuse Act. He was sentenced to three years' probation, 400 hours' community service, and a fine of $10,000. Today, aged 42, he is a visiting professor at Massachusetts Institute of Technology (MIT), teaching at the very place where he released the worm into the wild.
Many legends have entwined themselves around the story of the worm, and there are no precise figures for how many computers it actually infected because Morris's worm could not count correctly. The court hearing accepted an estimate that ten per cent of the computers then connected to the Internet, around 6,000 systems, were hit. An expert from the Government Accountability Office assessed the damage caused at $10-100 million, a calculation the court criticised as imprecise. But the worm written by Morris was not the first of its kind. As early as 1979, Xerox researchers were experimenting with worm programs under laboratory conditions. At Christmas 1986, a worm went on the rampage in VNET, IBM's internal computer network. At the time, however, IBM was able to hush up the incident.
That left Morris's worm with the honour of being the first to demonstrate to a broad public how vulnerable computer networks were. It led to the setting up of the Computer Emergency Response Team (CERT) at Carnegie Mellon University. Every major country in the world and many large institutions now have their own CERT.
- The Internet Worm Program: An Analysis, technical analysis of the Morris worm