Wally Bock's Monday Memo
 
 
 
         





Worm, Worm, Go Away

Peter Yee was tall and serious with none of the impish sparkle of his younger brother Tim. Robert Morris was tall and thin and the son of a computer science genius who worked for the National Security Agency. They were both great programmers.

In early November 1988 they were both involved in what was then called The Internet Worm incident. The worm began to appear on November 2. Computers connected to the Internet began to slow down. System administrators soon realized that they were dealing with a program that was spreading through the Net and sending message after message, so many that the network was slowing to a crawl.

At that time Peter Yee was a student at the University of California and working with the system administrators. Around 11:30 PM Pacific Time, Yee sent a message to an electronic mailing list. The message began "We are currently under attack from an Internet virus … " Then he rejoined the others who were working to defeat the "virus."

Actually it wasn't a virus at all. It was the kind of program that computer folks call a worm. Viruses, like their real-life counterparts, are parasites. They have to attach themselves to another program in order to work. Worms, on the other hand, can travel from computer to computer under their own power.

Worms take their name from a science fiction classic called Shockwave Rider by John Brunner. In that book a totalitarian government uses an all-powerful computer network to exercise power. A programmer bent on bringing down the government infests their network with a rogue program called a tapeworm.

The first computer worms were programs written to help make it easier for folks to use computer networks. Researchers at Xerox PARC developed several. One was the "town crier" that went through the network posting notices. Another one was designed to check to see if systems on different computers were working properly. The Internet Worm was very different.

The Internet Worm wasn't destroying files or anything like that, but it was definitely clogging up the system. Within a little more than a day the Worm had shown up in 6000 computers or about 10 percent of the total number of Internet hosts at the time. It was the top news on TV and in the newspaper.

Robert Morris missed a lot of that news. He was studying and, besides, he didn't have a television. So he didn't know that the program he had created had just about brought the Internet to its knees.

In the fall of 1988 Robert Morris was a graduate student in computer science at Cornell University. He was the son of Bob Morris. Bob Morris was a brilliant mathematician and computer scientist who'd worked at Bell Labs and who, in November 1988, worked for the National Security Agency.

Robert had written the program that became The Internet Worm as a way to check the security of a computer network. He even thought it would be the basis of his dissertation. He activated a trial version of the program on the evening of November 2 and headed off to dinner.

When he came back to his workstation to check on his program's progress the workstation and the network wouldn't respond. His program had clogged the system at Cornell and was working its way around the Internet.

It was a very different, clubbier time on the Net. John Markoff, the New York Times reporter who covered the Internet Worm story, got hold of the user identification "rtm". He was able to use an Internet white page directory to identify Robert Morris as the owner.

At Morris' trial the defense pleaded the innocent nature of what Morris did. The results were pretty catastrophic, but it was all the result of an accident, an honest mistake in how he wrote his program and how he judged its capabilities. After all, the defense said, he hadn't infected any government or financial systems.

Things were very different last Saturday.

I stood at the ATM and waited. The message on the screen said, "Please wait." So I did, for much longer than usual. Then, inexplicably, the ATM disgorged my card with no further message. I tried again. Insert card. Key in code. "Please wait." After over a minute the machine whirred and spit my card out of its slot.

I didn't know it then, but my experience was being repeated by people all over the United States. Some were unluckier. They didn't get their cards back from the ATM machines that had always worked so well before.

Bank of America, Canadian Imperial Bank of Commerce and others who haven't "fessed up" had their ATM networks go inoperable for the better part of Saturday. Some travel reservation systems shut down. Some telephone information systems quit working. In some places 911 operators went to manual procedures as their system response slowed down.

This was an international phenomenon. The Internet Worm had mostly hit computer networks in the US because in 1988 that was where most of the Internet-connected computers were. This attack hit networks all over the world. In South Korea, one of the most wired countries in the world, basic Internet service was virtually unavailable for most of Saturday.

Last weekend the "SQL Slammer" attacked computers attached to the Internet that use Microsoft's SQL Server 2000 and computer applications created with something called the Microsoft SQL Server 2000 Desktop Engine. Those computers started sending messages across the Net until the Net began to choke on the amount of traffic.

That meant that any system that got data feeds from the Net had to slow down. So computers and systems that were not actually infected with the "SQL Slammer" worm still were affected. In all about 250,000 computers were infected in a very short time. Far more simply slowed down because they couldn't get their usual flow of data from the Internet.

We're starting to get used to this kind of thing. Morris' program was called THE Internet Worm. This one was named after the kinds of machines and software that were vulnerable. Another attack hit the net back in July 2001 and attacked 350,000 computers. It was called "Code Red."

That name came from an especially caffeinated version of Mountain Dew that programmers guzzled late into the night as they figured out how to deal with the program's attacks. They were aided by programmers from Emergency Response Teams that didn't exist in 1988. There was also help from computer security consulting firms.

Back in 1988 it took a while for network administrators to even figure out what was happening to them. This time the signs were pretty well known. In 1988 the programmers virtually cobbled together a description of the problem and then a solution. This time the solution had been ready for months.

Back in July Microsoft came out with a patch to fix the security problem with its SQL servers and software. The computers that were hit this last weekend hadn't installed it. The big question is, "Why not?"

There are lots of reasons. For one thing, in case you haven't noticed, most system administrators are human beings. That means they do the kinds of things human beings do and suffer from the same kinds of foibles.

This fix suffered from two problems. First, it was relatively boring work. Most administrators also know that fixes need to be reviewed to see if they're going to make changes to their system that affect how other programs work. System administrators don't like boring work any more than other people.

In addition, installing the Microsoft patch was seemingly less urgent than lots of other things commanding the administrator's attention. Lots of administrators probably put the fix in the "Someday" file and went on fighting administrative fires.

In the case of the SQL Server patch this was aggravated by another fact. This fix required whoever was doing the job to change the code in several files by hand. That's even more boring than usual.

This is a human problem with human impacts. It took a human being to decide to launch a rogue program onto the net. It affected systems in the care of other humans, many of them overloaded with projects and understaffed. The results affected people standing at ATMs, trying to send email, and doing dozens of other things that we rarely think of as connected to the Internet.

If you're looking for a workable solution to this, look for one that takes account of human nature. Fixes for computer security problems need to be as easy to install as possible. They have to come to the attention of folks who have the time, or are given the time by their bosses, to install the fix.

We won't get rid of hackers and other folks with malicious intent. They'll always be with us. We won't get rid of mistakes that have giant consequences, like Robert Morris’ Internet Worm. But, thankfully, we have hundreds of folks like Peter Yee out there working on security and solutions.

Created/Revised/Reviewed: 27 January 2003

RESOURCES

There are tons of firms out there right now touting their Internet security services. You can find them for yourself with a search on just about any search engine. For background on The Internet Worms and hackers in general, I suggest three books.

Cyberpunk: Outlaws and Hackers on the Computer Frontier by Katie Hafner and John Markoff is a lucid and well-researched work that does a great job of dealing with personalities. You'll find a lot here on Kevin Mitnick and on Robert Morris including what's probably the most comprehensive telling of The Internet Worm story.

Hacker Crackdown is by Bruce Sterling. Sterling is one of the best writers I know and he's acquainted with the hacker subculture through personal experience. It's great on issues even though some of the technical stuff is a little dated now.

Cuckoo's Egg by Clifford Stoll is a good read about an astronomer's (Stoll's) pursuit of a hacker through the net, across continents and in spite of the law enforcement establishment.

Murder mysteries are finally dealing with the Net as part of their plots in a somewhat realistic way. Jeffrey Deaver is a great writer who has written one of the best of these. The book is called The Blue Nowhere. If you've read Deaver, you know that nobody does surprise plot twists any better.

You may reprint or repost this article providing that the following conditions are met:

  • The article remains essentially unaltered.
  • Wally Bock is shown as the author.
  • The notice Copyright 2003 by Wally Bock or similar appears on the article.
  • Contact information for Wally is included with the article. You may refer readers to this Web site as a way to meet this requirement, or refer them to this site or use the information on our contact page.

Any other reprinting or reposting requires specific permission which is almost always granted.

 

 

© 2003 Wally Bock.