The 'Security Digest' Archives (TM)


Phage List

Overview:

Name: Phage List
Paternity: Gene Spafford
Propriety: Gene Spafford (3 November 1988 - 24 May 1989)
Spatiality: Department of Computer Sciences, Purdue University (West Lafayette, Indiana, USA); ARPANET
Temporality: 3 November 1988 - 24 May 1989
Constituency: Approximately 128 (max) posters, >160 (max) readers, 387 (4 missing, 29 context : 412 presently) archives, containing 387 items of mail, 14530 lines of text, for 558k size
Notable participants: Gene Spafford; Vint Cerf; Douglas Comer; Matt Bishop; Steven Bellovin; Theodore Ts'o
Notable occurrences: Gene Spafford created the mailing list alias at Steven Bellovin's suggestion;
Peter Denning was asked, and provided opinion on, the ACM policy 'with respect to controversial information relative to security';
The list intersected with tcp-ip, Zardoz 'Security Digest', and the Unix 'Security Mailing List'
Artifacts: Archives (missing 4); USENET postings (complete); Founder correspondence (complete); Participant perspectives (incomplete); Additional resources (complete)

Summary:

Gene Spafford began the Phage List on 3rd November 1988 as a forum for communication during the Robert T. Morris worm emergency, and though largely a relic by January 1989, its last message is dated 24th May 1989. The list operated out of Purdue University. Initially concerned with identifying and eradicating the worm, the list turned to reflect and consider broader issues in computer security, including methods of disclosure and responsible release of source code. The list had a short life, and after the incident, it quickly retired to become a conduit for follow-up announcements. Participants included Gene Spafford, Dennis Ritchie, Neil Gorsuch, Douglas Comer, Keith Bostic, Matt Bishop, Paul Vixie, and Theodore Ts'o. An approximate count shows the list having over 160 readers, and 128 posters, for a total of 387 messages (plus 4 unaccounted for), comprising 14530 lines and 558 kilobytes.

Description:

INTRODUCTION

The following annotation of the Phage List is concerned with the role that the list played in the resolution of the Morris worm emergency. For more comprehensive details about the incident itself, refer to the original papers by Spafford [RESOURCE-WORM_TR_SPAF], Reynolds [RESOURCE-RFC_1135], and Eichin & Rochlis [RESOURCE-WORM_TR_ROCHLIS]. Spafford's 10 year [RESOURCE-WORM_TR_10YEARS] and 15 year [RESOURCE-WORM_TR_15YEARS] anniversary works must also be considered.

THE INCIDENT BEGINS

The Robert T. Morris worm (often referred to as "The Internet Worm") began its life in the early evening of 2nd November 1988 [RESOURCE-WORM_TR_SPAF]. Early messages about the existence of the worm include those by Peter Yee at 02:45EST [ARCHIVE-383] and "foo@bar.arpa" (later revealed to be Andy Sudduth) at 03:34EST [ARCHIVE-410]. At 05:58EST, Keith Bostic posted a patch to USENET, and at 08:18EST this patch was forwarded by Gene Spafford to a number of "friendly" recipients (including Neil Gorsuch, Andrew Burt, Paul Vixie, etc) with the subject "Virus alert!" [ARCHIVE-000].

Later that morning at 10:36EST -- now the day after the worm had been released -- Gene sent another message with "More on the virus", including an early modus operandi [ARCHIVE-001]. By mid afternoon at 14:50EST, there was "Yet more on the virus" [ARCHIVE-002] and a "closed" discussion continued into the night [ARCHIVE-004] [ARCHIVE-006] [ARCHIVE-005] [ARCHIVE-009] [ARCHIVE-008]. By now, the incident had reached radio and TV [ARCHIVE-007], and a network management bulletin had been issued at 17:32EST [ARCHIVE-383]. Discussions were active on USENET [USENET-1988-11-03].

THE LIST IS CREATED

The first signs of the Phage List are found in the evening of the 3rd November 1988 at 21:20EST. In a message by Gene Spafford [ARCHIVE-013], with subject "A worm 'condom' enclosed.", he wrote:

First, I have created (at Steve Bellovin's suggestion) a mailing alias at arthur.cs.purdue.edu named "phage." You are all on it, unless you ask to be removed. I will also add other names if you ask.

The message also offered more detail about the worm, including its mode of operation, first hand experience of its infection, and an early cure.

It was clear that the Phage List was to become a communication forum for helping participants resolve the emergency. Afterwards, Mark Eichin and Jon Rochlis were to write [RESOURCE-WORM_TR_ROCHLIS] that

It included all the people [Gene Spafford] had been mailing virus information to since the morning; more people were to be added during the next few days. This list proved invaluable, since it seemed to have many of the 'right' people on it and seemed to work in near real time despite all the network outages.

In the evening, Douglas Comer thought to ask about the pronunciation of "phage" [ARCHIVE-384], to which Gene and others replied [ARCHIVE-385] [ARCHIVE-390]. The word "phage" had been used before, but the Morris worm would become "the first example" of one as the term was originally defined [USENET-2000-12-17]. Clarifying the terminology was an important aspect of later technical reports [RESOURCE-WORM_TR_SPAF], and of disputes over the correctness of the media coverage.

THE INCIDENT UNFOLDS AND IS INCREASINGLY UNDERSTOOD

In the hours leading up to midnight in the evening of the day after the worm had been released, the list saw a stream of messages about existing cures [ARCHIVE-016], new cures [ARCHIVE-015] [ARCHIVE-017] [ARCHIVE-018], faulty cures [ARCHIVE-019] [ARCHIVE-021], impending cures [ARCHIVE-020] and worm traps [ARCHIVE-389]. Interleaved with this were further details of the worm's nature [ARCHIVE-022] or reports of the worm's progress [ARCHIVE-024].

Early in the morning at 03:51EST, Greg Skinner referred to the central role being played by the list [ARCHIVE-386]:

From the looks of the list contents and participants, the virus is pretty widespread and not quite yet under control. Does anyone have a feel for how much actual damage has been done to sites, how many sites have disconnected from the net, how much service has been disrupted, how upset or angry DCA/DARPA is, and who are the perpetrators? Aside from this list, I haven't been able to find out much about what has happened. I expected tcp-ip to be full of messages about it, but it wasn't. I didn't know whether or not that was because no one was taking much of an interest in the problem, or that most everyone has signed off the net until the virus is under control.

As the morning rolled in -- a continuation of the previous day for some [ARCHIVE-389] -- details arrived about "External Exposure of [the] problem" [ARCHIVE-388] referring to reports in radio and print media. This sparked a number of follow up messages about other news reports [ARCHIVE-023] [ARCHIVE-025]. It was disturbing to find that despite these very high profile external reports, Greg Skinner maintained that "Aside from this list, I still have not heard much about the virus or its ramifications." [ARCHIVE-028].

THE INCIDENT IS UNDERSTOOD AND INCREASINGLY CONTAINED

The worm was still in the process of being contained, yet a reflective nature was entering the discussions. Mark Verber suggested that the "Security Mailing List" that "died about a year ago due primarily to inactivity" should return but with a number of changes [ARCHIVE-108]. Matt Crawford expressed annoyance at "unneighborly" sites where information was "being hoarded" [ARCHIVE-027], and continued the debate over the return of the security list [ARCHIVE-393], as did others [ARCHIVE-037].

It was now the morning of Friday 4th November 1988; some 36 hours after the worm had been discovered. The list had allowed participants to exchange information about the incident itself, and to collaborate in their attempts to manage the incident. Discussions continued during the day [ARCHIVE-029] [ARCHIVE-030] [ARCHIVE-031] [ARCHIVE-033], and included systems administrators asking their peers about how to make their systems safe [ARCHIVE-034] [ARCHIVE-032] [ARCHIVE-038].

At 14:32EST that Friday, Rich Kulawiec provided a comprehensive summary of "Steps in the virus, as best we know them (and fixes)" [ARCHIVE-035], indicating that considerable progress was being made. In response to this, Theodore Ts'o described activity that had started the previous night at MIT to disassemble the code and had "succeeded this morning" [ARCHIVE-041]. Theodore also pointed out "a few 'fixes' and descriptions that have been floating around this list, which appear to be not fully correct" [ARCHIVE-042]. The sensitive nature of the material on the list was reflected in Martha Rose's comment that "Given the kinds of info going around here, I agree with the suggestions that aliases such as 'postmaster' be phased out..." [ARCHIVE-039].

The first part of the worm's source code arrived on the list at 17:11EST on Friday afternoon [ARCHIVE-182], having resulted from work by Don Becker that had been distributed to another list at MIT at 12:11EST earlier in the day. After a trickle of messages, it was becoming clearer by the evening that the worm was increasingly being brought under control: "a number of sites have fixed ftpd locally and have unofficially distributed the fixed server to sites without source" [ARCHIVE-397]. A message from Keith Bostic at 17:20EST [ARCHIVE-044] provided a fourth and "hopefully the final posting [...] regarding the worm that was released onto the Internet" with more patches. However, "general network connectivity [was] still bad" [ARCHIVE-394]: either a result of the worm itself or networks that had been intentionally disconnected.

THE INCIDENT IS INCREASINGLY CONTAINED

At 01:47EST in the morning on Saturday 5th November, it was brought to the list's attention that the "culprit [had been] identified": the worm originated from Cornell and the perpetrator was a Robert Morse [sic] Jr whose father was "apparently head of the National Computer Security Center" [ARCHIVE-047]. Almost immediately, a CNN report with further detail was forwarded to the list [ARCHIVE-077].

Traffic on the list was slow on Saturday morning -- perhaps many were recovering from the last few late nights. Steven Miller asked whether "MIT and perhaps others" could make the disassembled virus objects available [ARCHIVE-048]. Others were interested in the source code [ARCHIVE-053], and while musing over issues, Theodore Ts'o referred to the nature of the list [ARCHIVE-400], and raised issues about how "safe" it was:

One thing about this list: it was assembled hastily for an emergency purpose. Great thanks to Gene Spafford for creating it! As an emergency list, however, it has a large number of bad addresses on it (or shutdown mailers :-) At some point, we should retire this list, and re-create the security mailing list. While people may agree or disagree about whether the security list should be ``secure'' (and please let's not rehash all of this again here), we should remember that this list is _not_ secure. Not that this was a problem, since the more information that could be distributed on the virus, the better. But some people may disagree about whether this is appropriate for general security discussions.

By Saturday afternoon, volume on the list was increasing. Keith Bostic's message stating that MIT would "not make [the disassembled virus objects] available to ANYBODY" [ARCHIVE-050] kicked off a debate about the merits of disclosing the source. This debate considered the intentions of, and implications for, the worm's author [ARCHIVE-051] [ARCHIVE-052] [ARCHIVE-054] [ARCHIVE-057] [ARCHIVE-055] [ARCHIVE-058] [ARCHIVE-059] [ARCHIVE-060] [ARCHIVE-061] [ARCHIVE-062] [ARCHIVE-073]. Reactions were occasionally strong [ARCHIVE-069] [ARCHIVE-074], and the discussion continued into the night and over the next few days, becoming the largest thread on the list. For the rest of Saturday, apart from that debate, a varied mixture of messages referred to external reporting [ARCHIVE-056] [ARCHIVE-63], further worm details [ARCHIVE-064], cures [ARCHIVE-072], cure corrections [ARCHIVE-066] [ARCHIVE-067] [ARCHIVE-070] [ARCHIVE-071], and anecdotes about the worm's author [ARCHIVE-068].

ATTENTION TURNS TO THE WIDER IMPLICATIONS OF THE INCIDENT

The focus was turning away to broader issues. That Sunday the 6th November 1988, Phil Karn remarked elsewhere: "Now that we have a pretty good idea who wrote the virus and what his intentions were, I would like to suggest something he might do that would go a long way toward mitigating the damage he has done." [USENET-1988-11-06]. The next day, it was apparent to Phil that "After I posted my note, I discovered that the phage mailing list has had a raging debate about precisely this point." [USENET-1988-11-07]. It would seem that USENET was not host to debate about meta-issues, but the Phage list was the place to be.

Sunday saw a brief response by Douglas Comer on virus litigation [ARCHIVE-078]. The discussion about making the disassembly available continued [ARCHIVE-079], and suggestions for dealing with the media in reporting of the incident were proposed [ARCHIVE-080] [ARCHIVE-081] [ARCHIVE-161] [ARCHIVE-082] [ARCHIVE-132] [ARCHIVE-084]. There was thought given to the need for a security mailing list for "life after worm" [ARCHIVE-083], and in the hours after midnight, Jon Rochlis had begun to analyse the reason why fixes had taken so long, and what knowledge would have helped stop the worm earlier [ARCHIVE-085]. Jon later authored one of the substantial technical reports on the incident [RESOURCE-WORM_TR_ROCHLIS].

In the background, Gene Spafford had returned from a weekend away and was adding new members to the list [ARCHIVE-402] [ARCHIVE-082]. He suggested that "we may want this list to remain around for a few weeks" and enclosed a list of current recipients [ARCHIVE-086]: there were 77 names (some 15 were postmasters or other aliases), including Andrew Burt, Neil Gorsuch, Steven Bellovin, Paul Vixie and Douglas Comer.

That Monday morning -- now the 7th November 1988 -- Dennis Ritchie lent his hand to the debate by discussing issues of responsibility and security [ARCHIVE-089] and this turned into an expansive philosophical discussion [ARCHIVE-092] [ARCHIVE-093] [ARCHIVE-095] [ARCHIVE-097] [ARCHIVE-105] [ARCHIVE-160]. Other utilitarian discussions had also become philosophical [ARCHIVE-096] [ARCHIVE-100] [ARCHIVE-103], and were focusing on issues in computer security itself [ARCHIVE-109] [ARCHIVE-104]: in particular, [ARCHIVE-101] is concerned with responsible disclosure.

These discussions were a distinct shift away from the practical aspects of halting the worm. It was clear that critical aspects of the event were over, and it was time to reflect on the meta-issues. Gene Spafford clarified the terminology by distinguishing the differences between a "worm" and a "virus" by drawing from historical references [ARCHIVE-107] [ARCHIVE-111] [ARCHIVE-231]. Various individuals discussed punishment and implications for the author [ARCHIVE-114] [ARCHIVE-117] [ARCHIVE-118] [ARCHIVE-123] [ARCHIVE-121].

Discussion also focused on misrepresentation of the issues by the media [ARCHIVE-104] [ARCHIVE-106] [ARCHIVE-110] [ARCHIVE-113] [ARCHIVE-119] [ARCHIVE-128] [ARCHIVE-136]: that evening, Bob Page provided an initial 5-page report "to try and set them straight" [ARCHIVE-403]. The worm and its propagation continued to be addressed [ARCHIVE-116] [ARCHIVE-120] [ARCHIVE-122]. Other vulnerabilities were being given attention [ARCHIVE-196] (later taken elsewhere [USENET-1988-11-22]), and testing tools were circulated [ARCHIVE-404]. Debate about whether to publish the source code continued [ARCHIVE-124], and USENIX announced that it would hold a formal session covering worms in February [ARCHIVE-125]. There were further requests to be placed onto the list [ARCHIVE-409].

Monday evening also saw a revived discussion about restarting the Security Mailing List, either in its existing (as previously maintained by Andrew Burt), or new (as suggested by Neil Gorsuch) form [ARCHIVE-406] [ARCHIVE-407] [ARCHIVE-142]. Some of these "meta-issues" were also raised in relation to the Phage List itself [ARCHIVE-143].

Gene Spafford reported on an "Interesting meeting" to occur the following day at the National Computer Security Center, involving "people from MIT, Berkeley, FBI, NSA, and others", that was "to discuss the worm and implications" [ARCHIVE-127]. He asked whether an attendee could provide a summary of the meeting to the list.

By that evening, Gene indicated that there were "a couple hundred names on the list now, a few of which are local aliases for 'postmaster' or 'phage'", and "I hope this list will be unneeded in a few days. The regular security lists should be sufficient to talk about security issues -- I don't intend to administer a closed security mailing list -- I don't have the time or energy." [ARCHIVE-134]

There were a number of messages discussing Robert T. Morris as a person, including references to his previous activities [ARCHIVE-141], support from friends [ARCHIVE-146], and comments from previous peers [ARCHIVE-148].

On the morning of Tuesday 8th November, Mark Verber opened with a treatise on how a new "Security Mailing List" could work [ARCHIVE-151], and John Markoff had reported in the NYT that "release of virus causes soul-searching among computer experts" [ARCHIVE-154]. The posting of several complete copies of media articles resulted in Gene Spafford stating that "this list has two basic topics right now: security and the ethics of the worm problem", and that anybody posting copyrighted material would be removed from the list. Discussion continued on communication with the media [ARCHIVE-164] [ARCHIVE-165] [ARCHIVE-167] and looked at general computer security lessons to be learnt from the incident [ARCHIVE-166] [ARCHIVE-168].

Steven Miller posted a "worm chronology, and some other info" [ARCHIVE-170] and his pivotal points included: the worm first attempts to enter UMD [Nov 2, 10:54PM EST]; Gene Spafford announces the creation of a mailing list [Nov 3, 9:20PM EST]; "From the tone of the discussion, it is clear that the emergency is over" [Nov 5, afternoon and evening EST]; and "the general discussion becomes increasingly fragmented" [Nov 6, evening EST].

Gene Spafford asked about adding John Markoff (a savvy NYT reporter) to the list [ARCHIVE-169]: this request was later rejected by a number of participants. Steven Bellovin clarified Robert T. Morris' activities at Bell Labs [ARCHIVE-177]. Discussions about source availability continued that evening [ARCHIVE-178] [ARCHIVE-181] [ARCHIVE-184] [ARCHIVE-183] [ARCHIVE-185] and early into the morning [ARCHIVE-186] [ARCHIVE-189]. In response to guidelines for better computer program construction, the warning against using "gets()" was highlighted [ARCHIVE-179].

Neil Gorsuch provided detail about the nature of the zardoz security mailing list [ARCHIVE-204]:

[[ I realize that I may be only pointing out the obvious .... There are two security lists currently under discussion and I get the feeling that some people are talking about them as if we're talking about one proposed list. ]] And to even further confuse things, there was another security mailing list on zardoz (cpd.com), already in place and operating slightly before Andrew Burt announced his intended revitalization of the old security mailing list. The zardoz list is intended for any system administrator and is probably not going to have the same level (and dangerous hints) of material posted in the phage mailing list. Certainly no explicit details of breaking security such as a posting of the virus source code.

On Wednesday morning, Pete Cottrell continued the debate on source availability [ARCHIVE-191]. Matt Crawford thought that "it should be published (after about four weeks have elapsed) ..." [ARCHIVE-193], but there were other perspectives, such as needing to know "that most sites have applied suitable patches" [ARCHIVE-195]. For other security holes, some needed to understand "detailed instructions for exploiting this hole ... to be able to verify that [we] have the problem ... before [we] are willing to fix things" [ARCHIVE-197].

Elsewhere, Peter Denning had been asked about his opinion of distributing the worm source code, and provided an enlightened reply [ARCHIVE-203]: the ACM policy on "controversial information relative to security" was "simple", and saw the balance between the "short term" risk and "long term" gain. For others, this abstraction had a concrete reality [ARCHIVE-210]:

ps. the more I read this list, the more concerned I am about network security. rtm's worm exploited what I assume is the first of multiple gaping and not-so-gaping holes in unix security. I fear that the academic/research community will, in fixing these problems, endanger the actual security of business installations who are dependent on the good business sense of their vendors to provide timely upgrades.

What limited code had already been made available was in the process of being removed with an iron fist by government agencies. Jeff Smith described his experience [ARCHIVE-211], followed by Gene Spafford [ARCHIVE-217]. In Gene's case, the NCSC first phoned him, and then took the issue to the president of the University, who had "leaned on someone else", then they phoned Gene back only to find out that the source had been in circulation since noon on Friday anyway. Gene was concerned enough to discuss and consider his legal position, and to reassure that he would not reveal the names of list participants, even though it may ultimately be out of his hands. The NCSC "also said they were going to lean *very* heavily on the computer companies to provide security upgrades in a very timely fashion". Later, Mark Eichin calmed down most of these concerns [ARCHIVE-228]. An enlightened treatment on this was given by Theodore Ts'o in the subsequent issue of RISKS [USENET-1988-11-16].

A request was made for reports of affected sites as part of a census call [ARCHIVE-218], and Gene Spafford asked for participants to help him coordinate "a global history of how this thing hit and how we beat it" [ARCHIVE-222]. It was revealed that as a result of actual counting, the Internet then had about 60,000 hosts [ARCHIVE-223]. Eventually, Gene authored one of the major technical reports on the incident [RESOURCE-WORM_TR_SPAF].

On Thursday, Andrew Burt announced that "Neil Gorsuch, Mark Verber and I are in the process of deciding which of the multitude of lists should be kept around ...", but the details of his views were elsewhere [ARCHIVE-233]. Incidentally, Martha Rose had uncovered "Internet time" [ARCHIVE-243].

Near to midnight that Thursday, Gene Spafford announced that "the phage list will now go on a temporary hiatus" as it needed some fixing [ARCHIVE-238]. There was continued interest in joining the list across Friday [ARCHIVE-239]. On Sunday, the "Phage Mailing list [was] Coming Back" [ARCHIVE-242]. Gene became the list moderator to "improve the signal-to-noise ratio", and clarified appropriate and non-appropriate topics. The list had "160+ recipients", eventually reaching more than 300 recipients [RESOURCE-WORM_TR_SPAF].

In the meantime, Gene Spafford had also forwarded John Nagle's password checker from comp.sources.unix [ARCHIVE-240], and others had verified that "UUCP *can* propagate the Worm": details about fixes and a code patch were supplied [ARCHIVE-246]. Dennis Ritchie wrote that "those interested in earlier works of Robert T. Morris, or interested in network security in general, might wish to read" Robert's AT&T Technical Report on a weakness in 4.2BSD Unix [ARCHIVE-247].

CONTINUING THE FOCUS ON WIDER IMPLICATIONS

In the week beginning Monday 14th November 1988, the traffic levels on the list were declining. Conversation was rambling over various topics, including an FBI request for information [ARCHIVE-250], discussion on better mail program design [ARCHIVE-251], program bug hunting and configuration issues [ARCHIVE-254] [ARCHIVE-259] [ARCHIVE-260], follow-up media reports [ARCHIVE-255] [ARCHIVE-258] [ARCHIVE-273], follow-up academic/community activities [ARCHIVE-257] [ARCHIVE-261], humour [ARCHIVE-279], and an announcement by Gene Spafford about the impending availability of his technical report [ARCHIVE-268].

A number of more general security "holes" were also uncovered [ARCHIVE-277], and security aspects of UNIX systems were debated [ARCHIVE-283] [ARCHIVE-286]. Keith Bostic attempted to cap a number of these discussions in the following week with the suggestion that "UNIX is neither more or less secure than any other general purpose operating system I'm aware of" [ARCHIVE-292] [USENET-1988-11-21] [ARCHIVE-411]. A UNIX vendor offered an insider's perspective [ARCHIVE-291].

On Wednesday 23rd November 1988, Gene Spafford took to reining in the scope of the list [ARCHIVE-294] by stating that

From here the view is that this list isn't for posting anything about security flaws in programs unless a simple fix accompanies it. I really don't want this to turn into a security mailing list...we've got enough of those already. This list is going to wind down and go away before too long if that is what it becomes. The reason I'm keeping this list at all is to try to talk about some of the meta-issues: what steps do we take to prevent the next worm? What reactions are companies having to all this? Etc.

He then referred to his message of the previous week [ARCHIVE-242] and restated what topics were appropriate or not.

On the following Saturday, Gene Spafford again addressed "This group" [ARCHIVE-301], and made reference to the availability of other more suitable lists for general computer security topics:

Andrew Burt has started to mail things out to his list, and the security list at zardoz seems to be alive and well. Specific security holes and fixes should be addressed to those lists in the future. If you aren't subscribed to those lists, you should consider doing so (could the moderators of those two lists post something to this list on how people can join?).

In the following week, Neil Gorsuch responded with instructions for joining "the zardoz security mailing list" [ARCHIVE-306].

Gene Spafford's "tech report on the Internet Worm" was "finally finished" and announced on Monday 28th November 1988 [ARCHIVE-304]. The list also carried various follow-ups about "security hassles" in the aftermath of the incident [ARCHIVE-308] [ARCHIVE-315].

On Friday 2nd December 1988, the list was the proud recipient of a message from Russell Brand with the news of CERT's birth [ARCHIVE-320]. It had been established by ARPA as "a computer emergency response team" with a twenty-four hour number. They were to be "the people to call" when "bad things happen", and there were initially six people involved [ARCHIVE-325]. It was already clear that the incident was a catalyst for the growth of the field of computer security.

Otherwise, the occasional sendmail "nasty" was found [ARCHIVE-324]. There was news about Robert T. Morris's prosecution [ARCHIVE-321], and a clarification by Gene Spafford on the motivation for a suit against Robert T. Morris [ARCHIVE-326]. Gene also posted a "Security checklist" [ARCHIVE-327], and Russell Brand detailed an incident at LLNL [ARCHIVE-332]. Not making the source public remained a contentious issue of debate [ARCHIVE-330] [ARCHIVE-336], with the acknowledgement by Bob Page [ARCHIVE-337] that:

we now know that many "cracker groups" have the source code to the Worm. I'm sure a half dozen folks within ULowell already have access to the code. It upsets me that I have to go to these groups to get the code rather than more legitimate channels. It should not be harder for people with white hats to get the code.

This bothered others [ARCHIVE-345].

Although the incident was over and traffic on the list was waning, it was clear that the impact of the incident had yet to subside entirely as "the flood [of mail messages hadn't] abated just yet" [ARCHIVE-334]. The list continued to discuss various sendmail and ftp issues [ARCHIVE-352].

On 6th December 1988, Gene restated the purpose of the list [ARCHIVE-342]:

Mel Pleasant pointed out that I stated some time ago that this list was not intended to be an ongoing thing. It is still my intent that once the Internet seems stable again, and once the security mailing lists crank up (I'm supposed to be on both lists and have only seen 2 postings from the isis list so far), then this list will probably die out. In the meantime, let me encourage you to join the security lists and help them get going with appropriate postings. If you want to drop out of this list, please send me mail and say so. ... In the meantime, there are many topics that we could discuss, but aren't. There are the breakins at Mitre. There are the breakins at LLNL. There were the breakins and shut-down of the DEC NE network over Thanksgiving. There is the formation of the CERT.

By the 8th December 1988, CERT was already playing an active role, with a "Stock message" forwarded to the list suggesting a number of actions to help secure systems against "several problems or attacks which have occurred in the past few weeks" [ARCHIVE-353]. A reworked version was distributed for review later [ARCHIVE-358] because CERT "need[s] to be sure [that it is] accurately representing the best information." On 10th December 1988, an announcement was made about the "Three Internet worm reports available via FTP" [ARCHIVE-357], followed by an update to Gene's paper [ARCHIVE-356] [ARCHIVE-359]. This clearly signaled that not only was the incident itself over, but it had been thoroughly analysed and scrutinised. On the other hand, it was a sign that there was considerable work to be done at a broader level.

THE LIST BECOMES A LEGACY

From this point onwards, some six weeks after its birth, the list became a legacy, consigned to carry the lingering after-effects of the incident. The volume of traffic was very low.

There were no further messages in December 1988, but this may have been the result of technical problems or a focus elsewhere [USENET-1988-12-25].

January 1989 saw a few sporadic messages on topics such as the availability of sendmail [ARCHIVE-361], vulnerability in Yellow Pages [ARCHIVE-362], requests for historical information about viruses [ARCHIVE-366], and an announcement about the "first public release of the Kerberos Authentication System" [ARCHIVE-367].

In February came details about Robert T. Morris' trial [ARCHIVE-368] and a new MIT paper on the incident [ARCHIVE-371]. More UNIX bugs had been found [ARCHIVE-372].

During March, a request was made by the Justice Dept. It wanted "to hear from system admins who had machines infected" [ARCHIVE-373].

In April, reports of an investigation into the incident by the "Cornell University Commission" arrived [ARCHIVE-377] [ARCHIVE-376]. A "security hole in 386i login" had been found [ARCHIVE-378].

In May, Eliot Lear summarised "Cliff Stoll on the Virus", as Cliff had "appeared in front of the Senate Judiciary committee yesterday to testify on the Internet Worm incident" [ARCHIVE-381]. On 24th May 1989, Vint Cerf questioned some of these conclusions [ARCHIVE-382], and wondered whether Cliff would clarify to the list. No clarification was forthcoming: in fact, this was the last message on the list.

Archives:

'Archive' (03/11/1988 - 24/05/1989, 412 items):
Thread listing 173 unique threads
Date listing 55 unique days, 7 unique months
Author listing 127 unique authors

Resources:

'Usenet':
1988-11-06: Re: The virus
1988-11-07: Re: The virus
1988-11-16: RISKS DIGEST 7.79
1988-11-21: UNIX security
1988-11-22: yet another security hole in ftpd
1988-12-25: Re: DECNET Virus (sorry)
1990-05-16: Possible Anti-Virus Legislation
1991-08-06: Computer Insecurity Terminology
1993-04-08: Re: Info needed on Robert Morris Jr.
2000-12-17: Re: early use of ``virus''
'Resources':
IETF RFC 1135: The Helminthiasis of the Internet
<< Joyce Reynolds (Information Sciences Institute). December 1989 >>

An overview of the incident, including a detailed review of the four major publications that describe the incident, and an extensive bibliography.

A Tour of the Worm
<< Donn Seeley (Department of Computer Science, University of Utah). 1989 >>

Another description of the worm and its effect.

The Cornell commission: on Morris and the worm
<< Eisenberg et al. (Communications of the ACM 32, 6, pp 706-709). June 1989 >>

Findings resulting from Cornell's investigation into Robert T. Morris and the worm incident.

The Internet Worm Incident
<< Gene Spafford (Technical Report CSD-TR-933, Purdue University). September 1991 >>

A detailed treatment of the entire incident, including code analysis, chronology, background detail and view of the aftermath.

The Internet Worm Program: An Analysis
<< Gene Spafford (Technical Report CSD-TR-823, Purdue University). December 1988 >>

A detailed analysis of the construction and operation of the worm program, based upon two independent reverse-compilations.

The Internet Worm: Crisis and Aftermath
<< Gene Spafford (Communications of the ACM 32, 6, pp 678-687). June 1989 >>

A brief version of Spafford's Technical Report, addressed less technically.

With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
<< Mark Eichin & Jon Rochlis (Massachusetts Institute of Technology). November 1988 >>

A detailed paper of the incident from the perspective of MIT.

Morris Worm FAQ at the CERIAS Security Archive
<< Gene Spafford (CERIAS, Purdue University). February 1996 >>

A very short FAQ covering the key materials that relate to the incident.

Bugtraq request for 'Internet worm source code'
<< Gene Spafford (Bugtraq mailing list, no. 237). October 1994 >>

A summary mailing list post for references to materials that relate to the incident.

Gene Spafford: Homepage
<< Gene Spafford (CERIAS, Purdue University) >>

Homepage of one of the key participants in the incident, responsible for establishing the mailing list, assisting cleanup coordination, and producing post-mortem material.

The Internet Worm + 10 Years: Lessons Learned and Not Learned
<< Gene Spafford (CERIAS, Purdue University). November 1998 >>

A perspective from 10 years after the event.

A Failure to Learn from the Past
<< Gene Spafford (CERIAS, Purdue University). 2003 >>

A look back at the event, coupled with consideration for lessons not learnt in the intervening 15 years.

Eaten by the Worms: The perils of network hostile code
<< Neil Barrett (IRM, Hong Kong). September 2001 >>

Overview of the history and development of worms including Morris and beyond, to cover risks and countermeasures involved.

The Future of Internet Worms
<< Jose Nazario, et al (Crimelabs research). July 2001 >>

An analysis of the basic components of a worm, including a look back to a number of incidents (including the Morris Worm), and a look forward with discussion about coping with future worms.

The SecurityWatch Glossary
<< securitywatch.com. 2001 >>

The glossary provides terminology for 'phage', 'worm', 'virus' and so forth.

The Jargon File (aka. The New Hacker's Dictionary)
<< Eric S. Raymond (ed.) >>

The definitions include direct references to the Morris Worm and Internet incidents.

'Mirrors':
Morris Worm at the CERIAS Security Archive (ftp.cerias.purdue.edu/pub/doc/morris_worm)
<< CERIAS Group (CERIAS, Purdue University) >>

A collection of resources, including papers, court records and newsgroup posts that relate to the incident.