ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #376 [a nice summary of the Cornell report] (1 message, 4457 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
To: [not phage]
Date: Sun 17:19:16 09/04/1989 EST
Subject: a nice summary of the Cornell report
References: [Thread Prev: 375] [Thread Next: 377] [Message Prev: 377] [Message Next: 378]
Summary by Manny Farber <G47Y@cornella.cit.cornell.edu>

The Cornell Chronicle is the Administration's organ. As such, their coverage of the Bob Morris report may be relatively one-sided, but since they got the report in advance, they summarized it. I'll put the last paragraph right here:

Copies of the report are available from the Office of the Vice President for Information Technologies, 308 Day Hall, [area code 607] 255-3324.

CORNELL PANEL CONCLUDES MORRIS RESPONSIBLE FOR COMPUTER WORM
(By Dennis Meredith, Cornell Chronicle, 4/6/89)

Graduate student Robert Tappan Morris Jr., working alone, created and spread the "worm" computer program that infected computers nationwide last November, concluded an internal investigative commission appointed by Provost Robert Barker.

The commission said the program was not technically a "virus"--a program that inserts itself into a host program to propagate--as it has been referred to in popular reports. The commission described the program as a "worm," an independent program that propagates itself throughout a computer system.

In its report, "The Computer Worm," the commission termed Morris's behavior "a juvenile act that ignored the clear potential consequences." This failure constituted "reckless disregard of those probable consequences," the commission stated.

Barker, who had delayed release of the report for six weeks at the request of both federal prosecutors and Morris's defense attorney, said, "We feel an overriding obligation to our colleagues and to the public to reveal what we know about this profoundly disturbing incident."

The commission had sought to determine the involvement of Morris or other members of the Cornell community in the worm attack. It also studied the motivation and ethical issues underlying the release of the worm. Evidence was gathered by interviewing Cornell faculty, staff, and graduate students and staff and former students at Harvard University, where Morris had done undergraduate work.

Morris declined to be interviewed on advice of counsel. Morris had requested and has received a leave of absence from Cornell, and the university is prohibited by federal law from commenting further on his status as a student.

The commission also was unable to reach Paul Graham, a Harvard graduate student who knew Morris well. Morris reportedly contacted Graham on Nov. 2, the day the worm was released, and several times before and after that.

Relying on files from Morris's computer account, Cornell Computer Science Department documents, telephone records, media reports, and technical reports from other universities, the commission found that:

- Morris violated the Computer Sciences Department's expressed policies against computer abuse. Although he apparently chose not to attend orientation meetings at which the policies were explained, Morris had been given a copy of them. Also, Cornell's policies are similar to those at Harvard, with which he should have been familiar.

- No member of the Cornell community knew Morris was working on the worm. Although he had discussed computer security with fellow graduate students, he did not confide his plans to them. Cornell first became aware of Morris's involvement through a telephone call from the Washington Post to the science editor at Cornell's News Service.

- Morris made only minimal efforts to halt the worm once it had propagated, and did not inform any person in a position of responsibility about the existence or content of the worm.

- Morris probably did not intend for the worm to destroy data or files, but he probably did intend for it to spread widely. There is no evidence that he intended for the worm to replicate uncontrollably.

- Media reports that 6,000 computers had been infected were based on an initial rough estimate that could not be confirmed. "The total number of affected computers was surely in the thousands," the commission concluded.

- A computer security industry association's estimate that the worm caused about $96 million in damage is "grossly exaggerated" and "self-serving."

- Although it was technically sophisticated, "the worm could have been created by many students, graduate or undergraduate ... particularly if forearmed with knowledge of the security flaws exploited or of similar flaws."

The commission was led by Cornell's vice president for information technologies, M. Stuart Lynn. Other members were law professor Theodore Eisenberg, computer science Professor David Gries, engineering and computer science Professor Juris Hartmanis, physics professor Donald Holcomb, and Associate University Counsel Thomas Santoro.

Release of the worm was not "an heroic event that pointed up the weaknesses of operating systems," the report said. "The fact that UNIX ... has many security flaws has been generally well known, as indeed are the potential dangers of viruses and worms."

The worm attacked only computers that were attached to Internet, a national research computer network, and that used certain versions of the UNIX operating system. An operating system is the basic program that controls the operation of a computer.

"It is no act of genius or heroism to exploit such weaknesses," the commission said.

The commission also did not accept arguments that one intended benefit of the worm was a heightened public awareness of computer security. "This was an accidental byproduct of the event and the resulting display of media interest," the report asserted. "Society does not condone burglary on the grounds that it heightens concern about safety and security."

In characterizing the action, the commission said, "It may simply have been the unfocused intellectual meanderings of a hacker completely absorbed with his creation and unharnessed by considerations of explicit purpose or potential effect."

Because the commission was unable to contact Graham, it could not determine whether Graham discussed the worm with Morris when Morris visited Harvard about two weeks before the worm was launched. "It would be interesting to know, for example, to what Graham was referring to in an Oct. 26 electronic mail message to Morris when he inquired as to whether there was 'Any news on the brilliant project?'" said the report.

Many in the computer science community seem to favor disciplinary measures for Morris, the commission reported. "However, the general sentiment also seems to be prevalent that such disciplinary measures should allow for redemption and as such not be so harsh as to permanently damage the perpetrator's career," the report said. The commission emphasized that this conclusion was only an impression from its investigations and not the result of a systematic poll of computer scientists.

"Although the act was reckless and impetuous, it appears to have been an uncharacteristic act for Morris" because of his past efforts at Harvard and elsewhere to improve computer security, the commission report said.

Of the need for increased security on research computers, the commission wrote, "A community of scholars should not have to build walls as high as the sky to protect a reasonable expectation of privacy, particularly when such walls will equally impede the free flow of information."

The trust between scholars has yielded benefits to computer science and to the world at large, the commission report pointed out. "Violations of that trust cannot be condoned. Even if there are unintended side benefits, which is arguable, there is a greater loss to the community as a whole."

The commission did not suggest any specific changes in the policies of the Cornell Department of Computer Science and noted that policies against computer abuse are in place for centralized computer facilities. However, the commission urged the appointment of a committee to develop a university-wide policy on computer abuse that would recognize the pervasive use of computers distributed throughout the campus.

The commission also noted the "ambivalent attitude towards reporting UNIX security flaws" among universities and commercial vendors. While some computer users advocate reporting flaws, others worry that such information might highlight the vulnerability of the system. "Morris explored UNIX security amid this atmosphere of uncertainty, where there were no clear ground rules and where his peers and mentors gave no clear guidance," the report said. "It is hard to fault him for not reporting flaws that he discovered. From his viewpoint, that may have been the most responsible course of action, and one that was supported by his colleagues."

The commission report also included a brief account of the worm's course through Internet. After its release shortly after 7:26 p.m. on Nov 2, the worm spread to computers at the Massachusetts Institute of Technology, the Rand Corporation, the University of California at Berkeley and others, the commission report said.

The worm consisted of two parts--a short "probe" and a much larger "corpus." The probe would attempt to penetrate a computer, and if successful, send for the corpus. The program had four main methods of attack and several methods of defense to avoid discovery and elimination. The attack methods exploited various flaws and features in the UNIX operating systems of the target computers. The worm also attempted entry by "guessing" at passwords by such techniques as exploiting computer users' predilections for using common words as passwords.

The study's authors acknowledged computer scientists at the University of California at Berkeley for providing a "decompiled" version of the worm and other technical information. The Cornell commission also drew on analyses of the worm by Eugene H. Spafford of Purdue University and Donn Seeley of the University of Utah.
END OF DOCUMENT