3. Robert Morris (Morris Worm)


Robert Tappan Morris (born November 8, 1965) is an American computer scientist, best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and for subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.

He went on to co-found the online store Viaweb, one of the first web-based applications, and later the funding firm Y Combinator—both with Paul Graham. He is a tenured professor in the department of Electrical Engineering and Computer Science at the Massachusetts Institute of Technology.

His father was the late Robert Morris, a coauthor of UNIX and the former chief scientist at the National Computer Security Center, a division of the National Security Agency (NSA).

Morris created the worm while he was a graduate student at Cornell University. The original intent, according to him, was to gauge the size of the Internet. He released the worm from MIT to conceal the fact that it actually originated from Cornell. The worm exploited several vulnerabilities to gain entry to targeted systems, including:

  • a hole in the debug mode of the Unix sendmail program,
  • a buffer overrun hole in the fingerd network service,
  • the transitive trust enabled by people setting up rexec/rsh network logins without password requirements.

However, the worm had a design flaw. It was programmed to check each computer it found to determine whether the infection was already present. Morris believed that some administrators might try to defeat his worm by instructing the computer to report a false positive. To compensate for this possibility, he directed the worm to copy itself anyway, 14% of the time, no matter what the response to the infection-status interrogation. This level of replication created system loads that not only brought the worm to the attention of system administrators, but also disrupted the target computers. It was estimated that the cost in “potential loss in productivity” caused by the worm and the efforts to remove it ranged from $200 to more than $53,000 per system.