Robert Morris Jr

Following the most celebrated of all US computer crimes cases, Robert Morris Jr faces five years in prison after being found guilty of deliberately unleashing a software program that knocked out over 6,000 computers around the world. Morris is the first person to be convicted under the 1986 Computer Fraud and Abuse Act.

In many ways, he represents the computer hacker gone bad: the brilliant computer whizz-kid spending hours trying to break into computer systems and hatching mischievous plots. This character type is repeated many hundreds of times in the US and other countries. For the last 15 months, he has been the focal point in the debate about a widespread problem: how to deal with a plague of computer virus and worm programs and the associated worries of unauthorized access to computer systems.

With fears of software virus and worm programs running at near hysterical levels in the US, the Morris trial was the first in-depth probe into the creation, execution, and damaging effects of computer worms. It also had another important ingredient. Unlike other computer virus and worm program cases, for once the identity of the worm's creator was known. What's more, Morris's father is chief scientist at the top secret National Security Agency and one of the world's leading experts in computer security.

Morris's crime is that he created a computer program that exploited a weakness in the Unix operating system controlling electronic mail on Internet. This is an international network linking other networks and primarily used by universities, researchers and the military. Morris's program is technically known as a worm. Once he introduced it into Internet on the evening of 2nd November 1988, it replicated itself and infected computers connected to Internet. It had its own list of over 400 passwords to help break into computer systems, plus a sophisticated algorithm for finding a password it didn't already have.
It was designed to be difficult to detect, and hard to eradicate once detected.

Morris used his terminal at Cornell University to launch the worm. He made it appear to have originated from a terminal at the University of Berkeley in California. He then went out to dinner. Returning several hours later, he noticed his terminal was very slow to respond to commands. He immediately realized that the worm had multiplied at a fantastic speed, much faster than anticipated. It was now clogging up his computer system, and those of thousands of others. Morris was frantic. He knew he was in deep trouble. His first thoughts were to create a second worm to eat up the original. But this would take too long, and be all but impossible, given how fast the computer network was deteriorating.

Computer experts at a US army computer centre in Maryland thought their 200 computers were under attack by a foreign power. They were knocked out for a week. The Computer Virus Industry Association claims Morris's worm infected 6,200 computers. It estimates the cost of eradication, including lost computer time, is over $100 million.

Though unaware of the extent of the damage, Morris knew he had a serious problem. He contacted a friend at Harvard University, Andrew Sudduth, and asked him to post a message on the Internet bulletin board which apologized for the worm, and offered to help get it out of all infected systems. Unfortunately, that message was useless since the worm had backed up all electronic mail messages and nothing could get through for several days. Morris then screwed up his courage and phoned his father. "He was not amused," Morris told the court. "My father advised me to come home and not talk to anybody."

At first, the authorities were uncertain how to punish Morris. The US attorney's office in Syracuse, New York agreed to treat his actions as a misdemeanor offence - effectively a mere slap on the wrist.
But there was a widespread feeling that Morris should not get off so lightly, especially as there had been a lot of bad publicity about the potentially threatening consequences of a computer virus or worm. The US justice department stepped in and decided it would make an example of Morris. It accused him of committing a felony under the Computer Fraud and Abuse Act, which carries maximum penalties of five years in prison and $250,000 in fines.

In choosing this action, the Justice Department was testing the four-year-old law for the first time. If Morris was acquitted, legislators could argue for stronger laws against computer crime. If Morris was successfully prosecuted, it would demonstrate that the law was well-drafted.

To obtain a conviction against Morris, the prosecution had to prove three conditions. These were that he had intentionally created the worm, that he had unauthorized access to computer systems, and that his worm caused more than $1,000 worth of damage over a period of one year. Morris's defence intended to show how the worm had helped to highlight serious security weaknesses in Internet and associated security systems, and that Internet had now benefitted from better security systems.

Before the trial could begin, a jury had to be selected. The defence lawyers used an unusual tactic. They rejected all jurors who had a working knowledge of computers. Nine women and three men were chosen out of 93 candidates. The prosecution presented 20 witnesses, while the defence called upon four.

Prosecutors easily proved the three main prosecution points. They showed the jury how Morris had spent weeks planning the design and developing the worm. Six different versions of the worm were found in Morris's computer files. He had also assembled a list of 430 passwords that would give his worm unauthorized entry into hundreds of different computer systems. He obtained many of these passwords by writing a special program that managed to translate encrypted passwords.
His friend, Paul Graham, told the court that Morris first said he was planning to create a worm in October 1988. Graham noticed that he seemed almost obsessed with the idea, becoming oblivious to his surroundings. At one point, Morris was pacing back and forth in a room, and walked right onto a desk. Graham said: "I don't think he realized he was standing on a desk."

Several computer experts described the worm as an ingenious program. It was armed with 430 passwords, and could discover others it didn't already have. After infecting seven computers, it was programmed to re-infect one of the seven, thus making it difficult to eradicate. Once the worm was in a computer, it would change its name to "SH", a common system file, so helping to hide itself in the computer.

Morris said his intention was simply to highlight a security weakness. The worm travelled around Internet but was not meant to bring it to a grinding halt. He said he had made a major programming mistake, causing the worm to multiply uncontrollably.

Prosecutor Ellen Meltzer told the court that Morris had taken several steps to ensure he would not be caught. Meltzer also attacked the defence's main argument of exposing security weaknesses by saying: "We do not thank terrorists for increasing airline security." The defence objected to Morris being compared to a terrorist and asked for a mistrial.

The jury found Morris guilty of committing a felony. He is scheduled to be sentenced in the spring. His father said his son had received a fair trial, but added: "It's perfectly honest there is not a fraudulent or dishonest bone in his body." He wouldn't discuss what possible effect his son's blatant security breaches have had on his career as a computer security specialist.

Debate now centers on how severely Morris should be sentenced. Even his prosecutors are not pressing for the maximum five years in custody.
Dean Kraft, the director of computer facilities at Cornell, said he hopes Morris's punishment will not be too severe. Gene Spafford, an associate professor of computer science at Purdue University, and a prosecution witness, said: "A public apology by Morris would be a good idea. I also hope he doesn't get a great job because of this."

The real question is whether this will discourage others from doing the same or even worse. In an attempt to discourage virus and worm creators, legislators in many states have proposed various laws. But unless those laws are very carefully drafted, they could inadvertently punish the creators of legitimate programs that behave the same as viruses and worms.

The successful prosecution of Morris may actually threaten the passage of those laws. This is because the Computer Fraud and Abuse Act has shown itself capable of prosecuting the developer even though the law doesn't specifically name worms or viruses. Nevertheless, some critics say the law needs strengthening as there has been only one conviction in its entire four-year history.

Others in the computer industry believe more stringent laws are not the answer. Gary Chapman, executive director of Computer Professionals for Social Responsibility, said: "We train thousands of bright programmers every year, but we teach them nothing about ethics." His campaign is for courses in US colleges that will teach students about their responsibilities as programmers.

Quoted in full from: "Computing" magazine, pages 24 - 25, dated 29th March 1990. Published by VNU Publications. Full copyright noted.