Hacker News

The 10% number is completely made up. According to Paul Graham, "I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them."

I followed his course 6.5840 on distributed systems (https://pdos.csail.mit.edu/6.824/, YouTube videos at https://youtube.com/playlist?list=PLrw6a1wE39_tb2fErI4-WkMbs...) and completed the labs. One day, out of curiosity, I looked up his name. Then I realized what a legend he is.

Great course by the way.

A good account is With Microscope and Tweezers: The Worm from MIT's Perspective [1], published in CACM a few months after the event. Notice it was the worm.

I was an intern at IBM in '88 and they shut-down the (iirc) two internet getaways to their corporate network (vnet) while people figured out what was going on. News moved slowly back then, and the idea of self-replicating software was unusual. Although IBM had had its own replicator the previous year [2].

[1] https://www.cs.columbia.edu/~gskc/security/rochlis89microsco...

[2] https://en.wikipedia.org/wiki/Christmas_Tree_EXEC

That was one scary exciting day (source: was running machines at MIT at the time)

The term "worm" came from the 1975 (sci-fi) novel The Shockwave Rider:

* https://en.wikipedia.org/wiki/The_Shockwave_Rider

From the Wikipedia article:

Clifford Stoll, author of The Cuckoo's Egg, wrote that "Rumors have it that [Morris] worked with a friend or two at Harvard's computing department (Harvard student Paul Graham sent him mail asking for 'Any news on the brilliant project')".

Has pg commented on this?

I was a student part-time administrator/systems programmer at the Purdue Engineering Computer Network at the time. Our OS installs had enough local mods (and we had enough non-VAX, non-Sun architectures) that we were immune to some of the worm's modalities, but the sendmail debug mode exploit at least still caused a lot of consternation.

I'm pretty sure Paul Graham was directly involved in this story (not in any bad, culpable way, but enough that, were a film to be made about it, a well-known actor would be cast for his part).

https://news.ycombinator.com/item?id=38020635

The IETF’s review has an amazing title “The Helminthiasis of the Internet”

https://www.rfc-editor.org/rfc/rfc1135

I expected some info on its functioning. The goal was to gauge the size of the Internet, how? Why did it fail? I guess Wikipedia for the rescue.

I used to keep a vt100 at the head of my bed, roll over and check on things a few times at night. 3am and everything is screwed. can't really log in anyplace, or start any jobs. The bus doesn't run until 5:30, so I just get dressed and walk across the bridge the to lab. Visitors center isn't open, so I just sneak through the exit by the guardhouse. They're civilian contractors, they either don't see me, or recognize me and don't care.

Since it's all locked up, I just reboot the big vax single user - that takes about 10 minutes so I also start on a couple of the suns. You have to realize that everything including desktops runs sendmail in this era, and when some of these machines come up they are ok for a sec and then sendmail starts really eating into the cpu.

I'm pretty bleary eyed but I walk around restarting everything single and taking sendmail out of the rcs. The TMC applications engineer comes in around 7 and gets me a cup of coffee. He manages to get someone to pick up in Cambridge and they tell him that's happening everywhere.

I remember this event as one of the few times that the Internet made the mainstream news in the eighties. After the fact talked with some network people at Michigan and Michigan State and it was not a very good day for them. They also wanted jail time for him which did not happen.

I assume you all know that Robert Morris is one of the YC (and Viaweb) cofounders? [1] Together with Paul Graham, Jessica Livingston, and Trevor Blackwell.

[1] https://en.wikipedia.org/wiki/Robert_Tappan_Morris

Thankfully the security holes in C that have allowed Morris worm to exist, have been taken care by WG14 since then.

PG has said that he made up the 10% figure. It was a guess, but it was not correct.

I find it funny that:

1) He released it from MIT to avoid suspicion.

2) After he was convicted, he went from Cornell to Harvard to complete his Ph.D.

3) He became an assistant professor at MIT after that.

He had to be really spectacular/have crazy connections to still be able to finish his training at a top program and get a job at the institution he tried to frame.

This one is before my time, but I remember the blaster worm very clearly.

Wikipedia says the Morris worm went out on 1998 Nov 2. No idea why they would publish the article on 2025 Nov 4 with that title.

I remember that the Boston Museum of Science used to have a floppy disk on display with the Morris worm on it.

I’m still waiting for the first runaway autonomous botnet.

> the internet in 1988

60k computers ( mostly at institutions ) in 20 countries

This Week in 1988 rather.

https://neal.fun/internet-artifacts/morris-worm/

I might have 10% of the internet from 1988 on my Apple Watch.

>However, the pioneering Morris worm malware wasn’t made with malice, says an FBI retrospective on the “programming error.” It was designed to gauge the size of the Internet, resulting in a classic case of unintended consequences.

had RTM actually RTM the world might be a bit different than it is today.

I was logged into brillig.umd.edu (University of Maryland's Vax 8600) that night, frustrated that my emacs kept getting paged out, rhythmically typing ^A ^E ^A ^E to wiggle the cursor around to keep it paged in while I thought.

I ps aux'ed and saw a hell of a lot of sendmail demons running, but didn't realize till the next morning that we were actively under attack, being repeatedly but unsuccessfully finger daemon gets(3) buffer overflowed, and repeatedly and successfully sendmail daemon DEBUG'ed.

RTM's big mistake was not checking to see if a machine was already infected before re-infecting it and recursing, otherwise nobody would have noticed and he would have owned the entire internet.

What's funny is that UMD was on MILNET via NSA's "secret" IMP 57 at Fort Mead, so RTM's worm was attacking us through his daddy's own MILNET PSN (Packet Switching Node)!

https://news.ycombinator.com/item?id=18376750

>At the University of Maryland, our network access was through the NSA's "secret" MILNET IMP 57 at Fort Mead. It was pretty obvious that UMD got their network access via NSA, because mimsy.umd.edu had a similar "*.57" IP address as dockmaster, tycho and coins.

>[...] Once I told the guy who answered, "Hi, this is the University of Maryland. Our connection to the NSA IMP seems to be down." He barked back: "You can't say that on the telephone! Are you calling on a blue phone?" (I can't remember the exact color, except that it wasn't red: that I would have remembered). I said, "You can't say NSA??! This is a green phone, but there's a black phone in the other room that I could call you back on, but then I couldn't see the hardware." And he said "No, I mean a voice secure line!" I replied, "You do know that this is a university, don't you? We only have black and green phones."

>[...more stuff about the rumored "Explosive Bolts" that could separate ARPANET and MILNET from Erik Fair and Milo Medin...]

More from Jordan Hubbard about his infamous "rwall" incident, when he accidentally sent an rwall message to almost every Unix host on the internet. I received it and sent him a cheerful reply within minutes, which he said was nicer than most of the 743 replies he got. Also: Milo Medin's description of Dennis Perry's reaction (head of DARPA/IPTO) to getting his Interleaf windows scribbled on ("absolutely livid"), Mark Crispin's flame about security, Jordan's response, and Dennis Perry himself replying to Jordan.

https://news.ycombinator.com/item?id=31822138

    From: Dennis G. Perry <PERRY@vax.darpa.mil>
    Date: Apr 6, 1987, 3:19 PM

    Jordan, you are right in your assumptions that people will get annoyed
    that what happened was allowed to happen.

    By the way, I am the program manager of the Arpanet in the Information
    Science and Technology Office of DARPA, located in Roslin (Arlington), not
    the Pentagon. [...]

Here's my story of The Night of The Worm:

https://news.ycombinator.com/item?id=29250313

DonHopkins on Nov 17, 2021 | parent | context | favorite | on: .plan

Yeah, 4.2 BSD fingerd was calling "gets" to read the name of who you were fingering into a small fixed size buffer on the stack.

https://man7.org/linux/man-pages/man3/gets.3.html

Chris Torek had hacked our version of fingerd (running on mimsy.umd.edu and its other Vax friends brillig, tove, and gyre) to implement logging, and while he was doing that, he noticed the fixed size buffer, and thoughtfully increased the size of the buffer a bit. Still a fixed size buffer using gets, but at least it was a big enough buffer to mitigate the attack, although the worm got in via sendmail anyway. And we had a nice log of all the attempted fingerd attacks!

The sendmail attack simply sent the "DEBUG" command to sendmail, which, being enabled by default, let you right in to where you could escape to a shell.

Immediately after the attack, "some random guy on the internet" suggested mitigating the sendmail DEBUG attack by editing your sendmail binary (Emacs hackers can do that easily of course, but vi losers had to suck eggs!), searching for the string "DEBUG", and replacing the "D" with a null character, thus disabling the "DEBUG" command.

But unfortunately that cute little hack didn't actually disable the "DEBUG" command: it just renamed the "DEBUG" command to the "" command! Which stopped the Morris worm on purpose, but not me by accident:

I found that out the day after the worm hit, when I routinely needed to check some bouncing email addresses on a mailing list I ran, so I went "telnet sun.com 80" and hit return a couple times like I usually do to clear out the telnet protocol negotiation characters, before sending an "EXPN" command. And the response to the "EXPN" command was a whole flurry of debugging information, since the second newline I sent activated debug mode by entering a blank line!

So I sent a friendly email to postmaster@sun.com reporting the enormous security hole they had introduced by patching the other enormous security hole.

You'd think that the Long Haired Dope Smoking Unix Wizards running the email system at sun.com wouldn't just apply random security patches from "some random guy on the internet" without thinking about the implications, but they did!

https://www.ee.torontomu.ca/~elf/hack/internet-worm.html

>The Sendmail Attack:

>In the sendmail attack, the worm opens a TCP connection to another machine's sendmail (the SMTP port), invokes debug mode, and sends a RCPT TO that requests its data be piped through a shell. That data, a shell script (first-stage bootstrap) creates a temporary second-stage bootstrap file called x$$,l1.c (where '$$' is the current process ID). This is a small (40-line) C program.

>The first-stage bootstrap compiles this program with the local cc and executes it with arguments giving the Internet hostid/socket/password of where it just came from. The second-stage bootstrap (the compiled C program) sucks over two object files, x$$,vax.o and x$$,sun3.ofrom the attacking host. It has an array for 20 file names (presumably for 20 different machines), but only two (vax and sun) were compiled in to this code. It then figures out whether it's running under BSD or SunOS and links the appropriate file against the C library to produce an executable program called /usr/tmp/sh - so it looks like the Bourne shell to anyone who looked there.

>The Fingerd Attack:

>In the fingerd attack, it tries to infiltrate systems via a bug in fingerd, the finger daemon. Apparently this is where most of its success was (not in sendmail, as was originally reported). When fingerd is connected to, it reads its arguments from a pipe, but doesn't limit how much it reads. If it reads more than the internal 512-byte buffer allowed, it writes past the end of its stack. After the stack is a command to be executed ("/usr/ucb/finger") that actually does the work. On a VAX, the worm knew how much further from the stack it had to clobber to get to this command, which it replaced with the command "/bin/sh" (the Bourne shell). So instead of the finger command being executed, a shell was started with no arguments. Since this is run in the context of the finger daemon, stdin and stdout are connected to the network socket, and all the files were sucked over just like the shell that sendmail provided.

It's a little shocking to me that there haven't been more things like this.

While we're much more conscientious and better at security than we were way back then, things are certainly not totally secure.

The best answer I have is the same as what a bio professor told me once about designer plagues: it hasn't happened because nobody's done it. The capability is out there, and the vulnerability is out there.

(Someone will chime in about COVID lab leak theories, but even if that's true that's not what I mean. If that happened it was the worst industrial accident in history, not an intentional designer plague.)

[dead]

So like 10 computers, then I suppose?

Hypothetically if the m$ cloud ecosystem got completely oblibetated (including backups) would customers switch? Or is the lockin as complete as it is with the operating system customers?