Revenge of the Nerds

Martin, Nicholas

Revenge of the Nerds The real problem with computer viruses isn't genius programmers, it's careless ones by Nicholas Martin It was with admiration rarely applied to saboteurs that the media...

...But then again, they would look sort of silly being outsmarted by your generic computer-literate 23-year-old...
...it broke into higher security areas...
...He probably learned to read at age three and was doing calculus in seventh grade...
...I did it in my spare time...
...His solution...
...The key on the mat The computers Morris invaded were part of the Arpanet, an international grid of telephone lines, buried cables, and satellite hookups established by the Department of Defense in 1969...
...What's more appalling is the sheer indifference of so many programmers, who know there's a problem, but won't sound the alarms...
...done by someone clever but not particularly gifted...
...It connects 60,000 computers owned by universities, private research companies, and the federal government...
...Or something like Nicholas Martin is the production manager of The Washington Monthly...
...After a break-in in June, the Los Angeles Times wrote, "Officials worried that an intruder could learn 'how to send bogus commands' to the [eight] spacecraft the laboratory controls.' " Yet so far those in charge of protecting the nation's important computers have been blasé...
...Slightly crazed look...
...It's the rough equivalent of using "Open Sesame" to get into SAC headquarters...
...Of course, many people in the computer business only helped encourage the notion that it took a one-in-a-million genius to pick this lock...
...Once there, Morris's program let loose with all sorts of requests: it searched the system for other computers to call up and infect...
...We should remember these programs are not exactly developed in top secret silos 600 feet underground...
...The Pentagon's response: abolish the tiger teams...
...They alerted the National Security Agency, which at the time was charged with setting security standards for the nation's computers...
...His program made use of a simple "mail" service, a convenience provided with most operating systems that allows one user to send a message to another...
...The stereotype of the computer genius is so strong that it's difficult for us to believe that the problem is negligence...
...In August 1982, Ken Thompson of Bell Labs also broke into the Arpanet system...
...Berkeley Unix, like many big programs written for multi-user computers, was partially developed at a university, with little faculty supervision...
...As Eugene Spafford, a Purdue computer science professor, wrote in a recent technical report on Morris's program, "The [program] was apparently...
...Postal Service...
...Experts at the Stanford Research Institute called it "the most serious computer security problem" they had encountered...
...it just ignored them...
...All Morris did was to notice that if you could send a message (which is simply a collection of letters, numbers, and punctuation) to a program, then you could send a second program (which is also just letters, numbers, and punctuation) to the first program...
...His teachers all called him "brilliant," but bored with normal adolescent preoccupations and unchallenged by school work, he was drawn to the one deed that required all of his staggering intellectual prowess: breaking into the most powerful computer system on earth...
...He apparently chose MIT to throw detectives off his trail...
...On the evening of November 2, Morris used his terminal at Cornell University to introduce a computer program into a Massachusetts Institute of Technology computer...
...In 1982, using a technique as simple as Morris's but harder to protect against, a group of Berkeley undergraduates discovered a flaw in Unix that allowed them to break into the school's computer system...
...Morris didn't pick the lock to the Arpanet computers, so much as find the key someone had left under the mat...
...Using a list of 400 common English words, Morris's program guessed right in at least 12 cases at Cornell alone...
...Morris fit—or was made to fit—the image of the Diabolical Supergenius Computer Nerd: Glasses...
...By mailing his worm to one of these surrogate mother programs, Morris ensured that it would get copied and sent forth to infect other computers...
...Then all the other systems fell." Two or three days isn't very long to compromise security on a major network...
...By what ingenious method...
...Translation: Don't worry...
...Several weeks later the Pentagon abruptly disconnected Milnet, an unclassified military network, from Arpanet because a defense contractor's computers had in recent months been violated several times...
...It was written "basically [by] grad students," Allman says...
...It guessed...
...I share [Stanford's] general concern for the lack of security in computer systems," said Colonel Roger Schell, then deputy director of NSA's computer security evaluation center, "But this is just one of numerous sorts of concerns." (Translation: We can't solve this problem because there are too many problems like it...
...From there it was simply a matter of Morris sending his instructions forth to be fruitful and multiply...
...Quite simply, because computer designers get careless...
...Morris's program—a "worm" as computer cops call this type of program—didn't exactly defeat the security systems on the 6,000 Arpanet computers it infected (about 10 percent of the computers on the network...
...In general, [it] is not that impressive and its 'success' was probably due to a large amount of luck rather than any programming skills possessed by the author...
...and it sent an announcement of its "birth" to a computer in Berkeley (apparently another effort to shake off computer detectives...
...There may be no perfectly secure system, but that doesn't justify or explain shoddy quality control...
...After a while, the programs demanded so much time and memory from the computers that the computers broke down, or, in the jargon, "crashed." To actually delete data, Morris's chain-letter-from-hell had to give secret passwords that would get it past key checkpoints...
...The Unix package came with such a program called "Sendmail." But computer programmers are as fond of optional extras as car buyers, and in this case the options made it just a bit too user friendly...
...Reporters, like most people, place great faith in scientists and their unfathomable ways...
...His program still couldn't delete other people's files—not at this stage anyway—but it enabled him to run a program on someone else's computer, something Unix security systems were supposed to control...
...Eric Allman, the Berkeley graduate student who wrote Sendmail, included a feature so people could mail messages not just to other people but also to other computer programs...
...Although we are generally committed to sharing information, we would not share vulnerabilities...
...In fact, a great deal of what Morris did was frighteningly simple...
...Or as it turned out, on top of it...
...I picked at it for two or three days and I got into it," he told Smithsonian magazine...
...Imagine the husky soldier at the guardhouse waiting for an hour as a frantic visitor guesses incorrect passwords—and then letting him go by when he finally hits the right one...
...In Los Angeles, Rodgers types in his idea for a new musical, and whoosh, off it goes to Hammerstein in Manhattan...
...Revenge of the Nerds The real problem with computer viruses isn't genius programmers, it's careless ones by Nicholas Martin It was with admiration rarely applied to saboteurs that the media presented us Robert T. Morris Jr., the 23-year-old "whiz" who brought the 60,000-computer Advanced Research Projects Agency network (Arpanet) to a halt in November...
...It's much like when the rest of us mail letters—except that the network's split-second speed definitely beats the U.S...
...This attitude may explain why so many important computers have already been infiltrated...
...Some people have suggested the hole remained open because it made it simpler for those in the know to get in...
...That faith is understandable, but it could stand a little tempering...
...Allman says he put the hole in Sendmail because it made it easier for him to test the program, and no one bothered to remove it before the final product was shipped...
...Tom Knight, a professor of computer science at MIT, told The Washington Post, "The jell, of a university is to distribute information, not to keep it secret." But the fact is that MIT's libraries aren't open to everyone who can read...
...Frequent late-night sessions with the computer terminal...
...After the Morris incident many of them just circled the wagons...
...Sure, it's a hassle to memorize a gibberish password...
...he says, "Just as a lark—some lark." In case something does go wrong though, Berkeley Unix carries a disclaimer which explains that "this software is supplied 'as is' without express or implied warranty...
...But the solution involved costly hardware, and even though those are usually the magic words for a military agency, the NSA said no...
...And if you think O-rings are the only potential problems for spacecraft, consider that intruders used Arpanet to break into the Jet Propulsion Lab in Pasadena three times in two years...
...But don't think the Pentagon has left its own computers completely defenseless...
...In the movies we usually end up at DefCon Two...
...Time called Morris's creation "one of the most sophisticated and infectious computer viruses the world has yet seen." The New York Times referred to Morris's virus as a "programming tour de force," and quoted, without comment, one Harvard graduate student's analogy that, "It's as if Mathias Rust had not just flown into Red Square, but built himself a stealth bomber by hand and then flown into Red Square...
...And apathetic programmers can make expensive solutions like NSA's proposed anti-virus coordination center (replete with beeper-carrying "response teams") irrelevant...
...Sharing vulnerabilities Why was security so lax...
...It did...
...In the 1970s it set up "tiger teams" to try to steal sensitive information from Defense Department computers...
...Allman himself wasn't even officially assigned to the Unix project when he wrote Sendmail...
...We won't tell saboteurs that our systems are vulnerable...
...This is one case where human qualities like impatience and skepticism might have served the computer well...
...There are many different types of programs...
...Some make calculations, some organize data—and some start up or give birth to other programs...
...This is about as reassuring as a security team that turns off the alarms because it doesn't like the noise, while disclaiming responsibility for break-ins...
...When asked if a virus like Morris's could have infected classified computers, army Colonel Thomas M. Herrick, a senior officer at the Defense Communications Agency, said, "Absolutely not." Others in the Pentagon didn't share his optimism...
...There's no reason why its computers should be open to everyone who can program...
...The teams invariably were able to get whatever they wanted...
...A group of programmers working to counteract Morris's program told the Times they were "impressed with its power and cleverness...
...Users routinely share information on topics as diverse as the Strategic Defense Initiative (unclassified material only), Shakespeare, and—yes, some parts of the computer hacker stereotype are true—recent episodes of Star Trek...
...The key to his success was finding a security flaw in "Berkeley Unix," the "operating system" or basic software, used by many of the network's computers...
...But it displays a certain disregard for security—not to mention a lack of imagination—that programmers who know how easy it is to break simple passwords would use codes like "Mozart" or "Princeton" to protect their files...

Vol. 20 • January 1989 • No. 12


 