Here, Markoff recounts how Robert Tappan Morris, a 23 year-old Cornell University CS grad student, sat down at a terminal and unwittingly made history with what he thought would be a self-replicating (but ultimately harmless) chunk of C code:
Using a feature of Arpanet, called Sendmail, to exchange messages among computer users, he inserted his rogue program. It immediately exploited a loophole in Sendmail at several computers on Arpanet.
Typically, Sendmail is used to transfer electronic messages from machine to machine throughout the network, placing the messages in personal files. However, the programmer who originally wrote Sendmail three years ago had left a secret 'backdoor' in the program to make it easier for his work. It permitted any program written in the computer language known as C to be mailed like any other message.
So instead of a program being sent only to someone's personal files, it could also be sent to a computer's internal control programs, which would start the new program. Only a small group of computer experts -- among them Morris -- knew of the backdoor.
As they dissected Morris's program later, computer experts found that it elegantly exploited the Sendmail backdoor in several ways, copying itself from computer to computer and tapping two additional security provisions to enter new computers.
Markoff explains how Morris exploited one featue of Sendmail after another -- some undoubtedly qualifying as bugs by today's standards, others as legitimate, if highly insecure, features -- to get what he thought he wanted: a self-replicating worm designed to demonstrate some of his more innovative programming concept
Morris, however, had misjudged the environment in which he had relased his worm:
But because the speed of communications on Arpanet is so fast, Morris's illicit program echoed back and forth through the network in minutes, copying and recopying itself hundreds or thousands of times on each machine, eventually stalling the computers and then jamming the entire network.
After introducing his program Wednesday night, Morris left his terminal for an hour. When he returned, the nationwide jamming of Arpanet was well under way, and he could immediately see the chaos he had started. Within a few hours, it was clear to computer system managers that something was seriously wrong with Arpanet.
The damage estimates, viewed from a time when the loss of the Internet could bring the global economic system to its knees, are chilling: Over the course of 24 hous, Morris' worm, soon known simply as "The Internet Bug," took down between 4,000 and 6,000 servers, accounting for two-thirds of all registered Arpanet servers. Today, an equivalent attack would involvemillions of Internet infrastructure servers.
At the time, however, financial transactions didn't flow through the planet's packet-switched networks; most Arpanet users were still part of the U.S. Department of Defense, the nation's reseach universities, or major institutions such as the National Laboratory network. Arpanet's collapse didn't shock the stock market, panic the banks, or turn the Western Hemisphere's ATM networks into high-tech tree stumps.
All of these possibilities were close enough at hand, however, for Morris' exploits to inspire the foundation of the Computer Emeregncy Response Team (CERT), an organization dedicated to catching, identifying, and stopping future attacks, deliberate or otherwise, before they could eat their way so far into the nation's IT infrastructure. It also, to hear some accounts of the worm's legacy, served as a rude awakening to the programmers and reseachers who assumed their benign stewardship of the network would remain the rule, instead of the exception.
The Sendmail back door Morris used to launch his worm wasn't widely-known, but it was known to the people who called the shots in what was still a very, very small club. Before this point, public network security relied upon practices that were reasonable at the time but looked incredibly naive just a year or two later; Morris spawned a thousand imitators, and many of them tried their very best to top his act.
So, to come full circle: Does the Sendmail back-door that enabled The Internet Bug and the worst Internet outage in history belong in the same company as the Borland and Cisco back-doors I cited in my earlier column? I certainly don't think so, although I'm very grateful to Bill Whiting for taking me through a fascinating exercise to reach that conclusion.
And while I could cite any number of reasons why that's true, I think just one reason is sufficient: When we look at the Sendmail incident, we're looking back at a time when the rules of the security game were very, very different than they are today.