
Revenge of the nerds

Nicholas Martin
Washington Monthly, Vol. 20, No. 12, p. 21
ISSN 0043-0633
January 1989


Revenge of the nerds; the real problem with computer viruses isn't genius programmers, it's careless ones

Nicholas Martin is the production manager of The Washington Monthly.

It was with admiration rarely applied to saboteurs that the media presented us Robert T. Morris Jr., the 23-year-old "whiz" who brought the 60,000-computer Advanced Research Projects Agency network (Arpanet) to a halt in November. Time called Morris's creation "one of the most sophisticated and infectious computer viruses the world has yet seen." The New York Times referred to Morris's virus as a "programming tour de force," and quoted, without comment, one Harvard graduate student's analogy that "It's as if Mathias Rust had not just flown into Red Square, but built himself a stealth bomber by hand and then flown into Red Square."

Morris fit-or was made to fit-the image of the Diabolical Supergenius Computer Nerd: Glasses. Frequent late-night sessions with the computer terminal. Slightly crazed look. He probably learned to read at age three and was doing calculus in seventh grade. His teachers all called him "brilliant," but bored with normal adolescent preoccupations and unchallenged by school work, he was drawn to the one deed that required all of his staggering intellectual prowess: breaking into the most powerful computer system on earth. Or something like that. In the movies we usually end up at DefCon Two.

Of course, many people in the computer business only helped encourage the notion that it took a one-in-a-million genius to pick this lock. A group of programmers working to counteract Morris's program told the Times they were "impressed with its power and cleverness." But then again, they would look sort of silly being outsmarted by your generic computer-literate 23-year-old.

In fact, a great deal of what Morris did was frighteningly simple. As Eugene Spafford, a Purdue computer science professor, wrote in a recent technical report on Morris's program, "The [program] was apparently. . .done by someone clever but not particularly gifted. In general, [it] is not that impressive and its 'success' was probably due to a large amount of luck rather than any programming skills possessed by the author." Morris didn't pick the lock to the Arpanet computers, so much as find the key someone had left under the mat. Or as it turned out, on top of it.

The key on the mat

The computers Morris invaded were part of the Arpanet, an international grid of telephone lines, buried cables, and satellite hookups established by the Department of Defense in 1969. It connects 60,000 computers owned by universities, private research companies, and the federal government. Users routinely share information on topics as diverse as the Strategic Defense Initiative (unclassified material only), Shakespeare, and-yes, some parts of the computer hacker stereotype are true-recent episodes of Star Trek. It's much like when the rest of us mail letters-except that the network's split-second speed definitely beats the U.S. Postal Service.

On the evening of November 2, Morris used his terminal at Cornell University to introduce a computer program into a Massachusetts Institute of Technology computer. (He apparently chose MIT to throw detectives off his trail.) The key to his success was finding a security flaw in "Berkeley Unix," the "operating system," or basic software, used by many of the network's computers. Morris's program-a "worm" as computer cops call this type of program-didn't exactly defeat the security systems on the 6,000 Arpanet computers it infected (about 10 percent of the computers on the network); it just ignored them.

His program made use of a simple "mail" service, a convenience provided with most operating systems that allows one user to send a message to another. (In Los Angeles, Rodgers types in his idea for a new musical, and whoosh, off it goes to Hammerstein in Manhattan.) The Unix package came with such a program called "Sendmail." But computer programmers are as fond of optional extras as car buyers, and in this case the options made it just a bit too user friendly. Eric Allman, the Berkeley graduate student who wrote Sendmail, included a feature so people could mail messages not just to other people but also to other computer programs. All Morris did was to notice that if you could send a message (which is simply a collection of letters, numbers, and punctuation) to a program, then you could send a second program (which is also just letters, numbers, and punctuation) to the first program. From there it was simply a matter of Morris sending his instructions forth to be fruitful and multiply.

There are many different types of programs. Some make calculations, some organize data-and some start up or give birth to other programs. By mailing his worm to one of these surrogate mother programs, Morris ensured that it would get copied and sent forth to infect other computers. His program still couldn't delete other people's files-not at this stage anyway-but it enabled him to run a program on someone else's computer, something Unix security systems were supposed to control. Once there, Morris's program let loose with all sorts of requests: it searched the system for other computers to call up and infect; it broke into higher security areas; and it sent an announcement of its "birth" to a computer in Berkeley (apparently another effort to shake off computer detectives). After a while, the programs demanded so much time and memory from the computers that the computers broke down, or, in the jargon, "crashed."

To actually delete data, Morris's chain-letter-from-hell had to give secret passwords that would get it past key checkpoints. It did. By what ingenious method? It guessed. Using a list of 400 common English words, Morris's program guessed right in at least 12 cases at Cornell alone. This is one case where human qualities like impatience and skepticism might have served the computer well. Imagine the husky soldier at the guardhouse waiting for an hour as a frantic visitor guesses incorrect passwords-and then letting him go by when he finally hits the right one. Sure, it's a hassle to memorize a gibberish password. But it displays a certain disregard for security-not to mention a lack of imagination-that programmers who know how easy it is to break simple passwords would use codes like "Mozart" or "Princeton" to protect their files. It's the rough equivalent of using "Open Sesame" to get into SAC headquarters.

Sharing vulnerabilities

Why was security so lax? Quite simply, because computer designers get careless. Allman says he put the hole in Sendmail because it made it easier for him to test the program, and no one bothered to remove it before the final product was shipped. Some people have suggested the hole remained open because it made it simpler for those in the know to get in. We should remember these programs are not exactly developed in top secret silos 600 feet underground. Berkeley Unix, like many big programs written for multi-user computers, was partially developed at a university, with little faculty supervision. It was written "basically [by] grad students," Allman says. Allman himself wasn't even officially assigned to the Unix project when he wrote Sendmail. "I did it in my spare time. . . ," he says, "Just as a lark-some lark." In case something does go wrong though, Berkeley Unix carries a disclaimer which explains that "this software is supplied 'as is' without express or implied warranty." This is about as reassuring as a security team that turns off the alarms because it doesn't like the noise, while disclaiming responsibility for break-ins.

This attitude may explain why so many important computers have already been infiltrated. In August 1982, Ken Thompson of Bell Labs also broke into the Arpanet system. "I picked at it for two or three days and I got into it," he told Smithsonian magazine. "Then all the other systems fell." Two or three days isn't very long to compromise security on a major network. And if you think O-rings are the only potential problems for spacecraft, consider that intruders used Arpanet to break into the Jet Propulsion Lab in Pasadena three times in two years. After a break-in in June, the Los Angeles Times wrote, "Officials worried that an intruder could learn 'how to send bogus commands' to the [eight] spacecraft the laboratory controls."

Yet so far those in charge of protecting the nation's important computers have been blasé. In 1982, using a technique as simple as Morris's but harder to protect against, a group of Berkeley undergraduates discovered a flaw in Unix that allowed them to break into the school's computer system. Experts at the Stanford Research Institute called it "the most serious computer security problem" they had encountered. They alerted the National Security Agency, which at the time was charged with setting security standards for the nation's computers. But the solution involved costly hardware, and even though those are usually the magic words for a military agency, the NSA said no. "I share [Stanford's] general concern for the lack of security in computer systems," said Colonel Roger Schell, then deputy director of NSA's computer security evaluation center. "But this is just one of numerous sorts of concerns." (Translation: We can't solve this problem because there are too many problems like it.) His solution: "Although we are generally committed to sharing information, we would not share vulnerabilities." (Translation: Don't worry. We won't tell saboteurs that our systems are vulnerable.)

But don't think the Pentagon has left its own computers completely defenseless. In the 1970s it set up "tiger teams" to try to steal sensitive information from Defense Department computers. The teams invariably were able to get whatever they wanted. The Pentagon's response: abolish the tiger teams. When asked if a virus like Morris's could have infected classified computers, army Colonel Thomas M. Herrick, a senior officer at the Defense Communications Agency, said, "Absolutely not." Others in the Pentagon didn't share his optimism. Several weeks later the Pentagon abruptly disconnected Milnet, an unclassified military network, from Arpanet because a defense contractor's computers had in recent months been violated several times.

The stereotype of the computer genius is so strong that it's difficult for us to believe that the problem is negligence. Reporters, like most people, place great faith in scientists and their unfathomable ways. That faith is understandable, but it could stand a little tempering.

What's more appalling is the sheer indifference of so many programmers, who know there's a problem, but won't sound the alarms. There may be no perfectly secure system, but that doesn't justify or explain shoddy quality control. And apathetic programmers can make expensive solutions like NSA's proposed anti-virus coordination center (replete with beeper-carrying "response teams") irrelevant.

After the Morris incident many of them just circled the wagons. Tom Knight, a professor of computer science at MIT, told The Washington Post, "The job of a university is to distribute information, not to keep it secret." But the fact is that MIT's libraries aren't open to everyone who can read. There's no reason why its computers should be open to everyone who can program.

COPYRIGHT 1989 Washington Monthly Company

COPYRIGHT 2004 Gale Group
