The first significant Internet worm was released on November 2, 1988, by a 23-year-old Cornell University graduate student named Robert Morris. The “Morris worm” shut down about 10 percent of the 60,000 or so computers connected to the Internet in those days. This was a few years before the introduction of the World Wide Web when mainly only academic researchers, technology companies, and government officials were connected.
Morris’ 99-line program exploited four vulnerabilities in the Internet to gain unauthorized access to network computers. The worm wasn’t destructive, but paralyzed computers with unnecessary processing.
Morris never fully explained what he was up to. But he must have known what he was doing wasn’t right because he released the worm on an MIT computer during a visit to that campus in an apparent attempt to hide his identity. And when the worm reproduced out of control, he had a friend send out an anonymous message that “there may be a virus loose on the Internet.”
Computer science departments swung into action and eventually disabled the worm. But the effort was expensive, with estimates of the cost ranging from $100,000 to $10,000,000 to restore the computers on the network. And the assault shocked the Internet community which until then assumed that everyone on the network was well-intentioned and responsible. Security became a real concern for the first time .
Morris was exposed a few days later as the instigator of the worm by John Markoff of the New York Times and eventually became the first person convicted under a new Computer Fraud and Abuse Act passed by Congress in 1986. He was sentenced to three years probation, 400 hours of community service, a $10,050 fine, and $3,276 to cover the cost of his probation. Morris’ appeals went nowhere.
Cornell University suspended Morris for a year, then refused to readmit him. He transferred to Harvard University where he earned a doctorate in computer science, and is now on the faculty at MIT.
Links of interest: