Re: 10th anniversary of the Internet Worm

From: Rich Kulawiec (rskat_private)
Date: Tue Nov 03 1998 - 21:23:41 PST

    On Mon, Nov 02, 1998 at 10:33:51PM -0500, Gregory Newby wrote:
    > Lest we forget, today was the 10th anniversary of the
    > Internet Worm, released by Robert Tappan Morris, Jr.
    
    I remember -- I was in the trenches that day.  In fact, I'd gone
    into work (the Purdue University Computing Center, a large Unix site)
    early that day because I needed to leave early as well.
    
    I didn't. ;-)  In all the years I've done Unix, that was the
    most exciting 36 hours I went through.
    
    Most of what we did there is documented in Spaf's paper on the
    subject, so you can read that to find out what Dave Stevens and
    Kevin Braunsdorf and George Goble and all of us there at Purdue
    did that day.  (We invented the "condom".  No, really!)
    
    I remember two major concerns that are still with me years later --
    which is why I'm babbling this at bugtraq:
    
    1. We had almost no way to communicate out-of-band with other sites.
    That's why I keep an address/phone/fax book now.  It's far from
    complete, and it's frequently outdated, but I keep it in hardcopy --
    and handy -- against the day when things go foom again.  As you
    pointed out, CERT was formed in part to take on this role, but much
    to my great disappointment, CERT is largely an information black hole,
    and reacts at a glacial pace, far too slowly to be any help in a crisis.
    I also know where several local ISPs are physically located -- guessing
    that the next attack might come when voice/data/cable/etc. are unified
    and that it might take them *all* out.  And I don't think sending them
    postcards will cut it. ;-)
    
    2. Our biggest worry wasn't figuring out who launched it, or why, or
    how it propagated.  Our worry was "Is it destructive (i.e. does it
    deliberately corrupt data), or is it just meta-destructive (i.e. does
    it corrupt data only as an accidental by-product)?"  Granted, we've got
    a lot more tools that have been developed since then, but if we were
    put in that precise circumstance again by a different threat, I'm not
    sure we're in a position to answer that question quickly and
    accurately.  The best response to this that I've come up with is to do
    on-site and off-site backups with near-religious fervor (including
    verifying them) and to use tools like tripwire regularly.  But I'm not
    satisfied that this adequately addresses the problem of answering that
    same question under severe time pressure.
    
    ---Rsk
    Rich Kulawiec
    rskat_private
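The second point above turns on a simple question ("has anything on disk changed, and what?") that a file-integrity baseline is meant to answer under time pressure. The block below is an added example, not part of the post and not Tripwire's own code: a minimal tripwire-style checker that records size, mtime and SHA-256 for every regular file under a root, then diffs a fresh snapshot against the saved baseline. The sample tree, the file contents and the three tampering steps in demo() are constructed for the example; the point they make is that a same-length edit with the timestamp restored is invisible to size/mtime checks and is caught only by the content hash.

```python
"""Minimal tripwire-style integrity baseline and verify (constructed example).

snapshot() records size, mtime_ns and sha256 per regular file under a root;
verify() diffs a current snapshot against a saved baseline and reports added,
removed and modified paths, saying why each modification was detected.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, dict]:
    """Walk root; paths are stored relative to root with '/' separators."""
    snap: Dict[str, dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"size": st.st_size,
                         "mtime_ns": st.st_mtime_ns,
                         "sha256": _sha256(full)}
    return snap


def save_baseline(snap: Dict[str, dict], path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as f:
        return json.load(f)


def verify(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Diff current against baseline. 'modified' entries are (path, reason)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified: List[Tuple[str, str]] = []
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        if old["sha256"] != new["sha256"]:
            if old["size"] == new["size"] and old["mtime_ns"] == new["mtime_ns"]:
                modified.append((rel, "content (size/mtime unchanged)"))
            else:
                modified.append((rel, "content"))
        elif old["mtime_ns"] != new["mtime_ns"]:
            modified.append((rel, "metadata only"))  # e.g. touch; content intact
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, list]:
    """Build a constructed tree, baseline it, tamper three ways, return the report."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    passwd = os.path.join(root, "etc", "passwd")
    hosts = os.path.join(root, "etc", "hosts")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed content
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    # Keep the baseline outside the tree being watched.
    baseline_file = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(snapshot(root), baseline_file)

    # Tamper 1: same-length edit, timestamp restored; only the hash can see it.
    st = os.stat(passwd)
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/zz\n")
    os.utime(passwd, ns=(st.st_atime_ns, st.st_mtime_ns))
    # Tamper 2: a new file dropped in.
    with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
        f.write("/tmp/x.so\n")
    # Tamper 3: a file removed.
    os.remove(hosts)

    return verify(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The usual caveat applies, and it is the same one that makes the off-site backups in the post matter: a baseline stored on the compromised host is only as trustworthy as the host, so keep it (and the checker) on read-only or off-line media and compare from a clean boot when the question is being asked in anger.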
    


