Please note: This is an original piece of writing by me - it was not copied from someplace else. It was originally a uni assignment which I wrote in a couple of hours (yeah, another last minute assignment). Thought someone may find it interesting here in Everything :)
Background:
During November 1988, Robert T Morris, a first year Cornell University PhD student, released a computer worm onto the Massachusetts Institute of Technology (MIT) computers.
The Internet Worm, as it became known, quickly and successfully replicated itself across the MIT network causing the computers to effectively become useless as they laboured under the load of multiple worms. From MIT, the Internet Worm spread across to other computer networks across the United States including the Bay Area Research Network (BARnet).
In his testimony to the Federal court, Morris stated that it was his intention to demonstrate the inadequate security measures implemented on computer networks.
While Morris’ intentions were noble, the worms started replicating and reinfecting machines at a much faster rate than he had anticipated. Ultimately, many machines at locations around the country either crashed or became “catatonic” (US Federal Government, 1991).
Many system administrators were forced to spend time isolating and solving the problem. Vital software programs (e.g. sendmail) were halted to try to stop the spread of the worm, and systems were re-booted, resulting in prolonged downtime for network users. Some network gateways were also closed, resulting in significant delays in the delivery of electronic mail and a subsequent increase in the load on other functioning gateways.
Within forty-eight hours, a team of computer specialists had decompiled the worm and found a solution.
Morris was suspended from Cornell University for acting irresponsibly and was later convicted by a federal court. He was sentenced to 3 years of probation, 400 hours of community service, and $10,050 in fines plus probation costs.
This report will examine some of the ethical considerations concerning this situation.
Ethical Problem:
While Morris was waiting to be sentenced by the Federal Court, there was substantial debate on the seriousness and ethics of his deeds.
One argument was that Morris had acted for the greater good and, as a result, the public and system administrators had a greater awareness of the lack of security present in their computer networks. Indeed, in the weeks following the Internet Worm attack, ‘several security bugs have come to light which the worm could have used to thoroughly destroy a system’ (Seeley, 1988). This line of argument also holds that since no long term damage was done, the punishment should be lenient.
The other line argues that Morris acted irresponsibly and maliciously. Given the resources (human time and effort) that were consumed in stopping the spread of the worm, the disruption to computing facilities, and the invasion of people’s privacy (see later), many people believed that Morris should have been handed a harsher sentence.
The argument effectively comes down to an ‘end justifies the means’ type of decision.
Actions of the Players:
To determine if Robert Morris acted in an ethical manner, it is appropriate to identify the actions of major participants throughout the lifetime of the Internet Worm and to determine if each action was ethical. This section will identify the actions of the major players.
Robert Morris was the key player in the Internet Worm saga. His intention was to highlight security holes which he had discovered in a computer network. Morris accomplished this by releasing the Internet Worm which exploited those security holes. The worm was not designed to destroy or alter any critical system files, but merely to propagate and reside on as many computers as possible.
There were three methods which the worm used to gain access to computer systems. The first two used security loopholes in ‘sendmail’ and ‘finger daemon’ to automatically download the worm virus. The third method was to try guessing user passwords and then, once access was gained, to download the worm code via the user’s account.
To make the worm more effective, Robert Morris designed the worm to be as innocuous as possible. Some techniques that the worm used included:
None of these actions caused any system files to be deleted. The only purpose of these actions was to hide any evidence that the worm existed at all.
Finally, once Morris realised the extent and speed with which the worm propagated, he attempted to post an anonymous cure for the worm, but the email channels were already clogged or disabled.
The other major players are the system administrators of the various computer networks. Upon discovering the attack on their systems, they grouped together to find a solution to the problem. Many system administrators disabled key features in an attempt to stop the spread of the worm. Within 48 hours of the Internet Worm appearing, they had disassembled the Worm code and determined how to stop its spread.
Ethical Analysis of Actions:
As the events took place in the United States of America, it is more appropriate to use the Association of Computing Machinery (ACM) Code of Ethics than the Australian Computer Society version, which, while more local in experience, is not as relevant to the situation.
While Morris may or may not have been a member of the ACM, its code of ethics can still be used as a comparison to determine the ethical nature of his actions.
From the actions that were listed in the section above, we can compare and comment as follows.
The intention to highlight the security loopholes is ethical. It conforms with many of the moral responsibilities listed in the ACM Code of Ethics such as ‘Respect privacy of others’ (Johnson, 1994), and ‘improve public understanding of computing and its consequences’ (Johnson, 1994) and for this, Morris should be commended.
To determine whether the use of the worm was ethical, it will be considered in two parts. The first part will examine, from an ethical viewpoint, the techniques which the worm used to propagate itself, and the second part will examine the effects of the worm.
As has been previously mentioned, one of the techniques that the worm used to propagate was to guess users’ passwords and then enter their accounts. The worm also covered its tracks by using a variety of methods.
Morris did not ‘respect the privacy of others’ (Johnson, 1994) in that he used a software program to determine someone’s password and then entered their account; nor did Morris ‘access computing and communications resources only when authorised to do so’ (Johnson, 1994).
Finally, Morris’ worm caused a disruption of computing services around the country. Computer networks became unusable, and system administrators were forced to put aside their current projects and spend time combating the worm. One institution became so worried about the attack that they formatted all their disks. Network gateways were closed to prevent the spread of the worm, causing a twofold effect. First, it led to a delay in the delivery of electronic mail and second, it increased the load on gateways that were still functioning, resulting in a degradation in performance.
Under ACM’s Code of Ethics, a member must avoid harm to others, which includes ‘intentional destruction or modification of files and programs leading to serious loss of resources or unnecessary expenditure of human resources such as the time and effort required to purge systems of “computer viruses”’ (Johnson, 1994).
The unauthorised access of computer accounts is definitely unethical; however, despite the extent of harm that the worm caused, it is debatable whether this was intentional on Morris’ part.
Analysis of the Worm code reveals a ‘number of bugs in the worm that appear to be the result of hasty or careless programming’ (Seeley, 1988) which could be seen to be a result of the Worm having been accidentally released before it was fully tested. However, the Worm was certainly designed to make it hard to detect and ‘there is ample evidence that the worm was designed to hamper efforts to stop it even after it was identified and captured’ (Seeley, 1988) which would possibly indicate the intention to cause harm.
Nevertheless, even if there was no intent to cause harm, the ACM Code of Ethics states that in the event that harm does occur unexpectedly, the person responsible is ‘obligated to undo or mitigate the negative consequences as much as possible.’ (Johnson, 1994). According to court documents, Morris did send out an email informing system administrators how to defeat the worm and prevent re-infection, but due to the congested network, nobody received the message. So in this way, Morris acted ethically.
However, the ACM also states that ‘to minimise the possibility of indirectly harming others, computing professionals must minimise malfunctions by following generally accepted standards for system design and testing’ (Johnson, 1994). From examination of the Worm code, the number of bugs that appear to be a result of hasty programming tends to indicate that no standard was followed. As Morris knew that computer networks across the US would be exposed to the Worm, it was unethical not to follow accepted standards for system design and testing.
Therefore, regardless of whether Morris intended to cause harm to the computer network, his actions in releasing the worm were on the whole unethical.
It can also be argued that the system administrators were unethical in their actions prior to the Worm attack. One of the general moral imperatives of the ACM Code of Ethics is to ‘respect the privacy of others’ which includes ‘taking precautions to ensure the accuracy of data, as well as protecting it from unauthorised access or accidental disclosure to inappropriate individuals’.
However, there is no record in court documents or in reports to say that the system administrators were not already actively seeking holes in security. Furthermore, regardless of whether the system administrators acted ethically or not, it does not minimise or justify Morris’ unethical actions.
Possible Actions To Reduce The Unethical Behaviour:
As has been mentioned several times before, there is no question that Morris’ intention to draw attention to the lack of security was an ethical action.
However, the release of the Worm was highly unethical. Alternative methods with which Morris could have drawn attention to the security loopholes include:
- directly approaching the Cornell University system administrator with the details of the security hole
- informing the Cornell University body if the system administrator did not act on this information
- informing representative bodies such as the Association of Computing Machinery
- informing the media
Reports do not state if Morris did or didn’t do any of the above actions; however, they tend to imply that the only discussion that Morris engaged in was with his friends.
All these actions would have helped raise awareness of the problem without resorting to unethical behaviour. It is quite possible that he might have been asked to demonstrate the problem, in which case he would then have had authorisation to exploit the security holes.
Conclusion:
Having examined Morris’ actions, the court ruling and subsequent penalty appear to be fair. Morris had ethical intentions but implemented them in an unethical manner.
References:
Johnson, D. (1994) ‘Computer Ethics’ Englewood Cliffs, Prentice-Hall
Seeley, D. (1988) ‘A Tour of the Worm’ ftp://coast.cs.purdue.edu pub/doc/morris_worm
US Government (1991) ‘US Appeal Court Decision re Worm conviction’ http://www.eg.bucknell.edu/~kapolka/cs240/morris/morris.appeal
Bibliography:
Eichin, M., Rochlins, J. (1988) ‘With a Microscope and Tweezers: An Analysis of the Internet Virus of November 1988’ http://www.mit.edu:8001/people/eichin/virus/main.html
Page, B. (1988) ‘A Report On The Internet Worm’ http://www.eg.bucknell.edu/~kapolka/cs240/morris/worm.paper
Reynolds, J. (1989) ‘RFC1135: The Helminthiasis of the Internet’ http://www.eg.bucknell.edu/~kapolka/cs240/morris/rfc1135
Spafford, G. (1996) ‘A Short Worm FAQ’ http://www.eg.bucknell.edu/~kapolka/cs240/morris/FAQ – FAQ
United States General Accounting Office (1989) ‘GAO Report’ http://www.eg.bucknell.edu/~kapolka/cs240/morris/GAO-rpt.txt