Advertisement

Cornell Report Reviews Morris Computer Virus

ITHACA, N.Y.--A rogue computer program created by a former Harvard undergraduate that crippled a nation-wide computer network last fall was neither the creation of a genius nor the act of a criminal, a Cornell University commission has concluded.

Cornell graduate student Robert T. Morris '87-'88 alone created the program that infected thousands of military and university computers on November 2, 1988, said the panel's 45-page report obtained Saturday by The Associated Press.

Morris, 23, who is on a leave of absence from Cornell's doctoral program in computer science, declined to be interviewed by the commission, which was left to speculate as to the reasons Morris created the "worm."

"It may simply have been the unfocused intellectual meanderings of a hacker completely absorbed with his creation and unharnessed by considerations of explicit purpose or potential effect," the panel wrote.

Technically, the program was not a "virus," which inserts itself into a host program to propagate; it was actually a "worm," or an independent program that endlessly duplicates itself once placed in a computer system.

Advertisement

Cornell officials and members of the special panel were scheduled to discuss their findings at a news conference at 10 a.m. today.

Morris, of Arnold, Md., remains under investigation by a federal grand jury in Syracuse and by the U.S. Justice Department in Washington, D.C.

During that investigation, Morris's files at Harvard's Aiken Computational Laboratories were seized, and an employee and Harvard graduate student were summoned to testify before the jury.

Morris had been known for his playful pranks at Harvard and continued to have computer access at Aiken after working there last summer. Morris also reportedly telephoned the two Aiken workers in a panic the night the computer program was released.

Morris could not be reached for comment at his home late last night.

The Cornell panel rejected the idea that Morris created the worm to point out the need for greater computer security.

"This was an accidental by-product of the event and the resulting display of media interest," the commission wrote, "Society does not condone burglary on the grounds that it heightens concern about safety and security."

The program could have been created by manystudents, graduate or undergraduate, particularlyif they were aware of the Cornell system'swell-known security flaws.

"It is no act of genius or heroism to exploitsuch weaknesses," the commission said.

Morris, a first-year student, should havereported the flaws he discovered, which would"have been the most responsible course of action,and one that was supported by his colleagues," thepanel wrote.

According to Andrew H. Sudduth '83-'85, one ofthe two Harvard affiliates contacted by Morriswhen the worm spread out of control, Morris wassurprised and alarmed at the program's progressand had Sudduth broadcast a warning to computerusers nationwide.

The commission found that Morris probablywanted to spread the worm without detection, butdid not want to clog the computers. It said heclearly should have known the worm would replicateuncontrollably and accused Morris of "recklessdisregard" for the consequences.

Once the worm was unleashed, Morris made only"minimal efforts" to stop its spread and did notinform any person in a position of responsibilityabout the existence of the program, the commissionreported.

The panel disputed industry claims that theworm caused about $96 million in damage,"especially considering no work or data wereirretrievably lost."

The episode's greatest impact may be a loss oftrust among scholars who use the network, whichlinks research centers and universities thatexchange non-classified information.

The report said computer science professionalsseem to favor "strong disciplinary measures," butthe commission said they "should not be so sternas to damage permanently the perpetrator'scareer."

The panel also recommended Cornell develop auniversity-wide policy on computer abuse

Advertisement