October 30, 2008, 9:27 PM — Robert Tappan Morris, the 21-year-old Cornell University student who unleashed the first worm attack on the Internet in 1988, has fully rehabilitated his reputation in the computer science community. Today, he is a respected associate professor of computer science at MIT.
"I've met Robert. He's a nice guy, and he's a really brilliant professor," says Eric Allman, chief science officer at Sendmail and author of the sendmail Internet e-mail routing software that Morris exploited with his worm. "He tries to keep a low profile. I do feel kind of sorry for the guy."
Twenty years ago, however, many in the Internet engineering community wanted to see him punished after the worm he wrote caused around 10% of all Internet-connected systems to be knocked off the network. (See full account.)
"It was interesting to see how people viewed Morris," says Steve Bellovin, an Internet security expert who worked at Bell Labs when the Morris Worm attack occurred and is now a professor of computer science at Columbia University. "Some people who were really angered with Morris wanted stern retribution. Others said it was a stupid mistake and that he should not be barred from the profession."
Ultimately, Morris was sentenced to three years of probation, ordered to pay a US$10,000 fine and to perform 400 hours of community service for his violation of the federal Computer Fraud and Abuse Act of 1986.Â
"I don't think anybody ever thought that Mr. Morris had malice in his heart," says Gene Spafford, a computer science professor at Purdue University and executive director of Purdue's Center for Education and Research in Information Assurance and Security. "But he did intend his worm to spread, and he did intend it to have unauthorized access. . . . There is no question that it was wrong."
Even those who wanted Morris prosecuted say he ended up with too steep a punishment, especially given how mild his worm was compared to the attacks the Internet now faces daily. "Considering what others have done since then, I think the penalty he got was too harsh. It might have been better off prosecuted as a misdemeanor," Spafford says. "I think he should even be considered for a pardon because since then he's done nothing in his career to take advantage or to gain stature from the incident. He was contrite. . . . He has gone on to have a productive career."
Internet security experts say the reason for their lack of lingering anger with Morris is that he didn't mean to cause the Internet so much harm. "Morris' motive was to show there were security problems on the Internet that needed to be taken seriously, but he didn't do the arithmetic right on the exponential growth" of the worm he developed, Bellovin says.
"I don't think anyone believed that Robert was trying to destroy the Internet," Allman says. "He was young, he was a student, and he screwed up. Most of us screw up when we are young, but our screw-ups didn't make the front page of The New York Times."