Online Today            OLT-2180

ONLINE TODAY'S BACKGROUNDER: THE ROBERT MORRIS WORM CASE

  (Editor's note: Robert T. Morris was arrested in November 1988 on charges he
created and released a worm program that stymied thousands of Unix-based
computers. This file contains related stories carried by Online Today.)


  From 1988 files:

THOUSANDS OF UNIVERSITY, RESEARCH COMPUTERS STUCK IN MAJOR ASSAULT

  (Nov. 4)
  Thousands of Unix-based computers at universities and research and military
installations were slowed or shut down throughout the day yesterday as a rogue
program ripped through international networks, an incident proclaimed by some to
be the largest assault ever on the nation's computers.
  No permanent damage or security breaches appear to have occurred during the
attack. This led some to say this morning that the intrusion was not actually a
computer "virus" but rather was a "worm" program, in that it apparently was
designed to reproduce itself, but not to destroy data.
  Science writer Celia Hooper of United Press International says the virus/worm
penetrated the computers through a "security hole" in debugging software for
electronic mail systems that connect Unix-based computers, evidently then moving
primarily through ARPAnet (the Advanced Research Projects Agency Network) and
NSFnet (network of the National Science Foundation) that link 2,000 computers
worldwide.
  At other systems:
  -:- The virus/worm also apparently invaded the Science Internet network that
serves many labs, including NASA's Jet Propulsion Laboratory in Pasadena, Calif.
  -:- NASA spokesman Charles Redmond said there were no reports of the space
agency's network, Space Physics Analysis Network (SPAN), being affected by the
attack, but he added that SPAN was linked to some of the infected networks.
  Meanwhile, The New York Times this morning reported an anonymous call from a
person who said his associate was responsible for the attack and that the
perpetrator had meant it to be harmless.
  The caller told the newspaper that his associate was a graduate student who
made a programing error in designing the virus, causing the intruder to
replicate much faster than expected. Said The Times, "The student realized his
error shortly after letting the program loose and ... was now terrified of the
consequences."
  UPI's Hooper says the virus/worm intrusion was detected about 9 p.m. Eastern
Time Wednesday at San Francisco's Lawrence Livermore National Laboratory, one of
two such labs where nuclear weapons are designed. Spokeswoman Bonnie Jean
Barringer told UPI said the invasion "was detected and contained within two
hours."
  The rogue program evidently spread through a flaw in the e- mail system of the
networks. Hooper said it quickly penetrated Air Force systems at the NASA Ames
Research Center in Mountain View, Calif., and systems at the Massachusetts
Institute of Technology, the University of California at Berkeley, the
University of Wisconsin, the University of Chicago, the University of Michigan,
the University of Rochester, the University of Illinois and Rutgers, Boston,
Stanford, Harvard, Princeton, Columbia, Cornell and Purdue universities.
  Charley Kline, senior research programmer with the Computing Services Office
at the University of Illinois at Urbana-Champaign, Ill., told Associated Press
writer Bernard Schoenburg, "This is the first time that I know of that (a virus
infection) has happened on this scale to larger systems."
  Kline agreed the virus traveled between computer systems through e-mail and,
once the messages were received, they linked up to command controls and told the
local computers to make copies of the virus. Kline said the copies then sought
out other connected devices.
  He also said that as far as he knows, only locations using Digital Equipment
Corp.'s VAX computers or those systems made by Sun Microsystems Inc. were
affected. He estimated about 75 percent of all national networks use such
systems.
  Schoenburg also noted that all the affected computers use the BSD Unix
operating system, written at University of California/Berkeley as a modified
version AT&T's original Unix.
  Commenting on the situation, Chairman John McAfee of the new Computer Virus
Industry Association in Santa Clara, Calif., told AP writer Paul A. Driscoll,
"The developer was clearly a very high-order hacker (because) he used a flaw in
the operating systems of these computers."
  Research director Todd Nugent of the University of Chicago's computing
department told UPI computer operators across the country were tipped off to the
invasion when they noticed their Unix-based systems running unusually slowly.
The machines turned out to be bogged down by loads of viral programs. Nugent
said that in one machine he had disconnected, the virus appeared to have
replicated itself 85 times.
  Today, in the morning-after, systems operators were fighting back on several
fronts:
  -:- First, a software "patch" has been developed to fend off the virus/worm.
Spokesman Bill Allen of the University of Illinois at Urbana-Champaign told
UPI's Hooper, "The strategy is to shut off various (infected) computers from the
network then sanitize them, purging the virus with a patch program." Hooper said
the patches, which find and excise the virus/worm from the computer and then
plug the hole through which it entered, now are circulating on campuses and have
been posted nationally on computer bulletin board systems.
  -:- Secondly, the Defense Communications Agency has set up an emergency center
to deal with the problem. However, The New York Times noted that no known
criminal investigations are under way.
  NSFnet Program Manager Al Thaler told UPI he considered the virus/worm "a
mean-spirited, vicious thing that interferes severely with the communications
network our research computers live in. We are angry." Even though it will be
hard to determine who started the virus/worm, Thaler said, "We are going to
try."
  Finally, McAfee of the virus group told AP that this virus/worm was rare
because it infested computers at major institutions, not just personal
computers. "Any hacker in the world can infect personal computers," McAfee said,
"but in this case, the person who did this would have had to have been
physically at the site of one of the computers belonging to the network." He
added, though, that chances of identifying that person were "extremely slim."
  --Charles Bowen



REPORTS NAME 23-YEAR-OLD CORNELL STUDENT AS THE AUTHOR OF "VIRUS"

  (Nov. 5)
  A 23-year-old Cornell University student and the son of a government computer
security expert now is said to be the person who planted that "virus" that
stymied some 6,000 Unix- based computers across the nation for more than 36
hours this week.
  The New York Times this morning quoted two sources as identifying the suspect
as Robert T. Morris Jr., a computer science graduate student. The paper says
Cornell University authorities found that the young man possessed unauthorized
computer codes.
  The young man's father, Robert Morris Sr., the Silver Springs, Md., chief
scientist at the National Computer Security Center in Bethesda, Md.,
acknowledged this morning that "it's possible" his son was responsible for the
rapidly-replicating virus that started crashing international networks late
Wednesday night.
  However, Morris Sr., who is known for security programming in Unix systems,
told science writer Celia Hooper of United Press International that he had "no
direct information" on his son's involvement. He added he had not spoken to his
son in several days and was unaware of his whereabouts.
  The elder Morris also told The Times that the virus "has raised the public
awareness to a considerable degree. It is likely to make people more careful and
more attentive to vulnerabilities in the future."
  As reported here, the incident, in which thousands of networked computers at
universities and research and military installations were halted or slowed, is
said to be the largest assault ever on the nation's computers. However, no
permanent damage or security breaches appear to have occurred during the attack.
  Of Morris Jr.'s alleged involvement, Cornell Vice President M. Stuart Lynn
released a statement late last night saying the Ithaca, N.Y., university has
uncovered some evidence. For instance, "We are investigating the (computer
files) to see if the virus was inserted in the system at Cornell. So far, we
have determined that this particular student's account does hold files that
appear to have passwords for some computers at Cornell and Stanford University
to which he's not entitled.
  "We also found that his account contains a list of passwords substantially
similar to those contained in the virus," said Lynn. He added that students'
accounts show which computers they had accessed and what they had stored. The
university is preserving all pertinent computer tapes and records to determine
the history of the virus.
  Morris Jr. himself has not been reached for comment. Associated Press writer
Douglas Rowe says the young man is believed to have flown to Washington, D.C.,
yesterday and plans to hire a lawyer and to meet with officials in charge of the
infected computer networks to discuss the incident.
  Rowe also quotes computer scientists as saying the younger Morris worked in
recent summers at the AT&T's Bell Laboratories, where one of his projects
reportedly was rewriting the communications security software for most computers
that run AT&T's Unix operating system.
  AP also notes that computer scientists who now are disassembling the virus to
learn how it worked said they have been impressed with its power and cleverness.
  Of this, Morris' 56-year-old father told the Times that the virus may have
been "the work of a bored graduate student."
  Rowe says that when this comment was heard back at Cornell, Dexter Kozen,
graduate faculty representative in the computer science department, chuckled and
said, "We try to keep them from getting bored. I guess we didn't try hard
enough."
  Meanwhile, there already is talk of repercussions if Morris is determined to
be responsible for the virus.
  Lynn said, "We certainly at Cornell deplore any action that disrupts computer
networks and computer systems whether or not it was designed to do so. And
certainly if we find a member of the Cornell community was involved, we will
take appropriate disciplinary action." He declined to specify what the action
would be.
  In addition, federal authorities may be calling. Speaking with reporter Joseph
Verrengia of Denver's Rocky Mountain News late yesterday, FBI spokesman William
Carter said a criminal investigation would be launched if it is determined
federal law was violated. He said the bureau will review the Computer Fraud and
Abuse Act, which deals with unauthorized access to government computers or
computers in two or more states. Conviction carries a maximum penalty of 10
years in prison.
  --Charles Bowen


ROBERT MORRIS' FRIENDS SAY NO MALICE MEANT WITH ALLEGED VIRUS

  (Nov. 7)
  Friends of a Cornell University graduate student suspected of creating a
"virus" that jammed some 6,000 networked computers for 36 hours last week say
they believe he intended no malice and that he also frantically tried to warn
operators after he saw his programming experiment had gone terribly awry.
  Twenty-three-year-old Robert Tappen Morris Jr. is said to now be in contact
with his father -- Robert T. Morris Sr., a computer security expert with the
super secret National Security Agency - - and is expected to meet this week with
FBI agents after hiring a lawyer.
  As reported earlier, the virus, which started Wednesday night, spread along
several major networks and, for about 36 hours, created widespread disturbances
in the unclassified branch of the military's defense data system, as well as in
thousands of university and research computer systems. However, apparently no
information was lost or damaged.
  Morris Sr. told Associated Press writer David Germain that he met with FBI
agents for about an hour Saturday to explain why his son will not immediately
comply with their request for more information. The elder Morris said the family
has had preliminary discussions with an attorney and expects to hire one by
today. He said his son won't be available for a comment until at least tomorrow
or Wednesday.
  The New York Times yesterday quoted Morris' friends as saying he had spent
weeks creating the virus. However, the paper said that by all accounts Morris
meant no harm to the systems; instead, the virus, created as an intellectual
challenge, was supposed to lie dormant in the systems.
  A friend alleges Morris discovered a flaw in the electronic mail section of
the Unix 4.3 operating system, a modification of AT&T's original Unix produced
by the University of California at Berkeley. When he saw the flaw allowed him to
secretly enter the networked Unix computers, Morris literally jumped onto the
friend's desk and paced around on top of it, the Times reported.
  Cornell instructor Dexter Kozen told AP the flaw was "a gaping hole in the
system that I'm amazed no one exploited before." While the loophole was not
evident before the virus was unleashed, "in retrospect it's really quite
obvious," Kozen said.
  Incidentally, the programmer who designed Unix's e-mail program through which
the virus apparently entered told the Times this weekend that he had forgotten
to close a secret "back door." Eric Allman said he created the opening to make
adjustments to the program, but forgot to remove the entry point before the
program was widely distributed in 1985. He was working for a programming
organization at the University of California/Berkeley at the time.
  Friends and others say Morris' original vision was to spread a tiny program
throughout and have it secretly take up residence in the memory of each computer
it entered, the Times said.
  Working virtually around the clock, Morris reportedly made a single
programming error involving one number that ultimately jammed more than 6,000
computers by repeating messages time after time.
  AP's Germain said Morris reportedly went to dinner after setting the program
loose Wednesday night and then checked it again before going to bed. Discovering
his mistake, Morris desperately worked to find a way to stop the virus' spread.
  However, "his machines at Cornell were so badly clogged he couldn't get the
message out," said Mark Friedell, an assistant professor of computer science at
Harvard University, where Morris did his undergraduate studies.
  AP says that, panicked, Morris called Andrew Sudduth, systems manager at
Harvard's Aiken Laboratory. He asked Sudduth to send urgent messages to a
computer bulletin board system, explaining how to defeat the virus.
  Sudduth told The Washington Post, "The nets were like molasses. It took me
more than an hour to get anything out at all."
  At a press conference this weekend, Cornell University officials said that,
while the computer virus was traced to their institution, they actually had no
evidence to positively identify Morris as the virus creator.
  Said Dean Krafft, Cornell's computer facilities manager, "We have no
fingerprints. We have no eyewitness, but it was created on his computer
account." Krafft added that Morris' computer account holds files that appear to
have unauthorized passwords for computers at Cornell and Stanford University.
  In addition, Cornell Vice President M. Stuart Lynn said the origin of the
program is hard to investigate, and it may be impossible to trace the virus back
to Morris. "At this stage we're simply not in a position to determine if the
allegations are true," Lynn said, adding he did not know how long the
investigation would take.
  Curiously, in light of Krafft's statements, Lynn is quoted as saying, "It's
quite conceivable we may not be able to say with any certainty" if the virus was
created in Cornell's computer system.
  Lynn also said the university had been contacted by the FBI, but there was no
indication any criminal charges would be filed. Officials said the school could
discipline Morris if he was involved.
  By the way, one Cornell official, who spoke on condition of anonymity, told AP
that it appeared there was an earlier version of the virus in Morris' computer
files.
  Regarding possible penalties, United Press International this morning quoted
an FBI spokesman as saying that the person responsible for the virus could face
up to 20 years in prison and $250,000 in fines for the federal offense of
unauthorized access to government computers.
  Finally, Harvard graduate student Paul Graham, a friend of Morris, told the
Times he thought Morris' exploit was similar to that of Mathias Rust, the young
West German who flew a light plane through Soviet air defenses in May 1987 and
landed in Moscow.
  "It's as if Mathias Rust had not just flown into Red Square, but built himself
a stealth bomber by hand and then flown into Red Square."
  --Charles Bowen



FBI UPGRADES VIRUS PROBE TO A "FULL CRIMINAL INVESTIGATION"

  (Nov. 8)
  The young man alleged to have written the virus that stymied some 6,000
networked computers last week has hired a Washington, D.C., attorney. His
selection apparently comes just in time, because the FBI reportedly is upgrading
its probe of the matter to a full criminal investigation.
  Robert T. Morris Jr., 23-year- old Cornell University graduate student, has
not been formally charged, but nonetheless is widely alleged to have created the
virus that played havoc for 36 hours last week with Unix- based computers on the
Pentagon-backed ARPANET network and other systems.
  Associated Press writer Anne Buckley this morning reported that lawyer Thomas
Guidoboni of the Washington firm of Bonner & O'Connell has been retained to
represent Morris. Guidoboni told Buckley, "We have notified the federal
authorities of our representation and (Morris') whereabouts. We are in the
process of investigating the facts and circumstances which have been reported by
the press in order to determine our course of action."
  Meanwhile, The Washington Post this morning quoted law enforcement sources as
confirming their inquiry has been expanded to a full field investigation by the
FBI's Washington field office. That means the FBI has consulted with federal
prosecutors, agreed that the bureau has jurisdiction and that there is reason to
believe there may have been a violation of federal criminal law.
  "In a full-scale investigation," Buckley said, "the government has the power
to subpoena records and documents and compel testimony through the authorization
of immunity, two techniques which are not permitted through preliminary
inquiries. The move indicate(s) the FBI (is) moving very quickly in the case
because in many instances, preliminary inquiries take a month or more."
  AP also quoted a government source who spoke on condition of anonymity as
saying investigators aren't sure whether any criminal activity actually
occurred, as defined by a statute passed in 1984.
  Says Buckley, "A section of that law says it is unlawful to enter a government
computer with the intent to disrupt its functions. The crime is punishable by up
to 10 years in prison. The source said that in this case, there's no evidence
that anything was taken from the computers, but rather that it was a question of
disrupting computer systems. One section of law addresses sabotage, but the
source said it (is) unclear whether the virus case would involve an intent to
disrupt the computer."
  AP says its source believes the bureau is investigating the matter in view of
the fact that there were breaches of security, and that the Justice Department
will have to determine whether the matter involved criminal conduct.
  --Charles Bowen



GOVERNMENT MAY SUBPOENA CORNELL

  (Nov. 9)
  Sources close to the investigation of last week's massive virus attack say the
government may seek search warrants or subpoenas to get documents from Cornell
University before trying to interview the virus's alleged author.
  Associated Press writer Pete Yost quotes Washington, D.C., lawyer Thomas
Guidoboni as saying he hasn't been contacted by the FBI since informing the
bureau that he was chosen on Monday to represent the suspect, 23-year-old Robert
T. Morris Jr., a Cornell graduate student.
  Says Guidoboni, "The ball's in their court. We're waiting to hear from them."
  Yost notes that earlier the FBI had sought to question Morris, but that was
before Guidoboni was retained. The lawyer told AP he didn't think "we'll have
enough information by the end of this week" to determine whether to talk to the
FBI. He says he wants to talk more with his client before deciding what course
to take.
  Says the wire service, "The possibility of seeking grand jury subpoenas or a
search warrant for data at Cornell that could shed light on the computer virus
incident was considered (yesterday) within the FBI. It was discarded as being
unnecessary and then revived in discussions with Justice Department lawyers,
said the sources, speaking on condition of anonymity."
  Meanwhile, Cornell Vice President M. Stuart Lynn reiterated that the
university will cooperate fully with the investigation.
  Morris, son of acclaimed computer security expert Robert Morris Sr. of Arnold,
Va., has not been formally charged. Still, he is widely alleged to be the person
who created the virus that paralyzed some 6,000 networked Unix-based computers
on the Pentagon-backed ARPANET network and other systems for about 36 hours last
week.
  --Charles Bowen



FBI LOOKING AT WIDE RANGE OF POSSIBLE VIOLATIONS IN VIRUS CASE

  (Nov. 10)
  The FBI now is looking at a wide range of possible federal violations in
connection with last week's massive computer virus incident, ranging beyond the
bureau's original focus on the provisions of the Computer Fraud and Abuse Act of
1986.
  That was the word today from FBI Director William Sessions, who told a news
conference in Washington that the FBI is trying to determine whether statutes
concerning wire fraud, malicious mischief or unlawful access to stored
communications may have been broken.
  The Associated Press notes that earlier the FBI had said it was concentrating
on the 1986 Computer Fraud and Abuse Act, which prohibits fraud or related
activity in connection with computers.
  The FBI chief said, "We often look at intent as being knowing and intentional
doing of an act which the law forbids and knowing that the law forbids it to be
done. But we also have other statutes which deal simply with knowingly doing
something."
  The wire service observed the following about two statutes to which Sessions
referred:
  -:- The malicious mischief statute provides a maximum 10-year prison term for
anyone who wilfully interferes with the use of any communications line
controlled by the US government.
  -:- The unlawful access law makes it a crime to prevent authorized access to
electronic communications while they are in electronic storage and carries a
maximum six-month jail term absent malicious destruction or damage.
  Sessions also told reporters the preliminary phase of the bureau's criminal
investigation probably will be completed in the next two weeks.
  As reported here earlier, authorities think 23-year-old Cornell University
student Robert T. Morris created the virus that disrupted thousands of networked
computers last week. However, Morris has not yet been charged with any crime.
  --Charles Bowen



FBI SEIZES MORRIS RECORDS IN PROBE OF NATIONAL VIRUS CASE

    (Nov. 17)
  While young Robert T. Morris Jr. still has not been charged with anything in
connection with the nation's largest computer virus case, the FBI now reveals
that items it has seized so far in its probe include magnetic tapes from Morris'
computer account at Cornell University.
  The Associated Press reports that documents released by the FBI late yesterday
say investigators seized "two magnetic tapes labeled `files from Morris account
including backups' and hard copy related thereto" from Dean Krafft, a research
associate in computer science at Cornell, where the 23- year-old Morris is a
graduate student.
  AP says the agents also obtained "two yellow legal pads with calculus and
assorted notes." Associate university counsel Thomas Santoro had taken the legal
pads from an office in Upson Hall, a campus building that contains computer
science classrooms and offices, AP says.
  Even though Morris hasn't been charged, it has been widely reported that the
young man told friends he created the virus that stymied an estimated 6,200
Unix- based computers on ARPANET and other networks for some 36 hours earlier
this month.
  As reported, the FBI is conducting a criminal investigation to determine
whether statutes concerning wire fraud, malicious mischief or unlawful access to
stored communications may have been violated.
  AP quotes these latest FBI documents as saying that US District Judge Gustave
J. DiBianco in the northern district of New York in Syracuse issued two warrants
on Nov. 10 for the Cornell searches. The FBI searches were conducted that same
afternoon.
  "The government had said earlier that it might try to obtain documents from
the university before interviewing Morris," AP observes, "and Cornell's vice
president for information technologies, M. Stuart Lynn, had said the university
would cooperate fully with the investigation."
  --Charles Bowen




MORRIS CASE NOW BEFORE GRAND JURY

  (Nov. 21)
  The case of Robert T. Morris Jr., the 23-year-old Cornell University graduate
student alleged to have created the "virus" that jammed some 6,200 networked
computers, now is being weighed by a Syracuse, N.Y., federal grand jury.
  Speaking with The Associated Press recently, Assistant US Attorney Andrew
Baxter declined to say when the panel began hearing evidence or whether anyone
has been subpoenaed to testify.
  Said Baxter, "I can say this is the only district in which a grand jury
investigation is pending. Some evidence has been presented to the grand jury."
He also declined to say whether anyone other than Morris is targeted in the
investigation.
  As reported earlier, the FBI, which has subpoenaed computer tapes and other
records at Cornell's computer science department, is conducting a criminal
investigation to determine whether statutes on wire fraud, malicious mischief or
unlawful access to stored communications may have been broken.
  No one has been charged, but it has been widely reported that Morris told
friends he created the virus that stymied military and research computers on
ARPANET and other networks for some 36 hours earlier this month.
  Meanwhile, an official with Los Alamos National Laboratory has told reporter
Lawrence Spohn of The Albuquerque, N.M., Tribune that his lab spent an estimated
$250,000 to cleanse its computers of that virus.
  Security chief Jim McClary said the cost covered some 900 hours of labor to
clean 400 terminals.
  McClary said he wasn't shocked by the virus, "but the surprising thing is how
rapidly it spread ... and the amount of people and time it took to clean up."
  While the virus was short-lived and affected primarily computer time and
personnel, as opposed to data or information, the incident demonstrates how
vulnerable computer systems and networks can be, he said.
  --Charles Bowen



3 HARVARD EXPERTS TO TALK WITH GRAND JURY IN "MORRIS VIRUS" CASE

  (Nov. 24)
  Cambridge, Mass., officials confirm that three Harvard computer specialists
have been called to testify before that federal grand jury in Syracuse, N.Y.,
that is looking in the jamming of some 6,200 networked computers by a "virus"
earlier this month.
  Harvard attorney Frank J. Connors tells United Press International the three
aren't themselves targets of the inquiry, but rather were summoned to testify
about their relationship with Robert T. Morris Jr., a 1988 Harvard graduate who
is said to be the creator of the virus.
  As reported here earlier, Assistant US Attorney Andrew Baxter says Syracuse is
the only district in which a grand jury investigation of the virus case is
pending.
  UPI says that those subpoenaed by FBI agents to appear before the grand jury
next Wednesday are assistant computer science professor Mark Friedell, computer
programmer Andrew H. Sudduth and graduate student Paul Graham.
  Connors told the wire service, "The FBI served search warrants and we gave
them the computer information they requested." The the men are "simply
witnesses, not targets," he said, adding, "In the eyes of the Justice
Department, they may have information."
  Friedell was Morris' thesis adviser at Harvard. Sudduth and Graham were
working at Harvard's Aiken Computational Laboratories on Nov. 2 when Morris
telephoned from Cornell University. As noted earlier, Morris, now a graduate
student at Cornell, is believed to have called associates for advice on how to
warn other computer users and how to remove the virus.
  --Charles Bowen


MORRIS ASSOCIATES APPEAR

  (Dec. 1)
  Two Harvard University computer experts, graduate student Paul Graham and
programmer Andrew H. Suddeth, appeared yesterday before a federal grand jury in
Syracuse, N.Y., which is investigating the virus incident.
  Suddeth said earlier that Robert T. Morris called him in a panic for help in
getting out a message to other computer operators after he reportedly realized
what the virus was doing.
  The Associated Press says a third person subpoenaed -- Mark Friedell, an
associate professor of computer science -- was excused from testifying because
he told prosecutors he knew nothing about the allegations of Morris' involvement
with the virus.
  Morris has not been subpoenaed to appear before the grand jury, lawyer Thomas
Guidoboni of Washington, D.C., told the Syracuse Herald-Journal.
  Says AP, "Guidoboni so far has advised Morris not to talk with anyone about
the virus, including FBI agents. But the lawyer said an agreement may soon be
reached in which an interview with agents would be arranged."
  --Charles Bowen


  From 1989 files:

SPLIT SEEN ON HOW TO PROSECUTE MAN ACCUSED OF ARPANET VIRUS

  (Feb. 2)
  Authorities apparently are divided over how to prosecute Robert T. Morris Jr.,
the 23- year-old Cornell University graduate student suspected of creating the
virus that stymied the national Arpanet computer network last year.
  The New York Times reports today these two positions at issue:
  -:- US Attorney Frederick J. Scullin in Syracuse, N.Y., wants to offer Morris
a plea bargain to a misdemeanor charge in exchange for information he could
provide. Scullin reportedly already has granted Morris limited immunity in the
case.
  -:- Some in the US Justice Department want Morris charged with a felony in
hopes of deterring similar computer attacks by others. They are angry over
Morris's receiving limited immunity.
  Confirming a report in The Times, a source who spoke on condition of anonymity
told Associated Press writer Carolyn Skorneck the idea of granting Morris
limited immunity has "caused a lot of consternation down here."
  Skorneck notes the 1986 Computer Fraud and Abuse Act makes unlawful access to
a government computer punishable by up to a year in jail and a $250,000 fine. If
fraud is proved, the term can reach 20 years in prison.
  The source told AP, "As far as we're concerned, the legal problem was still
(Morris's) intent." In other words, officials apparently are uncertain whether
Morris had planned to create and spread the virus that infected some 6,000
government computers on the network last Nov. 2.
  As reported earlier, Morris allegedly told friends he created the virus but
that he didn't intend for it to invade the Unix- based computers linked to
Arpanet.
  Skorneck says Mark M. Richard, the Justice Department official who is
considering what charges should be brought in the case, referred questions to
the FBI, which, in turn, declined to discuss the case because it is an ongoing
investigation.
  However, Skorneck's source said he understood the FBI was extremely upset over
the limited immunity granted to Morris.
  Meanwhile, Morris's attorney, Thomas Guidoboni of Washington, D.C., said no
plea bargain had been worked out, "They have not told me," he said, "what
they've recommended, and I've not offered on behalf of my client to plead guilty
to anything. I have told them we won't plead guilty to a felony. I'm very
emphatic about that."
  --Charles Bowen


MORRIS "WORM" WAS NEITHER GENIUS NOR CRIMINAL, COMMISSION SAYS

  (April 2)
  A Cornell University investigating commission says 23- year-old graduate
student Robert Morris acted alone in creating the rogue program that infected up
to 6,000 networked military computers last Nov. 2 and 3.
  In addition, the panel's 45- page report, obtained yesterday by The Associated
Press, further concludes that while the programming by the Arnold, Md., student
was not the work of a genius, it also was not the act of a criminal.
  AP says Morris, who is on a leave of absence from Cornell's doctoral program,
declined to be interviewed by the investigating commission.
  Speculating on why Morris created the rogue program, the panel wrote, "It may
simply have been the unfocused intellectual meanderings of a hacker completely
absorbed with his creation and unharnessed by considerations of explicit purpose
or potential effect."
  Incidentally, the panel also pointed out what others in the industry observed
last November, that the program technically was not a "virus," which inserts
itself into a host program to reproduce, but actually was a "worm," an
independent program that endlessly duplicates itself once placed in a computer
system.
  As reported, Morris still is being investigated by a federal grand jury in
Syracuse, N.Y., and by the US Justice Department in Washington, D.C.
  AP says the university commission rejected the idea that Morris created the
worm to point out the need for greater computer security. Says the report, "This
was an accidental byproduct of the event and the resulting display of media
interest. Society does not condone burglary on the grounds that it heightens
concern about safety and security."
  The report said, "It is no act of genius or heroism to exploit such
weaknesses," adding that Morris, a first-year student, should have reported the
flaws he discovered, which would "have been the most responsible course of
action, and one that was supported by his colleagues."
  The group also believes the program could have been created by many students,
graduate or undergraduate, particularly if they were aware of the Cornell
system's well-known security flaws.
  The wire service quotes the report as speculating Morris probably wanted to
spread the worm without detection, but did not want to clog the computers. In
that regard, the commission said Morris clearly should have known the worm would
replicate uncontrollably and thus had a "reckless disregard" for the
consequences.
  However, the Cornell panel also disputed some industry claims that the Morris
program caused about $96 million in damage, "especially considering no work or
data were irretrievably lost." It said the greatest impact may be a loss of
trust among scholars who use the research network.
  AP says the report found that computer science professionals seem to favor
"strong disciplinary measures," but the commission said punishment "should not
be so stern as to damage permanently the perpetrator's career."
  --Charles Bowen


ETHICS STUDY NEEDED IN COMPUTING

  (April 4)
  A Cornell University panel says education is more effective than security in
preventing students from planting rogue programs in research networks.
  As reported earlier, the panel investigated the work of Cornell graduate
student Robert Morris Jr., concluding the 23-year-old Maryland man acted alone
and never intended permanent damage when he inserted a "worm" into a nationwide
research network last November.
  Speaking at a press conference late yesterday in Ithaca, N.Y., Cornell Provost
Robert Barker said, "One of the important aspects of making the report public is
that we can now use it on campus in a much fuller way than we have before."
  United Press International says Cornell has taken steps to improve its
computer security since the incident, but members of the committee noted that
money spent on building "higher fences" was money that could not be spent on
education.
  Barker said Cornell will place a greater emphasis on educating its students on
computer ethics, and might use the recent case as an example, instead of relying
primarily on increased security to prevent similar incidents. Said the provost,
"It was the security of the national systems, and not of Cornell, that was the
problem here."
  As reported, Morris's worm infected up to 6,000 Unix-based computers across
the country. A federal grand jury in Syracuse, N.Y., investigated the case and
Justice Department officials in Washington now are debating whether to prosecute
Morris.
  --Charles Bowen




MORRIS SUSPENDED FROM CORNELL

  (May 25)
  Robert T. Morris, the 23-year-old graduate student whose "worm" program
brought down some 6,000 networked government and scientific computers last
November, has been suspended from Cornell University.
  The New York Times reported today Cornell officials have ruled that Morris, a
first-year graduate student, violated the school's Code of Academic Integrity.
  The paper quoted a May 16 letter to Morris in which Alison P. Casarett, dean
of Cornell's graduate school, said the young man will be suspended until the
beginning of the 1990 fall semester. Casarett added that if Morris wants to
reapply, the decision to readmit him will be made by the graduate school's
computer science faculty.
  The Times says the letter further states the decision to suspend Morris was an
academic ruling and was not related to any criminal charges Morris might face.
  No criminal charges have been levied against Morris so far. A federal grand
jury earlier forwarded its recommendations to the US Justice Department, but no
action has been taken.
  As reported last month, a Cornell University commission has said Morris'
action in creating and accidentally releasing the worm program into the ARPANET
system of Unix-based computers at universities, private corporations and
military installations was "a juvenile act that ignored the clear potential
consequences."
  While the Morris worm did not destroy data, it forced the shut- down of many
of the systems for up to two days while they were cleared of the rogue program.
  --Charles Bowen



MORRIS INDICTED IN WORM INCIDENT

  (July 27)
  A federal grand jury has indicted the 24-year-old Cornell University graduate
student who is alleged to have released a "worm" program that temporarily
crippled the massive Internet computer network last November.
  Robert Tappan Morris of Arnold, Md., becomes the first person to be indicted
under the federal Computer Fraud and Abuse Act of 1986 in connection with the
spread of a computer virus.
  In convicted, Morris faces a maximum sentence of five years in federal prison
and a $250,000 fine. Morris' attorney, Thomas A. Guidoboni, said his client will
fight the charges.
  The virus, a worm that sought out unused memory throughout the system and
recopied itself to fill the vacant space, infected at least 6,000 computers
nationwide. Internet is an unclassified, multinetwork system connecting 500
networks and more than 60,000 computers around the world.
  The indictment, handed up yesterday in Syracuse, N.Y., charges Morris
"intentionally and without authorization, accessed ... federal interest
computers."
  The action, the indictment continued, "prevented the authorized use of one or
more of these federal interest computers and thereby caused a loss to one or
more others of a value aggregating $1,000 or more."
  The indictment said the illegally accessed computers included those at the
University of California at Berkeley, the Massachusetts Institute of Technology,
the National Aeronautics and Space Administration, Purdue University and the US
Air Force Base Logistics Command at Wright Paterson Air Force Base in Dayton,
Ohio.
  "Mr. Morris will enter a plea of not guilty and contest the charge against
him," Guidoboni said. He said his client "looks forward to his eventual
vindication and his return to a normal life."
  Morris, a Harvard graduate and computer science graduate student at Cornell,
is about to begin a one-year suspension from Cornell that stemmed from the
incident. His father is chief computer scientist for the National Computer
Security Center near Baltimore.
  The indictment comes less than a week after the General Accounting Office
found that Internet and other similar systems remain open to attack with much
more serious results than the temporary shutdown experienced last year.
  The GAO warned the Internet virus was relatively mild compared to other more
destructive viruses. It went on to recommend the President's Science Advisor and
the Office of Science and Technology Policy take the lead in developing new
security for Internet.
  In addition, the report said Congress should consider changes to the Computer
Fraud and Abuse Act, or the Wire Fraud Act, to make it easier to bring charges
against computer saboteurs.
  The GAO said the Internet worm spread largely by exploiting security holes in
system software based on the Berkeley Software Distribution Unix system, the
most commonly used operating system on Internet.
  The report from the GAO said the virus moved with startling speed. It was
first detected at 9 p.m. on Nov. 2. Within an hour it had spread to multiple
sites and by the next morning had infected thousands of systems.
  According to GAO, the virus had four methods of attack. It used:
  -:- A debugging feature of the "Sendmail" utility program to allow the sending
of an executable program. After issuing a debug command, the virus gave orders
to copy itself.
  -:- A hole in another utility program -- "Fingerd," which allows users to
obtain public information about other users -- to move on to distant computers.
  -:- Different methods to guess at user passwords. Once successful, the virus
"masqueraded" as a legitimate user to spread and access other computers.
  -:- "Trusted host" features to spread quickly though local networks once one
computer was penetrated.
  --J. Scott Orr



MORRIS TO PLEAD INNOCENT

  (Aug. 2)
  Robert T. Morris Jr., the former Cornell University graduate student who was
indicted last week by a federal grand jury, will plead innocent in federal court
to charges he planted a computer worm that wrecked havoc with some 6,000
computers nationwide, reports United Press International.
  As reported, the 24-year-old Arnold, Md., resident was indicted by the grand
jury on charges of breaking a federal statute by gaining unauthorized access to
a nationwide computer network and causing damage in excess of $1,000.
  Both federal investigators and a Cornell University panel claim Morris created
the computer worm, which spread from the Cornell campus in Ithaca, N.Y., on Nov.
2 to computers around the country, notes UPI.
  The worm infiltrated a Department of Defense computer system and forced many
federal and university computers to shut down.  The exact amount of damage has
not been determined.
  If convicted, Morris could be sent to prison for five years and fined up to
$250,000.  In addition, the judge could order him to make restitution to those
who were adversely affected by the incident.
  -- Cathryn Conroy



PROSECUTORS ASK JUDGE NOT TO DISMISS ROBERT MORRIS "WORM" CASE

  (Oct. 14)
  Following defense allegations of prosecutorial misconduct, federal prosecutors
have filed a legal brief asking the judge not to dismiss felony charges against
former Cornell University graduate student Robert T. Morris accused of computer
fraud in last November's "worm" incident.
  Morris attorney Thomas Guidoboni has alleged his client's right to a fair
trial has been damaged by prosecutors allegedly leaking news to reporters. Last
month, Guidoboni accused federal officials of improperly revealing that Morris
made a statement to prosecutors and that officials were considering whether he
should be allowed to plead guilty to a misdemeanor.
  Now trial lawyer Mark Rasch of the fraud section of the Criminal Division of
the US Department of Justice, has filed a brief asking federal Judge Howard
Munson not to dismiss the charges.
  Steve Schaefer of United Press International reports Judge Munson has
scheduled a hearing on the issue for next Friday at US District Court for the
Northern District of New York. If Munson does not throw out the indictment, he
is expected to schedule a date to begin the trial, Schaefer writes.
  Guidoboni's motion said there were articles in the local newspapers in
Syracuse, N.Y., and that the release of the information contained in the
articles violated Department of Justice regulations and agreements between the
Department of Justice and defense council.
  Schaefer notes Justice Department officials neither denied nor confirmed a
prosecutor had improperly leaked information about the case, but Rasch's brief
argues the defense did not offer proof of any specific harm Morris suffered as a
result of the alleged news leak.
  Guidoboni's other motion argues the indictment should be dismissed because it
fails to allege Morris intended to cause damage or prevent the use of the
computers. "It also alleged that the statute and indictment are vague, and fail
to put him on notice of what kind of conduct is illegal," Rasch said. "Our
response is essentially that it is neither vague nor ambiguous."
  The 24-year-old Morris, who is currently suspended from Cornell, is accused of
creating the computer "worm" that invaded an estimated 6,000 computers
nationwide through ARPANET, a network that links research computers at military
bases, universities and other institutions. He is the first person to be charged
with violating a specific section of the 1986 Computer Fraud and Abuse Act.
  --Charles Bowen


  From 1990 files:


ROBERT MORRIS "WORM" TRIAL BEGINS

  (Jan. 8)
  Jury selection was beginning today in Syracuse, N.Y., for the federal trial of
Robert T. Morris Jr., 24-year-old suspended Cornell University graduate student
accused of designing and releasing a "worm" program that stymied some 6,000
networked computers on Nov. 2, 1988.
  If convicted in this first criminal trial under the 1986 federal Computer
Fraud and Abuse Act, the Arnold, Md., man faces up to five years in prison and a
$250,000 fine.
  The New York Times reported yesterday the defense will try to demonstrate
Morris's concern for computer safety by showing a videotape of a 1987 lecture he
made to officials of the National Security Agency about on how to foil computer
crackers.
  However, the Time noted, prosecutors also might use the videotapes against
Morris. And the tape could lead testimony into classified areas.
  Morris, who also is the son of a chief scientist at the NSA's National
Computer Security Center in Bethesda, Md., was indicted in July on a charge of
intentionally, without authorization, introducing a program into the military
and research computer network.
  Computers shut down in the incident included some at the National Aeronautics
and Space Administration facility at Moffett Field, Calif., and the US Air Force
Logistics Command system at Wright-Patterson Air Force Base in Dayton, Ohio.
  Officials have said the outage cost millions of dollars in damage. The Reuter
Financial News Service says it understands that the only damage the government
plans to allege at the trial is based on the hours needed to remove the program
from thousands of sites across the country.
  Reuter added, "While Morris has refused a government offer of a trial
stipulation that his actions launched the worm that clogged the computer
network, he is not disputing that he wrote and dispatched the program."
  The wire service quoted papers on file in federal court as saying Morris met
with investigators and members of the US attorney's office on Dec. 1, 1988, and
outlined what happened under an agreement that the information could not be used
directly against him.
  "After the meeting, the US attorney's office in Syracuse recommended Morris be
allowed to plead guilty to a misdemeanor," Reuter said. "But Justice rejected
the request and insisted the matter be handled as a felony. Morris' defense
attorney Thomas Guidoboni is expected to focus on intent."
  Reuter observes that the literal wording of the computer security act requires
the government prove three separate elements, that:
  -:- Morris intentionally released the alleged worm program.
  -:- That he had no authorization to access those machines.
  -:- And that the unauthorized release caused a loss of at least $1,000 during
a one-year period.
  The wire service added that computer experts who analyzed the worm and
comments found in Morris' computer files believe the former student intended the
worm to sit in different computers harmlessly, possibly flashing a message to
alert users to security weaknesses. However, a small programing error caused the
program to replicate uncontrollably, causing machines on the network to quickly
become clogged, the experts say.
  About the case, computer science professor emeritus Harold Highland at the
State University of New York told Associated Press writer William Kates that the
trial is a chance to garner support for tougher anti-cracker laws.
  "It's a no-lose situation," said Highland, who also is editor of the Computers
& Security trade journal, "because the trial will showcase the weaknesses of
computer security and current computer security law."
  He said the trial will focus attention on the need for more stringent computer
tampering legislation. If the government loses, Highland said, computer security
advocates "will say there is a need for stronger laws. If the government wins,
they'll say he did it because the system is weak and we need to tighten up the
system."
  In addition, associate professor Eugene Spafford of Purdue University, who is
expected to be a government witness, told AP that losses from computer crimes in
the United States total about $7 billion annually.
  "Ten years ago," he said, "these kinds of things didn't hurt anybody, but you
have to realize now all the places where computers are used and the dangers
involved in shutting down a system or damaging data."
  Reports from The Associated Press and from Reuter's financial news service are
available in the Executive News Service (GO ENS).
  --Charles Bowen


JURY SELECTED FOR MORRIS TRIAL

   (Jan. 9)
  A jury of eight women and four men has been chosen for the federal trial of
Robert T. Morris Jr., suspended Cornell University graduate student accused of
crippling the national Internet computer network in November 1988 with a worm
program.
  The first 10 potential jurors questioned yesterday from a pool of 93 were
dismissed due to objections by the judge or by the lawyers. Defense attorney
Thomas Guidoboni singled out for elimination jury candidates who said they had
computer experience.
  However, after the first 10 rejections, all parties were able to agree on the
next 12 candidates, finishing jury selection in less than three hours.
  In the major legal maneuver of the day, Justice Department lawyers filed a
motion seeking to hinder Morris' expected defense that he did not intend to
paralyze the network by allegedly introducing the worm.
  Associated Press writer William Kates reports the prosecutors asked Judge
Howard Munson to limit examination of witnesses on Morris' state of mind,
specifically whether it was his intent to prevent authorized use of Internet and
to cause any loss or damage to the system.
  Said the motion, "The evidence of lack of intent to cause loss or lack of
intent to prevent the authorized use of the victim computers, however, is simply
not relevant to any issue in this case."
  Judge Munson did not immediately rule on the motion. However, Kates noted that
when defense attorney Guidoboni raised the question of intent in a pretrial
motion to have Morris' indictment dismissed, Judge Munson rejected the argument
that the defendant's intentions were pertinent to the indictment's legality.
  Guidoboni contends the federal law is unclear as to whether criminal intent
means intent to cause damage or simply intent to gain access to computer
systems.
  Kates says the prosecutors also asked the court to allow witnesses to explain
what the worm program was designed to do.
  In a separate motion, the government said, "Evidence that Morris designed
earlier versions of the computer virus are relevant to the charges." AP reports
the earlier versions were not launched.
  The wire service predicts the trial will last about two weeks. The government
has presented the court with a list of about 20 potential witnesses and
Guidoboni has named at least four witnesses in court.
  --Charles Bowen


CORNELL OFFICIAL SAYS MORRIS WORKED WEEKS ON WORM PROGRAM

  (Jan. 10)
  An official with Cornell University's computer science department has
testified that suspended graduate student Robert T. Morris worked for weeks
trying to perfect a worm program that is said to be responsible for crashing
thousands of networked computers on Nov. 2, 1988.
  Testifying yesterday in Morris' federal computer tampering trial in Syracuse,
N.Y., Dean Krafft, director of computer facilities for Cornell's computer
science department, told the jury his investigation found that forms of the worm
program existed in Morris' Cornell computer account as early as Oct. 15, 1988.
  According to dispatches from Associated Press writer William Kates and from
Steve Schaefer of United Press International, Kraft said those files were hidden
so they would remain undiscovered in a normal search of computer files.
  Krafft said he was able to uncover them as part of an exhaustive search of all
computer science department files following the Nov. 2 disruption of some 6,000
Unix-based systems on the Internet research network, including those at NASA and
at Air Force facilities.
  Testifying before about 50 reporters and spectators in the federal courtroom,
Krafft said the files in question were encrypted and in a compressed form that
would keep somebody else from reading them.
  Also included in those files, he said, were the decrypted passwords of 73
other computer users at Cornell. And Krafft said he found password files from
the University of California in Berkeley, Massachusetts Institute of Technology
and Harvard University.
  Krafft told the court the final worm program stored in Morris' computer area
on Nov. 2 took two days to decode and an additional week to translate.
  The government hopes that Krafft's testimony will bolster accusations made by
Justice Department trial attorney Mark Rasch in his opening statement earlier
yesterday. Rasch told the jury it is the government's position that Morris
launched a "full-scale assault" on military and research computer networks with
a program purposely made "hard to defeat."
  Rasch said Morris "devoted a lot of time, energy and research to planning this
assault" from his computer at Cornell University in Ithaca, N.Y. "This assault
was deliberate, it was planned, it was calculated."
  The prosecutor said the worm program was designed to break into as many
computers connected to Internet as possible and that it was programmed with many
different ways to accomplish its goal.
  "It was designed to be innocuous," Rasch said. "It was designed to hide itself
to frustrate the victims of the attack. It was deliberately and consciously
designed to be difficult to trace back to him. He took extraordinary steps to
protect himself from being caught."
  Added Rasch, "Valuable computer time was lost, valuable research was lost,
people could not communicate with each other, their computers were crashing.
They were being assaulted from the outside."
  Countering the government's case, defense attorney Thomas Guidoboni said in
his opening statement that Morris had only been experimenting with computer
security and that creation of the program did not constitute a felony.
  Morris "made a critical mistake and it caused the (worm) to spread much faster
than he anticipated," Guidoboni said. But "this worm caused no permanent damage
and it was not designed to cause permanent damage. ... It was designed to spread
slowly and quietly and only affect a few computers."
  Guidoboni said that once Morris realized the problems the program was causing,
he tried unsuccessfully to stop it, then tried to notify those connected with
the network.
  The defense counsel also characterized Internet as a network chiefly concerned
with research and "not a network that launched missiles and sends out armies."
He added, "This network was used for playing chess, sending love letters,
sending recipes" as well as research.
  Guidoboni said Morris, whose father is chief scientist at the National
Security Agency's National Computer Security Center in Fort Meade, Md., is a
"bright young man" keenly interested in computer safety.
  The worm, the attorney said, "was an experiment that had never been done
before. You will hear that he made a mistake, a critical mistake that caused
this (worm) to spread a lot quicker and caused its immediate discovery."
  "There are two sides to every story," Guidoboni said. "Mr. Morris is not
charged with assault or breaking or entering. Mr. Morris isn't charged with
assaulting anyone." In fact, the lawyer said, Morris "made several important
contributions to computer safety. This was a special concern to him."
  As reported earlier, the Morris trial is expected to last about two weeks.
  --Charles Bowen



MORRIS "WORM" SAID MEANT TO CRACK AS MANY COMPUTERS AS POSSIBLE

  (Jan. 12)
  A California computer analyst says the worm program that stymied 6,000
networked computers 14 months ago was "designed to break into as many computer
systems as possible, and be difficult to detect."
  Testifying at the trial of the man accused of creating that worm, Keith
Bostic, a computer analyst at the University of California at Berkeley, said the
rogue program "was designed to solve or crack computer passwords. The worm
actually had as part of its program a list of passwords that it would try."
  And, Bostic testified, the list closely matched one that investigators say
they found in computer files maintained by 25-year-old Robert T. Morris at
Cornell University.
  Morris, a 1988 Harvard University graduate who was attending his first year of
graduate school at Cornell, is charged with releasing the worm that crippled
computers on the Internet and Arpanet systems Nov. 2, 1988.
  Reporting on the trial from Syracuse, N.Y., Steve Schaefer of United Press
International quoted Bostic as saying the worm was designed so that if one of
the about 430 passwords on its list did not get into a system, the program would
use other basic information to try to crack the password.
  If that did not work, the witness said, the worm would use a computerized
dictionary until it found a match for the password. And, if the host computer's
security was programmed to jumble passwords, the worm would try different
methods to solve the jumble.
  Finally, Bostic said, the worm also was programmed to change its own name to
"sh," the name of a common program in the targeted systems, and to change its
identification number frequently, making it more difficult to detect.
  "It uses simple, quick, powerful attacks," Bostic said.
  Morris, who lives in Arnold, Md., is the first person to be prosecuted under a
portion of the 1986 Computer Fraud and Abuse Act. If convicted, he faces up to
five years in prison and a $250,000 fine.
  --Charles Bowen


CORNELL CLASSMATE CALLS ROBERT MORRIS' PROGRAM "PRETTY AMAZING"

   (Jan. 13)
  It was "pretty amazing," says a Cornell University graduate student, to watch
classmate Robert T. Morris Jr. slip in and out of a computer at the
Massachusetts Institute of Technology undetected.
  Testifying at Morris' computer tampering trial, Dawson Dean III said that five
days before the 1988 crash of thousands of computers on national research
networks, Morris let him look over his shoulder at a terminal on Cornell's
Ithaca, N.Y., campus and watch him enter an MIT computer.
  "The machine didn't know that he was logged in," Dean said. "It was pretty
amazing."
  The 25-year-old Morris is accused of creating and releasing a "worm" program
that temporarily crippled some 6,000 Unix-based computers on the Internet and
Arpanet systems on Nov. 2 and 3, 1988.
  Covering the federal trial in Syracuse, N.Y., Steve Schaefer of United Press
International reports Dean testified yesterday that Morris let him scan a list
of more than 400 passwords Morris allegedly had discovered.
  Dean, an MIT graduate and doctoral candidate at Cornell, said the passwords
had been translated from an "encrypted" form into English. "There are 4,096 ways
to encrypt a given password," Dean said. "He said he had done it basically to
see if it was possible to do."
  Dean told the jury Morris gave him the impression that a computer at Cornell
spent four days running a program that Morris had designed to find the true
spellings of the encrypted passwords.
  Said Dean, "I asked him, `Is mine in the list?' I also asked him if the
password of this other really obnoxious graduate student was (listed)." For
Justice Department trial lawyer Ellen Meltzer, Dean confirmed in court that the
list he read that night was similar to one investigators found in computer files
Morris maintained at Cornell.
  Dean said Morris told him he would pursue a doctorate and career in computer
languages and that, although he already had extensive experience in computer
security, did not plan to write his thesis on security issues. "He told me he
had hacked around with computers before," Dean said.
  Then, under cross examination, Dean commented he thought Morris' efforts to
break computer security systems were the result of an inquisitive mind. "He was
a graduate student of computer science," Dean said. "You're learning to do
research. It's a real natural instinct to want to learn how the thing works."
  Schaefer also reports that in earlier testimony yesterday, William Johnston, a
computer systems manager at the Lawrence Berkeley Laboratory in California, said
the Nov. 2 worm did not at any time endanger cancer patients at the research
center. However, he added, it did cost the lab more than of $10,000 to purge the
system.
  Morris, the first person to be prosecuted under a portion of the 1986 Computer
Fraud and Abuse Act, faces up to five years in prison and a $250,000 fine if
convicted.
  --Charles Bowen



MORRIS JURY LEARNING ON THE JOB

  (Jan. 15)
  Members of the jury now hearing testimony in the federal computer tampering of
Robert T. Morris in Syracuse, N.Y., were selected specifically because of their
lack of knowledge about computers.
  When the jury was seated last week, US Justice Department lawyers Ellen
Meltzer and Mark Rasch and defense attorney Thomas Guidoboni interviewed 23
prospective jurors to hear the case and both sides focused on computer
knowledge.
  In fact, the only three prospective jurors who said they owned a personal
computer were rejected. However, two jurors who worked with computers at their
jobs -- an airline reservation clerk and insurance claims processor -- were
accepted for the panel.
  Law professor Theodore Hagelin of Syracuse University told Associated Press
writer William Kates it is not uncommon to fill a jury with people unfamiliar
with a subject that is central to a trial, but that it can be a gamble.
  "It's a trial strategy one has to decide," Hagelin said, "but you run a real
risk of losing them in the flood of information and definitions they must listen
to."
  The 25-year-old Morris is accused of unleashing a "worm" program that
temporarily immobilized some 6,000 networked Unix-based computers in November
1988.
  Kates reports that during much of the first three days of testimony last week,
"jurors listened as witnesses painstakingly tried to simplify the
high-technology world of computers, explaining alien terms like 'e-mail,'
'finger demons' and 'decompilation,' or the differences among source codes,
assembly codes and binary codes. Even the court reporter has struggled to keep
up with the jargon."
  Professor Hagelin commented, "By choosing jurors that are not particularly
sophisticated about technology, you create a juror pool with an open mind, or at
least you hope so."
  Lawyer Harold L. Burstyn, who specializing in computer law, added that one
computer expert could contaminate the jury. "You'd have to be deathly afraid
that one individual, claiming to be an expert or being an expert, would get all
the other jurors to follow him because of his knowledge, rather than because of
their belief in guilt or innocence," he said, adding that jurors lacking great
computers knowledge would be better able to follow the instructions of law given
by the judge.
  However, professor Hagelin noted that prosecutors must educate jurors
sufficiently before ending their case. "On one level you have to get them to
understand what happened," he said, "but on a second level you have to put it a
way that won't swamp them, a way that will stay in their minds when they go to
their room to deliberate. The real trick is to find the balance. They can only
follow so far."
  --Charles Bowen



US ARMY FIRST THOUGHT WORM ATTACK WAS THE WORK OF A FOREIGN POWER

  (Jan. 17)
  A US Army computer specialist has told a federal jury in Syracuse, N.Y., that
his first reaction to a "worm" program in November 1988 was to think his network
was under attack by a foreign power trying to steal weapons secrets.
   Testifying yesterday at the computer tampering trial of a suspended Cornell
University student charged with creating the worm, Michael Muuss, leader of the
Advanced Computer Systems team at the US Army Ballistic Research Laboratory at
Aberdeen Proving Ground in Maryland, said the worm forced him to remove
computers from military and research networks at a cost of more than $53,000.
   Covering the trial now in its second week, Associated Press writer William
Kates and Steve Schaefer of United Press International both quoted Muuss as
testifying, "Our specific concern was that it was an attack by a foreign power.
We had a real fear that someone had broken in and was trying to take data inside
and send it to somebody outside, or that it would modify data."
   However, the attorney for Robert T. Morris, the 25-year-old Arnold, Md., man
accused of creating and releasing the worm, suggested the Army overreacted to
the situation.
   Muuss told the court the Army lab shut down 200 computers linked to Milnet, a
global network that carries unclassified military data, when the worm infected a
machine hooked up to the Internet research network. AP notes Milnet carries
information such as computational chemistry and data on improving projectiles
and armors.
   The Army official said the research center disconnected itself from Milnet
and two supercomputers at Aberdeen were shut off to outsiders for six days while
a team worked to eradicate the worm.
   Defense attorney Thomas Guidoboni questioned Muuss about that shutdown,
asking why it lasted so long when most universities attacked by the worm were
back in operations within a few days.
   "At a university," Muuss replied, "the end result may have been that someone
didn't get a paper published." By contrast, he said, his computers contained
information on the evolution of weapons to 20 years in the future. "Protecting
defense information is a critical part of the defense business. We had to
certify that no data was stolen or modified and make sure our system could
resist such an attack if it happened again."
   Muuss acknowledged that computer security at the lab had been improved
because of the worm's invasion.
   Earlier in the day yesterday, the jury heard testimony from computer system
managers at Purdue University, Carnegie-Mellon, Georgia Tech and the University
of Rochester. Some said that, while no data was permanently lost or damaged, the
worm was costly in terms of eradication and follow-up investigations. However,
Daniel Nydick, a systems manager at Carnegie-Mellon, said he got rid of the worm
by simply crawling under his computer and unplugging it.
   Meanwhile, the University of Rochester's computer lab manager, Liudvikas
Bukys, testified the worm forced three people at the school to work overtime to
correct glitches and problems caused by the worm. Under cross-examination, Bukys
testified that the program was not designed to destroy files or data.
   But Bukys' stronger comments apparently came away from the hearing of the
jury. Speaking with UPI's Schaefer outside the courtroom, Bukys said he thought
Morris ought go to prison for creating the worm, adding, "If this guy doesn't
experience some serious punishment, then it's going to be open season on our
system. Apparently, there are people who don't have the moral backbone to say,
`I'm not going to do this because it's wrong.'"
   Acknowledging that the defense contends the worm was an experiment gone awry
and that Morris did not intend to cause any damage, Bukys said outside the
courtroom, "I find that argument rather appalling. That's arguing that burglars
are doing you a favor by showing you how crummy your locks are. This particular
burglar raided every house on the block, and I guess the defense is arguing that
now everybody in the whole neighborhood has better locks so they should feel
safer."
   --Charles Bowen


MORRIS "FRANTIC" AFTER WORM PROGRAM RELEASE, STUDENT SAYS

   (Jan. 18)
   A Harvard University graduate student says his friend, Robert T. Morris, was
frantic after a worm program got out of control in November 1988 and began
paralyzing a national computer network.
   Testifying at Morris' federal computer tampering trial in Syracuse, N.Y.,
yesterday, 25-year-old Paul Graham said Morris designed the worm to break into
the Internet system, but that it wasn't intended to replicate wildly as it did
or to cause any damage. "It was just supposed to go from computer to computer to
see how far it could get," Graham said. "Once it got in, it wasn't supposed to
do anything."
   Associated Press writer William Kates and Steve Schaefer of United Press
International both quoted Graham as testifying Morris deliberately added
safeguards to limit the growth of his program to ensure it would cause no
permanent file damage to the computers it attacked.
   However, said Graham, "He put in a wrong number and instead of just allowing
a few copies every once-in-a-while, it made lots of copies every time."
   From Cornell University, where he was a graduate student, Morris telephoned
Graham at Harvard on the night of the attack after realizing his worm program
was out of control.
   "He sounded like he had a final the next day that he hadn't studied for,"
Graham said. "He sounded miserable. He sounded in a state of shock and horror."
Graham added that the usually "puritanical" Morris was even using profanities.
   Graham said that after the worm was out of control, Morris tried to regain
access to his computer at Cornell to try to stop it, but that his program
already had immobilized Cornell's computers, preventing him from getting back
into the system.
   "We thought maybe we could send out another program that could eat the worm
and stop its processes," Graham said, "but there was no way to send something
after the virus. It wouldn't get through. It was pointless."
   Graham said he first learned of the worm when Morris was visiting Harvard for
a weekend in late October 1988. He said Morris mentioned his plan to design a
program to infect Internet after discovering a bug in Harvard's Unix system that
would allow unauthorized entry.
   Graham said he was sitting alone in his adviser's office at Harvard when
Morris walked in and announced he had found a flaw in the Internet network. "I
was sitting in (Professor) Mumford's office and the door opened and R.T.M.
walked in and announced he had just found a big hole," Graham said. "He was
pacing back and forth across the room and at the end of one of his passes across
the room he walked right up onto Mr. Mumford's desk. I don't think he realized
he was standing on the desk."
   The witness said he also discussed the program and methods of implementing it
with Morris while they waited for a friend in front of a restaurant. "He wanted
to make a virus that would spread around Internet," Graham said. "There was
never any question of having it do anything bad."
   Graham added he never told anyone about Morris' worm because the plan was
mentioned to him in confidence and he hadn't realized Morris was so close to
having it finished. He said he saw nothing wrong about what Morris was doing
because breaking into systems is a common practice of fledgling computer
security students.
   Under cross examination by the defense, Graham said Morris "specifically
intended" not to destroy any data. "If you don't have commands in your program
to start files, then it's safe," Graham said.
   The problem, Graham testified, was in a portion of the program designed to
prevent it from copying into a computer more than once, except occasionally to
prevent programers from using a simple method to defeat the program. Morris made
an error in that portion of the program and that glitch let it replicate out of
control, Graham said.
   "I said, `You idiot,'" Graham testified. "It was such a great idea, and he
blew it. I was really mad."
   --Charles Bowen



MORRIS CALLS HIS WORM "DISMAL FAILURE," BUT NOT MALICIOUS

  (Jan. 19)
  Testifying in his own defense, Robert T. Morris Jr. has told a federal jury
the worm program he created at Cornell University in 1988 was a "dismal failure"
but that it was not intended to cause any damage to the computer networks it
invaded.
  The 25-year-old suspended Cornell graduate student, charged with releasing the
worm that temporarily crippled some 6,000 Unix-based computers for two days,
testified yesterday that he miscalculated while writing the worm program during
a three-week period in October 1988.
  Covering the trial in Syracuse, N.Y., Steve Schaefer of United Press
International and Associated Press writer William Kates quoted Morris as saying,
"It was an experiment. I never heard of anything similar before. My purpose was
to see if I could write a program that would spread as fast as possible."
  Morris, speaking publicly for the first time since the worm incident 14 months
ago, said that had his experiment worked successfully, the worm would have
spread quietly and undetected over the Arpanet and Internet computer networks,
but "it was a dismal failure."
  He said he gathered passwords from various universities and, without
permission, decoded them to ensure the worm would spread widely. Also, he said,
he took steps to make the worm harmless and protect it from easy eradication.
  Morris said he let the worm enter the Internet network through computers at
the Massachusetts Institute of Technology in Cambridge. After releasing the worm
from Cornell at about 8 p.m. on Nov. 2, 1988, he went to dinner. He returned
about three hours later and noticed Cornell's own computer was slow to respond
to commands. Then, when he found copies of the worm in the Cornell system, he
knew it was spreading and was not working as planned. He said that is when he
started to get scared.
  Morris said he thought about sending out a second worm to track down and
destroy the first one, but decided against it after seeing the unpredictable
nature of the first worm. "I messed up the first worm and I didn't think I would
be able to do any better of a job," Morris said. He said he also was unsure he
could get into the computer system once the worm had begun to cripple it.
  So instead, he called Andrew Sudduth, a friend at Harvard University, and
asked him to send a message on a computer bulletin board system read mainly by
Internet users. Morris said he wanted to apologize for unleashing the worm and
tell users how to eliminate it.
  Earlier this week, Sudduth testified he eventually did send a warning message,
but that it didn't show up on the computer system for two days because the route
he picked to keep his identity a secret already was backed up with mail.
  Finally, Morris said he then did what many a young man in trouble do: "I
screwed up my courage and called my father." (Morris' father is chief scientist
at the top-secret National Security Agency's Computer Security Center in Fort
Meade, Md.)
  "He was not amused," Morris said, prompting laughter from his sister, also in
the courtroom. "My father advised me to come home and not talk to anybody."
  Under cross examination by Justice Department prosecutor Mark Rasch, Morris
acknowledged that even if the worm had worked as planned, it would have entered
computers he was not authorized to work with and that it would have taken time
for experts to defeat it.
  During the testimony, US District Judge Howard Munson asked Morris about his
programming mistake.
  Morris said a portion of the program was designed to prevent it from copying
itself into a computer more than once, except once in every seven times it
returned to an infected machine. That, he said, was intended to limit the number
of computers the worm would enter more than once, while stopping programmers
from using a simple method to defeat it.
  However, he said, he made a "program error or a design error," underestimating
the speed with which the worm would infiltrate various systems. The problem was
"the choice of one in seven instead of, say, one in 1,000."
  Following Morris' testimony, defense attorney Thomas Guidoboni moved that
charges against his client be dropped, contending the prosecution failed to
prove two requirements of the indictment: that Morris prevented authorized use
of computers and that the action cost a minimum of $1,000 in damage.
  However, Judge Munson denied the motion and adjourned the trial until Monday.
The told the jury it could expect to hear closing arguments then.
  --Charles Bowen



JURY GETS ROBERT MORRIS WORM CASE

  (Jan. 22)
  A federal jury of nine women and three men this afternoon began deliberating
the fate of Robert T. Morris Jr., suspended Cornell University graduate student
accused of temporarily crippling research and military computer systems in
November 1988 with a worm program.
  If convicted, the 25-year-old Arnold, Md., man -- the first person to be
prosecuted under a portion of the 1986 Computer Fraud and Abuse Act -- faces up
to five years in prison and a $250,000 fine.
  Earlier today in the Syracuse, N.Y., courtroom, Justice Department attorney
Ellen Meltzer said in her closing arguments that Morris clearly unleashed his
destructive program deliberately.
  Covering the closing statements, Steve Schaefer of United Press International
quoted Meltzer as pointing out that Morris, who claims the incident was the
result of an experiment gone awry, testified last week that he actually wrote
the program carefully to avoid detection and then set it loose.
  "He took each and every one of these steps to avoid ever being recognized as
the creator of this worm," Meltzer argued. She added there was no question
Morris created the worm and sent it out over the Internet network with the
intention of gaining access to federal computers he was not authorized to use.
  Meltzer said Morris furthermore knew his program would cross state lines and
that investigating and counteracting it would take computer experts a
considerable amount of time.
  She said Morris took advantage of flaws in existing computer systems, but that
the flaws did not create the damage that witnesses from 14 institutions
testified was created by the worm. "Indeed," Meltzer said, "Robert Morris did
not put those bugs in the software, but those weaknesses did not create the
worm. Robert Morris created the worm."
  Meltzer told the jury, "The fact that the worm did not cause permanent damage
to computer files, when it could have, is not a defense to this crime. ... Each
and every one of you must understand that the worm was not merely a mistake. It
was a crime against the government of the United States."
  In the defense's closing statement, Morris attorney Thomas Guidoboni said his
client did not intend for his program to cause damage or prevent authorized use
of computers on the affected networks.
  "The government spent a lot of time in this case proving things that weren't
in dispute," said Guidoboni. What the defendant has in this case is the truth."
  He said witnesses testified Morris inserted commands in the program that were
designed to limit its growth, that Morris never intended to bring any computers
down, never intended to prevent authorized access and never intended to cause
any damage.
  "He made a mistake. He told his friend, `I really messed up,' and Paul
(Graham) said, `You idiot,'" Guidoboni said. "Paul said let's send another worm
out there like a PAC man to eat it up, and he said, `No. I didn't do such a good
job on the first one.'"
  "You've heard Mr. Morris, and you've heard his testimony. The government, I
submit, hasn't made a dent in it," Guidoboni said.
  Schaefer noted the government said the defense argument that the worm did no
permanent damage to computer memories did not constitute a valid defense.
  In the government's rebuttal argument, Justice Department lawyer Mark Rasch
said, "Mr. Morris is not charged with deleting files. Mr. Morris is charged with
breaking into computers and preventing their authorized use. He certainly did
that."
  Rasch added that Morris' action forced experts to spend hours investigating
the worm. "They didn't know it had no Trojan Horses in it," Rasch told the jury.
"They didn't know it had no trap doors or anything like that, and the reason
they didn't know is because Robert Morris did not want them to know."
  Following a lunch recess, US District Judge Howard Munson instructed the jury
as to the legal issues in the case. The jurors began their deliberation at 2:15
p.m. EST.
  --Charles Bowen



JURY CONVICTS MORRIS IN WORM CASE

  (Jan. 23)
  More than seven hours after starting deliberation, a federal jury last night
convicted Robert T. Morris Jr. of computer tampering. He was accused of
releasing a worm program that caused millions of dollars in down-time and damage
to computer networks in November 1988.
  US District Judge Howard Munson released the former Cornell University
graduate student on his own recognizance depending sentencing and scheduled a
hearing on new motions for Feb. 27 in US District Court in Albany, N.Y.
  The 25-year-old Morris, now the first person ever convicted under the 1986
federal Computer Fraud and Abuse Act, could be sentenced to a maximum five years
in prison and $250,000 fine.
  The government can be expected to file a memorandum recommending a penalty for
Morris one week before the sentencing date.
  Prosecutors declined to say what they will recommend. However, Justice
Department attorney Ellen Meltzer, who along with Mark Rasch prosecuted the
case, told Steve Schaefer of United Press International that at no time has she
or Rasch indicated they will seek the maximum penalty.
  "The government will file an appropriate sentencing memorandum," Rasch added.
"A felony is a serious offense. (The worm) has had a profound effect on users of
computers across the country."
  Defense attorney Thomas Guidoboni, expressing disappointment in the verdict,
said he won't discuss possible appeals until after the hearing, where he said he
would introduce a motion for an acquittal.
  Morris, who lives with his family in Arnold, Md., managed only a silent smile
as his family huddled with Guidoboni following the verdict. He then strode off
silently with his girlfriend as dozens of reporters asked for comments on the
verdict.
  Meanwhile, talking outside the Syracuse, N.Y., federal courtroom where the
two-week trial took place, the defendant's father -- Robert T. Morris Sr. --
said he believed the landmark trial was fair but that he also doesn't view his
son as a criminal.
  Of the verdict, the elder Morris commented, "Anyone would have come to the
same conclusion. I think the trial was a fair one, and he had an opportunity to
state his case and he did so."
  However, the father, who is a chief scientist for the National Security
Agency's computer security division, emphasized, "It's perfectly obvious there
is not a fraudulent or dishonest bone in his body."
  Schaefer noted the Morris family declined to discuss the case during the weeks
of testimony and the elder Morris continued to refuse to talk about any
ramifications the decision might have on his profession. He said only, "I'm more
interested in my family and my son right at the moment."
  However, others in the computer industry already were talking about
ramifications of the case.
  Associated Press writer William Kates said the verdict "shocked" some of
Morris' friends, who said his worm program was experimental and not malicious,
and that it helped the computer community by pointing out weakness in networks
like Internet.
  Dean Krafft, director of computer facilities for Cornell's computer science
department, where Morris was studying when he transmitted the worm, told AP,
"You don't want to see him scarred for life. He's certainly a bright kid."
  Also Lance J. Hoffman, a professor of engineering and applied science at
George Washington University, said, "It's time for the computer industry to take
a hard look at itself." He added that many research networks were "held together
with chicken wire and bubblegum."
  But others said they were happy with the verdict.
  Ludivikas Bukys, lab manager for the computer science department at the
University of Rochester, who testified against Morris in the trial, told Kates,
"This is important. If he had been acquitted, it would have been open season for
other people to do similar things."
  --Charles Bowen




MORRIS CONVICTION MAY SLOW ACTION ON SECURITY BILLS

  (Jan. 24)
  Momentum on Capitol Hill for tougher computer security laws will probably slow
down following Monday evening's guilty verdict returned against Robert Tappan
Morris Jr., creator of the worm program that infiltrated the Internet system in
1988.
  According to The Washington Post, some lawmakers were concerned that the
Computer Fraud and Abuse Act, enacted in 1986 and used for the first time in the
Morris trial, might not be adequate to convict him since it makes no mention of
computer viruses or worms.  Instead, The Post speculates that the Morris verdict
will send out a tough message that the computer security laws now on the books
are sufficient to convict computer criminals.
  Although the computer industry wants tough laws in recognition that tampering
with the machines and networks is a serious offense, it also is concerned that
if Congress legislates too heavily, innovation will be suppressed in an
over-regulated environment.
  "It does demonstrate that the law that they used to prosecute him is
effective," said Dennis Steinauer, virus specialist at the National Institute of
Standards and Technology.
  Rep. Wally Herger (R-Calif.) is the author of a House bill that would close
perceived loopholes in the Computer Fraud and Abuse Act. Although he admits
action on the bill may be delayed since the guilty verdict, he insists stricter
laws are still needed.
  "Why is it after three years that we only have one conviction? I think that
the answer to that is that it is very, very difficult with the present tool that
we have to come up with a conviction," he told Post reporter John Burgess.
  Meanwhile, computer industry leaders believe the Morris conviction will send a
strong message. "We really are concerned that the world stop thinking about
these folks as some kind of Robin Hoods," said Doug Jerger, director of the
software industry division of the computer services group known as Adapso.
"They're criminals."
  --Cathryn Conroy


ATTORNEY ASKS COURT TO THROW OUT ROBERT MORRIS' "WORM" VERDICT

  (Feb. 14)
  The attorney representing Robert T. Morris Jr. has filed a motion urging a
federal court to throw out last month's guilty verdict in the highly-publicized
computer "worm" case, contending the prosecutor made "prejudicial" remarks at
the end of the trial.
  Thomas Guidoboni's motion urges federal Judge Howard Munson to either
reconsider the evidence himself or to order a new trial.
  The 24-year-old Morris, a former Cornell University graduate student, was
found guilty Jan. 22, becoming the first person ever convicted under a portion
of the 1986 Computer Fraud and Abuse Act. The Arnold, Md., man was accused of
releasing a computer worm in November 1988 that temporarily stymied thousands of
networked computers. Morris, yet to be sentenced, faces up to five years in
prison and a possible $250,000 fine.
  Steve Schaefer of United Press International reports Guidoboni's motion
alleges US Justice Department trial attorney Ellen Meltzer made "highly
prejudicial" remarks during her closing arguments. Specifically, he says it was
improper for Meltzer to compare the defendant's actions to that of a terrorist.
  "The reference to terrorism at this trial is especially egregious," the motion
says, "because little more than a year ago, a number of Syracuse University
students were killed in the crash of a Pan American World Airways jetliner over
Lockerbie, Scotland, due to a presumed terrorist bomb."
  UPI says Meltzer and fellow Justice Department lawyer Mark Rasch are expected
to respond to the motion before Feb. 27, when Munson is to rule on the motions
at a hearing scheduled for US District Court in Albany, N.Y.
  --Charles Bowen



JUDGE UPHOLDS MORRIS CONVICTION

  (Feb. 27)
  US District Judge Howard Munson today rejected defense motions to overturn
last month's conviction of computerist Robert T. Morris Jr., who created the
worm program that temporarily locked up some 6,000 networked computers in
November 1988.
  At an Albany, N.Y., hearing, the judge set May 4 for sentencing of Morris in
Syracuse, N.Y. The 24-year-old former Cornell University graduate student, who
was the first person to be prosecuted under a portion of the 1986 Computer Fraud
and Abuse Act, now could be sentenced to up to five years in prison and up to
$250,000 in fines.
  Charles F. Porcari of United Press International reports Judge Munson ruled
that, contrary to a motion by defense attorney Thomas Guidoboni, the Syracuse,
N.Y., jury in last month's trial was not prejudice by prosecutor's closing
remarks that compared Morris to a "terrorist," even though 35 Syracuse
University students were killed 13 months before when a terrorist bomb blew up
Pan Am Flight 103 over Lockerbie, Scotland.
  Judge Munson also rejected two other defense arguments, that his instructions
to the jury were unfair and that Morris did not violate a federal law on
computer tampering but rather he merely exceeded the authority given to him by
Cornell University to work with computers.
  Porcari says Morris, who was suspended from Cornell until September, now is
working as a programmer at Harvard University, where he earned his bachelors
degree in early 1988.
  --Charles Bowen



MORRIS GETS 3 YEARS' PROBATION

  (May 5)
  Robert T. Morris Jr., convicted in January of releasing a worm program that
stymied networked computers for two days in November 1988, has been sentenced to
three years' probation, fined $10,000 and ordered to perform 400 hours of
community service. He received no jail time.
  Twenty-four-year-old Morris, a suspended Cornell University graduate student,
smiled broadly yesterday as the sentence was handed down by US District Judge
Howard Munson in Syracuse, N.Y. Morris hugged his mother and shook hands with
his father, then left the courthouse without comment.
  He had reason to be happy. As the first person convicted under the 1986
federal Computer Fraud and Abuse Act, he could have been sentenced to up to five
years in prison and $250,000 in fines.
  Defense attorney Thomas Guidoboni told Steve Schaefer of United Press
International he will appeal the conviction. "The sentence was reasonable," the
lawyer said, but "we're appealing for legal reasons. We are concerned that he is
now a convicted felon."
  On the other side, US Attorney Frederick Scullin Jr. told Associated Press
Writer Hilary Appelman he believed the sentence was fair. "This is sort of a
unique circumstance. I don't feel it's going to be any sort of a precedent." He
added future computer vandals may face stricter sentences. "Would-be hackers are
now on notice that the Department of Justice will vigorously prosecute future
computer criminals and seek severe penalties, regardless of what their motives
are," he said.
  Morris, who was indicted in July 1989 on charges he introduced the worm into a
military and research network, was found guilty by a jury Jan. 22. During his
trial, he acknowledged he wrote and released the worm Nov. 2, 1988, but said it
was an accident that it replicated out of control and froze some 6,000
Unix-based networked computers linked to Internet, Arpanet and Milnet.
  The young man remains suspended from Cornell until September. Right now, he
has been living in Cambridge, Mass., and working as a programmer at Harvard
University.
  Prior to yesterday's sentencing, David O'Brien, a lawyer representing Morris,
argued for leniency, saying Morris accepted responsibility for his actions. "The
most fundamental thing that struck me about Mr. Morris," O'Brien said, "is his
basic decency, his basic honesty. Robert is too decent of a person to try to
hoodwink people out of their money. There is a world of difference between
Robert and what other people who have abused this equipment have done."
  While Morris did not speak at the sentencing nor to reporters afterward, his
father, Robert Morris Sr., a scientist at the National Computer Security Center
in Bethesda, Md., told AP he does not consider his son a criminal. "There is
real computer crime in this country," Morris Sr. said. "It is rampant and
extremely expensive, and this case did not begin to touch on that."
  Meanwhile, other reaction to the sentence varied greatly.
  Writing in The Washington Post this morning, John Burgess quoted Keith Bostic,
a University of California software specialist who helped stop the virus's
spread, as saying he welcomed the decision not to send Morris to jail. "He was
playing with fire," Bostic said, "but he didn't really mean to burn anybody."
Bostic was a witness for the prosecution during Morris's trial.
  On the other hand, Rep. Wally Herger (R-Calif.), author of legislation that
would outlaw viruses, condemned the ruling. In a statement, Herger said, "I am
very disappointed that the sentence did not include some prison time for this
serious offense. In this ground-breaking case, we must send a strong message
that computer virus outbreaks will be punished severely."
  Finally, Jude Franklin, who oversees computer security for Planning Resex.lh
Corp., a McLean, Va., computer services company, told the Post he thought the
prosecution and conviction of Morris would do the job of deterrence.
  The $10,000 fine was "severe" for a graduate student, Franklin said, adding,
"Clearly he's learned a lesson and, much more importantly, the community of
bright young graduate students and really bright hackers . . . have learned that
this is not something they can do."
  --Charles Bowen



W.VA. JURIST WANTS ROBERT MORRIS

  (May 8)
  The chief justice of West Virginia's state Supreme Court wants convicted
computer intruder Robert T. Morris Jr. to be assigned to help develop a faster
system to process child support payments in the state.
  As reported earlier, part of the federal sentence handed down to the Cornell
University graduate student was that he perform 400 hours of "community
service." Chief Justice Richard Neely is asking federal officials that the
sentence, or part of it, be served in West Virginia.
  Morris, convicted in January of creating and releasing a worm program that
stymied networked computers for two days in November 1988, also was sentenced to
three years' probation and fined $10,000 under the Computer Fraud and Abuse Act.
  Frank Watterson, the chief federal probation officer in Albany, N.Y., told
United Press International it will be 10 days to two weeks before a decision is
made on how Morris will serve the public.
  Neely told the wire service that while watching a cable network news feature
last winter about Morris, he said to himself, "That's the kid I need." The
justice serves on a steering committee that is developing a computer system to
accelerate the processing of child support payments.
  Neely said he has contacted the head of the criminal division of the
Department of Justice, Morris's lawyer, the judge who presided at the trial and
Morris's probation officer.
  "I said, `Look, this is no joking matter. My state desperately needs this
guy,'" Neely said. "We have women and children who are almost starving because
we can't pay for the programmers we need to fix the child advocate and family
master systems, both of which were mandated by federal statute. I thought back
then, that it would be a matter of him either working with us for a year or
going to prison. But the judge realized he wasn't a vicious guy, otherwise he
wouldn't have deviated from the sentencing guidelines. The kid didn't plan to
screw up everyone's disks. He had a program designed to undo what he'd done.
Only it didn't work right."
  The justice said Morris has shown an interest in working in West Virginia,
even though he is not forced to choose between that and prison. "We need an
enthusiastic genius to help us work from the ground level up," Neely said.
  --Charles Bowen




JUSTICE DEPARTMENT SAYS IT WILL NOT APPEAL ROBERT MORRIS SENTENCE

  (June 2)
  The Justice Department says it has decided not to appeal last month's light
sentence of Robert T. Morris Jr., the suspended Cornell University graduate
student convicted of releasing a worm program that paralyzed a national computer
network for two days in November 1988.
  Federal prosecutors had sought jail time for Morris, but the judge sentenced
the young man to three years' probation, fined him $10,000 and ordered him to
perform 400 hours of community service.
  Associated Press writer James Rowley says the decision not to appeal was made
after a recommendation by Assistant Attorney General Edward S.G. Dennis Jr.,
head of the criminal division.
  Justice Department spokesman Doug Tillett told Rowley federal authorities felt
prosecutors made their point by obtaining the felony conviction. "In terms of
deterrent value," he said, "our point was made by the fact we brought the case.
It was up to the discretion of the judge to mete out a proper sentence."
  He added Justice officials regarded Morris as "a bright kid who shouldn't have
done what he did." The case was seen as an important test of the computer fraud
law, he said.
  Defense lawyer Thomas Guidoboni told AP he was pleased about the government's
decision not to appeal.
  Online Today covered the Morris case throughout. For an extensive file of
earlier stories, enter GO OLT-2180 at any prompt. And for other reports from The
Associated Press, enter GO APO at any prompt. They also are available in the
Executive News Service (GO ENS).
  --Charles Bowen


MORRIS SENTENCED TO THE PHONE DUTY AT BOSTON BAR ASSOCIATION

  (Nov. 8)
  Robert Morris, the former Cornell University student convicted of releasing a
worm that stymied thousands of government computers in 1988, is answering the
phones for the Boston Bar Association. It's all part of his penalty assigned by
the judge.
  The Associated Press quotes Francis Moran, executive director of the bar
association, as saying the 24-year-old Morris began his telephone duties several
weeks ago.
  Earlier this year, Morris became the first person convicted under the 1986
Computer Fraud and Abuse Act, which makes it a felony to intentionally gain
unauthorized access to federal computers. Subsequently, a federal judge
sentenced the Cambridge, Mass., resident to 400 hours of community service and
three years' probation. He also was fined $10,000.
  In his well-publicized trial, Morris testified an experiment went badly awry
when he used a Cornell computer to unleash the worm program into the network on
Nov. 2, 1988. Prosecutors alleged the action caused at least $165,000 worth of
damage.
  Morris, who later was suspended from Cornell, is appealing his conviction.
  Reports from The Associated Press are accessible by entering GO APO at any
prompt. They also are availablein the Executive News Service (GO ENS).
  --Charles Bowen





!ssible by entering GO APO at any
prompt. They also are availablein the Executive News Service (GO ENS).
  --