Hacker OPSEC

STFU is the best policy.

Morris Worm OPSEC Lessons

25th Anniversary of STFU about your computer crimes

Reading this interview with the prosecutor of Robert Morris Jr about the Morris Worm, I found a few cool OPSEC lessons we can learn.

How was Morris caught?

One way was with computer forensics. Tracing back the source of the worm. The second way was one of Morris’s friends told The New York Times, in response to some articles that John Markoff was writing; he inadvertently gave his initials.

There were a couple of ways that he was discovered. The first was the forensic analysis of the worm itself, and tracing that back to the original infection point. This sort of evidence shows where to look (the original infection), but it does not provide enough information to successfully prosecute. It is circumstantial so far, and given some careful sanitisation of the original box, it would be a very hard case to prove.

The far more damaging way that Morris was caught was via an OSINT case officer doing HUMINT collection (a reporter interviewing people about the worm). The journo managed to elicit information about the worm’s author (his initials). This is the sort of extremely damaging information leakage that happens when there is poor OPSEC. There was no anti-interrogation training provided to the members of the Morris cell (i.e. all his friends who knew about the development of the worm).

Deny everything. Admit nothing. Or, you know, not.

he did testify that he wrote the worm. He came in and testified, “I did it, and I’m sorry.” I turned to my co-counsel and asked, “Should I prove he didn’t do it or he’s not sorry?”

When the prosecution has to prove that you committed a felonious act, it is a lot easier for them when you confess on the stand. I can’t second-guess the decisions of Morris’ legal counsel, but unless you are instructed to do so by your lawyer: STFU.

The Morris Cell and “Need to know”

We talked to his friends. His friends were witnesses for us. They didn’t have a choice. There was a core group. …one of the meetings where Robert Morris was discussing the worm occurred at a Legal Seafood in Kendall Square… He talked about how it was developed, how it worked, what vulnerabilities it exploited. At one point he was at a meeting back at Harvard, he got so excited that he literally jumped up on a table pacing back and forth on the table explaining how it worked…

The close friends of Robert Morris, the Morris Cell, were fully briefed on all aspects of the worm: its capabilities, its functionality, and its author’s real identity. None of the other members of the cell were actively exposed to the risks of the operation. They had no “need to know”.

This failure to STFU, to properly compartment the design and development of the worm, was a key factor leading to his capture and prosecution. Fortunately, things worked out well for him, in the long run.

How to evaluate “Need to know”

The rule of thumb is: if someone is actively sharing the risk, they have a need to know. This need to know is, of course, restricted to only those aspects of the operation in which they are actively involved.