Skip to content
hacker_culture_
Back to the collection
SecurityCode· 1988

The Morris Worm

A 99-line program that crippled the early internet and forced a culture to confront its own consequences.

3 min read487 words
The Morris Worm source code on a floppy disk on display at the Computer History Museum
Image: Go Card USA · CC BY-SA 2.0

The object

The Morris Worm was a self-replicating program released onto the internet on the evening of 2 November 1988 by Robert Tappan Morris, a 23-year-old first-year graduate student at Cornell. He launched it not from Cornell but from a machine at MIT, an attempt to disguise its origin. It exploited known weaknesses in Berkeley Unix utilities (a buffer overflow in fingerd, a debug-mode backdoor in the sendmail mail daemon, and the rexec/rsh trust relationships), and it carried a dictionary of around 400 common passwords to guess its way onto further accounts. It then copied itself from machine to machine without human help. Morris was no outsider: his father, Robert Morris Sr., was a chief scientist at the National Security Agency's computer security center.

A bug, not a bomb

The worm carried no destructive payload: it deleted nothing and stole nothing. Its damage came from a flaw in its own design. Morris had anticipated that defenders might inoculate machines by faking infection, so he programmed the worm to reinfect a host roughly one time in seven regardless of what it found. That ratio was far too aggressive: machines accumulated dozens of running copies, and the load ground them to a halt. Within roughly a day it had reached an estimated 6,000 systems, commonly cited as about ten percent of the internet's then-60,000 hosts. A team at Berkeley and Purdue disassembled it within days, and Morris's own programmer's notes were later read at trial. A 1990 General Accounting Office report estimated cleanup costs between $100,000 and $10 million.

Why it matters

This was the moment hacker culture lost its innocence in public. The worm made the front page of The New York Times, which named Morris within days. He became the first person tried and convicted under the 1986 Computer Fraud and Abuse Act: in 1990 he was sentenced to three years' probation, 400 hours of community service, and a fine of roughly $10,050. Cornell expelled him. The incident directly produced the CERT Coordination Center, funded by DARPA and established at Carnegie Mellon University in November 1988, the first coordinated computer-emergency response team, and it made "internet security" a profession rather than an afterthought.

It also forced an ethical reckoning the culture had postponed. The same curiosity that wrote Spacewar! could, at internet scale, cause real harm without intending to. Exploration was no longer consequence-free. Morris himself went on to an academic and entrepreneurial career, co-founding the startup that became Viaweb and later joining the MIT faculty, a quiet coda to the case that named a felony category.

The lesson it set loose

At scale, intent stops being the only thing that matters. A curious experiment and an attack can be the same code; the difference is the size of the network it runs on. The worm taught hackers that understanding a system now carries a duty of care toward everyone else connected to it.

Further reading

Keep exploring

Next exhibit

The Founding of the EFF