From the Wikipedia article:
Clifford Stoll, author of The Cuckoo's Egg, wrote that "Rumors have it that [Morris] worked with a friend or two at Harvard's computing department (Harvard student Paul Graham sent him mail asking for 'Any news on the brilliant project')".
Has pg commented on this?
Would you?
I find it funny that:
1) He released it from MIT to avoid suspicion.
2) After he was convicted, he went from Cornell to Harvard to complete his Ph.D.
3) He became an assistant professor at MIT after that.
He had to be really spectacular/have crazy connections to still be able to finish his training at a top program and get a job at the institution he tried to frame.
One of my favourite quiet jokes is the "Editorial Board" list for The Annals of Improbable Research¹ where RTM is listed under Computer Science. Asterisks after each name denote qualifications, RTM's being "Convicted Felon"
---
¹Awarders of the Ig Nobel prize
Have you read any of his papers? Morris was not fucking around.
Can you elaborate, or suggest a specific paper?
Just go pull up his bibliography. Chord, the Click Modular Router (super big deal to me), RON (also a big deal to me), Vivaldi (which made its way into the Hashi products). He had a hand in a lot of stuff. His pre-CSAIL work was very much like that of the LBL Network Research Group (that's Van Jacobson, Vern Paxson, Steve McCanne) --- he's in that league.
Please expand?
He was and is very smart. This is not disputed. He was 23 at the time. Not exactly a child.
The worm was surprisingly elaborate containing three separate remote exploits.
It probably took a few weeks to build and test.
So sabotaging thousands of at the time very expensive network connected computers was a very deliberate action.
I posit that he likely did it to become famous and perhaps even successful, feeling safe with his dad’s position. And it worked. He did not end up in prison. He ended up cofounding Viaweb and YCombinator.
I'm not psychoanalyzing the guy, I'm saying I'm not surprised he had an elite academic career, because he's an elite performer.
You know his dad ran research at the NSA right?
His dad's also a badass and super fun to talk to. Never talked to the son though, but I'd love to some day.
I talked to the son at one of the early (~2008) YC dinners. Actually found him more approachable than PG or most YC founders; RTM is a nerd in the "cares a whole lot about esoteric mathematics" way, which I found a refreshing change from the "take over the world" vibe that I got from a lot of the rest of YC.
Interesting random factoid: RTM's research in the early 2000s was on Chord [1], one of the earliest distributed hash tables. Chord inspired Kademlia [2], which later went on to power Limewire, Ethereum, and IPFS. So his research at MIT actually has had a bigger impact in terms of collected market cap than most YC startups have.
[1] https://en.wikipedia.org/wiki/Chord_(peer-to-peer)
[2] https://en.wikipedia.org/wiki/Kademlia
I did not. That actually makes everything make much more sense. I was even wondering how he got out of jail time for something like this and just thought he had amazing lawyers.
I think the bigger thing was that the Internet just wasn't that big a deal at the time. I got serious access in '93, and into '94-95 there were still netsplits on it (UUNet/NSFNet is the one I remember most). It was a non-remunerative offense, with really unclear intent, that took out a research network. He had good counsel, as you can tell from the reporting about the trial, but the outcome made sense. I doubt his dad had much to do with it.
Yeah, in 1988 the Internet appeared like a research network that connected universities. No money was directly at stake and the systems harmed didn't appear critical. Related to what Thomas says above, part of the response to the incident was to partition the Internet for a few days [2] - I don't know if such a thing would be possible now.
But looking into the specifics again after all these years [1], I read:
"The N.S.A. wanted to clamp a lid on as much of the affair as it could. Within days, the agency’s National Computer Security Center, where the elder Morris worked, asked Purdue University to remove from its computers information about the internal workings of the virus."
and that CERT at CMU was one response to the incident [2].
So there is a whiff of the incident being steered away from public prosecution and towards setting up security institutions.
Robert Morris did get a felony conviction, three years probation, and a $10K fine. As for hn users, aside from pg, Cliff Stoll has a minor role in the story.
[1] https://archive.nytimes.com/www.nytimes.com/times-insider/20...
[2] https://en.wikipedia.org/wiki/Morris_worm#Effects
> I think the bigger thing was that the Internet just wasn't that big a deal at the time.
"Computer crime" definitely was though.
Barely. In my area around that time, teenagers were causing havoc by breaking into local colleges just so they could get onto IRC and access FTP sites. "Network security" was a pretty new concept.
Ehh? It had only recently been made explicitly criminal by federal statute. If you're thinking of "the Hacker Crackdown" that occurred a few years after the Morris Worm, or of Kevin Mitnick's exploits, it's worth keeping in mind that they were doing pretty crazy shit even relative to today; they were owning up phone switches across the country. And despite that, the penalties were not crazy high.
What you didn't have back then was financial fraud on the scale that happens today, where even nominal damages run into 8-9 figures.
RTM Jr is a very nice person, obviously very smart, but also has a good sense of humor and is friendly and approachable. We overlapped as C.S. grad students at Harvard for several years.
> tried to frame.
MIT really respects good hacks and good hackers. It was probably more effective than sending in some PDF of a paper.
>MIT really respects good hacks and good hackers.
Oooof in light of Aaron Swartz. He plugged directly into a network switch that was in an unlocked and unlabelled room at MIT so he could download faster and faced "charges of breaking and entering with intent, grand larceny, and unauthorized access to a computer network".
MIT really didn't lift a finger for this either.
>Swartz's attorneys requested that all pretrial discovery documents be made public, a move which MIT opposed
https://en.wikipedia.org/wiki/Aaron_Swartz
Agreed, it's hard to see this as some sort of "hacker respect hacker" in light of MIT's other actions.
It's very hard to extract Robert Tappan Morris from the context of his father being an extremely powerful man when trying to figure out how he managed to get away with what he did.
At the same time, it's easy to believe that MIT of 2013 is very different than MIT of 1988.
While that's entirely possible, MIT was established in 1861. I think the old boys club was established long before 1988.
This one is before my time, but I remember the blaster worm very clearly.
The term "worm" came from the 1975 (sci-fi) novel The Shockwave Rider:
* https://en.wikipedia.org/wiki/The_Shockwave_Rider
I followed his course 6.5840 on distributed systems (https://pdos.csail.mit.edu/6.824/, YouTube videos at https://youtube.com/playlist?list=PLrw6a1wE39_tb2fErI4-WkMbs...) and completed the labs. One day, out of curiosity, I looked up his name. Then I realized what a legend he is.
Great course by the way.
I am also doing the course now in my free time. Even I wasn't aware who he is.
On a side note, what did you do after the course?
It is an amazing course though!
Would be cool if he adds a session on how to hack distributed system in 1988...
In 1988? Just stick random semicolons in things.
I was a student part-time administrator/systems programmer at the Purdue Engineering Computer Network at the time. Our OS installs had enough local mods (and we had enough non-VAX, non-Sun architectures) that we were immune to some of the worm's modalities, but the sendmail debug mode exploit at least still caused a lot of consternation.
Diversity is security! I wish more people understood that. It may be more difficult to manage a bunch of diverse systems, but they are much more resilient to attacks.
Was KSB there at the time? That dude was fun.
That was one scary exciting day (source: was running machines at MIT at the time)
I remember that day was sooooooooooo quiet on Usenet.
Not much was happening in the Eng and CS buildings on campus (except for those that had to deal with the worm).
Good times, good times. I was in a Stanford computer lab when everything started to get very, very slow.
I remember this event as one of the few times that the Internet made the mainstream news in the eighties. After the fact talked with some network people at Michigan and Michigan State and it was not a very good day for them. They also wanted jail time for him which did not happen.
> the internet in 1988
60k computers (mostly at institutions) in 20 countries
Everything was slower though. Turkey as a whole country had one 9600bps link to Bitnet at the time. Internet was accessed through Bitnet gateways. Systems (CPUs and I/O in general) were also much slower.
Much slower. Most campuses in the US were connected with 56K dedicated lines. The NSF backbone had just upgraded to T1.
I expected some info on its functioning. The goal was to gauge the size of the Internet, how? Why did it fail? I guess Wikipedia to the rescue.
I'm pretty sure Paul Graham was directly involved in this story (not in any bad, culpable way, but enough that, were a film to be made about it, a well-known actor would be cast for his part).
https://news.ycombinator.com/item?id=38020635
Out of curiosity, why do you think this?
There's contemporaneous reporting. It's in Katie Hafner and John Markoff's book! A friend of Morris', named Paul, has a role in the aftermath of the worm.
I'm not dunking on Paul Graham here. If you know anything about me, if anything, this is a point in his favor. :)
Def know lots about you and def didn't think you were dunking on Paul, hence my curiosity, because it was specifically you Mr. Ptacek. :)
Thanks for the answer, I'll check out the book.
I used to keep a vt100 at the head of my bed, roll over and check on things a few times at night. 3am and everything is screwed. Can't really log in anyplace, or start any jobs. The bus doesn't run until 5:30, so I just get dressed and walk across the bridge to the lab. Visitors center isn't open, so I just sneak through the exit by the guardhouse. They're civilian contractors, they either don't see me, or recognize me and don't care.
Since it's all locked up, I just reboot the big vax single user - that takes about 10 minutes so I also start on a couple of the suns. You have to realize that everything including desktops runs sendmail in this era, and when some of these machines come up they are ok for a sec and then sendmail starts really eating into the cpu.
I'm pretty bleary eyed but I walk around restarting everything single and taking sendmail out of the rcs. The TMC applications engineer comes in around 7 and gets me a cup of coffee. He manages to get someone to pick up in Cambridge and they tell him that's happening everywhere.
I assume you all know that Robert Morris is one of the YC (and Viaweb) cofounders? [1] Together with Paul Graham, Jessica Livingston, and Trevor Blackwell.
[1] https://en.wikipedia.org/wiki/Robert_Tappan_Morris
I’m still waiting for the first runaway autonomous botnet.
Currently AI doesn't work very well on hardware separated by hundreds of milliseconds of latency and slow network links. Both the training and inference are slow.
However I think this is a solvable problem, and I started solving it a while ago with decent results:
https://github.com/Hello1024/shared-tensor
When someone gets this working well, I could totally see a distributed AI being tasked with expanding its own pool of compute nodes by worming into things and developing new exploits and sucking up more training data.
I remember that the Boston Museum of Science used to have a floppy disk on display with the Morris worm on it.
That exhibit is shown in the article.
Wikipedia says the Morris worm went out on 1998 Nov 2. No idea why they would publish the article on 2025 Nov 4 with that title.
https://en.wikipedia.org/wiki/Morris_worm
1988
A quick search shows:
- a github repo containing "the original, de-compiled source code for the Morris Worm" - see https://github.com/agiacalone/morris-worm-malware
- a high level report about the worm - see https://www.ee.torontomu.ca/~elf/hack/internet-worm.html
Both of those agree that it was '88...
I strongly suspect 1998 was a typo by OP and he was actually pointing out the discrepancy between 2 Nov and 4 Nov WRT “this day”.
However the article has been updated so only the HN title has this flaw.
Sounds like the type of mistake I always make: Notice someone being off by two days, and in haste, post a correction that is off by ten years.
I think his question was whether it was Nov 2 or Nov 4...
The article is from a somewhat reliable source; Wikipedia is not a reliable source (by Wikipedia's own rules). Maybe you should use the article to update Wikipedia?
This Week in 1988 rather.
https://neal.fun/internet-artifacts/morris-worm/
>However, the pioneering Morris worm malware wasn’t made with malice, says an FBI retrospective on the “programming error.” It was designed to gauge the size of the Internet, resulting in a classic case of unintended consequences.
had RTM actually RTM the world might be a bit different than it is today.
Well, sort of. RTM underestimated the effect of exponential growth, and thought that he would in effect have an account on all of the connected systems, without permission. He evidently didn't intend to use this power for evil, just to see if it could be done.
He did do us all a service; people back then didn't seem to realize that buffer overflows were a security risk. The model people had then, including my old boss at one of my first jobs in the early 80s, is that if you fed a program invalid input and it crashed, this was your fault because the program had a specification or documentation and you didn't comply with it.
Interestingly, it took another 7 years for stack overflows to be taken seriously, despite a fairly complete proof of concept widely written about. For years, pretty much everybody slept on buffer overflows of all sorts; if you found an IFS expansion bug in an SUID, you'd only talk about it on hushed private mailing lists with vendor security contacts, but nobody gave a shit about overflows.
It was Thomas Lopatic and 8lgm that really lit a fire under this (though likely they were inspired by Morris' work). Lopatic wrote the first public modern stack overflow exploit, for HPUX NCSA httpd, in 1995. Later that year, 8lgm teased (but didn't publish --- which was a big departure for them) a remote stack overflow in Sendmail 8.6.12 (it's important to understand what a big deal Sendmail vectors were at the time).
That 8lgm tease was what set Dave Goldsmith, Elias Levy, San Mehat, and Peiter Zatko (and presumably a bunch of other people I just don't know) off POC'ing the first wave of public stack overflow vulnerabilities. In the 9-18 months surrounding that work, you could look at basically any piece of privileged code, be it a remote service or an SUID binary or a kernel driver, and instantly spot overflows. It was the popularization with model exploits and articles like "Smashing The Stack" that really raised the alarm people took seriously.
That 7 year gap is really wild when you think about it, because during that time period, during which people jealously guarded fairly dumb bugs, like an errant pipe filter input to the calendar manager service that ran by default on SunOS shelling out to commands, you could have owned up literally any system on the Internet, so prevalent were the bugs. And people blew them off!
I wrote a thread about this on Twitter back in the day, and Neil Woods from 8lgm responded... with the 8.6.12 exploit!
https://x.com/tqbf/status/1328433106563588097
It's a little shocking to me that there haven't been more things like this.
While we're much more conscientious and better at security than we were way back then, things are certainly not totally secure.
The best answer I have is the same as what a bio professor told me once about designer plagues: it hasn't happened because nobody's done it. The capability is out there, and the vulnerability is out there.
(Someone will chime in about COVID lab leak theories, but even if that's true that's not what I mean. If that happened it was the worst industrial accident in history, not an intentional designer plague.)
Here's a whole list of "more things".
https://en.wikipedia.org/wiki/Botnet#Historical_list_of_botn...
After things like
https://en.wikipedia.org/wiki/Blaster_(computer_worm)
https://en.wikipedia.org/wiki/SQL_Slammer
https://en.wikipedia.org/wiki/Sasser_(computer_worm)
Bill Gates sent out the "Trusted Computing" memo to harden Windows and make it somewhat secure.
Essentially, Windows used to be trivial to exploit, in that every single service was by default exposed to the web, full of very trivial buffer overflows that dovetailed nicely into remote code execution.
Since then, Windows has stopped exposing everything to the internet by default and added a firewall, fixed most buffer overflows in entry points of these services, and made it substantially harder to turn most vulnerabilities into the kind of remote code execution you would use to make simple worms.
>better at security than we were way back then
In some ways this is dramatically understated. Now the majority of malware comes from getting people to click on links, targeted attacks that drop it, piggyback riding in on infected downloads, and other forms of just getting the victim to run your code. Worms and botnets are either something you "Willingly" install through "free" VPNs, or target absolutely broken and insecure routers.
The days where simply plugging a computer into the internet would result in you immediately trying to infect 100 other computers with no interaction are pretty much gone. For all the bitching about forced updates and UAC and other security measures, they basically work.
Your mention of designer plagues reminded me of the Russian bioweapons anthrax leak in 1979
https://pubmed.ncbi.nlm.nih.gov/7973702/
To a fairly significant extent, the Morris worm is why there haven't been more; it did prompt something of a culture shift away from trusting users to trusting mechanisms, mostly by prompting people to realise that the internet wasn't only going to be in the hands of a set of people who were one or two degrees of separation apart. It didn't make sense to assume people would treat it with reverence like a giant beautiful shared space.
It's most obviously paralleled by Samy Kamkar's MySpace worm, which exploited fairly similar too-much-trust territory.
I imagine the
- heterogeneity of modern computing environments
- number of 'layers' in any system
- sheer size of the modern Internet
all also make it harder to scale
they're just better at hiding now.
So like 10 computers, then I suppose?
6,000+, and those machines served many others (back then there were tens of thousands of machines on the Internet, but probably 10x as many that were connected to these by relays that handled email or Usenet traffic).
Also worth remembering that especially with Internet-connected computers almost everything was multiuser. You did work on the Internet from a shell on a shared Unix server, not from a laptop.
Hypothetically if the m$ cloud ecosystem got completely obliterated (including backups) would customers switch? Or is the lock-in as complete as it is with the operating system customers?