The Morris Worm: The Internet's First Real Security Wreck
A graduate student's experiment to measure the internet's size instead knocked out an estimated 10% of it in a single night. The Morris Worm produced the first felony conviction under US computer crime law.
On the night of November 2, 1988, a self-replicating program released from MIT’s network brought a meaningful fraction of the still-young internet to a crawl — the Morris Worm, one of the first real demonstrations that software could cause internet-scale damage entirely on its own.
Who wrote it, and why
Robert Tappan Morris, a graduate student at Cornell University, wrote the worm — according to his own later account, intended as a way to gauge the size of the internet by having it quietly spread and report back, not as a deliberate attack. A design flaw in its replication logic caused it to re-infect already-infected machines repeatedly, compounding its load on each system far beyond what Morris reportedly intended.
How it actually spread
The worm exploited several distinct vulnerabilities to move between systems: a buffer overflow in the fingerd service, a debug mode in sendmail, and weak password guessing against rsh/rexec trust relationships between machines — technical details that mattered less to the wider public than the practical consequence: infected VAX and Sun systems running BSD-derived Unix slowed to the point of unusability, repeatedly re-executing worm copies.
The scale of the disruption
Within 24 hours, an estimated 6,000 of the roughly 60,000 machines then connected to the internet had been affected — a huge fraction of the entire internet’s population at the time, even though the total absolute number sounds modest by any later standard.
The legal aftermath
Morris was charged and convicted under the Computer Fraud and Abuse Act of 1986 — the first felony conviction under that statute, establishing an early legal precedent for prosecuting unauthorized computer intrusion and disruption as a serious federal crime, not merely a prank or civil matter.
The institutional response that outlasted the incident itself
In direct response to the Morris Worm, Carnegie Mellon University, with DARPA funding, established the CERT Coordination Center — one of the first dedicated computer emergency response teams, created specifically because the Morris Worm had demonstrated no coordinated body existed to respond to an internet-scale security incident when one actually happened.
Why this incident still matters to security practice
The Morris Worm is frequently cited as the moment the technical community first had to reckon, in a very concrete and disruptive way, with the reality that increasing network interconnection creates genuinely internet-scale risk from a single piece of software — a lesson that shaped the subsequent decades of coordinated vulnerability disclosure, incident response, and computer crime law that followed directly from this one 1988 incident.