
The Morris Worm

In 1988 a graduate student released a self-replicating program to measure the internet. A bug in its restraint logic instead became the internet's first disaster.

Cyber Chronicle · 2 min read

On the evening of November 2, 1988, a program written by a Cornell graduate student named Robert Tappan Morris began copying itself between machines on the early internet. Within hours, an estimated six thousand computers — a significant fraction of everything connected at the time — were grinding to a halt under repeated reinfection.

A measurement that did not stay one

Morris later said the program was intended to gauge the size of the internet by quietly propagating and counting. To avoid detection it exploited known weaknesses — a debug feature in sendmail, a buffer overflow in fingerd, weak passwords — and to avoid drawing attention it was supposed to mostly skip machines it had already infected. The restraint logic had a flaw. Roughly one in seven times, the worm reinfected a host regardless. The compounding reinfections turned a measurement tool into a denial-of-service event against itself.
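
A toy model of the reinfection rule described above, added here as an illustration and not taken from the worm or from this chronicle: it compares a strict skip-if-infected check with the one-in-seven override and counts the running copies each host ends up carrying. The host count, the attempts per round, uniform random targeting and the names `simulate` and `summarize` are assumptions.

```python
import random

# Toy model (assumptions, not the worm's real behaviour): every running copy
# makes a fixed number of attempts per round against uniformly random hosts,
# and copies never exit once they are running.


def simulate(hosts, rounds, attempts_per_copy, keep_probability, seed=1988):
    """Return the number of running copies on each host after `rounds`.

    keep_probability is the chance that a copy arriving on an already
    infected host keeps running instead of exiting.
    """
    rng = random.Random(seed)          # seeded so runs are repeatable
    copies = [0] * hosts
    copies[0] = 1                      # a single initial copy
    for _ in range(rounds):
        arrivals = [0] * hosts
        for host, running in enumerate(copies):
            for _ in range(running * attempts_per_copy):
                target = rng.randrange(hosts)
                if target != host:
                    arrivals[target] += 1
        for host, arrived in enumerate(arrivals):
            for _ in range(arrived):
                # A clean host is always infected; an infected host only
                # gains another copy when the override fires.
                if copies[host] == 0 or rng.random() < keep_probability:
                    copies[host] += 1
    return copies


def summarize(copies):
    """Infected host count, total running copies, worst per-host load."""
    return sum(1 for c in copies if c), sum(copies), max(copies)


if __name__ == "__main__":
    for label, p in (("strict skip", 0.0), ("1-in-7 override", 1 / 7)):
        infected, total, worst = summarize(simulate(200, 15, 2, p))
        print(f"{label:16} infected={infected} copies={total} worst_host={worst}")
```

With the strict check the load per host is capped at one copy; with the override the total keeps growing after every host is already infected, which is the load that stalled machines.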

The legal and institutional firsts

There was no playbook for response, so administrators improvised, sharing patches over a network that the worm itself was congesting. The aftermath produced enduring institutions: Morris became the first person convicted under the 1986 US Computer Fraud and Abuse Act, and the incident directly prompted the creation of the first Computer Emergency Response Team (CERT/CC) at Carnegie Mellon.

What the chronicle remembers

The Morris Worm is the field's origin myth. It established, in a single night, that self-propagating code does not respect the intent of its author, that the internet had no immune system, and that the institutions to build one would have to be invented from scratch. Every later worm chronicle is, in some sense, a footnote to this one.