At 8:30 in the evening on November 2, 1988, a 23-year-old computer science graduate student at Cornell University ran a small program from a terminal at the Massachusetts Institute of Technology.
He had written the program himself. He believed it would do something interesting and harmless — silently spread across the early internet, count how many computers it could reach, and quietly report back. It was 99 lines of code, written in C. He had been working on it for months.
Within hours of his pressing return, somewhere around 6,000 of the 60,000 computers connected to the internet had crashed. Universities went dark. Government labs disconnected their network cables in panic. System administrators in California, Massachusetts, Maryland, and Illinois sat through the night trying to figure out what was destroying their machines and why turning them off and on did not help.
The graduate student’s name was Robert Tappan Morris. The program he released has been known, ever since, as the Morris Worm. It was the first time anyone had ever broken the internet.
What he was actually trying to do
It’s worth being clear about what Morris meant to happen, because the story has often been retold as a deliberate attack and it wasn’t.
Morris wanted to measure the size of the internet. In 1988, nobody actually knew how big the network — then called ARPANET — was. It had grown from a small Pentagon research project into something connecting universities, research labs, and military sites across the country, but the exact count of connected machines was a matter of guesswork.
Morris’s idea was elegant. Write a program that could quietly hop from computer to computer, install itself, send back a small signal, and move on. At the end, you’d have an accurate census of the early internet. It was, conceptually, an experiment in mobile computing as much as a piece of malware.
He released it from an MIT terminal rather than Cornell, where he was actually studying — a precaution intended to disguise the program’s origin if anyone happened to notice it running.
To do its job, the worm exploited known vulnerabilities in three common internet programs of the era: sendmail (which handled email), fingerd (which let users look up information about other users), and the rsh/rexec remote-execution tools. It also attempted to crack weak passwords on systems it reached. None of these techniques were unique to Morris — security researchers had been writing about them for years. He just wove them into a program that could use them to spread.
What went wrong sat in a single design choice.
The single line that broke everything
Morris anticipated that some system administrators, once they understood what was happening, might try to defend their machines by spoofing an “I’m already infected” signal — telling the worm to skip them. To defeat that defence, he programmed the worm with a rule: in roughly 1 of every 7 cases, it should ignore the “already infected” response and reinfect the machine anyway.
The intent was reasonable. The number was catastrophic.
A 1-in-7 ignore rate — about 14% — was far too high. Computers that had already been infected were being reinfected, again and again, sometimes dozens of times. Each new copy of the worm spawned new processes. Each new process consumed more CPU and memory. Within hours, infected machines were running so many copies of the worm that they ran out of resources to do anything else. They simply seized up.
Worse, the worm was extraordinarily good at spreading. As soon as one machine on a network was infected, it would quickly reach every connected machine. Universities found that turning off a single computer didn’t help — others on the same network would simply reinfect it the moment it came back online. The only effective defence was to physically disconnect machines from the internet entirely.
By the morning of November 3, an estimated 6,000 computers — roughly 10% of every machine then connected to the internet — were either crippled or completely offline.
The aftermath
The scale of what had happened took days to register fully.
Universities lost computing time worth millions of dollars in 1988 money. Defence research sites were partially blacked out. The fledgling community of system administrators — most of whom had never seen anything resembling a malicious program — communicated by phone and fax to piece together what was happening, since email itself was one of the things being attacked.
By the time the worm was contained and the infections cleared, Morris had been identified. His father, Robert Morris Sr., was a senior cryptographer at the National Security Agency — a biographical detail that, when it became public, added an unmistakable strangeness to the story. The son of one of America’s most respected computer security experts had accidentally crashed the internet.
Morris was prosecuted under the recently passed Computer Fraud and Abuse Act and became the first person ever convicted under it. He was sentenced to three years’ probation, 400 hours of community service, and a fine of just over $10,000. He was not sent to prison.
What changed because of it
The Morris Worm is the most important moment in the history of cybersecurity, because it ended an era.
Before November 1988, the internet was built on trust. The systems connecting universities and research institutions had been designed by people who assumed the only other people on the network were colleagues. Security was minimal. Passwords were often default values. Programs that could spread silently between machines were a theoretical curiosity, not a class of weapon.
The worm ended that assumption permanently. Within weeks of the incident, the Defence Advanced Research Projects Agency funded the creation of the Computer Emergency Response Team — CERT — at Carnegie Mellon University, the first organisation in history specifically established to handle internet security incidents. Universities began taking network security seriously. The Computer Fraud and Abuse Act gained its first conviction and its first real teeth.
The modern cybersecurity industry, in many ways, dates from that single night in November 1988.
Robert Tappan Morris himself went on to become a respected professor at MIT — the same institution he had used to disguise the launch of his worm — and a co-founder of Y Combinator, the influential Silicon Valley startup accelerator. He has spent his career, by all accounts, doing serious and valuable work in computer science.
But for 23 hours on a Wednesday night in 1988, his 99 lines of code did something nobody had ever managed to do before. They broke the internet.
