Museum Wire
1988 · breach · Public

The Morris Worm — The First Internet Pandemic

First internet worm infected ~6,000 Unix machines (10% of the internet), causing widespread disruption. The worm's source code disk is preserved at the Boston Museum of Science.

Root Cause

Exploited known vulnerabilities in sendmail, fingerd (buffer overflow), and rsh/rexec. A bug in the worm's self-propagation logic caused re-infection of already-infected machines, creating crippling load the author claimed was unintended.

Aftermath

Robert Tappan Morris became the first person convicted under the Computer Fraud and Abuse Act. Fined $10,000. The incident is credited with exposing fundamental internet vulnerabilities and accelerating the creation of CERT/CC. Morris is now a professor at MIT.

The Incident

On November 2, 1988, Robert Tappan Morris — a 23-year-old Cornell University graduate student — released a self-replicating program onto the internet. Within hours, approximately 6,000 Unix machines were infected. This represented roughly 10% of the entire internet at the time.

The Root Cause

The worm exploited three known vulnerabilities: a debug mode in sendmail that allowed remote command execution, a buffer overflow in fingerd, and trust relationships in rsh/rexec that allowed propagation to connected systems. All three vulnerabilities were known before the worm was released.

The devastating impact was partially unintended. Morris included a mechanism to prevent re-infection: the worm would check if a copy was already running and, in most cases, skip that machine. But he set the re-infection rate to 1 in 7 — meaning every seventh check would re-infect regardless. This was intended to prevent administrators from creating dummy processes to immunize their machines. In practice, it caused exponential re-infection that consumed all available CPU and memory, effectively creating a denial-of-service attack.
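A toy population model of the re-infection rule described above, added here as an illustration and not derived from the worm's own code. It simulates hosts as counters of running copies, compares a strict "skip if already running" check against the 1-in-7 override, and reports the load per host; host count, round count and the fixed RNG seed are constructed parameters.

```python
"""Toy model of the Morris worm's re-infection rule (added example, not the worm's code).

Each running copy makes one infection attempt per round against a random host.
On arrival the copy asks "is a copy already running here?":
  - no  -> the host becomes infected (one copy)
  - yes -> the copy exits, EXCEPT with probability `reinfect_prob`
           (the worm used 1 in 7), where it stays anyway.
Every copy that stays keeps attempting, so copies per host compound: the
override meant to defeat dummy "immunizing" processes is what drives the load.
"""
import random
from collections import Counter


def simulate(hosts: int, reinfect_prob: float, rounds: int, seed: int = 0) -> dict:
    """Return infected-host count, total running copies and the busiest host's load."""
    rng = random.Random(seed)              # constructed: fixed seed, deterministic run
    copies = Counter({0: 1})               # host id -> running copies; host 0 is patient zero
    for _ in range(rounds):
        attempts = sum(copies.values())    # every running copy scans once per round
        for _ in range(attempts):
            target = rng.randrange(hosts)
            if copies[target] == 0:
                copies[target] = 1         # fresh host: infect it
            elif rng.random() < reinfect_prob:
                copies[target] += 1        # the 1-in-7 case: stay despite the check
            # otherwise the arriving copy exits quietly
    infected = sum(1 for c in copies.values() if c > 0)
    return {"infected_hosts": infected,
            "total_copies": sum(copies.values()),
            "max_per_host": max(copies.values())}


def compare(hosts: int = 50, rounds: int = 30) -> tuple:
    """Strict check-and-skip versus the worm's 1-in-7 override, same seed and network."""
    return simulate(hosts, 0.0, rounds), simulate(hosts, 1 / 7, rounds)


if __name__ == "__main__":
    strict, morris = compare()
    print("strict check :", strict)   # copies never exceed one per host
    print("1-in-7 rule  :", morris)   # total copies keep growing after every host is infected
```

With the strict check the worm saturates the network and then stops growing; with the override the copy count keeps compounding after saturation, which is the CPU and memory exhaustion the text describes.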

The Aftermath

Morris was the first person convicted under the Computer Fraud and Abuse Act of 1986. He was sentenced to three years of probation, 400 hours of community service, and fined $10,000. The incident directly led to the creation of CERT/CC (Computer Emergency Response Team) at Carnegie Mellon University — the first coordinated vulnerability response organization.

The worm's source code was preserved on a floppy disk now held at the Boston Museum of Science. Morris went on to become a professor of computer science at MIT and co-founded Y Combinator.

Why It Matters

The Morris Worm demonstrated that connected systems amplify failures exponentially. A buffer overflow in a single service — combined with network connectivity — turned a local vulnerability into a global incident. The same pattern would repeat with Code Red, Slammer, Conficker, WannaCry, and every other worm for the next 35 years. The vulnerabilities changed. The amplification mechanism didn't.

Techniques
buffer overflow · unix exploitation