Museum Wire
Law 0 · Katie's LawEvery system is shaped by the human drive to do less work. This is not a flaw. It is the economic force that produces all software — and all software failure.Law I · Boundary CollapseWhen data crosses into a system that interprets structure, without being constrained, it becomes executable.2026 IncidentAxios. 70 Million Downloads a Week. North Korea Inside.Law II · Ambient AuthorityWhen a system trusts the presence of a credential instead of verifying the intent behind it, authentication becomes indistinguishable from authorization.AXM-001Set Theory — Membership, Boundaries, and BelongingLaw III · Transitive TrustWhen a system inherits trust from a source it did not verify, the attack surface extends to everything that source touches.2026 IncidentClaude Code — The Accept-Data-Loss FlagLaw IV · Complexity AccretionSystems do not become complex. They accumulate complexity — one reasonable decision at a time — until no single person can hold the whole in their head.Law V · Temporal CouplingCode that assumes sequential execution, stable state, or consistent timing will fail the moment concurrency, scale, or latency proves the assumption wrong.2026 IncidentCopy Fail — 732 Bytes to Root on Every Linux DistributionAXM-002Boolean & Propositional Logic — True, False, and the Excluded MiddleLaw VI · Observer InterferenceWhen the system that monitors health becomes a participant in the system it monitors, observation becomes a failure vector.2025Amazon Kiro — The 13-Hour Outage2025Operation Chrysalis: The Notepad++ Supply Chain Hijack2025Replit Agent — The Vibe Code Wipe2025Shai-Hulud — The npm Worm That Ate Its Own Ecosystem2024Air Canada Chatbot — The Policy That Wasn't2024Change Healthcare — One-Third of US Healthcare, One Missing MFA2024CrowdStrike — The Security Update That Broke the World2024Google Gemini Image Generation — The Six-Day Pause2024XZ Utils — The Two-Year Infiltration20233CX — The Supply Chain That Ate Another Supply Chain2023Amazon Prime Video — The Per-Frame State Machine2023Bing Sydney — The Chatbot That Went Rogue2023Samsung ChatGPT Leak — The Employee Who Pasted the SecretEFFODE · LEGE · INTELLEGELaw 0 · Katie's LawEvery system is shaped by the human drive to do less work. This is not a flaw. It is the economic force that produces all software — and all software failure.Law I · Boundary CollapseWhen data crosses into a system that interprets structure, without being constrained, it becomes executable.2026 IncidentAxios. 70 Million Downloads a Week. North Korea Inside.Law II · Ambient AuthorityWhen a system trusts the presence of a credential instead of verifying the intent behind it, authentication becomes indistinguishable from authorization.AXM-001Set Theory — Membership, Boundaries, and BelongingLaw III · Transitive TrustWhen a system inherits trust from a source it did not verify, the attack surface extends to everything that source touches.2026 IncidentClaude Code — The Accept-Data-Loss FlagLaw IV · Complexity AccretionSystems do not become complex. They accumulate complexity — one reasonable decision at a time — until no single person can hold the whole in their head.Law V · Temporal CouplingCode that assumes sequential execution, stable state, or consistent timing will fail the moment concurrency, scale, or latency proves the assumption wrong.2026 IncidentCopy Fail — 732 Bytes to Root on Every Linux DistributionAXM-002Boolean & Propositional Logic — True, False, and the Excluded MiddleLaw VI · Observer InterferenceWhen the system that monitors health becomes a participant in the system it monitors, observation becomes a failure vector.2025Amazon Kiro — The 13-Hour Outage2025Operation Chrysalis: The Notepad++ Supply Chain Hijack2025Replit Agent — The Vibe Code Wipe2025Shai-Hulud — The npm Worm That Ate Its Own Ecosystem2024Air Canada Chatbot — The Policy That Wasn't2024Change Healthcare — One-Third of US Healthcare, One Missing MFA2024CrowdStrike — The Security Update That Broke the World2024Google Gemini Image Generation — The Six-Day Pause2024XZ Utils — The Two-Year Infiltration20233CX — The Supply Chain That Ate Another Supply Chain2023Amazon Prime Video — The Per-Frame State Machine2023Bing Sydney — The Chatbot That Went Rogue2023Samsung ChatGPT Leak — The Employee Who Pasted the SecretEFFODE · LEGE · INTELLEGE
Keyboard Navigation
W
A
S
D
or arrow keys · M for map · Q to exit
← Back to Hall of Heroes
Larry Wall pixel portrait
⬡ Pioneer⬢ Builderfame

Larry Wall

@larry

Creator of Perl

1980s–1990s · 4 min read
There's more than one way to do it.

The Story

Larry Wall was a linguist before he was a programmer, and it shows. He studied natural languages at graduate school, and when he created Perl in 1987, he designed it the way natural languages work: expressive, context-sensitive, full of synonyms, and tolerant of ambiguity. Where other language designers sought mathematical purity, Wall sought expressiveness.

Perl 1.0 was released as a text-processing language — a better awk, a more capable sed. It could do in one line what shell scripts took ten to accomplish. Regular expressions were first-class citizens. String manipulation was effortless. Variable interpolation in double-quoted strings meant you could embed variables directly: "Hello, $name" just worked.

Then the web happened.

In the early 1990s, the Common Gateway Interface (CGI) gave web servers a way to execute programs in response to HTTP requests. Perl was perfectly positioned: it was already installed on most Unix systems, it excelled at text processing, and it could read form data and generate HTML with minimal code. Perl CGI scripts became the engine of the interactive web. Guestbooks, counters, form handlers, early e-commerce — if a website did something dynamic before PHP and Java arrived, it was probably Perl.

The variable interpolation that made Perl so convenient for text processing became, in the CGI context, one of the most consequential design choices in security history. Consider this pattern:

``perl

my $query = "SELECT * FROM users WHERE name = '$user_input'";

`

In Perl, double-quoted strings interpolate variables. The $user_input is replaced with its value before the string is complete. If that value contains a single quote, the SQL statement breaks in ways the programmer never intended. This is the injection vector documented in Exhibit EXP-001 — The Concatenated Query. The Perl CGI variant is particularly insidious because the interpolation is invisible. There's no concatenation operator to see. The variable just... appears in the string. The boundary between code and data dissolves.

Wall's philosophy — "There's more than one way to do it" (TMTOWTDI, pronounced "tim-toady") — was the anti-thesis of Python's "one obvious way." Perl gave you five syntaxes for the same operation. unless instead of if not. Postfix conditions (print "hello" if $ready`). The diamond operator, the spaceship operator, the goatse operator (yes, really). The language was a toybox for people who loved cleverness.

This expressiveness had a cost. Perl became famous for write-only code — programs that worked perfectly and were completely incomprehensible six months later. The regex-heavy, context-dependent, syntax-rich style that made Perl powerful also made it a maintenance hazard. By the 2010s, Perl's popularity had declined sharply, replaced by Python and Ruby in most niches.

Why They're in the Hall

Wall is a Pioneer and Builder whose creation left fingerprints on both the web and the security landscape.

Pioneer: Wall brought linguistic thinking to programming language design. The idea that a programming language should work like a human language — with context, ambiguity, expressiveness, and multiple valid ways to say the same thing — was genuinely original. It was also a direct philosophical challenge that Guido van Rossum explicitly rejected when designing Python. The Wall-van Rossum axis (expressiveness vs. readability) remains one of the fundamental tensions in language design.

Builder: Perl built the early web. Not the static web of HTML pages — the interactive web. The web where you could submit a form and get a response. The web where databases backed websites. The web that became e-commerce, social media, and everything that followed. Perl was the first language most web developers used, and its patterns — good and bad — echoed through PHP, Ruby, and JavaScript.

The injection story is the hard part. Variable interpolation in double-quoted strings isn't a bug. It's a feature — one of Perl's best features for text processing. But when that feature met user-supplied input in a CGI context, it created a class of vulnerability that has caused more security incidents than perhaps any other single pattern. The Concatenated Query exhibit documents the result. Perl didn't invent SQL injection, but its design made it frictionless. The boundary between "convenient string building" and "injection vulnerability" is exactly zero characters wide in Perl.

Wall's creation is a reminder that design choices have downstream consequences their creators cannot foresee. Nobody designing variable interpolation in 1987 was thinking about SQL injection in 1997. The feature and the vulnerability are the same thing, viewed from different angles. That's not a failure of design. That's the nature of software in an evolving ecosystem.