1/ Let's talk about CodeRed for a moment. It's one of the watershed events in the early history of the Internet.

https://twitter.com/VessOnSecurity/status/1125892301430108160

2/ You can read about it on the Wikipedia page. It was a major worm in 2001 that spread through Microsoft's IIS webservers.
en.wikipedia.org/wiki/Code_Red_…

3/ Sometime before the worm happened, I got an email from a higher up at Microsoft "BTW, I tried to hack your website over the weekend". This was appropriate, we had a close relationship were such things were allowed.

4/ However, his hacking attempt failed, because I had the ".ida" extension turned off, as did a lot of servers. The majority of machines the worm infected were in fact workstations that had the extension enabled by default.

5/ Back in those days, the default configuration of all systems, Windows, Solaris, Linux included, was to enable all sorts of stuff, which was insecure as heck. Hardened systems were relatively secure.

6/ Solaris worms were much worse in general when CodeRed happened, but CodeRed was worse than any Solaris worm because of the sheer numbers of desktops, not because of a difference in servers.

7/ Anyway, I was at some sort of corporate function with @kevinmitnick in attendance, soon after his release from jail. Apparently, he'd heard of the .ida bug (which hadn't been disclosed yet), which I found a bit odd.

8/ I wrote a tarpit for CodeRed (I called it "deredoc"). I'd written a tarpit for the Morris worm, but it didn't work then because the Morris worm was well written and timed out connections. CodeRed didn't, so tarpits stopped the worm.

9/ A "tarpit" is a tool that will accept incoming connections and simply hold open the connection forever. This causes worms like CodeRed to eventually run out of resources and stop running because all the connections are left open.