Port 79: Finger — The First Presence Protocol

Port 79 carries Finger traffic, the Internet's first presence protocol. Before status updates, before "last seen," before the green dot that means someone is online, there was Finger. You would type finger alice@mit.edu and learn whether Alice was logged in, when she was last seen, and what she was planning to do with her life.

This port answered the most fundamental question of networked existence: Is anyone there?

What Finger Does

The Finger User Information Protocol provides a simple way to query information about users on a remote system. When you send a query to port 79, the server responds with human-readable information: usernames, real names, terminal locations, idle times, and the contents of the user's .plan and .project files.¹

The protocol is elegant in its simplicity. Open a TCP connection to port 79. Send a username followed by a carriage return and line feed. Receive a stream of text about that person. Connection closes.

Send nothing but a blank line, and you get a list of everyone currently logged in. It was a window into the living, breathing state of a system, showing you who was present, who was idle, who had stepped away.

How It Works

The Finger protocol operates on a request-response model over TCP. A client connects to port 79, sends a single line query, and receives text output until the server closes the connection.¹

All data must be ASCII with no parity, lines ending in CRLF. The query format is simple:

• Empty query: Returns all online users
• Username query: Returns detailed information about that user
• Username with /W flag: Returns extended "whois" style information
• @hostname suffix: Forwards the query to another host (a feature that proved dangerous)

The server, called the Remote User Information Program (RUIP), gathers information from system databases and user-created files. The .plan file in a user's home directory became a form of self-expression, a personal message to anyone who came looking.¹

RFC 1288 includes a curious requirement: vending machines responding to Finger queries "should NEVER NEVER EVER eat money."¹ This was not a joke. People were already connecting Coke machines to the protocol.

The History

In 1971, Les Earnest sat at the Stanford Artificial Intelligence Laboratory watching his colleagues use a program called WHO. The output was a long list of logged-in users, and people would run their fingers down the screen, scanning for the name they wanted.²

So Earnest wrote FINGER.

The problem he was solving seems almost quaint now: SAIL researchers worked at all hours, and there was no way to know if someone was around before walking across the building to find them. FINGER showed who was logged in, when they last logged out, and what terminal they were sitting at.²

But FINGER did something more. It let users create a .plan file, a text file that anyone could read by fingering them. Originally meant for work schedules and vacation plans, the .plan file became something unexpected: the Internet's first microblog.³

The protocol spread across ARPANET. Ken Harrenstien formalized it in RFC 742 in December 1977.⁴ The Internet Engineering Task Force updated the specification in RFC 1288 in 1991, which remains the current standard.¹

Les Earnest died in August 2024, having invented the first network-wide service for determining presence information about users, a feature now copied by every chat application on Earth.²

The .plan File Culture

The .plan file was supposed to say what you were working on. Instead, it became something wilder.

Some people posted their actual plans. Others posted jokes, ASCII art, philosophical musings, or political rants. It was a blog before the word existed, a status update before social media, a way to broadcast your thoughts to anyone who came looking for you.⁵

The most famous .plan files belonged to John Carmack of id Software. During the development of Quake in 1996, Carmack uploaded his daily work logs to his .plan file, giving fans unprecedented access to the development process. "Quake is out. Finally," he wrote on July 1, 1996.⁶ These files have been archived on GitHub, a record of how games were made in the era before Discord and Twitter.

The .plan file was the first place ordinary people could publish their thoughts to the entire Internet, limited only by their imagination and ASCII characters.

The Cold Coke Problem

In 1982, graduate students at Carnegie Mellon University faced a crisis. The Coke machine was a long walk from their offices, and by the time they got there, it might be empty. Worse, it might have been recently refilled, meaning the sodas would be tragically warm.⁷

Mike Kazar, David Nichols, John Zsarnay, and Ivor Durham installed microswitches in each slot of the vending machine. They wrote a program that tracked when each column was restocked and how long the bottles had been cooling. Then Ivor Durham wrote a Finger server.⁷

Type finger coke@cmua from anywhere on ARPANET, and you could see which button would give you the coldest Coke.

This was one of the first Internet of Things devices, and it ran on port 79. The protocol designed to find your friends was repurposed to find cold beverages. RFC 1288's vending machine clause was not theoretical.⁷

The Morris Worm

On November 2, 1988, Robert Tappan Morris, a graduate student at Cornell, released a self-replicating program onto the Internet. Within hours, an estimated 6,000 machines, roughly 10% of the connected Internet, were infected or crashed.⁸

The Morris worm exploited three vulnerabilities. One was in sendmail. One was in the trust relationships between machines. And one was in fingerd, the Finger daemon listening on port 79.⁸

The fingerd program used a function called gets() to read user input into a 512-byte buffer. The function had no bounds checking. Morris sent a carefully crafted 536-byte string that overflowed the buffer, overwrote the return address on the stack, and redirected execution to shellcode that spawned a root shell.⁹

The buffer overflow in fingerd was arguably the first malicious exploitation of this class of vulnerability in the wild.⁹ It demonstrated that a simple protocol designed for human connection could become a weapon.

Morris became the first person convicted under the Computer Fraud and Abuse Act. The incident prompted DARPA to establish CERT/CC at Carnegie Mellon, creating a coordinated response capability for network emergencies.⁸

And the gets() function? It was eventually removed from the C standard library entirely. Too dangerous to exist.

Security Considerations

Finger was designed for a world that trusted strangers. It freely disclosed usernames, real names, email addresses, login times, idle times, and whatever users chose to put in their .plan files.¹

This information is reconnaissance gold:

• Username enumeration: Query for common names and learn which accounts exist
• Social engineering: Full names and office locations enable targeted attacks
• Activity patterns: Idle times and login histories reveal when systems are unattended
• User-controllable content: .plan files can contain misleading or malicious information

RFC 1288 acknowledged these concerns and recommended administrators have controls to disable user listings, limit forwarding queries, and audit access.¹ But the fundamental design assumed good faith.

The query forwarding feature (the @hostname syntax) allowed chaining queries across multiple hosts, potentially bypassing firewalls and masking the origin of reconnaissance. Most modern deployments disable this entirely.

If you encounter a Finger server today, it is either a legacy system that should be retired, a honeypot, or a hobbyist running retro protocols for fun. In enterprise environments, Finger deployment is confined to isolated intranets and air-gapped systems.¹⁰

Modern Echoes

Finger is technically still implemented. Windows includes finger.exe. Most Unix systems have a finger client. The protocol specification has not been updated since 1991, and no new RFCs have superseded it.

A small community of enthusiasts maintains the "fingerverse," experimenting with the protocol as a form of decentralized, low-bandwidth social networking.¹⁰ Modern implementations exist on GitHub, including finger servers in Node.js and Go, clients for various platforms, and even multi-protocol browsers that support Finger alongside Gemini and Gopher.

In 2024, security researchers documented threat actors using the Windows finger.exe command as a living-off-the-land technique to fetch payloads while evading detection.¹⁰ A protocol from the 1970s, largely forgotten, has become a covert channel precisely because modern security tools do not monitor for it.

The core insight of Finger, that networks create presence and presence is information worth sharing, now underpins billions of dollars of infrastructure. Every green dot in Slack, every "last seen" in WhatsApp, every "online" status in Discord traces its lineage to Les Earnest watching people run their fingers down a screen.

Related Ports