By Charles Joseph | Cybersecurity Advocate
Most cybersecurity experts know Gordon Lyon by his pseudonym, Fyodor, but they all know him for his creation: Nmap, an incredibly advanced, feature-rich network scanner.
What started as a dorm-room programming experiment turned into one of the most widely used pieces of cybersecurity software ever created — and, for its creator, the passion project of a lifetime.
But the road to glory is usually paved with controversy, especially for cybersecurity champions. And for Gordon Lyon and Nmap, that journey has been particularly rocky.
Gordon Lyon at a Glance
- Gordon Lyon, aka Fyodor, learned to code on his father’s Apple IIe when he was in elementary school.
- After a friendly Unix hacking battle with a friend, he became obsessed with cybersecurity.
- In 1997, frustrated by the lack of an all-purpose network scanner, Lyon decided to create his own free, open-source tool: Nmap.
- He initially released Nmap to the public as an afterthought, but after seeing the glowing response to its debut, decided to keep developing new features for it.
- Critics decried Nmap for its potential use by cybercriminals, but Lyon persevered with the help of volunteer programmers and companies like Google, which supported its development.
- Today, Lyon continues to work on Nmap as he has for over 15 years, focusing on new features to maintain its status as the most advanced, usable network scanner out there.
The Life of Gordon Lyon
Gordon Lyon’s Early Life
Born in 1977, Gordon Lyon grew up around computers in an age where home computing was still incredibly niche.
His father had previously worked at IBM and still programmed as a hobby. By the time Lyon was 3, he had begun learning to use the Apple IIe and Commodore VIC-20, and soon he was writing his first BASIC code for the former machine.
After saving his money, he bought a computer of his own. It had a 12 MHz Intel 286 processor and a 2400 bps modem, which allowed him to go online for the first time.
Lyon quickly became a regular on BBS message boards, though he mostly stuck to local ones around the Phoenix area where he lived in order to avoid long-distance charges. But it wasn’t until he started high school in the early ’90s that he discovered — and fell in love with — Unix, hacking, and the broader internet.
It started when Lyon and his friend David realized that they both had internet-connected Unix shell accounts on the same ISP.
Unix was by far the most powerful OS Lyon had yet used, and he’d been spending much of his free time reading source code to learn how it worked. Now he could put his knowledge into practice by engaging in a friendly battle with David, racing to see who could hack the other’s account the fastest.
By the time Lyon went to college, he had become quite an adept Unix user, well-versed in permissions, code, networking, and security. He’d adopted the handle “Fyodor Vaskovich”, after Russian author Fyodor Dostoyevsky, and created his own website, “Fyodor’s Playhouse”.
While in college, Lyon’s interest in hacking blossomed, and he soon amassed an impressive collection of cybersecurity software. He also created Exploit World: a database of software vulnerabilities he’d found or read about, complete with bug details and exploits.
The Creation of Nmap
In the summer of 1997, Lyon found himself in Baltimore. He was doing a stint as a teaching assistant at a summer program for gifted youth at the esteemed Johns Hopkins University.
Johns Hopkins had set him up in a dorm room with Ethernet access, which was quite the novelty: residential Ethernet was still uncommon, and Lyon was ready to take full advantage of it. He set about scanning the entire Johns Hopkins network, exploring all the traffic, and mapping all the connected machines.
But the endeavor proved more complicated than he anticipated.
At the time, Lyon had access to numerous network scanners, but each had its limitations, often related to network protocols and packet types. Reflscan, for instance, could only detect SYN packets, and SATAN was only good for UDP scanning.
Lyon’s favorite network scanner was Strobe, created by Julian Assange, but even that program couldn’t do everything Lyon needed it to do. He hacked his network scanners as best he could but still dreamed of one program that could do it all seamlessly.
So he decided to create his own. In between teaching assistant shifts, he holed up in his room and built a new network scanner from scratch, one that was fast enough to scan large networks and robust enough to support every major scan type.
Lyon gave his creation a simple name: Nmap, short for “network map”.
Nmap Makes a Splash
At first, Lyon intended the software to be for his personal use only but soon realized that others might find it useful as well. He sent Nmap to Phrack Magazine, the biggest hacking publication at the time, and the magazine’s editor was impressed enough to publish an article about it.
Almost immediately, Lyon’s inbox was flooded with feedback from users: lots of praise and gratitude, but also bug reports and feature requests.
Lyon hadn’t expected this — he’d thought that Nmap would be a one-and-done project used by maybe a handful of other hackers. But he’d long been a proponent of free, open-source software and collaborative development, so he took the community’s suggestions and soon released a new, improved version of Nmap.
The new features only amplified Nmap’s growing profile in the cybersecurity world, and feedback continued pouring in. Lyon soon found himself working full-time on the project.
But he wasn’t alone: as is common in the open-source community, other programmers began volunteering their talents to the project. Lyon loved the collaborative approach: it felt truer to the ethos of free software, plus it freed up a little time for him to earn a living doing software and security consulting.
Nmap’s Controversy Grows
In 1999, Lyon cofounded the Honeynet Project, a research organization dedicated to investigating cyber threats and developing open-source cybersecurity software.
He also came up with a plan to quit consulting and work on Nmap full-time once again.
Lyon refused to charge individual users for Nmap, and he had no problem with other developers using components of it in their software as long as said software was also open-source. But various companies had approached him about using Nmap technology in their proprietary software, and Lyon felt that commercializing his free software was going too far.
However, if those companies were willing to pay him a license fee, that would be a different story.
Lyon started a new company, Insecure.Com LLC, and began licensing Nmap to corporations. Though he wasn’t sure about the venture at first, by 2002 he’d built up an impressive roster of customers that allowed him to devote himself fully to Nmap.
Nmap had now become the go-to network scanner for amateur hackers, cybersecurity pros, and everyone in between. It was so high-profile that it was even featured in the 2003 movie The Matrix Reloaded, in a scene where hacker protagonist Trinity uses it to scan ports on a power grid computer.
But its popularity had also drawn the attention of the FBI, which had noticed Nmap being used in an increasing number of cybercrimes. In 2004, Lyon received multiple subpoenas for server logs from the Nmap website — the authorities, it seemed, were trying to track down many of those who used his software.
At the same time, criticism of Nmap was mounting from outside the world of cybersecurity. Many found it irresponsible of Lyon to freely release software that held such strong appeal for cybercriminals.
Lyon wasn’t oblivious to the potential criminal uses of Nmap, but he also knew that there was no way to keep software out of the bad guys’ hands without also withholding it from the good guys. And if Nmap wasn’t public, the bad guys would just figure out another way to commit their crimes — and the good guys would lack the resources to stop them.
Nmap Into the Future
Despite the criticism Lyon had faced, Nmap had one big name on its side: Google. In 2005, the company brought him on as a mentor for the Summer of Code program, in which students with a talent for computer science were given the opportunity to work with renowned programmers.
Lyon’s group had ten students, and they spent the summer working on new Nmap features. He proved to be such a good mentor that Google brought him back in 2006 and 2007 as well.
But controversy struck again in 2007 when domain name host GoDaddy banned one of Lyon’s domains, SecLists.org, which maintained an archive of cybersecurity mailing lists.
In between updating Nmap for its 10th anniversary and maintaining SecTools.org, a database of the top 100 cybersecurity tools, Lyon eventually got SecLists.org back up. He was also busy in the physical world, traveling to speak about Nmap at conferences like DEFCON, IT-Defense, and CanSecWest.
Meanwhile, Nmap itself had become truly legendary in cybersecurity. Rather than merely being used to conduct research, it was now a research topic in its own right, with several academic papers being published on it.
Today, Nmap has received endorsements from organizations ranging from the US government’s Cybersecurity and Infrastructure Security Agency to Kali Linux, the popular pen-testing OS.
And over 15 years after he first released it, Lyon is still at its helm, continually developing new features to keep Nmap on the cutting edge of cybersecurity.
Gordon Lyon and Nmap: Fyodor’s Finest Work
Gordon Lyon was far from the first person to while away a summer coding on a dorm room computer.
But few of Fyodor’s fellow hobby programmers have managed to create something as powerful and long-lasting as Nmap, a tool so iconic that it’s been immortalized in the Matrix franchise and endorsed by CISA.
And though Lyon has endured his fair share of controversies, Nmap has proven so valuable to both burgeoning and veteran cybersecurity geeks that it’s not going anywhere anytime soon.