PärPod by Claude
PärPod by Claude
PärPod by Claude
nc: A Tool With No Author
13m · May 08, 2026
nc: A Tool With No Author

nc: A Tool With No Author

What We Know

This episode is a detective story. The crime, if you want to call it that, is not really a crime. It is closer to a vanishing. A piece of software, used every day by hundreds of thousands of system administrators and security researchers, was written by someone whose real name nobody can confirm. The someone is still alive. The someone still answers email. The someone has a public website. The someone has, in thirty years, never told anyone in public who he actually is.

His name, on the program he released, is Hobbit. The email address on the original release was hobbit, at, avian, dot org. The release date was the twenty-eighth of October, nineteen ninety-five. He sent the announcement to a security mailing list called BugTraq.

The program he announced was called netcat. It was small. It was elegant. It was written in C. It did one thing, in the broadest possible sense. It connected one computer to another, and let bytes flow between them. From that one capability you could build, with a little ingenuity, almost anything else. A file transfer tool. A port scanner. A chat program. A web server. A reverse shell. A network proxy. The author called it a swiss army knife. The name stuck.

This episode is about the program. It is also about the question that has haunted every netcat tutorial ever written.

[slow] Who is Hobbit.

The Evidence on the Table

Let us lay out what we have.

The first piece of evidence is the BugTraq announcement from October nineteen ninety-five. It is a careful, technical message. The writer describes netcat as a simple Unix utility that reads and writes data across network connections, using either the TCP or the UDP protocol. He describes it as a feature rich network debugging and exploration tool. He notes that it can create almost any kind of connection. The writing is precise. The technical vocabulary is exactly correct. Whoever wrote it had been doing networking for years and was used to writing for an audience of professionals.

The second piece of evidence is the man page that ships with the program. The man page, the standard Unix help text, ends with a few lines of personal flavor that almost no other man page has. The author dedicates the program to the internet community. He notes that he assumes no responsibility for what people do with it. He mentions that if netcat happens to make anyone rich, they should consider mailing him a check. Then he closes with three short sentences that have, for thirty years, been the calling card of whoever wrote netcat.

The first sentence is technical. The second sentence is hostile, in a strange way, to a specific corporation. The third sentence is the strangest of all.

Always ski in control.

That is in the manual page of a network programming utility. The author included it. Nobody else has ever explained it. It does not appear to be a quote of anyone famous. The implication seems to be that the author is or was a skier. Possibly an aggressive skier. Possibly someone who had hurt themselves skiing and was passing on a piece of folk wisdom. We cannot verify.

The third piece of evidence is the email address. Avian, dot, org. Avian, as in birds. The domain still exists. It still appears to be Hobbit's. From it we can guess he likes birds. Or he liked birds in nineteen ninety-five and registered a clever domain. We cannot conclude much from this.

The fourth piece of evidence is the program itself. We have the source code. The source code is, as netcat veterans will tell you, beautifully written. The data structures are simple. The control flow is clean. The platform abstractions, accumulated over years of patches from contributors, are minimal but correct. Whoever wrote netcat had taste. Hobbit credits, in his readme, several specific contributors who helped over the years. One of them is named Mudge. Mudge is also a pseudonym, but Mudge is well documented. Mudge was a member of a famous Boston hacker collective called L0pht Heavy Industries, which was active in the mid to late nineteen nineties. Mudge would later testify before the United States Senate, found a security company that was acquired by Symantec, and become a senior security executive at Twitter under his real name, Peiter Zatko.

This is one of our better leads. If Mudge contributed code to netcat, Hobbit and Mudge knew each other. The L0pht crowd knew each other. The L0pht eventually became a security consultancy called atstake. Atstake was acquired by Symantec. So a reasonable inference is that Hobbit was either a member of L0pht, or an associate of L0pht, or somebody in the same scene of nineteen nineties Boston area security researchers.

This inference appears, with hedging, in several places online. A long discussion thread on the Wikipedia talk page for netcat, started in two thousand thirteen, debates whether Hobbit was an L0pht member or just a friend of one. The thread reaches no conclusion. It links to a few books that mention the connection but does not pin a name on Hobbit.

So we know, with reasonable confidence, that Hobbit was a security researcher in the Boston area in the mid nineteen nineties, knew Mudge, and probably knew most of the L0pht crew. We do not know his real name.

What He Built

While we are between clues, let us pause and look at what netcat actually does. This is also the how to use it section, because the two things are the same. Hobbit's tool has no separate manual. The tool itself is the manual.

You type nc, then a hostname, then a port number. Like this. NC google dot com eighty.

The program opens a connection to that machine on that port. Whatever you type in your terminal goes to the remote machine. Whatever the remote machine sends back appears in your terminal. That is the entire interactive mode. You are speaking, byte for byte, to whatever program is listening on the other side. If you connected to a web server, you can type an HTTP request by hand and get an HTML response back. If you connected to an email server, you can type an SMTP conversation. The tool puts you face to face with the network protocol, with no library or wrapper between you.

The other mode is listen mode. You type nc, dash l, then a port number. Now your machine is the server. Anyone who connects to that port and that machine gets to type at you. You type back. You have built a chat program. With one option you can have it close after the first connection or keep accepting new ones.

The combinations are where it gets interesting. You can pipe a file into one nc and pipe the other nc to a file. Now you have a file transfer. You can pipe a tar archive in. Now you have a directory transfer. You can wrap nc around a shell. Now you have a remote shell, with no encryption, no authentication, and no logs. This is why most modern Linux distributions ship a deliberately less powerful version of netcat than Hobbit's original. The unrestricted version is too useful to attackers. The OpenBSD project rewrote it from scratch in two thousand one with the dangerous features removed.

There is a kind of wholeness to the tool. It does almost nothing on its own. It does almost everything in combination with other things. It is the most Unix philosophy program ever written, more so than grep or sed or awk, because it has no opinions. It just connects. The opinions belong to whoever uses it.

The Trail Goes Cold

Back to the investigation.

If you search the public internet for Hobbit, the trail is, frustratingly, not cold. It is just unhelpful. Hobbit appears to still maintain a personal website on a domain called techno fandom dot org. The site has a directory under his pseudonym. The directory contains random material accumulated over decades. There is the original netcat tarball from nineteen ninety-six. There are essays about water heaters. There is a photo essay from inside a Newport, Rhode Island, Gilded Age mansion. There is a quick fix for the sharp edges of an early unibody MacBook. There is a review of a Garmin Nuvi GPS that takes Garmin to task for having declined in product quality.

None of this is fake. The writing voice across all the pages is consistent. It is the same voice as the netcat readme. Slightly cranky. Technically precise. Patient. Unwilling to use a word where two will do, but also unwilling to round off any sharp edge that is actually true. He has opinions about water heater anode rods. He has opinions about train ride share apps. He has opinions about, mostly, the way physical and digital things are supposed to work. The site reads like a personal commonplace book maintained for thirty years by someone with no audience and no commercial interest. It is, in its own way, a beautiful artifact.

What the site does not contain, anywhere, is the author's real name.

He answers email at the avian dot org address. He answers email at the techno fandom address. People who have written to him over the years, asking about netcat, report that he replies politely, technically, and never identifies himself further. The pseudonym Hobbit has held for thirty years.

Why This Matters

There is a temptation, in writing the history of a tool, to want a big reveal. The grandfather of netcat is a famous person. He turned out to be a senator's nephew. Or he wrote netcat in a single night while in graduate school under his real name. Or there is a touching dedication on the source code that everyone missed.

There is no reveal. Hobbit just keeps writing his website. Netcat just keeps running.

This is, when you sit with it, the actual lesson. The previous episodes in this series have all centered on a name. Ken Thompson. Lee McMahon. Brian Kernighan. Tatu Ylönen. Daniel Stenberg. Mike Muuss. Theo de Raadt. The name carries the story. The person is the lens through which you understand the tool. The legacy belongs, in some real sense, to the person.

Netcat does not work that way. The tool exists. The author exists. They have been kept apart, on purpose, by the author, for thirty years. Whatever Hobbit's reasons are, he has been completely consistent about them. He has not appeared at conferences. He has not written a memoir. He has not given an interview under any name we know to attach to his face. The closest thing to a public statement of intent is the line in the man page about wanting credit where it is due, but not GPL, not Berkeley copyrights, not any of that nonsense. Just credit. To the name Hobbit.

[slow] He chose to be the program, not the person.

In a culture that increasingly insists that every piece of software have a brand, a face, a Twitter account, a fundraising banner, a substack, and an LLC, this is unusual to the point of being almost ideological. Hobbit was working in nineteen ninety-five, before any of that was required. He has not adapted. He has not opened a personal account. He has not signed up to be a public figure on the internet that he, in part, helped build.

Netcat keeps running. The OpenBSD rewrite is on every Mac. The nmap rewrite, called ncat, is on every penetration tester's laptop. The traditional one, with the dangerous flags intact, is still in the backup repositories of most Linux distributions for the people who know they need it. The man page still contains the line about Microsoft Network. The man page still contains the line about skiing.

We will not be solving this case. The author of one of the most useful programs of the last thirty years has decided that he wants to be left alone, and the internet, in a quiet way, has agreed to leave him alone. The pseudonym holds. The water heater essay is still on his website. The email address still works. Somewhere in the Boston metropolitan area, or possibly in Vermont, or possibly somewhere else entirely, a man who likes birds and skiing and hardware that does its job, opens his email occasionally and answers questions about a program he wrote thirty years ago.

[slow] Always ski in control.

That is the one piece of evidence he wanted to leave on the record.

PärPod