Fernando Corbató and Time-Sharing

Summary

Fernando Corbató invented time-sharing — the technique that allows multiple users to share a computer simultaneously by rapidly switching between their programs — and then spent a decade building Multics, the most ambitious operating system ever attempted. Time-sharing transformed computing from a batch-processing priesthood into an interactive discipline; Multics was too complex and too slow to succeed commercially but so conceptually rich that every modern operating system is built on ideas it pioneered. Corbató also invented the computer password. He received the Turing Award in 1990, thirty years after his first time-sharing demonstration, for work that had by then so thoroughly penetrated computing that its origins were invisible.

Before Time-Sharing: The Batch Processing Priesthood

Computing in 1960 was an exercise in scheduled access. A researcher who needed computation prepared a job — a deck of punched cards containing a program and its data — and submitted it to the computer center. An operator loaded the job, the computer ran it, and the researcher collected their output printout hours or days later. If the program had an error, the cycle began again.

This model concentrated computing in a small professional class of operators who mediated access to scarce machines. The researcher’s interaction with the computer was indirect and asynchronous; the feedback loop between writing code and seeing results could span days. Programming was slow precisely because debugging was slow, and debugging was slow because getting a program to run required scheduling access to a machine that served dozens or hundreds of users in sequence.

Fernando José Corbató recognized that the scheduling constraint was artificial. A computer’s processor was fast enough that even while running one user’s program, it spent most of its time waiting — for memory fetches, for input/output operations, for the inherent gaps in computation. Those gaps could be filled with other users’ programs. If the switching were fast enough, each user would perceive a private machine.

CTSS: The Compatible Time-Sharing System

Corbató was born on July 1, 1926, in Oakland, California, and earned his PhD in physics from MIT in 1956. He joined MIT’s Computation Center and became deputy director in 1960, a position that put him in charge of an IBM 709 mainframe that served the entire MIT research community through batch processing.

In 1961, Corbató and his colleagues built the Compatible Time-Sharing System (CTSS) on a modified IBM 7090 and demonstrated it to an audience at MIT in November 1961. CTSS ran up to thirty-two simultaneous users on a single machine, switching between them frequently enough that each experienced interactive response. The word “compatible” referred to its ability to run existing MIT batch programs without modification.

CTSS introduced or pioneered:

  • The terminal as primary interface: users interacted through teletypes and later CRT displays, not punched card decks
  • Files stored on disk between sessions: a user’s work persisted without requiring them to carry card decks
  • The command-line interface: users typed commands and received responses in text
  • The computer password: Corbató introduced passwords for CTSS to give each user a private file space — the first use of passwords for computer access security
  • Electronic mail: CTSS users exchanged messages through shared files, an early precursor to email

The password invention is illustrative of how CTSS changed computing’s social structure. In batch processing, files were physically controlled by operators; privacy was physical. In time-sharing, multiple users shared a single machine simultaneously and needed software enforcement of private file spaces. The password was the solution — and it has remained the dominant authentication mechanism for sixty years, with all the problems that implies.

Multics: The Grand Design

CTSS was a prototype, not a production system. Corbató’s ambition was a much larger vision: a computing utility, available to users like electricity from a power grid, with unlimited storage, high availability, and support for hundreds of simultaneous users.

In 1964, MIT joined with Bell Labs and General Electric to build Multics (Multiplexed Information and Computing Service). The project was funded by ARPA and aimed to produce, within a few years, an operating system that would define computing for the following decades.

Multics pioneered concepts that are now fundamental:

  • Hierarchical file system: directories containing files and other directories, with path names — the structure used by every modern operating system
  • Virtual memory: the illusion of a large address space backed by physical memory plus disk, managed by the OS; programs could use more memory than physically existed
  • Segmented addressing: programs addressed memory as named segments rather than linear arrays, enabling sophisticated sharing between programs
  • Protection rings: multiple privilege levels (rings 0 through 7) that enforced security boundaries between system components — the predecessor of the kernel/user mode distinction in modern OSes
  • Dynamic linking: programs could share library code that was loaded and linked at runtime rather than compiled into each executable
  • Online reconfiguration: the system could be updated and reconfigured without shutdown
  • Mandatory access controls: formal security policies enforcing who could access what, decades before security became a commercial concern

The conceptual richness of Multics was matched by its practical difficulty. The system was written in PL/I, a language designed for both systems and application programming that proved awkward for both. The GE hardware (the GE-645) was expensive and slow. Multics required 4 megabytes of memory at a time when memory cost roughly $1 per bit. The system that was supposed to be running experimentally within two years was not operational until 1969 — five years late.

Bell Labs withdrew from the project in 1969, frustrated by the delays and complexity. Among the Bell Labs researchers who left was Ken Thompson, who responded to Multics’s excess by writing something radically simpler — Unix — on a discarded PDP-7 in a storage room. Unix’s design philosophy explicitly inverted Multics’s: do one thing simply rather than many things elaborately. Unix is covered in the article Ken Thompson and Unix.

Warning

Multics was not a failure in the technical sense — the final system worked, and worked well. MIT ran Multics until 1988; the last commercial Multics installation (Bull HN Information Systems in Phoenix) ran until October 30, 2000. The system demonstrated that its architectural innovations were correct: modern operating systems use virtual memory, hierarchical file systems, protection rings, and dynamic linking because Multics proved these concepts were correct. The failure was commercial and temporal: the system was too expensive and too late to dominate the market it was designed for.

Password Problems: A 2014 Regret

In a 2014 interview with the Wall Street Journal, Corbató reflected on the password — the practical necessity that he had invented for CTSS in 1961:

“Unfortunately, it’s become kind of a nightmare with the World Wide Web. I don’t think anybody can possibly remember all the passwords that are issued or set up. That leaves people to use trigger words, which is a very large security problem.”

The man who invented the password recognized that he had inadvertently created a security architecture that would not scale. The proliferation of systems requiring passwords — hundreds per user, each with different requirements, each expiring on its own schedule — had broken the model by overwhelming human memory. The acknowledgment was honest and melancholy: a sixty-year-old solution had aged into a liability, and no adequate replacement had arrived.

Turing Award and Final Years

Corbató received the ACM Turing Award in 1990 for “pioneering work organizing the principles and practical implementation of large-scale, time-shared computer systems.” The award came thirty years after CTSS because it took approximately that long for the computing community to understand that time-sharing had not merely been a scheduling technique but a fundamental reconception of what a computer was — not a calculating machine operated by specialists but an interactive tool for everyone.

Fernando Corbató died on July 12, 2019, at age ninety-three. In his final years, Multics’s security innovations had become newly relevant: as ransomware, data breaches, and nation-state attacks became commonplace, the formal security models that Multics had implemented in the 1960s — mandatory access controls, protection rings, privilege separation — were recognized as having been architecturally correct fifty years before the threat models that made them necessary arrived.
