funsec mailing list archives

Re: Hey old people


From: Tom Van Vleck <thvv () multicians org>
Date: Thu, 22 Dec 2005 17:49:55 -0500

I'm seriously considering tracking some people down for interviews at some point, any idea if they are still around and locatable? I'll be taking a hard look at the multicians for some of this.

One of the best people to interview about this would be Professor Jerry Saltzer of MIT. He's retired but still active at MIT, and can be mailed via the form on multicians.org. Saltzer was in charge of the "vulnerabilities list" during the CTSS/Multics days at Project MAC.

Peter Neumann is another wonderful resource. Read his books and papers first, and then you will be able to interview him sensibly.
  http://www.csl.sri.com/users/neumann

So I don't think a system with no memory protection would qualify in this instance. Not that I still wouldn't love details.

So since MSDOS and MacOS did not use memory protection until the 90s, no vulnerabilities relating to them count. Or, since they ran on hardware which supported memory protection, but didn't use it, were MSDOS and MacOS the vulnerabilities? I always said that the Apple and PC operating system people who created unprotected operating systems should be held responsible for all the trouble users faced. It's not as if protecting the system was a new idea. CTSS did it in the 60s.

I *think* this means that for this definition, the earliest possible is early '60s?

yup

A little later, there was a documented bug in CTSS where programs
that increased their memory allocation size would get non-zeroed core.
So a programmer in the system group wrote a little program to start
small, get big, scan its new memory for passwords.  Quickly got root,
that is, Dick Mills's password.  This would be 1965 or so.

I've known that one as folklore for a long time. (It's older than my personal experience, I was born in 1969.) That's one I'm looking for documentation on. In the '72 paper, that (class of) bug is already treated as an old-time bug.

I will write the person I think did this and ask him his recollections.

You folks have looked at Donn Parker's book, right, and you are looking
for things earlier than his earliest?

I don't think so, I think we're a bunch of newbs approaching this from a position of ignorance. That's the case for myself, anyway. I see Amazon knows of lots of books by him. Is it one of these?

I think Computer abuse assessment 1975 is the one you want. He did a voluminous report, interviewing people about computer abuses, in the early 70s and onward, while he was at SRI. I remember visiting him in 1974 and supplying first-hand details of some computer break-ins. I think that many of the early ones in his book are what you want, and he did a lot of urban-legend-shooting even back then.



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

