On Sat, May 13, 2017 at 11:25 AM, Steve Simon <steve@quintile.net> wrote:
hi,

this is (IMHO) a rather subtle bug,
the ones i remember were rather simpler. is it ok to discuss ancient security holes or is that still bad manners?
Speaking for myself.....   I clearly don't think it is bad manners at this stage - I brought it up!
It was a different time when that occurred.  Today, I think the general security community** pretty much lives by the rule of: if you find something, notify the folks that fix it as quickly as possible, try to get a patch out, and figure out how to get that patch out.   Then make damned sure the hole is well documented and published so: a) we can test for it in the wild, b) make sure it does not happen again.

It actually has always impressed me how good UNIX was (is) when you really get down to it.  IMHO, it was less the 'thousand eyeballs' and more the 'eyeballs that all cared, could do something about it and, most importantly, actually understood the calculus of the different problems' that made UNIX secure and as good if not better than many 'commercial' systems among its contemporaries.  i.e. the UNIX schemes used sensible human-based security processes/mechanisms combined with basic math & physics (technology if you will) as the higher-order bits, not being secret or obscure to protect. 

Were there mistakes? Yup.   But frankly, VMS had as many if not more, and some of them were far, far worse.   IBM's OSes were considered good, but there were documented exploits in the news there too. 

Clem


** I note 'security community' because not all firms buy into this behavior.   I speak for myself.   In the last few weeks my own employer (Intel) has recently been mixed up in a bit of an overplayed issue with server chipsets, AMT and Winders [it's not my area/group etc., but as I understand the issue, the bug does not seem to affect UNIX flavors nor systems that do not use AMT - which is a server thingy].   Some people outside of Intel have complained that the folks that own the bug @ my employer have been less than forthcoming.   I'll not defend nor comment because it's not mine to comment on, other than to state I personally take an attitude of trying to say as much as I can, and when I am in a position for my job I will and do.