[TUHS] The evolution of Unix facilities and architecture

William Pechter pechter at gmail.com
Sun May 14 03:19:42 AEST 2017 

Clem Cole wrote:
>
> On Sat, May 13, 2017 at 11:25 AM, Steve Simon <steve at quintile.net 
> <mailto:steve at quintile.net>> wrote:
>
>     hi,
>
>     this is (IMHO) a rather subtle bug,
>     the ones i remember where rather simpler. is it ok to discuss
>     ancient security holes or is that still bad manners?
>
> ​Speaking for myself.....   I clearly don't think it is bad manners​ 
> as this stage - I brought it up!E
> It was a different time when that occurred.  Today, I think /the 
> general security community**/ pretty lives by the rules of if you find 
> something, notify the folks that fix it as quickly as possible and try 
> to get a patch out and figure out how to get that patch out.   Then 
> make damned sure the whole is well documented and published so: a) do 
> we can test for it in the wild, b) make sure it does not happen again.
>
> It actually has always impressed me at how good UNIX was (is) when you 
> really get down to it.  IMHO, was less the 'thousand eyeballs'' and 
> more the 'eye balls that all of cared, could do something about it and 
> most importantly actually understood' the 'calculus' of the different 
> problems were want made UNIX secure and as good if not better than 
> many 'commercial' systems than its contemporaries. /i.e./ the UNIX 
> schemes used sensible  human based security 
> processes/mechanisms combined with basic math & physics ( technology 
> if you will) - as the higher order bits, not being secret or obscure 
> to protect.
>
The problem is once you got past "One true Unix" you were left hoping 
the vendor fixed their bugs.
I saw somethings on Solaris and HPUX which were pretty much as bad as 
Windows.

The thing about Research Unix was that the underlying security structure 
was well designed.
VMS wasn't too bad either.  The problem was the stuff layered on it.

When VMS went to 3.6 or so a friend of mine was almost fired by DEC for 
randomly testing boxes looking
to see DEC's internal boxes weren't running System/Manager, 
Field/Service and UETP/UETP User/password
combinations.  DEC had just implemented new security features and alerts 
and Mitnick had just recently
penetrated them (IIRC).  Next thing you know corporate security was all 
over my buddy who was just killing
time on night shift  temporarily covering someone's vacation time.

It was interesting to see the SysV security enhanced Unix from AT&T at 
Pyramid -- who was migrating to
SVR4 from their BSD/SysV hybrid.  ACL's, split root/system and security 
mgr stuff which had been added
to get VMS to C and B2...  Some of these things had me wondering if any 
commercial sites would implement
two sign-ins to authorize special root-type actions on an os.

| Were there mistakes, yup.   But frankly, VMS had as many if not more 
and some of them were far, far worse.   IBM's OS were considered good, 
but their were documented exploits in the news there too.

The loginout.exe one was bad.  Were there any structural ones past v3.6?
>
> Clem
>
>
> ** I note 'security community' because not all firm buy into this 
> behavior.   I speak for myself.   In the last few weeks my own 
> employer (Intel) recent has been mixed up in a bit over played issue 
> with server chips sets, AMT and Winders [its not my area/group etc but 
> as I under the issue, the bug does not seem to effect UNIX flavors nor 
> systems that do not use AMT - which is a server thingy].   Some 
> outside of Intel people are have complained that folks that own the 
> bug @ my employer has been less that forth coming.   I'll not defend 
> nor comment because it's not mine to comment on, other than to state I 
> personally take an attitude of trying to say a much as I can and when 
> I am in a position for my job I will and do.
>
Actually... I'd think AMT is an automated remote IT  Management thing 
rather than a server thing,
since it exists on all the business Thinkpads from my T61's Core 2's up 
to the T420 i5.  They couldn't
be considered servers except they do support Samba and NFS and ssh. They 
also dual boot which
is a major part of the risk.

Sorry for the pedantic add... but I just remediated my 5 laptops for 
crap that should've been fixed with
new vendor software -- but they can't be bothered.




-- 
Digital had it then.  Don't you wish you could buy it now!
pechter-at-gmail.com  http://xkcd.com/705/

More information about the TUHS mailing list