On Sat, May 13, 2017 at 11:25 AM, Steve Simon <steve(a)quintile.net> wrote:
hi,
this is (IMHO) a rather subtle bug,
the ones I remember were rather simpler. is it ok to discuss ancient
security holes or is that still bad manners?
Speaking for myself..... I clearly don't think it is bad manners at
this stage - I brought it up!
It was a different time when that occurred. Today, I think *the general
security community*** pretty much lives by the rule of: if you find something,
notify the folks that fix it as quickly as possible, try to get a patch
out and figure out how to get that patch out. Then make damned sure the
hole is well documented and published so that: a) we can test for it in the
wild, b) make sure it does not happen again.
It actually has always impressed me how good UNIX was (is) when you
really get down to it. IMHO, it was less the 'thousand eyeballs' and more
the 'eyeballs that all cared, could do something about it and most
importantly actually understood' the 'calculus' of the different problems
that were what made UNIX secure and as good as if not better than many 'commercial'
systems among its contemporaries. *i.e.* the UNIX schemes used sensible
human-based security processes/mechanisms combined with basic math &
physics (technology if you will) as the higher order bits, not being
secret or obscure to protect.
Were there mistakes? Yup. But frankly, VMS had as many if not more and
some of them were far, far worse. IBM's OSes were considered good, but
there were documented exploits in the news there too.
Clem
** I note 'security community' because not all firms buy into this behavior.
I speak for myself. In the last few weeks my own employer (Intel)
recently has been mixed up in a bit of an overplayed issue with server chipsets,
AMT and Winders [it's not my area/group etc. but as I understand the issue, the
bug does not seem to affect UNIX flavors nor systems that do not use AMT -
which is a server thingy]. Some people outside of Intel have
complained that the folks that own the bug @ my employer have been less than
forthcoming. I'll not defend nor comment because it's not mine to
comment on, other than to state I personally take an attitude of trying to
say as much as I can, and when I am in a position for my job I will and do.