funsec mailing list archives
Re: Hey old people
From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 22 Dec 2005 13:35:43 -0800
Tom Van Vleck wrote:
Wow. Bob Fiske was one of my room mates freshman year at MIT (1961). And another friend of mine dated Goheen.
I'm seriously considering tracking some people down for interviews at some point, any idea if they are still around and locatable? I'll be taking a hard look at the multicians for some of this.
These are not nearly old enough though. But one gets into the question of the definition of vulnerability. e.g. it was well known that one could disable the 7094 FMS supervisor's job time limit counter and accounting by storing zero in a certain location in core. (No, I'm not going to say which one on an open channel.) That was a vulnerability in a system with no memory protection where only one job was running at a time, circa 1962.
I've had some private conversations with the osvdb guys, and I think we have semi-agreed that we're looking for a documented privilege escalation or bypass bug, and an OS/hardware combination with some protection mechanism, probably a supervisor mode at least. I suspect for this exercise, they would exclude things like a crypto crack. Original link for those that missed it:
http://www.osvdb.org/blog/?p=77
So I don't think a system with no memory protection would qualify in this instance. Not that I still wouldn't love details.
I *think* this means that for this definition, the earliest possible is early '60s?
A little later, there was a documented bug in CTSS where programs that increased their memory allocation size would get non-zeroed core. So a programmer in the system group wrote a little program to start small, get big, scan its new memory for passwords. Quickly got root, that is, Dick Mills's password. This would be 1965 or so.
I've known that one as folklore for a long time. (It's older than my personal experience, I was born in 1969.) That's one I'm looking for documentation on. In the '72 paper, that (class of) bug is already treated as an old-time bug.
You folks have looked at Donn Parker's book, right, and you are looking for things earlier than his earliest?
I don't think so, I think we're a bunch of newbs approaching this from a position of ignorance. That's the case for myself, anyway. I see Amazon knows of lots of books by him. Is it one of these?
Crime by computer 1976
Manager's Guide to Computer Security (Paperback) 1983
Computer abuse perpetrators and vulnerabilities of computer systems 1975
Computer abuse assessment 1975
(The list goes on, he's done quite a few)
BB
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.