[Info-vax] Have the NSA planted backdoors in VMS ?
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Jan 8 17:09:40 EST 2018
On 2018-01-08, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
> On 2018-01-08 16:03:20 +0000, dgordonatvsi at gmail.com said:
>
>> Please recalibrate your tinfoil hat.
>
> Do I think that's what happened here? No. Why would an agency
> deliberately introduce intentional vulnerabilities before the
> incidental and accidental vulnerabilities become more difficult to
> locate? I'd expect attackers have already looked for existing holes
> too, and this particular hole is a local privilege escalation and not a
> rather more desirable remote command execution (RCE) flaw. As an
> attacker intent on invoking clandestine means to gain access, I'd also
> want something that led to an RCE, if I was going to go to the effort
> involved.
>
Today that would be true, but this vulnerability was introduced in the
middle 1980s. At that time, many systems were standalone systems with
networking being a (very) optional extra.
Many non-privileged interactive users would be using these systems as
well. In that environment, a known interactive privilege escalation
method would be a very valuable thing to have.
I wonder if SEVMS had the same vulnerability as well ?
BTW, let's assume that this was an accident and not a deliberate
backdoor. That means the next question is: did the NSA find out
about this during their normal evaluation of systems and then
decide not to tell DEC about it ?
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
More information about the Info-vax
mailing list