by nickpsecurity 3425 days ago
It's true in CompSci but not in popular INFOSEC. Most of them cite Thompson as the original, definitive work, as he likely intended when not giving Karger credit in the first paper. The people discussing these things also don't know about all the attacks and solutions Karger found. If you need evidence, just compare most security-oriented VMMs to Karger's for VAX. It's like nothing got passed down. They even rediscovered covert channels in cloud VMMs around 2010 or whatever. So, I keep referencing him on topics like these.

"Oh, and thanks for the citation about my paper on SCM security!"

You earned it. :) One thing I am still curious about was who originated the high-security techniques for SCM. Back in Karger's day, they just put it in safes on paper. I'm wondering who did the fundamental stuff on making it electronic and secure, though. Figure it's in your collection but asking in case you know off hand.


I don't think Ken Thompson meant to omit the names of Paul Karger and Roger Schell. At the time it was often extremely difficult to find a paper unless you already knew where it was. Whereas today you can do a search and instantly find it and read it: "Multics Security Evaluation: Vulnerability Analysis" by Paul A. Karger and Roger R. Schell, June 1974, http://seclab.cs.ucdavis.edu/projects/history/papers/karg74....

I've had trouble finding some of the earlier work on high-security SCM; I do reference what I found. If you find something important I'm missing, send me an email: https://www.dwheeler.com/contactme.html

The paper from the NPS in 2002 referenced the Air Force as the inventors of configuration management. As military, they might have had security implications in it. Found some pay dirt.

http://www.dtic.mil/dtic/tr/fulltext/u2/650214.pdf

https://www.computer.org/csdl/proceedings/afips/1967/5069/00...

The first is a retrospective on the original document. It referenced accounting procedures for the artifacts. Makes sense they'd look at it from an accounting standpoint, as that's what they did with other things. The Ware Report did that, too, for early INFOSEC. Lacking details from the manual, I found a follow-up in 1967 that describes key details on p. 4 under procedural data, especially concerning changes. Sounds like an early form of SCM security. I'll have to try to find the computerized one later on, as I have a feeling it independently happened in mainframes or minicomputers outside the INFOSEC field.

Btw, your link to Zeigenhagen was dead when I tried it. DTIC to the rescue:

http://www.dtic.mil/dtic/tr/fulltext/u2/a417577.pdf

To be fair to Ken Thompson, he did ask for a better citation and used the new citation in later versions.

Here's the quote from "Thirty Years Later: Lessons from the Multics Security Evaluation": "This suggestion proved an inspiration to Ken Thompson who actually implemented the self-inserting compiler trap door into an early version of UNIX. Thompson described his trap door in his 1984 Turing Award paper [40], and attributed the idea to an “unknown Air Force document,” and he asked for a better citation. The document in question is in fact the Multics Security Evaluation report, and we gave a new copy of the report to Thompson after his paper was published. Thompson has corrected his citation in a reprint of the paper [39]."

I didn't know he asked for a better citation. I failed to spot that reading it originally. My mistake. I'll stop making that claim. I might still reference Karger in these discussions even if the lack of credit was accidental, as Karger's work deserves more recognition outside academia and actually teaches solutions to a crap-load of problems (including this one, partly).

One more on Thompson. What got me suspicious about him was that he had a famous work before that was also done by someone else. The other was much of the C language: its bare-metal nature, few keywords, and so-called "C philosophy" of the programmer being in control. The original publications that got acclaim didn't cite the BCPL author, Martin Richards, at all, despite him inventing and implementing all those concepts. They were in fact the BCPL philosophy originally, with the same semantics. Instead, they just cited the B language, as if they did it all on their own in isolation, with history crediting the victor that way. Publications that came a while after that started referencing BCPL.

Got that from the talk below, which is great for tracing the history of C from the CPL project to BCPL to C to its C++ influence.

https://vimeo.com/132192250

Really gives the big picture of why Martin and others would do such languages with the constraints they were operating in. For this discussion, Martin Richards lays the foundation for C-like languages, with all the key features and philosophy of C, at the 19:40 mark. Illustration of potential plagiarism of C from Richards' work at 23:17-27:30. Looks a lot like cases of plagiarism I've seen in academia, but I'm curious about your opinion as you're much more experienced in the academic field. Would you think it was plagiarism if you came across both works simultaneously, seeing that the one that came later, without references, was making waves?