According to [1], the original Multics trap door that Thompson cites as his inspiration was distributed, to an Air force installation no less.
Tangentially, I'm more fascinated by the fact that Paul Karger, the lead author on [1], was a principal on a Class A1 secure hypervisor for the VAX, which DEC essentially finished, but cancelled in 1991. [2]
Thanks for this - I'm reading the Multics retrospective - do you know of a follow up work? I'd be very interested to see a detailed account as to why some of these features never got implemented.
The paper kind of just leaves it at:
With the growth of individual workstations and personal computers, developers concluded (incorrectly) that security
was not as important on minicomputers or single-user
computers.
I don't know of any explicit follow up, but there is a ton of interesting info at multicians.org.
I think that, for multi-million dollar mainframe timesharing systems, it was easier to make the cost argument for good security, since the customer would pay for it so that they could spread out the cost of the machine on many users, between whom there was no trust.
But once you got $100k minis and $10k single user micros, why not just buy a second machine?
Of course, things turned out a little bit differently, but from a time before the ubiquitous internet, I can see it making sense to many people.
It's amazing how much more diverse the hardware/OS ecosystem was in say 1985 than it is now. A lot of good stuff has happened since then, but I think a lot of good ideas got lost, or at least are waiting to be dug up again.
John Gilmore(https://en.wikipedia.org/wiki/John_Gilmore_%28activist%29) has related to me that the doored version was distributed and persisted in the ATT production environment for several months before someone noticed the unexpected debug symbols which were left in to aid discovery.
