Tue, 10 Mar 1992 14:57:39 +0100
On Tue, 10 Mar 1992 07:26:51 EST Jim Gerland - User Support Services
<GERLAND@UBVM> said:
>I think it's time to re-think the 'NAD' only idea. Since most of those
>files require some advanced privilege, what is the concern?
A long time ago, I wrote a program called ACCESS0 to access mode A0 files
on a R/O disk. The purpose was to make backups and examine the disks of
service machines which use A0 files to store status information. I made
this file available, and about 1 month later, a paper letter from the
director of one of the largest computing centres in the country landed on
the desk of the director of my computing centre that basically said I was
a dangerous criminal helping hackers to crack systems (in nicer words). I
assume students retrieved the program and used it to access sensitive
data (such as leftover DIRECT files from DIRMAINT on an administrator's
191) that the local systems people, in their incompetence, had thought to
be protected by the A0 mode in spite of READ=ALL.
Given that the exposure had always been there, and is documented by IBM,
one would have expected a different reaction. But human nature being what
it is, a confession of incompetence and carelessness is always hard to
swallow, whereas blaming someone for involuntarily helping malicious
people is very easy and makes all the people involved (locally) feel
good. From the point of view of "human resources management", I guess it
is a good thing: local staff is happy to escape unblamed but feels a bit
guilty and will be very careful, knowing that "next time" they *would* be
blamed, and the reputation of the computing centre is unblemished - they
are the unfortunate victims.
Eric