LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

Eric Thomas <[log in to unmask]>
Tue, 10 Mar 1992 14:57:39 +0100
On Tue, 10 Mar 1992 07:26:51 EST Jim Gerland - User Support Services
<GERLAND@UBVM> said:
 
>I think it's  time to re-think the  'NAD' only idea. Since  most of those
>files require some advanced privilege, what is the concern?
 
A long time ago, I wrote a program called ACCESS0 to access mode A0 files
on a R/O disk.  The purpose was to make backups and  examine the disks of
service machines which  use A0 files to store status  information. I made
this file  available, and about  1 month later,  a paper letter  from the
director of one of the largest computing centres in the country landed on
the desk of the director of my computing centre that basically said I was
a dangerous criminal helping hackers to crack systems (in nicer words). I
assume students  retrieved the  program and used  it to  access sensitive
data (such as  leftover DIRECT files from DIRMAINT  on an administrator's
191) that the local systems people, in their incompetence, had thought to
be protected by the A0 mode in spite of READ=ALL.
 
Given that the exposure had always  been there, and is documented by IBM,
one would have expected a different reaction. But human nature being what
it is,  a confession of incompetence  and carelessness is always  hard to
swallow,  whereas blaming  someone  for  involuntarily helping  malicious
people is  very easy  and makes  all the  people involved  (locally) feel
good. From the point of view  of "human resources management", I guess it
is a good thing: local staff is  happy to escape unblamed but feels a bit
guilty and will be very careful, knowing that "next time" they *would* be
blamed, and the reputation of the  computing centre is unblemished - they
are the unfortunate victims.
 
  Eric
