
Conference 7.286::digital

Title: The Digital way of working
Moderator: QUARK::LIONELON
Created: Fri Feb 14 1986
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 5321
Total number of notes: 139771

593.0. "Privacy: what files can I read?" by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Fri Aug 12 1988 15:36

    I've copied the notes in .1 from the Tamara::War_Story conference to
    here because it seems like the topic of "What files on what systems are
    reasonable to look at?" is more appropriately discussed here. 
    
    The opinions in the next notes range from, "It's snooping and don't do
    it on my system," to "Window shopping is OK." 
T.R  Title  User  Personal Name  Date  Lines
593.1. "copied from War_Story" by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Fri Aug 12 1988 15:37, 216 lines
                 <<< TAMARA::SYS$VTX:[NOTES]WAR_STORY.NOTE;1 >>>
                          -<  Computer War Stories  >-
================================================================================
Note 187.0                    Hogging a VAXcluster.                   12 replies
KBOMFG::POST "Veni Vedi Vinci"                       31 lines  10-AUG-1988 13:59
--------------------------------------------------------------------------------

Was at home one day, and was enjoying a round of LEGAL computer hacking
on our network. Going over to other systems on the network and looking
at the files in search of some nifty command procedures and stumbled 
across something that looked just wonderful. The .com file was situated
in Colorado. After looking at the file, I was intrigued to run it and
see what happened.

My terminal froze and absolutely no inputs could be made via the
keyboard. Ctrl-Y, Ctrl-C, Ctrl-X, Ctrl-Z, <ESC>, <Enter> and break.
Nothing worked. I went to the set-up and hit CLEAR COMM, RESET TERM,
CLEAR SCREEN and still no response.

Finally I got tired of diddling around and simply unplugged the modem.
Brutal, but it worked. I then logged in again, and was told that I
had one disconnected session. I reconnected but again my terminal froze.
Knowing what to do, I quickly unplugged the modem again and then 
logged in again. This time I did not reconnect to the session, but
opened a new one. 

Finally could get back to interesting stuff. After my eyelids were almost
down to my chin, I logged off. The next day in the office, the system
manager called and said that I had a number of disconnected processes
that had been hogging the CPU-power of a VAXcluster consisting of 8
processors.

I quickly explained that something went strange while working at home
and asked him to kill all my sessions.

Whew ...


================================================================================
Note 187.1                    Hogging a VAXcluster.                      1 of 12
QUARK::LIONEL "May you live in interesting times"     6 lines  10-AUG-1988 17:45
                             -< Don't be a snoop >-
--------------------------------------------------------------------------------

    I would argue that what you were doing was "legal".  It certainly
    wasn't ethical, any more than rummaging around in someone's office
    to see if there was anything "nifty" would be.  You try that on
    my system and you'll likely hear from Corporate Security.
    
    				Steve
================================================================================
Note 187.2                    Hogging a VAXcluster.                      2 of 12
EAGLE1::EGGERS "Tom, 293-5358, VAX Architecture"      3 lines  11-AUG-1988 01:11
--------------------------------------------------------------------------------

    There is a difference between public files and private files.
    Are there objections to someone normally external to a cluster
    looking at the cluster's public files?
================================================================================
Note 187.3                    Hogging a VAXcluster.                      3 of 12
BUNYIP::QUODLING "Anything! Just play it loud!"       4 lines  11-AUG-1988 03:21
--------------------------------------------------------------------------------

        And who decides what is public and what is private...
        
        q
        
================================================================================
Note 187.4                    Hogging a VAXcluster.                      4 of 12
CHEFS::HASTONM "Asked for Water..got gasoline"        4 lines  11-AUG-1988 08:42
--------------------------------------------------------------------------------

    
    Whoever sets protection (W:RW) I guess.
    
    Mark
================================================================================
Note 187.5                    Hogging a VAXcluster.                      5 of 12
COGMK::MURPHY "QUICK, GOOD, CHEAP; pick two & call m" 6 lines  11-AUG-1988 09:03
                           -< Is it really ethical? >-
--------------------------------------------------------------------------------

    I resent the use of the word "hacking" used in this topic (as most
    of the press seems to like to use that term).  Better terms might
    be snooping or skulking around.
    
    -skip
    
================================================================================
Note 187.6                    Hogging a VAXcluster.                      6 of 12
SNDCSL::SMITH "Macrotechnology!"                      8 lines  11-AUG-1988 12:54
                 -< Someone is going to resent your use of... >-
--------------------------------------------------------------------------------

    Watch out for the use of the term "skulking".  DNS, the Distributed
    Name Server, which is soon to become ubiquitous on the ENET, uses
    a process called skulking to keep its distributed database current.
    
    Don't ask me, I dunno how skulking works, just what it does (sort
    of).  Anyone want to explain the algorithm?
    
    Willie
================================================================================
Note 187.7                    Hogging a VAXcluster.                      7 of 12
QUARK::LIONEL "May you live in interesting times"     9 lines  11-AUG-1988 18:08
--------------------------------------------------------------------------------

    I consider it fair game to look at files that have been explicitly
    declared available to the network, such as network kits.  I consider
    it snooping to do a DIR node::SYS$GAMES:, etc., as people try on
    my system every once in a while.  What .0 describes is clearly
    snooping.
    
    And no, I don't consider it ok even if the files have W:R access...
    
    				Steve
================================================================================
Note 187.8                    Hogging a VAXcluster.                      8 of 12
EAGLE1::EGGERS "Tom, 293-5358, VAX Architecture"     18 lines  12-AUG-1988 02:43
                              -< today's mores? >-
--------------------------------------------------------------------------------

    Hmmmmmmmmmmm. Perhaps my 20-year familiarity with TOPS-10 and TOPS-20
    is showing. I regard anything with a low protection in a TOPS-10-style
    SYSTEM directory as perfectly reasonable for anybody to look at or to
    copy if they feel like it. Also, anything in my personal files that are
    W:R are fair game as well. Since w:r isn't the default, it means I had
    to do some work to give a file that protection, and it can only mean
    I'm willing for anyone to read it. 
    
    I no longer entertain myself by looking around various systems, but
    long ago when I did do it, I never considered it snooping. It was
    window shopping. And I know many others did it as well.
    
    Have times changed? Have security issues changed perceptions of
    reasonable behavior? Was I out of line when I did it? 
    
    What are other people's opinions for today on somebody "just looking
    around to see what might be interesting." Let's assume they stay out of
    obviously private directories and don't attempt to break any security. 
================================================================================
Note 187.9                    Hogging a VAXcluster.                      9 of 12
STAR::ROBERT                                         21 lines  12-AUG-1988 05:51
--------------------------------------------------------------------------------

I think times have changed.  w:r is simply a physical level of security,
not an intent to publish.  It's not that different from a printout lying
in the computer room --- it has an owner and is presumed private, despite
its low level of physical security.

But things were different years ago.

I'd say unless you're invited, that SYS$PUBLIC and perhaps NOTES$LIBRARY
are the only legitimate targets for snooping, and, to tell the truth, I
feel uncomfortable even doing that.

Seems to me I recollect that some P & P level memo said that your
personal directories were, in effect, an extension of your office.

Oddly, despite Steve's note, I'd say that SYS$GAMES comes close to being
a public invitation as well.  Almost like putting candy out for public
consumption.

- greg

ps: is this digital.note?  let's get back to the good stories
================================================================================
Note 187.10                   Hogging a VAXcluster.                     10 of 12
BEING::POSTPISCHIL "Always mount a scratch monkey."  19 lines  12-AUG-1988 08:33
--------------------------------------------------------------------------------

    Re .7, .9:
    
    "W:R" does not mean anybody can look at it?  What do you think "W"
    stands for?  "Site"?  "Friends"?  "Only those who I want"?  No, "W"
    stands for "World", as in "the whole entire planet; anybody on Earth".
    When somebody from Mars reads a file with only World access, then you
    will have grounds for complaint.
    
    W:R is not simply a physical level of security.  The code in the VMS
    system is the security; W:R is a purposeful turning off that security.
    It is different from a print-out lying in a computer room.  It is more
    like a print-out which has been taped in an open position in a computer
    room which has been purposely unlocked and the door opened wide.
    
    The English translation of "SET FILE/PROTECTION=(WORLD:R) xxx" is "Let
    anybody in the world read xxx".
    
    
    				-- edp 
================================================================================
Note 187.11                   Hogging a VAXcluster.                     11 of 12
COMICS::DEMORGAN "Richard De Morgan, UK CSC"          8 lines  12-AUG-1988 10:07
                               -< What office?? >-
--------------------------------------------------------------------------------

    Re .8: Office??? How many of us have offices? I work in a large
    noisy open plan area where I have a desk, a share in a carousel
    for my manuals, and the top of a cupboard for more personal stuff.
    I also have a half share in a filing cabinet 25' away.
    
    When I worked in Maynard (1969 - 71), I seem to remember that in
    trays were fair game, but that filing cabinets (unlocked or otherwise)
    were not. Perhaps Tom Eggers can confirm that.
================================================================================
Note 187.12*                  Hogging a VAXcluster.                     12 of 12
EAGLE1::EGGERS "Tom, 293-5358, VAX Architecture"      6 lines  12-AUG-1988 11:30
                       -< Let's move to Human::Digital >-
--------------------------------------------------------------------------------

    I'm going to copy the relevant notes on this "What files can I look at"
    topic over to Human::Digital, hit KP7 on your terminal. As per a
    previous comment, the subject really belongs over there. 
    
    Since this is an open conference, I presume I can copy the notes
    without any objections.
593.2. "Interrogation!!" by OCTAVE::ROCH Fri Aug 12 1988 16:53, 11 lines
    I did some "snooping" about 1.5 years ago on various systems on
    the network.  I never executed anything or even typed anything,
    I just did DIR's.  Well, one system manager didn't like it and he
    tracked me down....I must say, I felt like a criminal after he gave
    me the third degree!!  It was quite innocent, I was just 'window
    shopping' out of curiosity.
    
    Would I do it again?  Nope!
    
    Vicki
    
593.3. by SPGOGO::LEBLANC (Ruth E. LeBlanc) Fri Aug 12 1988 17:20, 26 lines
    From the perspective of a "non-techie", I think it's important that
    system managers and others with system privs realize that a portion
    of the subscribers probably don't even know what R:W protections
    are!  It doesn't seem right that the protections determine whether
    files can be viewed by others.  For example, if I forgot to lock
    my desk one night, I wouldn't expect someone to consider that an
    invitation to go looking through it.  Since some people don't even
    know what the protection commands are (or, in the equivalent, have
    broken/nonexistent locks on their desks), it shouldn't be assumed
    that they'd set protections for their 'private' files.
    
    Personally (and you'll probably all consider me rather ignorant
    for this) I didn't find out about file privs 'til I had been in
    DEC for about six years -- I had a need to ensure absolute protection
    of a file, went to my system manager, and found out that ALL my
    files had world read/write access as the system default!!
    
    Since I never had a need to know, I never asked, and was never told.
    I can only hope that system people weren't merrily going through
    my files for those six years on the assumption that I had invited
    them to peruse!
    
    So, please keep non-techies in mind.  There are a *few* in Digital,
    aren't there?
    
    
593.4. "what's so technical about SET PROTECTION" by VLNVAX::TSTARLING Fri Aug 12 1988 17:39, 6 lines
    From a different perspective, I don't think one should need to be
    a "techie" to understand commands and utilities available to ALL
    system users.  I never ceased to be amazed at the number of employees
    of a computer company that know so little about how to use the
    machines on, under, or at the end of the wire leading from their
    desks.
593.5. "A techie's opinion" by STAR::BOUCHARD (Gaye Bykers on Acid) Fri Aug 12 1988 20:54, 13 lines
    re: .3
    
    "non-techies" using systems attached to Digital's network should
    have defaults set up by their system management to ensure the proper
    protection of their files.  One does not need to be a "techie" to
    work with proprietary information, obviously!
    
    That said, and speaking as a Techie, file protections and ACLs are
    what tell me if I have the right to access a file.  If a file is
    "W:R" on a system permitting DECNET access, and that file should
    not be accessed by J. Random Employee, then the fault lies with the
    owner of the file or the people who manage the system hosting the
    file.
593.6. "new note for rathole" by CVG::THOMPSON (Basically a Happy Camper) Fri Aug 12 1988 21:03, 4 lines
    New topic for non-techies on the net at topic 594. Leave this
    one for "What files can I read". OK? Thanks.
    
    		Alfred
593.7. "Protection is available - use it" by STOAT::BARKER (Jeremy Barker - NAC Europe - REO2-G/K3) Fri Aug 12 1988 23:43, 10 lines
If you don't want the file read you protect it appropriately.  If you leave
a file anywhere with W:R access then expect it to be read and don't
complain if someone does read it. 

My solution is to set the directories to W:E.  That way you need to know 
the name of the file to access it.

Lock it or lose it.

jb
593.8. by BUNYIP::QUODLING (Anything! Just play it loud!) Sat Aug 13 1988 00:08, 10 lines
        re .7 et al
        
        VMS, should have by default, better and easier to use Security
        Auditing.
        
        I have seen some software from a company called Cubic Systems
        which does this admirably.
        
        q
        
593.9. "Strong nay; W:R .ne. right-to-read" by STAR::ROBERT Sat Aug 13 1988 16:37, 58 lines
I take exception to suggesting that non-techies go to the other note.
Ruth's comments were entirely proper and quite germane to the subject.
The _majority_ of our employees are non-technical, and if this conference
is to live up to its name, their opinions are extremely relevant to
most topics herein.

Also I strongly disagree that file protections equate to "rights".
This is a tradition of computers and DEC that was probably ill-
conceived to begin with.

To restate the analogies:

	An unlocked house does not grant right of access
	An unsecured printout in a computer room does not grant right of access
	An unlocked file cabinet does grant right of access
	An unlocked file or directory does not grant right of access

Where "right of access" refers to human concepts, not computer concepts
(since we use that terminology within our software to mean physical
ability to read as contrasted with authorized right to read).

I think perhaps we already have prior policy on this.  Wasn't it made clear
in some P&P level memos or policies a while back that a person's files
on a computer system have exactly (or at least very similar) privacy
protections as anything in your desk?  Especially mail files.  While
there should also be a policy that you should set protections appropriately,
and while a good system manager would do so, failure to "lock the door"
does not grant any rights to other employees whatsoever.

This does not mean past behavior was wrong.  I was a snooper in the
past as well, but those were more innocent days.  When mail and notes
did not even exist, the amount of personal information on our systems
was much much lower.  And an ethic of more-or-less shared data was
understandable.  Indeed, there was a time when it was even ethical
to use SYSPRV to get at protected files without permission.  Protection
was viewed more as protection against unintended or accidental deletion
than as a way of banning reading.

These somewhat contradictory statements are what I believe is true today:

	No one should ever assume that anything on a computer
	system is truly secure.  Indeed, the appearances of
	security on computers is much lower than the reality,
	except for sophisticated users that understand the
	immense number of ways that security can be incomplete,
	evaded, or penetrated.

	No one should assume they have the right to read a
	file they do not own in the absence of some reason
	to believe they can.  r:w is not such a reason.
	SYS$PUBLIC:, announced files, work-habits (our group
	has an informal practice of ...), may be such reasons.

Once granted, people _hate_ to give up freedoms.  Snooping is
one of those, but it is inconsistent with today's networked
world and, in my strong opinion, the Digital way of working.

- greg
593.10. "W:RE + Common Sense .EQS. Permission to Read" by LAIDBK::GRANT (ether surfin') Sat Aug 13 1988 19:20, 18 lines
The scenario that follows illustrates my point.

While reading the MACINTOSH notesfile I read a couple of notes
pointing to a users directory on FOO::DUA2:[BAR.MACINTOSH] as
containing a couple of specific MACINTOSH programs.  Now I
could try reading clear through the notesfile (and possibly
others) to see if the owner mentioned any other programs, but
I find it much more efficient to do a DIR FOO::DUA2:[BAR.MACINTOSH]
to see if there are any other MACINTOSH programs.

If I get a protection violation in doing the DIR, I won't proceed
further.  If, however, there are other MACINTOSH files in the
directory protected W:RE, I might download them and try them out.
I consider myself a person who tries to "do the right thing."  I
certainly would not be expecting any nasty calls from a system
manager saying I had been hacking his/her system.

	Bob
593.11. by STAR::ROBERT Sat Aug 13 1988 22:17, 11 lines
I rather agree ... I also prefer "permission to read" to "right to
read" as a more relevant phrase.

Of course, it's pretty hard to define common sense, but once invited
into a directory the situation changes significantly from random
searching.

It's obvious the spectrum is going to range widely on this; from
"absolutely not without explicit permission", to all's fair.

- greg
593.12. "Why bother snooping?" by PARROT::BAHN (The 1st 2000 lifetimes are toughest!) Sun Aug 14 1988 05:11, 15 lines
    I agree with most of what's been said above and, on a network with nearly
    2000 "public or semi-public" (announced in TLE::EASYNET_CONFERENCES) VAX
    Notes Conferences, it's difficult for me to understand why anyone would
    need/want/have the time to go "window shopping." 

    On the other hand, as a system manager, a "Cost Center" level of file
    protection would sure be nice.  Much of the stuff on my cluster should be
    available to the whole business group, but a non-trivial percentage is of
    internal interest to each of the 2 cost centers only.   It would be nice to
    be able to set a system-wide default protection that would accommodate this
    situation.  (I know there are ways to use ACPs to do this, but default file
    protections are just so straight forward.) 

    Terry

593.13. "Don't snoop here!" by MEIS::GORDON (Well... There you have it!) Sun Aug 14 1988 15:00, 17 lines
    	I have a public subdirectory of my user account in which I place
    files I want to make available to the net.  Browsing the rest of
    my user account will bring my wrath down on you real quickly.
    
    	The system has a public area from which we issue kits for our
    internal product.  Searching the rest of the system for "neat stuff"
    will bring my wrath down on you quickly.
    
    	DIR/CONF in Notes will show you the conferences available. 
    DIR NOTES$LIBRARY: will cause a security alarm and cause me to contact
    you and ask what you were up to.
    
    	If you're not invited, you're not welcome!
    
    					--Doug
    				(System Manager of 18 or so systems)
                                                                    
593.14. "Should be, RE:.13" by STAR::ROBERT Sun Aug 14 1988 17:59, 22 lines
RE: .18

Could you expand on the distinctions between DIR/CONFERENCE and
DIR NOTES$LIBRARY please?

I, for one, find DIR/CONF to be obnoxious in its display behavior,
and so sometimes use DIR NOTES$LIBRARY:*.note instead (assuming the
system has advertised at least one conference).

Seems to me that NOTES$LIBRARY is a borderline directory that has
some of the properties of SYS$PUBLIC.

By the way, I recommend against making a public directory a
subdirectory of a personal one because it confuses things.
It's awfully easy to accidentally issue a directory command
against something you think private in the process of accessing
it.  Rather like telling someone to just go into a particular
room in your house, and them taking a wrong turn.

- greg

(Note that I've taken a strong anti-snooping position).
593.15. "Warning: Notes digression" by STUD::DOTEN (This was a Pizza Hut) Sun Aug 14 1988 19:26, 15 lines
    I find it best to make NOTES$LIBRARY.DIR and the conference files
    within it owned by the NOTES$SERVER UIC and protected
    (S:RWED,O:RWED,G,W). This means that you must get at any conferences
    using Notes since there is no world access to the files. This is
    especially important on a system with restricted conferences because
    otherwise somebody can just copy the restricted conference to their
    node and read it locally.
    
    The only drawback to this is that everyone must access the conferences
    through the notes server process. Even (non-privileged) local users
    need to put the node name in their notebook entry for the local
    conferences. But I find the conferences to be better protected this
    way.
    
    -Glenn-
593.16. by BUNYIP::QUODLING (Anything! Just play it loud!) Mon Aug 15 1988 02:51, 5 lines
        This will also stop conference lock-outs from those idiots
        that still try to copy conferences...
        
        q
        
593.17. "There's another way..." by ATLAST::LAMPSON (VAX is a valuable trademark too.) Mon Aug 15 1988 04:12, 10 lines
        Re: .15
        
        	To let local users access the conference.  Leave the
        files world read-writable, but put an ACE on it saying the
        default DECNET account's UIC has no access.  Then remote users
        would need proxies to get to it (except for NOTES$SERVER).
        This is assuming, of course, that the NOTES$SERVER UIC is
        different than the DECNET account's UIC.
        
       _Mike
593.18. "In general, allow server access only" by COVERT::COVERT (John R. Covert) Mon Aug 15 1988 12:43, 6 lines
re .17

This is only reasonable if you trust all local users to never deliberately
or accidentally do something rude to a conference file.

/john
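
Added example (not part of the original thread, and not DEC's code): a simplified Python model of the VMS UIC-based protection check, applied to the settings proposed in .7, .15 and .17 and to the caveat raised in .18. The UIC values, the DECNET_DEFAULT identifier name and the G:RW field are constructed for illustration, and privileges such as BYPASS or READALL are not modelled.

```python
"""Simplified model of VMS UIC-based file protection (added illustration)."""
from dataclasses import dataclass, field

FULL = {"S": "SYSTEM", "O": "OWNER", "G": "GROUP", "W": "WORLD"}


def parse_protection(text):
    """Parse '(S:RWED,O:RWED,G,W)' into {'S': {'R','W','E','D'}, ..., 'W': set()}.

    A category listed without rights, or left out, is modelled as no access.
    """
    mask = {c: set() for c in FULL}
    for item in text.strip().strip("()").split(","):
        name, _, rights = item.strip().upper().partition(":")
        if not name:
            continue
        cat = name[0]
        valid_name = cat in FULL and FULL[cat].startswith(name)
        if not valid_name or not set(rights) <= set("RWED"):
            raise ValueError(f"bad protection field: {item!r}")
        mask[cat] = set(rights)
    return mask


@dataclass
class User:
    uic: tuple                            # (group, member), constructed values
    identifiers: frozenset = frozenset()  # rights identifiers held
    system: bool = False                  # qualifies for the SYSTEM category


@dataclass
class Obj:
    owner: tuple                          # owner UIC as (group, member)
    protection: str                       # e.g. "(S:RWED,O:RWED,G,W)"
    acl: list = field(default_factory=list)  # ordered [(identifier, rights)]


def allowed(user, obj, want):
    """True if `user` gets access type `want` ('R', 'W', 'E' or 'D') to `obj`."""
    mask = parse_protection(obj.protection)
    cats = {"W"}
    if user.uic[0] == obj.owner[0]:
        cats.add("G")
    if user.uic == obj.owner:
        cats.add("O")
    if user.system:
        cats.add("S")
    for ident, rights in obj.acl:         # the first matching ACE decides
        if ident in user.identifiers:
            if want in rights:
                return True
            cats &= {"S", "O"}            # ACL denial: only SYSTEM/OWNER fields can still grant
            break
    return any(want in mask[c] for c in cats)


def can_list(user, directory):
    """A wildcard DIR needs read access to the directory file."""
    return allowed(user, directory, "R")


def can_open_by_name(user, directory, target):
    """With only E on the directory, a file is reachable if its exact name is known."""
    lookup = allowed(user, directory, "R") or allowed(user, directory, "E")
    return lookup and allowed(user, target, "R")


# Constructed principals: the notes server, a local user, the default DECnet account.
SERVER = User(uic=(377, 1))
LOCAL = User(uic=(300, 12))
REMOTE = User(uic=(376, 376), identifiers=frozenset({"DECNET_DEFAULT"}))

# .15: conference owned by the server UIC, no group or world access.
CONF_15 = Obj(SERVER.uic, "(S:RWED,O:RWED,G,W)")
# .17: world read-write, plus an ACE giving the default DECnet account no access.
CONF_17 = Obj(SERVER.uic, "(S:RWED,O:RWED,G:RW,W:RW)", acl=[("DECNET_DEFAULT", "")])
# .7: directory set to W:E, holding one world-readable file.
DIR_7 = Obj(LOCAL.uic, "(S:RWE,O:RWE,G,W:E)")
FILE_7 = Obj(LOCAL.uic, "(S:RWED,O:RWED,G,W:R)")


def scenarios():
    return {
        ".15 local user reads conference file directly": allowed(LOCAL, CONF_15, "R"),
        ".15 server process reads conference file": allowed(SERVER, CONF_15, "R"),
        ".17 default DECnet account reads conference file": allowed(REMOTE, CONF_17, "R"),
        ".17 local user reads conference file": allowed(LOCAL, CONF_17, "R"),
        ".18 local user writes to conference file": allowed(LOCAL, CONF_17, "W"),
        ".7 remote DIR of the W:E directory": can_list(REMOTE, DIR_7),
        ".7 remote open of a known file name": can_open_by_name(REMOTE, DIR_7, FILE_7),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:50} {'allowed' if result else 'denied'}")
```

The ".18" row is the trade-off between the two proposals: the ACE keeps the default DECnet account out, but every local user keeps write access to the conference file.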
593.19. by BEING::POSTPISCHIL (Always mount a scratch monkey.) Mon Aug 15 1988 15:10, 10 lines
    Re .9:
    
    Your analogies are inappropriate.  A file which has been set to world
    access is not analogous to a mere unsecured print-out.  It is analogous
    to a print-out which has been posted on a bulletin board.
    
    People from Mars may not use World access.  Everybody on Earth can.
    
    
    				-- edp 
593.20. by STAR::ROBERT Mon Aug 15 1988 16:13, 9 lines
re: .19

It would probably be helpful to the discussion if you explained
your reasoning.  By default VMS establishes world read.  But
even if it didn't, intentionally leaving my house unlocked is
not an invitation.  Why should unlocking a file necessarily
be different?

- g
593.21. "difference is in the eye of the beholder" by VLNVAX::TSTARLING Mon Aug 15 1988 16:33, 7 lines
    I wholeheartedly agree that leaving your house unlocked is not
    an invitation for others to enter and wish we lived in a world
    where you could do so and not have to worry about it.  I think
    the reality of the situation is, though, that you would get a
    HELL of a lot of grief from your insurance company for sustained
    losses caused by a failure to lock your house (and a much less than
    enthusiastic response from police...and certainly unsympathetic).
593.22. by STAR::ROBERT Mon Aug 15 1988 16:41, 14 lines
re: .21

I FULLY agree.  That's not the point of the analogy.  It's already
been said multiple times that you _should_ lock your files.

The question is, if someone else doesn't do that do you feel that
just gave you either a right or an invitation to look at them?
Do you feel, for example, that that is equivalent to posting them
on a bulletin board in the lobby?

I assume that in the case of the analogy that you would still
prosecute someone that entered your house and took something?

- g
593.23. by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Mon Aug 15 1988 16:49, 7 lines
    I don't feel that the unlocked house is an appropriate analogy to an
    unprotected file. We all work for DEC, and DEC owns it all. A person
    who reads another's unprotected files has not broken any law.
    
    (I'm just saying I don't feel the analogy is appropriate. I am not
    implying that it is either reasonable or unreasonable to read
    unprotected files.) 
593.24. by CALLME::MR_TOPAZ Mon Aug 15 1988 17:28, 12 lines
       re .19:
       
       > People from Mars may not use World access.  Everybody on Earth
       > can.
       
       I disagree.  I know some people who live in Missouri (they have
       nothing to do with Digital) who cannot read files on my system,
       even though the files are set to World access.  On the other hand,
       I know of no one from Mars who has ever been unable to examine the
       files on CALLME. 
       
       --Mr Topaz
593.25. "Non-VMS-Oriented Techie Speaking" by SPGOGO::LEBLANC (Ruth E. LeBlanc) Mon Aug 15 1988 17:50, 44 lines
    I, too, take exception to directing non-techies to the note regarding
    training [BTW, thanks, Greg, for your support - 593.9].  
    
    When I said I didn't know about file protections until well into
    my Digital career, I knew I was leaving myself open for some 
    criticism.  However, I did it to make a point:  Not ALL Digital
    employees are aware of the mechanisms behind, or the existence
    of, file protections.  One should not assume that an unprotected
    file is an invitation! -----------------------------------------
    ----------------------
    
    SET TERM/MILD_FLAME_ON:
    
    Just for the record, I don't think my ignorance of file protections
    (and I'm using "ignorance" in the true sense of the word) implies
    a lack of training.  I do my job very well.  However, my job has not
    always made it necessary for me to use many DCL commands.  Some
    people [obviously] find this hard to believe, but not ALL Digital
    employees need a lot of VMS knowledge, nor do all Digital employees
    spend the bulk of their time doing VMS-level stuff.  Personally,
    VMS commands/activity comprise about 5% of my job; therefore, I
    don't feel bad at all about being a "non-techie" with respect to
    VMS.  On the other hand, I'll challenge most people out there to
    match my expertise on some of the other, more applicable, components
    of my job!!  DCL commands aren't that important to me, but I'd blow
    you away with my expertise in PageMaker or even on the simple use
    of a DECmate II hard disk!!
    
    SET TERM/MILD_FLAME_OFF
    
    For the technically-oriented people out there:  Please keep an open
    mind when reading this and other replies on behalf of the
    "non-techies".  Shoving arbitrary training in our direction doesn't
    help us do our jobs if the training isn't applicable to what we
    do every day.  We should, however, feel moderately secure that our
    files are not being perused by others as we happily go about our
    business -- reading this file makes me want to furiously check-out
    file protections for my stuff in ALL-IN-1, PageMaker, DECpage, LOTUS,
    DECcalc, and all my VAXmate hard disk contents which might be
    accessible via the LAN!!!

    I'll shut up now.  [*audible* sigh from the audience]
    
   
593.26. "value differences?" by ARCHER::LAWRENCE Mon Aug 15 1988 20:10, 20 lines
Leaning very heavily on tongue-biting restraint, I will NOT say anything about
the arrogant snobbism of some of the previous responses.

There is a much more important issue here.  File protection MUST be the
responsibility of the system manager.  Defaults should most certainly be in
place that will bar casual readers of files.

Having sat with newly hired senior managers and walked them through the login
process I KNOW that there are many (otherwise brilliant) people in this company
who know nothing about file protection.  They could quite easily produce very
sensitive information which will be unwittingly exposed to casual readers.  
They are not hired because of their computer expertise, and certainly are too
valuable in their particular fields to send 'off to school' for indefinite
amounts of time.

Let's be reasonable here.

Betty


593.27. by BEING::POSTPISCHIL (Always mount a scratch monkey.) Mon Aug 15 1988 21:02, 34 lines
    Re .20:
    
    File protection is not like a lock.  A lock is either locked or
    unlocked; it lets everybody in or keeps everybody out.
    
    File protection is different.  You can lock something and keep the only
    key for yourself -- except even the words "lock" and "key" here are
    incorrect; there is no key.  The system knows who you are and allows
    you to read.  You can also lock something and let a group of people
    have the keys.  Or you can lock something and let the management have
    keys.  Or just you and the management, or you and the group, or you and
    the group and management.  Or you can add ACLs and have lists of groups
    of people who have access.  Clearly, this is not like having a lock and
    a key or keys.  It is more like having an entrance at which a
    receptionist looks at everybody and lets them in or not.  And when you
    set a file to WORLD:READ, you have told the receptionist to let
    everybody in.
    
    Certainly if you walk into a strange but unlocked house and go through
    the contents, you are acting wrongly.  But if you walk into a business
    office where the receptionist has been told to let anybody in, and you
    walk around and look at the things the receptionist says you may look
    at and you do not look at the things the receptionist says you may not
    look at, are you acting wrongly? 
    
    Some have made the argument here that they did not know about file
    protections.  By the same token, there are those who know there are
    files they are prohibited from reading and there are files they are NOT
    prohibited from reading.  They do not know about these non-universal
    beliefs some people have that world-readable files are not
    world-readable.  Why should your ignorance be preferred to theirs?
    
    
    				-- edp
593.28 | | FSTVAX::GALLO | Tom Gallo - Field Service Training | Mon Aug 15 1988 23:20 | 30 lines
    
    Re: .26
    
    	Do you consider 5 days indefinite?  If you'll look at the 
    Employee Course Catalog, Ed. Services offers a 5 day course
    called VAX/VMS Utilities and Commands.
    
    	VMS U&C teaches, among other *useful* topics, file protections.  That
    is, how to set them and how to determine *who* can access what files.
    
    	I can't see how anybody, no matter how valuable, could not take
    5 days out to become a better VMS user.  You don't have to be a techie
    to learn file protections and how to fix your files so that only
    you (or a suitably privileged user) can access them.
    
    Re: .26 (again)
    
    	I agree with you that the system wide defaults for protection
    should allow for *no* access whatsoever, to at least the world.
    
    Re: Last Few.
    
    	In light of the fact that many employees don't know protections
    from a hole in the ground, it seems reasonable that for a file to
    be truly public, it should be announced as such.  It does not seem fair
    to pick on users who really don't know better.
    
    -Tom Gallo
    
    
593.29 | You changed it to WORLD READ, you said the world could read it! | COVERT::COVERT | John R. Covert | Tue Aug 16 1988 00:44 | 23 lines
I agree with edp on this one.  I base my agreement on the corporate VAX/VMS
Operating System Security Standard required to be implemented on all Easynet
nodes:

>	3.0 Security for VAX/VMS System and User Files:
>
>	   3.1 Files provided by VAX/VMS will not have their protection 
>              changed in such a manner that allows broader access than 
>              originally intended.
>   ...
>          3.3 Default file protection (RMS_FILEPROT) will disallow WORLD
>              access.

This standard requires that the default access for files be *NO* WORLD access.

A file with WORLD access must have been given that access deliberately.  Giving
a file WORLD access is like posting a printout on a wall or bulletin board.

There is no issue of the "non-technical" user.  A system manager must understand
file protection and must implement the Security Standard.  A user must know what
WORLD access means before explicitly changing the protection of a file.

/john
593.30 | Clearing up a technical tidbit | STUD::DOTEN | This was a Pizza Hut | Tue Aug 16 1988 05:09 | 18 lines
.20> By default VMS establishes world read.
    
    And I think an earlier reply said something similar.
    
    In case people are worried about their files, VMS by default does
    NOT establish world read. VMS's default file protection is
    
    	SYSTEM:RWED, OWNER:RWED, GROUP:RE, WORLD:NONE
    
    This default can be changed by modifying the VMS system parameter
    RMS_FILEPROT, but I can't imagine a system manager doing this (even
    though I think some earlier reply said some system manager did).
    
    Seems to me the default protection that VMS establishes should be
    used except for those files that you explicitly want to set to world
    access.
    
    -Glenn-
593.31 | | QBUS::MITCHAM | Andy in Atlanta | Tue Aug 16 1988 11:27 | 17 lines
    Re: .29
    
    Correct me if I'm wrong, but I'm reading your reply to mean that the 
    corporate philosophy behind file protection, based upon the VAX/VMS
    Operating System Security Standard, is that:
    
    o  It is the System Manager's duty to see to it that file protection
       for all files contained within the system is implemented according
       to the Security Standard.
    			(and)
    o  Any file whose file protection is set WORLD:READ is available
       to all who wish to peruse its contents without fear of retribution
       (of course, disregarding Digital's "do the right thing" philosophy).

    So, how does corporate deal with poor system management?
        
-Andy
593.32 | | STAR::ROBERT | | Tue Aug 16 1988 12:49 | 33 lines
The policy that we should protect our files is a separate issue from
the policy about files that are not so protected, whether that lack
of protection be intentional, accidental, or an oversight.

re: edp, thank you

re: inappropriate analogy --- it is meant to bring up the theory of
    whether or not the lack of a lock is an invitation ... not police
    and the law

re: snobbishness; i think everyone is interested in the right answer
    not pursuing any sort of private agenda

re: inference; that the policy says "thou shalt lock thy files" does
    not imply "failure to do so is an invitation or grant to read"

re: granularity of locks, defaults, etc., good points

Still, nothing here has changed my mind at all.  I can not see any
logic whatsoever in trying to maintain that a file found to be w:r
implies publishment, invitation, grant, or rights.  It is simply
a file marked w:r and nothing more.

I find the attitude of "I can read anything I can manage to get
my hands on without priv's" to be disturbing.  I assume though,
that even the proponents of same would use good sense if they
stumbled upon something obviously sensitive, personal, or confidential,
and that they argue only that it is not a "wrong" action to read same.

Does anyone have the memo that went around some time ago discussing
employees' files and directories?  It may have been a ZK site policy.

- g
593.33 | | EAGLE1::EGGERS | Tom, 293-5358, VAX Architecture | Tue Aug 16 1988 12:53 | 4 lines
    I think extending VMS defaults to a "corporate philosophy" is going a
    bit too far. I seriously doubt that the VMS defaults, and their
    consequences, have ever been examined by as many as two VPs. But I've
    been wrong on things like this before. 
593.34 | | BEING::POSTPISCHIL | Always mount a scratch monkey. | Tue Aug 16 1988 12:58 | 21 lines
    Re .32:
    
    > I assume though, that even the proponents of same would use good
    > sense if they stumbled upon something obviously sensitive, personal, or
    > confidential, and that they argue only that it is not a "wrong" action
    > to read same.
    
    I do not think that has been raised as an issue before.  People who are
    looking around are looking for things that are interesting, but that
    does not necessarily mean sensitive, personal, or confidential.
    
    Interesting can cover games, hacks, useful utilities, information about
    how computers work, and similar items.
    
    Somebody who has sensitive, personal, or confidential files with world
    access has a bigger problem than the person innocently looking around
    -- their problem is actual criminals on the network, such as the West
    German intrusion in the past few months.
    
    
    				-- edp 
593.35 | | BEING::POSTPISCHIL | Always mount a scratch monkey. | Tue Aug 16 1988 13:01 | 12 lines
    Re .28:
    
    > It does not seem fair to pick on users who really don't know better.
    
    "Pick on"?  Who is picking on users who let their files be read? Nobody
    punishes them for their mistaken behavior.  Instead, tell us why a
    person should be reprimanded for looking around at stuff they believed
    they could look at.  It does not seem fair to pick on users who really
    don't know better.
                      
    
    				-- edp 
593.36 | | COVERT::COVERT | John R. Covert | Tue Aug 16 1988 16:31 | 4 lines
The memo about perusing a person's files was written by Bill Heffner.  I believe
it referred to misusing privileges to do so.

/john
593.37 | "improper conduct" | SEAPEN::PHIPPS | Mike @DTN 225-4959 | Tue Aug 16 1988 16:50 | 18 lines
        I'll try and explain my thoughts on the "browsing" of personal
        directories.

        If a directory has my name on it ie [PHIPPS...] the files in
        those directories belong to me and the corporation. If you are
        poking around without my knowledge I would consider that
        improper conduct. If a file protection is set W:R that does not
        excuse the conduct.

        If I have set a file W:R and have announced its location either
        to an individual or publicly, no problem. If I announce the
        wrong file name or extension or in some other way you get an
        error trying to access the file, I have no problems with you
        using the DIR command to double check my accuracy.

        System files are similar but different. Lots of systems have
        very sensitive data on them. I cannot blame a system manager
        for being upset about someone browsing.
593.38 | Corporate Security Guidelines | PNO::KEMERER | VMS/TOPS10/RSTS/TOPS20 system support | Tue Aug 16 1988 20:13 | 25 lines
    
    Re: System Management being responsible for default file protections..
    
    	If memory serves me correctly there is something from Corporate
    Security that mandates no W:R on certain "system" files. In fact
    systems all across the network are randomly checked for the presence
    of world readable system files and a message is fired off to the
    system manager if any are found. (The tool XSAFE is used for this
    purpose).
    
    The same document from Corporate Security also explicitly mentions
    that system managers ARE responsible for the overall integrity of
    their systems. System managers are also directed to identify ALL
    world readable files and verify if this level of access is necessary.
    
    Users' responsibilities listed in the document also include not making
    files world readable without good reason.
    
    My understanding is that if a system continues to be found in violation
    of the document guidelines it will be removed from the network.
    
    THE BOTTOM LINE IS WE ALL ARE RESPONSIBLE FOR SYSTEM SECURITY.
    
    							Warren
    
593.39 | | SEAPEN::PHIPPS | Mike @DTN 225-4959 | Tue Aug 16 1988 21:35 | 15 lines
        Warren is correct. XSAFE is looking for SYSTEM files that do
        not have the correct protection.

        If the following line is edited in the system's master login
        file, users could be inadvertently creating files with world
        read access. I don't know why anyone would want to but I think
        that is what some of the previous responses were referring to.

$ SET PROTECTION=(S:RWED,O:RWED,G:RE,W)/DEFAULT

        Yes, security is everyone's responsibility but some are more
        responsible than others 8^)

        ok everyone at the "$" prompt type DIRECTORY/PROT and see where
        you stand.
593.40 | Jumping back into the fray... | LAIDBK::GRANT | ether surfin' | Tue Aug 16 1988 23:29 | 33 lines
I can certainly see that we are all going to disagree on this!

Fact:  Doing a wildcard directory search is going to really upset
       some system managers who are deeply concerned about their
       system safety.

Fact:  Some people happen to leave files W:R who don't want just
       anyone to read them.

Fact:  Other people purposefully leave files W:R because they
       want to allow anyone to read the files.  (e.g. I have a
       whole directory of command files that I've written or
       found in notesfiles that many people could learn neat
       techniques from).

What can we put on the VMS 6.0 wishlist that will solve these
problems?  What say we suggest a new protection bit called "P" (for
publish of course) that would allow one to get a directory of all
"published" files without setting off alarms and bringing down the
wrath of the Management?  Now don't tell me that we don't have any
more bits in the filesystem -- we're engineers!  :-) 

If we had a more robust multiple file linkage structure a la U*%&
(oops the U word) we could make a standard directory on the systems
called SYS$PUBLISH where files linked to the "hidden" version in the
user's directory could be located. 

With all the creativity of the minds on the Easynet we simply must
come up with a workable solution to this problem. 

Regards,

	Bob
593.41 | | EAGLE1::EGGERS | Tom, 293-5358, VAX Architecture | Wed Aug 17 1988 04:20 | 3 lines
    And until we come up with a workable engineering solution, we can
    continue the discussion of "window shopping" vs "invasion of privacy
    and security". 
593.42 | Let's use SYS$PUBLIC for published files | HUMAN::CONKLIN | Peter Conklin | Wed Aug 17 1988 04:27 | 28 lines
    re .40:
    
    There is a well established convention on the Easynet for a directory
    (actually a logical name) SYS$PUBLIC. It would certainly imply that
    its contents are public. Nothing is put there by default. So anything
    put there must have been through a specific, conscious act. Thus, it
    seems reasonable to interpret the contents of this directory as
    published for public access.
    
    VMS does have a multiple name link mechanism. It is invoked by the 
    SET FILE/ENTER command. The only caution has to do with deletes, and
    this is made more robust against user error on v5. Thus, to publish a
    file, give the command:
    
    	SET FILE/ENTER=SYS$PUBLIC:   file-to-be-published
    
    This will place a public linkage to the file in the SYS$PUBLIC:
    directory. Obviously, the file should already have a protection that
    includes World=RE. It should also not have an ACL that bans access,
    say from network jobs. And the user must have create access to the
    SYS$PUBLIC directory.
    
    Note, that since VMS v3.0, or thereabouts, the default file
    protections have been World=None and the default directory protections
    are inherited from their parent directory at creation, and the
    volume's top level directory (the MFD) has been INITIALIZED at
    World=E which only allows access by specific name--no window shopping
    unless explicitly allowed.
593.43 | | BEING::POSTPISCHIL | Always mount a scratch monkey. | Wed Aug 17 1988 11:46 | 25 lines
    Re .40:
    
    > Fact:  Doing a wildcard directory search is going to really upset
    >        some system managers who are deeply concerned about their
    >        system safety.
    
    If there are any such system managers, their systems are AT RISK.  What
    we are discussing here is shopping versus privacy -- NOT SECURITY.
    
    If your system is not secure against shoppers, then it is not secure
    against crackers, and you cannot control cracking by reprimanding
    shoppers or making policies against shopping.  Therefore any discussion
    about policy in whether or not people should read files with world
    access will have no effect on security.
    
    > Fact:  Some people happen to leave files W:R who don't want just
    >        anyone to read them.
    
    This fact says nothing about whether a person who goes browsing has
    done anything wrong.  Okay, when they go browsing, they see something
    the owner did not intend for them to see.  But the browser does not
    know that, so have they done anything wrong?
    
    
    				-- edp 
593.44 | | HYDRA::ECKERT | Jerry Eckert | Wed Aug 17 1988 12:07 | 6 lines
    re: .42 
    
    Note that 'SET FILE/ENTER=SYS$PUBLIC: file' will work only if
    SYS$PUBLIC: and the directory containing the file are on the
    same disk.  If this condition is not met the file must be copied
    to SYS$PUBLIC:
593.45 | Don't call me. | VMSSPT::BUDA | Putsing along... | Wed Aug 17 1988 12:25 | 20 lines
    
    I know this is going to sound prejudiced to some, but it is not meant
    to be such, just an observation.
    
    For those people who have read 'HACKERS', I can understand the idea
    of, if it is available, then use it, but not abuse it.  It has been
    in computers for a long time.
    
    If a file is W:R, then you should expect that ANYONE can and will access
    it.  Quite commonly I will use FTSV to copy files from a system,
    mentioned in NOTES of course.  In doing so, I could make a typo.
    I might get YOUR W:R files.  Of course, I will look at them to figure
    out what happened.  Two days later, I get a call from some system
    manager asking what is going on.
    
    Most people will say, the above will happen so infrequently that
    it should be ignored (i.e. the exception).  I agree, but many rules
    are made because the exception DID occur.
    
    	- mark
593.46 | File system Peeping Toms | ULTRA::MADDEN | Patrick Madden | Wed Aug 17 1988 13:37 | 39 lines
    Re: .43
    
>    This fact says nothing about whether a person who goes browsing has
>    done anything wrong.  Okay, when they go browsing, they see something
>    the owner did not intend for them to see.  But the browser does not
>    know that, so have they done anything wrong?
   
    If I left the curtains in my bedroom open and you watched me through
    my window, have you done anything wrong?  I didn't intend for you
    to see anything inside the room, but that doesn't give you permission
    to look either.  Furthermore, I have the right to be upset if
    you went around looking in my windows, and I might even call the
    police.  
    
    Files belong to their owners just like anything in my house belongs
    to me.  Unless I state that something is available for your use,
    I would expect you to respect my privacy and not to attempt snooping. 
    I would even consider calling "window shopping" an attempt to steal
    intellectual property, in the case of a computer file.  And, to
    counter what some people implied in other replies, just because my 
    work belongs to the company doesn't grant you right-of-access, 
    should I set a protection improperly.

    At the same time, a user should not be trusting of the network (or
    other users on the system, for that matter) and should assume that
    people will attempt access to his data.  For this reason, he/she
    must set file protections accordingly.  
    
>    If your system is not secure against shoppers, then it is not secure
>    against crackers, and you cannot control cracking by reprimanding
>    shoppers or making policies against shopping.

    If you were the system manager, how would you tell the difference
    between a window shopper and somebody trying to crack the system?
    If the system manager is responsible for the overall security of
    the system, then it is his job to pursue protection violations.
    
    --Pat
593.47 | | EAGLE1::EGGERS | Tom, 293-5358, VAX Architecture | Wed Aug 17 1988 16:51 | 22 lines
    I simply do not believe and will not accept the analogy between privacy
    in my personal house and property and privacy on Digital-owned files
    and computer equipment!
    
    Even if I did accept the analogy, it is still legal for me to stand on
    the public street and use binoculars to look in your open window. You
    might not like it, it is probably voyeurism, and it may very well
    indicate a mental abnormality on my part, but I believe it is legal.
    
-----------------------
    
    Can we agree on the following:
    
    1. The VMS defaults are world=none (this is either true or false), and
    2. It is the system manager's job to see that the systems under
       his control have reasonable defaults, and
    3. It is unreasonable for anyone to try to crack the security?
    
    If we can agree on those, then does it follow that there is nothing
    wrong with window shopping and reading files marked WORLD=READ? It
    seems a reasonable conclusion to me, even though I have no interest in
    doing it.
593.48 | | BEING::POSTPISCHIL | Always mount a scratch monkey. | Wed Aug 17 1988 17:20 | 38 lines
    Re .46:
    
    > If I left the curtains in my bedroom open and you watched me through
    > my window, have you done anything wrong?
    
    Please do not ignore what I said:  "the browser does not know that".
    An employee has just discovered the node name part of the file
    specification and has realized they can use DIRECTORY, node names, and
    wildcards.  They do not know what a computer bedroom looks like, so
    they have no idea they are looking in anybody's bedroom.  When they
    look someplace they reasonably believe they are allowed to look, they
    cannot be blamed for acting reasonably.
    
    In addition, what makes your analogy valid?  I gave what I believe to
    be a better analogy:  Protections are not just locks or curtains; they
    are _algorithms_.  They are algorithms with some intelligence, which
    makes them like receptionists that approve or disapprove of you looking
    around the office.  As long as the receptionist approves, you may look
    around the business office. 
    
    That analogy fits the facts better -- if you don't think so, then say
    why.
    
    > If you were the system manager, how would you tell the difference
    > between a window shopper and somebody trying to crack the system?
    
    That's not the point.  The point is that a system manager who gets
    upset is in trouble.  They have a security problem.  If the system
    manager is not confident their system can withstand wildcard searches,
    the system is at risk.
    
    A good system manager should know their system is secure.  If they
    wish, they can inquire as to the cause for the search, to ensure it is
    merely a browser and not a cracker.  But there is no reason for a good
    system manager to be upset.
    
    
    			       	-- edp
593.49 | [PHIPPS...] Is (Digital) Private Property | SEAPEN::PHIPPS | Mike @DTN 225-4959 | Wed Aug 17 1988 21:50 | 34 lines
>   I simply do not believe and will not accept the analogy between privacy
>   in my personal house and property and privacy on Digital-owned files
>   and computer equipment!

        Agree. There are too many activities within the company that
        are equated to outside activities.
    
>   indicate a mental abnormality on my part, but I believe it is legal.
    
        Gee! I would never have known it of you. I'm not sure how
        legal. The aggrieved person could call the police who would
        certainly threaten you with something.

>   If we can agree on those, then does it follow that there is nothing
>   wrong with window shopping and reading files marked WORLD=READ? It

        Totally disagree. Example:

        I may have an Engineering Specification that is really too large
        to MAIL but has been set W:R so an individual (with a need to
        know) could copy it. It is in one of my personal directories
        not a SYS$PUBLIC one. The intention is that they call me once
        the copy is complete so I can set the protection W=no access.

        In this example, the need is time critical so don't tell me
        about tape, floppy or hard copy.

        What if I am delayed or just forget to put the protection back?
        I don't want a "browser" to stumble across it and read or copy
        it while it is accessible. If it gets distributed to someone
        that doesn't have a need to know, my job could be on the line.

        If it is in [PHIPPS...] you better get my permission!!!

593.50 | VMS has a mechanism | LAIDBK::GRANT | ether surfin' | Wed Aug 17 1988 22:39 | 19 lines
RE: .49

>        I may have an Engineering Specification that is really too large
>        to MAIL but has been set W:R so an individual (with a need to
>        know) could copy it. It is in one of my personal directories
>        not a SYS$PUBLIC one. The intention is that they call me once
>        the copy is complete so I can set the protection W=no access.

But VMS already has a mechanism for this.  You can put the file
in a directory that is protected against directories and only
a person with the correct directory path and filename can copy
the file.

I still maintain that given a modicum of common sense one should be
able to assume that seeing W:R protection on a file in a directory
listing gives probable permission to read the file.  (probable because
someone might have mistakenly unprotected a sensitive file).

	Bob
593.51 | | EAGLE1::EGGERS | Tom, 293-5358, VAX Architecture | Wed Aug 17 1988 22:58 | 2 lines
    How large does a file have to be before it is too large to MAIL, or to
    nMAIL? What causes the limit? Does that same limit apply to COPY? 
593.52 | Diskquota? What's a diskquota?... | WAYLAY::GORDON | Well... There you have it! | Thu Aug 18 1988 00:28 | 27 lines
593.53 | W:R isn't the "right" thing | STAR::BOUCHARD | Gaye Bykers on Acid | Thu Aug 18 1988 00:42 | 11 lines
    re: .49
    
    If you have a proprietary document that you want to give to somebody
    within Digital I think simply setting it W:R is very bad policy.
    The document should really be placed where it can be copied by name,
    but not seen by Joe-Random-VMS-user.  Questions about the validity
    of "window-shopping" aside we are naive to think that only Digital
    employees have access to our systems...
    
    					Rich
    
593.54 | re: everything | MERIDN::BAY | You lead people, you manage things | Thu Aug 18 1988 04:21 | 98 lines
    If I sneak into your bedroom without you knowing, and see a vase on your
    table that I really like, can I make an exact duplicate of it, without
    you knowing it? 
    
    Can you set the locks on your desk to open automatically in the
    presence of specific individuals (who don't even have keys), but only
    allow specific individuals access to certain items in your desk? 
    
    Can you place a note on a bulletin board that is visible to anyone
    on the entire planet, but only if they happen to know the title
    written on the note?
    
    Analogies to desks, bulletin boards, bedrooms, etc. are misleading,
    confusing, inappropriate and generally not helpful.  
    
    Moreover, most human beings understand not only the physical operation
    and mechanical limitation of such objects, but also the accepted moral
    behavior associated with searching someone's desk, bedroom, personal
    files, etc.  Not necessarily so with computer files.
    
    I don't think we are discussing whether it is proper to search
    someone's desk.  We are talking about disk files (mostly) and the issue
    is NOT whether it's like a bulletin board or a desk, but whether it's
    proper or not. 

    Everyone keeps suggesting some way of making files specifically
    public.  Well, it exists.  It's called WO:R.  It isn't spelled the
    same, but that IS VMS' way of saying "YES - ANYONE CAN READ THIS".
    WO:R MEANS PUBLIC.  Accept that in the technical sense, and
    communication can proceed.  Intent is another matter.
    
    As previously mentioned, if you only want people who somehow ALREADY
    KNOW about something (learned from you by mail, read it in a notesfile,
    etc.) then use WO:E.  That is VMS' way of saying "YES - ANYONE WHO
    ALREADY KNOWS IT IS THERE CAN READ IT".  Again, this is a technical
    definition for how VMS works.  Whether the intent of the user matched
    the effect of his actions is another issue.
    
    IF you don't know what these file protection mechanisms are or how
    to use them properly, then you run a risk of compromising your own
    privacy.  Ollie North found this out the hard way.
    
    If you knowingly take advantage of someone else's ignorance, then you
    are an opportunist at best.  In a more negative light, you are probably 
    lacking in moral standards.
    
    However, it is hard to imagine that because you understand the
    functioning of VMS, assume the same of other users, and utilize
    this knowledge as best you can, and you do not knowingly invade
    someone's privacy, that you could be considered guilty of any
    wrongdoing. 
    
    Here's the tough part:  If you feel that you did something wrong (that
    is, if you either did something you feel is incorrect, or you just
    plain old feel guilty) and you don't move to correct it (notify the
    person that they left sensitive files unprotected, or ask permission to
    copy a file you found while browsing), then you are probably doing
    something wrong, and you probably deserve some form of punishment
    (perhaps your own guilt, or fear of reprisal).
    
    But it's not VMS' role to determine if you've done anything wrong,
    or determine file protection based on intent.  As Garry Trudeau said
    in a comic strip (paraphrased and probably not original), computers
    are only as ethical as their users.  It is "intent" that determines
    wrongdoing, not actions (When is it proper to spit in a man's face?
    When his mustache is on fire).

    As for use of computers by those who are not sufficiently educated
    to protect themselves, that is a fault of the corporation.  Anytime
    the company places a person in a position for which they are
    insufficiently trained, the company takes a risk that that person
    will in some way fail.  Anytime an employee must use a computer
    to do their job, there is a risk that a lack of education could
    result in harmful consequences, either because the employee didn't
    know how to protect themselves, or because the employee honestly
    didn't realize that the "window-shopping" was incorrect behavior.

    I frankly admit to window shopping.  Not just of computer files,
    but computer hardware, company publications, anything I can get
    my hands on.  I would never invade someone's desk or other private
    areas, and I have been known to tell people that files are unprotected.
    Basically, my intent is always benevolent.  And I have, on some
    occasions, gotten in trouble for what seemed completely innocent
    behavior.
    
    The bottom line is that everything depends on the intentions of those
    involved, and there is no way to record intentions on RMS files.
    I issue the DIR command hundreds of times a day, and whether it
    is morally correct or not, will depend on a thousand different factors.

    But there can be no doubt that, whether it was intended or not, WO:R IS
    public, and that is not VMS' default.  And only particular
    circumstances will determine if wrongdoing was committed in accessing
    something made public in this way.  No general statement can ever be
    made that will be correct more than a fraction of the time.
    
    Jim
     
593.55 | SYSMGR can tell if "browser" or "cracker" | PNO::KEMERER | VMS/TOPS10/RSTS/TOPS20 system support | Thu Aug 18 1988 04:31 | 24 lines
    
    Re: "...how does a system manager know the difference between
         a window shopper and a cracker..."
    
    ANY system manager worth their salt can tell the difference
    between the two types of security violations merely by the pattern
    of those violations. "Crackers" typically try certain *types* of
    actions as well as doing things repetitiously with small changes
    to each "attempt". It may require significant research but in most
    cases you CAN tell the difference. The only hurdle here is the
    volume of information that sometimes must be sifted to make the
    determination of "browser" or "cracker".
    
    As to temporarily making a file available, a previous response
    said it best: make the directory immediately above the temporary
    file W:E. This prevents "browsing" but will allow access if the
    other party knows the file name (and it is W:R).
    
    							Warren
    
    (Former college {hacker/cracker/browser})
    [But only to LEARN!!!]
    
    
593.56 | | BEING::POSTPISCHIL | Always mount a scratch monkey. | Thu Aug 18 1988 12:16 | 20 lines
    Re .49:
    
    > I may have an Engineering Specification that is really too large
    > to MAIL but has been set W:R so an individual (with a need to
    > know) could copy it.
    
    Put it in a subdirectory with WORLD:E but not R.
    
    Encrypt it, set it WORLD:R, copy it, and decrypt it.
    
    Have your friend create a directory with WORLD:EW.  Keep your file
    protected, and copy it to their directory.  Neither the old nor the new
    copy is ever WORLD:R. 
    
    Give them an account on your system.  Set the protections so that
    account can copy the file.  Then they copy it, specifying the access
    control string.
    
    
    				-- edp 
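
The directory-protection recipes in .55 and .56, as an added example that is not part of either note: a simplified Python model of what a WORLD-class accessor can do under a VMS-style protection mask. It ignores SYSTEM, OWNER and GROUP membership, privileges and ACLs; the function names are hypothetical, and requiring lookup access together with W for file creation is this model's assumption, following the WORLD:EW recipe.

```python
"""Simplified model of VMS-style protection masks, WORLD class only.

Assumptions (not from the thread): SYSTEM/OWNER/GROUP membership, privileges
and ACLs are ignored; all function names are hypothetical.
"""

CLASS_NAMES = ("SYSTEM", "OWNER", "GROUP", "WORLD")


def parse_protection(text):
    """Parse a mask such as 'S:RWED,O:RWED,G:RE,W:E' into {class: set(rights)}."""
    mask = {name: set() for name in CLASS_NAMES}
    for field in text.upper().split(","):
        field = field.strip()
        if not field:
            continue
        cls, _, rights = field.partition(":")
        # Accept abbreviations: W, WO and WORLD all name the same class.
        matches = [n for n in CLASS_NAMES if cls and n.startswith(cls)]
        if len(matches) != 1:
            raise ValueError(f"unknown protection class in {field!r}")
        if set(rights) - set("RWED"):
            raise ValueError(f"unknown access letter in {field!r}")
        mask[matches[0]] = set(rights)
    return mask


def world_can_list(dir_mask):
    """A wildcard DIR (browsing) needs read access to the directory."""
    return "R" in dir_mask["WORLD"]


def world_can_lookup(dir_mask):
    """Looking up an exactly known file name needs R or E on the directory."""
    return bool(dir_mask["WORLD"] & {"R", "E"})


def world_can_read_file(dir_mask, file_mask):
    """Reading by name needs a directory lookup plus R on the file itself."""
    return world_can_lookup(dir_mask) and "R" in file_mask["WORLD"]


def world_can_create(dir_mask):
    """Model assumption: creating an entry needs W plus lookup access."""
    return "W" in dir_mask["WORLD"] and world_can_lookup(dir_mask)


def world_view(dir_prot, file_prot):
    """Summarise what an unrelated (WORLD) user can do with one directory/file pair."""
    d, f = parse_protection(dir_prot), parse_protection(file_prot)
    return {
        "list": world_can_list(d),
        "read_by_name": world_can_read_file(d, f),
        "create": world_can_create(d),
    }


# Constructed protection strings for the cases discussed in the thread.
SCENARIOS = {
    "directory and file both W:R (browsable)": ("O:RWE,W:RE", "O:RWED,W:R"),
    "directory W:E, file W:R (.55, .56)": ("O:RWE,W:E", "O:RWED,W:R"),
    "recipient's drop directory WORLD:EW (.56)": ("O:RWE,WORLD:EW", "O:RWED"),
    "file W:R but directory closed to WORLD": ("O:RWE", "O:RWED,W:R"),
}

if __name__ == "__main__":
    for label, (dir_prot, file_prot) in SCENARIOS.items():
        print(f"{label}: {world_view(dir_prot, file_prot)}")
```

In the W:E case a wildcard listing fails while an open by exact name succeeds, which is the distinction both notes rely on.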

593.57. "Snooping or Browsing?" by STAR::ROBERT Thu Aug 18 1988 12:43 (51 lines)
Ratholes about here.  It doesn't matter if the analogies are false.  They
were never intended to live up to the objections that are being raised,
but merely suggest an attitude that might apply in this situation as well.
They are valid to that extent.

What system managers can and should do, what individuals can and should
do, what browsers can do, are not relevant to what browsers _should_ do.

Some people think browsers shouldn't.  Others think they should.  The
debate seems to have only two real sides:

	I can therefore I will
	You can, but you still shouldn't

I can't see ANY way to resolve this except based on a philosophy of
ownership.  If the files in my directory have some sense of being
"mine", or my stewardship if you want to argue that they are DEC's,
then they are mine.  I don't see any more reason that someone else should
look at them, without invitation, than if you were in my office
and snooped a memo that happened to be lying face up on my desk.

Eric: I agree with your analysis, but I think you attribute too much
      human intent to technical acts.  I think that SYS$PUBLIC is
      analogous to a bulletin board, not W:R.  It's a judgement call.

Tom: I agreed with your three points, but I honestly did not understand
     the logic involved in getting from them to your conclusion.  Could
     you fill in the (for me) missing steps?

Several: the acts or omissions of system managers and users do not
     define the correct moral behavior or DEC policy with respect to
     snooping/browsing.

Several: I do not agree that the correct training of employees wrt
     file protections is the solution to this problem.  This grossly
     misunderstands what an "average" non-technical person can really
     be expected to manage as part of their job.  This is another
     judgement call, but most engineers and "power users" are arrogant
     in their concept of what is "simple basic competence".

Put tersely:

	Some call it "browsing".
	Some call it "snooping".

Which of those adjectives is used pretty much defines the attitude
of the writer.  Which of those adjectives applies pretty much defines
what the policy/attitude should be.

So, is it snooping or browsing?  I recognize the INTENT is nearly
always browsing.  But I think the objective act is snooping.

593.58. by SEAPEN::PHIPPS (Mike @DTN 225-4959) Thu Aug 18 1988 16:38 (15 lines)
        The example I gave was just that... an example.

        The scenario is not good practice and should be avoided. Yes, I
        know of the W:E etcetera methods.

        The point I was trying to make, not too well, was that under my
        name; KEEP OUT unless invited. W:R is not an invitation in and
        of itself.

        I hope that's clear.

        As for system managers, your review probably depends in part or
        whole on how you manage your system. That being the case, in
        your place I would consider the entire system as being under
        your name.

593.59. by BEING::POSTPISCHIL (Always mount a scratch monkey.) Thu Aug 18 1988 18:36 (10 lines)
    Re .58:
    
    > I hope that's clear.
    
    No, that's not clear.  There are perhaps a few hundred employees to
    whom it is clear and one hundred and twenty thousand employees to whom
    it is not.
    
    
    				-- edp 

593.60. by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Thu Aug 18 1988 19:46 (4 lines)
    I think it's clear in .58 that Mike Phipps does not regard w:r on any
    of his files as an invitation to read them. He actually worded it more
    strongly as, "KEEP OUT unless invited." I can't find any way this can
    be ambiguous.

593.61. "more philosophy..." by PH4VAX::MCBRIDE (the syntax is 6% in this state) Thu Aug 18 1988 22:55 (31 lines)
    We are where our customers were 5 years ago.  If you don't know
    who is accessing your files or IF someone is accessing your files,
    then you are sticking your neck out.  If your computer vendor or
    your system manager can't protect your files from unwanted access
    you got a big problem.  As to whether it is moral...who cares! 
    If you bare yer bod in front of the open window and somebody
    peeps...then the deed is done!  Morality is out the window.
    
    I recall an incident at one customer's site where the provost of
    the computer science department had his files marked as "nobackup".
    Any new files were marked as "nobackup" as well.  To cover his
    tracks the perpetrator screwed around with the accounting file and
    the system manager never noticed that the accounting.dat had bad
    attributes despite the fact that, because of a hardware problem,
    the system was rebooted 60 times in one month.  Each time the startup
    complained and no one noticed.  When the backup tapes were completely
    recycled, all of the files were deleted by the hacker.  This is
    not a good thing to happen at the end of the semester.  Protect
    yourself.  If you don't have a system manager that can help then
    get one or be one.
    
    Personally, (I'm so ashamed of this) I performed the ultimate perusal
    of someone else's files.  There was something I had to know and I
    found it.  Unfortunately, I found a lot more than I wanted to find
    out.  So much for morality. 
    
    The moral of the story...if you are tripping through someone else's
    files, it is impolite.  If DEC ever gets smart they will make it
    a capital offense.  If you don't know if someone else is into your
    files either don't keep anything important or find out who is in
    your files.  

593.62. by BEING::POSTPISCHIL (Always mount a scratch monkey.) Fri Aug 19 1988 17:16 (13 lines)
    Re .60:
    
    > I can't find any way this can be ambiguous.
    
    I can't find any way .59 says .58 is ambiguous.  Do you think it does?
    
    .59 says quite clearly that almost no Digital employees will see Mike
    Phipps' message, so it doesn't matter how clear it is -- It will never
    be clear to those who don't see it.  What good does a "Keep Out" sign
    do when you put it where nobody will see it? 
    
    
    				-- edp 

593.63. "Encryption may help you feel a little safer" by CSC32::S_LEDOUX (Evolution here I come!) Fri Aug 19 1988 18:20 (13 lines)
	I use my account(s) 99.99% for work-related purposes on a cluster
	where giving out SETPRV is STANDARD.  Almost all of us really need
	privs to deal with customer problems on the phone.  I have absolutely
	no guarantee that others aren't snooping in my directories.  The
	occasional .01% of my stuff that I want PRIVATE, I encrypt.  If
	somebody tries to browse my PRIVATE files, they won't see much.
	
	Even so, I would take drastic and immediate action if someone was
	unlucky enough to let me catch them with their hands in MY cookie
	jar.
	
	Scott.

593.64. "ethics is the issue" by STRATA::OTENTI Tue Aug 23 1988 03:56 (9 lines)

593.65. by BEING::POSTPISCHIL (Always mount a scratch monkey.) Tue Aug 23 1988 12:49 (7 lines)
    Re .64:
    
    That opinion has been expressed here before; do you have any new
    reasoning to back it up?
    
    
    				-- edp 

593.66. by COVERT::COVERT (John R. Covert) Tue Aug 23 1988 13:09 (2 lines)
Explicitly granting world read to directories and files explicitly announces to
the VMS security system that the files are available to any readers.

593.67. "Bad manners" by QUARK::LIONEL (In Search of the Lost Code) Wed Aug 24 1988 01:38 (25 lines)
    There are performance and ease-of-use considerations that make it
    onerous to protect all files against browsing.  While any files
    that I don't want looked at ARE protected, I feel it is an intrusion
    and a waste of resources, not to mention bad manners, for someone
    to do uninvited searches, even if they ultimately fail because of
    file protections.  To me, it is the same as someone rummaging
    through my office looking for "interesting" objects.  In the case
    of the user who wrote the base note in WAR_STORY, his snooping
    created a loss-of-service to the rightful users of his victimized
    system.
    
    I feel that many users consider Digital's network to be one giant
    toybox, through which they are free to rummage, in spite of the
    nuisance they may cause.  The relative openness of our systems
    is a tradeoff of ease-of-use against security, relying on the
    good behavior of the network users to not make things more difficult
    than they need be.
    
    In summary, to me, it doesn't matter whether or not the files
    are protected - it is just plain bad manners, and I'd even say
    unethical, to browse through the network.  I'd include someone
    doing a DIR SYS$PUBLIC: (or SYS$GAMES:, or whatever) on every node
    in this category.
    
    					Steve

593.68. "Privilege and responsibility" by HJUXB::HASLOCK (Nigel Haslock @ Manalapan,NJ) Wed Aug 24 1988 15:41 (50 lines)
    I just waded through the mire of this note because I got a request
    for permission to read files from a directory that I had announced
    in another note as containing public files.
    
    My feelings are that by announcing the directory I had implicitly
    given permission to Joe Random to read and copy any file that he
    could find there. When I announced the directory, I checked that
    the rest of my files were and will be protected. The point is that
    I now expect browsers to try to look at my directories and have
    taken the appropriate precautions.
    
    I have spent a lot of time on UNIX systems at Bell Labs where the
    philosophy has been that developers are expected to browse in order
    to avoid reinventing wheels, nuts, bolts or other useful items.
    
    VMS provides a decent set of tools to protect files. I believe that
    if you care about the privacy of your files, you will use the tools.
    Ignorance is no excuse, and system managers who allow ignorant users
    to remain ignorant are failing in their jobs. Admittedly, this can
    be a problem for management types with a uVAX under their desk but
    no training in system management but corporate security should be
    worrying about this.
    
    It would be polite and honourable for browsers to warn users about
    files that are open but should not be, and maybe even suggest how
    to correct the situation. I firmly believe that the onus of file
    protection lies solely with the owner of the file.
    
    I also believe that the presence of a few internal hackers on the
    net who are trying to break security will help to raise the communal
    level of awareness.
    
    To the people who object to browsing, 'What are you afraid of?'.
    How does someone browsing through your directories hurt the work
    that you are supposed to be doing? Are you frightened that some invisible
    watcher will damage your career by flaws in your work? Are you keeping
    files that indicate that you are in breach of company policies?
    Can browsers see that you are not worthy of your position?
    Are you paranoid?
    
    If you can do nasty things to me on the basis of browsing then I
    deserve it. If the company can be damaged by such browsing then
    the owners of the files and their managers should be castigated
    for allowing vital information to be left in insecure areas.
    
    Note. I am not saying that I am perfect, I am saying that it is
    a part of my responsibility to ensure that only public data is
    accessible by invisible browsers. I feel that it is my manager's
    responsibility to ensure that I am aware of my own responsibilities
    and that I have the tools and the training to do my job.

593.69. by QUARK::LIONEL (In Search of the Lost Code) Wed Aug 24 1988 15:47 (11 lines)
    Re: .68
    
    I am not "afraid of browsing".  It is a nuisance, and a misuse of
    corporate resources.  There's nothing for them to find on my system,
    but they shouldn't be looking in the first place unless they have
    previously been told that a certain file is available on my system.
    Browsing wastes network bandwidth (which is scarce in some areas)
    and CPU time.  It also wastes my time trying to sort out legitimate
    users from potential intruders.
    
    				Steve

593.70. by STAR::ROBERT Wed Aug 24 1988 16:16 (35 lines)
re: .68

>    I have spent a lot of time on UNIX systems at Bell Labs where the
>    philosophy has been that developers are expected to browse in order
>    to avoid reinventing wheels, nuts, bolts or other useful items.

If a group of developers wish to adopt this philosophy among themselves
that is fine, and I even recommend it.  I can "browse" the master pack
for VMS anytime I like.  However, I do not "browse" my co-workers
personal directories if not invited.
    
Many replies to this note seem unable to distinguish the issue of
what can and should be done by way of using VMS security features
from the entirely separate issue of what is ethical/correct/right
by way of attitudes of browsers.  It is simply a rathole to discuss
VMS security features.  They have nothing whatsoever to do with
the question at hand.  This is not the system management conference,
nor a VMS Security technical conference, it is the "Digital way of
working" conference.
    
>    To the people who object to browsing, 'What are you afraid of?'.
>    How does someone browsing through your directories hurt the work
>    that you are supposed to be doing? Are you frightened that some invisible
>    watcher will damage your career by flaws in your work? Are you keeping
>    files that indicate that you are in breach of company policies?
>    Can browsers see that you are not worthy of your position?
>    Are you paranoid?

Actually, this question has already been answered many times in previous
replies.  Whether you agree with it or not is up to you.  But ascribing
a lot of loaded statements about paranoia, fear, personal interest to
a group of people conducting a professional and sincere discussion of
an important topic isn't, in my opinion, productive.

- greg

593.71. "if w:r, then "read me"" by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Wed Aug 24 1988 17:22 (32 lines)
    I posted the base note for this topic, but have held off expressing a
    strong opinion. I wasn't really sure what my opinion was, but I am now.

    I don't believe the "Digital way of working" and the ethics are
    separable from the VMS-provided security mechanisms. I believe they are
    very strongly intertwined, and it is natural for them to be so. Since
    VMS does provide mechanisms which most (or perhaps all) of the previous
    responders believe should be used, I see very little reason to
    introduce yet another level of "appropriate behavior". 
    
    Let the VMS-provided mechanisms be the "Digital ethic". That is simple,
    straight-forward, well documented, easily explainable ("if you can read
    it, it's OK") and a natural consequence of the VMS mechanisms. Trying
    to set a "higher" standard will be subject to endless argument and many
    people not being informed. Those who object to browsing will endlessly
    be trying to communicate their ethics to those who were merely "doing
    what VMS permits me to do". And when the browsers, who don't know about
    the "higher ethics than VMS", receive harsh complaints from system
    managers, the browsers are going to be upset. This will happen
    repeatedly.
    
    Avoid all of this! Make the Digital ethic be the VMS mechanisms. It has
    the tremendous advantages of simplicity and manageability. And it
    already exists! It has already been implemented company wide. There is
    no need for any other standard! Don't make life more difficult than
    necessary with yet more rules, however informal. Let the system
    managers see to their file protection defaults and the education of
    their users instead of complaining about browsers. (If the VMS
    mechanisms are not sufficient, then we should recognize that and fix
    it: our customers will have the same problems.) 
    
    twe, casting_his_vote_for_whatever_VMS_allows

593.72. by COVERT::COVERT (John R. Covert) Wed Aug 24 1988 21:08 (10 lines)
We have started to branch out into two different directions.

The original discussion was on privacy.  Many people have expressed the opinion
that files explicitly made world read are no longer private and are fair game
to be read.

A new discussion has started:  the waste of corporate resources when someone is
searching for world read files.  I consider this a separate issue.

/john

593.73. "People > technology" by STAR::ROBERT Wed Aug 24 1988 21:35 (53 lines)
re: .72

Actually John we have three different topics:

	A discussion of the ethics of snooping (the original)
	A discussion of VMS security mechanisms (unrelated)
	A discussion of network use (semi-relevant)

re: .71

Sorry Tom but I simply can't agree.

	I don't believe the ethics of snooping vary, for example,
	depending on whether the system I am looking at is Ultrix,
	VMS, MSDOS, TOPS-20, or whatever ... under DECnet or other
	protocols I may not even know.

	I don't believe in determining correct behavior based on
	technology ... especially where that technology is simply
	magic to all but perhaps 10% of the company.

It may sound simple to say "let's base it on VMS security details",
but in reality, since most people don't understand the implications
of even rather simple VMS protections, privileges, proxies, ACLs,
etc., in fact, it is actually much more complex than the very simple
statement:

	If you weren't invited, stay out of areas that are
	obviously part of my personal space: my desk, my
	file cabinets, and my personal directories.

Any irresponsibility I may show in failing to lock any of those is
neither a declaration of publication, nor an excuse for you to snoop.
It is entirely possible for two parties in a situation to _both_ be
wrong.

Note that that is a moderate position;  Steve L., for example, takes
a stronger position.

- greg

ps: I can't help observing that I _think_ there is a tendency for
    the vote to be correlated with technical sophistication.  Those
    "in the know" rely on technology, those not on ethics.

    Thank goodness that "do the right thing" is definitely not
    defined by the 22,000 page VMS docset.

pps: I was in a classified installation yesterday.  We were in a
    room when someone began running some simulation screens.  Our
    guide, who was quite open to that point said, "well, everything
    here is _supposed_ to be unclassified, but I think we better
    leave".   Good judgement in my mind.

593.74. by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Thu Aug 25 1988 00:01 (49 lines)
    Greg, I think we are going to have to agree to disagree. 

    I don't believe it is necessary to establish an ethical system for
    dealing with the problem. For example, whatever ethical system you
    establish will vary from user to user, system to system, OS to OS, and
    whatever else I may not even know about. But all of the systems I know
    about have some form of file protection. Let's use it. The rules then
    do not vary from system to system but are invariant across systems: if
    the file is readable, then you are allowed to read it.

    Relying on the system manager to establish a reasonable set of defaults
    removes the issue of user non-sophistication. It has the distinct
    advantage that somebody can find out what the rules are by trying. None
    of the schemes based on non-technical rationales has that tremendous
    advantage. And being able to find out what the rules are is necessary
    if you intend to have any fair enforcement at all.
    
    It doesn't matter what percentage of the company understands the
    technology. It could be 1% or 100%. The technology has the ability both
    to insure privacy and to inform people when they have reached limits.
    That operational publication of the rules is more informative than this
    conference or any informal consensus will ever be. If you don't tell
    people what the rules are, then you can't object when they violate
    them. Let the OS tell people "stop here". If they then try to
    circumvent the OS (by trying lots of passwords for example), then let
    the wrath of whoever descend on them. 
    
    I do assume that VMS (and other OSs) and the system managers do their
    job in setting up the system. I don't think that is asking too much.
    Then, if somebody does have the expertise to change the defaults, and
    perhaps 90% of the people don't, then they can take responsibility for
    their own actions. Changing file protections simply doesn't happen by
    accident. 
    
    The rule is very simple: if you don't want people to read your files,
    then don't invite them by making them readable. It is not snooping; it
    is window shopping and is perfectly reasonable behavior. If you didn't
    want it to happen, then you wouldn't have gone out of your way to make
    the files readable. 
    
    ps: I see no reason for the vote to have any correlation with technical
    sophistication. If VMS is doing its job, then those not "in the know"
    should be able to rely on it and the system managers who are supposedly
    "in the know". If this is not true, then we should fix VMS or whatever
    OS we are selling. There is simply no reason to complicate the issue
    with ethical considerations when the underlying technology has built-in
    solutions. 

    twe

593.75. "It still is NOT a technology issue" by STAR::ROBERT Thu Aug 25 1988 02:41 (66 lines)
re: .74

>    Greg, I think we are going to have to agree to disagree.

Yes, and this is rather a strong agreement, wouldn't you say?  :-)))

>    I don't believe it is necessary to establish an ethical system for
>    dealing with the problem.

But you have established one, no?  You've said, "it is ethical to read
whatever you can get your hands upon".  True, that statement is a bit
slanted, for which I apologise, but I just don't want to let you duck it.

>    For example, whatever ethical system you
>    establish will vary from user to user, system to system, OS to OS, and
>    whatever else I may not even know about.

Now I'm a tad confused.  I thought that was the essence of my rebuttal.
It is inappropriate to base the system on technology.  Instead let's
base it on common sense.  Have I miscommunicated here?  Or have I
misunderstood you?

>    But all of the systems I know
>    about have some form of file protection. Let's use it. The rules then
>    do not vary from system to system but are invariant across systems: if
>    the file is readable, then you are allowed to read it.

No.  Then the rules precisely DO vary from system to system.  Hmmm, we
are dangerously close to a semantic debate aren't we?  Why can't we have
a philosophy that DOESN'T vary across systems?  It is simply: "don't read
something that you weren't invited to and is owned by me?"  Is that hard
to understand?  Is it better to say, "you have no real responsibility to
figure this out?  Just trust the OS?"  I suppose it is, but I don't care
for it.  Why vest in technology?  Why not vest in people?

Although I've read, understood, and considered EDP's arguments, I'm
unconvinced.  I continue the analogy.  May I simply try for "unlocked"
desk drawers?  Please explain why you feel so sure it is different?

(EDP, I heard your rationale around "defaults", but remain unconvinced.
Even if a drawer "automatically" locks, but I am so stupid as to leave
it ajar, that is NOT an excuse to snoop.).

>    Relying on the system manager to establish a reasonable set of defaults
>    removes the issue of user non-sophistication.

Must we bring in a third party?  Can't you and I, just for example, work
this out?   (Besides, it doesn't remove the issue at all; incompetent,
or inexperienced system managers remain.  Let's not throw every new hire
to these whims --- let's give them a supportive and ethical environment
instead.)

>    It has the distinct advantage that somebody can find out what the
>    rules are by trying.

Privacy by experiment and probe?  No thank you.

I didn't answer the rest.  Feel free to rebut.  Following that, or even
without it, I think a phone call is in order, and that is my "action item",
('Cause I'm taking a few days off).

Regards, Greg

ps: I hope everyone recognizes my comments as "non-flaming".  Though
    I do feel _very_ strongly on this point, I also find it one of the
    best discussions in DIGITAL.NOTE to date.

593.76. "technology: problem and solution" by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Thu Aug 25 1988 03:34 (21 lines)
    Greg, I feel that you have reworded my statements and opinions in a way
    that I no longer recognize them. I'm sure you didn't do this with
    malice aforethought, and I make some allowance for hyperbole, but the
    result is I can't figure out how to respond. If you and I are going to
    continue, it will have to be off-line.
    
    The "problem" discussed in this topic has been brought on by
    technology. It is a technology issue. And that same technology comes
    with its own solution. Let's use it and make the rule, "Read whatever
    you can." That's exactly the same rule for everybody, it follows
    naturally from the technology, it's simple and easily understood by
    everybody, and it doesn't require teaching newcomers anything. 
    
    Is anybody hurt by that rule? No! Certainly not the technical
    cognoscenti. And not the technically naive either; they have the OS and
    the system managers seeing that the file-protection defaults are set
    properly. 
    
    So who is adversely affected? Show me a class of people who are
    adversely affected, and I'll consider changing my opinion. 

593.77. by QUARK::LIONEL (In Search of the Lost Code) Thu Aug 25 1988 03:49 (31 lines)
    I got an idea, folks.  Let's everyone submit a batch job that
    tries looking for interesting files on EAGLE1.  If we get enough
    of them going, Tom won't be able to get a network link through to
    complain here... :-)
    
    As I see it, the problem with an ethic that encourages unrestricted
    browsing is that browsing is, by nature, inefficient.  It uses a
    lot of resources for very little gain.  If our network and systems
    had infinite capacity, this argument might not be compelling, but
    looking at the FAL activity from the Easynet to the TLE cluster
    (largely for legitimate kit access, true), I can easily see certain
    "interesting" nodes being inundated with browsers.  I maintain
    that the only thing that keeps our network with its head above water
    is that, by and large, our users DON'T squander resources on
    such entertainment.
    
    In the past, I have detected at least a half-dozen attempts to look
    for certain files on EVERY DEFINED NODE.  Seeing that we now have
    30,000 nodes, that's a lot of network use.  
    
    I think I must take exception to the earlier comment that suggested
    non-technical people argue in favor of ethics...  I'm as technical
    as anyone, and I have secured my system quite well, in that it has
    withstood multiple attacks by the Chaos Computer Club as well as
    other, less sophisticated attacks.  As I said earlier, I've protected
    all I want protected.
    
    So for me it's not a question of whether or not someone can get
    at a file I don't want them to.  It's a question of manners.
    
    					Steve

593.78. by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Thu Aug 25 1988 04:08 (10 lines)
    Steve, I agree with your comments on wasting computes and network
    bandwidth. And I agree that wasting them when other people are trying
    to get work done is bad manners. (Actually, it's worse than that
    because it lowers Digital's productivity.) It's the same as using
    employee-interest NOTES conferences, such as this, during peak load
    times.
    
    But doing hand searches at 2am? I doubt that that impinges
    productivity significantly. It still leaves the privacy issue,
    though.

593.79. "Or would you rather establish morality cops?" by SERPNT::SONTAKKE (Vikas Sontakke) Thu Aug 25 1988 12:56 (27 lines)
    An interesting thing about our ethical, moral or religious behavior is
    that you can examine only your _own_ behavior in the framework of your
    _own_ ethical, moral or religious standards.  Any time, you try to
    extend your standards to others, you are overstepping their bounds.
    Once you understand that you _can not_ (and I hope you will never be
    able to) make others abide by your ethical, moral or religious
    standards, the sooner you will be able to resolve this type of
    conflicts whether the conflict is about the privacy about your files or
    your views about adultery or abortion.  (Don't you dare to start a note
    about adultery or abortion here :-) 
    
    So, even if I were to agree with the ethical standards proclaimed by
    Greg Roberts regarding what files are readable,  I understand that I
    have to limit my expectations of other people's behavior which will be
    consistent with the stance taken by Tom Eggers. 
    
    Given that we need laws and regulations which will encompass moral
    or ethical standard and above all will be technically enforceable.
    Under that condition, VMS file protection seems to be the only _real_
    rule of the game.
    
    Once again, use your ethical, moral or religious standards to judge
    your _own_ behavior.  When you want to be judgmental about others,
    use well defined, enforceable laws, rules and regulations.  That's
    what they are there for.
    
- Vikas

593.80. "Willco" by STAR::ROBERT Thu Aug 25 1988 13:56 (14 lines)
re: .76

... am replying without reading the further replies.

Yes, no malice meant and I will give you a call.

I think that in my re-wording is the crux ... we see this issue
very differently and so our exchange may be "out of phase".  Time
for verbal, if not face-to-face.

I do suspect I'm articulating the feelings of many, though I'm
certainly prepared to learn that reality is otherwise.

- greg

593.81. "Let's not rathole on a word" by STAR::ROBERT Thu Aug 25 1988 14:04 (13 lines)
re: .79

I do not wish to create a philosophical debate over ethics, per se, etc.

I believe I work for a company that considers such things, and further
find the P & P to contain many explicit statements in support of that.

If there is a different word than "ethics" that we can use here, feel
free to provide it.  I do know that I object to "technology" as a
substitute.

- greg

593.82. by VMSNET::WOODBURY (Atlanta Networks/VMS Support) Thu Aug 25 1988 14:58 (126 lines)
Re .76:

>    The "problem" discussed in this topic has been brought on by
>    technology. It is a technology issue. And that same technology comes
>    with its own solution. Let's use it and make the rule, "Read whatever
>    you can." That's exactly the same rule for everybody, it follows
>    naturally from the technology, it's simple and easily understood by
>    everybody, and it doesn't require teaching newcomers anything. 

   1)	The issue is more than a technical issue.  It is part of a much larger
	issue surrounding privacy.  This particular aspect has been influenced
	by technical development, but is not uniquely defined by the technology.

   2)	The technology does not come with a solution.  It comes with a multitude
	of problems under the general headings of "ignorance", "education",
	"empowerment" and "abuse of power".  The solution to these problems is
	NOT technical.
    
>    Is anybody hurt by that rule? No! Certainly not the technical
>    cognoscenti. And not the technically naive either; they have the OS and
>    the system managers seeing that the file-protection defaults are set
>    properly. 

	YES, there ARE people hurt by the rule as you define it.  They are the
        ignorant and uneducated served by the incompetent or unethical.  You may
        say that these people deserve what they get, but that is only true if
        they have real opportunities to change their situation.  The reality of
        the situation is that often they do not have any real options. 

>    So who is adversely affected? Show me a class of people who are
>    adversely affected, and I'll consider changing my opinion. 

	The class of people impacted are those who have to use the computer to
	perform their work without the luxury of time to learn all the ways
	computers can be screwed up.  In other words, most of the people outside
	of the computer technical elite.

Re .77:

>    As I see it, the problem with an ethic that encourages unrestricted
>    browsing is that browsing is, by nature, inefficient.  It uses a
>    lot of resources for very little gain.  If our network and systems
>    had infinite capacity, this argument might not be compelling, but
>    looking at the FAL activity from the Easynet to the TLE cluster
>    (largely for legitimate kit access, true), I can easily see certain
>    "interesting" nodes being inundated with browsers.  I maintain
>    that the only thing that keeps our network with its head above water
>    is that, by and large, our users DON'T squander resources on
>    such entertainment.

	Even with unlimited network resources, the limits on competent, ethical
	human support make the policy of "if I can get away with it, it must
	be all right" a poor one.
    
>    I think I must take exception to the earlier comment that suggested
>    non-technical people argue in favor of ethics...  I'm as technical
>    as anyone, and I have secured my system quite well, in that it has
>    withstood multiple attacks by the Chaos Computer Club as well as
>    other, less sophisticated attacks.  As I said earlier, I've protected
>    all I want protected.

	If we take Tom's position to its extreme logical conclusion, the CCC is
	not doing anything wrong.  After all, if there are no ethical limits,
	only technical limits, the fact that the CCC can get into a computer
	system gives them the right to be there.  If you bring in the legal
	question, you have to bring in the internal equivalent, DEC policy.
	One of the main tenets of that policy is "Do what is right", an
	invocation of ethics if there ever was one.
    
Re .79:

>    Interesting things about our ethical, moral or religious behavior is
>    that you can examine only your _own_ behavior in the framework of your
>    _own_ ethical, moral or religious standards.  Any time, you try to
>    extend your standards to others, you are overstepping their bounds.
>    Once you understand that you _can not_ (and I hope you will never be
>    able to) make others abide by your ethical, moral or religious
>    standards, the sooner you will be able to resolve this type of
>    conflicts whether the conflict is about the privacy about your files or
>    your views about adultery or abortion.  (Don't you dare to start a note
>    about adultery or abortion here :-) 

	Sorry, no way.  Ethics, morals and religious standards are not ONLY
	personal.  The fact that they are STANDARDS implies some form of group
	to agree to the standard.  This conflict is over different groups'
	consensus on what the standard is.  (If it were only one individual
	against the group consensus, that person would either conform or be
	thrown out of the group.  If it were only a conflict between individuals,
	the discussion would have been taken off-line a long time ago.)
    
>    So, even if I were to agree with the ethical standards proclaimed by
>    Greg Roberts regarding what files are readable,  I understand that I
>    have to limit my expectations of other people's behavior which will be
>    consistent with the stance taken by Tom Eggers. 

	No, you do not.  In fact, if the ethical standard were universally
        adopted within DEC, you would add an expectation that anyone caught
        misbehaving would be punished for their misbehavior.  You might even
        find that YOU were expected to help teach people not to misbehave. 
    
>    Given that we need laws and regulations which will encompass moral
>    or ethical standard and above all will be technically enforceable.
>    Under that condition, VMS file protection seems to be the only _real_
>    rule of the game.

	Technical enforcement implies too much of a commitment to having
	competent and ethical support personnel available to be practical.  There
	is also the problem with the limits inherent in technical solutions -
	they do not always behave as intended.  (See the RISKS forums on
	USENET.)
    
>    Once again, use your ethical, moral or religious standards to judge
>    your _own_ behavior.  When you want to be judgmental about others,
>    use well defined, enforceable laws, rules and regulations.  That's
>    what they are there for.

	The main issue is enforcement.  The rules and standards are reasonably
	well defined and are not as individualistic as you imply.  

	The OS provides some automatic and absolute enforcement.  What is needed
        is additional levels of enforcement to supplement and back up this low
        level enforcement.  In some organizations strong backup enforcement was
        provided.  In others, no backup has been provided, undermining the whole
        system.  Unfortunately, upper level management is going to have to get
        involved before this is settled.  It is really a waste of their time,
	but the problem seems to have gotten badly out of hand.
593.83. by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Thu Aug 25 1988 15:46 (4 lines)
    The .82 note does make a significant point: people who have
    "incompetent or unethical" system managers are not protected. I did
    assume in .76 that the available technical solutions are competently
    used by at least the system managers.
593.84. by NOVA::M_DAVIS (Old-fashioned Grin Mill) Thu Aug 25 1988 16:18 (12 lines)
    I wonder if someone took an informal poll among, say, 20 secretaries,
    20 marketers, and 20 engineers at DEC and asked, "Do you think that
    anyone other than yourself is able to read the files you have created
    on your VAX?" what it would show.  I suspect that there would be
    a significant skewing upward from "no one" or "no one except myself
    and my system manager" to "anyone on the net for my W:R" files.
    
    It concerns me that, even if VMS defaults are used, the "average
    user" assumes a password protects their documents.  Passwords give
    a false sense of security to many folks.
    
    Marge
593.85. "The only thing common among _all_ of us are laws and regulations" by SERPNT::SONTAKKE (Vikas Sontakke) Thu Aug 25 1988 17:03 (14 lines)
    Sorry, but if you even _hinted_ that you want to judge my behaviour
    by _your_ religious standard, I would be extremely upset.
    
    I still stand by my assertion that ethical, moral and religious
    standards are personal and I am going to make every effort that
    they remain that way.
    
    I will not be judged by anyone else's ethical, moral or religious
    standards but I will obey all the laws and regulations.  

    In this particular instance, I believe existing OS laws and regulations
    are sufficient and do not warrant imposing more rules.
    
    - Vikas
593.86. by VMSNET::WOODBURY (Atlanta Networks/VMS Support) Thu Aug 25 1988 17:46 (26 lines)
Re .85:

	Please get your terminology straight.  Ethical, moral and religious
VALUES are personal.  Ethical, moral and religious STANDARDS are applied by
groups.  You may not like that, but that is the way of the world.

	Also, we all make judgments.  Expressing those judgments is another 
matter.  So, yes, I judge you by my values, but I will keep my opinion to 
myself unless there are very good reasons to express those opinions.  If you
are upset, there is nothing I can do about it.

	Laws and regulations DO NOT apply to ALL of us.  That is part of the
problem.  The laws and regulations in Massachusetts are different from those in
New Hampshire, and those are still different from the laws and regulations here
in Georgia.

	You will be judged by the standards of the groups you belong to.  On
religious standards, that should be your co-religionists (if any).  On moral 
standards, you will be judged by your local community.  On ethical grounds, you
will be judged by those you work with.

	There are serious problems with making the technology the basis of what
is acceptable.  You may bury your head in the sand and ignore the problems if
you like, but do not cry to me when one of those problems comes along and 
tramples you into the ground.  I have a hard enough job helping the people who
are trying to live in this world. 
593.87. by STAR::ROBERT Thu Aug 25 1988 22:11 (15 lines)
re: .85

Vikas,

This discussion has nothing whatsoever to do with religion.  Could
we please stay a little nearer the point?

We aren't discussing arbitrary judgements, values, and their kin.
We are discussing simple work-behavior.  Rather like saying, "it's
wrong to steal from the coffee fund you know".

Snooping is wrong, and browsing is ok.  The debate is simply over
whether the behavior at hand is the former or the latter.

- greg
593.88. by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Fri Aug 26 1988 00:09 (1 line)
    Hey, Greg, we agree! Snooping is bad, and browsing is OK.
593.89. by KAOFS::READ (Bob Read, Kanata) Fri Aug 26 1988 12:16 (14 lines)
    re: .78
    
    I couldn't let this get by .. your 2 a.m. is someone else's 10 a.m.,
    given the size of the network.  And your off-hours period may be
    someone else's prime time.  We've got a bunch of overnight batch
    stuff that _has_ _to_ _run_, doing network copies, and updates,
    in order to prepare a production database for the next day's run.
    2 a.m. is prime-time for that!
    
    Certainly, off-loading network access is goodness, but don't assume
    that the rest of the world sleeps when you do!
    
    thanks,
    b.
593.90. by VMSNET::WOODBURY (Atlanta Networks/VMS Support) Fri Aug 26 1988 14:21 (5 lines)
Re .88:

	Yes, and 'browsing' in someone's private directories, unless invited 
	explicitly or by some public notice, is snooping, no matter what the 
	file protections are.
593.91. "ability does NOT equal RIGHT!" by POBOX::BRISCOE Fri Aug 26 1988 15:18 (57 lines)
    FLAME ON!
    WHOA! guys and gals - A good subject has gotten a little off track.
    
    We started out asking about "privacy"
    
    "privacy" is NOT only an "ethical" or "technological" concern -
    it is very fundamentally a "LEGAL" concern!
    
    re: 593.49 - "its legal"
    re: 593.86 - "laws vs ethics"
    
    DIGITAL POLICY:
    
    - all materials, knowledge and product produced by its employees
    on behalf of the corporation are CORPORATE ASSETS owned and controlled
    by the corporate.  In other words they are NOT ours to decide how
    to use/control.
    
    - All materials, knowledge and product will be provided to employees
    on a NEED TO KNOW basis.  In other words DIGITAL policy decides
    who can access what corporate resource - not the individuals.
    
    - Digital's network is a private, corporate resource available solely
    for the purpose of conducting corporate business and at the discretion
    of the company.  In other words when, where and how it is used is
    subject to corporate policy.
                                
    Violation of corporate policy is grounds for dismissal!  Yep - it
    is that serious!
    
    If you "wander around" the company looking into things (desks, computer
    rooms, paycheck envelopes, engineering notes, source code, etc)
    you are violating corporate policy - ie. industrial espionage!
    
    FLAME OFF!
    
    Ok - now let's look at this:
    
    Policy - governs what we have the "right" to do.
    
    Practice - tells us what we can "get away" with doing.
    
    VMS security - governs what we have the "ability" to do.
    
    Many years ago (before VAXen and VMS) we had a case where a digital
    employee was corrupting directories on network nodes throughout
    the US.  It took Mayer Lipman MONTHS to track this guy down and
    isolate the problem, it cost the company mega-bucks to fix the damage.
    The point is, the guy had the ability, he (or she) had practice
    working for him/her - since everyone else was wandering around the
    network, but he/she sure didn't have POLICY to do what he/she did.
    
    I approve and applaud the proactive attitude I see of using the
    network to answer questions quickly and to develop our knowledge
    base.  Just be cautious on how it's done.
    
    
593.92. by VMSNET::WOODBURY (Atlanta Networks/VMS Support) Fri Aug 26 1988 20:45 (54 lines)
593.93. "This MAY sound like a dodge, but..." by MERIDN::BAY (You lead people, you manage things) Wed Aug 31 1988 01:03 (40 lines)
    re: Browsing is okay, snooping is not
    
    But the only difference between the two is intent.  Now if VMS
    supported protection from those with ill-will toward your person... :-)

    re: .92
    
    Exactly right!  Again, everything is a matter of interpretation,
    or subject to specific circumstances.  It's based on "need", which
    can change under different conditions.
    
    For example, at 2:00AM I discover my version of Rdb is insufficient
    for what I have to do.  I have a presentation at 9:00AM and I NEED
    THAT SOFTWARE.  It's not available on the net, but I "browsed" a
    few accounts and found that someone left a copy of the saveset on
    disk somewhere.  
    
    I could even make this more complicated by saying I have privs,
    and that I used them to slice right through the protection scheme
    to satisfy my "need".
    
    This simple example could be subject of debate for weeks, but that's
    not the point.  It's up to the owner of the account, my manager,
    the system manager and me to decide if I did something wrong.
    
    It's unlikely that any ethic will successfully resolve most such issues.
    That's what legal systems are for, interpreting the law (in this case,
    the "laws": "Do what's right" and "Need to know").  In this instance the
    legal system is the hierarchy of DEC management. 
    
    And odds are good that if you believed that what you were doing was in
    the best interests of the company and it was to do your job, there
    won't be a problem.  If it was for recreation, then it might be
    a problem.
    
    It's all in the intent (and how well you convince your accusers of
    your intent).

    Jim
    
593.94. "More ratholes to ignore" by HJUXB::HASLOCK (Nigel Haslock @ Manalapan,NJ) Wed Aug 31 1988 21:32 (44 lines)
    I interpret the meaning of the term ethics to refer to the code
    by which an individual judges his or her own actions. Such a code
    is not subject to legislation. I interpret 'morals' as the common
    subset of the ethics of the members of a group. Laws are morals
    that are so marginal that they need to have a defined penalty for
    a detected breach.
    
    It follows that you can tell me that something is ethically wrong
    and you might persuade me to change my morals but not my ethics.
    
    Use of either term in this reply should be treated accordingly.
    
    My upbringing taught me that it is immoral to deny somebody something
    that is theirs, but that invisible use of their property was ok.
    It doesn't hurt a file to read it, but it may hurt the network to
    try to identify every readable file on every node.
    
    Thus I maintain the views that browsing is ok, using special
    privileges to go browsing is immoral and that blanket searches
    through significant portions of the network should be made illegal.
    Users should be able to be confident that the VMS security mechanisms
    are adequate. System managers should be responsible for ensuring
    that the security mechanisms are adequate and their managers should
    be answerable for their competency.
    
    The discussion of other operating systems is irrelevant as such
    files are not accessible through the net.
    
    To continue with the analogy to desks or houses, you are responsible
    for the security of your own desk and home. If you choose, by accident
    or design, not to use the locks on the day a prowler comes through,
    then you will be expected to accept some of the liability. On the
    other hand, the police recognize that all a lock buys you is a little
    time. A determined thief will steal your possessions regardless
    of all the locks you use.
    
    Computer files are no different. Given the diversity and number
    of users of this network, expecting morals to keep your unlocked
    files private is hopelessly optimistic. I will, however, aid attempts
    to track down people who can bypass the security mechanisms.
    
    As a related point, I appreciate the odd note of thanks from people
    who have found my public files useful.
    
593.95. "Nit from 36-bit land" by VINO::WEINER (Sam) Thu Sep 01 1988 00:36 (4 lines)
    re .94
    Minor nit: not all systems on the Easynet are VMS or even run on
    VAX hardware.
    
593.96. by REGENT::POWERS Thu Sep 01 1988 13:18 (51 lines)
>< Note 593.94 by HJUXB::HASLOCK "Nigel Haslock @ Manalapan,NJ" >

>    I interpret the meaning of the term ethics to refer to the code
>    by which an individual judges his or her own actions. Such a code
>    is not subject to legislation. I interpret 'morals' as the common
>    subset of the ethics of the members of a group. Laws are morals
>    that are so marginal that they need to have a defined penalty for
>    a detected breach.

Define them this way if you like, but I don't believe common usage
recognizes that distinction between those terms.  "Ethics" is the study
of "morals."

>    My upbringing taught me that it is immoral to deny somebody something
>    that is theirs, but that invisible use of their property was ok.
>    It doesn't hurt a file to read it, but it may hurt the network to
>    try to identify every readable file on every node.

There is NO "invisible use" of someone's property!  You have reiterated
the old justification for stealing software, descrambling cable TV,
and peeking over the walls at a drive-in theatre!
Even if you limit your definition of "invisible" to non-destructive
and take on yourself the burden of copying, you are at least depriving
the owner of opportunity cost.
Granted, if we accept that the Company owns it all anyway, then shared
use for Company purposes may be arguably justified, but there are other
aspects that argue against allowable usurpation.
Among these are loss of control of particular versions of code or an interim
document by the author.

This is a bit off the track of whether W:RE is implicit permission to copy.
I make all my directories W:E, limiting access to shareable files 
to those who know the complete path.
I consider W:RE files a convenience to those who KNOW they have a right
to copy them.  I don't have to fence in my back yard against itinerant
picnickers, because I can trust most of them to know that my yard
is not free to their use.  This gives me, my family, and invited guests
free passage as needed.  If the times and circumstance change, THEN I can
fence the yard to protect it, while accepting the problems to me and mine
of having to walk around to a gate.  The same is the case with W:RE.

On a side note:   Protection classifications S, O, G, W predate 
common use of networks.  "World" used to be limited to the rest
of the users of a single computer not in one's own group.
Thus, in that respect, SOGW is obsolete.
Can we expect a new protection scheme with domains that adds
classifications to distinguish among same-cluster residents, same-domain
residents, same-WAN residents, or such?  That would clarify the debate
to some degree.

- tom powers
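
The interplay described in note .96 between a directory's World access (W:E versus W:RE) and a file's own World access can be modelled as follows. This is an added example, not part of the original notes and not VMS code; the directory names, file names and masks are constructed, and the model assumes a single directory level and lookup through the directory only.

```python
"""Simplified model of VMS S/O/G/W protection for World (network) access.

Added illustration; the sample tree below is constructed, not taken from any system.
"""

CLASSES = ("S", "O", "G", "W")  # System, Owner, Group, World


def parse_mask(mask):
    """Parse "(S:RWED,O:RWED,G:RE,W:E)" into {class: set of access letters}.

    A class that is absent, or listed without letters ("W" or "W:"),
    has no access. Full class names (WORLD:RE) are accepted.
    """
    rights = {c: set() for c in CLASSES}
    for field in mask.strip().strip("()").split(","):
        field = field.strip().upper()
        if not field:
            continue
        cls, _, letters = field.partition(":")
        key = cls[:1]
        if key not in rights or not set(letters) <= set("RWED"):
            raise ValueError("bad protection field: %r" % field)
        rights[key] = set(letters)
    return rights


def world_exposure(dir_mask, file_mask):
    """Classify how a World user can reach a file.

    browsable  - directory is W:R, so the file shows up in a wildcard
                 listing and the file itself is W:R
    known-path - directory is W:E only, so the file can be opened only
                 by someone who already knows its full name
    private    - the file or the directory denies World access
    """
    d = parse_mask(dir_mask)["W"]
    f = parse_mask(file_mask)["W"]
    if "R" not in f:
        return "private"
    if "R" in d:
        return "browsable"
    if "E" in d:
        return "known-path"
    return "private"


def audit(tree):
    """Group every file in the tree by its World exposure."""
    report = {"browsable": [], "known-path": [], "private": []}
    for directory, (dir_mask, files) in sorted(tree.items()):
        for name, file_mask in sorted(files.items()):
            report[world_exposure(dir_mask, file_mask)].append(directory + name)
    return report


# Constructed sample: directory -> (directory mask, {file name: file mask})
SAMPLE = {
    # The .96 arrangement: W:E directory, deliberately shared W:RE file.
    "[ALICE.TOOLS]": ("(S:RWE,O:RWE,G:RE,W:E)",
                      {"CLEANUP.COM": "(S:RWED,O:RWED,G:RE,W:RE)",
                       "NOTES.TXT": "(S:RWED,O:RWED,G,W)"}),
    # A W:RE directory holding one file left W:R by accident.
    "[BOB.DRAFTS]": ("(S:RWE,O:RWE,G:RE,W:RE)",
                     {"REVIEW.TXT": "(S:RWED,O:RWED,G:R,W:R)",
                      "PLAN.TXT": "(S:RWED,O:RWED,G,W)"}),
    # A closed directory: the W:R file inside is not reachable by lookup.
    "[CAROL.PRIVATE]": ("(S:RWE,O:RWE,G,W)",
                        {"MAIL.TXT": "(S:RWED,O:RWED,G:RE,W:R)"}),
}

if __name__ == "__main__":
    for level, paths in audit(SAMPLE).items():
        print(level)
        for path in paths:
            print("   ", path)
```

The "browsable" group is what a casual browser would find; the "known-path" group is the convenience arrangement .96 describes.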
593.97. "The only way to keep a secret is to not share it" by DR::BLINN (General Eclectic) Thu Sep 01 1988 16:34 (23 lines)
        Tom, I take exception to your assertion in .94 that there is
        something wrong with observing something that is broadcast. 
        
        In particular, I question whether there is anything immoral about
        "peeking over the walls at a drive-in theatre".  If the walls are
        low enough to allow you to see over them without the use of a
        ladder, then the theater owner has chosen to broadcast the visual
        part of the program.  If, in addition, the audio portion can be
        heard, then you have a right to listen, as well.  You're not
        stealing any "opportunity cost" -- it has been given away. 
        
        Even if a law were passed saying that people should not look at
        what's on the screen, it would be an essentially unenforceable law. 
        
        For example, the laws against receiving cellular phone broadcasts
        are ludicrous at best.  They are fundamentally unenforceable, as it
        is trivially easy to carry out "invisible" reception of most radio
        broadcasts.  What would be good law, of course, would be to forbid
        using information obtained through eavesdropping on cellular phone
        conversations.  But we already have laws against wire-tapping that
        address the "use of the information" issue. 

        Tom 
593.98. "browsing is has real people costs!" by HUMAN::CONKLIN (Peter Conklin) Fri Sep 02 1988 04:02 (17 lines)
    re .78:
    
    "But doing hand searches at 2am? I doubt that that impinges
     productivity significantly. "
    
    There is a cost of browsing attempts on my system. Since I run
    SECURPACK, per corporate policy, and examine all access violations,
    people attempting to browse consume my time. Every couple of days, I
    get an access violation report from someone trying to look at the MFD,
    or doing a $DIR HUMAN::NOTES$LIBRARY: or some such. These are all
    banned by the protections, so these attempts fail. However, I get a
    report of the access violation. This interferes with the time I have
    available to do electronic mail each day.
    
    P.S.--whoever out there has NOTES do an UPDATE on
    HUMAN::NOTES$ARCHIVE: every night, please stop. I'm tired of the
    security reports from accesses to this read-only directory!
593.99. by REGENT::POWERS Fri Sep 02 1988 12:51 (18 lines)
>< Note 593.97 by DR::BLINN "General Eclectic" >

>        Tom, I take exception to your assertion in .94 that there is
>        something wrong with observing something that is broadcast. 
Interception of "broadcast" material is a fine point.  My meaning was 
to indicate that there are other instances where apparently "invisible"
use of information is actually exploitative and perhaps immoral.
If I have to put up a ladder to see the drive-in screen, is that the same
as just strolling by and watching?  What if trespass is required vs.
sitting on my own roof?  

And yes, there are some stupid laws about the airwaves, and perhaps my
analogy there was weak.  My basic position is that just because it causes
no direct costs to the owner for another to share his intellectual
property doesn't give the other a right to use it.
Ability to read does not imply permission to read.

- tom
593.100. "There are some relevant policies on this" by DR::BLINN (He's not a *real* Doctor..) Fri Sep 02 1988 14:30 (89 lines)
        I think we are probably in agreement at the core of things,
        as I would agree that if you are using a ladder to look over
        the wall the owner erected, then you're actively engaged in
        activity that you yourself probably realize is snooping, and
        that you probably shouldn't be doing.  On the other hand, if
        you are sitting on your balcony, and happen to be able to see
        and hear the drive-in movies, it's at best a minor repayment
        for the inconvenience you suffer by having them disturb your
        peaceful enjoyment of your home.
        
        Alas, it really does, in the final analysis, boil down to the
        intent of the person receiving the information.  If you leave it
        out where I can see it, and I happen to see it, but I don't do
        anything else with it, and you never know, then no harm is done. 
        If I come snooping around, on the other hand, then I may (and
        probably will) violate your reasonable expectations of privacy.
        
        I believe that rummaging through the disk structures on a computer
        isn't remarkably different from rummaging through someone's desk
        or file cabinets.  There may be occasions where this is warranted
        -- for instance, a manager who has reason to suspect there's
        something amiss, or corporate security, may be justified in doing
        this.  The average system manager would have a MUCH harder time
        justifying this, and J. Random NetHacker has *NO* justification.
        [These are my opinions.  Your opinions may vary.] 
        
        However, I also believe that it is the responsibility of anyone
        who minds idle snooping to take reasonable precautions to prevent
        it.  In fact, there is an EASYNET management policy which states
        that every VMS system connected to the EASYNET should be running
        SECUREPAK, and should be secured so that casual browsers won't
        find anything of interest.  [You don't have to like this policy,
        but it is a policy set by people responsible for the security of
        the EASYNET and the corporate resources using it.]  Among the
        reports generated by SECUREPAK is a list of world-readable files.
        I suspect that many system managers either suppress this report,
        or don't bother to run it for other than the system disks, or
        simply discard it.  It can be helpful in securing a system against
        snoopers. 
        
        There are three DIS policies that are particularly relevant to
        this topic, in my opinion.  They are policy #3.10, "Electronic
        Information Protection", #3.11, "Electronic Information Access",
        and #6.11, "Connection to EASYNET".  (You can find these in
        the DIS infobase in the corporate videotex library.)
        
        Policy 3.11 says this about access to electronic information:
        
OBJECTIVE:

The company is dependent on its information systems to conduct normal business
activities.  Electronic Information is an asset whose value is only realized
through use.  Inadequate access restricts its value and impedes staff from
making valid decisions.  Addressing the need for adequate and free access is
the objective of this policy.

SCOPE:

Worldwide.

POLICY:

Access by Digital employees on a need-to-know basis to Electronic Information
shall not be restricted, except for specific categories of information that
shall be classified as restricted and available only to certain employees.

RESPONSIBILITIES:

All employees must take the responsibility for protecting the data to which
they have access.  They also have the responsibility for not accessing data
and files that are restricted and for which they do not have permission to
access.  Such access may be subject to terms of Corporate Personnel policy
governing employee conduct.

Information managers should provide access to data that is unrestricted
while monitoring actual access.  Access to restricted data is to be monitored
and controlled in accordance with the policy on Electronic Information
Protection (Policy 3.10).

        Note in particular the first paragraph under "RESPONSIBILITIES".
        Anyone snooping around in directories on some system to which they
        have not been given explicit access permission had better be able
        to explain why they need to know the information.  Depending on
        your manager, idle curiosity may or may not be viewed as a valid
        reason.  If your manager doesn't know what you're up to and gets a
        call from corporate security, you could find yourself very far up
        the proverbial creek, in a leaky canoe, without a paddle. 

        Tom
593.101. by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Fri Sep 02 1988 21:08 (18 lines)
    Re .100: 
    
>>	RESPONSIBILITIES:
>>	All employees must take the responsibility for protecting the data
>>	to which they have access.  They also have the responsibility for
>>	not accessing data and files that are restricted and for which they
>>	do not have permission to access.  Such access may be subject to
>>	terms of Corporate Personnel policy governing employee conduct.


    The paragraph doesn't say anything about "snooping" anywhere in it that
    I can find. To me, it says not to access data and files with some VMS
    protection, for example world=non-read. If the file has world=read as a
    protection, then I have been given permission to access in complete
    accord with the wording and intent of the paragraph! Trying to
    circumvent VMS protections would subject me to the employee conduct
    policies.
593.102. "Don't Browse In My Directory" by SEAPEN::PHIPPS (Mike @DTN 225-4959) Fri Sep 02 1988 22:08 (26 lines)
> All employees must take the responsibility for protecting the data
> to which they have access.  They also have the responsibility for
> not accessing data and files that are restricted and for which they
> do not have permission to access.  Such access may be subject to
> terms of Corporate Personnel policy governing employee conduct.

        If I have inadvertently left a file at W:R state, do not
        think that that implies I have given my permission to read it.

        I repeat, you may not read any file in a directory under my
        name ([PHIPPS...]) without my express permission.

        I believe the paragraph above agrees with that, "...have the
        responsibility for not accessing data and files that are
        restricted [breaking and entering] and for which they do not
        have permission to access [mine]." I don't see VMS mentioned
        and I don't consider the way the software works to be corporate
        policy.

        I would no more read files under someone else's directory name
        than I would pick up their mail printouts at the printer room
        and read them. But I know people that do.

        (I wonder if I have to make this announcement in all of the
        ~1204 announced VAX Notes Conferences. Not that it would do any
        good.)
593.103. "Someone get a shovel, its gettin' pretty deep..." by WAV12::HICKS (Fan mail from some flounder?) Fri Sep 02 1988 22:33 (31 lines)
    RE: .101
    
    Give me a break.  You're joking, right?  You mean to tell us that
    you read the words "granted permission" and interpret it as meaning 
    "didn't explicitly change the file protection to deny others access"?
    I can just see the car thief standing before the judge pleading
    innocence because the car owner forgot to lock the doors.
    
    Someone protested earlier that the whole issue of ethics and religious
    convictions doesn't belong here.  I happen to be on a captive ALL-IN-1
    system so my interest in this issue is rather low (I don't have any
    control over how protection is set for my files).  But I think
    that this discussion is a good example of the idiotic mindset that
    thinks "we should never judge another person's morals, ethics, personal
    practices, etc, because there are no moral absolutes."  What such
    thinking seeks to avoid is the appearance of moral judgement.  The
    fact of the matter is that this "No morality ethic" is itself an
    ethical rule, ie. we ought to be shocked and angered when someone
    is so rude as to impose upon or judge someone else by their own
    ethical standard.
    
    Sorry folks, but I've got to break this "standard".  ANYONE WHO
    "BROWSES", "SNOOPS", "TRESPASSES" OR OTHERWISE POKES-AROUND IN THE
    FILES OF ANOTHER OUGHT TO HAVE THEIR FINGERS CUT OFF!!!
    
    The exceptions have been noted.  Why don't you "browsers" take a
    good look at yourselves in the mirror and consider that just maybe
    you've done something wrong (albeit sometimes harmless)?  Anyone
    who reads that last reply has got to see a lot of thin-stretched
    rationalization, covering a guilty conscience! 
                              
593.104. by WAV12::HICKS (Fan mail from some flounder?) Fri Sep 02 1988 22:45, 6 lines
    OOOPS!!!
    By "last reply" I meant .101.  
    
    In the spirit of .102, may I hereby announce that no-one has my
    permission to "browse" through my files.  If you need something,
    ask and I'll mail you a copy.
593.105. "let the VMS rules apply" by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Sat Sep 03 1988 05:00, 103 lines
    The last couple of notes have made disparaging comments against my .101
    reply. 

    1. I am not joking; my intentions are serious. I am not merely playing
    devil's advocate. 
    
    2. I personally do not browse, window shop, snoop, or anything else in
    any system. (I do use other systems NOTES conferences, such as this
    one.) 
    
    3. As I understand it, VMS defaults make files world=non-read unless
    somebody (system manager, owner) changes them to be something else.
    Therefore, it takes explicit action on the part of somebody (the
    owner) to change a file to world=read. I believe there is a legitimate
    interpretation of that action as giving permission to the world to read
    it.
    
    (Your opinion may vary, and I will not denigrate your opinion; you are
    entitled to it, and I assume you hold it in good faith. Please give
    me the same rights!)
    
    If it becomes the consensus at Digital that one should not browse over
    world=read files, so be it. I have no trouble with that conclusion. I
    don't browse anyway. I do have trouble IF somebody is condemned for
    reading world=read files in the absence of such a policy and in the
    absence of any consensus on the subject. There is no consensus yet.
    
    ================
    
    When I entered the base note for this topic, I had not formed an opinion
    on the subject. I have since formed one, and it is based on the
    following reasoning with which you, of course, are free to totally
    disagree. (Let's try to keep this topic from becoming like
    SOAPBOX!)
    
    1. This subject is a new area. The technology has provided a new means
    for some people to invade what others legitimately regard as private
    space. Almost everybody will agree, for example, that circumventing
    VMS' protections is snooping and a violation of company policy and
    consensus.
    
    2. We need not apply the conventions that most people (including me!)
    understand apply to their homes and office cubicles. We are free to
    decide that those conventions are not appropriate. (We can also decide
    that they are appropriate and should be applied.)
    
    3. Rules and conventions that are aligned with natural supporting
    structures are far easier to explain and enforce than ones which appear
    arbitrary or ill defined. 
    
    4. VMS and the network have brought this privacy problem into
    existence. VMS also provides a workable and well defined solution: its
    file protection mechanisms.
    
    5. We can decide to make our personal-behavior rules align with the VMS
    rules; in other words, let VMS provide both the definition and the
    enforcement of the personal privacy rules. (Again, we can also decide
    to do something else.)
    
    6. Letting the VMS protection rules be the only privacy rules and ethic
    (or morals, or whatever) has the advantages of simplicity, existing
    good definitions, and easy explanations of what is or is not acceptable
    behavior. "If you can read it with standard tools, then it's OK to read
    it." 
    
    7. The fewer sets of rules we have to deal with (assuming our goals are
    met), the better off we are. A small number of simple well-defined
    rules is much easier to teach, enforce, and justify than a large number
    of ill defined complicated rules. 
    
    8. And finally, the VMS rules, if used, are sufficient to ensure
    personal privacy.
    
    
    The conclusion I come to from all this is that we should choose
    to make the VMS rules be the only rules that apply to electronic
    privacy inside Digital.
    
    From previous replies, I do see some minor problems.

    1. (Steve Lionel) Browsing causes an unacceptable amount of network
    traffic. 
    
    2. Many (or most) users are not knowledgeable about VMS protection
    mechanisms. That wouldn't be a problem by itself because the VMS
    defaults are world=non-read, but we have system managers who are
    not knowledgeable, and they can unintentionally create a problem.
    
    3. (Peter Conklin) The existence of attempted and failed accesses is
    the means by which system managers detect invaders. If browsing is
    allowed, it takes much more work by the system managers because
    browsing cannot be easily differentiated from attempted invasion. 
    
    ==========
    
    So I have stated what I prefer the final consensus to be. As I said
    above, opinions will legitimately differ: there can be more than one
    right answer to the electronic privacy problem. But let's at least
    assume that everybody participating in this topic is trying to do the
    right thing and not let the topic degenerate into impugning others'
    motives. I was not happy when that was done to me a few notes back.
    
    twe
593.106. "The way my compiler parses that compound conditional..." by COVERT::COVERT (John R. Covert) Sat Sep 03 1988 14:29, 21 lines
>>	RESPONSIBILITIES:
>>	All employees must take the responsibility for protecting the data
>>	to which they have access.  They also have the responsibility for
>>	not accessing data and files that are restricted and for which they
>>	do not have permission to access.  Such access may be subject to
>>	terms of Corporate Personnel policy governing employee conduct.

This says that employees may not access data and files that
	are restricted
    and for which they do not have permission.

Therefore, employees may access files which are not restricted or files for
which they have permission.  Unless, of course, the policy should have had the
word "files" appear a second time after the word "and".  But it doesn't.

You have the responsibility for protecting data.  If you do not restrict it,
or it should not be restricted, other employees may access it, per the policy
above.  Need-to-know only applies to restricted data.  Other data is open to
all employees.  (Unless things are changing at The New Digital.)

/john
593.107. "Sorry, but VMS defaults to WORLD:RE" by QUARK::LIONEL (In Search of the Lost Code) Sat Sep 03 1988 14:47, 15 lines
    Re: .105 (Tom Eggers)
    
>    3. As I understand it, VMS defaults make files world=non-read unless
>    somebody (system manager, owner) changes them to be something else.
>    Therefore, it takes explicit action on the part of somebody (the
>    owner) to change a file to world=read. I believe there is a legitimate
>    interpretation of that action as giving permission to the world to read
>    it.

    Sadly, the reverse is true.  The VMS default is WORLD:RE.  It takes
    explicit action on the part of the system manager and/or user to
    restrict access.  Since you seem to base the rest of your arguments
    on this, I cannot agree with your conclusions.
    
    				Steve
593.108. "VMS Default is *no* WORLD access" by COVERT::COVERT (John R. Covert) Sat Sep 03 1988 22:25, 15 lines
re .107 (Steve Lionel)

>    Re: .105 (Tom Eggers)
>    3. As I understand it, VMS defaults make files world=non-read unless
>    somebody (system manager, owner) changes them to be something else.

(Steve)
>    Sadly, the reverse is true.  The VMS default is WORLD:RE.

Tom Eggers is right.  Note the contents of the DEFAULT field:

SYSGEN>  SHOW RMS_FILEPROT
Parameter Name             Current   Default   Minimum   Maximum Unit  Dynamic
--------------             -------   -------   -------   ------- ----  -------
RMS_FILEPROT                 64000     64000         0     65535 Prot-mask   
593.109. "responsibility cuts several ways" by CVG::THOMPSON (Basically a Happy Camper) Sun Sep 04 1988 00:48, 17 lines
    Of course, regardless of the default value in VMS, the policy
    says that users have the responsibility to protect their data.
    In other words, if data is world readable and should not be
    then the person responsible for it is in violation of policy.
    
    So should we assume that files W:R are available to the world
    correctly or should the default assumption be that the owner
    is in violation of policy? If the latter, who does one report
    such violations to?
    
    BTW, SECUREPACK provides lists of world readable files. At least
    on our system, the system manager sends us a list of such files
    that we are responsible for and asks us to verify that that is
    the correct protection. I assume (not really) that all responsible
    system managers do the same.
    
    		Alfred
593.110. "what are VMS defaults?" by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Sun Sep 04 1988 05:24, 6 lines
    Steve Lionel, you are correct that it would put a significant dent in
    my argument if it turns out that VMS defaults to world=read. I would
    have to think quite a while, and I might very well change my opinion. 
    
    The last couple of notes have disagreed on the point. Is there some way
    we can get a definitive answer? 
593.111. "File Protection 101" by BMT::COMAROW (For music, there must be silence) Sun Sep 04 1988 06:01, 18 lines
    >    The last couple of notes have disagreed on the point. Is there some way
    >    we can get a definitive answer? 

    Come on-this isn't complicated. Someone already presented the definitive
    answer, the Sysgen Default, which translates to, 
    
    S:RWED, O:RWED, G:RE, W      
               
    The world has no access.  Period.  
    
    Your group, (which is often the people who know you best), CAN read
    (therefore copy, print)  your files.  
    
    I'm  disturbed that this basic fact of VMS security/file protection is
    so misunderstood within this forum.
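
Added example (not part of the original notes): a short Python decoder for the 16-bit protection mask that SYSGEN reports for RMS_FILEPROT, showing how 64000 translates to the protection string quoted above. The function names and the sample file list are constructed for illustration; the bit layout assumed is four bits per class (system in the low nibble, then owner, group, world), with a set bit meaning that access is denied.

```python
# Added example: decode a VMS file-protection mask such as RMS_FILEPROT.
# Assumed layout: 16 bits, one nibble per class, low nibble first.
# Inside a nibble the bits are R, W, E, D (low bit first); 1 = DENIED.

CLASSES = ("S", "O", "G", "W")   # system, owner, group, world
RIGHTS = ("R", "W", "E", "D")    # read, write, execute, delete


def decode_mask(mask):
    """Return {class: granted rights} for a 16-bit protection mask."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("protection mask must fit in 16 bits")
    granted = {}
    for index, cls in enumerate(CLASSES):
        nibble = (mask >> (4 * index)) & 0xF
        granted[cls] = "".join(
            right for bit, right in enumerate(RIGHTS) if not nibble & (1 << bit)
        )
    return granted


def format_mask(mask):
    """Render a mask in the familiar 'S:RWED, O:RWED, G:RE, W' form."""
    granted = decode_mask(mask)
    return ", ".join(
        f"{cls}:{granted[cls]}" if granted[cls] else cls for cls in CLASSES
    )


def encode_mask(spec):
    """Build a mask from a string like 'S:RWED,O:RWED,G:RE,W'.

    Simplification for this example: a class that is omitted, or listed
    with no rights, ends up with no access at all.
    """
    mask = 0xFFFF                      # start with everything denied
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        cls, _, rights = part.partition(":")
        cls = cls.upper()
        if cls not in CLASSES:
            raise ValueError(f"unknown class {cls!r}")
        shift = 4 * CLASSES.index(cls)
        for right in rights.upper():
            if right not in RIGHTS:
                raise ValueError(f"unknown right {right!r}")
            mask &= ~(1 << (shift + RIGHTS.index(right)))   # clear = grant
    return mask & 0xFFFF


def world_can_read(mask):
    """True when the WORLD class is granted read access."""
    return "R" in decode_mask(mask)["W"]


def world_readable(files):
    """Given (name, mask) pairs, list the names the world can read."""
    return [name for name, mask in files if world_can_read(mask)]


# Constructed sample data: file names are invented for the example.
SAMPLE_FILES = [
    ("LOGIN.COM", 64000),                                  # system default
    ("SALES_FORECAST.DAT", encode_mask("S:RWED,O:RWED,G:RE,W:R")),
    ("NOTES.TXT", encode_mask("S:RWED,O:RWED,G,W")),
]

if __name__ == "__main__":
    print("RMS_FILEPROT 64000 =", format_mask(64000))
    print("WORLD:RE would be  =", encode_mask("S:RWED,O:RWED,G:RE,W:RE"))
    print("world-readable     =", world_readable(SAMPLE_FILES))
```

The same decoder applied to a per-file list is the kind of check a world-readable-file report performs: only the entry whose world nibble has the read bit cleared is flagged.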
    
    
              
593.112. "Why "VMS"?" by STAR::ROBERT Sun Sep 04 1988 18:05, 28 lines
re: .105 and others.

I'm disturbed to see the three letters "VMS" keep reappearing in this
discussion.  Even today, we have multiple operating systems on the net.
Tomorrow we will have more.  And we will provide increasingly transparent
ways to exchange data.  With RPC and CLIENT/SERVER models it only gets
more complex.

I've some difficulty thinking of many (any) corporate policies or laws
that specify brand names.

There is nothing fundamentally invalid about proposals to base either
corporate policy or DEC ethics on technical means (even though I disagree),
but to base it on "VMS" strikes me as both shortsighted and technocratic.

Tom, may I suggest, as a better basis to discuss your preferred consensus,
that you resubmit .105 with the term "VMS" replaced with something else?
I truly believe that will cast it in a somewhat different light.

By the way, I do agree with some of your points, and feel you've framed
many of the parameters correctly.  Perhaps my biggest difference is that
I honestly estimate that only about 10-20% of our employees would, on
a multiple choice test, be able to choose the correct answer to a question
such as, "What does a file protection of W:R mean?".   If I'm correct,
it seems a strange thing to base a policy upon, unless coupled by
some significant amount of education.

- greg
593.113. "VMS not required" by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Sun Sep 04 1988 20:10, 22 lines
    Re .112:
    
    Greg, I agree that in the notes I've written I've always referred to
    VMS, but I'm fairly sure the argument will still hold for other
    operating systems. If it turns out that the argument doesn't hold for
    TOPS-10, TOPS-20, RSX, Ultrix, UNIX, VAXELN, and others, then I'm
    willing to reconsider. But so far nobody at all in this topic, in over
    a hundred replies, has given any data that those other operating
    systems don't have some file protection mechanism that can equate to
    VMS' world=non-read. 
    
    Are there any operating systems for which files can be accessed over
    the net that don't have a file protection mechanism? The answer to that
    would be very interesting information for this topic. (Greg, do you
    have any information about the models you alluded to in .112?)
    
    I agree that only a very low percentage of the Digital workforce knows
    what is meant by "w:r" or even "world=read". I don't believe that
    matters in the slightest. The VMS defaults are world=non-read, and that
    protects the vast majority who don't know. It takes a specific and
    knowledgeable act for a person to make his files world readable. The
    people who do that know full well what they are doing.
593.114. "W:R not necessarily knowledgeable" by ULTRA::MADDEN (Patrick Madden) Sun Sep 04 1988 22:17, 36 lines
>                                              It takes a specific and
>   knowledgable act for a person to make his files world readable. The
>   people who do that know full well what they are doing.

    Specific act, yes.  Knowledgeable, not necessarily.  Picture the
    following conversation.
    
    A: "I'd like a copy of your sales forecast worksheet."
    B: "Okay, but I don't know how to give it to you."
    A: "Just type in  SET FILE SALES_FORECAST /PROT=W:R  and I'll be
       able to get it."
   
    So, B types this command, and now everybody on the easynet can look
    at the sales forecast.  I've seen this scenario before, and often
    times the owner of the file doesn't know (or care) what the command does,
    nor does he know that it ought to be un-done.  "A", not being a
    terribly sophisticated user, doesn't know the ramifications of the
    command; he only knows that it will give him access to the file.
    He might not know or think about telling "B" to change the protection
    back.
    
    Would you say that "B" gave you permission to access the file?
    Would you say that you are authorized to access the file?
    
    If you are "pro-browsing" and answered "no" to one of these questions,
    then you are maintaining a double standard.
    
    If you answered "yes" to either question (more particularly, the
    second one), how can you justify this?  Assume that "B" uses an
    arbitrary machine on the network, not necessarily one belonging
    to an organization you communicate with in the course of business.

    (NB: Clearly, such an occurrence points to the need to educate users
    about file protections. )

    --Pat
593.115. "Merely having to ask about other systems should give pause" by STAR::ROBERT Mon Sep 05 1988 11:19, 94 lines
re: 13.

Tom,

I am no longer familiar with how other systems work at this time (too long
since my Unix and TOPS days :-)   But that alone bothers me.  Technology
changes.  I hate seeing a policy dependent upon a moving target.
    
>    I agree that only a very low percentage of the Digital workforce knows
>    what is meant by "w:r" or even "world=read". I don't believe that
>    matters in the slightest. The VMS defaults are world=non-read, and that
>    protects the vast majority who don't know. It takes a specific and
>    knowledgable act for a person to make his files world readable. The
>    people who do that know full well what they are doing.

Is this default behavior also true for all the others?  Every time we
invoke a VMS specific behavior, the argument is at risk.  This is an
example of why specifying VMS bothers me.  I would have to vote "no"
on your proposal for this reason alone, even if I agreed with it in
general terms.

The real problem is that the technology is too immature to rely upon
at this time.  We need network naming services, clear "access/no-access"
status for systems, and a number of other things.  These are coming,
but won't be widespread for at least 5-10 years.   Absent these, we
need a standard of responsible behavior.

One simple example: what does the phrase "Unauthorized access is
prohibited" mean when it appears in a system "welcome" or "announcement"
message?  Are employees implicitly authorized?  If not, are browsers
explicitly prohibited?  How can the latter be prosecuted (I don't
mean legally) if they never saw the message but merely accessed a
file?

The technology is inadequate.  Hence we are forced to choose between:

	The network and all "publically readable" (whatever that
	actually means) files are part of the common work space,
	and all employees have full and unrestricted access to it.

	Your account gives you access to your own files, and those
	files which are obviously needed to do your job, and any
	files which traditionally are public on your system.
	Additionally you may access any files that have been publically
	or privately announced as available.  The remainder of the
	network file space is prohibited to you.

In simpler words this latter paragraph means, "as long as you can
offer some work related reason for needing access, or you were invited,
you're ok, otherwise, what the heck are you doing reading that?".

I still think the computer room printout and desk drawer analogies
have been the best (imperfect, but near the nub of the matter).
If it has a name on it that a person could reasonably be expected
to recognize as a personal one, you should have some explanation for
why you are reading it beyond, "because I could".

Yes, I know that Tom has argued the latter is too complex or gray
to be workable and I've argued that the technology is equally unacceptable.
(I suspect that removing the term "VMS" will make this more apparent.)
I dislike continuing to think of the network as a playground where
abuse is restrained only by a technical locking scheme that is flawed
in more respects than the Challenger spacecraft.

What we seem to have is a problem without a good solution, and no
consensus.

We also seem to have three camps which I'll dub left, right, and
center:

	Left:	W:R is explicit permission to read.  If you can read
		it, go for it.

	Center:	Files owned by an individual should be treated as
		personal property whether protected or not, unless
		access has been explicitly or implicitly granted.

	Right:	Company policy should explicitly forbid access
		except where work-related need can be demonstrated,
		or access has been invited.

Actually, I may be in the center.  A formal policy may not be required,
but I abhor the position on the left when it seems to promote a
"free for all" attitude that places complete responsibility on the
information owners and forgives all others as if this were all a great
game of "hide-n-seek".

Personally, _regardless_ of what DEC's rules and traditions might be,
repeat, _regardless_ of them, I would consider anyone who read a file
named: WORK21:[ROBERT]PERSONAL.TXT simply because it was readable, to
be behaving unethically, and I would not hold them up as a model of
professionalism.

- greg
593.116. "Multi-user operating systems protect users" by PNO::KEMERER (VMS/TOPS10/RSTS/TOPS20 system support) Tue Sep 06 1988 04:53, 15 lines
    
    
    	     While I cannot speak for EVERY operating system on this
    particular planet, I can speak GENERALLY and say that every MATURE
    operating system that supports MORE THAN ONE USER always defaults 
    to protecting each user from every other user. Translation: NO WORLD 
    ACCESS OF ANY TYPE. 
    
    As always, there may be exceptions to this rule, but if so they
    are few and far between and I would bet the operating systems with
    those "exceptions" have specific purposes, i.e. are not general-purpose.
    
    
    						Warren
   
593.117. "Protect us from self-righteous system managers!" by SERPNT::SONTAKKE (Vikas Sontakke) Tue Sep 06 1988 13:07, 5 lines
    When even the most sophisticated manager/developer on DEC doesn't know
    the default VMS file protection, how can we assume that Joe Sysmgr
    would know better? 

    - Vikas
593.118. "From Security-Testing Land:" by IAMOK::MCVAY (What does brain surgery have to do with it?) Tue Sep 06 1988 18:53, 24 lines
    This is NOT official policy.  This is my own policy so it tends
    to get implemented...
    
    - Files that are world-readable are public, even in a "private"
      area.  Some folks write COM files and leave them in their area,
      so others can use/copy them.
    
    - No file is EVER world-writable, except as a deliberate act of
      released software (MAIL, etc.).
    
    - Defaults on any system should be set assuming the above.
    
    So if someone reports to me that their files were stolen, looked
    at, etc., and the protection code was world-write, I shrug my
    shoulders.  System managers should shut down everything to the level
    of protection required by the user: that is, if you don't want anyone
    in your area, close your door.
    
    Leaving the keys in your car isn't a good analogy: even if you do
    leave your keys in the car, that doesn't give anyone a legal reason
    to drive it away.  However, there is a looong tradition on networks
    of regarding world-readable files as public files--as was pointed
    out earlier.  This may not be official corporate policy, but it's
    how I define it until someone posts good "no trespassing" signs.
593.119. by QUARK::LIONEL (In Search of the Lost Code) Wed Sep 07 1988 00:49, 5 lines
    I apologize for my misinformation about the VMS system default.
    I was sure that it had been WORLD:RE sometime in the past, but perhaps
    it was changed in a previous release.
    
    				Steve
593.120. by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Wed Sep 07 1988 01:25, 3 lines
    No problem. You did give me a bit of a surprise, though. I thought
    there for a while that I had made a drastic mistake which would blow my
    suggestion away (for which more than a few people would cheer). 
593.121. by QUARK::LIONEL (In Search of the Lost Code) Wed Sep 07 1988 02:43, 5 lines
    Actually, I shouldn't have fallen into that particular rathole,
    as I don't consider file protection relevant to the "rightness"
    of snooping.
    
    				Steve
593.122. "W:RWED?" by ALBANY::MULLER Sat Sep 10 1988 10:12, 12 lines
    A big local software (body) shop got into a new customer (we actually
    loaned the customer his first VAX) and taught them a DCL course
    before our folks got there with the DECstart.
    
    The customer accepted their "words of wisdom" and set up all user
    accounts with identical UIC's.  They would not listen to our
    specialists - wouldn't even give them an account.  They had to get
    the Field Service account password under the table.
    
    Anyone willing to guess what type of customer this is going to be?
    
    Fred
593.123. by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Sat Sep 10 1988 15:29, 3 lines
    Uhmmmm. I seem to be missing something. I got the point that the
    customer is likely to be difficult. I don't understand the relevance
    of that customer to data privacy at Digital. 
593.124. "Is each of us a world unto ourself?" by CYCLPS::BAHN (The 1st 2000 lifetimes are toughest!) Mon Sep 12 1988 01:48, 16 lines
    re:  .116
    
    > 	     While I cannot speak for EVERY operating system on this
    > particular planet, I can speak GENERALLY and say that every MATURE
    > operating system that supports MORE THAN ONE USER always defaults 
    > to protecting each user from every other user. Translation: NO WORLD 
    > ACCESS OF ANY TYPE. 

    I'm confused by this statement.  If "NO WORLD ACCESS OF ANY TYPE" is
    "protecting each user from every other user," doesn't that imply that
    each user on that system is a member of her/his own independent UIC
    group as well?  If so, is that typical of the majority of multi-user
    systems? 

    Terry

593.126. "Re-entry of .125 (Network partner exited)" by CHUNGA::KEMERER (VMS/TOPS10/RSTS/TOPS20 system support) Mon Sep 12 1988 15:16, 27 lines
	Re: .124

>    I'm confused by this statement.  If "NO WORLD ACCESS OF ANY TYPE" is
>    "protecting each user from every other user," doesn't that imply that
>    each user on that system is a member of her/his own independent UIC
>    group as well?  If so, is that typical of the majority of multi-user
>    systems? 

	In stating this I was trying to be as generic as possible without
	regard to specific operating systems. This is true at the most
	basic level. Users ARE protected from each other. Some operating
	systems classify users into certain types of "groups", giving
	special access privileges to members of the same group.  

	But like the special case where you must DELIBERATELY change 
	file protections to allow others to access your files, so must
	you DELIBERATELY group users together to get the shared privileges.
	If you do not make a deliberate attempt to group users together,
	the system WILL protect every user from any other user.

	The keywords in my original statements were "defaults to". I
	stated that most operating systems will DEFAULT TO protecting
	every user from every other user. The default can be overridden
	by grouping users.

							Warren

593.127. "Stay off my property!" by SPGOGO::LEBLANC (Ruth E. LeBlanc) Tue Sep 13 1988 16:34, 22 lines
    There seems to be a lot of problem with the analogies of
    locks/desks/etc., so how about another?  [and my apologies if this
    has been covered already, but I've only had the chance to read through
    Reply #94].
    
    The analogy is as follows:  Your VMS files are like your land. 
    You reside on it, people have access to it without having to go
    through locked doors.  If you choose to build a fence, you can do
    so (i.e., file protections).
    
    So, if we agree on this analogy, the LAW says that trespassing is
    ILLEGAL.  Keep in mind that the law also says that INTENT/KNOWLEDGE
    is irrelevant!!!  You can be walking innocently on someone's land,
    not even knowing it's 'protected', and the land isn't marked
    in any way, and you can still be arrested and convicted!  

    I still say that, even though the technology may allow you to
    access the files (no fence), if you're not invited, you don't belong
    there!
    
    
    
593.128. "Another Analogy" by BPOV04::BENCH Tue Sep 13 1988 17:01, 12 lines
    RE: .127
    
    I also agree with the conservative view that ability to read does
    not imply permission to read.  Stretching the point, I could do
    a wildcard delete and argue that anyone who had not adequately
    protected their files had implicitly given me permission to delete
    those files.  I realize there is a major difference between reading
    a file and deleting it, but the logic is the same.
    
    Claude A. Bench
    
593.129. "Not in Massachusetts" by DENTON::AMARTIN (Alan H. Martin) Tue Sep 13 1988 17:11, 16 lines
Re .127:

>    So, if we agree on this analogy, the LAW says that trespassing is
>    ILLEGAL.  Keep in mind that the law also says that INTENT/KNOWLEDGE
>    is irrelevant!!!  You can be walking innocently on someone's land,
>    not even knowing it's 'protected', and the land isn't marked
>    in any way, and you can still be arrested and convicted!  

Pardon me, but I believe that if you actually read Massachusetts law, you will
find that you are mistaken about the elements of trespassing. (I make no claims
about other jurisdictions). The closest place to your node where you can
definitely find it is the same place I first did, the reference room of the
Hudson public library.  However, the Stow library may have the volumes as well.
In Hudson, look for two or three dozen volumes titled "Mass. General Laws,
Annotated" in the bookcase to the right of the window in the wall facing Rt 62.
				/AHM/THX
593.130. "Don't be so quick to dismiss paper as an analogy!" by WAV14::HICKS (Fan mail from some flounder?) Tue Sep 13 1988 19:11, 12 lines
    Why is the analogy of paper documents for electronic information
    being so quickly dismissed?  The law recognizes the validity of
    this analogy with respect to copyrights (a term from paper publishing)
    for software products.  In this way, browsing/snooping has to be
    viewed as equivalent to rifling paper files.  
    
    Also, I previously mentioned that many of us are now on captive
    ALL-IN-1 systems.  WE HAVE NO ACCESS TO DCL.  WE HAVE NO WAY OF
    KNOWING HOW OUR FILES ARE SET!  How can you then assume that if
    a file is set W=R (have I got that right?) in my directory that
    this isn't a case of a system administrator asleep at the wheel,
    rather than my giving tacit permission for snooping?
593.131. "trespassing" by EAGLE1::EGGERS (Tom, 293-5358, VAX Architecture) Tue Sep 13 1988 23:32, 23 lines
    .127 is wrong.
    .129 is correct.
    
    Merely walking on somebody else's land in Massachusetts is not illegal
    UNLESS it is posted or you have been explicitly told not to be there.
    
    I looked this issue up in the DEC legal library about two months ago
    to answer a non-related question. The wording was very clear, and
    there were no complicated court decisions obscuring the issue.
    
    I like the trespassing analogy, though. The analogy says that you ARE
    allowed to walk on my land (read my files) unless I have posted
    the land or otherwise told you not to (set world=non-read).

    Re: .128
    
    And extending the analogy, if you do walk on my land and do any damage,
    then I can sue you for the damage and expect to collect. Freedom to
    walk there (read my files) is not freedom to cause material harm
    (destroy data).
    
    Yup, this trespassing analogy is a very good one. Thank you people
    for thinking it up.
593.132. "Look. Hands off, ok?" by SARAH::BUEHLER (Can't think of anything right now.) Wed Sep 14 1988 13:15, 16 lines
    But are they walking on your land or into your living room?  I'd say
    that they're walking into *my* living room.  Far as I'm concerned, it's
    implicit that no one has access to my files except me and those whose
    job it is to deal with the files.  For instance, if there's somebody
    around to do backups, that person has access sufficient to backup my
    files.  That doesn't include reading the file, nor does it include
    scanning what files I have in my directories.  It includes sufficient
    access necessary to do the job - backup the files.
    
    I'm vaguely annoyed that people would assume that they can go wandering
    around the network looking at other people's files.  I would expect
    people to keep their noses out of trouble and their hands in their own
    pockets.  If it's not part of your job, don't do it.  I know of no one
    who should be wandering the net in private directories.
    
John
593.133. "Don't talk. Do." by GOLD::OPPELT (To reach the unreachable node::) Wed Sep 14 1988 17:01, 14 lines
	re .132

	> 				I know of noone
	>    who should be wandering the net in private directories.

    
    	The point is that people are doing it -- every day.  Even 
    	passing a strict corporate policy will not stop it.  All the
    	time that was spent by each of the participants in this discussion
    	could have been more usefully spent protecting their own properties
    	(files) with no trespassing signs, fences, barbed wire and
    	land mines.
    
    	Joe Oppelt
593.134. by STAR::ROBERT Thu Sep 15 1988 03:12, 8 lines
re: .133

>    	The point is that people are doing it -- every day.  Even 
>    	passing a strict corporate policy will not stop it.

So that makes it ok?

- g
593.135. by BUNYIP::QUODLING (Anything! Just play it loud!) Thu Sep 15 1988 08:50, 25 lines
        I think that part of the reason for "snooping" is the mystique
        of computers, even amongst the supposedly computer literate
        population of Digital. Many individuals suddenly find that a
        directory command will work across the network, that files
        are often left unprotected. Of course, the System Management,
        both at an individual system level, and at a VMS design level,
        are far from adequate to cope with this, but that does not
        excuse the individual. 
        
        I have seen far too many people join this organization, without
        the slightest inkling of what the security ramifications are
        of what they are doing. Point in case, the office group next
        to mine (within earshot), is full of F&A people. On more than
        one occasion, I have heard one yell to another across the
        partitions " What is the password for the xyz account on machine
        abc", Back comes the reply. The number of times I have been
        asked to fix someone's computer problem, and before I can ask
        them to log in, they tell me their password. Managers that
        give their secretaries access to their accounts, (and then
        temp secretaries are passed on all of the details.)
        
        The list goes on. Something definitely needs to be done, but
        that does not condone illegal activity in the interim.
        
        q
593.136GOLD::OPPELTTo reach the unreachable node::Thu Sep 15 1988 15:4015
	RE .134

	>>    	The point is that people are doing it -- every day.  Even 
    	>>    	passing a strict corporate policy will not stop it.

	>So that makes it ok?

    
    	I never said that it was OK.  My point was that it exists, and
    	always will exist regardless of the amount of discussion, 
    	corporate rules or federal legislation surrounding it.  It is
    	like drugs.  The best we can do is protect ourselves from it
    	as best as we can, and to avoid doing it ourselves.
    
    	Joe Oppelt
593.137Agreed. Some policies are only good for paperweights.SARAH::BUEHLERCan't think of anything right now.Thu Sep 15 1988 17:2724
    The reason I made my comment was because of the general slant of the
    discussion of someone walking onto your property being an analogous
    situation to someone looking at your files.
    
>    	I never said that it was OK.  My point was that it exists, and
>    	always will exist regardless of the amount of discussion, 
>    	corporate rules or federal legislation surrounding it.  It is
>    	like drugs.  The best we can do is protect ourselves from it
>    	as best as we can, and to avoid doing it ourselves.
    
    The best we can do is to make people understand why they should be
    honoring other people's possessions, be they electronic or physical.
    This has to be done at an early, impressionable age.  So it's a
    question of values.  It's just like drugs, or any other behavior that
    'society' deems objectionable.
    
    Removing the temptation is another good alternative.  If access to
    files was more visibly presented and controllable (i.e. direct
    manipulation on file access controls), perhaps there would be less
    misuse, specifically due to laziness.  And that's where bunches of
    security breaches come from - laziness and not seeing what access is in
    effect.
    
John
593.138Avoiding the grey areasEMASS::HOODPhilFri Sep 16 1988 13:1716
    I have stayed out of this so far, but cannot fail to comment on
    a perceived shortcoming in the reasoning to date.  Everyone has
    assumed there is a simple line dividing acceptable behavior from
    unacceptable behavior.  It seems to me that there are responsibilities
    that must be accepted by both those owning files and those attempting
    to read them.  It is unquestionably wrong to browse through personal
    files without an invitation.  To me it is equally wrong to leave
    files unprotected with the assumption they will never be read.
    In between these two extremes lies a grey area where interpretation
    will vary between groups.  It seems the safe policy for a responsible
    employee would be to stay out of the grey area on both sides.
    
    In terms of "public" directories, the meaning seems to change
    drastically from group to group.  As with so many other things, a
    note to the system manager may be a good (and courteous) preliminary
    to investigating these directories.
593.139VMSNET::WOODBURYAtlanta Networks/VMS SupportTue Sep 27 1988 13:3142
Re 138:

>    Everyone has assumed there is a simple line dividing acceptable behavior
>    from unacceptable behavior.

	Please keep your generalizations to yourself.  I know that this is a
    complex problem, and I think most of the other people here do also.


>    I[t] seems to me that there are responsibilities that must be accepted by
>    both those owning files and those attempting to read them.  It is
>    unquestionably wrong to browse through personal files without an
>    invitation.  To me it is equally wrong to leave files unprotected with the
>    assumption they will never be read. 

   1)	Not everyone has agreed that it is wrong to browse personal files.
   2)	Not everyone has the knowledge to set file protections properly.
   3)	Not everyone who has the knowledge has the ability to set file 
	protections.

>    In between these two extremes lies a grey area where interpretation
>    will vary between groups.  It seems the safe policy for a responsible
>    employee would be to stay out of the grey area on both sides.

	The size of the black and white areas is much smaller than you think.
    It is extremely difficult to stay entirely in the white areas.  For example,
    do you have explicit permission to read this notes file?  You may have seen
    a list of public notes files that could be considered an invitation, but did
    you have permission to read that list?  (I know, I am stretching the point
    all out of shape, but you did give absolute advice.) 

	To make my own position clear, I think people should stay out of other
    people's files, even if the protection is not set, unless there is some 
    strong reason to believe the files are public, or they can justify accessing
    the file to their manager.  I also think that people who have sensitive 
    information to protect have the responsibility to protect it to the best of
    their ability.  However, there are various reasons why they may not be able
    to protect their files properly and the lack of protection does not license
    other's access.  Finally, if you find a sensitive file with the wrong 
    protection, you should make a reasonable attempt to let the owner know that
    there is a problem.  (Reasonable does not include getting yourself in 
    trouble trying to help.)
593.140How to generalize a generalization! 8-)MISFIT::DEEPThis NOTE's for you! Tue Sep 27 1988 14:137
< Note 593.139 by VMSNET::WOODBURY "Atlanta Networks/VMS Support" >

>>  Please keep your generalizations to yourself.  I know that this is a
>>  complex problem, and I think most of the other people here do also.
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

8^)
593.141Re .140 - At least I said "I think..."VMSNET::WOODBURYAtlanta Networks/VMS SupportTue Sep 27 1988 14:500
593.142protect the innocent!JGO::EVANSThu Sep 29 1988 07:4911
    Many users of ALL-IN-1 have no direct way of either knowing what
    the file protections are for their account or of changing them
    themselves. Why?
    Well they have no access to $prompt. Those who have heard about
    protections may take the trouble to ask IS for further info but
    the rest assume 'wrongly' that everything has been arranged for
    them.
    I have been on ALL-IN-1 courses and there has NEVER been anything
    mentioned about file protection.
    
    john evans
593.143BUNYIP::QUODLINGAnything! Just play it loud!Thu Sep 29 1988 23:109
        re .142
        
        If an IS department takes it upon themselves to restrict access to
        applications only (like ALL-IN-1) on a system, then they are the
        responsible people for security. IF they aren't doing it, then they
        aren't doing their job properly.
        
        q
        
593.144YODA::COOKViddy this me droogies...Fri Sep 30 1988 12:496
    
    	I don't think it's proper to go around snooping in other people's
    	files. I keep my protections set very secure. People in my own
    	group do not even have access.

/prc
593.145DVN TrainingNOVA::M_DAVISOld-fashioned Grin MillFri Sep 30 1988 14:4126
    Just received thru interoffice mail:
    
    "Security Awareness Training: Proprietary Information"
    
    Attend the Three DVN Broadcasts at Your Local
    		DVN Site or ACT Center
    		1:00 - 4:00 P.M. EST
    
    	Module I - October 19, 1988
    	Classification and 'Need-to-Know'
    
    	Module II - October 26, 1988
    	Users' Responsibility for Computer Systems,
    	Office and the Workplace and Non-Digital Personnel
    
    	Module III - November 16, 1988
    	Systems Management and The Exit Process
    
    Further down in the flyer is an all-caps comment:  
    "ALL EMPLOYEES SHOULD ATTEND THIS TRAINING."
    
    "For further information contact your local DVN Site location or
    ACT Center"
    
    
    		
593.146How many tons of popcorn?DENTON::AMARTINAlan H. MartinFri Sep 30 1988 21:3110
Re .145:

>    Attend the Three DVN Broadcasts at Your Local
>    		DVN Site or ACT Center
>    		1:00 - 4:00 P.M. EST
...
>    "ALL EMPLOYEES SHOULD ATTEND THIS TRAINING."

That's 550 man-years.
				/AHM
593.147Mommy, Someone's Been Messin' in My Files!MTADMS::JOHNSONRob DTN-267-2211Sat Oct 01 1988 16:4436
         There are many GOOD and BAD arguments in this note.  I sympathize
    with those users who are not 'techies' or do not have the knowledge
    necessary to protect their own files.  Their files are unfortunately
    vulnerable for any sleazy, low-life, snooping, I-have-every-right-
    because-it's-not-protected scum that comes along.  I realize it is
    difficult for the untrained "snooper" to determine which files were
    accidentally left unprotected and which were purposely made W:R;
    however, in MY opinion, that doesn't give anyone the right to sneakily
    inspect another's files -- personal or not.

         "Innocent browsing" can be and is, as it appears in this note,
    widely interpreted.  Most of us have, at one time or another, "happened
    upon" something we shouldn't have; and, if our ethics (again MY opinion)
    were in the right place, we quickly "backed off and headed home."  I
    have from time to time seen a new command in a notes conference and have
    tried it out, but my ethics prohibit me from attempting to open files,
    or run anything which I did not create.  Granted, there are those rare
    occasions where I stumble upon something I shouldn't have as a result of
    these "new" commands, but again, my ethics get me out just as quickly.
    I chalk this up to "learning the system", but I don't go looking for files
    which are accessible so I can have a "peeksie" or to copy them.

         I know I'll be attacked regardless of what MY opinion is because
    there will always be another opinion better than mine, but I agree that
    this problem will not be easily solved.  It's either going to take a
    drastic change in a lot of people's ethics or a lot of professional,
    computer-security types to make it easy for the computer-illiterate folks
    to protect their own 'turf'.  I for one have sure protected mine since
    reading this note.  Whatever happened to the day when you could leave
    your house unlocked, secure in the knowledge that everyone else's ethics
    were the same as yours:  Do unto others as you would have done unto you.

         My ethics:  Don't play in my files and I won't play in yours. 


    -- Rob
593.148Old-fashioned ideas about privacy...SUPER::HENDRICKSThe only way out is throughSun Oct 02 1988 22:5216
    I think conventions and mutual understandings can go a long way
    in covering areas not specifically addressed by policy.  I always
    believed that the only files open to "browsing" were those in .public
    directories.  Otherwise, what's the point of having a public directory?
    
    If someone does not have a directory called Name.public, I assume
    there's nothing in the account I'm meant to see.  If someone is
    not technically sophisticated enough to create a public subdirectory,
    I assume there is nothing in their account that I'm meant to see
    at all.
    
    The obvious exceptions are when you have permission (I try to get      
    it in writing) or when you use your privileges to access a file
    in a co-worker's account for a valid work-related reason.  Again,
    I think it's important to have permission from the co-worker or
    from a supervisor if the co-worker is unreachable.
593.149My note started all thisKBOMFG::POSTVeni Vedi VinciTue Oct 04 1988 00:47120
My original note in WAR_STORY prompted the entry into this notes file
and I would like to voice my personal opinion - especially since I feel
I have done NO-ONE any harm, nor do I find my behaviour as being UNETHICAL
or SLEAZY.

I personally resent the insulting comments made in .187. Why is it so 
impossible for Digital employees to be correct and polite to one another?



        1. When I joined Digital, I obtained a VAX/VMS account and was
           given a very primitive introduction to DECmail and how to logout.

        2. Shortly afterwards, I was sent to a VAX/VMS USERS GUIDE. This
           was a ONE-WEEK off site course offered by our Educational services.

           At this course we learned the absolute basics. How to login, change
           a password, set host, copy files etc.

           Our Instructor also very clearly showed us how to SET PROTECTION
           and explained why it was important.  He then went on to demonstrate
           HOW we could READ files in other directories that were not protected.
        
           In short the INSTRUCTOR showed us how to do SIMPLE tasks with a VAX.

       3.  In my function as a business analyst (then), I had to develop various
           tools - usually *.com files. The EASYNET indicated to VAXnotes
           conferences that seemed ideally suited  HACKERS  and the TOOLSHED.

           I have accessed both conferences and have found numerous indications
           of where certain files can be located on the network and transferred
           back to my account.  


      4.  On the said evening, I was browsing through a directory and looking
          at some *.com files in hope that I would find something useful for
          my professional work. All the files were set to W:R. 

          If a file protection is set, I never try to circumvent it or to
          CRACK any passwords. Alas, my selected wording of "LEGAL HACKING"
          was incorrect and STUPID. I was simply using the network as I 
          was taught by professional DIGITAL Training Instructors.

          The responses to my note in WAR_STORY were very strong, and I 
          personally apologized to the conference moderators explaining what
          I was doing.

          The responses in this conference were equally strong and there
          are basically the three camps as mentioned earlier.

          I now completely understand the feelings of the people who feel
          it is an intrusion in their privacy and respect their concerns.
          (and have also learned a lot from this conference).


          Here some questions that I would like to ask this audience:

                A. If VMS sets the default to WORLD=NO ACCESS, why would
                   a system manager alter this?  I understand why a user
                   would want to change the protection, BUT WHY ON EARTH
                   would any sensible system manager want to do it?

                   Is this a common practice or an isolated case?
                   Isn't a system manager that alters the systems file
                   protection a very risky system manager indeed?

               B.  Certain individuals have strongly stated in this
                   conference "STAY AWAY FROM MY FILES".
 
                   Why don't you simply set your protection to WORLD = NO ACCESS
               
                   If you do not know HOW to set protection, please ask your
                   system manager to do it for you.

              C.   If users are locked into an application and are not 
                   authorized to get to DCL, why does the system management
                   not ensure that the files have the correct file protection?


P.S.  I have learned my lesson and will not be browsing anymore (although I
      still believe W:R means anyone on the network is authorized to read
      the file as the protection has knowingly been altered) unless specifically
      invited to do so. On the other hand, I think system managers should look
      to educate their users better. 

      If you have a user who complains someone has read his W:R files, please 
      tell your user that he should change his personal protection. Feel free 
      to zap a browser a nastygram, but make
      sure YOUR users are not inviting people to browse by not setting the
      protection correctly.


 
P.P.S.S.  One time I did accidentally stumble over a fairly confidential
     document which at first seemed very harmless. On this one time, I was
     100 % snooping - and should not have -. I apologize for my unethical
     behaviour. Once I identified that the document was NOT harmless and
     NOT meant to be WORLD accessible, I stopped reading it and notified
     the owner to change her protection. She was very happy that I had
     pointed out her security problem and was able to correct it without
     any harm done to the company.

     
     Again, I would like to emphasize that I have only browsed for
     *.com files that could be used for professional reasons only.

     I have learned a lot from this conference and will refrain from
     further browsing - unless specifically solicited.

     I personally ask all of you to check your own file protections and
     set it so the minimum of misuse can be conducted.

     
regards

Victor Post @KBO



  
593.150VMSNET::WOODBURYAtlanta Networks/VMS SupportTue Oct 04 1988 01:2537
Re .149:

	It sounds like you got a better education than a fair number of the
    less fortunate on the network.  To answer your questions -

    A.  There could be several reasons why the system manager reset the default
	file protection -

	1.  He didn't but someone else did for any of a number of reasons.
	2.  He didn't know what he was doing.
	3.  He did it temporarily and forgot to change it back.
	4.  His boss told him to do it.
	5.  He has some form of insanity.
	6.  Someone paid him to do it.

    B.	There could be several reasons why individual's files have world access
        besides being intended for public consumption and ignorance.

	1.  Access was set temporarily for use by someone else and never changed
	    back.
	2.  Someone else changed the access.

	Also, I have set the protection on my files properly as far as I know.
	(I checked the whole set about a month ago.)  However, I am aware that
	there are ways to get around the file protection.  Knowing this, and 
	adding the attitude expressed by a number of individuals that they will
	do whatever they can get away with, leaves me with a very bad feeling.

	Also, you are assuming that the system manager knows what he is doing 
	and is honest and sane.  You are also assuming that his boss is 
	knowledgeable, honest and sane.  In my case, you are right (:^>), but 
	that is not something you can assume to be universally true.

    C.	See the answers to A.

Re PPPS:
	Your behavior was commendable.
593.151Replies, replies...MTADMS::JOHNSONRob @ DTN 267-2211Tue Oct 04 1988 01:4927
    Re:  .149

    Hear, hear!  Well said; however...

    I personally do not have any files set at W:R and my "login.com" and
    "logout.com" files insure I *never* will, BUT I do have a couple of
    directories set at G:R.  While I purposely set these to G:R, I do not
    want any other person on my node 'browsing' through these files.  You
    may say, why G:R then??  There are a couple of people on my node who
    need this information.  I realize there are a couple of other ways to
    give them this information and further secure the files; however, I
    update these files on a daily basis and don't wish to go through all
    that hassle when I should be able to expect people to keep their eyes
    out of my files.  If this becomes a problem, then I will have to seek
    an alternative method.  Actually, I will be changing the format shortly,
    but any computeroid, such as myself, could figure out how to get around
    it.  This information is NOT of a sensitive nature, but it still does
    not give ANYONE the right to have a looksey.  I *trust* the other folks
    on my node until they prove to me that they can't be trusted.  Maybe
    I have too much faith in humanity??

    Enough said.  By the way, who ever said what a teacher teaches is
    totally honest??

    Signed -- I'm tired and cranky and should go home...

       Rob ;^)
593.152hyperbole?EAGLE1::EGGERSTom,293-5358,VAX&MIPS ArchitectureTue Oct 04 1988 03:3714
	Re Note 593.150:
    
>>    						... However, I am aware that
>>	there are ways to get around the file protection.  Knowing this, and 
>>	adding THE ATTITUDE EXPRESSED BY A NUMBER OF INDIVIDUALS THAT THEY WILL
>>      DO WHATEVER THEY CAN GET AWAY WITH, leaves me with a very bad feeling.

    			(The capital emphasis is mine. twe)
    
    I don't recall anybody saying this. I know I haven't. Perhaps you
    could refresh my memory and point to the notes of people who said
    they would circumvent file protections. Or perhaps that's not what
    you meant. Perhaps the comment was intended as hyperbole to make
    a point.
593.153Third Party ResponsibilityPNO::KEMERERVMS/TOPS10/RSTS/TOPS20 system supportTue Oct 04 1988 04:0356
    
    Sorry, but I can't resist....
    
    
    Granted, VMS defaults to no WORLD access of files.
    
    Granted, many users aren't knowledgeable about protections, etc.
    
    Granted, protections get lowered through misunderstanding, accidents,
    	on purpose, etc. 
    
    Granted, even if they know about protections some users can't change
    	the protections because no DCL access.
    
    
    
    THE BOTTOM LINE HERE IS THAT "SECURITY" IS THE SYSTEM MANAGER'S
    	RESPONSIBILITY. [This is documented in Corporate Security
    	Guidelines].
    
    Granted, not all system managers are knowledgeable enough to be
    	responsible about security.
    
    
    THE RESPONSIBLE PARTY IN THE ABOVE CASE IS THE SYSTEM MANAGER'S
    	MANAGER.
    
 
       	We don't put untrained people in charge of anything where
    	large scale technology or people's interest are involved 
    	(submarines and aircraft to name a couple). So why should 
    	untrained system managers be loosed upon a system? They 
    	shouldn't. But even if they are, THEY ARE STILL PARTIALLY 
    	RESPONSIBLE FOR WHAT THEY ARE CHARGED WITH MANAGING. And if 
    	they ARE untrained, and something goes wrong, then their manager 
    	is also partially responsible for placing an untrained system 
    	manager in a position they did not deserve and weren't capable 
    	of handling.
    
    Bandying the concept of whether snooping, public directory searches,
    etc. are right or wrong is like arguing whether killing is right
    or wrong. Regardless of what you and I think of killing, there is
    a THIRD PARTY charged with preventing killings (by whatever means,
    i.e. restricted access to guns, punishment of those breaking this
    "law", etc.) This THIRD PARTY is synonymous with the SYSTEM MANAGER.
    
    BOTH HAVE A RESPONSIBILITY TO SEE TO IT YOU AREN'T DOING SOMETHING
    	YOU SHOULDN'T.
    
    They may not be able to stop you from doing whatever it is you
    shouldn't, but they can take action as a result of your action.
    
    Am I making sense here or should I try to put this into different
    words?
    
    						Warren
593.154seems reasonableEAGLE1::EGGERSTom,293-5358,VAX&MIPS ArchitectureTue Oct 04 1988 05:089
    To me you make sense. I suspect there are others who won't like what
    you say. 
    
    One of the stronger arguments against "Let them read it if it is world
    readable" is incompetent system managers who don't do their job for
    whatever reason. It seems to me you are putting the responsibility on
    the system managers. If we can do this, and as you point out, it is
    already Digital policy, then we don't need to create any ethic over and
    above standard VMS file protections. 
593.155A policy for every occasionIAMOK::PATTERSONLet Those Who Ride DecideTue Oct 04 1988 16:2527
    Corporate Security Standard 11.1 states:
    
       "A review process will be put in place by System Operations
        Management for the following purposes:
      
           -  To identify all files that are accessible to any user
              of the system and/or network and to verify that this
              level of unprotected access is necessary."
    
    Personnel Policy 6.24 states:
    
       "Employees are expected to treat information appropriately.
        For example, they will not:
           -  Access computer files or give information to others
              to access computer files when not properly authorized."
    
    Personnel Policy 6.21 states:
    
       "Certain conduct may be so serious as to justify immediate
        discharge.    ...some of the more common examples: ...
        inappropriate use or disclosure of Company proprietary
        information..." 
    
    FWIW, lots of people have been fired from DEC for knowingly poking
    into places they have not been given authorization.  
    
    Ken P. 
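
The review that Corporate Security Standard 11.1 (quoted in .155) calls for, identifying every file open to WORLD and confirming the access is intended, sketched as an added example that is not part of any note in this conference. It assumes input shaped like `DIRECTORY/PROTECTION` output; the listing, device, directory names and allow-list below are constructed for illustration.

```python
"""Flag WORLD-accessible files in a VMS DIRECTORY/PROTECTION-style listing."""
import re
from typing import NamedTuple

CLASSES = ("system", "owner", "group", "world")

DIR_RE = re.compile(r"^Directory\s+(?P<dir>\S+)$")
FILE_RE = re.compile(r"^(?P<name>\S+;\d+)\s+\((?P<mask>[RWED,]*)\)$")
NAME_ONLY_RE = re.compile(r"^\S+;\d+$")   # long name: mask wraps to the next line
MASK_ONLY_RE = re.compile(r"^\((?P<mask>[RWED,]*)\)$")


class Finding(NamedTuple):
    spec: str     # device:[directory]name;version
    world: str    # access granted to WORLD, in RWED order
    level: str    # "write" if WORLD has W or D, otherwise "read"
    status: str   # "approved" if on the allow-list, otherwise "review"


def parse_mask(mask):
    """Split the inside of '(S,O,G,W)' into per-class sets of access letters."""
    fields = [f.strip() for f in mask.split(",")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 protection fields, got {len(fields)}: {mask!r}")
    for field in fields:
        if set(field) - set("RWED"):
            raise ValueError(f"unknown access letter in {field!r}")
    return {cls: frozenset(field) for cls, field in zip(CLASSES, fields)}


def audit(listing, approved=()):
    """Return a Finding for every file that grants any access to WORLD.

    `approved` holds file-spec prefixes that are meant to be public
    (a hypothetical allow-list maintained by the system manager).
    """
    findings = []
    current_dir = ""
    pending = None  # file name waiting for a mask on the following line
    for raw in listing.splitlines():
        line = raw.strip()
        if pending and (m := MASK_ONLY_RE.match(line)):
            name, mask = pending, m["mask"]
            pending = None
        elif m := DIR_RE.match(line):
            current_dir, pending = m["dir"], None
            continue
        elif m := FILE_RE.match(line):
            name, mask, pending = m["name"], m["mask"], None
        elif NAME_ONLY_RE.match(line):
            pending = line
            continue
        else:
            pending = None  # blank lines, "Total of N files." and so on
            continue

        world = parse_mask(mask)["world"]
        if not world:
            continue  # WORLD has no access: nothing to review
        spec = current_dir + name
        findings.append(Finding(
            spec=spec,
            world="".join(c for c in "RWED" if c in world),
            level="write" if world & {"W", "D"} else "read",
            status="approved" if any(spec.startswith(p) for p in approved) else "review",
        ))
    return findings


# Constructed sample listing (not taken from any real system).
SAMPLE_LISTING = """
Directory DISK$USER:[SMITH]

LOGIN.COM;12         (RWED,RWED,RE,)
MAIL.DIR;1           (RWE,RWE,,)
BUDGET_FY89.TXT;3    (RWED,RWED,R,R)
PUBLIC.DIR;1         (RWE,RWE,RE,RE)
A_VERY_LONG_FILE_NAME_THAT_WRAPS.COM;7
                     (RWED,RWED,RWED,RWED)

Total of 5 files.

Directory DISK$USER:[SMITH.PUBLIC]

TOOLS.COM;4          (RWED,RWED,RE,RE)

Total of 1 file.
"""

# Hypothetical allow-list: the public subdirectory and its directory file.
APPROVED = ("DISK$USER:[SMITH]PUBLIC.DIR", "DISK$USER:[SMITH.PUBLIC]")

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING, APPROVED):
        print(f"{f.status:8} {f.level:5} W:{f.world:4} {f.spec}")
```

Entries marked "review" are the ones the owner or system manager still has to justify or tighten; G:R-only files such as those described in .151 are not reported because the check looks at the WORLD field alone.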
593.156agreement, disagreement, inapplicableEAGLE1::EGGERSTom,293-5358,VAX&MIPS ArchitectureTue Oct 04 1988 18:5041
    Re .155: 

    As I read those policy quotations:
    
    Corporate Security Standard 11.1 puts a burden on the system managers
    to keep files protected unless there is good reason to do otherwise.
    This seems like a good idea. Several other notes have also stated this
    should be done. In fact, I can't recall any disagreement on this point. 
    
>>  Personnel Policy 6.24 states ... "Employees ... will not access
>>  computer files or give information to others to access computer files
>>  when not properly authorized."
    
    There is *major* disagreement in this topic on whether or not a file
    protection of world:read constitutes "proper authorization." This
    personnel policy doesn't help resolve that disagreement. 
     
>>  Personnel Policy 6.21 states:
>>    
>>       "Certain conduct may be so serious as to justify immediate
>>        discharge.    ...some of the more common examples: ...
>>        inappropriate use or disclosure of Company proprietary
>>        information..." 
    
    If J. Random Anybody is able to read company proprietary information,
    then there is a significant security breach (see Corporate Security
    Standard 11.1 quoted above) by the person who left the data
    unprotected. Any person who reads it isn't subject to discharge,
    according to the quoted 6.21 policy, unless he uses it inappropriately
    (personal gain?) or tells somebody (outside DEC?). I don't recall any
    of the previous 150 or so notes in this topic suggesting anything
    covered by that policy. Perhaps somebody can refresh my memory.
    
>>    FWIW, lots of people have been fired from DEC for knowingly poking
>>    into places they have not been given authorization.
    
    This is too general and too nebulous a comment to advance the topic
    unless we can get more details concerning precisely what, how, and why.
    (We can leave out who, when, and where.) Perhaps those details would
    lead us to an operational determination of Digital's policy on
    "browsing".
593.157Where is Corporate Security Standard 11.1?EXIT26::STRATTONJust Say No(tes)Wed Oct 05 1988 00:1411
        Is "Corporate Security Standard 11.1" (easily) available
        on EASYnet?  I can ask our local Security people for a
        copy if it's not.
        
        Whether it is or not (readily available), how many system
        managers or managers of system managers (1) know it exists,
        (2) have a copy, or (3) follow it (or understand that they
        need to follow it)?
        
Jim Stratton
        
593.158Security through secrecyDR::BLINNI'll buy that for a dollar!Wed Oct 05 1988 15:276
        It's interesting that lots of other policies seem to be on-line
        and accessible through the Corporate VTX Library, but as far as I
        know, the "Corporate Security" standards/policies are a big
        secret.  I suppose that's to keep them secure. 
        
        Tom
593.159There's a notesfile...BENTLY::FARLEEInsufficient Virtual...um...er...Wed Oct 05 1988 17:416
    There is a notesfile on security policies at
    HUMAN::SECURITY_POLICY.
    I haven't explored the entire thing, but it would probably be the
    best place to look...
    
    Kevin
593.160Try Corporate Security!MTADMS::JOHNSONRob @ DTN 267-2211Wed Oct 05 1988 18:357
    Tom,

         Stop by your local Corporate Security office.  They have a
    copy.  If not, they are lacking...  To my knowledge, they are not
    CLASSIFIED.

                                       -- Rob
593.161Advice pleaseEVTSG8::SPIT::DIOSWed Nov 17 1993 14:5915
    
    A colleague has his mail directory protected to disallow Group and
    World access. After suspecting that his mail was being read, he added
    an alarm ACL. The following day the audit report revealed the culprit
    was as suspected, reading mail, by means of privileges. This colleague
    is currently under a cloud because of something previously extracted
    from his mail directory that anonymously found its way to his manager.
    In view of this, he is very aware that escalation could bring about
    negative effects; after all, this action could have been sanctioned by
    management, who will not support an escalation on the grounds of breach
    of privacy or PP&P.
    
    What can he do to bring the snooper to book, and not risk his own job?
    
    Concerned.
593.162Go to SecurityWIDGET::KLEINWed Nov 17 1993 15:4910
>    What can he do to bring the snooper to book, and not risk his own job?

There's a risk in every action, but if I were in his position, I would first go
to Chief of Security at my site, especially if I had any suspicions
about my own management's involvement.

Reading someone else's mail is a clear violation of privacy and cannot
be sanctioned or tolerated.

-steve-
593.163Be carefulSTAR::DIPIRROWed Nov 17 1993 16:1710
>Reading someone else's mail is a clear violation of privacy and cannot
>be sanctioned or tolerated.

This may be true in the general sense, but recently corporations have
permitted management to "invade an employee's privacy" if we're talking
about corporate equipment or resources. In every case, employees who
pursued this via lawsuits or whatever have been fired and have lost
those lawsuits.

So it's not so cut and dry. It's an interesting problem. I'm glad it's not me!
593.164ever consider creative disinformation?MAZE::FUSCIDEC has it (on backorder) NOW!Wed Nov 17 1993 16:389
Per .163, I've never considered my accounts on Digital-owned systems to be
my "private property".  I would never keep anything I considered private 
there.

But per .162, I would be annoyed if I thought someone were snooping.  Have 
you considered planting items in your mail or directory that would, if
found and forwarded, only cause embarrassment and trouble for the snooper?

Ray
593.165Try 9406::SECURITY_POLICYATYISB::HILLCome on lemmings, let's go!Thu Nov 18 1993 07:055
    Re .161
    
    I'd get into 9406::SECURITY_POLICY and see what advice is already there
    on this topic.  If you don't find an answer to the particular situation
    then I'd suggest you cross-post .161 and its reply string.
593.166DEMING::SILVAMemories.....Thu Nov 18 1993 16:5310


	I had thought that employers could read other people's mail provided
they had that in their policy. I think DEC has it so system manager type people
can do this, but for fellow employees and managers I was not aware that this
was allowed. Hmmmm....


Glen
593.167. "Privacy is relative" by RCWOOD::WOOD (Taz hate recession......) Thu Nov 18 1993 17:28, 9 lines
    
    
    
    You want privacy??? Then do not use DIGITAL's systems to send or store
    information that you want to keep private. Every system has somebody with
    privs that can read anything in your account.
    
          Theme of the 90's....There's no such thing as paranoia anymore
                               it's all true.
593.168. by RUSURE::EDP (Always mount a scratch monkey.) Thu Nov 18 1993 18:04, 15 lines
    Re .167:
    
    > You want privacy??? Then do not use DIGITAL's systems to send or store
    > information that you want to keep private.
    
    Or use PGP, a military-grade encryption program available for free.
    
    
    				-- edp
    
    
Public key fingerprint:  8e ad 63 61 ba 0c 26 86  32 0a 7d 28 db e7 6f 75
To get PGP, FTP /pub/unix/security/crypt/pgp23A.zip from ftp.funet.fi.
For FTP access, mail "help" message to DECWRL::FTPmail or open Upsar::Gateways.
    
593.169. "careful..." by CSC32::S_LEDOUX (The VMS Hack Factory) Fri Nov 19 1993 01:37, 5 lines
I once posted a simple stupid encryption program I wrote to ::HACKERS and
almost got squashed.  Something about export of encryption algorithms not
solely intended for authentication blah blah blah...

Scott
593.170. by MU::PORTER (dave has now left the building) Fri Nov 19 1993 04:22, 7 lines
    >You want privacy??? Then do not use DIGITAL's systems to send or store
    >information that you want to keep private. Every system has somebody with
    >privs that can read anything in your account.
    
    Not true for MU, except in a trivial sense (i.e., the single user can 
    read anything the single user writes).
    
593.171. "workstation?" by CSC32::K_BOUCHARD Fri Nov 19 1993 21:45, 6 lines
    Are you talking about a workstation? I *think* that's only true if the
    workstation is a "stand-alone" node, right? I mean, most of us with
    workstations are part of a cluster aren't we? I always thought the
    cluster admins. could access anything at all. Am I wrong again?
    
    Ken
593.172. by MU::PORTER (dave has now left the building) Sat Nov 20 1993 04:11, 4 lines
    Yup, MU's a standalone workstation.  Only one priv'd user - PORTER.
    Even I don't know what the SYSTEM password is now (I typed it with
    my eyes closed).
    
593.173. "clearly a rathole" by LGP30::FLEISCHER (without vision the people perish (DTN 223-8576, MSO2-2/A2, IM&T)) Sun Nov 21 1993 12:11, 14 lines
re Note 593.172 by MU::PORTER:

>     Yup, MU's a standalone workstation.  Only one priv'd user - PORTER.
>     Even I don't know what the SYSTEM password is now (I typed it with
>     my eyes closed).
  
        There are other advantages to this, of course.  My
        workstation, also a single-user standalone system, is up
        whenever I want it to be.  My colleagues who use clustered
        workstations seem to experience a couple of times a month
        when their system is unavailable for an hour or more due to
        problems on the cluster.

        Bob
593.174. "One email address forever!" by RINGSS::WALES (David from Down-Under) Sun Nov 21 1993 19:07, 13 lines
G'Day,

	Not wanting to really rathole the discussion on file privacy but the
biggest advantage I see to having your own workstation that is not part of a
cluster is that your email address should never need to change.  I recently
moved buildings and just packed up my VAXstation and took it with me.  No
nodename/alias changes etc to worry about.  Before I had this machine I changed
systems twice and trying to inform everybody and get distribution lists changed
is a nightmare especially if one is active on the internet.

Have fun!

David.
593.175. "i like this rathole" by MU::PORTER (dave has now left the building) Sun Nov 21 1993 23:37, 9 lines
    >    There are other advantages to this, of course.  My
    >    workstation, also a single-user standalone system, is up
    >    whenever I want it to be.  My colleagues who use clustered
    
    Yup.  I always claim I'm far too busy to waste time letting
    someone else manage my system for me!
    
    
    
593.176. by MU::PORTER (dave has now left the building) Sun Nov 21 1993 23:42, 16 lines
   > cluster is that your email address should never need to change.  I recently
   >moved buildings and just packed up my VAXstation and took it with me.  No
    
    Hah, just wait for widespread use of DECnet Phase V.  The powers that be 
    have seen fit to bestow geography-dependent names on nodes.  MU's
    real name is DEC:.lkg.mu, and so if I ever move to another building,
    that'll have to change.
    
    (This isn't a necessary feature of Phase V, it's just how we in
     DEC have decided to set up the namespace.  It forced me to learn
     a lot about DEC geography that I really didn't see any need to know.)
    
    (You can call me MU::PORTER as long as we still have Phase IV
     node synonyms for Phase V nodes).
    
    
593.177. "Name or number it's just as hard ..." by 15377::PILGRM::BAHN (Living in Virtual Reality ...) Mon Nov 22 1993 00:33, 15 lines
>	Not wanting to really rathole the discussion on file privacy but the
> biggest advantage I see to having your own workstation that is not part of a
> cluster is that your email address should never need to change.

  Since .175 and .176 continued down the rathole, I'll take it a bit
  farther.  I don't know how many EasyNet areas you have there David, but
  here in the GMA you don't need to be moved too far to get into another 
  area.  Last year, my cluster was moved from area 15 to area 29, then back
  to area 15 in under 5 months (148 days).  All of the names stayed the 
  same, but the numbers changed.  If everybody updated their databases 
  every week or so, no problem but ...

Terry

593.178. "Like a rat down a hole ......." by RINGSS::WALES (David from Down-Under) Mon Nov 22 1993 03:35, 17 lines
G'Day,

	I'm not sure what's happening on the Phase V front here in Australia but
we are already quite aware of the geographic naming conventions with IP.  My
workstation also runs UCX and its IP name is ringss.sna.dec.com (SNA is my site
code).

	As for moving areas, well we only have area 59 so that's unlikely but
even moving areas shouldn't cause you to change your name.  It doesn't matter if
the DECnet address changes as mail is originally directed to a nodename.  This
will then be resolved into whatever the current address is.  My network database
updates every three days so I don't have too many troubles with people moving
around but I do see lots of notes from people who are trying to connect to a
system that changed addresses months earlier.  There's obviously a lot of very
outdated network databases out there.

David.
593.179. by PASTIS::MONAHAN (humanity is a trojan horse) Mon Nov 22 1993 05:25, 13 lines
    	When we had phase 3 DECnet Valbonne was allocated node numbers 120
    to 129.  PASTIS (51.130) was the first additional node brought up in
    early field test of phase 4 DECnet, and PASTIS::MONAHAN has been my
    mail address ever since.
    
    	Since then I have worked in 5 different groups, had 4 building moves, 
    4 different site codes, the office telephone number has changed ... :-)
    
    	Site code addressing sounds crazy. In Valbonne they changed the
    site code of a building from VBO to SAC for political or image reasons,
    so I got a change of site code without even moving my desk.
    
    	Dave (currently site code SAT).
593.180. by CVG::THOMPSON (Who will rid me of this meddlesome priest?) Mon Nov 22 1993 11:18, 9 lines
    
    >Hah, just wait for widespread use of DECnet Phase V.  The powers that be 
    >have seen fit to bestow geography-dependent names on nodes.  MU's
    >real name is DEC:.lkg.mu, and so if I ever move to another building,
    >that'll have to change.
    
    Doesn't that defeat the whole purpose of a Distributed Name Service?
    
    			Alfred
593.181. by NETRIX::thomas (The Code Warrior) Mon Nov 22 1993 11:19, 1 line
No.
593.182. by CVG::THOMPSON (Who will rid me of this meddlesome priest?) Mon Nov 22 1993 11:27, 4 lines
    RE: .181 I thought part of the purpose was to facilitate location
    independent naming. Not so?

    		Alfred
593.183. by MU::PORTER (dave has now left the building) Mon Nov 22 1993 11:44, 8 lines
"Location independent naming" means that a given name, if it's valid,
is valid from anywhere in space - that is, I can pass a name across
the net to you, and you can use that name and have it mean the same
that it means to me.

It doesn't guarantee that the name will remain valid throughout time,
and it certainly doesn't protect against people who create names
which need to be changed "often". 
593.184. by NETRIX::thomas (The Code Warrior) Mon Nov 22 1993 11:56, 17 lines
Nope.  It was to eliminate the idea of a central authority / server for all names.
DNS is a "whitepages" directory service, it lists everyone but it's not for
searching (that would be a "yellowpages" (not to be confused with Sun's YP)
directory service: look up by what, then who provides).

Actually DNS is kind of like telephone numbers in North America.  You can
use a 7 digit number to dial locally (DNS uses just the last of the name for
systems in your part of the naming tree).

But if you call long distance, you need a 10 digit (area code and 7 digit local
number).  If you need to reference outside of your local part of the tree, you
need to use the full (long) format of the system's name.

Also, in some parts of the US, you can dial a closeby toll call by dialing 1 + the
seven digit phone number.  DNS allows the use of a synonym directory which 
allows just a normal Phase IV style name to reference a name even though it
may not be where you are.
593.185. by NOTIME::SACKS (Gerald Sacks ZKO2-3/N30 DTN:381-2085) Mon Nov 22 1993 13:09, 4 lines
Dave,

Do you do backups of MU's files?  Is the backup tape left in the tape drive?
If so, your files are obviously not secure.
593.186. "Just in case...." by QUARK::LIONEL (Free advice is worth every cent) Mon Nov 22 1993 13:57, 9 lines
Re: .185

As system manager and sole user of QUARK, that potential problem had already 
occurred to me.  My backups are encrypted.  (I also keep my logs of
anonymous notesfile postings on behalf of others in separately encrypted files,
so they're never left as plaintext on my system for more than a couple of
minutes at a time.)

					Steve
593.187. by VMSVTP::S_WATTUM (OSI Applications Engineering, West) Mon Nov 22 1993 14:01, 10 lines
>Also, in some parts of the US, you can dial a closeby toll call by dial 1 + the
>seven digit phone number.

Not for much longer.  U.S. West in Colorado will be starting to require the
full 10 digits for all toll calls (starting January 94 I think), I expect other
places will soon follow (if they haven't already).  This is because they are
out of area codes, and they need to start using area codes that don't have
0 or 1 as the second digit.

And now, back to DNS...  or whatever.
593.188. by MU::PORTER (dave has now left the building) Mon Nov 22 1993 16:44, 13 lines
>Do you do backups of MU's files?  Is the backup tape left in the tape drive?
>If so, your files are obviously not secure.

They're as secure as MU.  If you're in my cube, then you can
get to the console, so you can break in to MU easily enough.

I suppose that simply stealing the tape cartridge would be
easier and quicker (assuming what you were after happened to
be on the incremental tape currently loaded in the drive)
and thus you'd be less likely to get caught red-handed.

Come to think of it, you could just unplug the hard drive...
593.189. by DECWET::FARLEE (Insufficient Virtual...um...er...) Mon Nov 22 1993 21:56, 21 lines
At the risk of getting back to the topic...
My understanding is that there is no *legal* restriction against
reading another's files without permission, however I believe
that Digital Equipment Corp. has a corporate *Policy* banning
such access.  I believe that it is ensconced in the orangebook.
The gist of it is that reading through another person's files without
permission is considered equivalent to rummaging through their physical
files/papers in their desk, and MAY be grounds for termination.

Please bear in mind all the usual caveats about how corporate, or
local personnel will interpret/enforce policies seems to be variable.
Also note that other companies have VERY different policies (some actually
encourage snooping in order to catch employees at other offenses), and if
we have hired employees from other corporations (which we have) they may have
a very different set of norms.

...And now to redeem myself in the rathole department:
Here in western Washington state (206 area code) we must dial the full 10+1
digits for any toll calls because the area code is so full that they have
started using prefixes with 0 and 1 in the second position (i.e. (206) 515-5555)
(a purely random number for illustration only.  Do not dial.)