Big IQ play from IT outsourcer: Can't create batch files if you can't save files. Of any kind

Be careful what you wish for

Who, Me? The end of a damp weekend (for the UK at least) heralds a new instalment in our ongoing series of Register reader confessions. Welcome back to Who, Me?

Today's story comes from a reader Regomised as "Alan" and concerns the time he was instrumental in the accidental near-shutdown of an entire department of Her Majesty's Government (HMG).

While our tale takes place some decades ago, we'll draw a discreet veil over the department concerned, suffice to say it had outsourced much of its IT services (desktops, servers, mainframes et al) to one of the big boys, as was the fad of the time (and remains so today).

Alan was working for the government in the role of IT Security Consultant. While dutifully reviewing the list of security requirements issued by the Powers That Be, he noted one that stated that DOS commands must not be available to users.

It all seemed to have been implemented as specified, but Alan was a curious chap. Was there another way of firing off a cheeky command or two?

"I had a thought," he said, "and booted up MS Word, and wrote the following text:"

dir > files.txt

Next, he simply saved the file as plain text and named it list.bat.

The batch file was simple stuff. Double-clicking list.bat fired it off. The operating system recognised it and dutifully ran it. The result was "a nice listing of the contents of the directory" in the freshly created files.txt.

"This has proved useful for delivery of sets of documents to many customers since," he added.

It did, however, highlight a gaping hole in security. Alan had been able to get at the verboten commands via the medium of a common-or-garden batch file combined with the trusting nature of the OS of the time.

"I showed my work to my civil servant manager, the head of IT Security," Alan said, "pointing out that had I used the instruction I would have obtained a command-line interface window allowing use of DOS commands directly."

We imagine that strong words were then had with the supplier of all things IT who, in a rare moment of efficiency, took rapid action.

Alan turned up for work the next day to find his account only had read-only access. He could not save any files anywhere. At all.

Neither could anyone else in the department for the rest of the day.

In order to stop naughty batch files from being created, the IT outsourcer had simply stopped the saving of any files, solving Alan's problem, but creating a huge swathe of new ones.

"There were," recalled Alan, "some forthright 'discussions' concerning what had actually been asked for versus what had been delivered.

"Moral: be careful what you wish for, and from whom you wish it."

Ever issued a smug "there, I fixed it" for one problem, only to create near limitless user pain? Or been on the receiving end of one of those IT "fixes"? Share your tale of woe with all at Who, Me? ®
