Trailing whitespace as “security”

Don’t use this to secure your website!

August 23, 2010

This is one of those “back in the day” stories, so if you don’t want to listen to this grandpa rock in his chair and spin a yarn, then move along…Lessee, now where did I put my glasses?

My very first job “in computers” was as a computer operator from 1980 to 1985. It was a good job in many ways, especially since it allowed me to go to college during the day and work in the evenings, and I never had to step foot in the school computer lab because I was able to do all my programming for class on my work account.

As time went on a fellow operator and I started creating a bunch of scripts to help us do our jobs, using mostly ISPF screens and first CLIST (the horror! the horror!) and then Rexx as the scripting language to drive the screens.

For reasons that now escape me, we didn’t want other operators running our scripts. Yet they were all available, since we were all in the same security group and we didn’t have the ability to secure files to our individual ids. What to do? Then I got a “bright” idea.

On MVS at that time script files could be in one of two record formats – 80 character fixed length records (to mimic punched cards) and 255 character variable length records. The vast majority of people used 80 character records in their scripts. This was to our advantage. Remember, at this time we were working completely with 3270 “green screen” terminals, most of which were 80 character displays, although there were a few that had 132 character displays. While you could scroll to the right there were no visual indicators that you would need to do so on a long line – you just had to know that there was more data to the right.

So using the psychological expectation by most people that script files are 80 characters wide, the solution was simple. At the top of the file I simply put a comment block, like this:

/************************************************************************/
* This script written by Jim Lehmer.                                    */
/* It does blah, blah, blah.                                            */
/************************************************************************/

Then, padding those comment lines with spaces I put in an IF statement similar to the following way over to the right of the comment block:

IF USERID() != "jlehmer" THEN
  EXIT

Everyone thought we had some sort of special security on the files, because they’d try and run the scripts and the code would immediately exit. No one figured it out, for years. They never thought to scroll to the right, even if they noticed that the record type on the script files was 255 character variable length records.

So now you’ve heard everything – security through trailing whitespace!