Altivo ([personal profile] altivo) wrote2010-09-15 09:49 pm
Hypothesis validated

We've had problems with a kid who has clearly figured out how to evade the controls on public computers in the library. He manages to stay logged in way past the time when his session should be cut off, manages to log in at times when the machines are supposedly disabled, and evades rules about signing a log showing his time on and off. His privileges were suspended for a couple of months this summer after I caught him unplugging a computer to force it to reboot.

The terms of the suspension required him to re-register with his mother present to co-sign the new registration form. Apparently they appeared on Monday night to do this, 25 minutes before the library closing time and thus only ten minutes before public computers automatically close down. He kept fidgeting during the formalities and was finally told that he wouldn't have time to use a computer that evening. He insisted that he would, and made a dash for the machine at the earliest possible moment, almost exactly as things were closing down. Normally this logs everyone off who is still connected, and locks up the screens, but sure enough, he sat down and was still logged in (to facebook, naturally, which he apparently can't use from home) five minutes after everything else was shut down. He quickly logged off as a librarian approached, and left.

I was asked how he could have done this, and as on previous occasions, I said "He probably knows the admin password for the entire system, or at least the one that lets you extend a session past the time quota." I actually think he knows both, and a good deal about how the administration system operates.

Others insisted that there was no way he could know these things, even though I'm sure they've performed admin operations and even discussed them within his earshot. He was a volunteer who helped straighten shelves and dust books for quite a long time. The software vendor's manuals are accessible on the web, without any special identification required in order to read them. (I don't blame the vendor for this, though. Read on...)

Tonight I tested both my guesses at how he did the trick on Monday. Both work equally well. If you manage to get logged in even just a few seconds before shutdown, you can activate the sequence to extend the session, supply the password, and add as much time to your session as you like. It does not log you out or shut the computer down until you voluntarily log out.

And, worse, if you know the admin password and how to bring up a prompt for it (a simultaneous triple keypress), you can even get past the "System disabled because it is closing time" screen. On top of that, once an admin session is active, web accesses are not filtered, no time limits are applied, and of course you can reboot or otherwise mess with the hardware and software.

How did he get the passwords? I had guessed he watched someone type them, which is possible. However, I found both of them clearly written down, with instructions for using them, on sticky tabs stuck to the phone directory holder at the circulation desk. They were clearly readable to anyone standing there who chose to look. It always amazes me how many people assume that something cannot be read upside down. I know it can, because I can read upside-down text nearly as fast as I can proper, right-side-up text...

All those passwords are getting changed tomorrow, even if it takes two weeks to get the new ones out to people. Anyone caught writing sensitive passwords down and sticking them to a desk, monitor, or other visible place will, from now on, be hung in a printer cable, then boiled in screen cleaning fluid, after which they will be drawn and quartered using a broken floppy disk casing as a knife.

[identity profile] avon-deer.livejournal.com 2010-09-16 07:30 am (UTC)
I found both of them clearly written down, with instructions for using them, on sticky tabs stuck to the phone directory holder at the circulation desk.

*head-desk* Been here.

[identity profile] avon-deer.livejournal.com 2010-09-16 11:29 am (UTC)
I am a fan of secure passwords, but less so of ones that change monthly. I find that it increases the odds that a user will write it down, not decreases them. Certainly computer systems need to be secure, but they also need to be used by fallible human beings. Make it too awkward and human nature dictates that they WILL take highly insecure shortcuts. The problem of course is that these insecure shortcuts are taken even if the process is made easy for them. We can't win either way.

[identity profile] cabcat.livejournal.com 2010-09-22 11:21 am (UTC)
The human element is almost always the failure when it comes to password cracking...because it is the easiest way :)
[personal profile] schnee 2010-09-16 07:53 am (UTC)
Wow — you would've thought people at a library of all places would be less (to be blunt) moronic.
[personal profile] schnee 2010-09-16 01:05 pm (UTC)
They don't want to know how any of it works, and resist having to learn.

Also a rather surprising attitude for library clerks, I think. :|

[identity profile] kakoukorakos.livejournal.com 2010-09-16 02:58 pm (UTC)
Having worked with many instructors, who you'd think would be rather intelligent people eager for more knowledge, I noticed that the overwhelming majority were a bit lacking in the logic department, which caused a good number to be highly resistant to learning. Librarians and other types of curator are no different, they're really just organized, professional hoarders, but not necessarily any more eager to learn than the average person, despite maintaining repositories of knowledge. Also, expertise, interest, and enthusiasm in one niche doesn't always translate into a broad range of interests.
[personal profile] hrrunka 2010-09-16 03:04 pm (UTC)
"only need to use it once a month or so but will not have anyone to fall back on for help if that need does arise."

Complicated. Sealed envelope somewhere? If they need it they can find it, but if the envelope's open then the password gets changed and a new one sealed away at the earliest opportunity? Far from perfect, I know...
[personal profile] rebelsheart 2010-09-16 11:34 am (UTC)
How did he get the passwords? I had guessed he watched someone type them, which is possible. However I found both of them clearly written down, with instructions for using them, on sticky tabs stuck to the phone directory holder at the circulation desk. They were clearly readable to anyone standing there if they chose to do so. It always amazes me how many people will assume that something cannot be read upside down. I know it can, because I can read upside down text nearly as fast as I can proper, rightside up text...

All those passwords are getting changed tomorrow, even if it takes two weeks to get the new ones out to people. Anyone caught writing sensitive passwords down and sticking them to a desk, monitor, or other visible place will, from now on, be hung in a printer cable, then boiled in screen cleaning fluid, after which they will be drawn and quartered using a broken floppy disk casing as a knife.

I support this plan

[identity profile] kakoukorakos.livejournal.com 2010-09-16 03:16 pm (UTC)
The human element is the weakest link in security.

I find both forced password changes and most password strength rules to be utterly foolish. The way I see it, account security is the responsibility of the users themselves; all admins should do is try to instruct them in best practices. If they choose not to follow best practices in terms of password strength and not having passwords on publicly-visible sticky notes, then that's their fault and they should be held professionally responsible for any breaches that occur as a result of their incompetence, just as if they forgot to lock the door to the building or arm the alarm on their way out.

Sure, having the same password for year after year after year is not necessarily a good thing, but I find it far more preferable for users to have a good, memorized password than to have them either write one down because they had to change it, or call the helpdesk repeatedly because they don't remember what they changed it to. Either of the last two just results in security debacles, and doesn't really improve security at all.