Altivo ([personal profile] altivo) wrote 2010-09-15 09:49 pm
Hypothesis validated

We've had problems with a kid who has clearly figured out how to evade the controls on public computers in the library. He manages to stay logged in way past the time when his session should be cut off, manages to log in at times when the machines are supposedly disabled, and evades rules about signing a log showing his time on and off. His privileges were suspended for a couple of months this summer after I caught him unplugging a computer to force it to reboot.

The terms of the suspension required him to re-register with his mother present to co-sign the new registration form. Apparently they appeared on Monday night to do this, 25 minutes before the library closing time and thus only ten minutes before public computers automatically close down. He kept fidgeting during the formalities and was finally told that he wouldn't have time to use a computer that evening. He insisted that he would, and made a dash for the machine at the earliest possible moment, almost exactly as things were closing down. Normally this logs everyone off who is still connected, and locks up the screens, but sure enough, he sat down and was still logged in (to facebook, naturally, which he apparently can't use from home) five minutes after everything else was shut down. He quickly logged off as a librarian approached, and left.

I was asked how he could have done this, and as on previous occasions, I said "He probably knows the admin password for the entire system, or at least the one that lets you extend a session past the time quota." I actually think he knows both, and a good deal about how the administration system operates.

Others insisted that there was no way he could know these things, even though I'm sure they've performed admin operations and even discussed them within his earshot. He was a volunteer who helped straighten shelves and dust books for quite a long time. The software vendor's manuals are accessible on the web, without any special identification required in order to read them. (I don't blame the vendor for this, though. Read on...)

Tonight I tested both my guesses at how he did the trick on Monday. Both work equally well. If you manage to get logged in even just a few seconds before shutdown, you can activate the sequence to extend the session, supply the password, and add as much time to your session as you like. It does not log you out or shut the computer down until you voluntarily log out.

And, worse, if you know the admin password and how to bring up a prompt for it (a simultaneous triple keypress) you can even get past the "System disabled because it is closing time" screen. Worse, when you activate an admin session, web accesses are not filtered, no time limits are applied, and of course you can reboot or otherwise mess with the hardware and software.
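The two defects described in the last three paragraphs are really one policy mistake: the "extend session" override adds time relative to the current expiry with no upper bound, and nothing records who used it. The following is an added illustration, not the library's software or the vendor's API (the vendor is never named here); it models a hypothetical time-quota policy with constructed names (`TerminalPolicy`, `Session`, `extend`) and a constructed closing time, once with the unbounded behaviour the post describes and once with the extension capped at closing time and written to an audit log.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed closing time for the example: public terminals shut down at 21:00.
CLOSING = datetime(2010, 9, 13, 21, 0)
QUOTA = timedelta(minutes=30)  # constructed default session quota


@dataclass
class Session:
    user: str
    expires_at: datetime


@dataclass
class TerminalPolicy:
    """Hypothetical session policy for a public terminal (not a real product)."""
    closing: datetime
    cap_at_closing: bool           # False reproduces the behaviour in the post
    audit: list = field(default_factory=list)

    def login(self, user: str, now: datetime) -> Session:
        # Ordinary logins are refused once the system has closed, and a
        # normal session never outlives closing time.
        if now >= self.closing:
            raise PermissionError("system disabled because it is closing time")
        return Session(user, min(now + QUOTA, self.closing))

    def extend(self, session: Session, minutes: int, now: datetime,
               staff_override: bool) -> Session:
        # The override is the sensitive step: it should be rare, bounded
        # and recorded, so that misuse is visible the next morning.
        if not staff_override:
            raise PermissionError("staff override required to extend a session")
        new_expiry = session.expires_at + timedelta(minutes=minutes)
        if self.cap_at_closing:
            new_expiry = min(new_expiry, self.closing)
        self.audit.append((now.isoformat(), session.user, "extend", minutes))
        session.expires_at = new_expiry
        return session

    def is_active(self, session: Session, now: datetime) -> bool:
        # With the cap, closing time is a hard ceiling regardless of extensions.
        if self.cap_at_closing and now >= self.closing:
            return False
        return now < session.expires_at


def still_logged_in_after_closing(cap_at_closing: bool) -> bool:
    """Replays the incident: login ten minutes before closing, extend by an
    hour seconds before shutdown, check five minutes after closing."""
    policy = TerminalPolicy(CLOSING, cap_at_closing)
    session = policy.login("patron", CLOSING - timedelta(minutes=10))
    policy.extend(session, 60, CLOSING - timedelta(seconds=10), staff_override=True)
    return policy.is_active(session, CLOSING + timedelta(minutes=5))


def extension_is_audited(cap_at_closing: bool) -> int:
    """Number of audit records written by the replay above."""
    policy = TerminalPolicy(CLOSING, cap_at_closing)
    session = policy.login("patron", CLOSING - timedelta(minutes=10))
    policy.extend(session, 60, CLOSING - timedelta(seconds=10), staff_override=True)
    return len(policy.audit)


if __name__ == "__main__":
    print("unbounded extension, active after closing:",
          still_logged_in_after_closing(cap_at_closing=False))
    print("capped extension, active after closing:",
          still_logged_in_after_closing(cap_at_closing=True))
```

The cap is the mitigation for the first trick in the post; the audit list is what makes the override password's misuse detectable even before the password itself is rotated, since an override used seconds before shutdown by a terminal that had no staff member at it is an obvious anomaly.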

How did he get the passwords? I had guessed he watched someone type them, which is possible. However I found both of them clearly written down, with instructions for using them, on sticky tabs stuck to the phone directory holder at the circulation desk. They were clearly readable to anyone standing there if they chose to do so. It always amazes me how many people will assume that something cannot be read upside down. I know it can, because I can read upside-down text nearly as fast as I can proper, right-side-up text...

All those passwords are getting changed tomorrow, even if it takes two weeks to get the new ones out to people. Anyone caught writing sensitive passwords down and sticking them to a desk, monitor, or other visible place will, from now on, be hung in a printer cable, then boiled in screen cleaning fluid, after which they will be drawn and quartered using a broken floppy disk casing as a knife.
[personal profile] schnee 2010-09-16 07:53 am (UTC)
Wow — you would've thought people at a library of all places would be less (to be blunt) moronic.
[personal profile] schnee 2010-09-16 01:05 pm (UTC)
They don't want to know how any of it works, and resist having to learn.

Also a rather surprising attitude for library clerks, I think. :|

[identity profile] kakoukorakos.livejournal.com 2010-09-16 02:58 pm (UTC)
Having worked with many instructors, who you'd think would be rather intelligent people eager for more knowledge, I noticed that the overwhelming majority were a bit lacking in the logic department, which caused a good number to be highly resistant to learning. Librarians and other types of curator are no different, they're really just organized, professional hoarders, but not necessarily any more eager to learn than the average person, despite maintaining repositories of knowledge. Also, expertise, interest, and enthusiasm in one niche doesn't always translate into a broad range of interests.
[personal profile] hrrunka 2010-09-16 03:04 pm (UTC)
"only need to use it once a month or so but will not have anyone to fall back on for help if that need does arise."

Complicated. Sealed envelope somewhere? If they need it they can find it, but if the envelope's open then the password gets changed and a new one sealed away at the earliest opportunity? Far from perfect, I know...