One thing that continues to amaze me in general is how bad public computers are often set up. Even in larger Internet cafés or hotels in have seen the weirdest configurations in terms of security and privacy.
The last place where I expected this, however, is a Microsoft conference where everything seemed to have been thought through to the very last detail.
In the conference area, there are dozens of public PCs available for participants, which is good, even though there is WiFi coverage, because not everybody wants to drag the laptop with him all day, plus no laptop battery lasts all day.
Obviously all PCs are set up the same, as the installation comes from a single image. The only program that can be started is the Internet Explorer – which makes sense. In the Internet Explorer, the „Tools“ menu is disabled (i.e. the icon is not displayed), so there is no obvious way to delete the browser history after a quick emailing session.
If you search a little longer (Vista is still new for most of us) you will find the options in the Control Panel at „Delete Browsing History“. The dialoge box that opens looks like this:
This is where it gets really strange. You can delete everything (Files, cookies, etc.) except the browser history, as this option is disabled. The browser history is only deleted when the PCs are rebooted.
I asked the helpdesk staff if this was meant to be, aend a nice guy named Miles did acknowledge that this appeared to be a stupid setup, but that they had not build the image but only copied it to the PCs, and that they were not allowed to change it „for security reasons – now that you tell me this, I realize how absurd this is“, Miles said.
This conversation took place on Monday, and there was no apparent change in the setup yesterday. So during one break I looked at three PCs. The (only) good new is: I did not have access any email accounts. This being a tech savvy audience, nobody did not press „logout“, before he or she left the computer. However, a lot of private data was visible to me. Here are some examples.
At every computer I looked at, ten or more email addresses were easily visible just by opening the site again (I guess they all saved cookies).
Yahoo! Mail displays the account name in the page title, so all usernames are conveniently listed in the History:
There were some other funny things to look at. Somebody from Russia obviously is preparing some dates back home, so he logged into dating.ru and looked at some profiles of girls.
Plus, a sweet and pure newborn from Scandinavia and his mother were looked at from Las Vegas:
Funny, right? Well, not entirely. I have at least three reasons why this is bad, even though I was not able to get into the email accounts:
1) Many people, maybe some of them walking around here, will have more knowledge than me and might be able to get into them with the address and the cookie
2) If I was a spammer, I could have walked around during a break and collected hundreds of email addresses.
3) As some of the email addresses are clearly secondary/private, and as everybody is wearing badge with the real name clearly visible, it would be very easy to post some facts like „John Doe from ACME Corp. has setup a private email address „email@example.com“ for the conference. I don’t find this funny, but some people might.
I think Microsoft could really do better. There are staff members around to restart the browsers in every break and set it to display the mix homepage, and it would be very easy to tell them to delete the browser history as well – after enabling that feature.