Security issues with public PCs at Mix07

One thing that continues to amaze me is how badly public computers are often set up. Even in larger Internet cafés or hotels I have seen the weirdest configurations in terms of security and privacy.

The last place where I expected this, however, is a Microsoft conference where everything else seemed to have been thought through to the very last detail.

In the conference area there are dozens of public PCs available for participants. That is a good thing even though there is WiFi coverage, because not everybody wants to drag a laptop around all day, and no laptop battery lasts all day anyway.

[Image CIMG1630: the public PCs in the conference area]

Obviously all PCs are set up the same way, as the installation comes from a single image. The only program that can be started is Internet Explorer, which makes sense. In Internet Explorer the "Tools" menu is disabled (i.e. the icon is not displayed), so there is no obvious way to delete the browser history after a quick emailing session.

If you search a little longer (Vista is still new for most of us) you will find the options in the Control Panel under "Delete Browsing History". The dialog box that opens looks like this:

[Image CIMG1627: the "Delete Browsing History" dialog box]

This is where it gets really strange. You can delete everything (temporary files, cookies, etc.) except the browser history, because that option is disabled. The browser history is only deleted when the PCs are rebooted.

I asked the helpdesk staff if this was intended, and a nice guy named Miles acknowledged that this appeared to be a stupid setup, but that they had not built the image, only copied it to the PCs, and that they were not allowed to change it "for security reasons – now that you tell me this, I realize how absurd this is", Miles said.

This conversation took place on Monday, and there was no apparent change in the setup yesterday. So during one break I looked at three PCs. The (only) good news is: I did not have access to any email accounts. This being a tech-savvy audience, everybody had pressed "logout" before he or she left the computer. However, a lot of private data was visible to me. Here are some examples.

At every computer I looked at, ten or more email addresses were easily visible just by opening the webmail site again (I guess the sites all saved cookies).

[Images CIMG1717, CIMG1719] Ben Skelton is using Google Apps for Your Domain and jackyxu98 is using MS Hotmail.

Yahoo! Mail displays the account name in the page title, so all usernames are conveniently listed in the History:

[Image CIMG1725] whoiskb and david_kizzia are using Yahoo! Mail.

There were some other funny things to look at. Somebody from Russia is obviously preparing some dates back home, so he logged into dating.ru and looked at some profiles of girls.

[Images CIMG1715, CIMG1721] I'm not a master of the Cyrillic alphabet, but it looks like he was checking out Svetlana, 19, and Svetlana, 23 (he must like that name) and some others.

Plus, a sweet and pure newborn from Scandinavia and his mother were viewed from Las Vegas:

[Images CIMG1723 (edited), CIMG1722] Picture gallery from Scandinavia (the only edits I made are in the left picture – you don't want to start your life being posted like this with your real name)

Funny, right? Well, not entirely. I have at least three reasons why this is bad, even though I was not able to get into the email accounts:

1) Many people, maybe some of them walking around here, have more knowledge than me and might be able to get into those accounts with the address and the cookie.

2) If I were a spammer, I could have walked around during a break and collected hundreds of email addresses.

3) As some of the email addresses are clearly secondary/private, and as everybody is wearing a badge with their real name clearly visible, it would be very easy to post facts like "John Doe from ACME Corp. has set up a private email address 'meet-me-in-my-hotel-room@yahoo.com' for the conference". I don't find this funny, but some people might.

I think Microsoft could really do better. There are staff members around who restart the browsers during every break and set them to display the Mix homepage, and it would be very easy to tell them to delete the browser history as well – after enabling that feature.


3 thoughts on "Security issues with public PCs at Mix07"

  1. Note: on public PCs you do not enter any data of your own at all, so you do not log into your email either. You simply do not know what is running on the PC. Deleting cookies and so on is useless if a keylogger is running. And so on.

  2. To my mind your post is pretty hot. How would MS react if this really became public? And why do they do this? It certainly did not happen by accident!

  3. Rumsum: The need is sometimes simply greater than the sense of security. After all, hundreds of IT professionals did not follow your rule. Though I find the keylogger scenario on a PC set up by MS rather unlikely, but I have been in Internet cafés in India where nothing would have surprised me…

    Hardy: I actually think so too. But still nobody noticed.
