Rant on Security Now! 94, RE: Library Security

On SN 94: The Fourth Authentication Type, Leo and Steve talked about how a hacker can have a thumb drive, install keylogging software, put it in a Library computer, leave it there for a week, come back and have all of the user names and passwords of the people who sat there. I'd like to argue this point, heavily. There may be some libraries that do not have any restrictions on their patron terminals, however there are many, including the one that I work at, that do. We run a program called "trust-no-exe". this does exactly what you think. It stops all EXE files from loading except the ones that you specify. We do this, in addition to several other security related things.

Additionally, many of the libraries in the US had donated, or were allowed to purchase at a significant discount, computers from the Bill & Melinda Gates Foundation. And the B&MGF did not just give the computers and say, here, you deal with security. No, the setup included that all of the users are Non-Administrators. Many libraries are extremely concerned about security and privacy, particularly because they have a very diverse population. One specific thing is that we did not allow thumb drives until we could find a way to restrict them from running programs. Plus, being non-administrator users, our patrons cannot run the U3 Software, since that requires Administrative rights; yet they can still save their files to their thumb drives. Many libraries continued this setup, even if they replaced their aging Gates' computers.

I find the belief that libraries are lackadaisical when it comes to security, disheartening and rather assumptive on the part of Leo and Steve.