How to stop young dudes from taking over library ‘puters
March 20, 2008 11:39 PM   Subscribe

If 10 to 12yr olds are are somehow circumventing your network security,.... I personally doubt there is anything to "admire". They probably havent spent hours coding some super-ingenious "hack" to get around your system. Most likely (occums razor principle), they've just found some easy, open, backdoor to walk right into controlling your systems. In the hacker/geek world, we would say: "Dude, you've just been totally 0wned." (meaning, you are no longer in control of your systems)

As someone who has spent 3-ish years working in a K-12 and knows the relentless assualt pre-teen and teens can have on computers... I would look at the following things:

(you mentioned World of Warcraft, so I'm going to assume your computers and public terminals are some flavor of Windows)

1.) How is your network setup? Do you have a domain controller? (one central computer that manages the network and logons/accounts) Is the Domain controller configured to enforce any type of "security policy" ? (my guess would be, its not. Or you are using the default security policy which is (obviously) not secure enough for your environment)

2.) How do users logon to the public terminals ?... Do they have single, unique accounts?, or is there one generic public logon?. Have you disabled ALL "guest" accounts?.... Do you allow people to logon locally (to the computer in front of them)... or do you enforce a policy where the only way they can logon is by logging into the network?

I could go on... but what you really need is someone (hopefully an IT professional) to come in and review your network configuration and help you make its more secure. (in a perfect world, I'd consider the option of making all the public terminals some flavor of Linux, that would put a cold stop to most teen-hacking attempts ) but I'm sure your running Windows for certain reasons. I understand Libraries are typically low on budget and the demands of technology are immense, but you have to do some basic things to ensure the security of your network. (meaning, if a 10 or 12 yr old can "hax0r" your boxes, ... its quite possible someone like me could walk in and steal a copy of your entire library database, or use your network to broadcast spam or worse types of illegitimate traffic)

I'd be happy to offer more constructive advice, .... Email in my profile.
posted by jmnugent at 12:37 AM on March 21, 2008

Most likely they're just pressing Ctrl-Alt-Del twice at the logon screen, then typing Administrator into the Username box, then logging on. I am always amazed how many Winboxen run with blank Administrator passwords.

Note that Administrator is typically not one of the users that shows up on the Welcome screen.

The fix is to do this yourself, and while logged on as Administrator, visit Control Panel->User Accounts and create a nice opaque Administrator password.
posted by flabdablet at 12:48 AM on March 21, 2008 [1 favorite has favorites]

Oh yeah: you also need to change the BIOS settings on the computers to disallow booting from anything except the hard disk, and then lock the BIOS settings down with a password. If you don't do that, than anybody can just walk up to one of your machines, power it down, boot it up into BartPE or any of the Linux-based admin password resetters off a USB key or CD-ROM, and you've lost control again.

If these miniature haxx0r5 have already changed your Administrator passwords to some secret thing of their own (which they may well have done if they can lock other people out of the computers), you just need to log on to the admin account you'd normally use, then open a cmd window and type

net user Administrator *

and enter the new Administrator password when prompted for it.
posted by flabdablet at 1:21 AM on March 21, 2008

Apparently there's an easy hack if PC Reservation is in the default location.

But there's also a human factor here. Your higher-ups need to put some backbone into your policies -- such as ejection and bannination.
posted by dhartung at 1:25 AM on March 21, 2008 [3 favorites has favorites]

Obstruct the USB ports.
posted by fourcheesemac at 2:54 AM on March 21, 2008

You could obstruct the USB ports.
posted by fourcheesemac at 2:54 AM on March 21, 2008

"You could obstruct the USB ports." - fourcheesemac

It would be a touch funnier to internally disconnect the USB ports, such that the troublemakers would attempt to plug USB devices in.. and then wonder why they werent being detected. *chuckle softly* as they remove and re-plug the devices in frustrating attempt to get them to work. :)
posted by jmnugent at 3:16 AM on March 21, 2008

Speaking from experience, not being able to use the usb ports on a library computer would suck. I used to do my work at home and then go to library to email it. That's when I was a little poorer than I am right now.
posted by sully75 at 4:12 AM on March 21, 2008

Along with computer security changes, it may just be as simple as putting up a sign (if there isn't one already) asking people to reserve the computers, and to logout when done. There's a good chance a sign and the presence of a nosy employee will be a good deterrent. If you see them playing tell them they shouldn't be. If you see the kids walk in then take a 5 minute break to check on them. They may just think nobody knows they're doing it. They may also see the computers as unused, and not realize that there are people like sully75 who actually need access to those computers, so tell them.
posted by monkeymadness at 4:29 AM on March 21, 2008

Ah, the joys of envisionware. We disabled the USB drives on computers that were being booted via flash drives at my library. I haven't had personal experience wih your other hacks but similiar shinanigans (for a long time ANY 14 digit number would allow a reservation on our system) was handled through behaviour modification: I give the offender one warning, ban them for a day at the second incident and ban them for months at the third incident. Of course, if your administration is not keen on baning you have to make the case that the library computers need to be accessible to all patrons, not just the tech-saavy ones that feel entitiled to hours of gameplay while someone who wants to print off their resume walks out empty-handed.
posted by saucysault at 5:22 AM on March 21, 2008

Sorting this out is just not a priority for her.

That's the part that boggles my mind. You have *10-year-olds* with admin privileges on your computers and she's not seeing that as a priority?

Good lord. Does she *want* to get fired?
posted by mediareport at 7:07 AM on March 21, 2008

At the very least, if I were you I'd cover my own ass by sending a letter to the IT person, discussing the problem and pointing out this is a serious security issue with possibly *very* serious ramifications in the angry parent/community department.
posted by mediareport at 7:13 AM on March 21, 2008

Sounds like your reservation software is working fine, but you're letting people log onto windows with accounts that are not limited. Once you give them admin access then you've lost everything. They're probably doing nothing other than disabling the software and then re-enabling it when they are done. If you can do you anything you should:

1. change all passwords.

2. take the user account for login out of the administrators group.

Now discuss policy with your supervisors. Why are you even letting people play videogames on library computers?
posted by damn dirty ape at 7:19 AM on March 21, 2008

Envisionware is not a great piece of software, but it sounds like it has not been configured at all to allow the kids to do all these exploits. It sounds like the Admin module has not been password protected properly as well as I have a feeling that the patron number dump does not work correctly. It is probably set up to read any Xnumbered digit as 'valid' (how ever long your library card numbers are) so typing in 123456789 and then next time using 987654321 works for them.

If you are at all responsible for the computer area, do as mediareport states and write a letter to the IT Librarian laying out what you think is happening.

As a Systems Librarian this type of lazy IT shit infuriates me to no end.
posted by Razzle Bathbone at 7:20 AM on March 21, 2008

Speaking from experience, not being able to use the usb ports on a library computer would suck.

Disabling USB as a boot device is different than disabling USB in general. I agree disabling USB in general is stupid. There should be no software to fear if they are limited users.
posted by damn dirty ape at 7:21 AM on March 21, 2008

Hogging public computers disgusts me, but lawsuits could have worse consequences for your library and your users. If a computer is compromised, keyloggers can slurp all passwords, credit card numbers, and so on. Do you have a disclaimer and warnings on the general user start screen? One or more computers might distribute spam or denial of service, leading other places to ban email from your site, orrequiring your internet service provider to drop service.

The tech measures noted above are necessary and might suffice to support acceptable use. However, if the knaves have had full access or if outsiders have had full access through the net, then just changing the admin password and removing all unpassworded boot will not suffice. You need proper security and a bare metal install to implement it. Some schools build a secure image and do an automatic re-install every night, and also have a decent firewall. I applaud your attention to this matter. But the can of worms is open even if no staff member notices it, and it is a very big can of very big worms. Perhaps a library association or forum, or a nearby larger library or school can advise.
posted by gregoreo at 7:23 AM on March 21, 2008

After you:
disable USB boot in the BIOS, change the Administrator password, and lock the system so new accounts can't be made (you really just have to type anything in that login box), you really should block the WOW ports @ the router, if someone has a legitimate use they'll come tell you. (they won't.)

One more thing---is it remotely possible to make it so the screens are more visible from a staffed location? If so, it would be pretty easy to remotely terminate a connection to one computer when you see the infraction going on. Of course, this would best be done right when they're in a PVP zone.
posted by TomMelee at 7:30 AM on March 21, 2008

We use Fortres and CleanSlate in our library to lock our systems down. We only let certain software run on certain machines, so while we can't do much about Facebook being visited from a browser, we can be sure that folks are not installing anything on our machines.

Locking down the USB ports is a good idea, provided you set it so they can be unlocked easily with a password. This means that staff will have to come out from behind the desk to unlock machines for legit use. Could be a training and staffing issue depending on your numbers.

If you want this to become a higher priority for your library system, let the kids come in and hog as many machines as they like. Then when people complain, give them the contact info for the IT librarian, the IT librarian's boss, and the head of the board of directors. It will become a big deal fast.

Then when the shit rains down, be ready with your plan for a gamer lounge (or at least some designated game-okay machines). Be sure to point out that if you lock everything down hardcore, it will just encourage more kids to try and crack the system to get what they want. This is why we don't block Facebook even though it's a non-research related use of our machines - people would break more stuff trying to get around it that we'd lose much more staff time and resources to fixing/policing.
posted by robocop is bleeding at 7:32 AM on March 21, 2008

In our (university department) computer labs, we give people local admin access so they can install whatever they need on the machines while they're logged on. But the computers are frozen with Deep Freeze (expensive enterprise software, but there's probably some cheaper alternative) so everything resets upon reboot. I think you and your IT librarian need to read the MaintainIT project's (our very own Jessamyn is on the advisory board) Cookbooks on how to properly set up, administrate, and freeze your public terminals. If your IT librarian values her job, she damn well should be paying attention.
posted by calistasm at 7:49 AM on March 21, 2008

Do you have CD-ROM drives in the computer? They could easily be booting a Linux LiveCD and playing World of Warcraft on that as well. Disable booting from everything other than the hard drive.

Also, if your Admin account is disabled on those boxes, you can reboot windows in safe mode, and the Admin account becomes renabled (usually with no password), which then makes it easy to do whatever you want with the machine.

If you see a locked workstation that should be empty or reserved, press and hold down the power button and reboot it.
posted by blue_beetle at 8:19 AM on March 21, 2008

you can reboot windows in safe mode, and the Admin account becomes renabled (usually with no password),

This is untrue. If you boot into safe mode and you dont know the administrator password then you are out of luck. It doesnt magically reset it to blank.
posted by damn dirty ape at 11:23 AM on March 22, 2008

This is untrue. If you boot into safe mode and you dont know the administrator password then you are out of luck. It doesnt magically reset it to blank.

Sorry, I wasn't clear, if your local admin account is disabled, and doesn't have a password (the default setting) it will be enabled and still won't have a password. If you have set a password on the admin account, this won't remove it.
posted by blue_beetle at 11:25 AM on March 22, 2008

Deep Freeze (expensive enterprise software, but there's probably some cheaper alternative)

Microsoft SteadyState is not only cheap, its free for XP users.
posted by damn dirty ape at 11:25 AM on March 22, 2008

« Older I need a reliable service that...   |   How can I secretly and wireles... Newer »

This thread is closed to new comments.