Wednesday, January 18, 2012

A Suggestion for Your Open Campus PCs

I was reading the latest news about City College of San Francisco administrators urging students and staff not to use their computers for sensitive purposes like online banking, when I had an idea (also see here for my earlier post). Certainly City College is not the only institution with lots of PCs available for student and staff use but without the means to protect those devices. My guess is everyone reading this blog has a similar situation on their campus.

My idea is simply to post a sign above each one something like the one above. It seems that if the institution cannot stop students from downloading malware (and who can?) or even installing malware intentionally (it could happen), then it makes sense to have some kind of warning for casual users. A good place to start might be to just tell users that if they are visiting a site that requires a password, that site likely contains some personal or financial information they might not want going to the bad guys.

The Web is a dangerous place. Maybe that should be part of everyone's education.

1 comment:

  1. This is just my $.02, but isn't this just burying your head in the sand?

    Many universities advertise that students are not required to have their own personal computer. The first thing that happens in most computer labs is student type their university username and password at either the system login screen or some universities allow local use but use captive portal to restrict online access until authenticated. In most cases, this is the same username/password used for thing like scheduling and modifying a student schedule can have severe financial implications if you drop a class at the wrong time.

    Maybe you aren't buying the whole online access bit, so let's assume you're a student without our own personal laptop, more than likely you are going to fill out a FAFSA right? Then aren't you going to do that on a computer in a public lab and since that requires an SSN I'd say we're requiring them to do something worse then just log into a site with a password.

    I honestly think university labs should allow the end-user to wipe a machine; both before they do something sensitive and after. This is far from perfect; hardware key loggers are easy to get and there's a real danger of some one tampering with the firmware or memory (video card memory doesn't get wiped on boot, so its one way to persist through an operating system wipe). Even though its not perfect, I think its a better step in the right direction.