You might know (but very it’s likely you don’t) I wrote about securing your Windows machine by not running as a user who has administrative privileges on in a previous post. So this summer I was staying in a hotel by a well known and established chain, which have these nifty computers in the lobby with internet access, to do some random surfing and perhaps check your mail when your inner geek gets the feeling you’ve been disconnected from the net too long.
Anyway, after searching some tourist info about the city of Rotterdam, where we turned out to be during that period, I thought about checking my GMail account. Then it struck me that I was on a machine I didn’t know if it was secure or not, so I tried to see what the “internet” user’s privileges would be. I sorta figured it would be secure, as I noticed it had a virus scanner installed and all, so at least someone with a bit of common sense had been installing the machine.
I quickly found out I was an admin on that system. WTF!
I could install anything on it, I managed to download from the world wide web. Keyloggers, trojans, virii, whatever. In fact, some people already had installed some software on it, harmless stuff, but it’s hard to tell what else might have been snuck on it right? The process list already had some suspicious entries, which didn’t really augment my trust in the machine.
This kind of stuff is just hazardous IMO. Not only do you expose everyone using the machine to some degree of identity theft, but secondly you are exposing a number of machines to the internet ready to be exploited by hackers to be used in their bot-nets.
As if we aren’t getting enough spam already these days.
Securing a system like this could be as simple as using a guest account, which is not a system administrator of course, much like the Windows XP standard guest account. Reinstalling once a week, or even daily from a prepared image file would be a good idea as well, in case the machine gets compromised anyway at some point.
People don’t seem to have a problem with trusting their account info to a strange machine either, otherwise this kind of thing would be frowned upon, which clearly isn’t the case.
Don’t take candy from strangers, nor talk to strange computers people.