Originally Posted by jakeny
Like I thought perhaps public libraries would have their computers managed and protected super well. ... whereas I thought perhaps the computers at a public library would have like super smart tech guys managing them against these types of programs. But maybe my logic is flawed?
How I wish it weren't, but sadly that is the complete opposite of the security model. Always consider any security questions as 'what is the risk, and to who?' Security is always about risk-management - since you can never be completely
secure, it is a balance between risk and reward, get the balance right and you'll be secure enough
but get it wrong and you're an attractive target. Consider the following example:
1) You're using a library computer and download credential-stealing malware by accident through an ad on a page you visit. The page you were looking at was a weather forecast for the next day, then you go to visit a news website (requiring no login). You finish you browsing session and leave the machine.
Q) What risk does this pose to you?
A) None. You didn't enter any personal details and therefore the malware stole none of your information.
Q) What risk does this pose to the library?
A) Some. Over time, they could build up a reputation for having badly infected machines and lose business.
Q) What risk does this pose the attacker?
A) None. It is unlikely that these machines are monitored/cleaned on a regular basis and the attacker could pick up credentials for a long time with no active oversight required, information just pops up at their server's front door in a steady stream from around the world. There is little chance of this person being identified and caught.
(now the important one)
Q) What risk does this pose the person who uses the computer after you?
A) Lots. They have no idea that you've inadvertently just infected that terminal, and whilst you weren't browsing safely (because you were only checking news/weather) the next person could be divulging a lot of personal information, on a very trusted website, with no idea that the damage has already been done.
Therefore, you have to assume that whenever you use a shared terminal in a public place that you are the second person
in this scenario.
Obviously I am describing the average public terminal here, I imagine universities do have better security monitoring and cleaning processes for their terminals - however I doubt this is any more frequent than daily, by which time hundreds of users could have been at risk of the above scenario.
The best way to implement a public network (e.g. library) would be:
1) Use thin-client terminals (i.e. those with no hard-drive directly attached)
2) Use a well-secured central server which provides network (PXE) boot capability to the clients
3) When booting, thin-clients request an operating system image from the server
4) The image is provided as a stock installation of the chosen operating system
5) Every time a user logs-in, a virtualised environment (Virtual Machine) is provisioned and isolates that users activity from the physical terminal they're sitting at
6) When the user logs off, this session state could be saved under that user's account on the central server, or discarded for a fresh logon next time. This could be at the user's discretion (presuming they haven't finished what they wanted to do but wasn't ready to save a document to a shared network drive for later)
7) The next user who logs on has the choice of resuming a saved session or starting fresh
In this situation, the virtual machines are managed securely (and only need to be patch in one place, the central server) and the thin-clients are immune (mostly) from infection by the virtual machine.
Originally Posted by jakeny
And let me recommend that you need to consider posting videos on YouTube or something LOL. Seriously. You might even be able to rake in some money from them if you get a lot of hits and get ads from people watching them (you just gotta make them helpful, interesting, and enticing to people).
As for the videos, not really my thing - but I am working on a website to cover this stuff, just taking a long time getting it done.
Glad to help though