Sonar Keyboard Logs You Out To Protect Your Data

Zothecula writes "While the simple act of logging off a workstation is an obvious way to protect sensitive data – like that used by healthcare providers, pharmacies, banks and government agencies – it is all too easy for users to forget and leave the data not only viewable, but also editable by anyone who happens to pass by. Custom keyboard supplier Key Source International (KSI) has developed a keyboard that does the remembering for you, logging out as soon as the user physically leaves the keyboard."

Hey, I've got an idea.

[intellitech]

Simply instruct your employees on the importance of not leaving a workstation unsecured (i.e. locked, logged off, etc.). Use a 3-strike system, if you must. There really shouldn't be a need for such fancy equipment.

In the end, though, I guess it comes down to whichever method of prevention is less expensive, or less time-consuming..

Re:Hey, I've got an idea.

Rule 1: The weakest link in computer security is the user.
Rule 2: See rule 1.
Rule 3: See rules 1 and 2.

Re:Hey, I've got an idea.

[Sigmon]

I'm sure that would work GREAT in a hospital setting where a nurse keying in data has to jump up and run down the hall to a patient who is crashing..... and then gets fired because she forgot to log herself out on 3 occasions. /sarcasm

Re:Hey, I've got an idea.

[EvanED]

Right, because everyone who knows the dangers is perfect and is never distracted. Way better to force the user to conform to the computer than make the computer conform to the user.

Re:Hey, I've got an idea.

[ColdWetDog]

Simply instruct your employees on the importance of not leaving a workstation unsecured (i.e. locked, logged off, etc.). Use a 3-strike system, if you must. There really shouldn't be a need for such fancy equipment.

In the end, though, I guess it comes down to whichever method of prevention is less expensive, or less time-consuming..

Bigger problem: The whole concept of logging in / logging out doesn't work well for lots of people. Let's say I have to key some data in or look something up - OK, log into the system. I then have to move away from the terminal to do something (just a reminder to Slashdotter's - not everyone is physically chained to their desk nor locked in the basement all day). I do this day in and day out. If the system logged me out every time I moved away from the keyboard or I had to log out every time my head didn't block the screen I would be one annoyed camper.

Sure, there are 'technical fixes' - use a laptop (doesn't work well if I'm standing), use a tablet (none one them yet work with clunky Enterprise software that will not be significantly upgraded in my lifetime), use a smart card system (we don't have one, aren't likely to get it). So yep, there are security holes all around the place but you always have the balance between security and usability.

A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.

Re:Hey, I've got an idea.

[EvanED]

A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.

And that depends on your domain. In many places, e.g. a software development house, sure. However, in something like a doctor's office, where even the other people in an office shouldn't have access to all the systems, this is much less true.

Re:Hey, I've got an idea.

[fuzzyfuzzyfungus]

Fighting known cognitive weaknesses and common patterns of poor prediction in humans really isn't worth the effort(nor, arguably, is it even in good taste) if relatively cheap technological solutions are available.

Humans forget sometimes. Some enough to describe them as "sloppy and incompetent" and fire them; but almost anyone will fuck up occasionally if they have to do it enough.(Plus, I'm guessing that nurses forget a little more often than average if their distractions include such minor items as "patient coding suddenly and dramatically in the next room'...)

Humans also get distracted fairly easily, and can't always predict when. "Just stepping away from the computer for 15 seconds" can easily become "get dragged into something and come back half an hour later".

Whether this particular(almost certainly overpriced) product is the way to go(when you could just use a $5 webcam that can also detect presence/absense and can even prevent naive attempts at presence spoofing, facial recognition is weak; but it is easier to impersonate a human-shaped lump than it is a specific face, without prior planning); but the idea that we should just buck up and strengthen our moral fiber, when a machine could easily do the job for us, is a masochistic recipe for poor results.

Re:Hey, I've got an idea.

[ewieling]

You can NEVER EVER trust users to do anything that might be the least bit inconvenient for them, no matter what the consequences are.

For all the employees you want, the new hires will do the same thing.

What might work is to make something painful happen, like losing all their work when they get up and walk away from their computer and their keyboard logs them out.

Re:Hey, I've got an idea.

[hedwards]

There are solutions to that kind of problem. Basically you can have a wireless token. I've seen them advertised before where they automatically log you out as soon as the token gets out of range. It's not perfect, but fine for situations where you absolutely need to be logged out.

Re:Hey, I've got an idea.

[_0xd0ad]

...which is why, after a couple of times of this thing logging them out when they didn't want it to, they'll find a way to defeat it.

I wonder if unplugging it from the PC would work?

Re:Hey, I've got an idea.

[Rary]

There are solutions to that kind of problem. Basically you can have a wireless token. I've seen them advertised before where they automatically log you out as soon as the token gets out of range. It's not perfect, but fine for situations where you absolutely need to be logged out.

This does more or less the same thing.

There can be multiple solutions to the same problem.

Re:Hey, I've got an idea.

[_0xd0ad]

Humans also get distracted fairly easily, and can't always predict when. "Just stepping away from the computer for 15 seconds" can easily become "get dragged into something and come back half an hour later".

Which is why, if I'm only stepping away from the computer for 15 seconds, I lock it. And it's why, even if I'm just driving the car across the street to park it on the other side, I buckle up.

Habits work to your advantage if you let them.

Re:Hey, I've got an idea.

[Rary]

The intention is for this to be used in environments where unlocking the computer can be done with a proximity card or a fingerprint, and scanners for both are built into this keyboard. So, all it takes to return to your work is sit down, wave your card over the keyboard, and get back to typing.

Re:Hey, I've got an idea.

[gstrickler]

Well, given that the description says the keystroke sequence to lock the terminal is stored in the keyboard, unplugging the keyboard seems like it's a likely way to bypass it.

Re:Hey, I've got an idea.

[Bill_the_Engineer]

I like the wireless token idea better, since this keyboard doesn't appear to be washable. I love hospitals that work hard to reduce infection rates and then decides to install keyboards that are prone to collect dust next to patient's beds.

Re:Hey, I've got an idea.

Step 1: Create a folder with a NSFW name and move it to a prominent location on the desktop.
Step 2: Take a screenshot.
Step 3: Set that as the wallpaper.
Step 4: Delete the folder.

Optional: plug in a 2nd wireless mouse and move it at random intervals while the absent-minded coworker is present.

There are all sorts of things that can be done with an unattended workstation other than accessing restricted data.

Re:Hey, I've got an idea.

Tried sonar mounted above the monitor at our hospital already. Unsurprisingly, you a corrrect. The genius docs and nurses taped tongue depressors with a small index card to hang in front of the device so it wouldn't log off...

Re:Hey, I've got an idea.

[rogueippacket]

Seriously, mod this guy up. All too common in our industry is the mentality that the user needs to conform to the technology. If you want to be truly successful in everything you do, try understanding the needs of your users before throwing "solutions" at them.

Re:Hey, I've got an idea.

[hawguy]

Sure, there are 'technical fixes' - use a laptop (doesn't work well if I'm standing), use a tablet (none one them yet work with clunky Enterprise software that will not be significantly upgraded in my lifetime),

Run your clunky enterprise app on an Windows Terminal Server and RDP into it, the application need not know that you're on a tablet.

A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.

Isn't a simple inactivity timer just as effective? Just set your PC's inactivity timer to whatever you'd set your motion sensor inactivity timer to (5 minutes, 10 minutes, whatever) and you've removed most of the threat of computers running unattended all day without the added complexity of a motion sensor (which, if it works as well as my office light sensor, will lock your computer out 5 times a day until you jump up from your chair and wave your arms so it can see movement).

use a smart card system (we don't have one, aren't likely to get it)

So your employer won't install a smart card system, but will install motion sensors linked to your computers?

(just a reminder to Slashdotter's - not everyone is physically chained to their desk nor locked in the basement all day). I do this day in and day out. If the system logged me out every time I moved away from the keyboard or I had to log out every time my head didn't block the screen I would be one annoyed camper.

I must have missed the part in the article where it said this was a solution for everyone. It seems that this sonar keyboard is best suited for places where confidential information is keyed in and the computer should be locked immediately once someone steps away -- like at a doctor's office or pharmacist. Why would you think it would be applied to your case where you and your coworkers (who all have equal access rights to the computer) are in a room together?

Re:Hey, I've got an idea.

[gstrickler]

Don't you just love security products designed by people who don't ever think about how they can be bypassed? Or test them in real user environments?

Re:Hey, I've got an idea.

[Wolvenhaven]

I've been using a program with ubuntu for a year or so now that you just connect your phone and laptop with bluetooth and then tell it to lock/suspend/logout when the phone gets X feet away. Works great as long as you keep your phone in your pocket at all times.

Re:Hey, I've got an idea.

[Yvan256]

Companies who make security should really have two teams:
- Team A in charge of security
- Team B in charge of defeating/bypassing security

Re:Hey, I've got an idea.

[fahrbot-bot]

...after a couple of times of this thing logging them out when they didn't want it to

It can also be programmed to simply lock the session.

Re:Hey, I've got an idea.

[v1]

Don't you just love security products designed by people who don't ever think about how they can be bypassed? Or test them in real user environments?

It's not terribly unreasonable to expect some cooperation from the people you're trying to protect. If you have locks on your building at night but people keep propping the door open, you don't look for ways to defeat the door propping, you go beat heads and tell them to knock it off.

The only time it makes sense to get involved in a forced-security escalation war is when you're dealing with a mob of minimum wage workers that care more about their job being easier today than being there tomorrow. (been there done that, two words: "wire ties") Professionals should behave like professionals and not intentionally break the rules because they're inconvenient.

But if you're making it unreasonably inconvenient for an inequitable increase in security, then you're just plain being a BofH and need to start considering the people you're supposed to be supporting.

Re:Hey, I've got an idea.

[Reverand+Dave]

Yeah, this seems to be a bit short sighted. The idea is not even really sound. (da-da-ting!)

Re:Hey, I've got an idea.

[jayhawk88]

Far too often, however, the problem comes not in whether you can properly educate your users/punish them for non-compliance, but whether you, as an IT entity, have the power to do so. If you do, awesome, but if you don't have the favor of the high muckity-mucks, phrases like "3 strikes" are going to get you stricken from the payroll records. This is particularly a problem in educational or medical environments, where profs/docs rule the roost, have for years, and aren't particularly interested in you coming in and changing things.

The point being, you sometimes have to pick your battles. A device like this is potentially a good way to avoid a particularly nasty battle, if it allows for increased security without having to constantly berate the people who have the ear of your CEO/Board of Directors/Dean.

Re:Hey, I've got an idea.

[peragrin]

They usually do.

However Team M (managers) never let the two team mingle, or even know each side exists.

look at HBGary for more information. They never bothered to look at their own systems, or audit their own processes for flaws.

Re:Hey, I've got an idea.

[Belial6]

What is the program. And is it available for Windows and Mac? I have always wondered why more companies don't use the wireless token. It gives the user all of the convince of leaving their computer unlocked, and give the Administrator more security than expecting users to make their jobs harder. The cost isn't large. A phone based wireless token system like you say your are using would be a better solution in many situations. The battery issue would be pitted against people leaving the token on their desk when they went to lunch.

Re:Hey, I've got an idea.

[peragrin]

inactiviety timers fail easily. 5 minutes is enough time for a nurse to get called away, walk up to her terminal do something and walk away. for such a timer to be secure in a high secure environment you need it to be 30 seconds long at which point it is more of a hassle.

The best so far is the id/RFID tag to login, logout when out of range. To log in the card must be present and a finger scanned.(two factors), every 15 -30 seconds the computer checks the proximity of the RFID tag or it logs you out.

If you want even more security embed the RFID tag in the wrist of the user.

Re:Hey, I've got an idea.

[PopeRatzo]

Use a 3-strike system, if you must.

Maybe try not overworking them to the point where they're exhausted after you've laid off 1/3 of the workforce in a "cost-cutting" move and expected the remaining 2/3 to pick up the "slack" even though your company has earned record profits and has paid a huge bonus to the new CEO who decided on the "cost-cutting" measure. Having employees that are underpaid, overworked, having their benefits reduced, monitored with cameras and keyloggers, are allowed two bathroom breaks a day, and who have just had their health benefits cut back to the point where they're paying three times as much every month out of their pay checks with a new $5000 deductible and yearly cap on benefits so that if they were to get sick they'd be wiped out (and who know you'd fire them anyway if they got sick) might not be the best situation when you're looking for "zero-tolerance" in the security area.

Any employer who talks about a "3-strike system" really needs to see their facility shut down in an old-fashioned strike and then have someone strike them across the forehead with a rotting fish.

And anybody who works in IT, probably as a low-level end-user support functionary for minimum wage, who would recommend to management that they institute a "3-strike system" because they're so deficient in real security (because they're paying $11.00/hr to their tech workers after all, so what do you expect?) needs to have a stone tied around their neck and be cast into the sea by the rest of the employees (who can't stand the guy anyway because he's got horrible hygiene and never seems to be able to solve any of their computer problems anyway).

And "intellitech"? Seriously, fuck you for even thinking that some low-paid clerk ought to have a "3-strike system" just because you can't figure out how to do real security.

Re:Hey, I've got an idea.

[hawguy]

inactiviety timers fail easily. 5 minutes is enough time for a nurse to get called away, walk up to her terminal do something and walk away. for such a timer to be secure in a high secure environment you need it to be 30 seconds long at which point it is more of a hassle.

Please read my post - I was responding to the poster that said he has a PC in a room with 8 other employees, he's not a nurse in a patient's room:

A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.

Isn't a simple inactivity timer just as effective? Just set your PC's inactivity timer to whatever you'd set your motion sensor inactivity timer to (5 minutes, 10 minutes, whatever) and you've removed most of the threat of computers running unattended all day without the added complexity of a motion sensor (which, if it works as well as my office light sensor, will lock your computer out 5 times a day until you jump up from your chair and wave your arms so it can see movement).

I guess the point I was trying to make (but was remiss in not stating it plainly) is that there are different solutions for different environments. It's pointless to look at a solution for one person's environment and say "Bah! That's stupid! It would never work in my (completely different) environment.

Re:Hey, I've got an idea.

[gknoy]

Better yet, set the wallpaper to "LOCK YOUR WORKSTATION" , rather than somethign NSFW. The former is not something you'd get in trouble for having/creating, whereas bringing NSFW stuff into work is, by definition, not safe.

Re:Hey, I've got an idea.

[dunkelfalke]

I changed the wallpaper picture of a colleague to hello.jpg once and hid it under a maximised application.
Then the colleague and his boss walk in, the colleague minimises the application, hilarity ensues. Needless to say that the colleague has always locked his workstation after that.

Re:Hey, I've got an idea.

[Jake+Griffin]

Or, even better, use a script on startup that checks every x minutes to see if a folder exists on the desktop, and if not, create it. That way they can keep deleting the folder, but it will keep coming back. AutoHotKey can even be used to simulate your "Optional" step. I have an AutoHotKey script that moves my mouse a single pixel every minute to keep my (password protected) screensaver from coming on whenever I'm at my computer but not actively using it.

Re:Hey, I've got an idea.

[natehoy]

Me, too.

But I'm not a duty nurse who might be on the other side of my cubicle grabbing a file to get a single bit of data off it when I get a code blue. Do I take the two steps back to my desk and tap "WinKey-L" or run in the other direction to get the crash cart?

Is that even a decision?

If I were a duty nurse, a system that locks my workstation when I step away further than the bounds of my cubicle would seem to be ideal. I get to turn around and answer the phone or answer a quick question from a patient or doctor, and turn back and not have to log back in each time, so my normal workload proceeds efficiently. However, when I have to jump up and dash away, I can focus on what I absolutely need to be doing (running like hell for the crash cart), rather than what the computer needs me to do (lock it because it's too stupid to figure out I've left the area).

Think about choosing a relatively secure password and having to enter that password every time you had to turn around (on a job that you spend a lot of time turning around). You'd very quickly figure out some sort of workaround to keep the computer unlocked rather than have to type your password 200-300 times during an 8-hour shift. Either that, or you'd be fired for gross inefficiency and replaced with someone who was clever enough to find a workaround.

Breaches are rare. Logging out and in happens every few minutes. What do you think the average desk nurse's priority is going to be? Can you blame them?

Re:Hey, I've got an idea.

[ceoyoyo]

I use Proximity on the Mac. It lets you run an Applescript when your phone comes in range, and another when it goes out of range.

Re:Hey, I've got an idea.

[nahdude812]

I successfully used http://code.google.com/p/reduxcomputing-proximity/ for this purpose under OS X. Have not looked to see if there's something for Windows.

Re:Hey, I've got an idea.

[_0xd0ad]

The simple fact of the matter is, if it's often enough to be annoying, they won't like the automated system either, and they'll find ways to defeat it. Compared to the hassle of typing the password to unlock it when you get back, it's not really that inconvenient to hit Win-L as you're leaving.

Re:Hey, I've got an idea.

[khr]

Humans also get distracted fairly easily, and can't always predict when. "Just stepping away from the computer for 15 seconds" can easily become "get dragged into something and come back half an hour later".

Which is why humans have little place in any sort of efficient workspace and should be replaced...

Re:Hey, I've got an idea.

[ceoyoyo]

It doesn't have to log you out all the way, just switch to a login screen while maintaining your session. It seems that kind of thing, with something to automatically detect whether you are at the computer, would be perfect. Set it up so it recognizes your cell phone and can log you in as well as out.

Re:Hey, I've got an idea.

[blind+monkey+3]

A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.

That's true for some situations but a lot of the time companies are more concerned employees don't "see" information they are not cleared for (payroll, contracts etc) or place requisitions using someone else's ID. Users with different levels of clearance / departments share work areas in a lot of companies (open plan offices were tres chic for a while) plus a lot of software uses audit stamps to track who entered /edited what.
Ultimately, I suspect the users will defeat any attempt at "security" if the measure hinders them (complex passwords that end up on sticky notes stuck next to keyboards, swipe cards left next to workstations, secure doors taped open... usual stuff).
Although if this gadget just locks the workstation and a finger print swipe can unlock it instead of keying in a complex password or having to rummage around for your swipe card... nah, it still requires additional effort.

Re:Hey, I've got an idea.

[ColdWetDog]

Actually, I was thinking about hospital work. In the real world, we don't just jealously hunch over our screens. blocking access with our heads. Walking through the nurses station I can see a half dozen screens and I was truly arsed I could read everything on all of them. The data is never that sanitized since most of us are working on the same patients and anyway have the same applications at our station.

What I worry about is a PC left on in a side room which isn't staffed continuously and some bored teenager gets drawn to the Glow of God. Auto shut down in that scenario makes a lot of sense. Not so much if I just get up off my chair. A token system would be nice but we need something that keeps everyone from keying their usernames / passwords in a dozen times a day.

Re:Hey, I've got an idea.

[natehoy]

True, but a system that detects when someone has actually left the area would be useful.

I don't think this SONAR system is it, mind you, but there's probably something that is. RFID chip on their badge seems like a real possibility, for example.

I don't think many people would complain if they had to log back in once they've actually left their desk area (especially if the login could be a quick fingerprint scan coupled with the close presence of an RFID chip in their badge).

But if you've ever watched a duty nurse for any period of time, you know they don't spend a lot of time sitting right at their computer (but they do spend a lot of time working on their computer, just interrupted by lots of little events like "get up and grab a chart from the desk", "answer the phone", "give directions to a family member of a patient", "turn around to grab a printout to hand to someone", etc). My point is, having to unlock your workstation after each one of those interruptions is going to be ridiculous.

And it's going to happen - you're going to be near the exit of your workstation grabbing a chart for data entry when code blue goes off. No human being in their right mind would take the time to go hit Win-L.

If the duty nurse is within the bounds of their cubicle or workstation, locking the workstation is inefficient and serves no useful purpose. They are RIGHT THERE. No one can access the computer without them knowing it, and if they want someone else to have access to their computer there's little point in trying to use technical means to prevent it.

If the duty nurse leaves the bounds of their cubicle or workstation, locking the workstation is essential, immediately. The nurse should not have to think about it. It should just happen.

Re:Hey, I've got an idea.

[somersault]

I think some kind of body/facial recognition software with a webcam might be a nice cheap way to do it. Whenever the program detects that the user has left their chair, lock the session.

Re:Hey, I've got an idea.

[Yvan256]

Unless your camera can detect depth, I'm pretty sure that kind of security is easy to bypass. See Columbo And The Murder Of A Rock Star.

Re:Hey, I've got an idea.

[ColdWetDog]

Isn't a simple inactivity timer just as effective? Just set your PC's inactivity timer to whatever you'd set your motion sensor inactivity timer to (5 minutes, 10 minutes, whatever) and you've removed most of the threat of computers running unattended all day without the added complexity of a motion sensor (which, if it works as well as my office light sensor, will lock your computer out 5 times a day until you jump up from your chair and wave your arms so it can see movement).

Actually, that's not a half bad idea if I can get one to work in XP. I'll have to look around for that.

So your employer won't install a smart card system, but will install motion sensors linked to your computers?

No, they won't do either but the smart card system has been nixed for the moment because various ancient bits don't work with any we've looked at and / or are too expensive (too expensive being a rather low bar). Many of the rooms all ready have motion detectors on the lights as an energy saving strategy. It probably would be relatively easy to tap a signal off the detector (or even just use a light detector) and then build a box that that pretends it's a UPS to tell the computer to shut down or restart. But nobody is going to let me build things and attach them to hospital computers. They're crazy but not particularly stupid.

And don't get all excited. Of course there is no one size fits all (unless you use Apple things). I might actually show the thing to our IS folks to see if it raises their pulse rates. They like shiny toys to play with and they're tired of the iPad they bought last month (CEOs being the clueless creatures that they are ....)

Re:Hey, I've got an idea.

[Bing+Tsher+E]

try understanding the needs of your users before throwing "solutions" at them.

My practice is to decant the solution, then throw the precipitate at them. Less wasteful.

Re:Hey, I've got an idea.

[somersault]

If it was only responsible for locking rather than unlocking, and it locked within seconds of you standing up, then it would be pretty effective I'd think. You can detect depth of a sort simply by the size of the body, but we may all have 3D webcams in a few years anyway.. depends whether the fad turns out not to be a fad this time.

Plus, I would probably still hit ctrl-alt-l when leaving my desk anyway, this would just be a backup measure.

Re:Hey, I've got an idea.

[Bing+Tsher+E]

My techie alternative to this (techie, as opposed to 'office drone with phillips screwdriver skills') was when I wired my power supply into the Z axis of a co-workers oscilloscope, using a long wire that reached to my bench. Then, I could dim or brighten his 'scope by simply adjusting my power supply's voltage. Those were fun times. That was back when there was one computer in the lab, a shiney new '286 machine. We tried to lock it once using the lockswitch on the case. Someone who wanted 'in' used one of those spring loaded center punches, which blew the keylock away, unlocking the system.

Which brings me to the main point of this post: those spring-loaded center punches are great. When you encounter a keyboard with a sensor such as the one in this article has, give it a little encouragement to comply with your wishes. You want the sensor, of course, to die quickly and with little fuss or effort.

Re:Hey, I've got an idea.

[Bing+Tsher+E]

Far too often, however, the problem comes not in whether you can properly educate your users/punish them for non-compliance, but whether you, as an IT entity, have the power to do so.

It sucks to work in places where the IT flunkies have that much power. It leads to all sorts of problems, like them spending too much time running around being thuggish, when they could be changing the toner in the Ljet4 up on third floor, like they're supposed to.

Re:Hey, I've got an idea.

[hedwards]

Additionally, depending upon the implementation you can also cope with situations where one might fool the keyboard into thinking your still there, when what really happened was the nurse got knocked out or you were in the vicinity as she left. Of course wireless tokens aren't perfect either, but at least they take some savvy and equipment to duplicate.

Re:Hey, I've got an idea.

[hedwards]

That never fails to surprise me, even though there are keyboards out there that are designed to take a bath or a quick rub down well.

Re:Hey, I've got an idea.

[gringer]

Isn't a simple inactivity timer just as effective?

Actually, that's not a half bad idea if I can get one to work in XP. I'll have to look around for that.

It's called a screensaver, with the 'password protect' option. Even Microsoft puts one of those on their default system installation.

Re:Hey, I've got an idea.

[icebraining]

For Linux, install blueproximity. Very useful.

Re:Hey, I've got an idea.

[DrEasy]

Do you mind posting a link to the wireless token product in question? I've been working on one myself, and I'd love to know what's out there already. Thanks!

Re:Hey, I've got an idea.

[Nursie]

I set that up a while ago, I like it.

However it's easy to defeat the unlock portion by cloning someone's bluetooth device ID.

Re:Hey, I've got an idea.

[initialE]

If you have a wireless token why not use it to better effect - locking and unlocking the terminal display as and when you are in or out of range. Saves a bit of hassle logging in all the time.

Re:Hey, I've got an idea.

[lpq]

I guess some employers just don't want to strike their employees once, let alone three times...

Re:Hey, I've got an idea.

[sznupi]

Being crazy with hygiene isn't the same as "working hard to reduce infection rates", apparently.

Re:Hey, I've got an idea.

[sznupi]

If it turns out not to be a fad - stereoscopic(*) images of your face would be easy enough to come by in such case... and they could be also quite easily used to fool stereoscopic webcam.

(*not "3D"; but it would be similar with more "real" 3D - if, say, Kinect-like controllers would become popular - ...plenty opportunities to get a hold of your "mold")

Re:Hey, I've got an idea.

[Tom]

Simply instruct your employees on the importance of not leaving a workstation unsecured (i.e. locked, logged off, etc.). Use a 3-strike system, if you must. There really shouldn't be a need for such fancy equipment.

If that would work, it would have worked by now. It doesn't. We can skip all the philosophical discussion about why and how and bla bla bla. The real world provides us with the evidence that this solution does not work, and that really is all there is to it.

Re:Hey, I've got an idea.

[allo]

just use a screensaver with password.
oh, okay not very much security on windows, but on linux a good choice. 5 minutes after the last keystroke/mouse movement my screen is locked.

Re:Hey, I've got an idea.

[somersault]

It doesn't even have to recognise individual faces, just recognising any body being in the chair, and lock if that body leaves the viewable area or gets beyond a certain distance. You'd notice anyone else sitting down in your chair at that point.. and like I said I think it would be nice as a backup option for if you forget to lock your screen. Similar to putting a 1 minute screensaver delay or something, but better because you can still not use the computer for a while (say if you're working with paper, or reading something onscreen) as long as you're sitting at your desk.

Re:Hey, I've got an idea.

[Wolvenhaven]

It's called BlueProximity, so it's probably the exact same thing that ceoyoyo is talking about.

Re:Hey, I've got an idea.

[_0xd0ad]

I agree that it would be handy if you were already conscious of security. The tendency though is almost certain to be using this instead of being conscious of security, to force security on people who didn't want it in the first place.

Re:Hey, I've got an idea.

[sznupi]

I took it as "also" - because stereo isn't required / wouldn't help much in determining if somebody is sitting at the desk (by itself it doesn't distinguish from a nice comfy chair...); it would have to go through constant face and body detection anyway, which work in "2D". Still probably resulting in enough "false"(*) negatives to annoy people...

(*)not really false, it's just that we tend to move around the desk much more than we realize (even Kinect-like sensor would have trouble)

Ultimately, technical band-aids to security can only do so much...

Re:Hey, I've got an idea.

[ceoyoyo]

Sure, that's fine if no one else needs to use that computer.

Re:Hey, I've got an idea.

[natehoy]

Ah, but the beauty of an RFID system is that the user doesn't have to be conscious of security. If they need their badge to access everything, they'll have their badge with them. Once they leave their office, the computer is locked.

So the computer remains useable while an authorized user is right there and can monitor it, and locks itself when it doesn't have an authorized user present.

Conscientious users can still lock their own workstations when they know they won't be using it for a while, but this covers sudden urgent departures (or non-conscientious users).

Added bonus: In addition to helping fill a security gap, it also allows you to monitor for non-conscientious users and "remind" them that they need to be locking their workstations using whatever policies you choose.

Re:Hey, I've got an idea.

[lsatenstein]

Any autolog out system will invite people to make use of it. Therefore, another unauthorized person could jump into the session before the timeout occurs and the rest will be "Unauthorized access".

Re:Hey, I've got an idea.

[allo]

if somebody does, he just opens another session

What does "physically leave the keyboard" mean?

[maxwell+demon]

What does "physically leave the keyboard" mean?

Not touch it any more? What if he's using the mouse?

Re:What does "physically leave the keyboard" mean?

[doubleplusungodly]

Probably means something akin to being AFK.

Re:What does "physically leave the keyboard" mean?

Read the article and find out. In fact, don't even read the article, read the caption on the image at the top of the page.

Re:What does "physically leave the keyboard" mean?

[Rary]

What does "physically leave the keyboard" mean?

Not touch it any more? What if he's using the mouse?

Click the link and watch the video. It detects when you've physically left your seat and locks the OS (note: it locks, not logs you out like the summary claims). It has a little pointer that you adjust to point at wherever you're sitting, and when you leave that spot, it triggers the lock function. It also has a proximity card scanner and fingerprint scanner so the person doesn't have to type in a password each time they return to their seat.

Re:What does "physically leave the keyboard" mean?

[Thud457]

BRB party van^W^W secret police

What a great practical joke this would be.

[olsmeister]

I think I'll sneak into the office and swap all the keyboards out with these.

Re:What a great practical joke this would be.

[Captain+Centropyge]

Have fun with that bill, at $150 per keyboard!

Re:What a great practical joke this would be.

[CastrTroy]

It really depends what your data is worth to you. If you don't think that kind of protection is worth $150 per computer to you, then don't buy it. But for many industries, its almost completely negligible, especially in the medical field.

Re:What a great practical joke this would be.

[Captain+Centropyge]

WHOOOOOOSH! Did you not see the GP's joke..?

Re:What a great practical joke this would be.

[ColdWetDog]

Better, get a bunch of these. Total security.

And BTW, the medical field is not dripping with dollars. Despite the incredible costs many hospitals / clinics are running in the red. It makes little sense, but there your are. If I thought this thing was the greatest thing since sliced bread, I would have to argue passionately to get it funded and likely be dumped way down the list since we can't bill for keyboards.

The Das Keyboards I could probably get IS to buy a couple of out of petty cash just to be mean.

Switch in a seat cushion and xlock...

[mlts]

When I worked about a decade ago at a place where people with dubious intentions could access the work area, I ended up making a switch embedded in a seat cushion that was connected to the serial port of my workstation. When I got up, the program sitting and monitoring that port would automatically xlock the machine.

It was an ugly hack, but I never had unattended terminal issues unlike some cow-orkers.

Re:Switch in a seat cushion and xlock...

I just press Windows-L. I wish I had that much time to waste...

Re:Switch in a seat cushion and xlock...

[mlts]

You were assuming Windows... the SPARC workstation I was using back then definitely didn't have a Windows key.

Yes, I had a macro with CDE that would lock the screen, but I wouldn't trust my job to making sure I nailed it for a quick coffee break. Especially with people who would be zooming for an unattended machine with a root prompt on it.

Re:Switch in a seat cushion and xlock...

[NFN_NLN]

When I worked about a decade ago at a place where people with dubious intentions could access the work area, I ended up making a switch embedded in a seat cushion that was connected to the serial port of my workstation. When I got up, the program sitting and monitoring that port would automatically xlock the machine.

It was an ugly hack, but I never had unattended terminal issues unlike some cow-orkers.

In 90% of office scenarios the general public doesn't have access to the office computers. I can see guarding against the public in a hospital setting for example, but for most people the office should be secured against outsiders only.

My computer is like the "pocket watch" in "Gangs of New York". I leave it out in the open and invite people to mess with it. Yet they don't... because they know, if they do, there will be repercussions... and they will be horrific.

Re:Switch in a seat cushion and xlock...

The concept reminds me of how a lot of mechanical workstations will have a control setup that requires both hands be on the controls in order to operate. Speaking of dubious intentions... I'm reminded of the saying "Both hands on the keyboard"...

Re:Switch in a seat cushion and xlock...

[ColdWetDog]

My computer is like the "pocket watch" in "Gangs of New York". I leave it out in the open and invite people to mess with it. Yet they don't... because they know, if they do, there will be repercussions... and they will be horrific.

And the rest of us just clean the cheetos off occasionally.

Re:Switch in a seat cushion and xlock...

There are some scenarios where locking the computer is required by policy to limit or prevent insider attacks. One location I've worked at had such a policy and failure would result in a prank wallpaper if you were lucky, an email from your account to the whole department talking about your love of Twilight if you weren't. Repeated failure would attract the attention of management and, on paper at least, was grounds for termination.

Re:Switch in a seat cushion and xlock...

While it is good to be able to trust your co-workers, sometimes you shouldn't. If there was an insider with malicious intentions giving them the opportunity to carry out their nefarious activities on someone else's computer will help them hide their tracks and make it harder to discover them.

annoying

so every time I get up to check something on my bookshelf it locks my station? seems annoying to me.

Risk Analysis

[pnuema]

Being a performance tester, I constantly engage in risk analysis. Yes, it may $600,000 to performance test your app. How much does an hour of downtime cost you? Depending on how costly a security breach might be, the $100 keyboard (or whatever it costs) could seem like a bargain, even per employee. Smart idea.

Re:Risk Analysis

[geekoid]

Bad idea.

Most people do work at their desk, not necessarily at the key board. all this will do is frustrate employees and the will work aorund it.
No, A web cam the detect when you physically leave your desk would be a good idea.

Re:Risk Analysis

[Anne_Nonymous]

>> No, A web cam the detect when you physically leave your desk would be a good idea.

No, an RFID chip implanted in each employee's head would be a good idea.

Re:Risk Analysis

[Belial6]

Or, just a wireless dongle that they could keep in their pocket, or a bluetooth connection that can detect that their phone is nearby. Sonar is built into a specialized keyboard is just a bad idea. There is a time for integration, and times that it is bad. Keyboards are WAY to varied, and this keyboard would be too expensive for the integration to make sense. Heck, I would be better if it was just a USB dongle that sat on the desk than being integrated into the keyboard.

Re:Risk Analysis

[knarfling]

No, an RFID chip implanted in each employee's head would be a good idea.

(Stolen from Dogbert's School of Managment's How to spread rumours.)

Boss: No, we are not considering implanting implanting RFID chips into each employee's head! Not even with the added bonus of a partial lobotomy during the same surgery. It never even occurred to us to think about that. And certainly not at the prices we were quoted.

How about locking instead?

[ZorinLynx]

Wouldn't a keyboard that simply locks the terminal make more sense? I don't want to be completely logged out just because I leave my desk to use the can.

Re:How about locking instead?

[Scutter]

Wouldn't a keyboard that simply locks the terminal make more sense? I don't want to be completely logged out just because I leave my desk to use the can.

FTFA:

The SonarLocID Keyboard connects to a PC via USB and can be configured via an included programming application that allows the user to program custom keystrokes as well as delays and a sequence to lock the computer when the user walks away.

These keyboards are horribly insecure

These keyboards are completely hackable by dolphins.

If you work at an aquarium or have dolphin coworkers, I would avoid these keyboards.

IT Support?

[mfh]

This is going to be nightmarish for IT and it will generate all kinds of useless calls as a result. My guess is we'll be seeing some people using duct tape over the sensors on the first day too, making these expensive keyboards totally useless, apart from being a great way to inflate IT budgets, to ensure they stay plump.

Re:IT Support?

[d6]

I think you are right about the duct tape.

I've seen employees tape over lights that annoyed, tape foam over speaker grills that alarmed and habitually lay small weights on their keyboards to avoid an AFK logout. For some folks, this keyboard will just be another annoyance to overcome. This might allow someone who _would_ log out anyway to do so automatically, but if pitched as a "fix" for not following policy, think again.

Can't fix people with hardware.

Re:IT Support?

[mfh]

Because management won't spring for the sonar badges that log you in automatically or the badges will turn out to be flawed and insecure as hell, so they will be disabled. And employees won't want to be micromanaged, so they will slap tape over the sonar which will then react as though someone is within range of the keyboard.

Re:IT Support?

[overIThill]

..another use for duct tape. Reverse engineer the MS kinect where as opposed to telling you to move back...move back, it recognizes when you are "x" distance away. Mount the device on you monitor with duct tape. Use the left over duct tape to hide unsightly wallpaper seams in your apartment.

Re:IT Support?

[Lord+Ender]

A bigger concern would be supporting translucent jellyfish.

Re:IT Support?

[Tom]

Not likely. The setting this is advertised for is the medical environment, where users are well aware that they are handling sensitive data. If logging back on is as easy as they make it seem in the video, it may even be a benefit to the users.

Re:IT Support?

[mfh]

Not likely. The setting this is advertised for is the medical environment, where users are well aware that they are handling sensitive data. If logging back on is as easy as they make it seem in the video, it may even be a benefit to the users.

You could be right. Instead of putting duct tape this level of subterfuge may require cloudy scotch tape to be equally as effective. It's possible that some people would use this as intended with the cards, but my guess is that those cards could easily be duped, making this a very insecure system.

Re:IT Support?

[Tom]

I'm sorry, but that is total nonsense.

Keys - the physical ones, not the cryptographic - are quite easily forged. Nevertheless, keys are in widespread use and generally considered secure enough for most uses. These tokens can certainl be forged, but it will almost certainly require one of a) physical posession of the card for a while and/or b) special equipment.

For either case is valid that if you manage to do that within the hospital setting, you are capable of worse things than having access to a nurse account.

RFID?

[Midnight+Thunder]

Couldn't a solution using RFID be used. Basically you have a RFID detector with 1m radius of detection. The detector would poll the card to see if is there and logs you out or locks your session if you leave the zone.

Re:RFID?

[fuzzyfuzzyfungus]

RFID/smartcards in the employee IDs would work. You just want to be very careful that you don't set up a system that simply encourages people to leave the card on the computer in order to stay logged in... Then you have stolen IDs floating around, and unlocked terminals. Whether or not people will do this probably depends on how tyrranical you are, and how fast they can log back in/unlock. If your horrible mess of a system image takes 5 minutes to log in, you'll need an overtly totalitarian IT security group to keep people from doing that.

If, as with the Sun Rays of old, your session(complete with state) pops up within seconds of inserting the smart card, people will be much more likely to take reasonable precautions...

Re:RFID?

You could use RFID for both logout and whole or partial login, and my Dr has for at least a year or two. This slashdot posting is an ad for a lacking product, not news.

Re:RFID?

Back when I would do programming for devices like RFID, biometrics, smartcards, and sign on solutions, me and my coworkers would joke that the best authentication devices would be an anal probe embedded in your chair. You would sit down on the probe, it would recognize you, and automatically log you into the computer. When you stood up, the computer would log you off.

This took care of all of the standard biometric issues. Fingers go missing by accident or profit. Eyes are pretty good, but expensive to work with. With an anal probe, you will never loose your ass, and it would be pretty much impossible to fake someone else's ass.

I still look back on this with a grin.

Re:RFID?

As somebody with a colostomy bag(got my ass shot off in the war^h^h^hpolice action), I have a problem with your probe placement, you insensitive clod! :)

Re:RFID?

[Midnight+Thunder]

I suppose this is where having virtual computers is useful, since you would essentially always be logged in, but your session would only be accessible as long as you are connected and could simply switch to which ever terminal you are at.

Re:RFID?

[peragrin]

The answer there is to use the same card but a different RFID token as a door unlock.

Leaving the ID card behind is fine but you can't enter the employee lounge, or access other areas.

Re:RFID?

This is already available. Kaiser Hospitals uses this on their workstations in the examination room. If there isn't a fob within some small number of feet, it locks the station.

Re:RFID?

[scorp1us]

I've looked at this, and the commercially available ones are only good for a few (4-6) inches. that's 10-15cm for metric folk.

Re:RFID?

[Amouth]

could always add .. where my mom works if you don't have your ID on you and you are in the building you are fired. no 3 strikes no questions no excuses.

Re:RFID?

[Midnight+Thunder]

Why not have the same RFID? Many companies manage the card list on a central system.

Re:RFID?

[peragrin]

because security through stupidity is never good.

Do you use the same key to unlock your car as you do your house?

Besides with two RFID tags in one device long range scanning becomes harder.

Re:RFID?

[Macgrrl]

Is it sad that I originally read this as a reply to the comment about anal probes...

Tech

[Spad]

All the technology in the world won't fix staff who don't want to do what you tell them. All this will do is piss off people who have to keep going to and from their desk while in sight of their machine to get files or talk to visitors until they figure out a way to trick the keyboard into thinking they're always at their machine, at which point you've spent a lot of money for nothing.

Put reasonable security policies in place, punish your staff proportionally if they repeatedly violate them and don't try to fix people with gadgets.

Duct tape

[mfh]

Will fix the problem of these keyboards logging you out when you leave for a quick coffee. Once again, any kind of security is thwarted by duct tape.

Re:Duct tape

[fuzzyfuzzyfungus]

Will fix the problem of these keyboards logging you out when you leave for a quick coffee. Once again, any kind of security is thwarted by duct tape.

They've got that one figured out: If the sensor detects a range of zero, corresponding to the duct-tape trick, your workstation will play a tinny rendition of "Don't Stand so Close to Me" at earsplitting volume until one of your enraged coworkers rectifies the situation and then shoves a pen into your eye...

Re:Duct tape

[Amouth]

if it can give actual depth.. then just don't except any readings less than 1ft ... but then we can defeat it with a cardboard cutout (which would be funny to see really)

Vaporware?

I've been looking for this exact sort of thing and was in the middle of designing my own solution but I can't find this product available anywhere, has it even been released? Is it just a demo/prototype? What's the deal?

Prior art?

[dasdrewid]

I hope this works better than those public toilets that flush as soon as you "leave." Reach down to tie your shoe and suddenly...*whoosh* all over you naked buttocks.

Re:Prior art?

Before you sit down, fold a piece of toilet paper and cover the sensor. Then when you want to flush, just pull the toilet paper and drop it in.

Another alternative - bluetooth phone as a sensor

[gQuigs]

For linux:
http://blueproximity.sourceforge.net/
For Win:
http://btprox.sourceforge.net/

Swap all the keyboards out with these

WITH the sonar/sensor covered with black tape.

Irritating

[CAIMLAS]

Wow, that is potentially (highly) irritating.

Imagine:

* You duck down in your chair to grab a pencil you drop
* You lean over to open a desk drawer
* You lean back to take a moment of reflection
* You step to the side (if standing) to grab something
* You're skinny and the sensors can't see you
* You (potentially) don't move enough while watching something on the screen
* You do a lot of back-and-forth in a small area (eg. a pharmacy, where you've got to fetch medications after looking them up, then come back to the next person) and leave the keyboard frequently without leaving the system uncontrolled (ie it's always in view). ... and then you've got to take the time to log back in and for everything to load back up again. Hopefully you weren't working on something and the data got lost...

A more sensible meme would be to lock the machine when the user steps away instead of logging them out, to be sure. Hopefully the sensors are accurate. Even then, there are many cases (within the designed use case) where this probably isn't appropriate or useful. Biometric logins/unlocking would likely be a bare minimum additional component, IMO.

Re:Irritating

[pz]

Wow, that is potentially (highly) irritating.

Imagine:

* You duck down in your chair to grab a pencil you drop
* You lean over to open a desk drawer

[ etc. ]

A more sensible meme would be to lock the machine when the user steps away instead of logging them out, to be sure. Hopefully the sensors are accurate. Even then, there are many cases (within the designed use case) where this probably isn't appropriate or useful. Biometric logins/unlocking would likely be a bare minimum additional component, IMO.

Nearly every OMGITCANTPOSSIBLYWORK scenario suggested above can be fixed by proper adjustment of various sensitivity and timeout settings. And, if you read the article, it can lock the system, or log out, or potentially anything you want it to do. Why automatically assume that the people who designed such a thing are incompetent boobs?

"The SonarLocID Keyboard connects to a PC via USB and can be configured via an included programming application that allows the user to program custom keystrokes as well as delays and a sequence to lock the computer when the user walks away."

Sounds like they already thought of all the scenarios above. And I bet if you have a fingerprint swipe, it could be made to work with that, too.

Can be done in software on most laptops

[Pedant]

A research group at the McCormick School of Engineering and Applied Science at Northwestern University did this a while ago using the built-in speakers and microphone on most laptops.

PFFFT! Thats nothing!

[DarthVain]

My computer has a state of the art dynamic temporal activity sensing program that will automatically lock my workstation! I can even set it for different amounts of time!

So if at ANY time I am not doing any activity on my computer, for a period of time, say 5 or 10 or even 15 minutes (Whatever I want!) say if I get up, or fall asleep or stare out the window too long, it will automatically and magically lock up my computer. Talk about safety! Amazing!

Re:PFFFT! Thats nothing!

[peragrin]

So your computer is secure as long as your nearby enough to notice it, and no one can walk into the room 30 seconds after you run to the bathroom and use your computer.

5 minutes is enough time to walk into an unlocked house and walk out with a computer and TV.

Re:PFFFT! Thats nothing!

[_0xd0ad]

I have a script specifically written to simulate a keypress every 14 minutes and 30 seconds (the screensaver time-out is 15 minutes). Most people, though, just set a weight on the Ctrl key or something.

Re:PFFFT! Thats nothing!

[nzap]

Just for research purposes, pleases state your address and schedule.

Re:PFFFT! Thats nothing!

[peragrin]

exactly. for the Parent to my post, you can visit him selling girl scout cookies to find out if he locks his door while he is home. Then wait for him to lock himself in the bath room and take his unsecured computer because it is on a 5 minute delay.

Or...

[EnsilZah]

You could just, you know, use that option that that requires a password after coming back from screensaver and set the screensaver idle timer rather low.
(By screensaver I mean turning off the monitor, I haven't used an actual screensaver since the 90s)

Re:Or...

As I think most of the rest of the world does. If they have access to your pc, it's all over anyway, I suppose. "Say, who is that guy on Joe's pc?" "I dunno. Probably some guy from the Help Desk." So, perhaps guarding the front door is more important.

PFFT! Thats Nothing!

[DarthVain]

I just created my own motion sensing system to log you out. It melds the security of handcuffs to the authenticating power of a USB key. BAM!

Must be from Soviet Russia

[Megahard]

Computer with sonar keyboard pings you.

Exploit

[arunce]

There's an exploit for it already: stickers.

Alternate uses?

[jbmartin6]

I wonder if it can also be used to prevent teenagers from using the PC. Ref: "Mosquito Repels Youths" http://www.cbsnews.com/stories/2005/12/05/earlyshow/living/main1095665.shtml

User testimony

[Dalzhim]

This keyboard is so great that I am now even more likely to forget my sessions open on computers that aren't equipped with it compared with before.

For linux users...

[mmell]

Just use this script:

#!/bin/bash

#

#####

# Use 'hcitool scan' to find the MAC address of the desired bluetooth device

MACADDR="00:00:00:00:00:00"

STATE="$(hcitool name ${MACADDR})"

if [ "${STATE}" = "" ] ; then

echo "Bluetooth device not found at startup. Exiting..." >&2

exit 1

fi

LOCK="UNSET"

CHECK="$(ps -ef | grep gnome-screensaver | grep -v grep | cut -c49- )"

if [ "${CHECK}" = "gnome-screensaver" ] ; then

LOCK="gnome-screensaver-command -a"

UNLOCK="gnome-screensaver-command -d"

fi

CHECK="$(ps -ef | grep xscreensaver | grep -v grep | cut -c49- )"

if [ "${CHECK}" = "xscreensaver" ] ; then

LOCK="xscreensaver-command -lock"

UNLOCK="xscreensaver-command -deactivate"

fi

if [ "${LOCK}" = "UNSET" ] ; then

echo "Supported screensaver not running" >&2

exit 2

fi

SLEEP_TIME=15

# Enter main loop

while true ; do

if [ "${STATE}" = "" ] ; then

${LOCK}

else

${UNLOCK}

fi

sleep ${SLEEP_TIME}

STATE=$(hcitool name ${MACADDR})

done

exit 0

Re:For linux users...

First thought is MAC spoofing. Not that secure.

Re:For linux users...

[mmell]

Wasn't advocating using the bluetooth phone as a sensor - just outlining how to do it (without having to download/install too much software).

Although I do use this technique - I just don't tell anybody around my workplace how the magic's done. You know - the obsecurity model.

Re:For linux users...

How do you set the range with your script? That is using signal strength as a proxy for range, which BlueProximity allows you to do.

No more baggy pants!

[EmagGeek]

I guess this will put a stop to that!

Peer Enforcement

[Kylock]

In my office, it's typical for someones workstation to be vandalized by employees if left unattended AND unlocked.

alias cd="you suck"

Of course people get much more creative. We had one guy get over 40 entries added to his local host file and his mouse buttons reversed.

Logs you out?

Automatically logging you out is a horrible idea. How many web based applications do you use in a day? Do they all auto-save your data for you? Imagine how annoying it would be when you were in the middle of writing an e-mail using a web browser, and you stepped away from your computer for a minute and lost everything? You would be in perpetual fear of accidentally moving too far away from your desk. If I was forced to use this, I would put duct tape over the sonar sensor so that it always thought there was a person there...

Re:Logs you out?

[natehoy]

Trusting the summary to be accurate is an even worse idea. TFA talks about LOCKING the workstation, not logging it out.

It's the companies work, not the users.

[Belial6]

It's not the users work. It is the companies work. I would fire any administrator that suggested we destroy the companies work as a punishment to users that didn't do what we wanted. OK, I wouldn't fire them for suggesting it. I would point out how they are suggesting that the company's property should be destroyed. Then if they implemented it, I would fire them.

Military grade sonar?

[Clay1985]

Would tape/a postcard/stickers/etc. really stop sonar? It's obviously the first thing I would try. This keyboard really looks like a waste of money unless the administrators are going to write up anyone found trying to work around the keyboard's security, which wouldn't be ideal. This seems like a keyboard more for a company where everyone understands how important security is, and is just for when you forget to lock your screen. It only takes one temporarily absentminded user to create a security hole. So, I think it's a good idea to create hardware/software precautions, just in case. But it sounds (from prior posts) as though this sonar keyboard can be hacked, which makes it useless. Also, how secure are fingerprint scanners, really? Do the hacks from the movies really work on those?

Our solution

[screwzloos]

Occasionally the director here will wander through and look for machines that have been left unlocked and unattended. Email is a big part of what we do, so since I started working here we've seen a couple emails sent to our department's mailing list stating more or less "Hi, I have left my computer unattended and am posing a security threat to this University."

That mailing list goes to about thirty people, all of which are more than happy to berate and tease one another. There was never a formal punishment or even a direct scolding from the director afterwards, but it made enough of an impact to make it a one time issue for the people involved. At this point, locking the machine is as much a natural part of leaving my cube as is getting out of my chair. I'd say it worked - I certainly wouldn't want that kind of attention.

Users will bitch

We have computers at our office set to lock after 10 minutes of inactivity. People bitch and don't understand why they 'have to keep logging in'. They don't care about security. They don't care about their files because someone can restore them from backup.

Why a whole keyboard?

[scorp1us]

Why not just a USB transducer?

Ummm screensaver?

What's wrong with a screensaver password?

Re:Ummm screensaver?

That would have to be set to maybe 10 minutes of inactivity for it not to be too annoying. When leaving, a ton o things can happen in 10 minutes.

Looked into this idea last year

[Spikeles]

I was tasked to find a solution for this kind of problem last year for my workplace. Basically it came down to a couple of different technologies.

• RFID - Range too small, you basically have to have the keycard sitting on the desk. Free software to do it though.
• Bluetooth - Easily enough to do with software, but getting an accurate bluetooth range is difficult. It's quite possible someone walking along in a room next to the room the computer is in could cause it to unlock without them ever being aware.
• Sonar - The most promising of the bunch. TFA uses an actual keyboard, whereas these guys make a device hooked to a usb adapter.
• Automatic screensaver lock - Enforced through policy, 5min lock. Cheapest easiest.

In the end we went with the automatic lock, the cost and bother of using other methods didn't justify having to use them. We set all the easiest to access computers to 1min, and every other computer to 5mins.

Re:Looked into this idea last year

[Spikeles]

Blah, teach me not to proof read. With bluetooth we also looked into automatically unlocking when back in range hence the range comment. But the point stands, the range is notorious to be accurate. It could lock straight away, or it could stay unlocked 15m away while you are at the photocopier. Not to mention some devices go into low power mode turning off bluetooth, which makes the computer think it's gone and locks it.

Re:Another alternative - bluetooth phone as a sens

[fenix849]

The only real issue with this is that if you don't regularly require bluetooth, leaving it turned on in your phone is an unnecessary drain on the battery.

Re:Another alternative - bluetooth phone as a sens

[OverlordQ]

btprox is overrated, tried it and found I could walk nearly anywhere in the office and the computer wouldn't lock, bluetooth has too large a range for this.

Good for Healthcare, w/ appropriate software

[bill_mcgonigle]

I'm sure that would work GREAT in a hospital setting where a nurse keying in data has to jump up and run down the hall to a patient who is crashing..... and then gets fired because she forgot to log herself out on 3 occasions. /sarcasm

Used to do healthcare IT. I wrote a gizmo that would clear the user's Kerberos ticket when they walked away for more than, I think, 15 seconds, using a serial/IR dongle taped to the top of the monitor. The nice thing about the Kerberized sessions were that lacking a ticket one could not proceed, but it didn't log the user out of the application either. So, a nurse running for a code blue could resume by typing in her password when she returned.

A prototype was as far as it got - automatic flush toilets were new in the building (late 90's) and everybody in the clinical applications group called it the auto-flush feature, so it never went anywhere. Real mature group, I quit after being asked to trade patient safety for reduced license costs.

Doesn't have to be so complicated...

[pclminion]

The tech doesn't have to be quite so "high." You just need a magnetic receptacle at the terminal. Attached to your belt, on a tether, is a little magnetic bead. When you sit down, you put the bead in the receptacle and the terminal activates. When you get up and walk away the bead pops out and the terminal locks.

They've had this kind of thing on watercraft forever. If you're thrown from the boat, the tether pops and the ignition cuts.

Re:Doesn't have to be so complicated...

[PPH]

Attached to your belt, on a tether, is a little magnetic bead.

So now you're telling me I'll have to wear pants?

Win Key + L

[egranlund]

I think a lot of the forgetting has to do with the multi-step lock process that most people seem to be taught (Control+Alt+Delete then "Lock") rather than pressing Windows + L

screen lock

[vanyel]

I have way too many things open to be logging out all the time --- it's a royal pain and I lose too much state, so I just lock the screen when I leave. It was easy to build the habit as for a while I had a co-worker who was a joker who had a warped sense of humor, so I was careful to make sure he never had a chance to screw anything up. It's now a reflex...

USB proximity lock

[wiedzmin]

Why can't they jut make a simple, reasonably-sized USB proximity dongle that sends a Windows+L keystroke (instead of using stupid third party "lockscreens").

Two birds one stone

[WinstonWolfIT]

Sweet. I've been looking for a better way to time bathroom breaks (monitoring cam footage is tedious).

Screensaver

[gringer]

How is this solution better than a screensaver with the 'lock after X mins of inactivity' option?

Re:Screensaver

No inactivity timeout is correct.

Make it too long, and people who want to abuse your userid have plenty of time to do so. After all, all they need to do is move the mouse or hit a single key.

Make it too short, and it will lock when you are reading something, which happens to include neither moving the mouse nor typing.

In the middle there are an overlap, where it's both too long and too short at the same time.

lol

[Charliemopps]

The badge will be left sitting on the keyboard and finger print scanners can be fooled by a simple black and white photocopy of the users finger print. What little improvement the vendor may or may not have provided with the sonar feature was quickly eliminated by the introduction of convenience features made to alleviate what would obviously become tedious shortly after installation.

If the data truely needs that kind of security the answer is simple. When the inactivity time limit is reached and the machine is locked, a supervisor needs to be notified, and incident filed. The manager should have to find the machine and verify that no one is there illicitly using the station and then follow up with the employee, possibly with formal documentation. Employees would learn to lock their computers almost immediately.

At my workspace we use the much simpler method of policing ourselves. When we see someones walked away we quickly send out an email on their behalf declaring they will be bringing the donuts tomorrow. I'm sure many other shops do the same as it works quite well.

Xyloc - proximity based authentication

USB connectivity for the receiving station and an ID card sized tag you wear.You could configure optional automatic login as you walked up to a machine, or use it in two-factor mode, and it would automatically lock the machine as you walk away. It actually worked pretty well. I looked at them 10 years ago but the price was to steep for me.

Could be nice

[McTickles]

If properly tuned... that is ... or else I see disaster looming...

--
http://www.twilightcampaign.net/

why not task scheduler?

[rilian4]

I wrote a very small, very simple batch script almost 10 years ago that will run on windows xp and 7 (probably on Vista as well but never bothered testing it as I never bothered using Vista) that will lock the screen of a computer. I simply used the windows built-in task manager to configure it to run after the system was idle for 5 minutes. I found this a very efficient way to protect anything a user might leave open when they step away from their terminal. If 5 minutes is too long for you, you can give task manager a shorter time frame too. Very simple, very direct and requires no special hardware that can foul up things.