Sonar Keyboard Logs You Out To Protect Your Data
Zothecula writes "While the simple act of logging off a workstation is an obvious way to protect sensitive data – like that used by healthcare providers, pharmacies, banks and government agencies – it is all too easy for users to forget and leave the data not only viewable, but also editable by anyone who happens to pass by. Custom keyboard supplier Key Source International (KSI) has developed a keyboard that does the remembering for you, logging out as soon as the user physically leaves the keyboard."
Rule 1: The weakest link in computer security is the user.
Rule 2: See rule 1.
Rule 3: See rules 1 and 2.
I'm sure that would work GREAT in a hospital setting where a nurse keying in data has to jump up and run down the hall to a patient who is crashing..... and then gets fired because she forgot to log herself out on 3 occasions. /sarcasm
What does "physically leave the keyboard" mean?
Not touch it any more? What if he's using the mouse?
The Tao of math: The numbers you can count are not the real numbers.
I think I'll sneak into the office and swap all the keyboards out with these.
When I worked about a decade ago at a place where people with dubious intentions could access the work area, I ended up making a switch embedded in a seat cushion that was connected to the serial port of my workstation. When I got up, the program sitting and monitoring that port would automatically xlock the machine.
It was an ugly hack, but I never had unattended terminal issues unlike some cow-orkers.
Right, because everyone who knows the dangers is perfect and is never distracted. Way better to force the user to conform to the computer than make the computer conform to the user.
Being a performance tester, I constantly engage in risk analysis. Yes, it may cost $600,000 to performance test your app. How much does an hour of downtime cost you? Depending on how costly a security breach might be, the $100 keyboard (or whatever it costs) could seem like a bargain, even per employee. Smart idea.
Simply instruct your employees on the importance of not leaving a workstation unsecured (i.e. locked, logged off, etc.). Use a 3-strike system, if you must. There really shouldn't be a need for such fancy equipment.
In the end, though, I guess it comes down to whichever method of prevention is less expensive, or less time-consuming..
Bigger problem: The whole concept of logging in / logging out doesn't work well for lots of people. Let's say I have to key some data in or look something up - OK, log into the system. I then have to move away from the terminal to do something (just a reminder to Slashdotters - not everyone is physically chained to their desk nor locked in the basement all day). I do this day in and day out. If the system logged me out every time I moved away from the keyboard or I had to log out every time my head didn't block the screen I would be one annoyed camper.
Sure, there are 'technical fixes' - use a laptop (doesn't work well if I'm standing), use a tablet (none of them yet work with clunky Enterprise software that will not be significantly upgraded in my lifetime), use a smart card system (we don't have one, aren't likely to get it). So yep, there are security holes all around the place but you always have the balance between security and usability.
A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.
Faster! Faster! Faster would be better!
These keyboards are completely hackable by dolphins.
If you work at an aquarium or have dolphin coworkers, I would avoid these keyboards.
This is going to be nightmarish for IT and it will generate all kinds of useless calls as a result. My guess is we'll be seeing some people using duct tape over the sensors on the first day too, making these expensive keyboards totally useless, apart from being a great way to inflate IT budgets, to ensure they stay plump.
The dangers of knowledge trigger emotional distress in human beings.
Couldn't a solution using RFID be used? Basically you have an RFID detector with 1m radius of detection. The detector would poll the card to see if it is there and logs you out or locks your session if you leave the zone.
Jumpstart the tartan drive.
A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.
And that depends on your domain. In many places, e.g. a software development house, sure. However, in something like a doctor's office, where even the other people in an office shouldn't have access to all the systems, this is much less true.
All the technology in the world won't fix staff who don't want to do what you tell them. All this will do is piss off people who have to keep going to and from their desk while in sight of their machine to get files or talk to visitors until they figure out a way to trick the keyboard into thinking they're always at their machine, at which point you've spent a lot of money for nothing.
Put reasonable security policies in place, punish your staff proportionally if they repeatedly violate them and don't try to fix people with gadgets.
Will fix the problem of these keyboards logging you out when you leave for a quick coffee. Once again, any kind of security is thwarted by duct tape.
The dangers of knowledge trigger emotional distress in human beings.
Fighting known cognitive weaknesses and common patterns of poor prediction in humans really isn't worth the effort (nor, arguably, is it even in good taste) if relatively cheap technological solutions are available.
Humans forget sometimes. Some enough to describe them as "sloppy and incompetent" and fire them; but almost anyone will fuck up occasionally if they have to do it enough. (Plus, I'm guessing that nurses forget a little more often than average if their distractions include such minor items as "patient coding suddenly and dramatically in the next room"...)
Humans also get distracted fairly easily, and can't always predict when. "Just stepping away from the computer for 15 seconds" can easily become "get dragged into something and come back half an hour later".
Whether this particular (almost certainly overpriced) product is the way to go (when you could just use a $5 webcam that can also detect presence/absence and can even prevent naive attempts at presence spoofing, facial recognition is weak; but it is easier to impersonate a human-shaped lump than it is a specific face, without prior planning); but the idea that we should just buck up and strengthen our moral fiber, when a machine could easily do the job for us, is a masochistic recipe for poor results.
You can NEVER EVER trust users to do anything that might be the least bit inconvenient for them, no matter what the consequences are.
For all the employees you want, the new hires will do the same thing.
What might work is to make something painful happen, like losing all their work when they get up and walk away from their computer and their keyboard logs them out.
I really shouldn't have used someone else's email address for this account.
There are solutions to that kind of problem. Basically you can have a wireless token. I've seen them advertised before where they automatically log you out as soon as the token gets out of range. It's not perfect, but fine for situations where you absolutely need to be logged out.
...which is why, after a couple of times of this thing logging them out when they didn't want it to, they'll find a way to defeat it.
I wonder if unplugging it from the PC would work?
There are solutions to that kind of problem. Basically you can have a wireless token. I've seen them advertised before where they automatically log you out as soon as the token gets out of range. It's not perfect, but fine for situations where you absolutely need to be logged out.
This does more or less the same thing.
There can be multiple solutions to the same problem.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
Wouldn't a keyboard that simply locks the terminal make more sense? I don't want to be completely logged out just because I leave my desk to use the can.
FTFA:
The SonarLocID Keyboard connects to a PC via USB and can be configured via an included programming application that allows the user to program custom keystrokes as well as delays and a sequence to lock the computer when the user walks away.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Humans also get distracted fairly easily, and can't always predict when. "Just stepping away from the computer for 15 seconds" can easily become "get dragged into something and come back half an hour later".
Which is why, if I'm only stepping away from the computer for 15 seconds, I lock it. And it's why, even if I'm just driving the car across the street to park it on the other side, I buckle up.
Habits work to your advantage if you let them.
The intention is for this to be used in environments where unlocking the computer can be done with a proximity card or a fingerprint, and scanners for both are built into this keyboard. So, all it takes to return to your work is sit down, wave your card over the keyboard, and get back to typing.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
I hope this works better than those public toilets that flush as soon as you "leave." Reach down to tie your shoe and suddenly...*whoosh* all over your naked buttocks.
No trespassing. Violators will be shot. Survivors will be shot again.
Well, given that the description says the keystroke sequence to lock the terminal is stored in the keyboard, unplugging the keyboard seems like it's a likely way to bypass it.
make imaginary.friends COUNT=100 VISIBLE=false
For linux:
http://blueproximity.sourceforge.net/
For Win:
http://btprox.sourceforge.net/
I like the wireless token idea better, since this keyboard doesn't appear to be washable. I love hospitals that work hard to reduce infection rates and then decide to install keyboards that are prone to collect dust next to patients' beds.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
Tried sonar mounted above the monitor at our hospital already. Unsurprisingly, you are correct. The genius docs and nurses taped tongue depressors with a small index card to hang in front of the device so it wouldn't log off...
Wow, that is potentially (highly) irritating.
Imagine:
* You duck down in your chair to grab a pencil you drop ... and then you've got to take the time to log back in and for everything to load back up again. Hopefully you weren't working on something and the data got lost...
* You lean over to open a desk drawer
* You lean back to take a moment of reflection
* You step to the side (if standing) to grab something
* You're skinny and the sensors can't see you
* You (potentially) don't move enough while watching something on the screen
* You do a lot of back-and-forth in a small area (eg. a pharmacy, where you've got to fetch medications after looking them up, then come back to the next person) and leave the keyboard frequently without leaving the system uncontrolled (ie it's always in view).
A more sensible meme would be to lock the machine when the user steps away instead of logging them out, to be sure. Hopefully the sensors are accurate. Even then, there are many cases (within the designed use case) where this probably isn't appropriate or useful. Biometric logins/unlocking would likely be a bare minimum additional component, IMO.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
My computer has a state of the art dynamic temporal activity sensing program that will automatically lock my workstation! I can even set it for different amounts of time!
So if at ANY time I am not doing any activity on my computer, for a period of time, say 5 or 10 or even 15 minutes (Whatever I want!) say if I get up, or fall asleep or stare out the window too long, it will automatically and magically lock up my computer. Talk about safety! Amazing!
You could just, you know, use that option that requires a password after coming back from screensaver and set the screensaver idle timer rather low.
(By screensaver I mean turning off the monitor, I haven't used an actual screensaver since the 90s)
I just created my own motion sensing system to log you out. It melds the security of handcuffs to the authenticating power of a USB key. BAM!
Computer with sonar keyboard pings you.
I eat only the real part of complex carbohydrates.
Seriously, mod this guy up. All too common in our industry is the mentality that the user needs to conform to the technology. If you want to be truly successful in everything you do, try understanding the needs of your users before throwing "solutions" at them.
Sure, there are 'technical fixes' - use a laptop (doesn't work well if I'm standing), use a tablet (none of them yet work with clunky Enterprise software that will not be significantly upgraded in my lifetime),
Run your clunky enterprise app on a Windows Terminal Server and RDP into it, the application need not know that you're on a tablet.
A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.
Isn't a simple inactivity timer just as effective? Just set your PC's inactivity timer to whatever you'd set your motion sensor inactivity timer to (5 minutes, 10 minutes, whatever) and you've removed most of the threat of computers running unattended all day without the added complexity of a motion sensor (which, if it works as well as my office light sensor, will lock your computer out 5 times a day until you jump up from your chair and wave your arms so it can see movement).
use a smart card system (we don't have one, aren't likely to get it)
So your employer won't install a smart card system, but will install motion sensors linked to your computers?
(just a reminder to Slashdotters - not everyone is physically chained to their desk nor locked in the basement all day). I do this day in and day out. If the system logged me out every time I moved away from the keyboard or I had to log out every time my head didn't block the screen I would be one annoyed camper.
I must have missed the part in the article where it said this was a solution for everyone. It seems that this sonar keyboard is best suited for places where confidential information is keyed in and the computer should be locked immediately once someone steps away -- like at a doctor's office or pharmacist. Why would you think it would be applied to your case where you and your coworkers (who all have equal access rights to the computer) are in a room together?
Don't you just love security products designed by people who don't ever think about how they can be bypassed? Or test them in real user environments?
make imaginary.friends COUNT=100 VISIBLE=false
I've been using a program with ubuntu for a year or so now that you just connect your phone and laptop with bluetooth and then tell it to lock/suspend/logout when the phone gets X feet away. Works great as long as you keep your phone in your pocket at all times.
Orwell was an optimist.
Companies who make security should really have two teams:
- Team A in charge of security
- Team B in charge of defeating/bypassing security
There's an exploit for it already: stickers.
It can also be programmed to simply lock the session.
It must have been something you assimilated. . . .
I wonder if it can also be used to prevent teenagers from using the PC. Ref: "Mosquito Repels Youths" http://www.cbsnews.com/stories/2005/12/05/earlyshow/living/main1095665.shtml
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
This keyboard is so great that I am now even more likely to forget my sessions open on computers that aren't equipped with it compared with before.
It's not terribly unreasonable to expect some cooperation from the people you're trying to protect. If you have locks on your building at night but people keep propping the door open, you don't look for ways to defeat the door propping, you go beat heads and tell them to knock it off.
The only time it makes sense to get involved in a forced-security escalation war is when you're dealing with a mob of minimum wage workers that care more about their job being easier today than being there tomorrow. (been there done that, two words: "wire ties") Professionals should behave like professionals and not intentionally break the rules because they're inconvenient.
But if you're making it unreasonably inconvenient for an inequitable increase in security, then you're just plain being a BofH and need to start considering the people you're supposed to be supporting.
I work for the Department of Redundancy Department.
Yeah, this seems to be a bit short sighted. The idea is not even really sound. (da-da-ting!)
I got here through a series of tubes
#!/bin/bash
#
#####
# Use 'hcitool scan' to find the MAC address of the desired bluetooth device
MACADDR="00:00:00:00:00:00"
# 'hcitool name' prints the device name, or nothing if the device does not answer
STATE="$(hcitool name "${MACADDR}")"
if [ "${STATE}" = "" ] ; then
    echo "Bluetooth device not found at startup. Exiting..." >&2
    exit 1
fi
# Pick the lock/unlock commands for whichever screensaver daemon is running.
# Note: 'cut -c49-' assumes the command column of 'ps -ef' starts at column 49.
LOCK="UNSET"
CHECK="$(ps -ef | grep gnome-screensaver | grep -v grep | cut -c49- )"
if [ "${CHECK}" = "gnome-screensaver" ] ; then
    LOCK="gnome-screensaver-command -a"
    UNLOCK="gnome-screensaver-command -d"
fi
CHECK="$(ps -ef | grep xscreensaver | grep -v grep | cut -c49- )"
if [ "${CHECK}" = "xscreensaver" ] ; then
    LOCK="xscreensaver-command -lock"
    UNLOCK="xscreensaver-command -deactivate"
fi
if [ "${LOCK}" = "UNSET" ] ; then
    echo "Supported screensaver not running" >&2
    exit 2
fi
SLEEP_TIME=15
# Enter main loop: lock while the device does not answer, unlock when it does
while true ; do
    if [ "${STATE}" = "" ] ; then
        ${LOCK}
    else
        ${UNLOCK}
    fi
    sleep ${SLEEP_TIME}
    STATE="$(hcitool name "${MACADDR}")"
done
exit 0
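A variation on the polling idea discussed in this thread, added here as an example and not written by any poster: it locks only after several consecutive missed polls, so one dropped Bluetooth reply does not lock the session, and it never unlocks on its own, leaving that to the screen locker's normal prompt. `MISS_LIMIT`, `LOCK_CMD` and the function names are assumptions made for this sketch; `hcitool name` and `xscreensaver-command -lock` are the commands from the script above.

```shell
#!/bin/sh
# Added example, not code from the thread. MISS_LIMIT, LOCK_CMD and all
# function names are made up for this sketch.

MISS_LIMIT=3                            # consecutive failed polls before locking
POLL_SECONDS=15                         # worst case before a lock: 3 * 15 = 45 s
LOCK_CMD="xscreensaver-command -lock"   # lock command taken from the thread

MISSES=0      # failed polls in a row
ARMED=1       # 1 = a lock may be issued; cleared once a lock has been issued
ACTION=none   # result of the last poll_update: "lock" or "none"

# poll_update SEEN   (SEEN is 1 if the token answered this poll, 0 if not)
# Updates MISSES/ARMED and sets ACTION. There is deliberately no unlock
# action: a returning token only re-arms the watcher.
poll_update() {
    ACTION=none
    if [ "$1" -eq 1 ]; then
        MISSES=0
        ARMED=1
        return 0
    fi
    MISSES=$((MISSES + 1))
    if [ "$ARMED" -eq 1 ] && [ "$MISSES" -ge "$MISS_LIMIT" ]; then
        ACTION=lock
        ARMED=0   # do not re-issue the lock every poll while the token is away
    fi
}

# replay SEEN...   Feed a recorded sequence of poll results through
# poll_update and print the 1-based poll numbers at which a lock was issued.
replay() {
    MISSES=0
    ARMED=1
    poll_no=0
    locks=""
    for seen in "$@"; do
        poll_no=$((poll_no + 1))
        poll_update "$seen"
        if [ "$ACTION" = lock ]; then
            locks="${locks}${locks:+ }${poll_no}"
        fi
    done
    printf '%s\n' "$locks"
}

# token_present BT_ADDR   True if the device answers a name request.
token_present() {
    [ -n "$(hcitool name "$1" 2>/dev/null)" ]
}

# watch_token BT_ADDR   Poll forever and lock when the token stays away.
# The screen locker's idle timeout should stay enabled as a backstop.
watch_token() {
    MISSES=0
    ARMED=1
    while true; do
        if token_present "$1"; then
            poll_update 1
        else
            poll_update 0
        fi
        if [ "$ACTION" = lock ]; then
            $LOCK_CMD
        fi
        sleep "$POLL_SECONDS"
    done
}

case "${1:-}" in
    --watch)
        watch_token "${2:?usage: $0 --watch BT_ADDR}"
        ;;
    *)
        # Constructed poll sequence: two single dropouts, then two real absences.
        echo "lock issued at polls: $(replay 1 1 0 1 0 0 0 0 1 0 0 0)"
        ;;
esac
```

Raising `MISS_LIMIT` trades fewer false locks for a longer window in which an unattended session stays open.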
Far too often, however, the problem comes not in whether you can properly educate your users/punish them for non-compliance, but whether you, as an IT entity, have the power to do so. If you do, awesome, but if you don't have the favor of the high muckity-mucks, phrases like "3 strikes" are going to get you stricken from the payroll records. This is particularly a problem in educational or medical environments, where profs/docs rule the roost, have for years, and aren't particularly interested in you coming in and changing things.
The point being, you sometimes have to pick your battles. A device like this is potentially a good way to avoid a particularly nasty battle, if it allows for increased security without having to constantly berate the people who have the ear of your CEO/Board of Directors/Dean.
They usually do.
However Team M (managers) never let the two teams mingle, or even know each side exists.
Look at HBGary for more information. They never bothered to look at their own systems, or audit their own processes for flaws.
i thought once I was found, but it was only a dream.
I guess this will put a stop to that!
What is the program? And is it available for Windows and Mac? I have always wondered why more companies don't use the wireless token. It gives the user all of the convenience of leaving their computer unlocked, and gives the Administrator more security than expecting users to make their jobs harder. The cost isn't large. A phone based wireless token system like you say you are using would be a better solution in many situations. The battery issue would be pitted against people leaving the token on their desk when they went to lunch.
In my office, it's typical for someone's workstation to be vandalized by employees if left unattended AND unlocked.
alias cd="you suck"
Of course people get much more creative. We had one guy get over 40 entries added to his local host file and his mouse buttons reversed.
Inactivity timers fail easily. 5 minutes is enough time for a nurse to get called away, walk up to her terminal, do something and walk away. For such a timer to be secure in a high secure environment you need it to be 30 seconds long, at which point it is more of a hassle.
The best so far is the id/RFID tag to login, logout when out of range. To log in the card must be present and a finger scanned.(two factors), every 15 -30 seconds the computer checks the proximity of the RFID tag or it logs you out.
If you want even more security embed the RFID tag in the wrist of the user.
i thought once I was found, but it was only a dream.
Maybe try not overworking them to the point where they're exhausted after you've laid off 1/3 of the workforce in a "cost-cutting" move and expected the remaining 2/3 to pick up the "slack" even though your company has earned record profits and has paid a huge bonus to the new CEO who decided on the "cost-cutting" measure. Having employees that are underpaid, overworked, having their benefits reduced, monitored with cameras and keyloggers, are allowed two bathroom breaks a day, and who have just had their health benefits cut back to the point where they're paying three times as much every month out of their pay checks with a new $5000 deductible and yearly cap on benefits so that if they were to get sick they'd be wiped out (and who know you'd fire them anyway if they got sick) might not be the best situation when you're looking for "zero-tolerance" in the security area.
Any employer who talks about a "3-strike system" really needs to see their facility shut down in an old-fashioned strike and then have someone strike them across the forehead with a rotting fish.
And anybody who works in IT, probably as a low-level end-user support functionary for minimum wage, who would recommend to management that they institute a "3-strike system" because they're so deficient in real security (because they're paying $11.00/hr to their tech workers after all, so what do you expect?) needs to have a stone tied around their neck and be cast into the sea by the rest of the employees (who can't stand the guy anyway because he's got horrible hygiene and never seems to be able to solve any of their computer problems anyway).
And "intellitech"? Seriously, fuck you for even thinking that some low-paid clerk ought to have a "3-strike system" just because you can't figure out how to do real security.
You are welcome on my lawn.
Inactivity timers fail easily. 5 minutes is enough time for a nurse to get called away, walk up to her terminal, do something and walk away. For such a timer to be secure in a high secure environment you need it to be 30 seconds long, at which point it is more of a hassle.
Please read my post - I was responding to the poster that said he has a PC in a room with 8 other employees, he's not a nurse in a patient's room:
A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.
Isn't a simple inactivity timer just as effective? Just set your PC's inactivity timer to whatever you'd set your motion sensor inactivity timer to (5 minutes, 10 minutes, whatever) and you've removed most of the threat of computers running unattended all day without the added complexity of a motion sensor (which, if it works as well as my office light sensor, will lock your computer out 5 times a day until you jump up from your chair and wave your arms so it can see movement).
I guess the point I was trying to make (but was remiss in not stating it plainly) is that there are different solutions for different environments. It's pointless to look at a solution for one person's environment and say "Bah! That's stupid! It would never work in my (completely different) environment."
It's not the user's work. It is the company's work. I would fire any administrator that suggested we destroy the company's work as a punishment to users that didn't do what we wanted. OK, I wouldn't fire them for suggesting it. I would point out how they are suggesting that the company's property should be destroyed. Then if they implemented it, I would fire them.
Better yet, set the wallpaper to "LOCK YOUR WORKSTATION", rather than something NSFW. The former is not something you'd get in trouble for having/creating, whereas bringing NSFW stuff into work is, by definition, not safe.
Would tape/a postcard/stickers/etc. really stop sonar? It's obviously the first thing I would try. This keyboard really looks like a waste of money unless the administrators are going to write up anyone found trying to work around the keyboard's security, which wouldn't be ideal. This seems like a keyboard more for a company where everyone understands how important security is, and is just for when you forget to lock your screen. It only takes one temporarily absentminded user to create a security hole. So, I think it's a good idea to create hardware/software precautions, just in case. But it sounds (from prior posts) as though this sonar keyboard can be hacked, which makes it useless. Also, how secure are fingerprint scanners, really? Do the hacks from the movies really work on those?
You can discover more about a person in an hour of play than in a year of conversation. -Plato
Occasionally the director here will wander through and look for machines that have been left unlocked and unattended. Email is a big part of what we do, so since I started working here we've seen a couple emails sent to our department's mailing list stating more or less "Hi, I have left my computer unattended and am posing a security threat to this University."
That mailing list goes to about thirty people, all of whom are more than happy to berate and tease one another. There was never a formal punishment or even a direct scolding from the director afterwards, but it made enough of an impact to make it a one time issue for the people involved. At this point, locking the machine is as much a natural part of leaving my cube as is getting out of my chair. I'd say it worked - I certainly wouldn't want that kind of attention.
I changed the wallpaper picture of a colleague to hello.jpg once and hid it under a maximised application.
Then the colleague and his boss walk in, the colleague minimises the application, hilarity ensues. Needless to say that the colleague has always locked his workstation after that.
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
Or, even better, use a script on startup that checks every x minutes to see if a folder exists on the desktop, and if not, create it. That way they can keep deleting the folder, but it will keep coming back. AutoHotKey can even be used to simulate your "Optional" step. I have an AutoHotKey script that moves my mouse a single pixel every minute to keep my (password protected) screensaver from coming on whenever I'm at my computer but not actively using it.
SIG FAULT: Post index out of bounds.
Me, too.
But I'm not a duty nurse who might be on the other side of my cubicle grabbing a file to get a single bit of data off it when I get a code blue. Do I take the two steps back to my desk and tap "WinKey-L" or run in the other direction to get the crash cart?
Is that even a decision?
If I were a duty nurse, a system that locks my workstation when I step away further than the bounds of my cubicle would seem to be ideal. I get to turn around and answer the phone or answer a quick question from a patient or doctor, and turn back and not have to log back in each time, so my normal workload proceeds efficiently. However, when I have to jump up and dash away, I can focus on what I absolutely need to be doing (running like hell for the crash cart), rather than what the computer needs me to do (lock it because it's too stupid to figure out I've left the area).
Think about choosing a relatively secure password and having to enter that password every time you had to turn around (on a job that you spend a lot of time turning around). You'd very quickly figure out some sort of workaround to keep the computer unlocked rather than have to type your password 200-300 times during an 8-hour shift. Either that, or you'd be fired for gross inefficiency and replaced with someone who was clever enough to find a workaround.
Breaches are rare. Logging out and in happens every few minutes. What do you think the average desk nurse's priority is going to be? Can you blame them?
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
I use Proximity on the Mac. It lets you run an Applescript when your phone comes in range, and another when it goes out of range.
I successfully used http://code.google.com/p/reduxcomputing-proximity/ for this purpose under OS X. Have not looked to see if there's something for Windows.
Slay a dragon... over lunch!
Trusting the summary to be accurate is an even worse idea. TFA talks about LOCKING the workstation, not logging it out.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
The simple fact of the matter is, if it's often enough to be annoying, they won't like the automated system either, and they'll find ways to defeat it. Compared to the hassle of typing the password to unlock it when you get back, it's not really that inconvenient to hit Win-L as you're leaving.
Why not just a USB transducer?
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Humans also get distracted fairly easily, and can't always predict when. "Just stepping away from the computer for 15 seconds" can easily become "get dragged into something and come back half an hour later".
Which is why humans have little place in any sort of efficient workspace and should be replaced...
It doesn't have to log you out all the way, just switch to a login screen while maintaining your session. It seems that kind of thing, with something to automatically detect whether you are at the computer, would be perfect. Set it up so it recognizes your cell phone and can log you in as well as out.
In the end we went with the automatic lock, the cost and bother of using other methods didn't justify having to use them. We set all the easiest to access computers to 1min, and every other computer to 5mins.
I don't need to test my programs.. I have an error correcting modem.
A more useful system, IMHO, would be one that automatically logged off every PC in a room after a motion detector noted a period of inactivity. We do have issues where people leave for the day, go into another area or just close the door and leave systems up. That's a much bigger attack surface than leaving a PC logged in with 8 other employees wandering around.
That's true for some situations but a lot of the time companies are more concerned employees don't "see" information they are not cleared for (payroll, contracts etc) or place requisitions using someone else's ID. Users with different levels of clearance / departments share work areas in a lot of companies (open plan offices were tres chic for a while) plus a lot of software uses audit stamps to track who entered /edited what.
Ultimately, I suspect the users will defeat any attempt at "security" if the measure hinders them (complex passwords that end up on sticky notes stuck next to keyboards, swipe cards left next to workstations, secure doors taped open... usual stuff).
Although if this gadget just locks the workstation and a finger print swipe can unlock it instead of keying in a complex password or having to rummage around for your swipe card... nah, it still requires additional effort.
BM3
The only real issue with this is that if you don't regularly require bluetooth, leaving it turned on in your phone is an unnecessary drain on the battery.
btprox is overrated, tried it and found I could walk nearly anywhere in the office and the computer wouldn't lock, bluetooth has too large a range for this.
Your hair look like poop, Bob! - Wanker.
Actually, I was thinking about hospital work. In the real world, we don't just jealously hunch over our screens, blocking access with our heads. Walking through the nurses station I can see a half dozen screens and I was truly arsed I could read everything on all of them. The data is never that sanitized since most of us are working on the same patients and anyway have the same applications at our station.
What I worry about is a PC left on in a side room which isn't staffed continuously and some bored teenager gets drawn to the Glow of God. Auto shut down in that scenario makes a lot of sense. Not so much if I just get up off my chair. A token system would be nice but we need something that keeps everyone from keying their usernames / passwords in a dozen times a day.
Faster! Faster! Faster would be better!
True, but a system that detects when someone has actually left the area would be useful.
I don't think this SONAR system is it, mind you, but there's probably something that is. RFID chip on their badge seems like a real possibility, for example.
I don't think many people would complain if they had to log back in once they've actually left their desk area (especially if the login could be a quick fingerprint scan coupled with the close presence of an RFID chip in their badge).
But if you've ever watched a duty nurse for any period of time, you know they don't spend a lot of time sitting right at their computer (but they do spend a lot of time working on their computer, just interrupted by lots of little events like "get up and grab a chart from the desk", "answer the phone", "give directions to a family member of a patient", "turn around to grab a printout to hand to someone", etc). My point is, having to unlock your workstation after each one of those interruptions is going to be ridiculous.
And it's going to happen - you're going to be near the exit of your workstation grabbing a chart for data entry when code blue goes off. No human being in their right mind would take the time to go hit Win-L.
If the duty nurse is within the bounds of their cubicle or workstation, locking the workstation is inefficient and serves no useful purpose. They are RIGHT THERE. No one can access the computer without them knowing it, and if they want someone else to have access to their computer there's little point in trying to use technical means to prevent it.
If the duty nurse leaves the bounds of their cubicle or workstation, locking the workstation is essential, immediately. The nurse should not have to think about it. It should just happen.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
I think some kind of body/facial recognition software with a webcam might be a nice cheap way to do it. Whenever the program detects that the user has left their chair, lock the session.
which is totally what she said
Unless your camera can detect depth, I'm pretty sure that kind of security is easy to bypass. See Columbo And The Murder Of A Rock Star.
Isn't a simple inactivity timer just as effective? Just set your PC's inactivity timer to whatever you'd set your motion sensor inactivity timer to (5 minutes, 10 minutes, whatever) and you've removed most of the threat of computers running unattended all day without the added complexity of a motion sensor (which, if it works as well as my office light sensor, will lock your computer out 5 times a day until you jump up from your chair and wave your arms so it can see movement).
Actually, that's not a half bad idea if I can get one to work in XP. I'll have to look around for that.
So your employer won't install a smart card system, but will install motion sensors linked to your computers?
No, they won't do either but the smart card system has been nixed for the moment because various ancient bits don't work with any we've looked at and / or are too expensive (too expensive being a rather low bar). Many of the rooms already have motion detectors on the lights as an energy saving strategy. It probably would be relatively easy to tap a signal off the detector (or even just use a light detector) and then build a box that pretends it's a UPS to tell the computer to shut down or restart. But nobody is going to let me build things and attach them to hospital computers. They're crazy but not particularly stupid.
And don't get all excited. Of course there is no one size fits all (unless you use Apple things). I might actually show the thing to our IS folks to see if it raises their pulse rates. They like shiny toys to play with and they're tired of the iPad they bought last month (CEOs being the clueless creatures that they are....)
Faster! Faster! Faster would be better!
I'm sure that would work GREAT in a hospital setting where a nurse keying in data has to jump up and run down the hall to a patient who is crashing..... and then gets fired because she forgot to log herself out on 3 occasions. /sarcasm
Used to do healthcare IT. I wrote a gizmo that would clear the user's Kerberos ticket when they walked away for more than, I think, 15 seconds, using a serial/IR dongle taped to the top of the monitor. The nice thing about the Kerberized sessions were that lacking a ticket one could not proceed, but it didn't log the user out of the application either. So, a nurse running for a code blue could resume by typing in her password when she returned.
A prototype was as far as it got - automatic flush toilets were new in the building (late 90's) and everybody in the clinical applications group called it the auto-flush feature, so it never went anywhere. Real mature group, I quit after being asked to trade patient safety for reduced license costs.
My God, it's Full of Source!
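The walk-away timeout described in the comment above (drop the credential after more than about 15 seconds of absence, require the password on return), as an added sketch that is not the commenter's code. The class and function names, the `on_lock` hook, the sensor-silence rule and the sample readings are all assumptions constructed for illustration.

```python
class PresenceLock:
    """Lock once the user has been continuously absent for `grace` seconds.

    Presence alone never unlocks: after a lock, only unlock() (called once
    the user has re-authenticated) re-arms the session.
    """

    def __init__(self, grace=15.0, stale_after=5.0, on_lock=lambda t: None):
        self.grace = grace              # seconds of absence tolerated
        self.stale_after = stale_after  # sensor silence treated as absence
        self.on_lock = on_lock          # hypothetical hook, e.g. run kdestroy
        self.locked = False
        self._absent_since = None
        self._last_sample = None

    def sample(self, t, present):
        """Feed one sensor reading taken at time t (seconds)."""
        self._last_sample = t
        if present:
            self._absent_since = None   # short interruption ended, reset timer
        elif self._absent_since is None:
            self._absent_since = t      # absence starts with this reading
        self._evaluate(t)

    def tick(self, t):
        """Call periodically so an unplugged or dead sensor fails closed."""
        last = self._last_sample
        if (last is None or t - last > self.stale_after) and self._absent_since is None:
            # Count absence from the last confirmed presence, not from now.
            self._absent_since = t if last is None else last
        self._evaluate(t)

    def unlock(self, t):
        """Re-arm after successful re-authentication at time t."""
        self.locked = False
        self._absent_since = None
        self._last_sample = t

    def _evaluate(self, t):
        if (not self.locked and self._absent_since is not None
                and t - self._absent_since >= self.grace):
            self.locked = True
            self.on_lock(t)             # fires once per lock, not per reading


def replay(events, grace=15.0):
    """Replay (time, present) readings; present=None is a tick with no reading."""
    lock_times = []
    ctl = PresenceLock(grace=grace, on_lock=lock_times.append)
    for t, present in events:
        ctl.tick(t) if present is None else ctl.sample(t, present)
    return lock_times, ctl.locked


# Constructed sensor traces (seconds, user detected?)
BRIEF_ABSENCE = [(0, True), (5, False), (10, False), (14, True), (20, True)]
WALK_AWAY = [(0, True), (5, False), (10, False), (15, False), (20, False), (25, True)]
SENSOR_DEAD = [(0, True), (3, None), (8, None), (16, None)]
```

In `WALK_AWAY` the user reappears at 25 s but the session stays locked, which is the property that lets someone who ran off resume with a password instead of a full login.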
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
try understanding the needs of your users before throwing "solutions" at them.
My practice is to decant the solution, then throw the precipitate at them. Less wasteful.
The tech doesn't have to be quite so "high." You just need a magnetic receptacle at the terminal. Attached to your belt, on a tether, is a little magnetic bead. When you sit down, you put the bead in the receptacle and the terminal activates. When you get up and walk away the bead pops out and the terminal locks.
They've had this kind of thing on watercraft forever. If you're thrown from the boat, the tether pops and the ignition cuts.
If it was only responsible for locking rather than unlocking, and it locked within seconds of you standing up, then it would be pretty effective I'd think. You can detect depth of a sort simply by the size of the body, but we may all have 3D webcams in a few years anyway.. depends whether the fad turns out not to be a fad this time.
Plus, I would probably still hit ctrl-alt-l when leaving my desk anyway, this would just be a backup measure.
which is totally what she said
I think a lot of the forgetting has to do with the multi-step lock process that most people seem to be taught (Control+Alt+Delete then "Lock") rather than pressing Windows + L
My techie alternative to this (techie, as opposed to 'office drone with phillips screwdriver skills') was when I wired my power supply into the Z axis of a co-worker's oscilloscope, using a long wire that reached to my bench. Then, I could dim or brighten his 'scope by simply adjusting my power supply's voltage. Those were fun times. That was back when there was one computer in the lab, a shiny new '286 machine. We tried to lock it once using the lockswitch on the case. Someone who wanted 'in' used one of those spring loaded center punches, which blew the keylock away, unlocking the system.
Which brings me to the main point of this post: those spring-loaded center punches are great. When you encounter a keyboard with a sensor such as the one in this article has, give it a little encouragement to comply with your wishes. You want the sensor, of course, to die quickly and with little fuss or effort.
I have way too many things open to be logging out all the time --- it's a royal pain and I lose too much state, so I just lock the screen when I leave. It was easy to build the habit as for a while I had a co-worker who was a joker who had a warped sense of humor, so I was careful to make sure he never had a chance to screw anything up. It's now a reflex...
Far too often, however, the problem comes not in whether you can properly educate your users/punish them for non-compliance, but whether you, as an IT entity, have the power to do so.
It sucks to work in places where the IT flunkies have that much power. It leads to all sorts of problems, like them spending too much time running around being thuggish, when they could be changing the toner in the Ljet4 up on third floor, like they're supposed to.
Why can't they just make a simple, reasonably-sized USB proximity dongle that sends a Windows+L keystroke (instead of using stupid third party "lockscreens").
Bow before me, for I am root.
Sweet. I've been looking for a better way to time bathroom breaks (monitoring cam footage is tedious).
Additionally, depending upon the implementation you can also cope with situations where one might fool the keyboard into thinking you're still there, when what really happened was the nurse got knocked out or you were in the vicinity as she left. Of course wireless tokens aren't perfect either, but at least they take some savvy and equipment to duplicate.
That never fails to surprise me, even though there are keyboards out there that are designed to take a bath or a quick rub down well.
Isn't a simple inactivity timer just as effective?
Actually, that's not a half bad idea if I can get one to work in XP. I'll have to look around for that.
It's called a screensaver, with the 'password protect' option. Even Microsoft puts one of those on their default system installation.
Ask me about repetitive DNA
For Linux, install blueproximity. Very useful.
Dilbert RSS feed
How is this solution better than a screensaver with the 'lock after X mins of inactivity' option?
Ask me about repetitive DNA
The badge will be left sitting on the keyboard and fingerprint scanners can be fooled by a simple black and white photocopy of the user's fingerprint. What little improvement the vendor may or may not have provided with the sonar feature was quickly eliminated by the introduction of convenience features made to alleviate what would obviously become tedious shortly after installation.
If the data truly needs that kind of security the answer is simple. When the inactivity time limit is reached and the machine is locked, a supervisor needs to be notified, and incident filed. The manager should have to find the machine and verify that no one is there illicitly using the station and then follow up with the employee, possibly with formal documentation. Employees would learn to lock their computers almost immediately.
At my workspace we use the much simpler method of policing ourselves. When we see someone's walked away we quickly send out an email on their behalf declaring they will be bringing the donuts tomorrow. I'm sure many other shops do the same as it works quite well.
Do you mind posting a link to the wireless token product in question? I've been working on one myself, and I'd love to know what's out there already. Thanks!
"In our tactical decisions, we are operating contrary to our strategic interest."
I set that up a while ago, I like it.
However it's easy to defeat the unlock portion by cloning someone's bluetooth device ID.
If you have a wireless token why not use it to better effect - locking and unlocking the terminal display as and when you are in or out of range. Saves a bit of hassle logging in all the time.
Starbucks, Harbuckle of Breath.
I guess some employers just don't want to strike their employees once, let alone three times...
Being crazy with hygiene isn't the same as "working hard to reduce infection rates", apparently.
One that hath name thou can not otter
If it turns out not to be a fad - stereoscopic(*) images of your face would be easy enough to come by in such case... and they could be also quite easily used to fool stereoscopic webcam.
(*not "3D"; but it would be similar with more "real" 3D - if, say, Kinect-like controllers would become popular - ...plenty opportunities to get a hold of your "mold")
One that hath name thou can not otter
Simply instruct your employees on the importance of not leaving a workstation unsecured (i.e. locked, logged off, etc.). Use a 3-strike system, if you must. There really shouldn't be a need for such fancy equipment.
If that would work, it would have worked by now. It doesn't. We can skip all the philosophical discussion about why and how and bla bla bla. The real world provides us with the evidence that this solution does not work, and that really is all there is to it.
Assorted stuff I do sometimes: Lemuria.org
It doesn't even have to recognise individual faces, just recognising any body being in the chair, and lock if that body leaves the viewable area or gets beyond a certain distance. You'd notice anyone else sitting down in your chair at that point.. and like I said I think it would be nice as a backup option for if you forget to lock your screen. Similar to putting a 1 minute screensaver delay or something, but better because you can still not use the computer for a while (say if you're working with paper, or reading something onscreen) as long as you're sitting at your desk.
which is totally what she said
It's called BlueProximity, so it's probably the exact same thing that ceoyoyo is talking about.
Orwell was an optimist.
I agree that it would be handy if you were already conscious of security. The tendency though is almost certain to be using this instead of being conscious of security, to force security on people who didn't want it in the first place.
I took it as "also" - because stereo isn't required / wouldn't help much in determining if somebody is sitting at the desk (by itself it doesn't distinguish from a nice comfy chair...); it would have to go through constant face and body detection anyway, which work in "2D". Still probably resulting in enough "false"(*) negatives to annoy people...
(*)not really false, it's just that we tend to move around the desk much more than we realize (even Kinect-like sensor would have trouble)
Ultimately, technical band-aids to security can only do so much...
One that hath name thou can not otter
Sure, that's fine if no one else needs to use that computer.
I wrote a very small, very simple batch script almost 10 years ago that will run on windows xp and 7 (probably on Vista as well but never bothered testing it as I never bothered using Vista) that will lock the screen of a computer. I simply used the windows built-in task manager to configure it to run after the system was idle for 5 minutes. I found this a very efficient way to protect anything a user might leave open when they step away from their terminal. If 5 minutes is too long for you, you can give task manager a shorter time frame too. Very simple, very direct and requires no special hardware that can foul up things.
...quicker, easier, more seductive the darkside is...but more powerful, it is not.
Ah, but the beauty of an RFID system is that the user doesn't have to be conscious of security. If they need their badge to access everything, they'll have their badge with them. Once they leave their office, the computer is locked.
So the computer remains useable while an authorized user is right there and can monitor it, and locks itself when it doesn't have an authorized user present.
Conscientious users can still lock their own workstations when they know they won't be using it for a while, but this covers sudden urgent departures (or non-conscientious users).
Added bonus: In addition to helping fill a security gap, it also allows you to monitor for non-conscientious users and "remind" them that they need to be locking their workstations using whatever policies you choose.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
Any autolog out system will invite people to make use of it. Therefore, another unauthorized person could jump into the session before the timeout occurs and the rest will be "Unauthorized access".
Leslie Satenstein Montreal Quebec Canada