Well I think that John summed it up pretty well. I have been the sysadmin for all of the libraries in Vermilion Parish for three years now, so I think I have a good insight into this issue, and I have to agree with John on this one.
Before I begin my rant, let me begin with some insight into our computer usage. Last month we had people use our public computers 3,201 times. I find this to be a good bit of use for our public computers for just one month. Keep in mind that many of these are repeat patrons who are in there every day. Just figured someone might like to see an actual figure. When it comes to things like this and libraries, you really should spend a couple of days in the library just watching and understanding the market you are pusing this too. "Get to know your customer" Public libraries don't harbor the particular demographic that you would think. I think I have only come across two real computer geeks that have come into the library in the last 3 years I have worked there (not including the ones I have invited to stop by). I would have to say that probably about 80% of our computer users are within walking distance, and we are located in a lower income neighborhood. Sure It's easy to "say" patrons want their own account and drivespace and it would be wonderful and gumdrops would fall from the heavens, but the reality of the situation is that most library computers cater to lower income patrons who don't have computers and who don't really understand computers to begin with. I have seen one lady come in to try to sell a car on ebay because a friend told her to try that, but she had NEVER touched a computer before and expected ME to show her how to do that from start to finish (starting with how to use a mouse). I have had patrons come in and complain about anything and everything you can image when it comes to public computer access, from rights and freedoms and privacy, to how often they think I should defrag the computer even though they are running off of an image using centurian guard and the image gets blown out every time the system reboots. People just want to come in and do random stuff on a machine and they want it to work correctly all the time every time. Forget the fact that the computers have been up for six moths straight with no problems, if it is down during their half hour, I'm not doing my job. Like John said, they just want to do these things: word processing, email, and surf. I can also say that they like to do yahoo chat, "try" to look at porn, print everything they see, with topics usually ranging from pokemon to 50 cent to wwf to anime to song lyrics. They don't care how they can do it, just that they can do it. The only time I have trouble with a patron is if they have enough knowledge about the machines to get themselves in trouble. These are the ones that only understand enough about computer to try to aggrivate and one up you and nothing you can tell them will make them understand that how the internet really works, or why it is better NOT to run 3 antivirus programs at once. They just will not listen. I couldn't imagine giving them a shell account, I'm not even sure I want some of them using a calculator. These are the people that you deal with on a daily basis. At the most we have about 10 regulars that we see on a daily basis who come in a use the computer for the purposes stated above. We see some people so often that they should just punch in and get a check. I would rather not have to deal with giving them a user account and drive space, because I'm afraid that they will sue me if their stuff accidently gets deleted or hacked. (just a side note:PEOPLE SUE FOR ANYTHING AND EVERYTHING THESE DAYS) Let me also state that I didn't go to library school and don't have a masters in library science (although I do have a degree in networking), I'm just a computer geek in the middle of Library Land. Believe me, until you WORK in a library you can't possibly understand (Johns wife could probably back me up on this one) I know I didn't. I'll also comment inline below. Adam J. Melancon Systems Administrator Vermilion Parish Library http://www.vermilion.lib.la.us >From: John Hebert <[EMAIL PROTECTED]> >Reply-To: [email protected] >To: [email protected] >Subject: WARNING: Long and boring rebuttal to Will was Re: >[brlug-general]Library switches to Linux! >Date: Sun, 9 May 2004 11:32:03 -0700 (PDT) > >--- Will Hill <[EMAIL PROTECTED]> wrote: > > Sure, John, I'm serious. Let's weigh the gains and > > the risks. Let's also > > look at some countermeasures for the risks. > > > > What can be lost? In a world full of cable modem > > zombies, show me the harm of > > someone taking over another computer that happens to > > be in a library. > >Among the myriad reasons, the most important would be >that the library would be legally responsible if it >knew its boxen were hacked, did nothing, and then >further damage were caused to machines outside the >library's network, or a user's private data >compromised. Yep, we would probably be held responsible for all of that. > > > Specifically, what new risk would you expose the > > patron to? > >Privacy of data for one. A compromised system could >easily have a keylogger installed. Any passwords typed >into even an SSL browser window would be compromised. >The library is liable for services they offer. > > > Because of poor > > current security, I imagine that most libraries > > already have compromised > > systems. > >Your imagination would be wrong. From my experience, >most library's public PC networks are not compromised, >and if they are, they usually get more than a little >concerned about it and do something pretty quick to >rectify the situation. We have a couple of sysadmins >for public library computer networks on this list; I'm >sure they would agree. > Library sysadmin here! My systems have never been compromised. Of course I may be the exception and not the rule, but I pride myself on avoiding hackers, viruses, worms, and the likes. > > People like John Ashcroft already think > > they own the information. > >I'm no fan of Ashcroft or the PATRIOT Act, but facts >usually work better than invective hyperbole. You have >any facts to backup your assertion? > > > Patrons worried about their privacy are welcome to > > use the guest account. > >So, they would have to limit themselves to anonymous >surfing or app usage. However, if the hax0r is >physically in the library, they could visually >identify the user and could tie surfing habits >(captured via tools on compromised system) or >generated app data to a person's identity. In a public >setting, using compromised systems, guest usage is no >guarantee of security. > > > If > > you are worried about gaining the ire of publishers, > > you are too late because > > they already hate libraries. > >They do? That's news to me and any library system. >Again, do you have actual facts to back up this >questionable assertion? My wife is a librarian and she >receives plenty of catalogs in the mail from >publishers, asking that she buy their wares for her >library. > Ditto, I get those all the time too. Plus we get good deals for being a library since we either fall under local government or an educational institute. > > What I propose is much less difficult than posting > > to the world at large. I'm > > talking about a system limited to people who have > > actually walked into the > > building and proved their residence nearby. > >I see your point that it would be cool to offer a >Linux distro for public library computer with user >data persistance and access to lots of neat apps. But >doing it securely is damned hard. > You also have to remember that we also deal with alot of people passing through town who just want to check their email. Most people like just signing up for the 30min session and moving along. Patrons don't want to prove where they live to use the computer. In Vermilion, you don't even have to have a library card to sign up for a 30min slot for computer use. Still this brings me back to the fact that most of the people who use the computers at the library DON'T HAVE COMPUTERS OR COMPUTER SKILLS. They don't want or need accounts, they just want to chat and print. > > What is to be gained? Lots. The services I > > mentioned would be a real benefit > > to library patrons. > >More would be lost, in time maintaining the system in >a secure fashion. Your point of not maintaining >security at all would simply lead to that library >appearing in a lawsuit as a defendant, therefore lots >of $$$ would be lost by the library. > How would this be a benefit to patrons if they don't need it. Remember, most have never touched a computer for more than 2 hours and just want the basics. No more no less. Just get me on the net and let me print. > > This is the kind of computing > > that people are coming to > > expect. It is going to be delivered. > >I think you have a better future as a marketer than a >sysadmin. Most of the application services you are >talking about are already being delivered. Yahoo! >offers a number of PIM type services, which I use. >Here are some others: >http://dmoz.org/Computers/Internet/On_the_Web/Web_Applications/Personal_Information_Managers/ > This type of computer service has a time and place, but not for this demographic of people. Maybe in Houston or Baton Rouge, but not in most of the rural libraries in the state. I don't even think Lafayette could benefit from this. I can probably equate this with saying that the people who walk to the library expect valet service. Now I did roll out free 802.11b wifi service in the library, but the main people I have seen use this is the people who are traveling, or lawyers. Most of our patrons don't even know what wifi is. >My point is that it is more cost-effective for the >library to offer access to services, not services >themselves. > >Asking a library to maintain computer accounts is more >effort than it is worth; considering the issues of >privacy and security, and the legal liabilities >associated with those services. In a better world, >libraries would have lots of funding to build solid >and secure computer networks and pay a staff of IT >admins what they are really worth to provide what you >are proposing. In the real world, public library >funding is very limited and the IT staff for an entire >parish's public library system usually consists of 1 >person. > Amen brother... sing it from the mountain tops. I'm the only sysadmin for Vermilion which has 7 branches, but I do run a tight ship and for the most part everything is smooth sailing. It would be cool to have a 2nd tech person on staff, but to be honest I would rather get double the pay. ;) > > One way to protect patron privacy is to not remember > > who has what account. > >Interesting idea, see >http://www.oreillynet.com/pub/a/network/2002/08/02/simson.html. > > > This can be accomplished by remembering that a > > patron has an account but not > > it's name or creation date. The patron could be > > given a temporary name and > > password that they can change with reasonable > > instruction. Anyone breaking > > into the system would need additional information, > > such as cell phone > > location or email contacts, to know what accounts > > belong to what user. > > Anyone who has that much already can break through > > anything I can imagine. > >It is a decent idea but still not totally secure if >the system is already compromised. Again, the hax0r >could be physically in the same location and link the >identity of the person with the person's data. Look at >the other thread LSU's poor state of network security. >A publically, or even semi-publically available >network is usually a nightmare for sysadmins, >especially if it uses Windoze for the user OS. > >When I was at USL (a long time ago), we had Sun boxen >for user terminals (guess they still do), and those >boxes worked great. You could run apps and store data, >though the data was kept on a central server, not the >local machine. Expensive, but SunOS was a heck of a >lot more secure than Windows 3.1 (at that time). The >Sun optical mouse in 1990 was like science fiction to >me! > > > I don't need to put a box outside my firewall. I'm > > sure that the pros can > > already break through anything I put up. I'll bet > > that even yahoos like you > > and Dustin can break through my poor little 486 > > without much effort. > >Then why can't you see that what you are proposing is >a bad idea? A compromised machine means that the >user's data and privacy is also compromised, and since >it is a public environment, their identity is >compromised as well. I think that a person could be >more secure if their home machine was compromised, >because at least their identity would be harder to >determine visually. > > > Help me out, what am I missing? I understand that > > giving people shell > > accounts increases vulnerability. I know that > > sophisticated users can use > > local exploits to gain root. What I don't see is > > the harm in it that merits > > the loss of all that can be had. It seems that a > > system can be designed that > > assumes it will be broken anyway and protect the > > things that will be lost > > before it happens. Giving a shell account to a library patron is like giving a comb to a bald man... there is just not much need for it (no offence to bald people, i'm sure that will be me in a few years). Remeber what I said about most of them "never having had a computer" and "no computer skills". Not to mention the fact that when most average users get on a computer 99% of common sense leaves the imeadiate area. Most of the time they didn't know what to do with the "press ctrl+alt+del to login" and that even comes with a nice pretty picture of a hand pressing the keys. I have had to resort to using tweakUI to autologin the public user account so we would have to stop explaining the ctrl+alt+del to login question. > >Agreed, a system can be and should be designed in this >manner, which was the original point of the >discussion. But my point is that there is not a lot to >be gained by offering lots of applications to public >library users. Most people use these computers for web >browsing, web based email, some word processing and >for younger users; educational software and games. >Allowing users to keep their private data and/or >identity on a public library's computer is more >trouble than it is worth, as there are plenty of web >applications (via SSL) that do a much better job of >this. Public libraries simply do not have the funding >to do it, given the current state of local computer >security on most operating systems (especially >Windoze, but including Linux as well). > >My wife was the sysadmin for the Ascension Parish >Public Library for a couple of years. The setup there >was to restore a default disk image to the public >machines every morning. This took care of a range of >problems: no viruses, no legal liabilities concerning >privacy, software configurations would be returned to >default, etc. And if a machine got screwed up during >the day (being M$ boxen, they did), she could simply >reinstall the image in about 10 minutes. > >In summary: Offering a service to the public means >that offering entity accepts responsibility for that >service. What you are proposing is too expensive for >public libraries to offer at this time to do properly >and not get sued. Blame the poor state of computer >security for this. Which brings me back to "people will sue for anything and everything these days" Well said John! > >John Hebert > > > On Thursday 06 May 2004 07:43 pm, John Hebert wrote: > > > The term "hax0r heaven" comes to mind here. > > > > > > C'mon Will, are you serious? Libraries are very > > > concerned with the legal issues concerning > > information > > > technology and privacy. Linux is not as secure as > > you > > > might think, especially if someone has local > > access to > > > your machine. > > > > > > Let me put it this way: why don't you put one of > > your > > > Linux boxes outside of your firewall and then post > > a > > > message to alt.warez.never.enough.drive.space that > > you > > > are offering free accounts? I'm sure you will > > learn a > > > lot. > > >
