Among a great many other things, I work on computers for people. Something that has always bothered me is that the client has to give me his password(s) for the computer before I can work on it.
That’s a security violation.
The rule [not that we “do” rules, here, of course 🙂 ] is that you never give your password to any body for any reason. Except that the Mighty Computer Industry forget to set it up so that the typical user can follow that rule. Geez…
For an industry so “dedicated” to computer security(1), this seems unconscionable to me. I don’t like having other peoples’ passwords. I have a trained “forgettery” for such matters, but still, it’s asking the client to put a lot of trust in me. And — dare I say it? — not every one who works on computers is worthy of such trust. Alas…
(The problem gets even worse with the new fad: biometrics — a fabulously worse idea than passwords. “Yeah, I’ll need to reboot your computer several times while I’m working on it, so just leave your thumb here, and you can have it back when the job is done.” Yeah, right.)
I have a solution for this problem (sharing passwords, not thumbs). I am very, very disappointed that the industry itself hasn’t implemented this long and long ago, but then the industry doesn’t seem all that concerned with making computers easy to be fixed. In fact, one suspects that they really don’t want computers being fixed. But perhaps that is another issue…
Primary Solution: When a client drops off his computer, before relinquishing it, he sets up temporary account, with full access to the machine but with no existing passwords being compromised. (It could be made VERY simple for the user to do this.) I, the tech, can use that temporary account to gain full access(2) to do what ever is needed. After a fixed amount of time that account expires. Time interval might be set by the owner, in consultation with the tech perhaps, when the temp account is set up, or it might be defaulted to 24 hours, etc.
This is not a total solution, as there are times when the computer won’t even turn on, and creating such an account would not be possible prior to leaving it with the tech.
Other solutions: a built-in, very limited, alternate account that is just good enough to see that the computer will boot up (when the central problem has been fixed), maybe run a few diagnostics. Unlike Apple’s “terminal console” this should *not* allow critical access to the machine’s hard drive, and other facilities.
Or… A thumb drive that comes with the computer or is set up just after pulling the machine out of the box, that allows access to the machine going-around the passwords. You hand it to the tech, and he can get in, without knowing any passwords. There are issues with this one, both ways, but they can be solved.
Or… another variation, the tech has a “tech-only thumb drive” that, when the client drops off his computer, this thumb drive is plugged into any handy computer in the shop and the client punches in his passwords as necessary, preferably with the tech not watching. The thumb drive is then used by the tech to access the computer. Passwords are heavily encrypted, and expire automatically after 48 hours or 3 hours or what ever is realistic in each case.
Not a Solution: don’t even dare to suggest a temporary account can be set up “in the cloud” or some such nonsense. It’s bad enough that Microsoft now requires a Microsoft Account to even turn your computer on the first time (in the “Home” edition of windows, which it isn’t — it’s a small office edition, there is no Home edition, in fact), and that’s a Big Security Flaw right there. (I won’t get into it right now, but trust me, it isn’t for your security that they make you do this.) What happens if it’s the WiFi that has failed on the computer? The Mighty Industry needs to quit assuming that every user has access to multiple Internet-capable devices. It’s only so-so true. What happens when (not “if” but “when”) internet service is down, which happens now and then, in some places even frequently. And so on.
That’s just off the top of my head. There are fiddly details to be worked out, but they’re minor(3).
My point: there are ways to solve this issue. But first the Mighty Industry has to recognize that this is a serious issue, that “tech support” has become the biggest opening for Cyber Terrorism on the Consumer there is (4).
Addressing this issue has the potential to fix both taking your machine to the corner fix-it shop and for handling those phone calls that “need access to your computer.”(5) You let them in only on the temp account.
(And another fix for the problem is to have what ever software that the might-have-been-a-scam phone call used to get access to your computer (the remote desktop software) totally erase all access to the machine by that caller after a given interval or whenever the legitimate user says. In fact, all these remote access thingies should have a Nuke Button plainly visible on the screen, that the user need only click on [or hit a hot-key combination on the keyboard, ’cause the mouse can get locked out to the user sometimes] that will break the connection, change any and all access data and even report that caller’s IP address to the user for possible forwarding to the FBI, the user’s Bank or other agencies or interested parties. So there…)
The computer industry didn’t use to need to have ideas handed to it. It used to come up with ideas faster than any one could keep up with. Solutions presented themselves before the problem could even be noticed by the media. What a shame that’s no longer the case.
[30]
(1) Computer security is actually an illusion. Like the speed of light, it can be approached but never achieved. Like copy protection on movie DVDs: impossible. That doesn’t prevent computer security from being a billion dollar industry all by itself, though, and filled with a lot of products that just don’t benefit you in any real way.
(2) Assuming it’s that kind of temporary account. In fact, the concept of a temporary account opens up a whole lot of options, including possible security from those naught-naughty “tech support phone calls” that are really just scams and theft. You could have temporary accounts with limited access, specific kinds of access to the computer, or, in the case of a computer tech fixing what ever the “naughty phone support call” just did, full access.
(3) Actually, they’re not all minor. Another Big Elephant in the Room being roundly ignored by the Mighty Industry and Sundry is that public-private encryption and other current forms of encryption are not 100% secure any more. It’s not a Big Problem yet, but will be “soon.” But that’s another story, really. I won’t get any further into it now because it tends to make people very, very angry, sometimes at me, as if I created the problem. The Sillies.
(4) That is, short of the cyber warfare Russia, America, China and others are currently engaged in. World War III is being fought right now, folks. Only it’s happening over various computer networks (“the Internet” being just one of many — did you know that?) and isn’t being covered in the media at all. Probably that’s just as well… for now.
(5) You have to educate the consumer to recognize that anyone — especially over the phone — who wants access to your account, rather than the tech/support account, on the computer is not to be trusted. But that’s a simple matter, if the Mighty Industry would get off its Bits and start serving the Consumer instead of itself.