Library computer security 2.0?

In a comment Jeremy from Canada raises the question of security in the Library 2.0 world. He raises some good points, and the most important in my opinion is:

I think it’s great that people are waving the flag for Library 2.0, but they have to start documenting the security that goes along with it or us IT people are going to take the blame for the problems that will inevitably arise.

The real issue here, apart form security, is that unless Library 2.0 involves all the various people who work in and around libraries it will fail from lack of support from the really important people. If the ICT-staff feels excluded from the discussion, I doubt that the technology part of Library 2.0 will ever lift off from the ground. Any library attempting to implement Library 2.0 without involving the expertise of the ICT-staff, support personell or any group (including users) have not understood the core concepts of openness, radical trust and communication that are the heart of Library 2.0.

Now to the security issue. There is definetly one, but I think that it might be useful to reconsider the way we view security. In the library public PCs are the gateway to the library resources and they are usually tested to the limit both of resources and security. I have myself picked chewing-gum from the keyboard, removed files from a supposedly locked harddisk, run restore routines and generally been frustrated by the sheer magnitude of keeping a public PC in a public library alive and running. So Jeremy definetly has a case when he writes:

Right now I get requests from staff/patrons for DVD burners, unrestricted USB/floppy access on PCs, little or no restrictions on internet PCs, the ability to install their own software, unrestricted wireless access (aka. hello BitTorrent, goodbye bandwidth), open network shares for patrons with unrestricted quotas, MP3 filesharing terminals, and more. All this in the interests of supporting a 2.0 way of life with little or no concern for the security and/or legal interests of the users or perhaps even the staff

Both the security and legal aspects does need to be considered. Security can be based on “worst case scenario” as in “unrestricted wireless access (aka. hello BitTorrent, goodbye bandwidth)” but this needs to be supported by evidence and experience. I have not heard of extreme misuse of bandwidth in any of the academic or public libraries that offers free and open wireless access here in Norway. It might be time for a different and more trusting approach, where the library staff understands that the ICT-staff is NOT responsible for the problems that may occur if there is instances of misuse. IF the trust is misplaced and major misuse occurs, the the policy has to be reconsidered, but I do believe that it is better to trust first and sanction later. “If you trick me once, shame on you, if you trick me twice, shame on me.”

The issue is also divided into the security of public access computers in the library, and the access and services that the library offers in and outside of the library. The first part is a problem that will be with us for the forseeable future, and not one which I have the knowledge and background to suggest any solutions for, but I also see a trend that will take some of the pressure of the public access PCs and that is the move toward mobile computing.

The proliferation of small computers that use any kind of connectivity, wifi or 3G, to connect their Palm, PocketPC, mobile phone, OrigamiPC, iPod 6G, PSP or DS to use the library services will present two challenges to the library, first the library has to provide services that are compatible with smaller display technology and in platform independent formats, and secondly the importance of the public access PC will decrease, but may be even more important to the people who has no other means of access, which in turn challenges the library to provide PCs that gives the user most of the usability the private units have.

The legal aspect of opening up the library as a communications and information network node are interesting, but not one I´m able to go into now. Sufficient to say that we must first have instances of use that are legally troublesome before we raise the bar for all legal use.

About these ads

I'm a norwegian librarian.

Posted in Library 2.0, Security, Users
6 comments on “Library computer security 2.0?
  1. Magnus says:

    “we must first have instances of use that are legally troublesome before we raise the bar for all legal use”

    Hm, not quite sure I can agree with this approach of “let’s tackle the problems as they arise”. Trust will be a critical issue if we are going to involve our users more than we do today, and when the first “instances of use that are legally troublesome” arise that trust may be severely damaged, discouraging users from further involvment, no matter how loudly we announce that the problems are being dealt with.

    This might be related to the “perpetual beta” philosophy that some people are pushing for library 2.0 – I think seeing that as an invitation to be sloppy is really dangerous. I think that any service that we provide to the public should be thoroughly tested and as secure and trusworthy as is humanly possible. Otherwise it might come back to bite us…

  2. “Security can be based on ‘worst case scenario’ … but this needs to be supported by evidence and experience. I have not heard of extreme misuse of bandwidth in any of the academic or public libraries that offers free and open wireless access here in Norway.”

    Perhaps this is more prevalent in the US and Canada, where ISPs have begun to take it upon themselves to block BitTorrent packets on their networks, even though the act of transferring files is not illegal. Regardless of this, a wireless network provides people with a way to anonymously host or download files that could be illegal as well. We can’t look over their shoulder obviously and the idea of doing so concerns me, but what really bothers me about it is not WHAT they are downloading, but how it impacts the library. If I have a T3 connection, but all the bandwidth in the building is going to some guy on his laptop downloading a movie at 10 Mb/sec, that’s great for him, but it’s killing everyone else. I’ve seen a lot of people talking about ways of configuring firewalls for wireless policies but I’m starting to think the best medicine is to not block anything at all. Instead, segregate the wireless users from the staff subnets (and even the public PACs), give them a warning that they’re on their own, and then use a throttling solution to keep them at a rate that’s reasonable for surfing the net (we choose 5 Kb/sec) but not downloading 100 Gb of porn in under a day.

    As far as evidence of wireless bandwidth abuse goes, certainly the interest in “war chalking” and people having to learn about password protecting their SSIDs on wireless routers is evidence enough that where there is free bandwidth, there are users who are ready to use it. Certainly the practise of “worst case scenario” is the most common rule of thumb when it comes to network security. If we circumvent that, we fly in the face of everything we’ve been taught as network admins and deserved to be hacked silly.

    “It might be time for a different and more trusting approach, where the library staff understands that the ICT-staff is NOT responsible for the problems that may occur if there is instances of misuse.”

    In our case, we post a sign that basically states, “you’re on wireless and you’re using it at your own risk – good luck out there” and leave it at that.

    As for trust, I think that if the staff get their files deleted or credit cards sniffed out, they’re going to feel a lot more than upset with us. We owe it to them to look out for their safety. After all, you can have 1000 people using the network without a hint of malice, but it only takes one person to ruin it for the rest of them.

  3. Let me leave you with another comment. I think what I’d like to see is some kind of forum or website where IT admins can get together and talk about methods of securing their staff and public PCs, networks, firewall, etc.

    This would give us a chance to compare methods of protection (ie. chatting about products like WinSelect, Discover Stations, etc.) and see what kinds of costs and configurations are available. I think this would be great for smaller libraries that don’t have smaller budgets and can’t afford large IT admin teams to research this stuff. The downside is that potential malicious hackers could view the site, but I think it’s a small concern. The upside is that more libraries would benefit from better security methods.

    This isn’t something that I have the time to initiate but I think that if Library 2.0 becomes a larger concern, some kind of forum will have to exist to support these aspects or we’ll be drowning in a collective sea of confusion on how to protect against ourselves.

  4. In my blog, I just added another chart on Unified theory of Web 2.0. Again, with permission from the original author. I hope this is useful in your study.
    How’s your work progressing? Keep me posted.
    Best, Mohamed

  5. Dannis Jones says:

    Regardless of this, a wireless network provides people with a way to anonymously host or download files that could be illegal as well. We can’t look over their shoulder obviously and the idea of doing so concerns me, but what really bothers me about it is not WHAT they are downloading, but how it impacts the library.

  6. John Cooper says:

    I want to preface any comments I make by saying that there is no excuse whatsoever for what the hacker did to MiLE. It’s a case of malicious vandalism.

    However, that doesn’t change the fact that there are malicious vandals. It also doesn’t change the fact that library systems contain sensitive patron information. TLN is responsible for two major failures.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Pages
April 2006
M T W T F S S
« Mar   May »
 12
3456789
10111213141516
17181920212223
24252627282930
The Librarian

Follow

Get every new post delivered to your Inbox.

Join 1,626 other followers

%d bloggers like this: