
More on Keyboard Shortcuts

April 26, 2012 by · Comments Off
Filed under: Security 

Most kiosk-unfriendly keyboard shortcuts are either disabled by eCrisper or can be disabled through Mac OS X System Preferences.

However, some combinations involving the Eject key are not covered by these two methods:

  • Option-Command-Eject: Put the computer to sleep
  • Control-Command-Eject: Restart the computer
  • Control-Option-Command-Eject: Shut down the computer

The solution is to use a free software utility for keyboard customization called KeyRemap4MacBook. This awesome utility allows you to re-map just about any key and works on all Mac OS X platforms.

For our kiosk problem, we need to re-map the Eject key to something else. Here is how.

  1. Download and install KeyRemap4MacBook (Download Link).
  2. Restart your computer.
  3. Go to System Preferences – a new icon should be there in the “Other” section at the bottom. Click on it.
  4. Under the Change Key tab, expand the Change Eject Key section.
  5. Check Eject to F15 – it could be anything but F15 does the job.

If you find any other key combinations that negatively affect your kiosks, please let me know.

For a complete list of Mac OS X keyboard shortcuts see http://support.apple.com/kb/HT1343

Disable Keyboard Shortcuts

August 17, 2010 by · Comments Off
Filed under: Security 


In a previous posting, I explained how to make your kiosks more secure. One important aspect was left out: disabling Keyboard Shortcuts.

First go to System Preferences and select Keyboard (under Hardware). Then select the Keyboard Shortcuts tab. Uncheck (disable) all of the existing shortcuts. That’s all there is to it.


Physically securing your iMac kiosk

July 7, 2010 by · Comments Off
Filed under: Security 

Once your iMac kiosk is secured with eCrisper, the issue of physical security remains.

One solution is to use flexible cables, locks, and adhesives (see Tryten for some examples). This offers a simple and inexpensive solution.

I also found a clever solution at http://www.ianchor.net. The iAnchor physically fixes an iMac computer to a tabletop or desk surface. It also secures the keyboard and mouse cables so that these devices stay with your Mac.


If your iMac does get stolen, there is some hope – there is a software solution called Undercover (http://www.orbicule.com/undercover/mac/) – Have a look at their guided tour – pretty neat stuff.

Note that I haven’t actually tried these solutions and there is probably more that can be found on the Internet.

User accounts, prepaid cards, etc…

June 17, 2010 by · Comments Off
Filed under: Security 

Your own central user database
eCrisper makes it easy to set up your own central user database using resources you may already have. If your current web hosting service includes MySQL and PHP, like most do, your database could be up and running in no time and at no extra cost.

Having a central user database allows you to create accounts (username/password) that can be used to access any of your kiosks.

How it works
When a user enters a valid username and password, the account balance is retrieved from the database and displayed in the form of a timer at the bottom of the screen. When the session ends, the database is updated with the new balance and the account can be used again in the future. A session may end because the user clicks on the Quit button, because the balance reaches 0, or because of an inactivity timeout.

The components
The recommended database engine is MySQL since it is included in most web hosting packages. However, since eCrisper talks to the database through server scripts that you can modify, any database engine could be used.

The database includes only two tables:

Users: Username, Password, Balance in Seconds, Expiry Date
Sessions: Username, Kiosk ID, Seconds Used, Start Time, End Time

The server side scripts are written using the widely-used general-purpose scripting language PHP. Two PHP scripts currently exist:

startsession: When a user enters a username and password, these two values are sent to this script. The script validates the username and password, retrieves the balance, and creates a record in the Sessions table.

endsession: When a session ends, the number of seconds used is sent to the endsession script to update the account with the new balance and to update the Sessions record.
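
The startsession/endsession flow described above, as an added example that is not eCrisper's PHP code: Python with an in-memory SQLite database stands in for PHP and MySQL. The `AUTH` value, the column names, the salted PBKDF2 password storage and the clamping of the kiosk-reported seconds are assumptions of this example.

```python
import hashlib, hmac, os, sqlite3
AUTH = "constructed-auth-string"  # assumed stand-in for the Authentication string

def open_db():
    db = sqlite3.connect(":memory:")  # SQLite stands in for MySQL
    db.executescript("""
      CREATE TABLE users (username PRIMARY KEY, salt, pwhash, balance INTEGER, expiry INTEGER);
      CREATE TABLE sessions (id INTEGER PRIMARY KEY, username, kiosk_id,
                             seconds_used INTEGER, start_time INTEGER, end_time INTEGER);""")
    return db

def _pwhash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _kiosk_ok(auth):  # constant-time check of the shared Authentication string
    return hmac.compare_digest(auth.encode(), AUTH.encode())

def add_user(db, username, password, balance, expiry=None):
    salt = os.urandom(16)  # per-user salt; only the PBKDF2 hash is stored
    db.execute("INSERT INTO users VALUES (?,?,?,?,?)",
               (username, salt, _pwhash(password, salt), balance, expiry))

def start_session(db, auth, username, password, kiosk_id, now):
    if not _kiosk_ok(auth):
        return None
    row = db.execute("SELECT salt, pwhash, balance, expiry FROM users "
                     "WHERE username = ?", (username,)).fetchone()
    if row is None or not hmac.compare_digest(_pwhash(password, row[0]), row[1]):
        return None
    if row[2] <= 0 or (row[3] is not None and row[3] < now):
        return None  # empty or expired account
    cur = db.execute("INSERT INTO sessions (username, kiosk_id, start_time) "
                     "VALUES (?,?,?)", (username, kiosk_id, now))
    return cur.lastrowid, row[2]  # (session id, balance in seconds)

def end_session(db, auth, session_id, seconds_used, now):
    if not _kiosk_ok(auth):
        return None
    row = db.execute("SELECT s.username, s.start_time, u.balance FROM sessions s "
                     "JOIN users u ON u.username = s.username "
                     "WHERE s.id = ? AND s.end_time IS NULL", (session_id,)).fetchone()
    if row is None:
        return None  # unknown or already closed session: no replayed charge
    user, start, balance = row
    # seconds_used is kiosk-supplied: clamp to [0, elapsed time] and to the balance.
    used = max(0, min(int(seconds_used), now - start, balance))
    db.execute("UPDATE users SET balance = balance - ? WHERE username = ?", (used, user))
    db.execute("UPDATE sessions SET seconds_used = ?, end_time = ? WHERE id = ?",
               (used, now, session_id))
    return balance - used
```

Every query is parameterized, and a session can be charged only once because endsession matches only rows whose end time is still empty.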

If you are using a demo version, you can try the access mode requiring an account (set in the Access section of the Preferences window). You can use the account username user with password password.

How can this be used
The database can be used to create prepaid cards either sold to users or distributed for free. The accounts can be created using phpMyAdmin, a web based interface to your MySQL database, or you can create your own customized web page and script.

A web page could also be created to allow your customers to purchase an account online possibly using Paypal as a method of payment. A button to this page could be displayed on the main menu. The user would create the account then use it to login. This could be a quick way to implement credit card payments without the need for a card reader and merchant accounts. Features could also include recharging an account, viewing balance, reports, etc…

This was designed to be flexible and customizable, to allow kiosk owners to use it as the foundation for their own development or to allow 3rd party developers to build new tools.

This will also be the foundation for new development such as support for cash payments with coin and bill acceptors and credit card readers, or even fingerprint scanners.

Setting up your own database
Once you have access to a server with MySQL and PHP, follow these steps:

  1. Your hosting service should give you access to phpMyAdmin. Use it to create a database and to run the following script to create the 2 tables – Download SQL script.
  2. Download the PHP scripts and copy them to your web server possibly under a PHP subdirectory. You will need to edit the file config.php with your own values – Download PHP script.
  3. Update the values in the Preferences window. The Authentication string is a form of password to ensure that only your kiosks can access the PHP scripts. The value in config.php should match the value in the Preferences window.
  4. Once your database is up and running, you can use phpMyAdmin to add users with the following SQL statement: insert into users (username,password,balance,created,updated) values ('john','somepassword',3000,null,null)

Stay tuned for more info on this topic…

Limiting access & content filter

June 15, 2010 by · Comments Off
Filed under: Security 

You will greatly reduce the risk of unauthorized access to your kiosks by running eCrisper from an account with reduced access.  You can also use the Mac’s Parental Controls feature to control the applications and content a kiosk user may use or view.

Managed account with parental control

  1. Install eCrisper first.
  2. Launch System Preferences.
  3. Click the Accounts icon to open the Accounts preferences pane.
  4. Click the lock icon (bottom left corner). You will be asked to provide the password for the administrator account you are currently using. Enter your password, and click the OK button. You may have to repeat this during the process.
  5. Click the plus (+) button located below the list of user accounts.
  6. The New Account sheet will appear.
  7. Select Managed with Parental Controls from the New Account dropdown menu at the top of the sheet.
  8. Enter a name for this account in the Name and Nickname fields – for example kioskuser.
  9. Enter a password for this account in the Password field and descriptive hint if you wish.
  10. Click on the Create Account button. You should be back to the Accounts pane with your new account selected and Enable parental controls checked. Do not check Allow user to administer this computer. Click on Open Parental Controls.
  11. Select the user you want to modify, in this case kioskuser, if it is not already selected.
  12. Under System check Simple Finder and Only allow selected applications. Uncheck all Applications except eCrisper under Other.
  13. Uncheck Can Administer printers, Can burn CDs and DVDs, and Can Change Password.
  14. Select the Content tab. The Content section of Parental Controls lets you control which web sites the managed user may visit. It also lets you place a filter on the included Dictionary application, to prevent access to profanity. Web sites containing adult content will be restricted according to a proprietary method that Apple uses. You can click the Customize button to add specific web sites to allow or never allow lists.
  15. Go back (left arrow at the top) and click on Login Options (bottom of the account list). Set the new account as Automatic login and enter the password when required.
  16. That’s it. Next time you reboot it should use this new managed account. If you checked Launch automatically in the General pane of eCrisper settings, it should start as a kiosk.
  17. One more thing you might do: reduce the size of the taskbar to 0 in case it is displayed for a second or 2 when rebooting.


Apple Open Firmware

June 12, 2010 by · Comments Off
Filed under: Security 

Once eCrisper is up and running, it prevents users from accessing the desktop and the file system. This will be enough for most kiosks or public access terminals but additional security can be easily added to minimize the risk of unauthorized access. This can be used with any kiosk software.

Apple Open Firmware

Open Firmware Password Protection blocks the following features. Don’t worry if you don’t know what these features are, it really doesn’t matter. Just know that they exist and bad people might use them:

  • C key to start up from an optical disc.
  • D key to start up from the Diagnostic volume of the Install DVD.
  • N key to start up from a NetBoot server.
  • T key to start up in Target Disk Mode.
  • Start up in Verbose mode by pressing the Command-V key combination.
  • Start up a system in Single-user mode by pressing the Command-S key combination.
  • Blocks a reset of Parameter RAM by pressing the Command-Option-P-R key combination.
  • Blocks the ability to start up in Safe Boot mode by pressing the Shift key during startup.
  • Requires the password to use the Startup Manager, accessed by pressing the Option key during startup.

How to enable the Open Firmware Password

  1. Insert the Mac OS X Install DVD in your internal DVD drive.
  2. Restart your computer and hold the C key while it is restarting to boot from the DVD.
  3. Select a language as the main language.
  4. From the main menu at the top, select the Firmware Password Utility from the Utilities submenu. Enter a password.
  5. Quit the utility then quit the install application to restart your computer.

For more info, go to http://support.apple.com/kb/ht1352