Security for a public-use touchscreen



  • There’s a museum near where I live, for which I’m pretty much the software guy: it has a couple of touchscreens for interactive exhibits, and except for one, they all run stuff I’ve cobbled together to meet the museum’s needs. The other one was supplied as-is by some or another part of the provincial government, to run an interactive history-type presentation. As far as I know, more of these screens, with the same software on it, were given to other museums and similar organisations.

    The museum staff have long complained about this particular screen, because visitors often manage to break out of the presentation and get to the desktop of the Windows it runs on, and somebody then has to get it back to full screen again. I finally looked into it today, and though the fixes weren’t that hard, the whole setup was one big :wtf: that makes me think nobody ever thought about what people may actually try to do with a touchscreen in a public place.

    Let’s start from the first impression. The presentation was running in Internet Explorer; when I noted this, I was told it was supposed to run in Chrome (the museum staff member I was with, though fairly computer-savvy, doesn’t know enough about these sorts of things to fix them himself). It also wasn’t running in kiosk mode — I don’t know if IE can do that, but it certainly wasn’t, as its title bar and the Windows task bar were on screen. Great.

    The touchscreen appears to have with its own on-screen keyboard software, which handily includes things like a :fa_windows: key. The keyboard isn’t needed for the presentation at all, because as far as I can tell, there is no text entry in it at all. But the thing pops up if you tap the screen a certain way. It’s clear this is how people get out of the browser.

    Starting up Chrome, I get a notice that it wasn’t the default browser, would I like to make it that? That could wait for later — let’s see how this presentation is actually set up first, since it doesn’t load when I open Chrome.

    It turns out to be a directory full of subdirs and other stuff, with an index.html that’s loaded locally. This directory is on the desktop — I’m told that the way the presentation is normally started, is to open the directory, double-click (double-tap?) on index.html and manually put the browser into full-screen mode :headdesk:

    Let’s solve that later as well — on to more important concerns first: what can people actually do on this machine once they get out of the web browser? A picture is worth a thousand words in this case:

    0_1503595794973_IMG_2131.jpg

    Yes, it’s running in an administrator account with no password on it. When it was delivered to the museum, the man who brought it said the machine should be hooked up to the internet, else the presentation would lack some functionality. He received the reply that there was no way that was going to happen, because they most certainly didn’t want someone setting it to play porn or something. Apparently, this had not occurred to him (but he apparently also wasn’t much more than the guy told to drop it off).

    My quick-fix consisted of first putting a password on the admin account, followed by making a new user with parental controls that disallow everything except Chrome. Then I moved the directory with the presentation to the My Documents directory of the locked-down account, set Chrome's start page to the index.html file, put Chrome into the startup items of that account, and added the flag to run in kiosk mode.

    That left only that pesky keyboard to contend with, that’s at the root of all this.

    I’m not entirely sure it was supplied by the touchscreen software, but it wasn’t Windows’ own on-screen keyboard that you get from the Easy Access entry in the Start menu. The keyboard turned out to have an Options menu, which opened a window in which you can choose when it should appear; when I unchecked all of those, I couldn’t get it back on the screen. This is good, but also a nice bonus :wtf:: if you provide an on-screen keyboard, it would be handy if there is some way in which it can be opened even if the automatic ways have been disabled …

    The only thing I couldn’t work out, is how to disable secondary clicks (done on the touchscreen by pressing for a second or two). This still opens Chrome’s secondary-click menu, and gives access to the developer’s tools. That incidentally, also seemed to show the supposed lack in functionality from not being on the internet: 44 FILE_NOT_FOUND errors. However, all of them turned out to be for local files …



  • @gurth said in Security for a public-use touchscreen:

    The only thing I couldn’t work out, is how to disable secondary clicks (done on the touchscreen by pressing for a second or two). This still opens Chrome’s secondary-click menu, and gives access to the developer’s tools

    At my previous job, I created kiosk. Now you know why I coded my own full-screen browser with Qt and Webkit. No secondary menu, no response to right-click, etc.

    Also, I replaced the explorer shell with my own program that would just start the browser and restart it in case it crashed.

    N.B.: You can test your kiosk setup using this tool: http://ikat.ha.cked.net/



  • TRWTF is that Microsoft does not provide any easy to use "kiosk mode" for Windows.


  • SockDev

    @anonymous234 Not for desktop Windows, but there are embedded versions available that are much more suited to kiosks.



  • @raceprouk Last one I worked with was Windows POS Ready 2009.

    It was Win XP with some things missing (like Paint) and a license that forbids you to run MS Office on it :rolleyes:


  • SockDev

    @timebandit said in Security for a public-use touchscreen:

    a license that forbids you to run MS Office on it

    Not that you'd run Office on a cash till anyway, but that's a stupid licensing restriction.



  • @raceprouk said in Security for a public-use touchscreen:

    but that's a stupid licensing restriction.

    Yes. MS was afraid people would use it to replace WinXP, since it's the same thing really and will receive security updates until April 9, 2019.

    You can get security fixes for XP with a simple registry hack



  • @anonymous234

    Well, there is this...



  • @timebandit Opera had a kiosk mode too. Too bad they killed that feature, along with the rest of the browser.

    @raceprouk Sure, but is it easy to use?

    Any idiot can buy a desktop Windows license on a store (or use the OEM one that came with the computer), install it, and launch the browser. They already know it.

    How many people do you think can figure out their weird Windows Embedded/IoT line? With the product names changing on every generation, and the obscure, almost meaningless descriptions on its website. And then, you need to find a local "distributor" to buy it (:wtf:), and then god knows how you have to install and configure those things.


  • SockDev

    @anonymous234 said in Security for a public-use touchscreen:

    @raceprouk Sure, but is it easy to use?

    Let's just say I wouldn't choose it.



  • @alexmedia Oooh, I see.

    Well, I guess I was wrong then.

    Once again, thank you :fa_android: for forcing :fa_windows: to implement basic OS features, even if 20 years too late.


  • SockDev

    This post is deleted!

  • SockDev

    @alexmedia said in Security for a public-use touchscreen:

    @anonymous234

    Well, there is this...

    does that work with any app or just "Modern" UI apps?


  • SockDev

    @anonymous234 I'll try that again.

    Looks like you XP does have a Kiosk mode, but it's not exactly simple to set up.



  • @raceprouk That's basically what I did, but I went further and replaced the shell, since Explorer would still respond to special key combos like CTRL-ALT-DEL, etc

    And if your program crashed, you got back to a functional desktop.



  • @gurth said in Security for a public-use touchscreen:

    The only thing I couldn’t work out, is how to disable secondary clicks (done on the touchscreen by pressing for a second or two). This still opens Chrome’s secondary-click menu, and gives access to the developer’s tools.

    This strikes me as one of the very, very rare cases where you should disable right-click. And since the HTML files are all stored locally, it should be pretty easy to edit them...

    Also, this seems awfully similar to what you're describing...



  • @accalia Just "Windows Store" apps:

    Administrators can use assigned access to restrict a selected user account to access a single Windows Store app.

    Oh, and Microsoft Edge is not in the list.


  • SockDev

    @chaostheeternal said in Security for a public-use touchscreen:

    @accalia Just "Windows Store" apps:

    Administrators can use assigned access to restrict a selected user account to access a single Windows Store app.

    ah. so basically useless unless it's a published store app.

    Good Jorb M$



  • @chaostheeternal said in Security for a public-use touchscreen:

    Oh, and Microsoft Edge is not in the list.

    That's a good thing :trolleybus:



  • @gurth said in Security for a public-use touchscreen:

    The only thing I couldn’t work out, is how to disable secondary clicks (done on the touchscreen by pressing for a second or two).

    Since you seem to have an Elo touchscreen, you can disable it in the Elo settings.
    They call that "Right Click on Hold" from memory.

    Edit: In the control panel, you should have a "Elo touchscreen" icon



  • @chaostheeternal said in Security for a public-use touchscreen:

    Oh, and Microsoft Edge is not in the list

    Well, that page's for Windows 8.1, Edge didn't exist back then.



  • @anonymous234 I checked on Windows 10, and Edge is not in the list there (Windows 8/8.1 had IE as a Modern app, and from what I found it didn't show up either). I even tried downloading another browser from the Windows Store, and it too didn't appear in the list. Microsoft probably made it so a browser can't be the Assigned Access app.

    Though I did look again and there apparently is a way to (supposedly) set Windows 10 up in a kiosk mode with standard applications, but it requires Windows 10 Enterprise or Education edition. The mention of "Pro" in the article is only for the Assigned Access feature.



  • status: making popcorn.



  • @chaostheeternal Well, that sucks.

    If you can get it to work with non-Store applications you can always make a simple wrapper around your website I guess.

    Or boot Linux. This is the perfect use case for it.



  • @captain said in Security for a public-use touchscreen:

    status: making popcorn.

    Status: mixing up threads :P

    Or, predicting drama in this thread? I hope not.



  • @anonymous234 I suspect there are going to be a lot of entertaining kiosk WTFs.



  • @timebandit I didn't even know we had a web filter (meraki) at work until I clicked that link, which is apparently blocked for "adult and pornograpghy". :\



  • @aapis at my job it's also blocked, but because it's known to distribute malware (it is a tool to hack a kiosk, after all)



  • @anonymous234 said in Security for a public-use touchscreen:

    Or boot Linux. This is the perfect use case for it.

    That's what I did at the end. Debian stable.

    The beauty of Qt: basically a recompile :smile:


  • BINNED

    @timebandit said in Security for a public-use touchscreen:

    @anonymous234 said in Security for a public-use touchscreen:

    Or boot Linux. This is the perfect use case for it.

    That's what I did at the end. Debian stable.

    The beauty of Qt: basically a recompile :smile:

    I wonder of you can use that newfangled BootToQt (or whatever the marketing wording for it is) thing on a regular x86 machine now...



  • @timebandit said in Security for a public-use touchscreen:

    At my previous job, I created kiosk. Now you know why I coded my own full-screen browser with Qt and Webkit. No secondary menu, no response to right-click, etc.

    Too much effort for something like this :)

    N.B.: You can test your kiosk setup using this tool: http://ikat.ha.cked.net/

    Thanks for that, I’ll be sure to take a look at it.

    @anotherusername said in Security for a public-use touchscreen:

    This strikes me as one of the very, very rare cases where you should disable right-click.

    I fully intend to, but with the limited searching I did yesterday, I couldn’t find a way other than:

    And since the HTML files are all stored locally, it should be pretty easy to edit them...

    That thought had also crossed my mind, but would require figuring out how the whole thing is put together. Probably I’d just have to call one small script from the index.html file, but for all I know each page is a separate file that needs editing to make this work. Probably not, but I haven’t looked into it. It simply seemed easier to disable right-clicking in Chrome or Windows entirely.

    Also, this seems awfully similar to what you're describing..

    It is, but that wasn’t me :)

    @timebandit said in Security for a public-use touchscreen:

    Since you seem to have an Elo touchscreen, you can disable it in the Elo settings.
    They call that "Right Click on Hold" from memory.

    All I could find was EloConfig.exe which appears to mostly be concerned with calibrating the screen (and is one of those atrociously looking programs that seem to have been designed with no heed for platform conventions).

    Edit: In the control panel, you should have a "Elo touchscreen" icon

    Good point … why didn’t I check the Control Panel? Will do when I go back.

    @anonymous234 said in Security for a public-use touchscreen:

    Or boot Linux. This is the perfect use case for it.

    That’s what I’m using for the touchscreen thing I’m working on now — though the chief reason for it is because it meant saving on buying a copy of Windows.



  • @gurth said in Security for a public-use touchscreen:

    @anonymous234 said in Security for a public-use touchscreen:

    Or boot Linux. This is the perfect use case for it.

    That’s what I’m using for the touchscreen thing I’m working on now — though the chief reason for it is because it meant saving on buying a copy of Windows

    If you need help with this, let me know. My solution in the end was almost bullet-proof. They're still using it without modifications a couple years later.



  • @gurth said in Security for a public-use touchscreen:

    It is, but that wasn’t me :)

    It was posted a couple of years ago. How old is the kiosk? It'd be funny if it was asked by the yahoo who set it up. Not too awfully likely, but it'd be funny.

    Also, one of the replies linked to a Chrome extension that someone created to block the secondary menu:



  • @anotherusername said in Security for a public-use touchscreen:

    How old is the kiosk?

    A couple of years, but I don’t recall when it was brought in (it’s not like I was there).

    It'd be funny if it was asked by the yahoo who set it up. Not too awfully likely, but it'd be funny.

    Looking at the question and the asker’s profile, I kind of doubt it. But it’d be ironic, at least, if it were the same person.

    Also, one of the replies linked to a Chrome extension that someone created to block the secondary menu:

    Yes, I saw that. Unfortunately the screen is completely isolated (the only cable running to it is for power) so I can’t download from the web store. Well, not unless I roll out about 15–20 meters of network cable, which is probably a good idea to do anyway in order to run some updates on this computer.



  • @timebandit Fair enough.



  • @accalia said in Security for a public-use touchscreen:

    @chaostheeternal said in Security for a public-use touchscreen:

    @accalia Just "Windows Store" apps:

    Administrators can use assigned access to restrict a selected user account to access a single Windows Store app.

    ah. so basically useless unless it's a published store app.

    Good Jorb M$

    Not sure that it applies to published store apps.

    And basically all you need is an app with a webview - that's something you can whip up inside of 10 minutes (most of that is reading how to do that). Bonus point when doing that: You can whitelist URIs you want, everything else would be unavailable.


  • Impossible Mission Players - A

    @gurth said in Security for a public-use touchscreen:

    Yes, I saw that. Unfortunately the screen is completely isolated (the only cable running to it is for power) so I can’t download from the web store. Well, not unless I roll out about 15–20 meters of network cable, which is probably a good idea to do anyway in order to run some updates on this computer.

    If it has a USB port, burn a flash drive with wsusonline so you at least get the major stuff.

    You should also be able to download the .crx file manually and drag it into the Chrome window to install it.

    You can expect my bill in the mail within two to six weeks.



  • I went back to the museum today to get rid of the right-clicking ability, and failed due to Chrome’s obstinance.

    A post above recommended disabling the right-click ability in the Control Panel entry for the Elo touchscreen, but I couldn’t, because that Control Panel item just launched the EloConfig.exe I’d discovered earlier. However, Windows’ own pen and tablet settings did allow me to disable holding-for-right-click.

    Problem solved! Except that, on testing, it turns out Chrome implements its own touch-sensitivity … Holding down didn’t pop up a menu when I tried it on the Windows desktop, but it still did in Chrome. I then found out you can disable Chrome’s detection of touchscreens in chrome://flags, though.

    Problem solved! Except that this made the presentation unusable … It has some horizontal bars that “roll down” to full-window height when clicked on — when Chrome’s touchscreen detection is not disabled. Turn it off, and they roll down maybe a centimeter :/ I’m not sure what’s fucked up here, but something is.

    Having run out of options I could actually try there and then, and the museum’s air conditioning having been switched off (again) so I was getting uncomfortably hot, I decided to call it a day.

    (For the record, I didn’t try downloading the Chrome extension because I don’t seem to have a UTP cable long enough to get to the nearest network jack, and the screen is bolted down. However, this probably going to be the only recourse left.)

    @tsaukpaetra said in Security for a public-use touchscreen:

    You should also be able to download the .crx file manually and drag it into the Chrome window to install it.

    From the StackOverflow page linked to above, I get the impression Chrome won’t accept it unless it’s downloaded from the store. Though maybe I could fool it by just downloading it on my own computer and copying the file to the right directory on the touchscreen?



    1. Install a roboclicker to step through the kiosk in a presentation like manner
    2. Bolt a sheet of plexiglass over the tablet
    3. This is why we can't have nice things

  • Impossible Mission Players - A

    @gurth said in Security for a public-use touchscreen:

    From the StackOverflow page linked to above, I get the impression Chrome won’t accept it unless it’s downloaded from the store. Though maybe I could fall it just downloading it on my own computer and copying the file to the right directory on the touchscreen?

    Only if you unpack it first.

    Useful link:



  • Chrome already has a -kiosk switch which launches it in fullscreen and disables the context menu.


  • I survived the hour long Uno hand

    @coldandtired said in Security for a public-use touchscreen:

    Chrome already has a -kiosk switch

    @gurth said in Security for a public-use touchscreen:

    set Chrome's start page to the index.html file, put Chrome into the startup items of that account, and added the flag to run in kiosk mode.

    I don't think that' working out for him so far



  • @yamikuronue D'oh! AutoHotkey it is, then!



  • Give a homeless guy a ball peen hammer, and a sandwich, plant him next to the tablet. If anyone fucks with the tablet, he can smash their fingers.



  • @yamikuronue said in Security for a public-use touchscreen:

    @coldandtired said in Security for a public-use touchscreen:

    Chrome already has a -kiosk switch

    @gurth said in Security for a public-use touchscreen:

    set Chrome's start page to the index.html file, put Chrome into the startup items of that account, and added the flag to run in kiosk mode.

    I don't think that' working out for him so far

    Isn't 'startup items' just some lnk files if you do it right? Because you can totally put command-line arguments in those.


  • I survived the hour long Uno hand

    @pie_flavor yeah, like the kiosk mode flag, which he wrote that he put in the startup item



  • @coldandtired said in Security for a public-use touchscreen:

    Chrome already has a -kiosk switch which launches it in fullscreen and disables the context menu.

    Yep, and I used that. It doesn’t disable the context menu, whether you use a touchscreen or a real mouse. (Unless, of course, this behaviour got fixed in a later version. The one on this machine is several years old. If they did, it’s certainly a reason to run some updates.)



  • @gurth I tried it yesterday in Chrome 60 and both the right-click and the middle-click are disabled, so only one tab can be open (the new tab keyboard command sends you to the homepage in the current tab).



  • @coldandtired Tried it myself on my computer at home now (with Chrome 60.something), and you’re right, with the -kiosk flag it doesn’t respond to right-clicks anymore. Either that was introduced after the version on my touchscreen was released, or Chrome’s touchscreen functionality (at least in that version) doesn’t respect it — I’ll need to check next time.



  • @gurth said in Security for a public-use touchscreen:

    The one on this machine is several years old.

    In that case, it probably won't object if you install the Chrome extension from a flash drive instead of from the store.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.