Spying on the Library

by solemneyed

The following information is provided purely for research purposes and the author takes no responsibility for its use or misuse by readers.

The Los Angeles Public Library (LAPL) system (www.lapl.org) is comprised of 71 branches, each of which offers free Internet access to the public.

Until recently one only needed to present some form of ID (driver's license, library card, school ID) in order to sign up for either an hour or a half hour of net time.

This sign-up procedure proved too time-consuming and contentious, so the administration is gradually implementing an automated sign-up procedure.

Under the new system, a reservation for Internet time can be made from any Internet-connected computer up to three days in advance.  All one needs is an active library card (i.e., one that has been used recently - old/inactive cards are dropped from the database after a year or so) and the ZIP Code specified when the card was obtained.

One can sign up for a maximum of two hours of Internet time per day (assuming one has only one library card).

While this system has alleviated many of the headaches experienced by librarians and clerks who used to have to sign people up and adjudicate disputes between patrons about whose turn it was at a given moment, there is still some administrative overhead with the new system.

Occasionally the system hiccups, and librarians need to be able to see a list of who is signed up for a particular computer on a given day, or to extend a person's block of time if they experienced a problem, etc.

(Note that the system obviously stores data about which person will be at a certain computer at a certain branch on a certain day in the future.  As far as I know this data is not retained once the appointed time has passed; at least, it is not visible/accessible to librarians and clerical staff.  It is certainly possible that a log is kept indefinitely, however.)

This brings us to the subject of this article: manipulating the administrative module of the computer scheduling software.

Sadly, this functionality is nothing more complex than a publicly accessible URL which points to a login for a web app: http://reserve.lapl.org/cgi-bin/libadmin.exe

Instead of restricting the IP range that can access this site, those responsible for maintaining the system have evidently chosen to rely on the principle of "security through obscurity," as well as their rudimentary username/password conventions.

This last is not entirely their fault; they have tried to construct username/password combinations which will be consistent, easy for staff to remember, and non-intuitive for the general public.

With this in mind they have opted to use the following form:

Username = **STAFF     where ** = the first two letters of the branch abbreviation (uppercase).
Password = aaaaaa##    where aaaaaa = the six-letter branch abbreviation (lowercase) and ## = the two-digit branch number.

What the hell does this mean, you may ask?

It is based on the fact that each of the system's branches has its own two-digit number and six-letter abbreviation (see notes).

For example, the El Sereno branch is number 21 and its abbreviation is ELSRNO.

This number and abbreviation are used on routing slips inserted into books which are being transferred to another branch to be used by a patron (i.e., someone in El Sereno calls Northridge branch and asks them to send a copy of The South Beach Diet so a staff member at Northridge grabs the book, inserts a slip indicating its destination as ELSRNO 21, and tosses it on the truck).

Since library staff are already accustomed to this system, it has been used to define the computer reservation system credentials for a particular branch.

Staff at El Sereno branch would login as:

Username = ELSTAFF
Password = elsrno21

So what's the problem?

Well, given a list of branch numbers and abbreviations, a malicious person could login as staff of any branch and view/alter reservations at that branch.

This could include printing a list of who is scheduled to use the Internet, deleting patrons' reservations, issuing remote workstation administration commands (such as logoff, shutdown, reboot) that would be inconvenient and/or disastrous for the person using the system, and much, much more.

This configuration does not exactly inspire confidence.
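As an added example (not from the article and not code from the library's reservation software), the two controls the article says are missing can at least be checked for in a defender's log review: admin-module requests arriving from outside the staff address range, and a single source attempting logins under several branch-style usernames in a row. The log lines, the staff network 10.20.0.0/16 and the `user=` query parameter are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (common log format) for the admin
# endpoint named in the article. Addresses, timestamps and usernames are made up.
SAMPLE_LOG = """\
10.20.5.14 - - [27/Apr/2005:09:01:10 -0700] "POST /cgi-bin/libadmin.exe?user=ELSTAFF HTTP/1.1" 200 512
10.20.5.14 - - [27/Apr/2005:09:05:42 -0700] "GET /cgi-bin/libadmin.exe?action=list HTTP/1.1" 200 2048
203.0.113.77 - - [27/Apr/2005:22:14:01 -0700] "POST /cgi-bin/libadmin.exe?user=BNSTAFF HTTP/1.1" 401 140
203.0.113.77 - - [27/Apr/2005:22:14:03 -0700] "POST /cgi-bin/libadmin.exe?user=LCSTAFF HTTP/1.1" 401 140
203.0.113.77 - - [27/Apr/2005:22:14:05 -0700] "POST /cgi-bin/libadmin.exe?user=PISTAFF HTTP/1.1" 401 140
203.0.113.77 - - [27/Apr/2005:22:14:07 -0700] "POST /cgi-bin/libadmin.exe?user=ELSTAFF HTTP/1.1" 200 512
198.51.100.9 - - [27/Apr/2005:12:00:00 -0700] "GET /catalog/search HTTP/1.1" 200 9000
"""

# Assumed (hypothetical): staff workstations live in this internal range.
STAFF_NETS = [ip_network("10.20.0.0/16")]
ADMIN_PATH = "/cgi-bin/libadmin.exe"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Branch staff accounts follow the two-uppercase-letters + STAFF convention.
USER_RE = re.compile(r"user=([A-Z]{2}STAFF)")

def parse(line):
    """Parse one common-log-format line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    user = USER_RE.search(path)
    return {"src": src, "ts": ts, "method": method, "path": path,
            "status": int(status), "user": user.group(1) if user else None}

def audit(log_text, spray_threshold=3):
    """Return (outside_hits, sprayers): admin-module requests from addresses
    outside STAFF_NETS, and sources that tried >= spray_threshold distinct
    branch staff usernames (credential spraying across branches)."""
    outside = []
    users_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not rec["path"].startswith(ADMIN_PATH):
            continue
        src = ip_address(rec["src"])
        if not any(src in net for net in STAFF_NETS):
            outside.append(rec)
        if rec["user"]:
            users_by_src[rec["src"]].add(rec["user"])
    sprayers = {s: sorted(u) for s, u in users_by_src.items() if len(u) >= spray_threshold}
    return outside, sprayers
```

Blocking the endpoint at the network edge would make the first check redundant; the second still matters inside the staff range, since a shared or compromised branch workstation would pass the address check.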

Branch Numbers and Abbreviations  (As of April 27, 2005)

(01) BNFRNK Benjamin Franklin
(02) LCNHTS Lincoln Heights
(03) PIOKOR Pio Pico/Koreatown
(04) VRNONL Vernon
(05) AYOSCO Arroyo Seco
(06) EXPOPK Exposition Park
(07) JSERRA Junipero Serra
(08) ECHOPK Echo Park
(09) SPEDRO San Pedro
(10) WMNGTN Wilmington
(11) HOLYWD Goldwyn Hollywood
(12) JCFRMT John C. Fremont
(13) WSTCHS Westchester-Loyola
(14) VMTSOR Vermont Square
(15) PALSDS Palisades
(16) BRNTWD Brentwood
(17) JFRSON Jefferson
(18) MLABAR Malabar
(19) RLSTVN Robert L. Stevenson
(20) CAHUNG Cahuenga
(21) ELSRNO El Sereno
(22) PRNCHO Palms-Rancho Park
(23) VNNUYS Van Nuys
(24) CNGOPK Canoga Park
(25) STUDIO Studio City
(26) ANGMSA Angeles Mesa
(27) WESTLA West Los Angeles
(28) CYPPRK Cypress Park
(29) WLSHRE Wilshire
(30) ASCOTT Ascot
(31) DURANT Will & Ariel Durant
(32) EAGLRK Eagle Rock
(33) HYDEPK Hyde Park
(34) JNMUIR John Muir
(35) SNLNDT Sunland-Tujunga
(36) LFELIZ Los Feliz
(37) NOHLWD North Hollywood
(38) MRVSTA Mar Vista
(39) PNORAM Panorama City
(40) VENICE Venice
(41) WIRVNG Washington Irving
(42) RBRTSN Robertson
(43) WATTSL Watts
(44) ATWATR Atwater Village
(45) MTWAIN Mark Twain
(46) BLDHLS Baldwin Hills
(47) ENCTAR Encino-Tarzana
(48) FELIPE Felipe de Neve
(49) MMRIAL Memorial
(50) WVALLY West Valley
(51) SHRMNO Sherman Oaks
(52) SUNVAL Sun Valley
(53) PCOIMA Pacoima
(54) SYLMAR Sylmar
(55) PVISTA Playa Vista
(56) GRNHLS Granada Hills
(57) VALPLZ Valley Plaza
(58) WOODLN Woodland Hills
(59) NRTHRG Northridge
(60) CTSWRT Chatsworth
(61) FAIRFX Fairfax Express
(62) LKVIEW Lake View Terrace
(63) CWTOWN Chinatown
(64) LTOKYO Little Tokyo
(65) PLATT  Platt
(66) MIDVAL Mid-valley
(67) PTRRAN Porter Ranch
(68) HARBOR Harbor-Gateway
(69) EDEN   Edendale
(70) PUNION Pico Union
(91) ICYBKM Inner City Bookmobile
(92) VLYBKM Valley Bookmobile