login rou-tines will not display the password on the screen, so you must look at the keyboard to get any useful information.
Pure shoulder surfing can only be done under certain circumstances, such as if you are legiti-mately helping the user with a problem and you have to stand there for the user to show you what's wrong. Most of the time you will not be able to just stand behind a person without drawing suspicion to yourself; you will have to rely
on more crafty inventions.
A strategically placed mirror, in the upper cor-ner between wall and ceiling, can do the trick. It must be small enough to stay put with duct tape, but big enough to be read from a distance. Binoculars are frequently used by calling-card number thieves to illegally obtain people's code numbers, thus enabling the thieves to make free long distance phone calls. You can do the same to read passwords off keyboards. It might be necessary to tilt the keyboard to a specific orientation to better enable you to see what is typed. If the key-boards have kickstands to prop them up, make sure you use them before you take your stalking posi-tion.
You might have to do your watching outside, through a window. Before you do, make sure you won't be visible to those inside. Even at night you will be easily seen through the glass if the building has outside lights. Do some detective work before hacking; go into the computer room and see how visible someone outside
the room would be. Per-haps you can partially close the blinds or drapes, to further shield yourself from view.
Figure 8
An example of a menu on a public computer. Tricks
can be used to breakfreefrom the menu, then either
alter the menu or the application programs
to collect private user data.
An example of a menu on a public computer. Tricks
can be used to breakfreefrom the menu, then either
alter the menu or the application programs
to collect private user data.
Finally, think about this. Perhaps you don't need any of this advice at all. Over the past two weeks, every day that I've visited a certain school's computer rooms, there was at least one instance where I would switch on a terminal and find it stuck inside somebody's account. Apparently the account owners didn't know that
shutting off the terminal does not log them out of their account. Occasionally I would find more than one terminal left in a logged-in state. It was a hacker's paradise!
shutting off the terminal does not log them out of their account. Occasionally I would find more than one terminal left in a logged-in state. It was a hacker's paradise!
