Our library has a bunch of really nice book scanners, which let you save your scan to a USB flash drive, or email the scan to yourself. The scanners are operated by a computer with a touch screen. A normal user probably wouldn't even notice that there is a "real" computer in there, because the touch interface is pretty straightforward to use. That is, until it fails with a helpful error message ("This program has encountered a problem and needs to close"), and dies taking with it everything I've scanned so far.

But that's not the end of the story. When the touch-screen UI dies, it exposes a standard Windows XP desktop underneath. And guess what? It's running under the Administrator account. Okay, keep that in mind in case you want to have some fun with it later.

So I reboot the machine, and the touch-screen UI starts again. I try Alt+Tab, Win+R, Win+D, Ctrl+Shift+Esc; nothing works. I guess the software swallows any keyboard shortcuts to prevent such curious exploration. Oh well. I try to scan my papers again, and again the UI crashes. Fiddlesticks.

Another reboot. This time I hit Win+R before the touch-screen UI is fully loaded, and start an instance of cmd. Sure enough, now I can Alt+Tab between the UI and cmd, and I can launch anything I want from cmd. Let's take a look at the C:\ drive. Whoa, 200 MB free out of 50GB? That might be why it was crashing. So I look around and find the temp directory for the scanner UI, and sure enough it's full of temp files, gigabytes of them. They look like raw bitmaps from previous scans. I delete them all; the scanner UI works again, and I am able to finish my work.

Lessons learned:

1. The machine runs on an unprotected Windows admin account, wide open for whatever abuse you might want to throw at it.
2. The scanner UI prevents simple attempts to get around it (like Win+R), but the machine is still vulnerable in the small time window after Windows has finished booting, but before the UI auto-starts.
3. The UI seems to store raw copies of everything it ever scans. Massive privacy hole. (It's possible that it deletes the temp files if the scan is successful, and only leaves them when it fails, but that's still pretty bad.)
4. In so many years of desktop computing, we are still caught by surprise when the disk gets full. (A few years back, KDE would fail to log me in without any explanation. It turned out my /home/ was full. Even Mars rovers have failed when their disks got full.) There has to be a better way to handle things. Temp directories that are wiped on reboot are a good first step. Watchdogs might work for desktop users, but not on an embedded system. What else could we do?