Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Web Kiosks

From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Mon, 11 Aug 2003 09:15:18 -0700
We don't have such things at UCOP (yet) but if we were to, I would
strongly prefer to develop and deploy them in house.  If not, I would
require that they have private, external Internet connections.  All
we would provide would be space and power - much like a vending
machine.

What occurs to me is to wonder what the machine is actually
programmed to do?  Who configures it, maintains/upgrades it, etc.?
Will you even have access to the system, much less the code source?
It's bad enough having to defend against MSWin "bugs" - at least
there are a lot of other folks in the same boat.  But a few
externally provided black boxes, strategically placed on my network,
just doesn't seem worth the risk.  Call me paranoid...

       David
-----
At 5:33 PM -0500 on 8/7/03, Bruhn, Mark S. wrote:


Specifically, kiosks accessible to anyone, placed on campus, by a
company called Nanonation.

I just met with our Student Union folks, and they have contracted
with this company to place 5 or 6 of these in our Union.  They allow
web access to anything, anywhere.  It's a given that we would
isolate these from the rest of our network.  But, there are issues
about what people can do from these, using/against external sites.
When I described to the Union staff what this could mean, in order
to make sure they know what they're getting into, they also became
very concerned.  Especially when I described that other areas have
chosen to install some level of authentication (such as the
Library), and that these devices will most likely become the new
haven for nefarious-deed-doers (those that have migrated to the
county library as we installed authentication on campus may migrate
back!)

This company says they have 27 colleges and universities as
customers.  They listed a few, and will send me the rest -- I start
with the Big Ten campuses they mentioned:  Michigan State,
Northwestern, Ohio State, Purdue is apparently negotiating.  Others
were Penn and Kansas.

I wondered if I could get a sense of  1) how many security officers
know about these types of kiosks on their campuses, and 2)  if so,
do you know what the thinking was related to security and abuse?
How were those concerns handled or were they explicitly recognized
and accepted?

If you want to reply to me, I can sanitize and summarize for the lists.

Thanks,
M.


--
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu



********** Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/.


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
Previous By Date Next
Previous By Thread Next

Current thread: