Educause Security Discussion mailing list archives

Re: Web Kiosks


From: "Schmidt, Eric W" <erschmid () IUPUI EDU>
Date: Mon, 11 Aug 2003 11:37:34 -0500

Not being a lawyer I don't know the answer to this question but my
concern would be:  If one of these kiosks is used to compromise a system
on the Internet or deploy a destructive virus, who would be potentially
liable - the university or the kiosk company?  

 

Has anyone who already has these kiosks deployed gotten a good answer to
that question?

 

 

Eric W. Schmidt, CISSP, CISM, DABFE

Information Security Officer

Indiana University School of Medicine

office:  317-278-8751

email:  erschmid () iupui edu

 

-----Original Message-----
From: David L. Wasley [mailto:david.wasley () UCOP EDU] 
Sent: Monday, August 11, 2003 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Web Kiosks

 

We don't have such things at UCOP (yet) but if we were to, I would
strongly prefer to develop and deploy them in house.  If not, I would
require that they have private, external Internet connections.  All we
would provide would be space and power - much like a vending machine.

 

What occurs to me is to wonder what the machine is actually programmed
to do?  Who configures it, maintains/upgrades it, etc.?  Will you even
have access to the system, much less the code source?  It's bad enough
having to defend against MSWin "bugs" - at least there are a lot of
other folks in the same boat.  But a few externally provided black
boxes, strategically placed on my network, just don't seem worth the
risk.  Call me paranoid...

 

        David

-----

At 5:33 PM -0500 on 8/7/03, Bruhn, Mark S. wrote:

 

        Specifically, kiosks accessible to anyone, placed on campus, by
a company called Nanonation.

        I just met with our Student Union folks, and they have
contracted with this company to place 5 or 6 of these in our Union.
They allow web access to anything, anywhere.  It's a given that we would
isolate these from the rest of our network.  But, there are issues about
what people can do from these, using/against external sites.  When I
described to the Union staff what this could mean, in order to make sure
they know what they're getting into, they also became very concerned.
Especially when I described that other areas have chosen to install some
level of authentication (such as the Library), and that these devices
will most likely become the new haven for nefarious-deed-doers (those
that have migrated to the county library as we installed authentication
on campus may migrate back!)

        This company says they have 27 colleges and universities as
customers.  They listed a few, and will send me the rest -- I start with
the Big Ten campuses they mentioned:  Michigan State, Northwestern, Ohio
State, Purdue is apparently negotiating.  Others were Penn and Kansas.

        I wondered if I could get a sense of  1) how many security
officers know about these types of kiosks on their campuses, and 2)  if
so, do you know what the thinking was related to security and abuse?
How were those concerns handled or were they explicitly recognized and
accepted?

        If you want to reply to me, I can sanitize and summarize for the
lists.

        Thanks,
        M.

         

        --
        Mark S. Bruhn, CISSP, CISM

        Chief IT Security and Policy Officer
        Interim Director, Research and Educational Networking
        Information Sharing and Analysis Center (ren-isac () iu edu)

        Office of the Vice President for Information Technology and CIO
        Indiana University
        812-855-0326

        Incidents involving IU IT resources: it-incident () iu edu
        Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

        
        
        ********** Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

 
