Educause Security Discussion mailing list archives

Re: University credentials used by third parties


From: Guy Pace <gpace () SBCTC EDU>
Date: Tue, 17 Aug 2010 11:09:04 -0700

None of the Washington State schools are currently listed, fortunately. And, with Washington's stance on online 
gambling, it is very doubtful this outfit would make any inroads here. Aside from the fact that offering up the user ID 
and password of a student's account is completely contrary to our AUPs both at each institution and on the education 
network here.

I still have some heartburn over not classifying this as blatant online gambling. Skill or no skill, the house is still 
making money here, so the risk is about the same as with any other gambling site. Ultrinsic is just making money on the 
basis that 90 percent of the students who would participate have no idea of the statistics and probability at work and 
have no understanding that the whole thing is rigged in the house's favor. What surprises me is the number of colleges 
listed would participate in this, thus condoning it. Of course, that assumes that the colleges listed are knowingly 
participating and allowing this third party access to student records.

Fortunately, in our situation, even if a student attempted to participate without sanction from one of our colleges and 
our governance board, Ultrinsic would not be able to access the data. And, the student would be dealt with for 
violation of the AUP.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

"Great art is a practice. Turn it into a process and the result is a paint-by-numbers system." Bob Lewis

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin 
Sherenco
Sent: Tuesday, August 17, 2010 10:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] University credentials used by third parties

Hello,
Recently a local on-line news site 
(http://www.annarbor.com/news/university-of-michigan-students-can-wager-on-grades-via-website/) wrote an article about 
a new website that lets students bet on their own grades.  The betting aspect aside I was intrigued by this line "they 
have to register and upload their schedules to grant the site access to school records."  To investigate further I went 
through the account set up process and found that the student has the option to allow the site to automatically 
download their student records (see attached ultinsic2.jpg).  It actually asks for their academic user name and 
password!  EMU is currently not on their list of supported schools but they mention they will be rolling out nationally.  We 
have policies and standards in place that say don't give out your password and in my opinion giving credentials to this 
site would violate them.  Are there any other Universities investigating the use of usernames and passwords used by 
third party web applications not sanctioned by the University?  Any talk on actually blocking a site like this from 
automatically logging in (system stability/privacy/security issues?) or is this more of user's choice?


Regards,
Justin

-------------------------------------
Justin Sherenco, CISSP
Eastern Michigan University
Security Analyst
http://it.emich.edu/security



