Re: University credentials used by third parties

[Greg Schaffer <schaffer () MTSU EDU>]

I did not get the impression that the institutions listed were actually
willing participants; surely that can't be?

 

Greg

 

Greg Schaffer, CISSP

Assistant Vice President

Network and Information Technology Security

Middle Tennessee State University

615 898-5753

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Guy Pace
Sent: Tuesday, August 17, 2010 1:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] University credentials used by third parties

 

None of the Washington State schools are currently listed, fortunately. And,
with Washington's stance on online gambling, it is very doubtful this outfit
would make any inroads here. Aside from the fact that offering up the user
ID and password of a student's account is completely contrary to our AUPs
both at each institution and on the education network here.

 

I still have some heartburn over not classifying this as blatant online
gambling. Skill or no skill, the house is still making money here, so the
risk is about the same as with any other gambling site. Ultrinsic is just
making money on the basis that 90 percent of the students who would
participate have no idea of the statistics and probability at work  and have
no understanding that the whole thing is rigged in the house's favor. What
surprises me is the number of colleges listed would participate in this,
thus condoning it. Of course, that assumes that the colleges listed are
knowingly participating and allowing this third party access to student
records.

 

Fortunately, in our situation, even if a student attempted to participate
without sanction from one of our colleges and our governance board,
Ultrinsic would not be able to access the data. And, the student would be
dealt with for violation of the AUP.

 

Guy L. Pace, CISSP 
Security Administrator

Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 

gpace () sbctc edu 

 

"Great art is a practice. Turn it into a process and the result is a
paint-by-numbers system." Bob Lewis

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Sherenco
Sent: Tuesday, August 17, 2010 10:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] University credentials used by third parties

 

Hello,

Recently a local on-line news site
(http://www.annarbor.com/news/university-of-michigan-students-can-wager-on-g
rades-via-website/) wrote an article about a new website that lets students
bet on their own grades.  The betting aspect aside I was intrigued by this
line "they have to register and upload their schedules to grant the site
access to school records."  To investigate further I went through the
account set up process and found that the student has the option to allow
the site to automatically download their student records (see attached
ultinsic2.jpg).  It actually asks for their academic user name and password!
EMU is currently not on their list of supported schools but they mention
will be rolling out nationally.  We have policies and standards in place
that say don't give out you password and in my opinion giving credentials to
this site would violate them.  Are there any other Universities
investigating the use of usernames and passwords used by third party web
applications not sanctioned by the University?  Any talk on actually
blocking a site like this from automatically logging in (system
stability/privacy/security issues?) or is this more of users choice?  

 

 

Regards,

Justin

 

-------------------------------------

Justin Sherenco, CISSP

Easten Michigan University

Security Analyst

http://it.emich.edu/security