Educause Security Discussion mailing list archives
Re: University credentials used by third parties
From: Greg Schaffer <schaffer () MTSU EDU>
Date: Tue, 17 Aug 2010 13:13:40 -0500
I did not get the impression that the institutions listed were actually willing participants; surely that can't be? Greg Greg Schaffer, CISSP Assistant Vice President Network and Information Technology Security Middle Tennessee State University 615 898-5753 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Guy Pace Sent: Tuesday, August 17, 2010 1:09 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] University credentials used by third parties None of the Washington State schools are currently listed, fortunately. And, with Washington's stance on online gambling, it is very doubtful this outfit would make any inroads here. Aside from the fact that offering up the user ID and password of a student's account is completely contrary to our AUPs both at each institution and on the education network here. I still have some heartburn over not classifying this as blatant online gambling. Skill or no skill, the house is still making money here, so the risk is about the same as with any other gambling site. Ultrinsic is just making money on the basis that 90 percent of the students who would participate have no idea of the statistics and probability at work and have no understanding that the whole thing is rigged in the house's favor. What surprises me is the number of colleges listed would participate in this, thus condoning it. Of course, that assumes that the colleges listed are knowingly participating and allowing this third party access to student records. Fortunately, in our situation, even if a student attempted to participate without sanction from one of our colleges and our governance board, Ultrinsic would not be able to access the data. And, the student would be dealt with for violation of the AUP. Guy L. Pace, CISSP Security Administrator Information Technology Division WA State Board for Community and Technical Colleges (SBCTC) 3101 Northup Way, Suite 100 Bellevue, WA 98004 425-803-9724 gpace () sbctc edu "Great art is a practice. Turn it into a process and the result is a paint-by-numbers system." Bob Lewis From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Sherenco Sent: Tuesday, August 17, 2010 10:13 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] University credentials used by third parties Hello, Recently a local on-line news site (http://www.annarbor.com/news/university-of-michigan-students-can-wager-on-g rades-via-website/) wrote an article about a new website that lets students bet on their own grades. The betting aspect aside I was intrigued by this line "they have to register and upload their schedules to grant the site access to school records." To investigate further I went through the account set up process and found that the student has the option to allow the site to automatically download their student records (see attached ultinsic2.jpg). It actually asks for their academic user name and password! EMU is currently not on their list of supported schools but they mention will be rolling out nationally. We have policies and standards in place that say don't give out you password and in my opinion giving credentials to this site would violate them. Are there any other Universities investigating the use of usernames and passwords used by third party web applications not sanctioned by the University? Any talk on actually blocking a site like this from automatically logging in (system stability/privacy/security issues?) or is this more of users choice? Regards, Justin ------------------------------------- Justin Sherenco, CISSP Easten Michigan University Security Analyst http://it.emich.edu/security
Current thread:
- Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties, (continued)
- Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties David Gillett (Aug 25)
- Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties Semmens, Theresa (Aug 25)
- Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties Eric Case (Aug 25)
- Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties Adam Carlson (Aug 25)
- Experience with EPO and endpoint encryption David Grisham (Aug 25)
- Re: Experience with EPO and endpoint encryption Gibson, Nathan J. (HSC) (Aug 25)
- Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Jesse Thompson (Aug 25)
- Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Mike Porter (Aug 25)
- Re: Back on topic.... Re: [SECURITY] University credentials used by third parties Darren Fallis (Aug 24)
- Re: University credentials used by third parties Greg Schaffer (Aug 17)
- Re: University credentials used by third parties Flynn, Gary - flynngn (Aug 17)
- Re: University credentials used by third parties Paul Kendall (Aug 18)
- Re: University credentials used by third parties Bradley, Stephen W. Mr. (Aug 18)
- Re: University credentials used by third parties Bristol, Gary L. (Aug 18)
- Re: University credentials used by third parties Ken Connelly (Aug 18)
- Re: University credentials used by third parties Guy Pace (Aug 18)
- Re: University credentials used by third parties Nate johnson (Aug 18)
- Re: University credentials used by third parties Allison Dolan (Aug 18)