Educause Security Discussion mailing list archives

Back on topic.... Re: [SECURITY] University credentials used by third parties


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Tue, 24 Aug 2010 15:36:38 +0000

In the terms and conditions Ultrinsic says, "Access to School Account. By
providing Ultrinsic with your username and password for your online school
account, you authorize Ultrinsic to access the account and to view and
record any information in your account."

If the university AUP prohibits revealing credentials to third parties, does
a student have the legal authority to authorize Ultrinsic to access the
university system? And if not, wouldn't this be unauthorized access of a
university system by Ultrinsic with attendant legal repercussions,
particularly at state universities? A disclaimer on login pages could
reinforce this. For example,
"For interactive use by university students, employees, registered affiliates,
and alumni only. All other use and access prohibited. Violators will be
prosecuted."

How would one go about blocking Ultrinsic's access to your student
information system? The address they use for their web site might not be the
same one they use to source logins to your student system. It might turn
into a case of whack-a-mole.

This kind of thing furthers the argument for more widely mandated
certificate or 2-factor based authentication to all Internet exposed
services that are access controlled...even self-service ones. In this case,
more as an enforcement of AUP restrictions on giving out authentication
credentials than of any type of hacking.
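
Added example, not part of the original message: a sketch of finding a third-party login source from the student system's own authentication log rather than from the vendor's web site address, by flagging networks from which many distinct accounts log in. The log format, the sample records, and the name `shared_sources` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of student-system login records (format is an assumption).
SAMPLE_LOG = """\
2010-08-24T14:00:01Z login=ok user=stu101 src=192.0.2.15
2010-08-24T14:00:09Z login=ok user=stu102 src=198.51.100.7
2010-08-24T14:02:30Z login=ok user=stu103 src=198.51.100.9
2010-08-24T14:03:11Z login=fail user=stu104 src=198.51.100.9
2010-08-24T14:05:42Z login=ok user=stu105 src=198.51.100.23
2010-08-24T14:06:00Z login=ok user=stu106 src=203.0.113.40
2010-08-24T14:06:05Z login=ok user=stu107 src=203.0.113.41
2010-08-24T14:06:09Z login=ok user=stu108 src=203.0.113.42
2010-08-24T14:09:17Z login=ok user=stu102 src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) login=(ok|fail) user=(\S+) src=(\S+)$")


def shared_sources(log_text, min_accounts=3, prefix=24, known_shared=()):
    """Return {network: sorted accounts} for IPv4 networks from which at least
    min_accounts distinct accounts logged in successfully.

    Grouping by /prefix instead of single address keeps a source visible when
    it rotates among neighbouring addresses. known_shared lists networks
    expected to carry many users (campus labs, NAT pools, VPN) to skip.
    """
    skip = [ipaddress.ip_network(n) for n in known_shared]
    accounts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "ok":
            continue  # ignore malformed lines and failed logins
        try:
            addr = ipaddress.ip_address(m.group(4))
        except ValueError:
            continue  # source field is not an IP address
        if addr.version != 4 or any(addr in n for n in skip):
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        accounts[str(net)].add(m.group(3))
    return {n: sorted(u) for n, u in accounts.items() if len(u) >= min_accounts}
```

A flagged network is only a candidate for review: shared NAT gateways and proxies produce the same many-accounts pattern, which is what `known_shared` is for.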

