Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties

[David Gillett <gillettdavid () FHDA EDU>]

  True as far as it goes, but you can still get value (or at least a
perception of value ...) from FaceBook while declining all such "requests"
(as I have done).

David Gillett

-----Original Message-----
From: David L. Wasley [mailto:dlwasley () EARTHLINK NET]
Sent: Tuesday, August 24, 2010 09:37
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Back on topic.... Re: [SECURITY]
Universitycredentials used by third parties

I don't recall anyone noting that FaceBook, LinkedIn, etc. "social
networking" sites also ask for your email userid and password "so we can
notify your contacts about your new account!"
(sic).  How many students have FaceBook accounts?
How many userids/passwords has FaceBook acquired?
Hmm...

        David

-----
At 12:08 PM -0400 on 8/24/10, Joel Rosenblatt wrote:

> Just to thorough another thought into this mix, does anyone prevent
> their students (or other
> users) from turning over their credentials to Gmail or Blackberry?
>
> We see lots of authenticated logins from these services - and if I were
> to come down hard on this Ultrinsic using our sharing of password
> policy (which we do have) I'm sure that this would amount to having to
> change our policy to - you can't share your credentials - except with
> (gmail, Blackberry, etc.)
>
> I really hate inconsistent enforcement of policies, so it's either
> change the policy or cut off everyone.
>
> Comments?
>
> Thanks,
> Joel
>
> --On Tuesday, August 24, 2010 3:36 PM +0000 "Flynn, Gary - flynngn"
> <flynngn () JMU EDU> wrote:
>
> > In the terms and conditions Ultrinsic says, " Access to School
> > Account. By providing Ultrinsic with your username and password for
> > your online school account, you authorize Ultrinsic to access the
> > account and to view and record any information in your account."
> >
> > If the university AUP prohibits revealing credentials to third
> > parties, does a student have the legal authority to authorize
> > Ultrinsic to access the university system? And if not, wouldn't this
> > be unauthorized access of a university system by Ultrinsic with
> > attendant legal repercussions, particularly at state universities? A
> > disclaimer on login pages could reinforce this. For example,
> > > ©¯For interactive use by university students, employees, registered
> > > affiliates, and alumni only. All other use and access prohibited.
> > > Violators will be prosecuted.©—
> >
> > How would one go about blocking Ultrinic's access to your student
> > information system? The address they use for their web site might not
> > be the same one they use to source logins to your student system. It
> > might turn into a case of whack-a-mole.
> >
> > This kind of thing furthers the argument for more widely mandated
> > certificate or 2-factor based authentication to all Internet exposed
> > services that are access controlled...even self-service ones. In this
> > case, more as an enforcement AUP restrictions on giving out
> > authentication credentials than of any type of hacking.
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security Columbia
> Information Security Office (CISO) Columbia University, 612 W 115th
> Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel