Re: Security with students entering own data?
Date: 1996/03/25
Message-ID: <4j7edk$15h_at_ts.its.rpi.edu>#1/1
In article <4ip26d$jc_at_ratatosk.uio.no>, torfridl_at_ulrik.uio.no (Torfrid Leek) says:
>
>We are about to implement our new student system, and the developers are
>finally ready to discuss security.
>It turns out they want students to be able to update their own demographic data,
>and register for exams etc.
>This will be done from designated workstations with a special client program.
>But the question arises, how do we prevent the students from deregistering
>anybody whose "person number" they might pick up somewhere, changing other
>people's addresses etc - in short, how can we authenticate them?
>So far we have come up with the idea of mailing them usernames and passwords
>with their admission letters - but we are told the vast majority of students
>do not read their mail and do not bring the required documentation.
>
>I would be interested to know if anybody is addressing similar issues, and how.
>In principle this is no different from letting them make a phone call to the
>student office to update this information. Maybe we should accept the fact
>that this information is not 100% trustworthy?
We were able to attack this problem from the other direction - We had to provide computer accounts (used for Unix access, and later on - POP email) to ALL students. To this end we built a system to create Unix accounts based on info from the Registrar. Later on, we realized that we could run the relation backwards, and go from a computer account to a student number.
Our students can now get schedules, grades, degree progress reports, current library checkout info, their last phone bill, current account balance with the Bursar online, and also change local, permanent and next of kin addresses online. This is all described in more detail in the papers "Student Information Services", and "Oracle Tools" which can be found in http://www.rpi.edu/~finkej/Papers.html.
Prior to this general system, we had a way of distributing Unix accounts that required that the students provide their long distance auth code (needed to make long distance telephone calls from the campus PBX). We could crossmatch between SSNumber (boo hiss) and the Auth Code, so if the person had both, we assumed that it was them, and gave them the account. In this way, the Telecom office "authenticated" the students when they picked up their auth codes.
The auth code procedure was interesting in itself - to get an authcode, students had to sign a "Conditions of Use" form ( http://www.rpi.edu/campus/doc/its/conditions-of-use ). When we started creating Unix accounts for everyone, we included it on the form with the Auth Code. At the start of each year, we set up a tent near the dorms and handed out authcodes, phone books, network connections, advising, etc to the new students as they moved in. (This lasts for 3 days, and gets a lot of this stuff out to the students in a hurry...)
--
Jon Finke                          finkej_at_rpi.edu
Senior Network Systems Engineer    http://www.rpi.edu/~finkej
Information Technology Services    518 276 8185 (voice) | 518 276 2809 (fax)
Rensselaer Polytechnic Institute   110 8th Street, Troy NY, 12180

Received on Mon Mar 25 1996 - 00:00:00 CET
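
The two mechanisms described in the reply above, as an added example that is not part of the original post and is not RPI's code: an account is issued only when two identifiers cross-match the same registrar record, and later self-service updates take the student number from the authenticated account rather than from anything the client sends. The table layout, column names, function names and sample rows are all assumptions constructed for illustration.

```python
import hmac
import sqlite3

def build_db():
    """Constructed sample data: two registrar records, no accounts yet."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE students (student_no TEXT PRIMARY KEY, id_no TEXT UNIQUE,
                               auth_code TEXT, local_address TEXT);
        CREATE TABLE accounts (username TEXT PRIMARY KEY,
                               student_no TEXT UNIQUE REFERENCES students);
        INSERT INTO students VALUES ('S001', '111-00-0001', '482913', 'Dorm A 12');
        INSERT INTO students VALUES ('S002', '111-00-0002', '771204', 'Dorm B 7');
    """)
    return db

def issue_account(db, username, id_no, auth_code):
    """Create an account only if both identifiers match the same record."""
    row = db.execute(
        "SELECT student_no, auth_code FROM students WHERE id_no = ?",
        (id_no,)).fetchone()
    # Constant-time comparison of the secret half of the cross-match.
    if row is None or not hmac.compare_digest(row[1].encode(), auth_code.encode()):
        return False
    try:
        db.execute("INSERT INTO accounts VALUES (?, ?)", (username, row[0]))
    except sqlite3.IntegrityError:
        # Username already taken, or this student already holds an account.
        return False
    return True

def update_local_address(db, session_user, new_address):
    """Update the caller's own record. The target student number is looked up
    from the authenticated account; the client never supplies it."""
    row = db.execute("SELECT student_no FROM accounts WHERE username = ?",
                     (session_user,)).fetchone()
    if row is None:
        return False
    db.execute("UPDATE students SET local_address = ? WHERE student_no = ?",
               (new_address, row[0]))
    return True

def address_of(db, student_no):
    """Helper for inspecting the result."""
    return db.execute("SELECT local_address FROM students WHERE student_no = ?",
                      (student_no,)).fetchone()[0]
```

Because `update_local_address` has no student-number parameter, a person number picked up elsewhere gives a caller nothing to aim at someone else's record.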