On Nov 28, 2007, at 10:11 AM, Richard T Houang wrote:
> MSU, as owner of MSUnetIDs, should investigate as they are asking
> for MSUnetIDs and passwords. It will be very easy for the site to
> keep the information.
This has been a longstanding issue. So long as we don't filter
traffic to/from the KDC/IMAP/POP or any other standard service we
provide which authenticates users, leakage is impossible to control.
AllMSU.com has been providing services like this for years, which
encourage students to provide their MSUNetID and password. I have
always discouraged using these types of services for the obvious
security reasons, but from a technical perspective, this credential
leakage is unmanageable.
./mk
--
Matt Kolb <[log in to unmask]>
Academic Computing & Network Services
Michigan State University
|