Technical Team

Marvin Addison, Victor Bagley, Marc DeBonis, Daniel Fisher, Karen Herrington, Kim Homer, Mike Hosig, Greg Kroll, Ken McCrery, Andrew Olson, Kevin Rooney, Brenda van Gelder

Agenda

  1. Issues, questions, and status update from development teams
  2. It has been suggested that users would be more likely to give us a third-party e-mail address when setting account recovery options if they are told we will only send notifications to that address. What was the reason we chose to also e-mail PID@vt.edu?
  3. Project Management Issues
    1. Need estimates of time spent on this project for budget estimate.
    2. Need more detail on tasks or activities to develop a working project plan.
    3. Work on Communications plan

Meeting Notes

Attendees: Marvin Addison, Daniel Fisher, Karen Herrington, Mike Hosig, Greg Kroll, Ken McCrery, Andrew Olson, Kevin Rooney

  1. It has been suggested that users would be more likely to give us a third-party e-mail address when setting account recovery options if they are told we will only send notifications to that address. What was the reason we chose to also e-mail PID@vt.edu?
    1. Several contend that PID@vt.edu is the official e-mail address for correspondence so we should always send notifications there.
    2. Is this a usability, security, or audit issue?
    3. There was a long discussion about this topic that resulted in the following draft message:
      • Notification will be sent to PID@vt.edu. If you do not forward your e-mail, you may want to list a third-party e-mail address for notification in case you forget your password and are locked out of your e-mail at VT.
    4. The question was asked: what procedures does 4Help follow if a user calls in to report a hacked account (PID)?
    5. Action item: Kevin will make necessary changes to the software requirements specification.
  2. Status
    1. Greg still needs time estimates and task details (milestones) from most of the team.
    2. Regarding the SMS gateway: Kevin is going to contact Bulletin.net with some questions. Karen is awaiting information from Penn State. John Krallman is ready to forward Bulletin.net's terms and conditions to VT legal. Kevin, Karen and Greg attempted to contact Twilio as an alternative vendor without much success. No phone calls were answered and e-mail responses referred back to their website. We dropped Twilio from consideration.

2 Comments

  1. Kimberley Homer

    I can't remember the reason we were going to use PID@vt.edu, but if the account has been compromised, sending email to it isn't going to help the owner. I think sending email to the third party email address is sufficient.

  2. Mary Dunker

    I am just wondering what the rationale is in preventing notification using an address in the *.vt.edu domain. I assume there are still people who receive e-mail on departmental servers, linux workstations running sendmail, or who maintain separate exchange.vt.edu and vt.edu mailboxes. Why would you restrict sending notices to these addresses?

    It seems the crux of the issue is not whether you send to <PID>@vt.edu or <e-mail>@*.vt.edu, or a 3rd party e-mail address, but whether or not the e-mail address (or mobile phone number, or other object of notification) really belongs to the owner of the PID. I'm not sure you can tell whether <pid>@vt.edu has been compromised as long as you allow people to set preferences after PIDgen anyway, but you may get complaints from departments with e-mail addresses of the form <e-mail>@*.vt.edu if you prevent using those addresses.

    Perhaps what you really want to avoid is allowing the person to have notification sent to the e-mail address to which their <PID>@vt.edu is forwarded?

    From a security standpoint, I think everyone would like to be able to notify people at some pre-registered address of record or phone number that cannot be changed by an imposter. I just don't know if that can be accomplished in the self-service environment we are creating.