UNT IT help desk and Virtualization Service

Initial Request on 16 OCT 2022

Reply the Next Day with my follow-up response.

Second Response of the same confusion.

Four rounds of this nonsense... please just read my message.

Then they sent me the questionnaire for the satisfaction survey.

Well, are you happy?

Umm, NO. Not happy. Please read my messages when I send them.

Then they marked it resolved... without any resolution!

Finally two days later, someone replies...

Two days later: "Oh, we have a different virtualization service through the business school!"

Can your service do what I need it to do?

With all the gusto of "Let's go down the rabbit hole again and contact a new IT department", I reached out to the Citrix service manager. However, contrary to initial expectations, I found that I was corresponding with a responsive and well-informed person who could make things happen if all the boxes on his checklist were filled... only the boxes still are not filled.

Let's get all the stakeholders involved...

And so there it is... UNT, the school which is not in want of defined process. It is a well managed school.

University of North Texas Collects Social Security Numbers for Multi-Factor Authentication

As part of its security framework, the University of North Texas (UNT) is rolling out DUO. DUO is a personal device approval system for accessing university-leased software-as-a-service offerings. From a business point of view, if the University needs to verify or limit the use of leased licenses to only registered (qualified) individuals (at the behest of the software leasing agency, or as a consequence of possible greater financial liability) then the approach makes sense. DUO falls under a broad category of multi-factor authentication (MFA) tools: a user must use two communication tools to access some knowledge or digital service. MFA is seen as a "best current practice" in the security field. However, it is, from a user's perspective, perhaps the most annoying addition to our lives. It presumes that one has not only the computer that is trying to access the service but also a cell-based mobile device, and that that device is currently connected to a larger network. It is not clear to me that DUO is not actively recording and reporting other neighboring Bluetooth devices as Facebook's apps have been reported to do. That is, the security leak that DUO has the potential to be is perhaps just as great as the risk to networks with single-factor authentication. The exact technical nature of DUO's "verification" process is not transparent. I have been using DUO at the University of Oregon for over a year.

The UNT process of rolling out DUO requires that potential users enter their US social security number (SSN) into the website during the verification process. This bit of personally identifying information seems to be over-reach or poor information architecture. The UNT web-application collecting the information does not explain to the user:

  • how the SSN is processed (why it is needed), or
  • how it is stored, or
  • when they will dispose of the information submitted on the form.

A student's SSN is part of the federally protected student information and is in general a valuable piece of information to have. Requesting the SSN via a website after a student has already been admitted to the University seems like it opens the University up to a targeted attack on that particular web application. This process puts the SSN in the realm of data-in-transit where previously the SSN was only data-at-rest. The clever attacker would not try to spoof DUO or access the UNT network, but rather sniff the data in transit as it is communicated for the purposes of creating an authentication system. Reporting my SSN for the process of creating a DUO account was not necessary when I made my DUO account at the University of Oregon.

When I called the UNT IT office to ask about this, I was put in a hold queue by an automated answering service and then the automated service terminated the call without a response from me.