Global Constant

I’m glad that they’ve made the changes.  Otherwise I was going to create an open source Java (or something else as easily portable) program to do the same thing, and advertise it for free.  I think it’s wrong to charge $70 for such a service.  (And probably not exactly in agreement with University policy, but that’s, at best, a grey area.)

More than anything though, this is a good move on the part of the University to protect students.  It’s a very bad idea to give out your university username and password.  Anyone who used direct deposit effectively gave the guy their bank account number.  Not to mention their social security number, home phone number, address, parents’ names, and a ton of other identifying information. Oh, and best of all?  He’s tying it all to their Facebook account.

If any one of the people who have used his service were to have their identity stolen, they’d be the first and biggest suspects.  I doubt they considered the enormous liability they took on when they opened up the site to the public.  In the end, the University might have kept these guys out of trouble in the long run.

Besides, their idea wasn’t new.  They didn’t create the first script to grab classes when they opened up; it was just the first foolish enough to go public.  I don’t think BYU copied anything they’ve done, but they realized that if they didn’t meet a need of people to try and get into a class when there was an opening, people would try to do it themselves.  (Necessity is the mother of invention.)  Better that BYU do it right (and fairly) than let students put themselves in a dangerous situation.

Anyway, that’s my take on the situation.  I think BYU did the right thing, and I think the changes only benefit (and protect) students.  I hope I didn’t hijack your post, but wanted to share by thoughts with ya.

Great post.  I love reading peoples opinions about my website.  It was a great project but it isn’t dead yet, we are already working on a fix for the captch business.  

@mchasej:disqus , It’s important to understand that you don’t have to be the first at something to become the most successful.  We also never collected bank account information or social security numbers.  There is actually very little important information like that on your route y account, probably less useful information when compare to Facebook.
It’s interesting to see all these changes happening.  It really shows that progress is only made when there is competition.

My statement was too blunt, you’re right. I merely mean to point out that the security implications of divulging a password to anyone are serious. Even if I knew you personally and trusted you, I would still be wary of giving you a password simply because your database could be compromised by an attacker. You’ve taken on a lot of responsibility.

I didn’t know you had so many users; you’ve been quite successful. Competition is indeed good for progress.

@Brandon, Of course your scripts aren’t programmed to go out and steal SS number and bank account information.  But the information is there for the taking if you’ve got their username and password.  (If they’ve worked on campus, the information is easy to get.)  And like Steven points out, it might not be all y’all that take it, but someone might steal your database and then steal people’s information.  And like you point out, there’s a lot of info on Facebook too–and you’ve linked all that information with the information accessible through their Route-Y.

I’m a bit curious: has S-Snatch been reduced to checking at midnight of a person’s registration and either registering them for classes or putting them in wait lists?  I mean, with the new wait list feature, it’s no longer useful to re-check classes for dropped seats so that you can register–it’s most beneficial to simply put yourself in the wait list as soon as you can and pray that enough people drop the class.
Beyond all of this technical stuff, what if the University were to come out with a new Terms of Service that contained a clause forbidding the use of services like S-Snatch?  They can obviously track users of the service easily, and they could flag them and drop every one of their classes (if the hypothetical new terms said they would do so).  They could also block your IP if they decided that your service was against those terms.  (Does anyone know where such terms now exists?  I tried looking and couldn’t find them–but I didn’t look super hard.)Oh, and to the statement “if BYU hadn’t made the changes it would have been near impossible to get the classes you wanted without it.”:  I went through my entire undergraduate education and was in every single class I wanted.  Granted, I had zero desire to be in Bott’s mission prep class, but still: got into every classes I needed.  And the kicker?  I never went on at midnight, and a couple times, I forgot until the next day.

And @Disqus, why must you default to a ordering that makes all of the comments make no sense? Silly Disqus.

I hope that everyone understands that I’m not trying to cut down anyone, except maybe Disqus and their default comment ordering.  I’m just wary of a service that has access (potentially) to too much of my personal information.  I stopped using Mint.com for the same reasons.  And it’s an interesting topic.  And the conversation has gotten interesting.

How _do_ you take payment, anyway?

Steve Nay

@mchasej:disqus You bring up an interesting point. I trust Mint.com right now, perhaps because they’re an established player in the financial software business (Intuit), and perhaps because they openly display evidence of third-party security audits. If they were compromised, I’d be in big trouble. Yet I trust them. So why not a homegrown service like Schedule Snatcher?

“what if the University were to come out with a new Terms of Service that contained a clause forbidding the use of services like S-Snatch”
As far as BYU goes, there isn’t anything Schedule Snatcher is doing that is illegal or against their policies.  They do have in there online policy something that says a student can’t give out his/her Route Y credentials though.

To answer your question, I’ll first refer to your own comment: “they openly display evidence of third-party security audits.”  And they have a Privacy Policy.  And a Terms of Service.  And security professionals.  And professional developers.

S-Snatch needs all of those things, starting with the privacy policy and moving forward.  When you whois the domain, it’s behind BlueHost’s privacy registration.  It should lead me to an LLC or something.  (@Brendon, If you’re going to keep developing the service, you guys should really form an LLC and do everything in its name, move the domain registration to it’s name, etc.  An LLC would protect you from liability, to a degree, and that could be very important.)

In short, Mint.com is a professional product that I can trace back to a professional entity who would (and could) assume liability if something disastrous were to happen.  Schedule Snatcher feels like a basement project.  There’s no way that it could handle the fallout if a security breach were to happen.

“We’ve come up with a large list of new features that have yet to be implemented that will completely revolutionize the way a college student registers for classes.”
Lucky Steve Jobs left something to be “completely revolutionized.” It seems like he was doing that a lot.

Steve Jobs quotes aside, I’m wondering if any of your rest-of-the-iceberg revolutionary features just increase ease of use without decreasing fairness, or if Schedule Snatcher will always be a “money talks” application.

Also, it seems like it wouldn’t be too hard to distribute a program to individuals who pay for your service where they can run the program and log in locally and get the same functionality without you having to collect and store their credentials (which goes against BYU’s online policy, as Brandon pointed out, of students not being allowed to share their credentials with anyone). Are those plans anywhere in the iceberg?

Interesting, didn’t know you could access those things.

I believe the weakest part of any system though is the people themselves.  It’s a lot easier to trick a person than to crack a password.  The more people you have with access to the system the weaker you become.  With Schedule Snatcher there is only one person with any access to any of the information. 

Waitlisting has been on the enhancement list for a long time.  Many other universities already have this feature.  (UVU to name just one.)  Despite the damage it might do the SS egos, the timing had nothing to do with them in particular.  The change was in the works before SS appeared on the scene. 

The real issue with SS that triggered the captcha change is that, like many automated processes, it puts too much load on BYU systems – kind of like a DOS attack.  This makes the system worse for students (actual humans) trying to register for classes because SS consumes too much resource.  So if SS circumvents the captcha change, BYU will be forced to find another way to block their automated traffic.

Regarding surrendering one’s username and password, I would agree with Steve Nay’s original premise that you would have to be dumb to give up that information to just any third party.  Enough information is available that identity theft would be child’s play. 

FWIW, I believe that BYU’s policy of not sharing credentials is to protect the individual, not the institution.  BYU never set out to “ruthlessly quash [outside] developers.”  BYU has a responsibility to maintain systems that are useable by our students, faculty and staff.  SS was diminishing overall customer satisfaction by robbing cycles from everyone but their customers.

No. It really is quite dumb to use this service. People don’t seem to understand how stupid it is to give out your net id and password.

You are correct. There’s nothing groundbreaking here. SS is not even the first bot to charge people to use it. They just advertised it more (and got all of them shut down). This problem is that classes are scarce. SS doesn’t change this. SS provides nothing of value. For everyone who used SS to add a class there is someone else who didn’t get into the class. These guys are just trying to make money by wasting other peoples resources, and in the end making it worse for everyone. Might as well be running a spam email server.

I believe that BYU would be very open to creating a next generation system that uses a publish/subscribe model. I agree that would reduce the strain so systems like SS would raise far fewer eyebrows.  The questions are funding and timing.

I agree with you about OAuth; I am surprised that more third parties don’t use the OAuth model.

Isn’t that life for you?  For every winner there is a loser? Isn’t that a free market?  Find something people want and find a way to get them the solution.  

In all honesty, the weakest point in any network is the people who administer it.  Also, the larger the project the harder it is to cover all your security risks.  Compare BYU to Schedule Snatcher, BYU has more administrators and a much larger system.

John mentioned that the wait list feature had been in the works for a while, but it’s only now coming to fruition. I think it’s valuable to have independent developers like you pushing the envelope, simply because you are more agile than a bureaucracy-laden institution. You’re helping define the market and show what features students really care about.

Unfortunately, slow development seems to be the eternal curse of an organization as big as OIT. That’s another reason it would be nice to have a more open system that welcomes outside developers.

I am curious if anyone here has any ideas on how to actually improve the registration problem. There’s probably a dissertation or two to be earned in figuring out how to apply economic theory to scheduling classes.

What problem does this solve though? If BYU is interested in having a “fair” registration system (whatever that means) I don’t see how throwing out a signal to race for a spot is better than waitlisting or even just letting users stumble across openings. It would reduce automated traffic I guess, but there are other ways to do that.

Exactly, it kind of sucks.  I had this in my highschool.   We gave them a list of classes we wanted with alternates and the school created the schedule for you.  Makes everyone happy but gets rid of some freedom.  Guess it’s similiar to a big government vs a small government, fixed market or a open market.  Lots of economics behind it I think

My high school did the same thing. I was actually kind of surprised when I got to college and learned that I could choose my own schedule. It was a rather daunting task the first time or two.

I’ve had that same question. When are they going to open up wait list registrations? Does that really make it any more fair? Probably; I don’t know.

The benefit of having an evented model (this is getting into programming and systems design stuff, rather than economics) is that the system can be more efficient while still supporting internal and external developers. It’s just a different design decision, but it does open the door for people like Brendon to develop applications without wasting system resources.