MIT To End Open-Network Policy In Response To Recent Attacks

Posted by samzenpus
from the ruining-it-for-everybody dept.
An anonymous reader writes "MIT announced that despite a long history of running an open network (so that any student can run a server on any port, without any questions asked), it will now end this policy due to recent denial-of-service attacks and a gunman hoax. From a letter sent by Executive Vice President and Treasurer Israel Ruiz: 'I am deeply and personally committed to safeguarding our community, protecting our campus and securing our systems. Together with our colleagues dedicated to campus safety and security, with the support of senior academic leadership and in collaboration with the campus community, we are deploying all necessary resources to this effort. It will require the dedication of all of us to promote safety awareness, complete necessary emergency training, and adhere to reinforced cyber security guidelines. IS&T staff members are working with information technology (IT) leadership and partners across campus in making the changes described above. We continue to explore all opportunities to further strengthen our preparedness, and will communicate additional information as these plans evolve.'"
Comments Filter:
  • Optional (Score:5, Insightful)

    by Sarten-X (1102295) on Wednesday April 03, 2013 @09:45PM (#43354535) Homepage

    Apparently, the new policy is just by default:

    Those engaged in research, teaching and learning activities will be given the option to opt out of the default network security policy through a self service mechanism.

    Basically, it looks like someone in administration finally asked "What if we're actually a target?" and the response was "we're royally screwed". Yes, it's nice to give open access to everything, but I doubt most college students, even at MIT, follow reasonable security procedures. So now, they're going to block everything by default, and if someone wants to open access, they can do it themselves. Best case, there's no problems and nobody notices. Worst case, MIT's network isn't such a help during an attack.

    So a university changed its default security policy. Big deal. I don't see how this is newsworthy.

    • Re:Optional (Score:5, Interesting)

      by Nimey (114278) on Wednesday April 03, 2013 @09:49PM (#43354551) Homepage Journal

      It sounds to me like students were allowed to run arbitrary servers before, and that group is not included in the passage you quoted, therefore students will no longer have this option at all unless it's for an assignment.

      • Re:Optional (Score:4, Funny)

        by Sarten-X (1102295) on Wednesday April 03, 2013 @09:52PM (#43354567) Homepage

        Students aren't engaging in "learning activities"? What exactly are they doing at college, then?

        ...I ask as I take another sip of my beer...

        • by Nimey (114278)

          Exactly. Running your public Minecraft server doesn't have anything to do with "learning" except in the broadest possible sense.

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            I learned more running a public nethack server than I did in half the required classes for my CS degree. (Admittedly, I didn't go to MIT.)

• CS is not networking, not IT / servers, and not desktop / help desk work.

Now maybe if you were a programmer then the classes would of helped you more.

              • by Anonymous Coward
                CS students NEED that stuff though before they overuse resources on shared machines/networks. BTW, it's clear you skipped your English classes. "Would of" is not a contraction for "would have", but "would've" is.
• CS is not networking, not IT / servers

                Part of it very much is (especially networking). How can you design an application to make effective use of a network without at least understanding the basics of how a network works?

                It's all intertwined, and any good CS program DOES have some options to help you learn those things. But it's not like additional learning does not help.

          • Exactly. Running your public Minecraft server doesn't have anything to do with "learning" except in the broadest possible sense.

            Making available a public and shared resource does lead to things that aren't strictly in-scope, but can you tell me you don't play flash games at work? Or post to a certain technology website to take a mental break from the tedium of what you're supposed to be working on, so you can come back to it refreshed?

            Google gives its employees part of their workday off to do whatever they want, and it's resulted in some rather amazing products. And none of the company's resources used during that time is strictly f

            • by Nimey (114278)

              All of what you said is utterly irrelevant.

            • You are correct, that Minecraft is the perfect escape from building robots and programs. I cannot count the number of hours I have spent fighting mobs when I could have been coding something.

              My choice, and I make it freely. But I don't sugar coat it.

          • Re:Optional (Score:5, Insightful)

            by Sarten-X (1102295) on Wednesday April 03, 2013 @10:16PM (#43354699) Homepage

            Cute, but wrong.

            Minecraft (and other game) servers are just as good at learning proper administration techniques as the IRC servers I ran in my college days. The admins must go through the configuration process, think about uptime, anticipate resource needs, and put some concern into security, while carefully handling (or intentionally not) the interpersonal conflicts that arise among users... all the same tasks a good admin must mind in the real world of IT.

            Coincidentally, I'm currently mentoring a high-school student preparing for an IT program at college. We're going over some basic admin skills in advance of his classes, focusing on the real-life experiences from my day job as an IT admin at a finance company. His main service is actually a Minecraft server... but behind the scenes, he's running Bash scripts for backup & housekeeping, Apache for a web-based world map, Nagios to alert him if/when something crashes, and some Perl hacks (that I wrote) to add a few server functions.

            Of course, that's just for a silly little game, but it doesn't really matter what the user-facing service is. The demands of IT administration are pretty generic. I use similar services daily, though the backups are done less with Bash and more with Enterprise Agentless Backup Manager Plus Professional Ultimate Corporate Edition.

            • by Nimey (114278)

              Now you're just being obtuse and begging the question. If you're a student, running your game server (or Net-accessible model railroad controller, or whatever) doesn't have anything to do with what you're paying MIT for and there's nothing stopping you from getting it hosted at a colo somewhere.

              It's a hobby, which may be interesting and even valuable, but ultimately MIT has to make sure their network is serving classes, faculty, research, &c (that being what people are paying for). It's a matter of pr

              • by Anonymous Coward

The whole point of an academic environment is to allow people to learn in their own ways, not just follow directions given from high up. So yes, the ability to experiment with network servers that are not directly related to any class the students are taking is precisely why MIT (and a lot of other universities that still understand academic ideals) don't stop students from running network servers.

              • ... it ties into my point in a different thread that a few assholes are going to ruin things for everyone.

                You're right. University administrators are too interested in CYOA to actually do the right thing. They are assholes.

                Oh, and if you were referring to the "terrorists" (as others have put it), well, no, they don't have the power to do jack squat, so they're clearly not the assholes who ruined things for everyone. It's the University administrators that cowered and changed policy. And it's not like gu

              • by rmstar (114746)

                If you're a student, running your game server (or Net-accessible model railroad controller, or whatever) doesn't have anything to do with what you're paying MIT for and there's nothing stopping you from getting it hosted at a colo somewhere.

                Also, if the reputation of MIT as a pressure cooker is true, you won't be a student at MIT for too long if you waste your time running and administrating your own game server.

                • Near as I can tell, the people chiming in about Minecraft servers didn't go to MIT.

                • by Anonymous Coward

I attended MIT. You'd be *amazed* at how many chances they give you to hang yourself before finally cutting you off. 1 in 4 students does not graduate, but I'd be shocked if it was more than 1 in 500 who was expelled or permanently suspended for misbehavior.

                  And their security has traditionally been horrible. Go ahead. Scan MIT's /8 network for NFS servers. Until a month ago, you'd have been *amazed* at how many public facing NFS servers you could find, with private correspondence from professors and studen

              • If you're a student, running your game server (or Net-accessible model railroad controller, or whatever) doesn't have anything to do with what you're paying MIT

                You are there to learn, why does it have to be only through classes? What is the point of computer labs and a fast network if not to help you learn? That's part of the REASON you go to a college, so that you have access to facilities you would not otherwise. May as well burn down the library also, or only allow check-out of course approved books!

                I

          • by dbIII (701233)
            Dunno about that - I learnt a bit about networking from multiplayer Quake.
    • Passwords (Score:4, Insightful)

      by Sarten-X (1102295) on Wednesday April 03, 2013 @09:50PM (#43354555) Homepage

      Bad form to reply to myself, I know, but I did find one noteworthy detail in that memo upon further inspection:

      Passwords will also be tested to ensure a minimum level of complexity; existing weak passwords will be required to be changed.

      ...so MIT stores its passwords in a form that allows complexity testing... Interesting.

      They could just be brute-forcing 7 characters and calling it a day, or adding something to a commonly-used login system... but if it's feasible to test how complex an existing password is, I have to wonder about how the passwords are being stored.

      • by Nimey (114278)

        You know, it's possible to check a password's complexity /before/ hashing it. Various Linux distros and Windows do it that way.

        • by Sarten-X (1102295)

          For the "existing" passwords that the memo says they'll be checking, they should be stored already hashed, so it's too late for that. If it's a check done at login (before the client hashes), that implies that there's a feasible way to inject code to access the unhashed password, and frankly that worries me more.

          Linux distros and Windows will happily keep existing simple passwords, if you've set them before enabling complexity requirements. After enabling the requirements, the old passwords aren't re-checke

          • by Nimey (114278)

            My guess is that they're consulting rainbow tables, then. Got to be plenty of those out there for various hashes.

          • by drkstr1 (2072368)
Yeah, don't worry about it. That's actually how it's supposed to be done. Passwords should be sent over SSL and hashed server-side. Using some half-baked client-side crypto is not the way to do it.
          • by ultranova (717540)

            For the "existing" passwords that the memo says they'll be checking, they should be stored already hashed, so it's too late for that.

            Or they could simply be running a password cracker, and you're putting too much weight on exact wording. In fact, I'd almost bet it was that; after all, the point is to make passwords hard to crack, so testing whether they are makes more sense than some arbitrary rules.

            If it's a check done at login (before the client hashes), that implies that there's a feasible way to inject

      • You can capture weak passwords during login when you've confirmed the hashes match. If it is weak, flag the account as having a weak password.

      • by fgodfrey (116175)

        MIT is almost certainly using Kerberos for their authentication since a) they invented it and b) that's what they were using at least as recently as 2005. In any event, how Kerberos stores passwords depends on the exact implementation, but in at least some implementations (admittedly old) you could decrypt the password database on the Kerberos key server with a key stored in a file in /etc. The Kerberos server is supposed to be kept extremely secure, with Kerberos being the only service running on it and

        • IME most kerberos servers store the database key in what they term a "stash file". That's current practise too.

Unless you need the level of security where you have to go up to the console and present a key when the system reboots or the KDC service restarts, there isn't any other way. Essentially, for most real world systems, the kerberos primary and slaves need to be regarded as machines to be kept highly secure or it's game over.

          Is AD any different?

      • Hardly. They know what hash/salt/whatever they're using, and it's trivial to throw the list of common stupid passwords through it and pull a list of all users with matching hashes.
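The two approaches the thread describes (flagging a weak password at login once the hash has verified, and auditing stored salted hashes against a list of common passwords) as one added example; this is not code from the thread or from MIT, and the user directory, password rules and common-password list are constructed for the demo:

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # PBKDF2 work factor; assumption for the demo

# Constructed list of "common stupid passwords" used by the offline audit.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the per-user salt is what makes
    precomputed tables useless, so the audit below hashes each guess per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Store only salt + hash, plus a 'weak' flag that starts cleared."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "weak": False}


def is_weak(password: str) -> bool:
    """Constructed complexity rule: >= 10 chars with lower, upper and digit,
    and not on the common-password list."""
    if password.lower() in COMMON_PASSWORDS or len(password) < 10:
        return True
    classes = (r"[a-z]", r"[A-Z]", r"\d")
    return not all(re.search(c, password) for c in classes)


def login(directory: dict, username: str, password: str) -> bool:
    """Verify credentials; only after the hashes match is the plaintext
    (still in memory for this request) tested and the account flagged."""
    rec = directory.get(username)
    if rec is None:
        return False
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
        return False
    rec["weak"] = is_weak(password)
    return True


def audit_common_passwords(directory: dict) -> list:
    """Offline audit: hash each common password under each user's salt and
    report users whose stored hash matches. No plaintext is ever stored."""
    flagged = []
    for username, rec in directory.items():
        for guess in COMMON_PASSWORDS:
            if hmac.compare_digest(hash_password(guess, rec["salt"]), rec["hash"]):
                flagged.append(username)
                break
    return sorted(flagged)


def build_demo_directory() -> dict:
    """Constructed accounts: two weak, one acceptable."""
    return {
        "alice": make_record("password"),
        "bob": make_record("Tr0ub4dor&3xyz"),
        "carol": make_record("letmein"),
    }


if __name__ == "__main__":
    users = build_demo_directory()
    print("offline audit flags:", audit_common_passwords(users))
    login(users, "alice", "password")
    print("alice flagged at login:", users["alice"]["weak"])
```

Note that the audit only finds passwords on its guess list; a salted, slow hash means it cannot "test complexity" of an arbitrary stored password, which is why the login-time check is the complement.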

    • It's noteworthy. It represents the end of an era which, I appreciate, many Slashdot readers are too young to have experienced. That doesn't mean that it was unimportant.

      As a preeminent place for the exploration of ideas, MIT held a refreshingly open attitude towards all forms of intellectual curiosity, collaboration and information exchange - both ancient and emerging. That spirit is what I associate with people like Richard Feynman, Noam Chomsky and Richard Stallman, who not only have fundamentally i
  • A few assholes can and will ruin a good thing for everyone.

    • by Anonymous Coward

      No. Freedom & Liberty will persist until the day cowards are required to make sacrifices to preserve them. Unfortunately, once a coward shirks their responsibility to persevere, the damage is permanent loss of ground to the enemy.

      You will never prevent people from acting like assholes provided the opportunity, but you can choose how you react to those people; based on principle, or without it.

      It's not enough to elect the lesser of two evils, we should be choosing the most principled of two libertarians.

    • by cffrost (885375)

      A few assholes can and will ruin a good thing for everyone.

      The assholes are the people who impose restrictions, not the people the assholes point to for justification.

      • by Nimey (114278)

        Riiiiight. The asshole is, say, the government for telling Company X they have to stop polluting waterways with dioxin and not Company X.

        Libertarians can be so simple-minded about their religion.

        • The asshole is, say, the government for telling Company X they have to stop polluting waterways with dioxin and not Company X.

          Well, the government is certainly the one trying to stop them from polluting in that example, but that doesn't mean they're wrong for imposing the restrictions. I don't believe anyone is saying that restrictions are always bad.

          Clearly some people here do think MIT is wrong since innocents are being punished as well.

        • by cffrost (885375)

          Riiiiight. The asshole is, say, the government for telling Company X they have to stop polluting waterways with dioxin and not Company X.

          I thought we were talking about situations where the freedoms of innocent people are restricted in response to the malicious or negligent actions of others — for example, MIT restricting network access to non-attackers and non-hoaxers.

• You are, the river is everyone's to use, now the US gov just made a rule saying that no one can have a drain from their backyard in the river because company X is using it to get rid of dioxins.

            • by cffrost (885375)

You are, the river is everyone's to use, now the US gov just made a rule saying that no one can have a drain from their backyard in the river because company X is using it to get rid of dioxins.

              That's a good example of the kind of distinction I was making. I don't know if the situation you described is actual or hypothetical, but either way — as long as the individual property owner's discharge meets the same stormwater [epa.gov] and/or effluent guidelines [epa.gov] that the EPA applies to industry/municipalities, I don't see any legitimate reason for prohibition that supersedes the individual's right to use the river.

  • by mlwmohawk (801821) on Wednesday April 03, 2013 @10:03PM (#43354635)

The "Home of the Brave" is a joke at MIT, and U.S. universities across America. Once the wussy administrators take hold, all is lost without a fight. Wussy administrators will use security and safety as their cudgels. They will hide behind their desks and enact policy that eliminates any freedom that may challenge the status quo.

    This is, in fact, what America deserves unless and until we ALL have the courage to fight it everywhere it is. I would say "Shame On You" to MIT, but I would be decades late.

    • Reminds me of my time in college.

      /Begin Rant

I don't know how many of you have had to deal with the Cisco Security Agent, but it's a nightmare.
It's a service that runs on Windows boxes that requires that AV software has been updated to the latest version, and that the user logs in.
The product docs explicitly say it allows remote code execution by the network administrator, and it sucks at its main purpose. That's because the only AV software that the university seems to recognize is McAfee.

      Thankfully CSA is a b

• MIT students really like the freedom that they have on their nets, and in fact, have come to take it for granted. I foresee massive disobedience to this, along with protests, and I'll be standing there right beside them.

    • by mwvdlee (775178)

      Any MIT student that protests this instead of hacking his way around it doesn't deserve to be an MIT student.

  • by murdocj (543661) on Wednesday April 03, 2013 @10:17PM (#43354709)

    I mean, yes, this is Slashdot, so the kneejerk reactions are appropriate, but if you bother to read the article, the changes are just plain common sense. They are going to enforce reasonable passwords, and if you want to have an externally accessible server, you either need to use a VPN, or opt out of the security policy. All this foaming at the mouth about the end of academic freedom sounds a lot like the NRA freaking out when someone proposes limiting how many rounds you can fire off at a time without reloading.

  • by Casandro (751346) on Wednesday April 03, 2013 @11:25PM (#43354929)

Here they admit they don't understand the Internet, by limiting incoming "connections" and acting as if there was a difference between a server and a client. It's a testament that freedom and education are now less important than stupidity and the fear of imaginary dangers.

    • by tgd (2822)

Here they admit they don't understand the Internet, by limiting incoming "connections" and acting as if there was a difference between a server and a client. It's a testament that freedom and education are now less important than stupidity and the fear of imaginary dangers.

      Well, if they at least educate their students to do some research before spouting off on a subject, like... reading an article..., then they're a step up on a lot of people, it seems.

  • What is the faculty's response to this response?
  • One of the "wishes" was

    a commitment to a “free and unfettered internet.”

    We had a "free and unfettered internet"...and then the spammers-, virus coders-, and hackers-for-profit moved in.

  • I'm dismayed that MIT, of all places, uses the thoroughly awkward term "cyber security" in its official correspondence. Outside of a few sci-fi novels, "cyber" seems to be the province of clueless congressmen and the reporters who love them. It's a buzzword for media outlets, politicians, and consultants who don't understand the net, want to profit from others' lack of understanding of the net, or both.

  • Honestly after the whole Swartz case we knew it wasn't a 'free network.' You know, it would have been nice if they "secured it" to their liking before they harassed someone to death for using it.
  • When I worked at MIT (admittedly, years ago), we left things open because to do otherwise was to challenge students to attack. Security through boredom worked - until the outside world caught up to the point where they presented a significant threat.