Security Education

MIT To End Open-Network Policy In Response To Recent Attacks

An anonymous reader writes "MIT announced that despite a long history of running an open network (so that any student can run a server on any port, without any questions asked), it will now end this policy due to recent denial-of-service attacks and a gunman hoax. From a letter sent by Executive Vice President and Treasurer Israel Ruiz: 'I am deeply and personally committed to safeguarding our community, protecting our campus and securing our systems. Together with our colleagues dedicated to campus safety and security, with the support of senior academic leadership and in collaboration with the campus community, we are deploying all necessary resources to this effort. It will require the dedication of all of us to promote safety awareness, complete necessary emergency training, and adhere to reinforced cyber security guidelines. IS&T staff members are working with information technology (IT) leadership and partners across campus in making the changes described above. We continue to explore all opportunities to further strengthen our preparedness, and will communicate additional information as these plans evolve.'"
  • Re:Lame. (Score:5, Insightful)

    by Wookie Monster ( 605020 ) on Wednesday April 03, 2013 @10:41PM (#43354515)
    Terrorists didn't win you say? Consider that the next time you're at the airport.
  • Optional (Score:5, Insightful)

    by Sarten-X ( 1102295 ) on Wednesday April 03, 2013 @10:45PM (#43354535) Homepage

    Apparently, the new policy is just by default:

    Those engaged in research, teaching and learning activities will be given the option to opt out of the default network security policy through a self service mechanism.

    Basically, it looks like someone in administration finally asked "What if we're actually a target?" and the response was "we're royally screwed". Yes, it's nice to give open access to everything, but I doubt most college students, even at MIT, follow reasonable security procedures. So now, they're going to block everything by default, and if someone wants to open access, they can do it themselves. Best case, there's no problems and nobody notices. Worst case, MIT's network isn't such a help during an attack.

    So a university changed its default security policy. Big deal. I don't see how this is newsworthy.

  • Re:Lame. (Score:1, Insightful)

    by girlintraining ( 1395911 ) on Wednesday April 03, 2013 @10:47PM (#43354537)

    Terrorists didn't win you say? Consider that the next time you're at the airport.

    We did that of our own free will, which is perhaps more damning. But no terrorist demanded or coerced us into fortifying our airports with questionably useful security. That's my only point: We never gave in to terrorist demands. We may have responded in a less than thrilling and intelligent manner, but we didn't just cave.

  • Passwords (Score:4, Insightful)

    by Sarten-X ( 1102295 ) on Wednesday April 03, 2013 @10:50PM (#43354555) Homepage

    Bad form to reply to myself, I know, but I did find one noteworthy detail in that memo upon further inspection:

    Passwords will also be tested to ensure a minimum level of complexity; existing weak passwords will be required to be changed.

    ...so MIT stores its passwords in a form that allows complexity testing... Interesting.

    They could just be brute-forcing 7 characters and calling it a day, or adding something to a commonly-used login system... but if it's feasible to test how complex an existing password is, I have to wonder about how the passwords are being stored.
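An added example, not part of the comment above and not a description of MIT's systems: one way a site can apply a complexity rule to existing passwords while storing only salted hashes is to test the plaintext at the moment of a successful login and flag the account for a forced change. The `AccountStore` class, the `MIN_LENGTH` threshold and the small common-password list are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8  # assumed policy threshold, not taken from the memo
COMMON = frozenset({"password", "letmein", "12345678"})  # constructed sample list

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); only these are ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def is_weak(password):
    """Weak = too short, fewer than 3 character classes, or a known-common password."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(t(c) for c in password) for t in tests)
    return len(password) < MIN_LENGTH or classes < 3 or password.lower() in COMMON

class AccountStore:
    def __init__(self):
        self._users = {}  # username -> {"salt", "digest", "must_change"}

    def enroll_legacy(self, username, password):
        """Simulate an account created before the complexity rule existed."""
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest, "must_change": False}

    def login(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return "denied"
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["digest"]):
            return "denied"
        # The plaintext is available only here, in memory, after verification.
        if is_weak(password):
            rec["must_change"] = True
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, username, old, new):
        if self.login(username, old) == "denied" or is_weak(new):
            return False
        salt, digest = hash_password(new)
        self._users[username] = {"salt": salt, "digest": digest, "must_change": False}
        return True
```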

  • Re:Optional (Score:2, Insightful)

    by Anonymous Coward on Wednesday April 03, 2013 @11:01PM (#43354619)

    I learned more running a public nethack server than I did in half the required classes for my CS degree. (Admittedly, I didn't go to MIT.)

  • Re:Lame. (Score:5, Insightful)

    by macraig ( 621737 ) <mark.a.craig@gmaFREEBSDil.com minus bsd> on Wednesday April 03, 2013 @11:02PM (#43354625)

    You ruined your own argument halfway through the rant. It's not about "Fuck the terrorists. We don't negotiate. Ever." It's about reacting knee-jerk to terrorism by altering values, restricting freedoms, and generally making the society more closely resemble the repression of the terrorists' own culture. So actually the "country as a whole" did in fact give into terrorism. We have the Patriot Act (still) and a whole tanker fleet full of other repressive and invasive institutions and programs that either didn't exist at all beforehand or were mere shadows of what they are now.

    The terrorists did win, regardless of per capita casualty stats. Our society now looks a bit more like their ideal than it did in 2000, not the other way around.

    What MIT has done here is exactly the same behavior.

  • Re:Optional (Score:5, Insightful)

    by Sarten-X ( 1102295 ) on Wednesday April 03, 2013 @11:16PM (#43354699) Homepage

    Cute, but wrong.

    Minecraft (and other game) servers are just as good at learning proper administration techniques as the IRC servers I ran in my college days. The admins must go through the configuration process, think about uptime, anticipate resource needs, and put some concern into security, while carefully handling (or intentionally not) the interpersonal conflicts that arise among users... all the same tasks a good admin must mind in the real world of IT.

    Coincidentally, I'm currently mentoring a high-school student preparing for an IT program at college. We're going over some basic admin skills in advance of his classes, focusing on the real-life experiences from my day job as an IT admin at a finance company. His main service is actually a Minecraft server... but behind the scenes, he's running Bash scripts for backup & housekeeping, Apache for a web-based world map, Nagios to alert him if/when something crashes, and some Perl hacks (that I wrote) to add a few server functions.

    Of course, that's just for a silly little game, but it doesn't really matter what the user-facing service is. The demands of IT administration are pretty generic. I use similar services daily, though the backups are done less with Bash and more with Enterprise Agentless Backup Manager Plus Professional Ultimate Corporate Edition.

  • Re:Lame. (Score:4, Insightful)

    by uncqual ( 836337 ) on Wednesday April 03, 2013 @11:22PM (#43354725)

    Would we say that because MIT locks some of the doors to some of their rooms some of the time that the thieves and burglars have won long ago? Would we say that MIT "caved" to the thieves and burglars?

  • Re:Lame. (Score:5, Insightful)

    by uncqual ( 836337 ) on Thursday April 04, 2013 @03:53AM (#43355567)

    Okay. Since you want to make this personal. No, you're a fool.

    MIT's open policy was simply a convenient exception to most institutions. However, the risk of the open policy interfering with productive use of the network has now, in the judgement of adults, exceeded the value of letting anyone run a child porn service (or similar, including DDOS attacks) on/from MIT's network. Early mass produced automobiles didn't have door locks or ignition locks - do you expect to have a door lock on a new car you buy? Time moves on.

    Serious students who want to develop whatever they want to will simply set up N virtual machines on their laptop on a local virtual network to do whatever they need to do. If they want to expose it to the world, they will either apply for the "opt out" option with MIT or just use AWS or something like that to open it up to the broader world and end up launching the next Google or Facebook. It's not 1995 anymore - grow up - automobiles have door locks now.

  • Re:Lame. (Score:4, Insightful)

    by jedidiah ( 1196 ) on Thursday April 04, 2013 @10:48AM (#43357409) Homepage

    The TSA is just the tip of a very large iceberg. It's an indicator that they were pretty successful in subverting our open society. They have caused us to ignore our founding ideals.

    This is especially troublesome in Boston.

    It's kind of like opening a Boston Baked Beans factory in Mecca.
