MIT To End Open-Network Policy In Response To Recent Attacks
An anonymous reader writes "MIT announced that despite a long history of running an open network (so that any student can run a server on any port, without any questions asked), it will now end this policy due to recent denial-of-service attacks and gunman hoax. From a letter sent by Executive Vice President and Treasurer Israel Ruiz: 'I am deeply and personally committed to safeguarding our community, protecting our campus and securing our systems. Together with our colleagues dedicated to campus safety and security, with the support of senior academic leadership and in collaboration with the campus community, we are deploying all necessary resources to this effort. It will require the dedication of all of us to promote safety awareness, complete necessary emergency training, and adhere to reinforced cyber security guidelines. IS&T staff members are working with information technology (IT) leadership and partners across campus in making the changes described above. We continue to explore all opportunities to further strengthen our preparedness, and will communicate additional information as these plans evolve.'"
Re:Lame. (Score:5, Insightful)
Re: (Score:1, Insightful)
Terrorists didn't win you say? Consider that the next time you're at the airport.
We did that of our own free will, which is perhaps more damning. But no terrorist demanded or coerced us into fortifying our airports with questionably useful security. That's my only point: We never gave in to terrorist demands. We may have responded in a less than thrilling and intelligent manner, but we didn't just cave.
Re: (Score:2)
I'm not getting this. The gunman hoax didn't issue an ultimatum that MIT close their network. MIT did that of their own free will*. Just as the hijackers of 9/11 didn't demand that we send travellers through enhanced patdowns at the airport. We did that of our own free will. What's the difference?
*Hell, the demands linked to the DDoS demanded the opposite - a greater commitment to the same spirit that led MIT to create the open network policy in the first place.
Re: (Score:1)
We responded by being terrorized (demanding ineffective security).
We caved.
That whole 'he who sacrifices liberty for security achieves neither' quoteish thing? Yea, we did that.
They won. // Captcha: "censor"
Re: (Score:1)
We gave into the demands of terrorists. They just happened to be elected into office, and we pretend they serve us.
They don't. They're criminals operating outside the law.
Re: (Score:2)
Free will, eh?
But of course. Nobody in the US has ever acted irrationally before.
Re: (Score:3)
We did that of our own free will, which is perhaps more damning. But no terrorist demanded or coerced us into fortifying our airports with questionably useful security. That's my only point: We never gave in to terrorist demands. We may have responded in a less than thrilling and intelligent manner, but we didn't just cave.
Holy Mother of God.
Do you even understand what you are saying?
Re: (Score:2)
Didn't he once, a long time ago, mention something about saving the town by destroying it?
Re: (Score:2)
What demands? I never heard what the 9/11 terrorists' demands actually were, and I just got nothing with a "what were the 9/11 hijackers demands?" google search...
Re: (Score:2, Funny)
Terrorists didn't win you say? Consider that the next time you're at the airport.
Yup, that's what the terrorists REALLY wanted, forget all the religious, ideological, or political crap; annoying airport security procedures. They sure showed us!
Re:Lame. (Score:4, Insightful)
The TSA is just the tip of a very large iceberg. It's an indicator that they were pretty successful in subverting our open society. They have caused us to ignore our founding ideals.
This is especially troublesome in Boston.
It's kind of like opening a Boston Baked Beans factory in Mecca.
Re:Lame. (Score:5, Insightful)
You ruined your own argument halfway through the rant. It's not about "Fuck the terrorists. We don't negotiate. Ever." It's about reacting knee-jerk to terrorism by altering values, restricting freedoms, and generally making the society more closely resemble the repression of the terrorists' own culture. So actually the "country as a whole" did in fact give into terrorism. We have the Patriot Act (still) and a whole tanker fleet full of other repressive and invasive institutions and programs that either didn't exist at all beforehand or were mere shadows of what they are now.
The terrorists did win, regardless of per capita casualty stats. Our society now looks a bit more like their ideal than it did in 2000, not the other way around.
What MIT has done here is exactly the same behavior.
Re: (Score:3)
What MIT has done here is exactly the same behavior.
You're saying two wrongs make a right. The government failed, therefore MIT should also follow in their fail-steps, thus leading to The Right Thing.
Re: (Score:2)
I didn't say anything of the sort. I said your argument failed. :-)
> Do you know ANYTHING about Islamic extremism? Are you serious?
It's very much like Xian extremism really, or even Jewish extremism. The sort of "let's ban everything" approach that the TSA has brought in is actually very similar to any number of extreme religious groups.
Re: (Score:3)
No, the terrorists didn't win. We both lost. We lost as you noted above. The terrorists wanted the US out of the Middle East and instead got us even more involved.
Not quite. Among other things, what bin Laden primarily demanded was that the US leave Saudi Arabia.
His demands were met, as the US hastily closed its Saudi bases after 9/11 and moved into Iraq.
Since Iraq was a secular state with no Muslim holy sites of any significance, Al Qaeda never gave a hoot about it. It was only in the aftermath of the US
Re:Lame. (Score:4, Insightful)
Would we say that because MIT locks some of the doors to some of their rooms some of the time that the thieves and burglars have won long ago? Would we say that MIT "caved" to the thieves and burglars?
Re: (Score:3)
Would we say that because MIT locks some of the doors to some of their rooms some of the time that the thieves and burglars have won long ago? Would we say that MIT "caved" to the thieves and burglars?
You're making a strawman argument here. I have thieves and burglars in my neighborhood. It doesn't mean I hide under the couch, stroking my gun, and mumbling "The time of purification is soon..." There is this thing called proportional response: And considering the massive benefits of the open-network policy in terms of the innovations that have come out of MIT versus the uncommon and not terribly harmful issues that have come up because of it, it's a terrible decision. The very start of hacking and humanit
Re:Lame. (Score:5, Insightful)
Okay. Since you want to make this personal. No, you're a fool.
MIT's open policy was simply a convenient exception to most institutions. However, the risk of the open policy interfering with productive use of the network has now, in the judgement of adults, exceeded the value of letting anyone run a child porn service (or similar, including DDOS attacks) on/from MIT's network. Early mass produced automobiles didn't have door locks or ignition locks - do you expect to have a door lock on a new car you buy? Time moves on.
Serious students who want to develop whatever they want to will simply set up N virtual machines on their laptop on a local virtual network to do whatever they need to do. If they want to expose it to the world, they will either apply for the "opt out" option with MIT or just use AWS or something like that to open it up to the broader world and end up launching the next Google or Facebook. It's not 1995 anymore - grow up - automobiles have door locks now.
Re: (Score:2)
This is really a commentary on how insecure the Internet is.
The Internet was born at MIT and places like it. MIT's forte is technology. Students at MIT can be expected to understand technology better than other people, because even in cases where they don't major in technology, they're still within easy reach of plenty of people who do.
And even with all that, the students can't make things safe enough.
What's really sad is that the IT professionals at MIT aren't going to be that much better at it. What they
Re: (Score:1)
A little nitpick: the Internet was born in places like Lawrence Livermore and White Sands. Military research bases. They were not connected to universities until much later, and by then most of the key infrastructure and technology you use today was already invented.
There is no reason in 2013 that a place like MIT should be running a Wild-West network. In fact, it's downright negligent if they do.
Re: (Score:2)
It's not 1995 anymore - grow up - automobiles have door locks now.
About once a month I find a car in a parking lot with its lights left on, outside a restaurant or a bar, etc. If the door is unlocked, I simply turn them off and go about my business. If the door is locked, I simply go about my business.
All of these things are a risk/benefit calculation. I leave my car doors unlocked, but I purposely chose to live in a low-crime locale, so some of my bets are hedged.
This is MIT's admission that they can't
Erm the 9/11 guys didn't want to negotiate at all.
In fact even if the military/politicians were going to negotiate, it had all happened before they noticed anything was wrong.
There was no opportunity at all for negotiations.
Re: (Score:1)
There was no opportunity at all for negotiations.
There were many years of opportunities to avoid that attack (if it was in fact from outside).
Re: (Score:2)
There was no opportunity at all for negotiations.
There were many years of opportunities to avoid that attack (if it was in fact from outside).
That had nothing to do with negotiating.
While it's no guarantee that 9/11 would have been averted, there had been an attempt to pound the terrorist training camps into the ground during the late '90s. They were derided as an attempt to "wag the dog" and interfere in the more vitally important matter of whether Clinton fooled around on his wife.
The concept of airliner kamikaze wasn't even novel. A similar plot out of the Philippines was headed off circa 1998.
Re: Don't even try to justify their actions (Score:2)
Racist.
Re: (Score:1)
slant.. you know like a slanted view? biased? lol. the world we live in.
Re: (Score:2)
Whoosh!
Optional (Score:5, Insightful)
Apparently, the new policy is just by default:
Those engaged in research, teaching and learning activities will be given the option to opt out of the default network security policy through a self service mechanism.
Basically, it looks like someone in administration finally asked "What if we're actually a target?" and the response was "we're royally screwed". Yes, it's nice to give open access to everything, but I doubt most college students, even at MIT, follow reasonable security procedures. So now, they're going to block everything by default, and if someone wants to open access, they can do it themselves. Best case, there are no problems and nobody notices. Worst case, MIT's network isn't such a help during an attack.
So a university changed its default security policy. Big deal. I don't see how this is newsworthy.
Re:Optional (Score:5, Interesting)
It sounds to me like students were allowed to run arbitrary servers before, and that group is not included in the passage you quoted, therefore students will no longer have this option at all unless it's for an assignment.
Re:Optional (Score:4, Funny)
Students aren't engaging in "learning activities"? What exactly are they doing at college, then?
...I ask as I take another sip of my beer...
Re: (Score:2)
Exactly. Running your public Minecraft server doesn't have anything to do with "learning" except in the broadest possible sense.
Re: (Score:2, Insightful)
I learned more running a public nethack server than I did in half the required classes for my CS degree. (Admittedly, I didn't go to MIT.)
CS is not networking, not IT / servers and not deskt (Score:2)
CS is not networking, not IT / servers and not desktop / help desk work.
Now maybe if you were a programmer then the classes would have helped you more.
Re: (Score:3)
CS is not networking, not IT / servers
Part of it very much is (especially networking). How can you design an application to make effective use of a network without at least understanding the basics of how a network works?
It's all intertwined, and any good CS program DOES have some options to help you learn those things. But it's not like additional learning does not help.
Re: (Score:2)
Exactly. Running your public Minecraft server doesn't have anything to do with "learning" except in the broadest possible sense.
Making available a public and shared resource does lead to things that aren't strictly in-scope, but can you tell me you don't play flash games at work? Or post to a certain technology website to take a mental break from the tedium of what you're supposed to be working on, so you can come back to it refreshed?
Google gives its employees part of their workday off to do whatever they want, and it's resulted in some rather amazing products. And none of the company's resources used during that time is strictly f
Re: (Score:1)
All of what you said is utterly irrelevant.
Re: (Score:1)
You are correct, that Minecraft is the perfect escape from building robots and programs. I cannot count the number of hours I have spent fighting mobs when I could have been coding something.
My choice, and I make it freely. But I don't sugar coat it.
Re:Optional (Score:5, Insightful)
Cute, but wrong.
Minecraft (and other game) servers are just as good at learning proper administration techniques as the IRC servers I ran in my college days. The admins must go through the configuration process, think about uptime, anticipate resource needs, and put some concern into security, while carefully handling (or intentionally not) the interpersonal conflicts that arise among users... all the same tasks a good admin must mind in the real world of IT.
Coincidentally, I'm currently mentoring a high-school student preparing for an IT program at college. We're going over some basic admin skills in advance of his classes, focusing on the real-life experiences from my day job as an IT admin at a finance company. His main service is actually a Minecraft server... but behind the scenes, he's running Bash scripts for backup & housekeeping, Apache for a web-based world map, Nagios to alert him if/when something crashes, and some Perl hacks (that I wrote) to add a few server functions.
Of course, that's just for a silly little game, but it doesn't really matter what the user-facing service is. The demands of IT administration are pretty generic. I use similar services daily, though the backups are done less with Bash and more with Enterprise Agentless Backup Manager Plus Professional Ultimate Corporate Edition.
Re: (Score:2)
Now you're just being obtuse and begging the question. If you're a student, running your game server (or Net-accessible model railroad controller, or whatever) doesn't have anything to do with what you're paying MIT for and there's nothing stopping you from getting it hosted at a colo somewhere.
It's a hobby, which may be interesting and even valuable, but ultimately MIT has to make sure their network is serving classes, faculty, research, &c (that being what people are paying for). It's a matter of pr
Re: (Score:1)
The whole point of an academic environment is to allow people to learn in their own ways, not just follow directions given from high up. So yes, the ability to experiment with network servers that are not directly related to any class the students are taking is precisely why MIT (and a lot of other universities that still understand academic ideals) don't stop students from running network servers.
Re: (Score:2)
You're right. University administrators are too interested in CYOA to actually do the right thing. They are assholes.
Oh, and if you were referring to the "terrorists" (as others have put it), well, no, they don't have the power to do jack squat, so they're clearly not the assholes who ruined things for everyone. It's the University administrators that cowered and changed policy. And it's not like gu
Re: (Score:2)
Also, if the reputation of MIT as a pressure cooker is true, you won't be a student at MIT for too long if you waste your time running and administrating your own game server.
Re: (Score:1)
Near as I can tell, the people chiming in about Minecraft servers didn't go to MIT.
Re: (Score:1)
I attended MIT. You'd be *amazed* at how many chances they give you to hang yourself before finally cutting you off. 1 in 4 students does not graduate, but I'd be shocked if it was more than 1 in 500 who was expelled or permanently suspended for misbehavior.
And their security has traditionally been horrible. Go ahead. Scan MIT's /8 network for NFS servers. Until a month ago, you'd have been *amazed* at how many public facing NFS servers you could find, with private correspondence from professors and studen
Paying for Nothing (Score:3)
If you're a student, running your game server (or Net-accessible model railroad controller, or whatever) doesn't have anything to do with what you're paying MIT
You are there to learn, why does it have to be only through classes? What is the point of computer labs and a fast network if not to help you learn? That's part of the REASON you go to a college, so that you have access to facilities you would not otherwise. May as well burn down the library also, or only allow check-out of course approved books!
I
Passwords (Score:4, Insightful)
Bad form to reply to myself, I know, but I did find one noteworthy detail in that memo upon further inspection:
Passwords will also be tested to ensure a minimum level of complexity; existing weak passwords will be required to be changed.
...so MIT stores its passwords in a form that allows complexity testing... Interesting.
They could just be brute-forcing 7 characters and calling it a day, or adding something to a commonly-used login system... but if it's feasible to test how complex an existing password is, I have to wonder about how the passwords are being stored.
Re: (Score:2)
You know, it's possible to check a password's complexity /before/ hashing it. Various Linux distros and Windows do it that way.
Re: (Score:2)
For the "existing" passwords that the memo says they'll be checking, they should be stored already hashed, so it's too late for that. If it's a check done at login (before the client hashes), that implies that there's a feasible way to inject code to access the unhashed password, and frankly that worries me more.
Linux distros and Windows will happily keep existing simple passwords, if you've set them before enabling complexity requirements. After enabling the requirements, the old passwords aren't re-checke
Re: (Score:2)
My guess is that they're consulting rainbow tables, then. Got to be plenty of those out there for various hashes.
Re: (Score:2)
Congratulations. You've flunked encryption 101. You never send the plaintext password over the wire, because you can't trust the middleman. Salt and encrypt on the client end, then salt and encrypt on the server end.
SSL is better than anything you could cook up on the client-side, ya dummy.
Re: (Score:3)
Or they could simply be running a password cracker, and you're putting too much weight on exact wording. In fact, I'd almost bet it was that; after all, the point is to make passwords hard to crack, so testing whether they are makes more sense than some arbitrary rules.
Re: (Score:2)
You can capture weak passwords during login when you've confirmed the hashes match. If it is weak, flag the account as having a weak password.
Re: (Score:2)
MIT is almost certainly using Kerberos for their authentication since a) they invented it and b) that's what they were using at least as recently as 2005. In any event, how Kerberos stores passwords depends on the exact implementation, but in at least some implementations (admittedly old) you could decrypt the password database on the Kerberos key server with a key stored in a file in /etc. The Kerberos server is supposed to be kept extremely secure, with Kerberos being the only service running on it and
Re: (Score:2)
IME most kerberos servers store the database key in what they term a "stash file". That's current practise too.
Unless you need the level of security where you have to go up to the console and present a key when the system reboots or the KDC service restarts, there isn't any other way. Essentially, for most real world systems, the Kerberos primary and slaves need to be regarded as machines to be kept highly secure or it's game over.
Is AD any different?
Re: (Score:2)
Hardly. They know what hash/salt/whatever they're using, and it's trivial to throw the list of common stupid passwords through it and pull a list of all users with matching hashes.
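The two approaches debated in this subthread, an offline audit that re-hashes a common-password list under each user's own salt, and a login-time check that evaluates the plaintext only after the hash has matched, as an added example that is not from any poster here. It assumes a constructed per-user-salted PBKDF2-SHA256 store and a constructed five-entry wordlist; the per-user salt is what makes the rainbow-table idea above inapplicable.

```python
import hashlib
import hmac
import secrets

# Constructed example: a per-user-salted PBKDF2-SHA256 store (an assumption;
# a real site might use any salted hash or a Kerberos database).
ITERATIONS = 50_000
COMMON_PASSWORDS = ["123456", "password", "password123", "letmein", "qwerty"]


def hash_password(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password):
    salt = secrets.token_bytes(16)  # unique per user, so no shared rainbow table
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed accounts; two of them use passwords from the common list.
USERS = {
    "alice": make_record("password123"),
    "bob": make_record("Tr0ub4dor&3"),
    "carol": make_record("letmein"),
}


def audit_stored_hashes(users, wordlist):
    """Offline audit of already-hashed passwords: re-hash each candidate
    under each user's own salt and compare digests. This learns only
    whether a user's password is on the list; nothing is ever un-hashed."""
    flagged = {}
    for name, rec in users.items():
        for candidate in wordlist:
            digest = hash_password(candidate, rec["salt"])
            if hmac.compare_digest(digest, rec["hash"]):
                flagged[name] = "on common-password list"
                break
    return flagged


def complexity_issues(password, min_len=12, min_classes=3):
    """Policy check on a plaintext password. Returns the list of
    violations, empty when the password passes."""
    issues = []
    if len(password) < min_len:
        issues.append(f"shorter than {min_len} characters")
    class_tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    classes = sum(1 for test in class_tests if any(test(c) for c in password))
    if classes < min_classes:
        issues.append(f"fewer than {min_classes} character classes")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("on common-password list")
    return issues


def login(users, name, password, weak_accounts):
    """Authentication-time check: verify the hash first and, only if it
    matches, evaluate the plaintext the user just typed, recording the
    account in weak_accounts so it can be made to change password.
    The plaintext itself is never stored or logged."""
    rec = users.get(name)
    if rec is None:
        # Do the same work for an unknown user so timing does not reveal names.
        hash_password(password, b"\x00" * 16)
        return False
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
        return False
    issues = complexity_issues(password)
    if issues:
        weak_accounts[name] = issues
    return True


if __name__ == "__main__":
    print("offline audit:", audit_stored_hashes(USERS, COMMON_PASSWORDS))
    weak = {}
    login(USERS, "bob", "Tr0ub4dor&3", weak)
    print("flagged at login:", weak)
```

The offline audit costs one hash per user per candidate, so its reach is bounded by the wordlist and the hash's work factor; the login-time check catches anything the wordlist misses, but only when the user next signs in.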
Re: (Score:3)
As a preeminent place for the exploration of ideas, MIT held a refreshingly open attitude towards all forms of intellectual curiosity, collaboration and information exchange - both ancient and emerging. That spirit is what I associate with people like Richard Feynman, Noam Chomsky and Richard Stallman, who not only have fundamentally i
Re: (Score:1)
Translation: I was turned down by MIT and bear a (somewhat incoherent) grudge...
History rhymes (Score:2)
A few assholes can and will ruin a good thing for everyone.
Re: (Score:1)
No. Freedom & Liberty will persist until the day cowards are required to make sacrifices to preserve them. Unfortunately, once a coward shirks their responsibility to persevere, the damage is permanent loss of ground to the enemy.
You will never prevent people from acting like assholes provided the opportunity, but you can choose how you react to those people; based on principle, or without it.
It's not enough to elect the lesser of two evils, we should be choosing the most principled of two libertarians.
Re:History rhymes (Score:4, Funny)
BINGO!
Hah, got my card filled out that time.
Re: (Score:2)
A few assholes can and will ruin a good thing for everyone.
The assholes are the people who impose restrictions, not the people the assholes point to for justification.
Re: (Score:2)
Riiiiight. The asshole is, say, the government for telling Company X they have to stop polluting waterways with dioxin and not Company X.
Libertarians can be so simple-minded about their religion.
Re: (Score:2)
The asshole is, say, the government for telling Company X they have to stop polluting waterways with dioxin and not Company X.
Well, the government is certainly the one trying to stop them from polluting in that example, but that doesn't mean they're wrong for imposing the restrictions. I don't believe anyone is saying that restrictions are always bad.
Clearly some people here do think MIT is wrong since innocents are being punished as well.
Re: (Score:2)
Riiiiight. The asshole is, say, the government for telling Company X they have to stop polluting waterways with dioxin and not Company X.
I thought we were talking about situations where the freedoms of innocent people are restricted in response to the malicious or negligent actions of others — for example, MIT restricting network access to non-attackers and non-hoaxers.
Re: (Score:2)
You are, the river is everyone's to use, now the US gov just made a rule saying that no one can have a drain from their backyard in the river because company X is using it to get rid of dioxins..
Re: (Score:2)
You are, the river is everyone's to use, now the US gov just made a rule saying that no one can have a drain from their backyard in the river because company X is using it to get rid of dioxins..
That's a good example of the kind of distinction I was making. I don't know if the situation you described is actual or hypothetical, but either way — as long as the individual property owner's discharge meets the same stormwater [epa.gov] and/or effluent guidelines [epa.gov] that the EPA applies to industry/municipalities, I don't see any legitimate reason for prohibition that supersedes the individual's right to use the river.
Courage is in short supply. (Score:4)
The "Home of the Brave" is a joke at MIT, and at U.S. universities across America. Once the wussy administrators take hold, all is lost without a fight. Wussy administrators will use security and safety as their cudgels. They will hide behind their desks and enact policy that eliminates any freedom that may challenge the status quo.
This is, in fact, what America deserves unless and until we ALL have the courage to fight it everywhere it is. I would say "Shame On You" to MIT, but I would be decades late.
Re: (Score:2)
Reminds me of my time in college.
/Begin Rant
I don't know how many of you have had to deal with the Cisco Security Agent, but it's a nightmare.
It's a service that runs on Windows boxes that requires that AV software has been updated to the latest version, and that the user logs in.
The product docs explicitly say it allows remote code execution by the network administrator, and it sucks at its main purpose. That's because the only AV software that the university seems to recognize is McAfee.
Thankfully CSA is a b
Re: (Score:2)
Only on the old version. The new version does some sort of fingerprinting. It's bad enough that the Apple guys can't run VMware fusion without it triggering and thinking they're running windows.
This will not end well (Score:2)
MIT students really like the freedom that they have on their nets, and in fact, have come to take it for granted. I foresee massive disobedience to this, along with protests, and I'll be standing there right beside them.
Re: (Score:2)
Any MIT student that protests this instead of hacking his way around it doesn't deserve to be an MIT student.
Try reading the actual article (Score:5, Informative)
I mean, yes, this is Slashdot, so the kneejerk reactions are appropriate, but if you bother to read the article, the changes are just plain common sense. They are going to enforce reasonable passwords, and if you want to have an externally accessible server, you either need to use a VPN, or opt out of the security policy. All this foaming at the mouth about the end of academic freedom sounds a lot like the NRA freaking out when someone proposes limiting how many rounds you can fire off at a time without reloading.
MOD PARENT UP (Score:2)
And since I need to have something in the message body, I think we could all learn from the NRA's mastery of agitprop:
http://tpmmuckraker.talkingpointsmemo.com/2013/04/nra_magazine_covers.php [talkingpointsmemo.com]
Re: (Score:2)
The sad thing is I'm convinced that a lot of the people shrieking about how evil MIT is for doing this are the same ones who respond to posts about DDOSes by shrieking how it's all the administrators fault for not properly locking down their networks.
Re: (Score:2)
Bad analogy. You can't "opt out" of gun control limits, you can "opt out" of MIT's network policy.
A dark day for MIT (Score:3)
Here they admit they don't understand the Internet, by limiting incoming "connections" and acting as if there was a difference between a server and a client. It's a testament that freedom and education are now less important than stupidity and the fear of imaginary dangers.
Re: (Score:2)
Here they admit they don't understand the Internet, by limiting incoming "connections" and acting as if there was a difference between a server and a client. It's a testament that freedom and education are now less important than stupidity and the fear of imaginary dangers.
Well, if they at least educate their students to do some research before spouting off on a subject, like... reading an article..., then they're a step up on a lot of people, it seems.
Faculty (Score:2)
One of the "wishes" was... (Score:2)
a commitment to a “free and unfettered internet.”
We had a "free and unfettered internet"...and then the spammers-, virus coders-, and hackers-for-profit moved in.
"Cybersecurity", "cyberwar", "cyberthis and that" (Score:1)
I'm dismayed that MIT, of all places, uses the thoroughly awkward term "cyber security" in its official correspondence. Outside of a few sci-fi novels, "cyber" seems to be the province of clueless congressmen and the reporters who love them. It's a buzzword for media outlets, politicians, and consultants who don't understand the net, want to profit from others' lack of understanding of the net, or both.
This is news? (Score:1)
Security through boredom (Score:1)
Re: (Score:1)
What liberty? MIT owns the network. They can do what they want with it, including setting rules and terms of access and use.
Property rights are the ultimate form of liberty. If it's my property, I can do what I want with it, and control who can access and use it and for what purpose.
Can you explain... (Score:2)