Hacked MIT Server Used To Stage Attacks

← Back to Stories (view on slashdot.org)

Hacked MIT Server Used To Stage Attacks

Posted by timothy on Sunday November 6, 2011 @11:40AM from the always-hurt-the-ones-you-love dept.

wiredmikey writes "A compromised server at the Massachusetts Institute of Technology (MIT) has been identified as being used as a vulnerability scanner and attack tool, probing the Web for unprotected domains and injecting code. According to researchers, the ongoing attacks appear to be related to the Blackhole Exploit Pack, a popular crime kit used by criminals online. The attacks started in June, and an estimated 100,000 domains could have been compromised. Judging by initial data, one MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites. These types of attacks are how BlackHat SEO scams are propagated, which target search results in order to spread rogue anti-virus or other malware. In addition, compromised hosts are also leveraged for other schemes, such as spam or botnet control."

75 comments

Min score:

Reason:

Sort:

Luckily it wasn't the important server there by hessian · 2011-11-06 11:49 · Score: 4, Interesting

http://fuck-the-skull-of-jesus.mit.edu/

--
Futurist Traditionalism
1. Re:Luckily it wasn't the important server there by Anonymous Coward · 2011-11-06 12:08 · Score: 0
  
  Well either it's been taken down or there's some sort of effect of posting links on Slashdot...
2. Re:Luckily it wasn't the important server there by tywjohn · 2011-11-06 12:21 · Score: 1
  
  Don't click the Princess Di link if you are at work... I just found out the hard way
3. Re:Luckily it wasn't the important server there by Anonymous Coward · 2011-11-06 14:13 · Score: 0
  
  It was definitely hard.
4. Re:Luckily it wasn't the important server there by adolf · 2011-11-06 18:13 · Score: 1
  
  I've been reading alt.fuck.the.skull.of.jesus.binaries.pictures.erotica ever since it got newgrouped, and never realized there was an associated website.
  Thanks!
  
  --
  Kid-proof tablet..
Let me guess, it wasn't running OpenBSD. by Anonymous Coward · 2011-11-06 11:53 · Score: 1, Funny

These kind of exploits just don't happen when you're running OpenBSD. OpenBSD is THE ONLY safe option for any publically-accessible server.
1. Re:Let me guess, it wasn't running OpenBSD. by Xugumad · 2011-11-06 12:01 · Score: 5, Funny
  
  If you think OS choice is the biggest issue with academic network security, you clearly haven't met enough academics...
2. Re:Let me guess, it wasn't running OpenBSD. by Drollia · 2011-11-06 12:21 · Score: 1
  
  If only I had mod points. I don't think that a better comment could be made about the state of Academic Security, or just IT systems period.
3. Re:Let me guess, it wasn't running OpenBSD. by the+linux+geek · 2011-11-06 13:07 · Score: 2
  
  Or HP-UX, or AIX, or GCOS 7, or z/OS, or OS 2200, or NSK...
  
  Or a properly configured Windows or Linux. Proper administration matters far more than OS choice.
4. Re:Let me guess, it wasn't running OpenBSD. by Anonymous Coward · 2011-11-06 15:30 · Score: 0
  
  You don't get out much, do you?
  As soon as you start handling SSH keys managed by idiots, admins who share passwords with their significants, admins who leave their screens unlocked because "they trust the people they work with" and who refuse to engage in any security of scripting or passwords or backup "because if they're inside our network, we allready have much worse problems, you're vulnerable to even ordinary phishing and script kiddies. OpenBSD is no defense against SSH keys with no passphrase and using HTTP instead of HTTPS or using ordinary user logins for FTP servers or leaving passwords embedded in "expect" scripts for monitoring tools
  I'm dealing with OpenBSD servers, billed as "secure", where the admins are committing *every single one* of those sins. Wasting your time installing OpenBSD instead of more basic security steps is basically putting in airbags for your spare tire. Your spare tire is safe, but who cares?
5. Re:Let me guess, it wasn't running OpenBSD. by Anonymous Coward · 2011-11-06 15:41 · Score: 0
  
  When I was a grad student we had a couple small robots (Nomadics Scouts) in the lab. They were running RH 5.2 and they had a tendency to just be left on, plugged into their chargers. Needless to say we didn't pay a lot of attention to keeping them up to date and eventually they were pwned. I always found it amusing, the attackers probably had no idea what they'd hacked.
6. Re:Let me guess, it wasn't running OpenBSD. by Nursie · 2011-11-06 17:32 · Score: 1
  
  You don't have to go that exotic to find clueless pwners...
  My home NAS box that I hacked debian on to had really weak passwords at first, and got pwned. The attacker made a ram disk and dumped a shoutcast server binary on to the machine. An x86 binary, on an ARM machine. It appears that they got stumped and gave up at that point.
7. Re:Let me guess, it wasn't running OpenBSD. by Anonymous Coward · 2011-11-06 18:38 · Score: 0
  
  Exactly. Work with people at Boston University. They put all their internal applications in the DMZ. ???????????
8. Re:Let me guess, it wasn't running OpenBSD. by Anonymous Coward · 2011-11-06 23:32 · Score: 0
  
  If you think OS choice is the biggest issue with academic network security, you clearly haven't met enough academics...
  Oh, I'm quite sure Slashdot happily had made it the biggest issue if this was a Windows Server.
Not very smart by Anonymous Coward · 2011-11-06 12:15 · Score: 1

That's not very smart.
1. Re:Not very smart by DigiShaman · 2011-11-06 12:25 · Score: 1, Interesting
  
  Please. Money can buy just about anything. Many of these criminals are either unemployed experienced programmers with a CS background or highly educated skilled people looking for a name for themselves banking a six figure income. Some do it simply because it pays more than the legal private sector. Odds are, no university no matter how well educated the staff and students are can fend off being a target. Not possible.
  
  --
  Life is not for the lazy.
2. Re:Not very smart by Anonymous Coward · 2011-11-06 13:16 · Score: 0
  
  still not a valid excuse
3. Re:Not very smart by sjames · 2011-11-06 13:30 · Score: 1
  
  They gotta pay those student loans somehow. This is just the magical free market solving the problem.
4. Re:Not very smart by hedwards · 2011-11-06 14:12 · Score: 1
  
  And unfortunately with student loans those don't have a statute of limitations and typically can't be discharged by bankruptcy.
  So, if you get a bum education, and can't get a job that pays well enough to pay the loan, you're screwed with garnishments for possibly the rest of your work life.
MIT server by Anonymous Coward · 2011-11-06 12:25 · Score: 0

Thats some good admin work there Lou.
1. Re:MIT server by Anonymous Coward · 2011-11-06 14:42 · Score: 0
  
  Thanks, Chief.
2. Re:MIT server by Anonymous Coward · 2011-11-06 17:44 · Score: 0
  
  Kiss me hard, Lou. Kiss me hard and long.
We're doomed by Anonymous Coward · 2011-11-06 12:25 · Score: 0

If MIT can't secure their system, how will I ever secure mine?
1. Re:We're doomed by orphiuchus · 2011-11-06 12:31 · Score: 1
  
  Just make sure to use systems so old and useless that nobody could ever want to compromise them.
  _
  Sent from my Nokia N-Gage
2. Re:We're doomed by Ethanol-fueled · 2011-11-06 12:40 · Score: 1
  
  My alumnus was a MIT physics grad. He expanded what should have been a simple problem to 14 steps across both boards when the whole class deduced the answer at the second step and was already yawning and walking out when he finally hit the punchline.
  
  MIT FTW.
3. Re:We're doomed by hedwards · 2011-11-06 14:13 · Score: 3, Insightful
  
  I'm pretty sure you don't have an alumnus, slavery is illegal.
4. Re:We're doomed by DarkTempes · 2011-11-06 20:38 · Score: 1
  
  Just because something is illegal doesn't mean it can't happen.
5. Re:We're doomed by Anonymous Coward · 2011-11-07 01:43 · Score: 0
  
  I said, pretty sure. sheesh.
6. Re:We're doomed by metalgamer84 · 2011-11-07 03:42 · Score: 1
  
  Windows Me it is then.
7. Re:We're doomed by djdanlib · 2011-11-07 06:54 · Score: 1
  
  Well, the point was to have something that YOU could use, too.
16million+ "MIT" ip addresses by Anonymous Coward · 2011-11-06 12:42 · Score: 0

MIT owns an entire Class A range of ip addresses (18.*.*.*). Of course there are going to be compromised machines when every student and his grandmother is allowed to set up multiple servers. Back when I ran servers on that network, I reported scans from compromised machines every couple of weeks.
Congrats for noticing that neglected machines get compromised. News at '11.
1. Re:16million+ "MIT" ip addresses by Smallpond · 2011-11-06 13:33 · Score: 1
  
  I've reported hacked machines on networks at CMU and NASA. Scientists and engineers know enough to set up servers but not enough about security.
Why is this news? by Anonymous Coward · 2011-11-06 12:47 · Score: 0

Servers everywhere are compromised all the time. I get port scans from US Military machines hourly. It's been this way since at least 2000.
1. Re:Why is this news? by Anonymous Coward · 2011-11-06 15:00 · Score: 0
  
  Wish I had a link to the paper itself, but I once read that the statistics were run on one of the root DNS servers showing that something like 60% of all traffic was coming from misconfigured US milnet boxes.
"Hacked" by Baloroth · 2011-11-06 12:51 · Score: 3, Funny

Are we quite sure this server was hacked? I wouldn't put it past some college student, or possibly even a network admin, to do this personally. While that may technically still be "hacking", it wouldn't qualify for it in the popular-media definition (which is the way TFA seems to be using it... or maybe not, maybe the writer is using the term deliberately.) The proper term is "cracked."

--
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
1. Re:"Hacked" by Anonymous Coward · 2011-11-06 13:17 · Score: 1
  
  The work 'hack' / 'hacker' is gone... Don't bother trying to get it back...
  See the movie "Clerks 2" and look at Randal's use of 'porch monkey' for why it will fail.
2. Re:"Hacked" by Anonymous Coward · 2011-11-06 14:11 · Score: 0
  
  Sheyudup... The battle over the meaning of the word hacker ended like 20 years ago.
3. Re:"Hacked" by ralphdaugherty · 2011-11-06 14:22 · Score: 1
  
  There were two hacked servers at MIT, I noted their IP addresses when they tried to spam my little website weeks apart.
4. Re:"Hacked" by TubeSteak · 2011-11-06 14:24 · Score: 1
  
  Are we quite sure this server was hacked?
  Universities have an enormous attack surface.
  It didn't even take me 30 seconds to find two MIT websites that have been exploited
  Both of these redirect to online pharmacies
  open at your own risk
  advocacy.mit.edu/coulter/?qq=3502
  education.mit.edu/ar/ar/ar.php?q=541
  You can find more if you like, just change "viagra" to whatever spammy keyword you can think of
  https://encrypted.google.com/search?q=site:mit.edu viagra
  
  --
  [Fuck Beta]
  o0t!
5. Re:"Hacked" by Anonymous Coward · 2011-11-06 14:56 · Score: 0
  
  Yes, a thousand times yes, this is a hacked server, and there's about a 0% chance someone uses their own personally attributable machine to do large-scale hacking.
  When you have probably 10k people at the university: news flash: there are vulnerable machines.
  MIT proactively scans its own network for vulnerabilities and evidence of well known attacks, like many other responsible organizations do, but it's not like they (or anyone else) is perfect. Stuff gets missed, like these servers.
  I am surprised this is somehow newsworthy on slashdot; it's not like there aren't hundreds of thousands of machines that get pwn3d every day and get turned into exploit-o-matics and botnet control nodes.
6. Re:"Hacked" by Anonymous Coward · 2011-11-06 15:12 · Score: 0
  
  That's the funny thing: Nobody cares about what you're saying. Your "opinion" is gone. It's "cracked" and "cracker".
  Oh, and "nigger" is a person from around the river Niger, or what did you think, you racist cunt?
7. Re:"Hacked" by Anonymous Coward · 2011-11-06 15:28 · Score: 0
  
  This is not even a server. A quick look at the MIT records shows that this is a workstation of a civil engineering grad student. This is a non-story, it's just someone's computer with some malware.
8. Re:"Hacked" by CAIMLAS · 2011-11-06 18:47 · Score: 1
  
  Spam and exploits from .edu is incredibly common. Pretty much everyone who had "internet" access prior to around 1994 has a very, very large network (for their size). Most corporations have probably sold back their addresses by now, but it's not unheard of for small schools to have /22 or /20 networks, because "that's all they'd ever need". Public access to the Internet was still unheard of.
  The result is that, even today, many (most? all the ones I have seen) campus dorms give their students public IP addresses (or, at least, they did as recent as 2004, which was the last time I had an eye into such an environment. Now I'm starting to feel old...) Not only do all servers often (unnecessarily) have public addresses, with little more than a router between them and the Internet-At-Large, but staff workstations are, as well. Usually, the amount of policing on these networks is less marked than what your average ISP provides.
  The organizations/companies which run the networks which many schools get on can be said to be largely responsible for this poor state of affairs, I feel. They've been too liberal in allowing certain allotments to the institutions, and don't hold them responsible for serious network problems they cause.
  
  --
  ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
9. Re:"Hacked" by Anonymous Coward · 2011-11-07 02:20 · Score: 0
  
  "cracker" only works in like minded circles. You're just being a stubborn jackass if you think the public at large wants to recognize "cracker" instead of "hacker". No one gives enough shits to warrant changing their current lingo
Hacked or Research by Anonymous Coward · 2011-11-06 13:37 · Score: 0

And we're certain this is not a research project, because?
1. Re:Hacked or Research by allo · 2011-11-07 01:27 · Score: 1
  
  because being hacked has nothing to do with research.
Not work acceptable, duh. by Anonymous Coward · 2011-11-06 13:45 · Score: 1

For Christ's sake man, you are visiting a site with "Fuck The Skull Of Jesus" in the domain name, but you're worried about a blow job picture? You are what's wrong with America.
1. Re:Not work acceptable, duh. by tywjohn · 2011-11-06 14:26 · Score: 1
  
  You are what's wrong with America.
  That's funny because I've never been there before
2. Re:Not work acceptable, duh. by Anonymous Coward · 2011-11-06 14:46 · Score: 1
  
  Oh Lord, they're everywhere.
News? by Anonymous Coward · 2011-11-06 14:00 · Score: 0

How is this news? Servers get hacked all the time when someone misses a security update on a package. Just because it happened to be at MIT doesn't mean anything.
Remarkable by Anonymous Coward · 2011-11-06 14:14 · Score: 1

They use windows as servers at MIT. Not all they (MIT) are cracked up to be apparently.
The last time I was attacked by MIT... by billstewart · 2011-11-06 14:19 · Score: 5, Funny

I used to keep a couple of honeypot open servers on the DSL line in my lab in the late 90s. Nobody ever bothered the Win95 box, but the unpatched Red Hat 6.x box was broken into and brutally killed enough weeks in a row I ended up naming it "Kenny". It got attacked by some machine in Sweden and was pinging home to check in and receive further commands, so I and the admin there cleaned up our machines. I forget if the attack on the wu-ftpd daemon came from Washington University or was used to attack them. The bad guy thought they had covered their tracks by replacing the ps and ls commands, but I noticed their extra directories with "find", and their processes with "echo /proc/*" :-)
So one week the attack was coming from MIT. I tried going through mit.edu's website to find a sysadmin to talk to, didn't get a response, so I sent email to a security researcher I knew there, who already knew about the problem. It turns out that the attack wasn't actually from MIT - it was from somebody in Japan who was using a compromised Sun server, and there was a byte order problem in the attack code. So the attacker wanted my machine to be pinging him at x.y.z.18, but instead my responses were going to 18.z.y.x at MIT.

--

Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
1. Re:The last time I was attacked by MIT... by PartyBoy!911 · 2011-11-06 22:59 · Score: 1
  
  > the unpatched Red Hat 6.x box was broken into and brutally killed enough weeks in a row I ended up naming it "Kenny"
  That's what you get for running unreleased versions, Red Hat 6.x wasn't released until the very late 10's..... november 2010 if I remember correctly
2. Re:The last time I was attacked by MIT... by RadioTV · 2011-11-06 23:31 · Score: 2
  
  NO. RHEL 6 wasn't released in the 90's, but Red Hat 6 was. Red Hat has changed names and re-started their version numbers.
  
  --
  I have great faith in fools - self confidence my friends call it. - Edgar Allan Poe
3. Re:The last time I was attacked by MIT... by billstewart · 2011-11-10 09:33 · Score: 1
  
  RadioTV is correct - this was under the earlier numbering system.
  
  --
  
  Bill Stewart
  New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Big Ado About Nothing by DTemp · 2011-11-06 14:49 · Score: 2

I've seen this story posed over and over. Some computer sitting in Building 1 on campus, used by Course 1, was compromised. BFD. MIT's Information Services and Technology deal with computers like this every day, as does anyone who manages a network with tens of thousands of computers. There are dozens of machines a day that get compromised. This is not a server sitting in the racks; this is a computer sitting in a closet or under a desk in an academic building. There are multiple addresses people can use to report maliciousness on the network (abuse@mit.edu, stopit@mit.edu, security@mit.edu), and they take care of the compromised computers in an order that actually matters.
I guarantee you there are dozens of other computers on the MIT network right now that are also serving malware or acting as a point of entry for hackers, and they'll get dealt with as they get noticed.
1. Re:Big Ado About Nothing by Anonymous Coward · 2011-11-06 15:54 · Score: 0
  
  There are "dozens of other computers" hacked right now because MIT's IT department does *not* deal with it. They only act when it hits the press or actually shuts down an MIT service that a professor cares about, and even then they give the cracker subtle warnings instead of actually stopping them. If you don't believe me, take a look at the LaMacchia case about the FSP server a student was running in their most occupied computer lab and was only noticed because the disk was making so much noise, and look at the recent Aaron Schwartz case where an idiot from Harvard stuffed his laptops and hard drives and tried to mirror the JSTOR archive. MIT did *NOTHING* about these abusers for months, and passivel obstructed the criminal proceedings by pretending "we don't know nothin!" when asked for logs and testimony.
  Remember, this is the school that hired Robert T. Morris, author of the Morris worm, as a professor. It must be nice to have a daddy who runs the NSA and keep you out of jail and help you get a professorship where you just have to make up clever sounding names for projects and never actually ahve your software work. His projects are as ill-conceived and badly programmed as his worm, would potentially be as destricutive if anyone ever *used* them for anythning real.
Not that big a deal by Anonymous Coward · 2011-11-06 15:01 · Score: 0

I noticed that esi.mit.edu was hacked a few years ago (they used an old version of Joomla or something), let them know and they took it offline.
I didn't know this sort of thing makes Slashdot these slow news days.
THANK YOU by S77IM · 2011-11-06 15:14 · Score: 2

...for calling them "criminals" and not "cyber-criminals."

--
Student: Is it true that the foundation of the universe is paradox?
Master: Well, yes and no.
Re:This is what you get when you hirer IT based on by fotoguzzi · 2011-11-06 15:37 · Score: 2

Spoken like a true Engrish major.

--
Their they're doing there hair.
We should impose sancations by Anonymous Coward · 2011-11-06 15:41 · Score: 0

on US and call it a cyber criminals' haven, oh wait, this isn't China!
They have an open network policy by MITpianoman · 2011-11-06 15:56 · Score: 2

Having gone there for my undergrad, this isn't that surprising. Students' computers get fixed IP addresses on the network (and it's very straightforward to get a hostname registered). Due to the fixed IP addresses, hackers scan the network range fairly regularly looking for boxes to pop. Back in 2002 I set up a Win2k box on the network. Within 24 hours of it being online (and stupidly, unpatched), it was infected with code red.
So who is the owner of the system? by damn_registrars · 2011-11-06 15:58 · Score: 2

Who does csh-2.mit.edu belong to at MIT? For a school that large there is a very good chance that it belongs to someone who is not necessarily well versed in network security. It is entirely possible that the system was compromised because of an exploit that an admin would consider "obvious" for whatever OS was running on it.

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
1. Re:So who is the owner of the system? by Anonymous Coward · 2011-11-06 16:44 · Score: 0
  
  According to this list of host names to room numbers: http://mit.edu/zacheiss/dev/perl/sapprintwatch.out
  It says "10-180a" which a quick Google search reveals "Payments to the Institute can be made at the Cashier's Office (10-180)" (http://web.mit.edu/21w785/F98/HTG/finance.html).
  Not good...
2. Re:So who is the owner of the system? by belg4mit · 2011-11-06 18:30 · Score: 1
  
  That list would appear to be out of date. I queried the MOIRA database directly,
  and the record for this host (updated 2011-09-22) suggests it belongs to a student
  in civil engineering.
  
  --
  Were that I say, pancakes?
3. Re:So who is the owner of the system? by CAIMLAS · 2011-11-06 18:39 · Score: 2
  
  Having had to deal with various admins in academic institutions over the past year or so, as well as experience doing IT in academic institutions, my experience is this:
  * Nobody owns the systems. They're there. There are people there. Being an educational institution with peoples' primary purpose in being there to either teach or learn, efforts are focused elsewhere.
  * There are very few actual IT staff. Mostly, they're there to keep the systems directly responsible for education working, as well as lab computers.
  * The IT people there are overworked, particularly in the math and science departments. You'll have requests like "oh, I need an 8-year-old version of Mathematica" from a prominent math professor, or a CS professor who insists on having his VMS machines available for himself and his students.
  * The math/science/engineering departments often assume the role of IT for other departments. Sometimes, other departments don't have IT at all.
  * Most actual IT work, even outside support/maintenance/troubleshooting, is done by inexperienced students on work study (because the government pays for it, it's cheap).
  * Even many prominent schools only have one, maybe two "professionals" manning their IT staff, with the rest being students. When he goes on vacation, everything significant stops happening. Sometimes it's just a long-standing professor who enjoys the work; sometimes it's a group of skilled/experienced students.
  * Because it's academia, most decisions on maintenance and acquisitions fall on people who have no knowledge or understanding of IT. If facebook works and they're getting mail from whomever, they don't know (or care - they're only at the school until they can get their position at a much larger research institution in their field) that they've got an exploited mail server or the equipment is 8 years old.
  * This is true even for larger, well-known institutions.
  * Many of the systems in place on a campus were put in years and years ago by a singular prodigy who knew the systems well. You know, someone who knows djbdns, qmail, and cyrus backwards and forwards, and by god - why would anyone need (or want) anything else? "It's easy." Or sometimes, it's a programmer who has foolishly made it so nothign can be touched without breaking a dozen other things on the network, so nobody even tries. Meanwhile, the likelihood that someone is going to exploit the machine increases as time goes on....
  * It is not unheard of for equipment to go missing. For instance, behind drywall, only to be discovered years later. This kind of thing still happens. I remember when this story came out with fond recollection. Since that time, however, I've personally witnessed several similar WTFs: a display-driving workstation inside a wall, an important server running on wireless, "mission critical" machines running on single dedicated disks, "secure" distributed networking using wall-wort ARM systems throughout the building complex. If you can't find it, you can't update it.
  
  --
  ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
4. Re:So who is the owner of the system? by SuricouRaven · 2011-11-06 22:18 · Score: 1
  
  Found one of those myself once, inside a wall. Turned out to be the very first server the then-school ever had. At the time there was no server room, and the computer lab was one room - so the only way to keep the server from being messed with by students was to open the (conveniently hollow) wall, put the server inside, and seal the wall up again. I only found it by following network and power cables that disappeared through a hole on one side and didn't come out the other.
5. Re:So who is the owner of the system? by tlhIngan · 2011-11-07 05:37 · Score: 1
  
  Who does csh-2.mit.edu belong to at MIT?
  RMS, of course! Remember he advocates people to not use passwords and saw the mandatory passwords as draconian to freedom. (He campaigned for people to just hit enter when asked to set a password).
  Of course, I jest, and I'm not sure if RMS even believes in that anymore. Though, then again, there may be a few people leaving blank accounts just in case RMS ever needed them...
Funny...... by hesaigo999ca · 2011-11-07 02:46 · Score: 1

I think that what is the funniest part in this is that MIT is supposed to be a leader in cyber security and all that is high tech. The fact they were p0wned, to me shows that times are getting really hard to maintain that title. I guess they are not so hot any longer....eh?
MIT has its own Class A subnet by Muerte23 · 2011-11-07 07:52 · Score: 1

It's hard not to have a few hacked servers when you comprise 1/255 (approx) of IPv4 space with everything sitting on an enormous pipe. Plus there's such a high flux of students coming, setting up servers (sometimes in closets), and leaving that there is a nightmare of unpatched everything there. Plus school is a place where you are supposed to learn, and a lot of learning comes from making mistakes.
1. Re:MIT has its own Class A subnet by Anonymous Coward · 2011-11-07 08:29 · Score: 0
  
  You obviously don't know math. MIT comprises 1/256 of IPv4.
  - Coming from someone at MIT (you can check my IP), or someone who hacked into MIT :P
Security in academia is a circus by Anonymous Coward · 2011-11-07 08:45 · Score: 0

I work for an Information Security office on a campus of a major Tech college. We send out weekly vulnerability reports to the owners of all systems that have vulnerabilities and exploits (at least ones that are known). This usually amounts to thousands of reports weekly, most of which are completely disregarded and filtered straight into spam folders by end users. Granted, there are more false positives than I'd like, but we have to bash heads and go up to dean level interventions to get some of the SysAdmins on campus to do anything. Usually they cry foul that "our systems are too old to upgrade", "we are too understaffed to implement security updates", or my favorite "you are actually in violation of your own policy by scanning for vulnerabilities in the first place!"
At times, I think government gets more done than universities do...