Slashdot Mirror


MIT To End Open-Network Policy In Response To Recent Attacks

An anonymous reader writes "MIT announced that despite a long history of running an open network (so that any student can run a server on any port, without any questions asked), it will now end this policy due to recent denial-of-service attacks and a gunman hoax. From a letter sent by Executive Vice President and Treasurer Israel Ruiz: 'I am deeply and personally committed to safeguarding our community, protecting our campus and securing our systems. Together with our colleagues dedicated to campus safety and security, with the support of senior academic leadership and in collaboration with the campus community, we are deploying all necessary resources to this effort. It will require the dedication of all of us to promote safety awareness, complete necessary emergency training, and adhere to reinforced cyber security guidelines. IS&T staff members are working with information technology (IT) leadership and partners across campus in making the changes described above. We continue to explore all opportunities to further strengthen our preparedness, and will communicate additional information as these plans evolve.'"

144 comments

  1. Lame. by girlintraining · · Score: 0, Troll

    "over a gunman... blah blah... blah..."

    Okay, thanks MIT. You just let the terrorist win. Giving into fear is a stance the country as a whole has never given into. Even after 9/11, the most destructive terrorist attack on US soil ever, we said "Fuck the terrorists. We don't negotiate. Ever." And yet, here you are, one of the premier educational institutions in the country, where our best and brightest come to learn, caving like a house of cards.

    You're pathetic.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Lame. by Wookie+Monster · · Score: 5, Insightful

      Terrorists didn't win you say? Consider that the next time you're at the airport.

    2. Re:Lame. by girlintraining · · Score: 1, Insightful

      Terrorists didn't win you say? Consider that the next time you're at the airport.

      We did that of our own free will, which is perhaps more damning. But no terrorist demanded or coerced us into fortifying our airports with questionably useful security. That's my only point: We never gave in to terrorist demands. We may have responded in a less than thrilling and intelligent manner, but we didn't just cave.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Lame. by Nimey · · Score: 0

      Racist.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    4. Re:Lame. by Anonymous Coward · · Score: 0

      Fuck the terrorists. We don't negotiate. Ever.
       
      Perhaps we don't negotiate. I'm not sure about that. But we did suck a lot of al Qaeda dick with the TSA and the Patriot Act. Bush bowed down. Obama bowed down. Next to no one in the federal legislature questioned it. Even after more than a decade later with Osama Bin Dyin' out of the picture and all our senior "leadership" saying that al Qaeda is a done deal we're still sucking at the teat of false security.
       
      Just one power grab after another turning us into a nation of slaves. The one party system tricking you into giving up your guns, your privacy and your humanity. Whose hands will the blood be on when Big Brother is rationing out chocolates and feeding you newspeak?

    5. Re:Lame. by macraig · · Score: 5, Insightful

      You ruined your own argument halfway through the rant. It's not about "Fuck the terrorists. We don't negotiate. Ever." It's about reacting knee-jerk to terrorism by altering values, restricting freedoms, and generally making the society more closely resemble the repression of the terrorists' own culture. So actually the "country as a whole" did in fact give into terrorism. We have the Patriot Act (still) and a whole tanker fleet full of other repressive and invasive institutions and programs that either didn't exist at all beforehand or were mere shadows of what they are now.

      The terrorists did win, regardless of per capita casualty stats. Our society now looks a bit more like their ideal than it did in 2000, not the other way around.

      What MIT has done here is exactly the same behavior.

    6. Re:Lame. by Anonymous Coward · · Score: 2

      I'm not getting this. The gunman hoax didn't issue an ultimatum that MIT close their network. MIT did that of their own free will*. Just as the hijackers of 9/11 didn't demand that we send travellers through enhanced patdowns at the airport. We did that of our own free will. What's the difference?

      *Hell, the demands linked to the DDoS demanded the opposite - a greater commitment to the same spirit that led MIT to create the open network policy in the first place.

    7. Re:Lame. by girlintraining · · Score: 2

      What MIT has done here is exactly the same behavior.

      You're saying two wrongs make a right. The government failed, therefore MIT should also follow in their fail-steps, thus leading to The Right Thing.

      --
      #fuckbeta #iamslashdot #dicemustdie
    8. Re:Lame. by Anonymous Coward · · Score: 0

      Actually, he didn't say much about whether it was The Right thing at all. It's only you who have been dragging right and wrong into this. You just made a flawed metaphor and now have an entire thread of discussion about it.

    9. Re:Lame. by macraig · · Score: 1

      I didn't say anything of the sort. I said your argument failed. :-)

    10. Re:Lame. by uncqual · · Score: 3, Insightful

      Would we say that because MIT locks some of the doors to some of their rooms some of the time that the thieves and burglars have won long ago? Would we say that MIT "caved" to the thieves and burglars?

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    11. Re:Lame. by Anonymous Coward · · Score: 1

      slant.. you know like a slanted view? biased? lol. the world we live in.

    12. Re:Lame. by dbIII · · Score: 1

      That's right, you have a choice of the scanner with uncertain radiation emissions or getting blackballed (if the TSA guy squeezes too hard).

    13. Re:Lame. by Anonymous Coward · · Score: 1

      We responded by being terrorized (demanding ineffective security).

      We caved.

      That whole 'he who sacrifices liberty for security achieves neither' quoteish thing? Yea, we did that.

      They won. // Captcha: "censor"

    14. Re:Lame. by Anonymous Coward · · Score: 1

      We gave into the demands of terrorists. They just happened to be elected into office, and we pretend they serve us.

      They don't. They're criminals operating outside the law.

    15. Re:Lame. by elashish14 · · Score: 1

      Free will, eh?

      But of course. Nobody in the US has ever acted irrationally before.

      --
      I have left slashdot and am now on Soylent News. FUCK YOU DICE.
    16. Re:Lame. by cheater512 · · Score: 1

      Erm the 9/11 guys didn't want to negotiate at all.

      In fact even if the military/politicians were going to negotiate, it had all happened before they noticed anything was wrong.
      There was no opportunity at all for negotiations.

    17. Re:Lame. by Anonymous Coward · · Score: 2, Funny

      Terrorists didn't win you say? Consider that the next time you're at the airport.

      Yup, that's what the terrorists REALLY wanted, forget all the religious, ideological, or political crap; annoying airport security procedures. They sure showed us!

    18. Re:Lame. by Anonymous Coward · · Score: 0

      altering values, restricting freedoms, and generally making the society more closely resemble the repression of the terrorists' own culture

      Are we still talking about U.S. airport security?!

      Do you know ANYTHING about Islamic extremism? Are you serious?

    19. Re: Lame. by Anonymous Coward · · Score: 0

      No. The 9/11 terrorist demanded that we get out of Saudi Arabia. .... Which we promptly did.

    20. Re:Lame. by girlintraining · · Score: 2

      Would we say that because MIT locks some of the doors to some of their rooms some of the time that the thieves and burglars have won long ago? Would we say that MIT "caved" to the thieves and burglars?

      You're making a strawman argument here. I have thieves and burglars in my neighborhood. It doesn't mean I hide under the couch, stroking my gun, and mumbling "The time of purification is soon..." There is this thing called proportional response: And considering the massive benefits of the open-network policy in terms of the innovations that have come out of MIT versus the uncommon and not terribly harmful issues that have come up because of it, it's a terrible decision. The very start of hacking and humanity's first foray into artificial intelligence got its start because of that open policy.

      If you wanna throw that away because of some burglars and thieves, you're a fool.

      --
      #fuckbeta #iamslashdot #dicemustdie
    21. Re:Lame. by X.25 · · Score: 2

      We did that of our own free will, which is perhaps more damning. But no terrorist demanded or coerced us into fortifying our airports with questionably useful security. That's my only point: We never gave in to terrorist demands. We may have responded in a less than thrilling and intelligent manner, but we didn't just cave.

      Holy Mother of God.

      Do you even understand what you are saying?

    22. Re:Lame. by Forty+Two+Tenfold · · Score: 1

      There was no opportunity at all for negotiations.

      There were many years of opportunities to avoid that attack (if it was in fact from outside).

      --
      Upward mobility is a slippery slope - the higher you climb the more you show your ass.
    23. Re:Lame. by uncqual · · Score: 4, Insightful

      Okay. Since you want to make this personal. No, you're a fool.

      MIT's open policy was simply a convenient exception to most institutions. However, the risk of the open policy interfering with productive use of the network has now, in the judgement of adults, exceeded the value of letting anyone run a child porn service (or similar, including DDOS attacks) on/from MIT's network. Early mass produced automobiles didn't have door locks or ignition locks - do you expect to have a door lock on a new car you buy? Time moves on.

      Serious students who want to develop whatever they want to will simply set up N virtual machines on their laptop on a local virtual network to do whatever they need to do. If they want to expose it to the world, they will either apply for the "opt out" option with MIT or just use AWS or something like that to open it up to the broader world and end up launching the next Google or Facebook. It's not 1995 anymore - grow up - automobiles have door locks now.

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    24. Re:Lame. by StoneyMahoney · · Score: 1

      Didn't he once, a long time ago, mention something about saving the town by destroying it?

    25. Re:Lame. by Anonymous Coward · · Score: 0

      Still, nobody is as bad as North Korea right now. The bullshit those people go through...

      I wonder if they are still up for starting a war again.
      Goooogle news, here I come.

    26. Re:Lame. by Anonymous Coward · · Score: 0

      well yeah, except there is no spoon^Wterrorists

    27. Re:Lame. by Anonymous Coward · · Score: 0

      (s)he attended the Michael Moore institute of global solutions.

    28. Re:Lame. by __aaltlg1547 · · Score: 1

      If you succeed in fucking up somebody else's life but don't ever get what you want how is that winning?

    29. Re:Lame. by xclr8r · · Score: 1

      Why don't they just set up a number of VLANs, one for Faculty Staff, one for Students primary machines, one for research projects and one for open devices? I'm sure they already have a couple in place. Was their I.T. group consulted? Student Government and Faculty? I hope this wasn't an excuse to submit to CALEA http://www.fcc.gov/encyclopedia/communications-assistance-law-enforcement-act . Higher Ed does not have to abide by it but some Universities do it anyways. "After thorough review, the final court decision appears to allow for most, if not all, campus networks to be exempt from compliance". http://www.educause.edu/library/calea

      --
      Beware of those who profit off the docile and persecute the unbelievers.
    30. Re:Lame. by Anonymous Coward · · Score: 0

      If you succeed in fucking up somebody else's life but don't ever get what you want how is that winning?

      "Better to Reign in Hell than to Serve in Heaven".

    31. Re:Lame. by Anonymous Coward · · Score: 0

      Oh please. Don't even try to justify their actions. There is no justification. And I can tell you with a great degree of certainty that it came from the outside. No one (not even Bush) would perpetrate an attack against their own people. Every time we have an incident (this happened with Pearl Harbor too) folks want to speculate about false flag and whatnot. These guys were terrorists. They did what terrorists do which is use violence to promote their agenda. You can't negotiate with these guys. They've taken a vow to eliminate all of the infidels. In case you're not aware of what that means let me spell it out for you. An infidel in their mind is anyone who does not subscribe to their brand of Islam and sharia law. These are the same dipwads that whine about how our foreign policy creates these enemies. Don't forget they have no problem with our foreign policy when it consists of receiving aid money. Usually they sign an agreement that they dutifully ignore anyway (see Iran, Iraq (pre 9/11), N. Korea, and a whole host of other countries) to get our aid dollars, and then complain that we're trying to control the world and tell other people what to do. It's a bunch of crap. What we need to do is just flat cut these guys off and say do whatever you want, but if it impacts us we're gonna take you out. It's far past time to end this flippin farce.

    32. Re:Lame. by RabidReindeer · · Score: 1

      This is really a commentary on how insecure the Internet is.

      The Internet was born at MIT and places like it. MIT's forte is technology. Students at MIT can be expected to understand technology better than other people, because even in cases where they don't major in technology, they're still within easy reach of plenty of people who do.

      And even with all that, the students can't make things safe enough.

      What's really sad is that the IT professionals at MIT aren't going to be that much better at it. What they mostly do is provide a smaller, more tightly regulated target.

    33. Re:Lame. by Anonymous Coward · · Score: 0

      Terrorists didn't win you say? Consider that the next time you're at the airport.

      Or walk down the street, go to the hardware store, deposit money in a bank... It's affected every aspect of our lives.

    34. Re:Lame. by Nimey · · Score: 1

      Whoosh!

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    35. Re:Lame. by Anonymous Coward · · Score: 0

      No. There weren't. Regardless of what you might think, there is no opportunity that could have avoided 9.11

    36. Re:Lame. by jedidiah · · Score: 3, Insightful

      The TSA is just the tip of a very large iceberg. It's an indicator that they were pretty successful in subverting our open society. They have caused us to ignore our founding ideals.

      This is especially troublesome in Boston.

      It's kind of like opening a Boston Baked Beans factory in Mecca.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    37. Re:Lame. by jedidiah · · Score: 1

      > Do you know ANYTHING about Islamic extremism? Are you serious?

      It's very much like Xian extremism really, or even Jewish extremism. The sort of "let's ban everything" approach that the TSA has brought it is actually very similar to any number of extreme religious groups.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    38. Re:Lame. by Zeromous · · Score: 0

      A little nitpick, the Internet was born in places like Lawrence Livermore, and White Sands. Military research bases. They were not connected to Universities until much later, and by then most of the key infrastructure and technology you use today was already invented.

      There is no reason in 2013 that a place like MIT should be running a Wild-West Network. In fact, it's downright negligent if they do.

      --
      ---Up Up Down Down Left Right Left Right B A START
    39. Re:Lame. by RabidReindeer · · Score: 1

      There was no opportunity at all for negotiations.

      There were many years of opportunities to avoid that attack (if it was in fact from outside).

      That had nothing to do with negotiating.

      While it's no guarantee that 9/11 would have been averted, there had been an attempt to pound the terrorist training camps into the ground during the late '90's. They were derided as an attempt to "wag the dog" and interfere in the more vitally important matter of whether Clinton fooled around on his wife.

      The concept of airliner kamikaze wasn't even novel. A similar plot out of the Philippines was headed off circa 1998.

    40. Re:Lame. by Anonymous Coward · · Score: 0

      You ruined your own argument halfway through the rant. It's not about "Fuck the terrorists. We don't negotiate. Ever." It's about reacting knee-jerk to terrorism by altering values, restricting freedoms, and generally making the society more closely resemble the repression of the terrorists' own culture. So actually the "country as a whole" did in fact give into terrorism. We have the Patriot Act (still) and a whole tanker fleet full of other repressive and invasive institutions and programs that either didn't exist at all beforehand or were mere shadows of what they are now.

      The terrorists did win, regardless of per capita casualty stats. Our society now looks a bit more like their ideal than it did in 2000, not the other way around.

      No, the terrorists didn't win. We both lost. We lost as you noted above. The terrorists wanted the US out of the Middle East and instead got us even more involved.

    41. Re:Lame. by scarboni888 · · Score: 1

      What demands? I never heard what the 9/11 terrorists' demands actually were and I just got nothing with a "what were the 9/11 hijackers demands?" google search...

    42. Re:Lame. by Anonymous Coward · · Score: 0

      If you succeed in fucking up somebody else's life but don't ever get what you want how is that winning?

      Unless what you want is to fuck up somebody else's life. Then you did win.

    43. Re:Lame. by bill_mcgonigle · · Score: 1

      It's not 1995 anymore - grow up - automobiles have door locks now.

      About once a month I find a car in a parking lot with its lights left on, outside a restaurant or a bar, etc. If the door is unlocked, I simply turn them off and go about my business. If the door is locked, I simply go about my business.

      All of these things are a risk/benefit calculation. I leave my car doors unlocked, but I purposely chose to live in a low-crime locale, so some of my bets are hedged.

      This is MIT's admission that they can't secure a network without locking it down. Note that those are two different things, just that doing one makes the other simpler. MIT can't make their network a low-crime locale, which is different than the trajectory they were on in the early 90's, where they had people doing the very best work on secure networks.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    44. Re:Lame. by Man+On+Pink+Corner · · Score: 2

      No, the terrorists didn't win. We both lost. We lost as you noted above. The terrorists wanted the US out of the Middle East and instead got us even more involved.

      Not quite. Among other things, what bin Laden primarily demanded was that the US leave Saudi Arabia.

      His demands were met, as the US hastily closed its Saudi bases after 9/11 and moved into Iraq.

      Since Iraq was a secular state with no Muslim holy sites of any significance, Al Qaeda never gave a hoot about it. It was only in the aftermath of the US invasion, when it became apparent that the secular nature of the country was up for grabs, that Al Qaeda became involved.

    45. Re:Lame. by Anonymous Coward · · Score: 0

      Wait.

      MIT = Smart Tech Guys, right?

      Then why the hell can't they harden their own network well enough to at least keep an attack quiet (like everyone else does)? You mean the billion-dollar future of IT is in the hands of this?

      Isn't it just about time for the decisions to come out? Is this just a marketing ploy, kinda like the MIT Gangnam Style?

    46. Re:Lame. by Anonymous Coward · · Score: 0

      Yes. MIT didn't used to lock the doors of their offices. They started in around 1992. It was never the same as back when you walked into someone's office if you needed their book.

  2. Optional by Sarten-X · · Score: 5, Insightful

    Apparently, the new policy is just by default:

    Those engaged in research, teaching and learning activities will be given the option to opt out of the default network security policy through a self service mechanism.

    Basically, it looks like someone in administration finally asked "What if we're actually a target?" and the response was "we're royally screwed". Yes, it's nice to give open access to everything, but I doubt most college students, even at MIT, follow reasonable security procedures. So now, they're going to block everything by default, and if someone wants to open access, they can do it themselves. Best case, there's no problems and nobody notices. Worst case, MIT's network isn't such a help during an attack.

    So a university changed its default security policy. Big deal. I don't see how this is newsworthy.

    --
    You do not have a moral or legal right to do absolutely anything you want.
    1. Re:Optional by Nimey · · Score: 4, Interesting

      It sounds to me like students were allowed to run arbitrary servers before, and that group is not included in the passage you quoted, therefore students will no longer have this option at all unless it's for an assignment.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:Optional by Sarten-X · · Score: 3, Funny

      Students aren't engaging in "learning activities"? What exactly are they doing at college, then?

      ...I ask as I take another sip of my beer...

      --
      You do not have a moral or legal right to do absolutely anything you want.
    3. Re:Optional by Nimey · · Score: 1

      Exactly. Running your public Minecraft server doesn't have anything to do with "learning" except in the broadest possible sense.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    4. Re:Optional by Anonymous Coward · · Score: 2, Insightful

      I learned more running a public nethack server than I did in half the required classes for my CS degree. (Admittedly, I didn't go to MIT.)

    5. Re:Optional by girlintraining · · Score: 1

      Exactly. Running your public Minecraft server doesn't have anything to do with "learning" except in the broadest possible sense.

      Making available a public and shared resource does lead to things that aren't strictly in-scope, but can you tell me you don't play flash games at work? Or post to a certain technology website to take a mental break from the tedium of what you're supposed to be working on, so you can come back to it refreshed?

      Google gives its employees part of their workday off to do whatever they want, and it's resulted in some rather amazing products. And none of the company's resources used during that time is strictly for business either. Sometimes, loosening up regulations just a bit results in a lot of liquidity that can be leveraged to get bigger and more useful projects off the ground that otherwise wouldn't pick up enough momentum.

      And Minecraft is a perfect escape for the kinds of people that build robots and program in their dorms -- they're still building things, just abstractly.

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:Optional by Nimey · · Score: 0

      All of what you said is utterly irrelevant.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    7. Re:Optional by Sarten-X · · Score: 5, Insightful

      Cute, but wrong.

      Minecraft (and other game) servers are just as good at learning proper administration techniques as the IRC servers I ran in my college days. The admins must go through the configuration process, think about uptime, anticipate resource needs, and put some concern into security, while carefully handling (or intentionally not) the interpersonal conflicts that arise among users... all the same tasks a good admin must mind in the real world of IT.

      Coincidentally, I'm currently mentoring a high-school student preparing for an IT program at college. We're going over some basic admin skills in advance of his classes, focusing on the real-life experiences from my day job as an IT admin at a finance company. His main service is actually a Minecraft server... but behind the scenes, he's running Bash scripts for backup & housekeeping, Apache for a web-based world map, Nagios to alert him if/when something crashes, and some Perl hacks (that I wrote) to add a few server functions.

      Of course, that's just for a silly little game, but it doesn't really matter what the user-facing service is. The demands of IT administration are pretty generic. I use similar services daily, though the backups are done less with Bash and more with Enterprise Agentless Backup Manager Plus Professional Ultimate Corporate Edition.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    8. Re:Optional by Nimey · · Score: 1

      Now you're just being obtuse and begging the question. If you're a student, running your game server (or Net-accessible model railroad controller, or whatever) doesn't have anything to do with what you're paying MIT for and there's nothing stopping you from getting it hosted at a colo somewhere.

      It's a hobby, which may be interesting and even valuable, but ultimately MIT has to make sure their network is serving classes, faculty, research, &c (that being what people are paying for). It's a matter of priorities (classrooms and research being a higher priority than a random student's hobby), and it ties into my point in a different thread that a few assholes are going to ruin things for everyone.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    9. Re:Optional by Anonymous Coward · · Score: 0

      Students aren't engaging in "learning activities"? What exactly are they doing at college, then?

      Not in a majority of US colleges or public schools they aren't.

    10. Re:Optional by dbIII · · Score: 1

      Dunno about that - I learnt a bit about networking from multiplayer Quake.

    11. Re:Optional by Anonymous Coward · · Score: 1

      The whole point of an academic environment is to allow people to learn in their own ways, not just follow directions given from high up. So yes, the ability to experiment with network servers that are not directly related to any class the students are taking is precisely why MIT (and a lot of other universities that still understand academic ideals) don't stop students from running network servers.

    12. Re:Optional by starfishsystems · · Score: 2

      It's noteworthy. It represents the end of an era which, I appreciate, many Slashdot readers are too young to have experienced. That doesn't mean that it was unimportant.

      As a preeminent place for the exploration of ideas, MIT held a refreshingly open attitude towards all forms of intellectual curiosity, collaboration and information exchange - both ancient and emerging. That spirit is what I associate with people like Richard Feynman, Noam Chomsky and Richard Stallman, who not only have fundamentally interesting ideas to share but are particularly outspoken about the freedom to be outspoken.

      It's significant that the MIT Lisp Machine and its various exotic descendents provided no authentication. This was a fairly extreme design decision that, in my view, only makes sense in this particular social context. Many of us objected to that decision on technical grounds, but in fact no one knew whether it would turn out to be a brilliant move or a naive one.

      Well, now we know. The letter from Israel Ruiz gives a nod to the original spirit of the Internet:

      MIT has a long history of operating an open network environment, allowing devices on MIT's network unrestricted incoming and outgoing access to the Internet.

      --
      Parity: What to do when the weekend comes.
    13. Re:Optional by 10101001+10101001 · · Score: 2

      ... it ties into my point in a different thread that a few assholes are going to ruin things for everyone.

      You're right. University administrators are too interested in CYOA to actually do the right thing. They are assholes.

      Oh, and if you were referring to the "terrorists" (as others have put it), well, no, they don't have the power to do jack squat, so they're clearly not the assholes who ruined things for everyone. It's the University administrators that cowered and changed policy. And it's not like gun hoaxes or denial of services are some magically new thing that warrants *any* change in policy--just like terrorists attacking planes or destroying buildings wasn't a new thing on 9/11. No, this is just cowardly kowtowing to--well--hypothetical parents and hypothetical interest groups. What part of "I am deeply and personally committed to safeguarding our community, protecting our campus and securing our systems." doesn't scream kiss-ass, double-talk?

      The most secure systems in the world are the ones that are constantly under attack. They're the ones that have to actually combat real-world threats and not just all those hypothetical, isolated ones. Evolution itself is predicated on that very idea, that nature and life is a savage world in which there's a constant struggle all over the place and extinction-level events have occurred repeatedly. To turn tail and think closing off their network will solve things... No, I don't think they believe that. But, it does suddenly give the IT department--and by extension the University administration--(a) the power to deny people on a whim and (b) the power to otherwise monitor activity that they would otherwise be completely unaware of--and that's a good sign that suddenly having monitoring activity will grant them to make non-issues issues predicated on their own beliefs.

      In short, the ultimate goal of University should be to enrich the lives of their students, professors, etc by broadening their horizons. No part of IT department or administration micro-management really should enter into it--and sadly, I think it happens too much already with department heads in general treating their department as their personal fiefdom, so I can see where the administrators would get the idea. What's next? Random dorm room inspections?

      --
      Eurohacker European paranoia, gun rights, and h
    14. Re:Optional by rmstar · · Score: 1

      If you're a student, running your game server (or Net-accessible model railroad controller, or whatever) doesn't have anything to do with what you're paying MIT for and there's nothing stopping you from getting it hosted at a colo somewhere.

      Also, if the reputation of MIT as a pressure cooker is true, you won't be a student at MIT for too long if you waste your time running and administrating your own game server.

    15. Re:Optional by Bing+Tsher+E · · Score: 1

      You are correct, that Minecraft is the perfect escape from building robots and programs. I cannot count the number of hours I have spent fighting mobs when I could have been coding something.

      My choice, and I make it freely. But I don't sugar coat it.

    16. Re:Optional by Bing+Tsher+E · · Score: 1

      Near as I can tell, the people chiming in about Minecraft servers didn't go to MIT.

    17. Re:Optional by Anonymous Coward · · Score: 1

      I attended MIT. You'd be *amazed* at how many chances they give you to hang yourself before finally cutting you off. 1 in 4 students does not graduate, but I'd be shocked if it was more than 1 in 500 who was expelled or permanently suspended for misbehavior.

      And their security has traditionally been horrible. Go ahead. Scan MIT's /8 network for NFS servers. Until a month ago, you'd have been *amazed* at how many public facing NFS servers you could find, with private correspondence from professors and student information in violation of Massachusetts law.

    18. Re:Optional by Anonymous Coward · · Score: 1

      Translation: I was turned down by MIT and bear a (somewhat incoherent) grudge...

    19. Re:Optional by Anonymous Coward · · Score: 0

      A college full of engineering students who like tech will not be able to stand up their own network? /sarcasm Yeah good luck with that.

    20. Re:Optional by Anonymous Coward · · Score: 0

      I'm a student at MIT and run my own webserver here (on the mit domain). Everything still works, ha! Funnily though I had to read about this first on Slashdot... And still haven't gotten an official announcement in my MIT email.

    21. Re:Optional by Anonymous Coward · · Score: 0

      I can see that a reaction was necessary and prudent, but given that it's MIT, I would have expected them to have a better reaction.

      Perhaps anybody can still run a server, they just have to get a special, trivial to obtain, official connection to hook it up. That way the security folks know who they are, can monitor and cut it off if it causes trouble.

      The folks making the next great thing should not be affected. They can still serve to the whole Internet. Perhaps even with a better pipe.

      SOAP BOX
      Security should be about stopping the bad guys without collateral damage to the good guys' pursuit of happiness. Where the definition of good and bad is based on what you actually are doing or have done, not what you might do or have the ability to do. To state what should be obvious, preventing what one might do could well have prevented us from having neat stuff like cars and electricity. /SOAP BOX

  3. History rhymes by Nimey · · Score: 1

    A few assholes can and will ruin a good thing for everyone.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:History rhymes by Anonymous Coward · · Score: 1

      No. Freedom & Liberty will persist until the day cowards are required to make sacrifices to preserve them. Unfortunately, once a coward shirks their responsibility to persevere, the damage is permanent loss of ground to the enemy.

      You will never prevent people from acting like assholes provided the opportunity, but you can choose how you react to those people; based on principle, or without it.

      It's not enough to elect the lesser of two evils, we should be choosing the most principled of two libertarians. So long as we have a two party system, we will always be losing ground to politicians & policymakers who are just crooked enough to not get fired.

    2. Re:History rhymes by Nimey · · Score: 3, Funny

      BINGO!

      Hah, got my card filled out that time.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    3. Re:History rhymes by cffrost · · Score: 1

      A few assholes can and will ruin a good thing for everyone.

      The assholes are the people who impose restrictions, not the people the assholes point to for justification.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    4. Re:History rhymes by Nimey · · Score: 1

      Riiiiight. The asshole is, say, the government for telling Company X they have to stop polluting waterways with dioxin and not Company X.

      Libertarians can be so simple-minded about their religion.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    5. Re:History rhymes by cheekyjohnson · · Score: 1

      The asshole is, say, the government for telling Company X they have to stop polluting waterways with dioxin and not Company X.

      Well, the government is certainly the one trying to stop them from polluting in that example, but that doesn't mean they're wrong for imposing the restrictions. I don't believe anyone is saying that restrictions are always bad.

      Clearly some people here do think MIT is wrong since innocents are being punished as well.

      --
      Filthy, filthy copyrapists!
    6. Re:History rhymes by cffrost · · Score: 1

      Riiiiight. The asshole is, say, the government for telling Company X they have to stop polluting waterways with dioxin and not Company X.

      I thought we were talking about situations where the freedoms of innocent people are restricted in response to the malicious or negligent actions of others — for example, MIT restricting network access to non-attackers and non-hoaxers.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    7. Re:History rhymes by 3.5+stripes · · Score: 1

      You are, the river is everyone's to use, now the US gov just made a rule saying that no one can have a drain from their backyard in the river because company X is using it to get rid of dioxins..

      --


      He tried to kill me with a forklift!
    8. Re:History rhymes by cffrost · · Score: 1

      You are, the river is everyone's to use, now the US gov just made a rule saying that no one can have a drain from their backyard in the river because company X is using it to get rid of dioxins..

      That's a good example of the kind of distinction I was making. I don't know if the situation you described is actual or hypothetical, but either way — as long as the individual property owner's discharge meets the same stormwater and/or effluent guidelines that the EPA applies to industry/municipalities, I don't see any legitimate reason for prohibition that supersedes the individual's right to use the river.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  4. Passwords by Sarten-X · · Score: 3, Insightful

    Bad form to reply to myself, I know, but I did find one noteworthy detail in that memo upon further inspection:

    Passwords will also be tested to ensure a minimum level of complexity; existing weak passwords will be required to be changed.

    ...so MIT stores its passwords in a form that allows complexity testing... Interesting.

    They could just be brute-forcing 7 characters and calling it a day, or adding something to a commonly-used login system... but if it's feasible to test how complex an existing password is, I have to wonder about how the passwords are being stored.

    --
    You do not have a moral or legal right to do absolutely anything you want.
    1. Re:Passwords by Nimey · · Score: 1

      You know, it's possible to check a password's complexity /before/ hashing it. Various Linux distros and Windows do it that way.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:Passwords by RyuuzakiTetsuya · · Score: 1

      You can capture weak passwords during login when you've confirmed the hashes match. If it is weak, flag the account as having a weak password.

      --
      Non impediti ratione cogitationus.
    3. Re:Passwords by Anonymous Coward · · Score: 0

      They probably have a table of n-digit alphanumeric passwords, hashed with their favorite salt, handy. If not, they'll generate them. Easy since they know the salt.

    4. Re:Passwords by Sarten-X · · Score: 1

      For the "existing" passwords that the memo says they'll be checking, they should be stored already hashed, so it's too late for that. If it's a check done at login (before the client hashes), that implies that there's a feasible way to inject code to access the unhashed password, and frankly that worries me more.

      Linux distros and Windows will happily keep existing simple passwords, if you've set them before enabling complexity requirements. After enabling the requirements, the old passwords aren't re-checked, as MIT's memo implies they will do.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:Passwords by Nimey · · Score: 1

      My guess is that they're consulting rainbow tables, then. Got to be plenty of those out there for various hashes.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    6. Re:Passwords by Anonymous Coward · · Score: 0

      You are not thinking very hard here.

      Client sends password over SSL > Server decrypts
      Now the server has the plain text password > Server hashes password
      If the hashed password matches > Server performs complexity test on the unhashed password you just sent
      If the unhashed password is weak > Server does $something requiring you to change the password.

    7. Re:Passwords by Anonymous Coward · · Score: 0

      Actually this is probably a good idea to do for all the passwords since hashing has collisions. Your 30 character password could have the same hash as a 3 letter one.

    8. Re:Passwords by Anonymous Coward · · Score: 0

      Congratulations. You've flunked encryption 101. You never send the plaintext password over the wire, because you can't trust the middleman. Salt and encrypt on the client end, then salt and encrypt on the server end.

    9. Re:Passwords by fgodfrey · · Score: 1

      MIT is almost certainly using Kerberos for their authentication since a) they invented it and b) that's what they were using at least as recently as 2005. In any event, how Kerberos stores passwords depends on the exact implementation, but in at least some implementations (admittedly old) you could decrypt the password database on the Kerberos key server with a key stored in a file in /etc. The Kerberos server is supposed to be kept extremely secure, with Kerberos being the only service running on it and it being kept in a physically secure location.

      --
      Go Badgers! -- #include "std/disclaimer.h"
    10. Re: Passwords by Anonymous Coward · · Score: 0

      all this means is that everyone whose password is passw0rd will be getting a memo.

    11. Re:Passwords by drkstr1 · · Score: 1

      Yeah, don't worry about it. That's actually how it's supposed to be done. Passwords should be sent over SSL and hashed server-side. Using some half baked client-side crypto is not the way to do it.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    12. Re:Passwords by ultranova · · Score: 2

      For the "existing" passwords that the memo says they'll be checking, they should be stored already hashed, so it's too late for that.

      Or they could simply be running a password cracker, and you're putting too much weight on exact wording. In fact, I'd almost bet it was that; after all, the point is to make passwords hard to crack, so testing whether they are makes more sense than some arbitrary rules.

      If it's a check done at login (before the client hashes), that implies that there's a feasible way to inject code to access the unhashed password, and frankly that worries me more.

      What client? It is pointless to do hashing on client end, and of course the system admin can inject code to their login procedure.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    13. Re:Passwords by drkstr1 · · Score: 1

      Congratulations. You've flunked encryption 101. You never send the plaintext password over the wire, because you can't trust the middleman. Salt and encrypt on the client end, then salt and encrypt on the server end.

      SSL is better than anything you could cook up on the client-side, ya dummy.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    14. Re:Passwords by TarpaKungs · · Score: 1

      IME most kerberos servers store the database key in what they term a "stash file". That's current practise too.

      Unless you need the level of security that you have to go up to the console and present a key when the system reboots or the KDC service restarts, there isn't any other way. Essentially, for most real world systems, the kerberos primary and slaves need to be regarded as machines to be kept highly secure or it's game over.

      Is AD any different?

      --
      Why can't women be like Hedy Lamarr - beautiful, talented and inventors of frequency-hopping spread-spectrum techn
    15. Re:Passwords by Anonymous Coward · · Score: 0

      No, they should be handled via *Kerberos*, which is vastly more robust than SSL and avoids the man-in-the-middle attacks now being done behind load balancers that refuse to encrypt the traffic between the load balancer and the local HTTP server for "ease of management" and "to reduce load", but mostly because "they're too cheap and lazy to put keys on the web servers".

      Since Kerberos was written at MIT precisely to manage large numbers of logins being attacked by very crazy people, it works well and scales well and should have replaced user authentication via SSL decades ago. SSL should only be used for channel encryption for casual sniffing, not genuine password security.

    16. Re:Passwords by petteyg359 · · Score: 1

      Hardly. They know what hash/salt/whatever they're using, and it's trivial to throw the list of common stupid passwords through it and pull a list of all users with matching hashes.

    17. Re:Passwords by Anonymous Coward · · Score: 0

      Above is proof of the fact that encryption is difficult and often counter-intuitive.

      You're espousing a method that adds complexity to the encryption without adding a single iota of security. When you do this, the salted/hashed password *becomes* the plaintext password. You do not need the original password using your method. If the original algorithm was exploitable by a MITM attack, so (in exactly the same way) is your supposed 'fix'.
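
The two server-side approaches argued over in this thread (testing the password at login once its hash has matched, and running a list of common passwords through the stored salt and hash), sketched as an added example that is not part of the original thread and not MIT's system. The PBKDF2 storage scheme, the policy thresholds, the deny-list and the account names are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed value, kept low so the example runs quickly.
PBKDF2_ITERATIONS = 10_000

# Constructed deny-list of common passwords (assumption; a real audit list is far longer).
COMMON_PASSWORDS = ["password", "passw0rd", "123456", "letmein", "qwerty"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash as it would sit in the account database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def is_weak(password: str) -> bool:
    """Hypothetical policy: under 10 chars, on the deny-list, or fewer than 3 character classes."""
    if len(password) < 10 or password.lower() in COMMON_PASSWORDS:
        return True
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) < 3


class AccountStore:
    """Holds only salt + hash per user; the plaintext is never stored."""

    def __init__(self):
        self._accounts = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "must_change": False,
        }

    def login(self, username: str, password: str) -> bool:
        """Approach 1: complexity test at login, only after the hash has matched."""
        acct = self._accounts.get(username)
        if acct is None:
            return False
        candidate = hash_password(password, acct["salt"])
        if not hmac.compare_digest(candidate, acct["hash"]):
            return False
        # The server already holds the plaintext for this one request (it arrived
        # over TLS); test it, set a flag, and let it go out of scope.
        if is_weak(password):
            acct["must_change"] = True
        return True

    def audit_common(self) -> list:
        """Approach 2: offline audit, hashing each deny-list entry with each user's salt."""
        flagged = []
        for username, acct in self._accounts.items():
            for guess in COMMON_PASSWORDS:
                if hmac.compare_digest(hash_password(guess, acct["salt"]), acct["hash"]):
                    acct["must_change"] = True
                    flagged.append(username)
                    break
        return sorted(flagged)

    def must_change(self, username: str) -> bool:
        return self._accounts[username]["must_change"]


def demo():
    store = AccountStore()
    store.create("alice", "passw0rd")           # on the deny-list
    store.create("bob", "Tr0ub4dor&3-horse")    # passes the policy
    store.create("carol", "sunshine1")          # weak by policy, not on the deny-list
    flagged = store.audit_common()              # finds only deny-list passwords
    carol_before = store.must_change("carol")
    store.login("carol", "sunshine1")           # login-time check catches the rest
    store.login("bob", "Tr0ub4dor&3-horse")
    return flagged, carol_before, store.must_change("carol"), store.must_change("bob")


if __name__ == "__main__":
    print(demo())
```

The offline audit only finds passwords that are on the list, while the login-time check applies the full policy but only to users who actually log in, which is why a rollout would typically use both.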

  5. Courage is in short supply. by mlwmohawk · · Score: 3

    The "Home of the Brave" is a joke at MIT, and U.S. universities across America. Once the wussy administrators take hold, all is lost without a fight. Wussy administrators will use security and safety as their cudgels. They will hide behind their desks and enact policy that eliminates any freedom that may challenge the status quo.

    This is, in fact, what America deserves unless and until we ALL have the courage to fight it everywhere it is. I would say "Shame On You" to MIT, but I would be decades late.

    1. Re:Courage is in short supply. by EmperorArthur · · Score: 1

      Reminds me of my time in college.

      /Begin Rant

      I don't know how many of you have had to deal with the Cisco Security Agent, but it's a nightmare.
      It's a service that runs on Windows boxes that requires that AV software has been updated to the latest version, and that the user logs in.
      The product docs explicitly say it allows remote code execution by the network administrator, and it sucks at its main purpose. That's because the only AV software that the university seems to recognize is McAfee.

      Thankfully CSA is a broken piece of crap, so half the time I could get an open port for my VPN, and it allows *nix boxes on with just a login page. I just hope you don't want to run an Android or BlackBerry, given that the admin decided it's not worth the time to configure the server to allow it. Oh, and don't forget the monitoring and logging of all net traffic.

      Taken together, it's no surprise that most students end up paying for cable internet for their dorms. When Comcast has a University beat on speed, reliability, privacy, and customer service, you know you have a problem.

      /End Rant

      I really hope MIT doesn't do the same thing as the University of Alabama in Huntsville does. While I doubt that they would, primarily because they (probably) have a competent networking staff, I fear for all MIT faculty and students as they go down this ramp.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    2. Re:Courage is in short supply. by Anonymous Coward · · Score: 0

      The server-side component does this by sniffing UA on the first browser request after you connect to a network on that, so you could forge that fairly readily...

    3. Re:Courage is in short supply. by EmperorArthur · · Score: 1

      Only on the old version. The new version does some sort of fingerprinting. It's bad enough that the Apple guys can't run VMware fusion without it triggering and thinking they're running windows.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  6. Fear ... by Anonymous Coward · · Score: 0

    Of those who ... know ... and do ... infinitely ... more ... than he.

    Executive Vice President and Treasurer Israel Ruiz [the he] shows the length of his Penis, his most valued object that he worships 24/7 with devout devotion, is the deciding 'criteria' on anything now and forevermore MIT.

  7. This is all about how they screwed Aaron Swartz by Anonymous Coward · · Score: 0

    they were just waiting for an excuse to kill open access... this may even get rid of RMS

  8. This will not end well by drwho · · Score: 1

    MIT students really like the freedom that they have on their nets, and in fact, have come to take it for granted. I foresee massive disobedience to this, along with protests, and I'll be standing there right beside them.

    1. Re:This will not end well by mwvdlee · · Score: 1

      Any MIT student that protests this instead of hacking his way around it doesn't deserve to be an MIT student.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  9. Try reading the actual article by murdocj · · Score: 4, Informative

    I mean, yes, this is Slashdot, so the kneejerk reactions are appropriate, but if you bother to read the article, the changes are just plain common sense. They are going to enforce reasonable passwords, and if you want to have an externally accessible server, you either need to use a VPN, or opt out of the security policy. All this foaming at the mouth about the end of academic freedom sounds a lot like the NRA freaking out when someone proposes limiting how many rounds you can fire off at a time without reloading.

    1. Re:Try reading the actual article by nomadic · · Score: 1

      "I mean, yes, this is Slashdot, so the kneejerk reactions are appropriate"

      The sad thing is I'm convinced that a lot of the people shrieking about how evil MIT is for doing this are the same ones who respond to posts about DDOSes by shrieking how it's all the administrators' fault for not properly locking down their networks.

    2. Re:Try reading the actual article by Anonymous Coward · · Score: 0

      Why would one need more than ten ports open at a time!

    3. Re:Try reading the actual article by stenvar · · Score: 1

      Bad analogy. You can't "opt out" of gun control limits, you can "opt out" of MIT's network policy.

    4. Re:Try reading the actual article by Anonymous Coward · · Score: 0

      I mean, yes, this is Slashdot, so the kneejerk reactions are appropriate, but if you bother to read the article, the changes are just plain common sense. They are going to enforce reasonable passwords, and if you want to have an externally accessible server, you either need to use a VPN, or opt out of the security policy. All this foaming at the mouth about the end of academic freedom sounds a lot like the NRA freaking out when someone proposes limiting how many rounds you can fire off at a time without reloading.

      So if I want to run an externally accessible server at SHIT I can opt out of the "security policy"? Sounds good lol XD

      Pro NRA/gun ownership, pro freedom/liberty, and pro free and open source all go extremely well together and if you think otherwise you might be suffering from some severe cognitive dissonance.

  10. MOD PARENT UP by Nimey · · Score: 1

    And since I need to have something in the message body, I think we could all learn from the NRA's mastery of agitprop:

    http://tpmmuckraker.talkingpointsmemo.com/2013/04/nra_magazine_covers.php

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  11. A dark day for MIT by Casandro · · Score: 2

    Here they admit they don't understand the Internet, by limiting incoming "connections" and acting as if there was a difference between a server and a client. It's a testament that freedom and education are now less important than stupidity and the fear of imaginary dangers.

    1. Re:A dark day for MIT by Anonymous Coward · · Score: 0

      "imaginary dangers"???

      Get your head out of......the sand.

    2. Re:A dark day for MIT by Anonymous Coward · · Score: 0

      There is a difference between a server and client. That's why most clients nowadays run behind a NAT. Perhaps it's you that doesn't understand the Internet.

    3. Re:A dark day for MIT by tgd · · Score: 1

      Here they admit they don't understand the Internet, by limiting incoming "connections" and acting as if there was a difference between a server and a client. It's a testament that freedom and education are now less important than stupidity and the fear of imaginary dangers.

      Well, if they at least educate their students to do some research before spouting off on a subject, like... reading an article..., then they're a step up on a lot of people, it seems.

  12. Faculty by puddingebola · · Score: 2

    What is the faculty's response to this response?

  13. One of the "wishes" was... by ibsteve2u · · Score: 1
    One of the "wishes" was

    a commitment to a “free and unfettered internet.”

    We had a "free and unfettered internet"...and then the spammers-, virus coders-, and hackers-for-profit moved in.

    --
    Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
    1. Re:One of the "wishes" was... by Anonymous Coward · · Score: 0

      Which is actually how it should be, but then the suit-and-tie "saviours" moved in with their pseudo-econo-political bullshit and tried to cram an evolving ecosystem into a spreadsheet.

      But the internet didn't die even at that point, it simply moved elsewhere. It did route around the problem.

      WALLED GARDENS ARE NOT THE INTERNET NO MATTER WHAT THEY'RE CALLED.
      Have you ever been on the internet?

  14. not a brain dead one size fit all solution by Anonymous Coward · · Score: 0

    From what it sounds like they are trying to be reasonable, and not a brain dead one size fit all solution

  15. "Cybersecurity", "cyberwar", "cyberthis and that" by gsiarny · · Score: 1

    I'm dismayed that MIT, of all places, uses the thoroughly awkward term "cyber security" in its official correspondence. Outside of a few sci-fi novels, "cyber" seems to be the province of clueless congressmen and the reporters who love them. It's a buzzword for media outlets, politicians, and consultants who don't understand the net, want to profit from others' lack of understanding of the net, or both.

  16. Who gives a shit what MIT does with their network? by Anonymous Coward · · Score: 0

    How does this effect me? How does this effect 99.9% of the world? Who cares?

  17. Liberty ? by Anonymous Coward · · Score: 0

    Common US rule :
    For your security, we are getting rid of your liberty.

    1. Re:Liberty ? by EmagGeek · · Score: 1

      What liberty? MIT owns the network. They can do what they want with it, including setting rules and terms of access and use.

      Property rights are the ultimate form of liberty. If it's my property, I can do what I want with it, and control who can access and use it and for what purpose.

  18. Clear message indeed. by Anonymous Coward · · Score: 0

    Shows this guy's "commitment", dunnit?

    If it acts like an old woman, talks like an old woman, ...

    Shit, both my grandmothers had more spine than he.

  19. This is news? by ThisIsSaei · · Score: 1

    Honestly after the whole Swartz case we knew it wasn't a 'free network.' You know, it would have been nice if they "secured it" to their liking before they harassed someone to death for using it.

  20. Re:Who gives a shit what MIT does with their netwo by Anonymous Coward · · Score: 0

    It probably doesn't _affect_ you at all, since you apparently didn't get an MIT education, let alone any education.

  21. Can you say.... by Anonymous Coward · · Score: 0

    False flag?

  22. CS is not networking not IT / severs and not deskt by Joe_Dragon · · Score: 1

    CS is not networking not IT / severs and not desktop / help desk work.

    Now maybe if you where a programmer then the classes would of helped you more.

  23. ./ Looking for new hosting by Anonymous Coward · · Score: 0

    In unrelated news, Slashdot has asked the community for hosting recommendations as the current provider is changing their network policies.

  24. Can you explain... by wonkey_monkey · · Score: 1

    ...what you're blathering on about?

    --
    systemd is Roko's Basilisk.
  25. Re:CS is not networking not IT / severs and not de by Anonymous Coward · · Score: 1

    CS students NEED that stuff though before they overuse resources on shared machines/networks. BTW, it's clear you skipped your English classes. "Would of" is not a contraction for "would have", but "would've" is.

  26. What's next? Uni-issued phones and laptops? by Anonymous Coward · · Score: 0

    Those who are willing to sacrifice so much freedom for so little security deserve to live the consequences. Now at UNIs there is as much allowed creativity and curiosity as in the toughest corporate environment.

  27. Paying for Nothing by SuperKendall · · Score: 2

    If you're a student, running your game server (or Net-accessible model railroad controller, or whatever) doesn't have anything to do with what you're paying MIT

    You are there to learn, why does it have to be only through classes? What is the point of computer labs and a fast network if not to help you learn? That's part of the REASON you go to a college, so that you have access to facilities you would not otherwise. May as well burn down the library also, or only allow check-out of course approved books!

    If you aren't allowed access to resources around you for however you want to learn, then there is REALLY no point in going to college at all. And MIT just lost a distinctive advantage that made them a better technical school. Now there is no way I could justify paying an MIT tuition with them basically treating students like criminals.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  28. Re: Don't even try to justify their actions by DocSavage64109 · · Score: 1

    If you feel so strongly about your views, why are you posting A.C.? Should we really not try to analyze why events happen? And while we're at it, let's generalize with statements like "You can't negotiate with these guys"

  29. Re:CS is not networking not IT / severs and not de by SuperKendall · · Score: 2

    CS is not networking not IT / severs

    Part of it very much is (especially networking). How can you design an application to make effective use of a network without at least understanding the basics of how a network works?

    It's all intertwined, and any good CS program DOES have some options to help you learn those things. But it's not like additional learning does not help.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  30. Security through boredom by rcharbon · · Score: 1

    When I worked at MIT (admittedly, years ago), we left things open because to do otherwise was to challenge students to attack. Security through boredom worked - until the outside world caught up to the point where they presented a significant threat.

  31. Re:"Cybersecurity", "cyberwar", "cyberthis and tha by Anonymous Coward · · Score: 0

    Cyber Semantics Nazi!

  32. This is why we can't have nice things by Anonymous Coward · · Score: 0

    Someone will invariably ruin it for everyone else. Trolls are part of human nature I guess.