Slashdot Mirror


MIT To End Open-Network Policy In Response To Recent Attacks

An anonymous reader writes "MIT announced that despite a long history of running an open network (so that any student can run a server on any port, without any questions asked), it will now end this policy due to recent denial-of-service attacks and a gunman hoax. From a letter sent by Executive Vice President and Treasurer Israel Ruiz: 'I am deeply and personally committed to safeguarding our community, protecting our campus and securing our systems. Together with our colleagues dedicated to campus safety and security, with the support of senior academic leadership and in collaboration with the campus community, we are deploying all necessary resources to this effort. It will require the dedication of all of us to promote safety awareness, complete necessary emergency training, and adhere to reinforced cyber security guidelines. IS&T staff members are working with information technology (IT) leadership and partners across campus in making the changes described above. We continue to explore all opportunities to further strengthen our preparedness, and will communicate additional information as these plans evolve.'"

27 of 144 comments

  1. Re:Lame. by Wookie+Monster · · Score: 5, Insightful

    Terrorists didn't win you say? Consider that the next time you're at the airport.

  2. Optional by Sarten-X · · Score: 5, Insightful

    Apparently, the new policy is just by default:

    Those engaged in research, teaching and learning activities will be given the option to opt out of the default network security policy through a self service mechanism.

    Basically, it looks like someone in administration finally asked "What if we're actually a target?" and the response was "we're royally screwed". Yes, it's nice to give open access to everything, but I doubt most college students, even at MIT, follow reasonable security procedures. So now, they're going to block everything by default, and if someone wants to open access, they can do it themselves. Best case, there's no problems and nobody notices. Worst case, MIT's network isn't such a help during an attack.

    So a university changed its default security policy. Big deal. I don't see how this is newsworthy.

    --
    You do not have a moral or legal right to do absolutely anything you want.
    1. Re:Optional by Nimey · · Score: 4, Interesting

      It sounds to me like students were allowed to run arbitrary servers before, and that group is not included in the passage you quoted, therefore students will no longer have this option at all unless it's for an assignment.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:Optional by Sarten-X · · Score: 3, Funny

      Students aren't engaging in "learning activities"? What exactly are they doing at college, then?

      ...I ask as I take another sip of my beer...

      --
      You do not have a moral or legal right to do absolutely anything you want.
    3. Re:Optional by Anonymous Coward · · Score: 2, Insightful

      I learned more running a public nethack server than I did in half the required classes for my CS degree. (Admittedly, I didn't go to MIT.)

    4. Re:Optional by Sarten-X · · Score: 5, Insightful

      Cute, but wrong.

      Minecraft (and other game) servers are just as good at learning proper administration techniques as the IRC servers I ran in my college days. The admins must go through the configuration process, think about uptime, anticipate resource needs, and put some concern into security, while carefully handling (or intentionally not) the interpersonal conflicts that arise among users... all the same tasks a good admin must mind in the real world of IT.

      Coincidentally, I'm currently mentoring a high-school student preparing for an IT program at college. We're going over some basic admin skills in advance of his classes, focusing on the real-life experiences from my day job as an IT admin at a finance company. His main service is actually a Minecraft server... but behind the scenes, he's running Bash scripts for backup & housekeeping, Apache for a web-based world map, Nagios to alert him if/when something crashes, and some Perl hacks (that I wrote) to add a few server functions.

      Of course, that's just for a silly little game, but it doesn't really matter what the user-facing service is. The demands of IT administration are pretty generic. I use similar services daily, though the backups are done less with Bash and more with Enterprise Agentless Backup Manager Plus Professional Ultimate Corporate Edition.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:Optional by starfishsystems · · Score: 2

      It's noteworthy. It represents the end of an era which, I appreciate, many Slashdot readers are too young to have experienced. That doesn't mean that it was unimportant.

      As a preeminent place for the exploration of ideas, MIT held a refreshingly open attitude towards all forms of intellectual curiosity, collaboration and information exchange - both ancient and emerging. That spirit is what I associate with people like Richard Feynman, Noam Chomsky and Richard Stallman, who not only have fundamentally interesting ideas to share but are particularly outspoken about the freedom to be outspoken.

      It's significant that the MIT Lisp Machine and its various exotic descendants provided no authentication. This was a fairly extreme design decision that, in my view, only makes sense in this particular social context. Many of us objected to that decision on technical grounds, but in fact no one knew whether it would turn out to be a brilliant move or a naive one.

      Well, now we know. The letter from Israel Ruiz gives a nod to the original spirit of the Internet:

      MIT has a long history of operating an open network environment, allowing devices on MIT's network unrestricted incoming and outgoing access to the Internet.

      --
      Parity: What to do when the weekend comes.
    6. Re:Optional by 10101001+10101001 · · Score: 2

      ... it ties into my point in a different thread that a few assholes are going to ruin things for everyone.

      You're right. University administrators are too interested in CYOA to actually do the right thing. They are assholes.

      Oh, and if you were referring to the "terrorists" (as others have put it), well, no, they don't have the power to do jack squat, so they're clearly not the assholes who ruined things for everyone. It's the University administrators that cowered and changed policy. And it's not like gun hoaxes or denial of services are some magically new thing that warrants *any* change in policy--just like terrorists attacking planes or destroying buildings wasn't a new thing on 9/11. No, this is just cowardly kowtowing to--well--hypothetical parents and hypothetical interest groups. What part of "I am deeply and personally committed to safeguarding our community, protecting our campus and securing our systems." doesn't scream kiss-ass, double-talk?

      The most secure systems in the world are the ones that are constantly under attack. They're the ones that have to actually combat real-world threats and not just all those hypothetical, isolated ones. Evolution itself is predicated on that very idea, that nature and life is a savage world in which there's a constant struggle all over the place and extinction-level events have occurred repeatedly. To turn tail and think closing off their network will solve things... No, I don't think they believe that. But, it does suddenly give the IT department--and by extension the University administration--(a) the power to deny people on a whim and (b) the power to otherwise monitor activity that they would otherwise be completely unaware of--and that's a good sign that suddenly having monitoring activity will grant them to make non-issues issues predicated on their own beliefs.

      In short, the ultimate goal of University should be to enrich the lives of their students, professors, etc by broadening their horizons. No part of IT department or administration micro-management really should enter into it--and sadly, I think it happens too much already with department heads in general treating their department as their personal fiefdom, so I can see where the administrators would get the idea. What's next? Random dorm room inspections?

      --
      Eurohacker European paranoia, gun rights, and h
  3. Passwords by Sarten-X · · Score: 3, Insightful

    Bad form to reply to myself, I know, but I did find one noteworthy detail in that memo upon further inspection:

    Passwords will also be tested to ensure a minimum level of complexity; existing weak passwords will be required to be changed.

    ...so MIT stores its passwords in a form that allows complexity testing... Interesting.

    They could just be brute-forcing 7 characters and calling it a day, or adding something to a commonly-used login system... but if it's feasible to test how complex an existing password is, I have to wonder about how the passwords are being stored.

    --
    You do not have a moral or legal right to do absolutely anything you want.
    1. Re:Passwords by ultranova · · Score: 2

      For the "existing" passwords that the memo says they'll be checking, they should be stored already hashed, so it's too late for that.

      Or they could simply be running a password cracker, and you're putting too much weight on exact wording. In fact, I'd almost bet it was that; after all, the point is to make passwords hard to crack, so testing whether they are makes more sense than some arbitrary rules.

      If it's a check done at login (before the client hashes), that implies that there's a feasible way to inject code to access the unhashed password, and frankly that worries me more.

      What client? It is pointless to do hashing on the client end, and of course the system admin can inject code into their login procedure.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
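The two mechanisms this sub-thread argues about (a complexity check on the plaintext at login time versus an offline audit of already-hashed passwords) can be shown side by side. The following is an added example, not code from the thread or from MIT; it assumes a constructed in-memory user store holding only salted PBKDF2-HMAC-SHA256 hashes, a demo iteration count, and a short constructed list of common weak passwords. It shows why neither approach needs reversible storage: the policy check runs on the transient plaintext the user just submitted, and the audit can only re-hash candidate guesses against each stored hash.

```python
import hashlib
import hmac
import os
import re

# Demo iteration count (assumption for a quick run; production deployments use far more).
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(db: dict, username: str, password: str) -> None:
    """Enrol a user: fresh random salt, hash only, no must-change flag yet."""
    salt = os.urandom(16)
    db[username] = {"salt": salt, "hash": hash_password(password, salt), "must_change": False}


def is_weak(password: str, min_length: int = 10) -> bool:
    """Policy check on a plaintext candidate: length plus at least three character classes.
    This can only run while the plaintext is in hand (enrolment, change, or login)."""
    if len(password) < min_length:
        return True
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return classes < 3


def login(db: dict, username: str, password: str) -> tuple:
    """Verify against the stored hash; on success, test the transient plaintext against the
    policy and flag the account if it fails. Returns (authenticated, must_change)."""
    rec = db.get(username)
    if rec is None:
        return (False, False)
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
        return (False, False)
    if is_weak(password):
        rec["must_change"] = True
    return (True, rec["must_change"])


def audit_against_wordlist(db: dict, wordlist) -> list:
    """Offline audit of existing hashes: re-hash each common password with each user's salt
    and compare. This is all that can be done once only hashes exist, and it finds only
    passwords that appear in the list. Returns the usernames flagged."""
    flagged = []
    for username, rec in db.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, rec["salt"]), rec["hash"]):
                rec["must_change"] = True
                flagged.append(username)
                break
    return flagged


# Constructed list of common weak passwords used by the audit (assumption).
COMMON_WEAK = ["password", "password1", "123456", "qwerty", "letmein"]


def demo() -> dict:
    """Run both mechanisms over a constructed user store and return the observable results."""
    db = {}
    create_user(db, "alice", "correct-Horse-battery-9")  # long, four classes
    create_user(db, "bob", "password1")                   # on the common list
    create_user(db, "carol", "Abc12345")                  # not on the list, but too short
    results = {}
    results["audit_flagged"] = audit_against_wordlist(db, COMMON_WEAK)   # finds bob only
    results["alice"] = login(db, "alice", "correct-Horse-battery-9")     # (True, False)
    results["carol"] = login(db, "carol", "Abc12345")                    # (True, True): caught at login
    results["bob"] = login(db, "bob", "password1")                       # (True, True): flagged by audit
    results["bob_wrong"] = login(db, "bob", "wrong-guess")               # (False, False)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit catches only what is on the list (carol's short password passes it), while the login-time check catches policy failures regardless of the list but only when the user next authenticates; a rollout like the one the memo describes would typically combine both, which is consistent with hashed storage.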

  4. Re:Lame. by macraig · · Score: 5, Insightful

    You ruined your own argument halfway through the rant. It's not about "Fuck the terrorists. We don't negotiate. Ever." It's about reacting knee-jerk to terrorism by altering values, restricting freedoms, and generally making the society more closely resemble the repression of the terrorists' own culture. So actually the "country as a whole" did in fact give in to terrorism. We have the Patriot Act (still) and a whole tanker fleet full of other repressive and invasive institutions and programs that either didn't exist at all beforehand or were mere shadows of what they are now.

    The terrorists did win, regardless of per capita casualty stats. Our society now looks a bit more like their ideal than it did in 2000, not the other way around.

    What MIT has done here is exactly the same behavior.

  5. Courage is in short supply. by mlwmohawk · · Score: 3

    The "Home of the Brave" is a joke at MIT, and at U.S. universities across America. Once the wussy administrators take hold, all is lost without a fight. Wussy administrators will use security and safety as their cudgels. They will hide behind their desks and enact policy that eliminates any freedom that may challenge the status quo.

    This is, in fact, what America deserves unless and until we ALL have the courage to fight it everywhere it is. I would say "Shame On You" to MIT, but I would be decades late.

  6. Re:Lame. by Anonymous Coward · · Score: 2

    I'm not getting this. The gunman hoax didn't issue an ultimatum that MIT close their network. MIT did that of their own free will*. Just as the hijackers of 9/11 didn't demand that we send travellers through enhanced patdowns at the airport. We did that of our own free will. What's the difference?

    *Hell, the demands linked to the DDoS demanded the opposite - a greater commitment to the same spirit that led MIT to create the open network policy in the first place.

  7. Re:History rhymes by Nimey · · Score: 3, Funny

    BINGO!

    Hah, got my card filled out that time.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  8. Re:Lame. by girlintraining · · Score: 2

    What MIT has done here is exactly the same behavior.

    You're saying two wrongs make a right. The government failed, therefore MIT should also follow in their fail-steps, thus leading to The Right Thing.

    --
    #fuckbeta #iamslashdot #dicemustdie
  9. Try reading the actual article by murdocj · · Score: 4, Informative

    I mean, yes, this is Slashdot, so the kneejerk reactions are appropriate, but if you bother to read the article, the changes are just plain common sense. They are going to enforce reasonable passwords, and if you want to have an externally accessible server, you either need to use a VPN, or opt out of the security policy. All this foaming at the mouth about the end of academic freedom sounds a lot like the NRA freaking out when someone proposes limiting how many rounds you can fire off at a time without reloading.

  10. Re:Lame. by uncqual · · Score: 3, Insightful

    Would we say that because MIT locks some of the doors to some of their rooms some of the time that the thieves and burglars have won long ago? Would we say that MIT "caved" to the thieves and burglars?

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  11. Re:Lame. by Anonymous Coward · · Score: 2, Funny

    Terrorists didn't win you say? Consider that the next time you're at the airport.

    Yup, that's what the terrorists REALLY wanted, forget all the religious, ideological, or political crap; annoying airport security procedures. They sure showed us!

  12. A dark day for MIT by Casandro · · Score: 2

    Here they admit they don't understand the Internet, by limiting incoming "connections" and acting as if there were a difference between a server and a client. It's a testament that freedom and education are now less important than stupidity and the fear of imaginary dangers.

  13. Faculty by puddingebola · · Score: 2

    What is the faculty's response to this response?

  14. Re:Lame. by girlintraining · · Score: 2

    Would we say that because MIT locks some of the doors to some of their rooms some of the time that the thieves and burglars have won long ago? Would we say that MIT "caved" to the thieves and burglars?

    You're making a strawman argument here. I have thieves and burglars in my neighborhood. It doesn't mean I hide under the couch, stroking my gun, and mumbling "The time of purification is soon..." There is this thing called proportional response: And considering the massive benefits of the open-network policy in terms of the innovations that have come out of MIT versus the uncommon and not terribly harmful issues that have come up because of it, it's a terrible decision. The very start of hacking and humanity's first foray into artificial intelligence got its start because of that open policy.

    If you wanna throw that away because of some burglars and thieves, you're a fool.

    --
    #fuckbeta #iamslashdot #dicemustdie
  15. Re:Lame. by X.25 · · Score: 2

    We did that of our own free will, which is perhaps more damning. But no terrorist demanded or coerced us into fortifying our airports with questionably useful security. That's my only point: We never gave in to terrorist demands. We may have responded in a less than thrilling and intelligent manner, but we didn't just cave.

    Holy Mother of God.

    Do you even understand what you are saying?

  16. Re:Lame. by uncqual · · Score: 4, Insightful

    Okay. Since you want to make this personal. No, you're a fool.

    MIT's open policy was simply a convenient exception to most institutions. However, the risk of the open policy interfering with productive use of the network has now, in the judgement of adults, exceeded the value of letting anyone run a child porn service (or similar, including DDOS attacks) on/from MIT's network. Early mass produced automobiles didn't have door locks or ignition locks - do you expect to have a door lock on a new car you buy? Time moves on.

    Serious students who want to develop whatever they want to will simply set up N virtual machines on their laptop on a local virtual network to do whatever they need to do. If they want to expose it to the world, they will either apply for the "opt out" option with MIT or just use AWS or something like that to open it up to the broader world and end up launching the next Google or Facebook. It's not 1995 anymore - grow up - automobiles have door locks now.

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  17. Re:Lame. by jedidiah · · Score: 3, Insightful

    The TSA is just the tip of a very large iceberg. It's an indicator that they were pretty successful in subverting our open society. They have caused us to ignore our founding ideals.

    This is especially troublesome in Boston.

    It's kind of like opening a Boston Baked Beans factory in Mecca.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  18. Paying for Nothing by SuperKendall · · Score: 2

    If you're a student, running your game server (or Net-accessible model railroad controller, or whatever) doesn't have anything to do with what you're paying MIT

    You are there to learn, why does it have to be only through classes? What is the point of computer labs and a fast network if not to help you learn? That's part of the REASON you go to a college, so that you have access to facilities you would not otherwise. May as well burn down the library also, or only allow check-out of course approved books!

    If you aren't allowed access to resources around you for however you want to learn, then there is REALLY no point in going to college at all. And MIT just lost a distinctive advantage that made them a better technical school. Now there is no way I could justify paying an MIT tuition with them basically treating students like criminals.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  19. Re:CS is not networking not IT / servers and not de by SuperKendall · · Score: 2

    CS is not networking not IT / servers

    Part of it very much is (especially networking). How can you design an application to make effective use of a network without at least understanding the basics of how a network works?

    It's all intertwined, and any good CS program DOES have some options to help you learn those things. But it's not like additional learning does not help.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  20. Re:Lame. by Man+On+Pink+Corner · · Score: 2

    No, the terrorists didn't win. We both lost. We lost as you noted above. The terrorists wanted the US out of the Middle East and instead got us even more involved.

    Not quite. Among other things, what bin Laden primarily demanded was that the US leave Saudi Arabia.

    His demands were met, as the US hastily closed its Saudi bases after 9/11 and moved into Iraq.

    Since Iraq was a secular state with no Muslim holy sites of any significance, Al Qaeda never gave a hoot about it. It was only in the aftermath of the US invasion, when it became apparent that the secular nature of the country was up for grabs, that Al Qaeda became involved.