Slashdot Mirror


MIT Launches Three-pronged Effort To Thwart Cyber Attacks

alphadogg writes "MIT is attacking cybersecurity from three angles: technical, regulatory and managerial through three programs and in partnership with major corporations. The initiatives include participants from across several MIT schools as well as from outside the university with a goal of making it harder for attackers to succeed in efforts to break into networks, disrupt them, and steal and destroy data. The technical challenge will be met by the school's Computer Science and Artificial Intelligence Laboratory (CSAIL) in cooperation with a group of industry partners – BAE Systems, BBVA, Boeing and Raytheon – that will meet periodically to be briefed about ongoing research."

43 comments

  1. The Real Problem by Anonymous Coward · · Score: 1

    Engineers have a responsibility to themselves, their profession, and to everybody that comes after them. Our fathers and grandfathers realized this when they invented reliable electronics. If this generation were to make electronics it would be hit and miss, maybe it works or it doesn't, and who cares? Engineers have to make things rock solid and reliable in order to move the profession and the future of the profession forward.

    I am so frickin disappointed in the current state of things. Things should be rock solid, reliable, trustworthy. It ain't!

  2. The solution being totally obvious .. by DougPaulson · · Score: 2

    How to keep critical infrastructure safe from potentially life-threatening attacks

    The solution being to not download and run other people's code on your 'computer', not connect your critical infrastructure to the Internet and to ask the NSA/GCHQ to stop devising methods to dilute security on the Internet.

    1. Re:The solution being totally obvious .. by Anonymous Coward · · Score: 1

      Like I posted before, the root cause of this problem is that Engineers don't care anymore. They spew crap like they are terminally on the toilet. Real Engineers like the ones who put men on the moon would be able to devise secure systems. They would be able to protect privacy. They wouldn't create crap that crashes all the time. They would care more about their craft and their reputation than about big brother.

    2. Re:The solution being totally obvious .. by CaptainDork · · Score: 2

      Yes. Those listed are not serious except to waste money on funding.

      Any real attempts to "thwart" attacks from the outside would START with identifying the external actors.

      That's:

      1.) Our government
      2.) Their government
      3.) Big business
      4.) Organized crime
      5.) Cyber gangs
      6.) Kiddies

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:The solution being totally obvious .. by Anonymous Coward · · Score: 0

      What a shame Engineers let things get so out of control that you can make a list like this and it is true!! Hang your head in shame Engineers, I suspect mostly "Software Engineers". You are NOT REAL Engineers. Engineers make things that are reliable, repeatable, and useful. My respect for "Software Engineers" just went down, and I didn't think that was possible.

      At least Hardware Engineering is still a real profession. If I buy a chip I know it will be reliable. With Software Engineering, who knows?

    4. Re: The solution being totally obvious .. by Anonymous Coward · · Score: 0

      Putting a man on the moon is not are difficult task than this.

    5. Re: The solution being totally obvious .. by Anonymous Coward · · Score: 0

      Please don't feed the troll

    6. Re:The solution being totally obvious .. by Anonymous Coward · · Score: 1

      What a shame Engineers let things get so out of control that you can make a list like this and it is true!! Hang your head in shame Engineers, I suspect mostly "Software Engineers". You are NOT REAL Engineers. Engineers make things that are reliable, repeatable, and useful. My respect for "Software Engineers" just went down, and I didn't think that was possible.

      At least Hardware Engineering is still a real profession. If I buy a chip I know it will be reliable. With Software Engineering, who knows?

      Blame software engineers and their unholy worship of Java and their managers' unbridled greed and incompetence to plan a software project. Clicky-clicky is all the managers want to hear and the "engineers" can't handle a real programming language that does not require seven levels of redirection. It would be an "Amen!" moment if those software engineers and architects died at the hands of their "design patterns" and "frameworks" and model-view-controllers.

    7. Re: The solution being totally obvious .. by Anonymous Coward · · Score: 0

      it is not are, lol.

    8. Re:The solution being totally obvious .. by Anonymous Coward · · Score: 0

      Has MIT started locking the closet doors yet?

    9. Re:The solution being totally obvious .. by Anonymous Coward · · Score: 1

      LOL Although I can see a use for these things at some level you couldn't be more right. It's absolutely ridiculous how many needless layers get into projects just because there were that many needless people working on them due to a total lack of proper planning in the first place. Of course that's because the people who know how to design the systems are never the people who manage their development. YMMV.

    10. Re:The solution being totally obvious .. by Anonymous Coward · · Score: 1

      >>
      At least Hardware Engineering is still a real profession. If I buy a chip I know it will be reliable. With Software Engineering, who knows?

      Well, you know your chip is reliable, except when it's not. :)

      There are plenty of counterexamples to chips always being reliable. E.g. the recent Rowhammer problem (repeated writing to memory locations changing the memory in other locations of the RAM chip, with demonstrated exploitable security risks). Or the Intel floating point arithmetic bug. Etc.

    11. Re:The solution being totally obvious .. by Anonymous Coward · · Score: 0

      How to keep critical infrastructure safe from potentially life-threatening attacks

      The solution being to not download and run other people's code on your 'computer', not connect your critical infrastructure to the Internet and to ask the NSA/GCHQ to stop devising methods to dilute security on the Internet.

      The solution is to have no internet and no computers.

    12. Re:The solution being totally obvious .. by Anonymous Coward · · Score: 0

      yup, i guess even the original Apple computer could be melted by an algorithm, which should not ever happen. a few mistakes. i guess maybe i'm frustrated at all of the problems of the internet and security. i can't believe that with the brain power we have that this can't be just solved and 'Management' won't have to get into it.

    13. Re:The solution being totally obvious .. by CaptainDork · · Score: 3, Informative

      I've been at this shit since Moby Dick was a minnow.

      I remember when there was no local area network -- way before the Internet.

      Malicious programs got circulated by 5 1/4" floppies via MSDOS.

      That's when the problem started and that's how far back we have to go.

      I can foresee some improvement if we move toward the dumb terminal/mainframe architecture by way of sand-boxed apps that can be pulled from a centralized location if they go rogue.

      Bill Gates, Steve Jobs, and Steve Wozniak were part of the Digital Revolution where they wanted to decentralize data and put computers in the hands of the people.

      Now it looks like we need a backlash.

      --
      It little behooves the best of us to comment on the rest of us.
    14. Re:The solution being totally obvious .. by penguinoid · · Score: 1

      Real engineers *get paid to* make things that are reliable, tested, and safe, because the company could be sued into bankruptcy if things go wrong. Some software engineers *get paid to* make things that are reliable, tested, and safe, because the company could be sued into bankruptcy if things go wrong. Other software engineers *get paid to* get it done by tomorrow, because if something goes wrong no one but a few nerds gives a crap. But none of that could possibly be the fault of the managers.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    15. Re:The solution being totally obvious .. by Anonymous Coward · · Score: 0

      1) CyberStatic. Broadcast encrypted static (packets) that looks like it has a payload, and timing breaks between packets that looks like these breaks are significant.
      2) On the fly substitution. Program to inject false information to Advertiser / Snoops to contaminate their collections.
      3) Certificate Games. Blow the whistle when man in the middle attacks are in progress.
      4) Name and Shame Vendors using falsely signed modules
      5) Add Immutable security extensions that lock down standard systems.
      6) Publish what the AV Vendors are choosing NOT to reveal
      7) Fake logger Tool. Edit the logs. Make yourself look hacked.

    16. Re:The solution being totally obvious .. by linkdude64 · · Score: 1

      "centralized locations are good" "they wanted to decentralize data and put computers in the hands of the people. Now it looks like we need a backlash."

      Would you happen to be selling a Cloud "App" or Subscription-Based software service perchance? All I need to do is sign up now for a 10% discount** to a program I won't have to do anything to maintain, right?

      I can see that you have a point, but right now, with the state of privacy what it is, air-gapped or firewalled local area networks and local storage are the most secure places for my data, as far as I'm concerned. No grandma is going to set up a Home "mainframe-style architecture" to look at cats on the internet. She would sooner sign up for MS Windows "We Promise*** it's safe**** with us" Edition for all of her OS and "App" needs, and with internet speeds becoming faster, I fear that your suggested model is one we are moving toward.

      **Discount may not be combined with any other offer or personal/technological freedom of any kind

      ***MS not liable for any violations of privacy

      ****Not safe from any advertising agency or governmental inquiries

    17. Re:The solution being totally obvious .. by Lodragandraoidh · · Score: 1

      Bill Gates, Steve Jobs, and Steve Wozniak were part of the Digital Revolution where they wanted to decentralize data and put computers in the hands of the people.

      Now it looks like we need a backlash.

      No, the solution isn't centralization of our data systems. You can already see where that is leading with the high profile exposures today (Sony, Target, et al). It is a fallacy to assume corporations have all the answers, or will act in the general public's best interests. Short term profit is the only thing that has any meaning in that system.

      At the same token we can't continue going along like we are - as that is already proven to fail.

      The very thing that makes the internet useful for communications and commerce for large populations spread all over the globe, is the same thing that is at the core of its weakness: public key encryption. To be more specific, computers are designed not to be random, and the systems we've devised to get around this problem have limits that may be exploited. When paired with encryption these limits open up potential exposure, and advancements in computing technology allow those exploits to be more readily used. For certain short term transactions, this level of exposure may be an acceptable risk - for data that is transient in nature, and not useful to someone at some future point in time. However, much of the data we trust to encryption could be useful to a 3rd party in the future.

      We could ensure our systems (personal or corporate - doesn't matter) are completely secure from a remote attacker - by placing them inside a Faraday cage, and disconnecting them from the internet. While the data would be secure, it wouldn't be very useful in the broader context of communication and commerce - but for some types of information it might be an appropriate approach, and I imagine is what some sensitive government networks opt for their classified systems. For all other systems it would be as useful as throwing them into the deepest part of the Pacific Ocean - secure, but useless.

      In order to communicate on the wider stage then, we must accept a certain amount of risk. I think we are all in agreement that the current risks are unacceptable the way they are today. I also think there is no single magic bullet. I think you will see the teams focus on the following areas, assuming corporate interests are not overly impacted by the potential solutions:

      Tools - tools need to be devised that don't allow neophyte application programmers to shoot themselves in the foot.

      Training - training has to be developed based upon new approaches, and made available widely.

      Willpower - everyone - corporations down to individual developers - must have the willpower to do some things that might be hard at first (e.g. code reviews of all code - including libraries, refactoring/rewriting same in light of security issues etc) - and these things need to become habit.

      Whatever the outcome, there will be no silver bullet.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    18. Re: The solution being totally obvious .. by gtall · · Score: 1

      Mr. Apple meet Mr. Orange...what??? You two cannot compare each other? Imagine that.

    19. Re:The solution being totally obvious .. by CaptainDork · · Score: 1

      I think MS Windows is obsolete. That was sorta my whole point. Windows has its roots in an unsecure paradigm.

      Maybe we can move forward if all apps (business/consumer) are sand-boxed where malicious activity can be neutralized.

      --
      It little behooves the best of us to comment on the rest of us.
    20. Re:The solution being totally obvious .. by CaptainDork · · Score: 1

      tl;dr, but you mentioned Sony and Target.

      I don't give a flying fuck about Sony and Target. Those guys can worry about themselves.

      My immediate concern is things like ransomware.

      I want my (business/consumer) programs and data to be safe.

      Eventually, market evolution will take care of the weak Sony and Target entities if they can't adapt.

      --
      It little behooves the best of us to comment on the rest of us.
    21. Re:The solution being totally obvious .. by linkdude64 · · Score: 1

      I suppose where I disagreed with you was with your statement,

      "Bill Gates, Steve Jobs, and Steve Wozniak were part of the Digital Revolution where they wanted to decentralize data and put computers in the hands of the people."

      Which is a contradictory statement.

      Once the above companies stop supporting their software, it becomes insecure, and because it is closed-source, we are forced to upgrade. That's software centralization and control if there ever was such a thing.

      Perhaps unwittingly, we both bought into the idea (at least in the scope of this discussion) that the software they offered was ever "ours" to begin with. That their offerings were ever "in the hands of the people" which non-free software certainly isn't.

      So the "Centralized software" idea is already farther along than I realized initially, and perhaps farther along than you realized initially. What it isn't, is sandboxed; a good suggestion.

      So the centralization aspects would be functional in a manner that you suggest, but only under two conditions:
      1) it is GNU/Free as in GNU/Freedom (lol)
      2) Private

      and for sandboxing, clearly the only option is to get rid of things like systemd. Like that one guy's sig, "If anyone knows why GNOME chose to depend on systemd, please tell me." If we don't know why, we don't have control, if we don't have control, etc., etc.

      So I think we've reached an understanding, here.

  3. The program is funded by $15 million... by turkeydance · · Score: 2

    Silly security rabbit. Program is for funding.

  4. I just shat The Big One by Anonymous Coward · · Score: 0

    I feel relieved..

  5. The first task is impossible ... by CaptainDork · · Score: 1

    ... go back and build all of the systems from scratch and do it right this time.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:The first task is impossible ... by Anonymous Coward · · Score: 0

      This is what needs to be done. We need to dump the current internet. We need to fire all the flaky things that call themselves "Software Engineers". At least hardware engineers know the value of testing and reliability - Maybe put them in charge. Create a new network that is reliable, secure, private, and that serves people instead of intimidate/abuse people. Using technology needs to be a pleasant, wonderful experience or all real engineers will perish. Get your cr#p together "Engineers" - you may be entitled pieces of garbage but you are responsible for building on the shoulders of great men who sacrificed and worked incredibly hard so you can have your fluffy little job.

    2. Re:The first task is impossible ... by Zontar+The+Mindless · · Score: 1

      And this, kids, is why you don't drink a 6-pack on the golf course and then post on Slashdot.

      --
      Il n'y a pas de Planet B.
    3. Re:The first task is impossible ... by Anonymous Coward · · Score: 0

      vodka, to be accurate. all software engineers i've ever met sucked, and i met many. they cut corners, bs all the time, and do shoddy work. the only thing they are good at is finding somebody to blame their incompetence on when needed. At least Hardware Engineers know that things either work or they don't and there is a lot less BS floating around.

  6. A 3 pronged attack. by Anonymous Coward · · Score: 0

    That's 1 prong, 2 prongs, 3 prongs. 3 prong attack!!!!1

    1. Re:A 3 pronged attack. by Anonymous Coward · · Score: 1

      My electrical plugs are all three-prong. Maybe they can assist with this new three-pronged initiative.

  7. true intentions by Gravis+Zero · · Score: 2

    let's be clear here, the people these corporations work for are not looking to thwart cyber attacks, they are looking to thwart cyber attacks against themselves. the rest of us will still be considered their cannon fodder.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:true intentions by sociocapitalist · · Score: 1

      let's be clear here, the people these corporations work for are not looking to thwart cyber attacks, they are looking to thwart cyber attacks against themselves. the rest of us will still be considered their cannon fodder.

      Not MIT - they'll be in it for whatever patents come out of the work that they can make money on - presumably by deploying the resulting products / services as widely as possible - and for a fee.

      --
      blindly antisocialist = antisocial
  8. Yeah but... by Anonymous Coward · · Score: 0

    Is one of the prongs badgering the hacker into killing themselves?

    Or just that one time...

  9. Managerial by Anonymous Coward · · Score: 1

    Managerial Effort To Thwart Cyber Attacks

    Now I am Officially in Dilbert Land

    I am so ashamed to have ever known a Software Engineer in my life.

    1. Re: Managerial by jd2112 · · Score: 1

      Is the managerial approach "give the security team the budget and authority to do their jobs"? If not, I can't see this working.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
  10. May the Swartz be with them by Anonymous Coward · · Score: 1

    http://en.wikipedia.org/wiki/Aaron_Swartz

  11. The Green Manalishi by Anonymous Coward · · Score: 0

    And the three-pronged Fleetwood Mac attack!

  12. Odd by Anonymous Coward · · Score: 0

    Anyone notice that of those four third-party businesses, three are rather common US government contractors? I see yet another conflict of interest.

  13. The MIT approach by Anonymous Coward · · Score: 0

    Is to use a slimy morally depraved prosecutor to drive the hacker to suicide.

  14. be better people. by Anonymous Coward · · Score: 0

    Some attackers do so because they believe you DESERVE to be attacked. And for MIT, one reason some may decide to do this would be Aaron's death because MIT were asshats (they started it, so the fact that after a vote-hunting bigot attorney got it as a vote winner campaign they had no avenue for stopping it doesn't absolve them of it).

    So one method to reduce (not eliminate, because it's only a few doing it for this reason) the problem is to be better people, and ignore "MIT made me do it" corporate shielding. Your employer can't make you do shit if it isn't in the job description, you have to let them.

    Yes, yes, your boss can then fire you and you're fucked, but that's really because you've willingly fucked the employee's rights in your political dream that you're not peons, you're temporarily disadvantaged barons. Suck it up, and live a better life and you'll be less successful, but you'll have fewer regrets on your deathbed. And maybe by changing how the game is allowed to be played, you can leave a legacy you can be proud of.

  15. they're behind by Kishin · · Score: 1

    They're way behind other efforts. Anyone interested in this stuff look at crash-safe.org and Google Cambridge's CHERI processor project. CHERI already runs a port of FreeBSD. There's also numerous prototypes that put crypto in for confidentiality and integrity protection, some running Linux already. The recent Control Pointer Integrity work is pretty clever and was applied to FreeBSD userland.

    Long story short, we already have a bunch of good solutions just waiting to be put into silicon and marketed. I'll be interested in seeing what MIT comes up with. Yet, BAE (with SAFE), Cambridge, and others have largely solved our main problems with usable prototypes. Gotta wonder why the best of INFOSEC research rarely makes press but organizations' promises do.

    Nick P.