In Survey of American Universities, MIT Scores Worst In Cybersecurity
An anonymous reader writes: In a cybersecurity survey of 485 large colleges and universities, the Massachusetts Institute of Technology came in at the bottom of the list. In a report released today, SecurityScorecard analyzed the educational institutions based on web application security, network security, endpoint security, IP reputation, patching, and other security indicators. That might not seem intuitive, but according to the linked article, it's not purely mistaken. Some of that low ranking can be chalked up to things like intentional security holes created in the course of researching vulnerabilities, but some of it comes from "exposed passwords, old legacy systems, and a bunch of administrative subdomains that seem to have been forgotten about," as well as pockets of malware.
Is this proportional to the number of systems? (Score:2)
Re: (Score:3)
Well, the summary does state "In a cybersecurity survey of 485 large colleges and universities"
Which would at least imply that their targets were all of a similar size...
Re:Is this proportional to the number of systems? (Score:5, Interesting)
I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account.
That might have been true fifteen years ago, but really these days computers are ubiquitous everywhere. I think it's more likely to do with two things: an early embrace of computers combined with an almost uniquely dysfunctional administrative culture that makes change even harder than it would be in most places. It's what comes from taking a group of people who are used to being right when everyone around them is wrong and making them run a large, complex institution. The results are astounding, sometimes in a good way but by no means always.
Re:Is this proportional to the number of systems? (Score:5, Interesting)
So... I'm at another university and have another take on this, which is that freedom and security are often inversely related.
My university is pretty locked down when it comes to security, and it's also annoying as @#(! if you need to do anything creative or nonstandard research-wise. Sure, it's secure as @#$*, but also Orwellian and ignorant as @#$*.
That is, if you want to have an institutional culture that's built around "hey! take this stuff and play around with it without any restrictions" you can't also be saying "hey! don't do that!" to everything they do.
My guess is something like that is going on.
Re: (Score:2)
That's how I remember it. When I was at MIT, there wasn't really a centralized IT administration per se. I mean sure there was for the general campus-wide network and the public computer labs. But if your research lab wan
Re: (Score:2)
I have encountered a wide spectrum of administration styles, from "unless it has an IT sticker on it, has all the corpware and can be managed by domain GPOs, it doesn't get near a Wi-Fi AP or a switch" to "Here is your subnet/subdomain in DNS, if something happens, don't blame us."
Some autonomy is good. If a network is isolated from everything else [1], with an IDS/IPS watching the exit traffic just in case there is an infection, someone can be notified if it wasn't part of a test, then if the segment gets
Re: (Score:1)
I know a guy who works for the local university IT department, and at the beginning of every semester, there's the hassle of ensuring minimum security/virus protection protocols on all the new computers and laptops (and probably tablets too) that students bring to campus.
You'd be surprised by the number of students who get a case of the chapped ass over installing the mandated virus protection before using the university's network.
Re: (Score:1)
mandated virus protection before using the university's network.
Your university makes them install Linux?
Re: (Score:2)
My guess is something like that is going on.
The network is extremely open by design (ref: Aaron Swartz), as is the physical campus.
Re:Is this proportional to the number of systems? (Score:4, Interesting)
Laissez-faire has been the status quo for networking at MIT for decades. The attitude seems to be that "policies" just get in the way. I was a sys admin there a long time ago, there were no firewalls, no nothing. We didn't have DHCP. We got IP addresses for the systems and we hardcoded them. Of course it was a mess. But the professors and grad students are 100% focused on their theses and projects and they really didn't care about anything as long as they could get their work done, so it was all very very sloppy. I always felt that they needed much more structure and I am really surprised that it seems like nothing has changed there.
Re:Is this proportional to the number of systems? (Score:4, Interesting)
Sounds to me like that's probably the attitude in a high-performance, high-pressure environment ("policies get in the way of getting work done"), and if the culture hasn't changed since your time there, then the attitude has only scaled up with the complexity of the system.
Not a knock on you, of course, and I hope you don't take it that way. You still have to rely on the user base to be the last lines of security within a system.
Re: (Score:3)
I can't think of anything more counterproductive in a research environment than a firewall. It's actually just security theater.
If you let people set up their own systems, you are gonna get nasty local packet storms from misconfigured systems, firewalls keep the stuff from taking over the whole campus network - voice of experience here
Re: (Score:3)
No security is better than bad security. Bad security is false security, whereas no security isn't.
If everyone knows the system isn't secure, then they take all the steps needed to be secure by themselves.
Re: (Score:2)
If everyone knows the system isn't secure, then they take all the steps needed to be secure by themselves.
No, they don't do anything at all. When you are up to your eyeballs in your master's thesis you don't care about security or backups or clean clothing or deodorant or any of those things. You expect someone else to do it for you, but guess what? Due to budget cuts, there is nobody tasked to make backups or update systems. Welcome to university life.
Re: (Score:2)
Laissez-faire has been the status quo for networking at MIT for decades. The attitude seems to be that "policies" just get in the way. I was a sys admin there a long time ago, there were no firewalls, no nothing. We didn't have DHCP. We got IP addresses for the systems and we hardcoded them. Of course it was a mess.
Yes, and much of that is still the same. MIT has the entire 18.x.x.x block. There are plenty of direct IP addresses to give out to every single computer on campus, and I believe that's still the case.
If you have a look at the Ars Technica story on this report, they identify major components of the ranking, which include things like:
Network security: a score based on the number of vulnerable services running directly exposed to the Internet, based on a scan that audits version numbers of exposed software and open ports on those systems correlated with a database of known exploits, according to SecurityScorecard Chief of Research Alex Heid.
Hacker chatter: a score based on the frequency with which the school was mentioned in hacker forums, and amount of user credentials, e-mail addresses and other breached data circulating on those forums over the observed period.
Password exposure: the degree to which students, faculty, and employees are using weak passwords. This score was in part based on the user credential data discovered in hacker chatter. "Our signals and sensors found 6 credentials for accounts associated with student and employee email discovered in 4 data leaks," SecurityScorecard reported.
In other words, they dropped MIT to the bottom of the list because they have most computers and systems on actual IP addresses connected directly to the internet, and because
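The "network security" component above is a banner-and-version audit of Internet-exposed services. The following script, added here as an illustration and not part of the Ars Technica article or SecurityScorecard's scanner, shows the shape of that check: it parses product and version out of service banners and flags anything below a minimum acceptable version. The banners, hostnames and the MIN_VERSION table are constructed for the example; a real scanner would grab the banners over TCP and consult a vulnerability database rather than a hand-written table.

```python
"""Toy exposed-service audit: parse banners, flag outdated versions."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample banners (not real scan output). Each entry is
# (host, port, first line a TCP client would receive from the service).
SAMPLE_BANNERS = [
    ("host-a.example", 22, "SSH-2.0-OpenSSH_5.3"),
    ("host-b.example", 22, "SSH-2.0-OpenSSH_7.4"),
    ("host-c.example", 21, "220 ProFTPD 1.3.3 Server (ProFTPD) [::ffff:10.0.0.3]"),
    ("host-d.example", 21, "220 (vsFTPd 3.0.3)"),
    ("host-e.example", 80, "Server: Apache/2.2.15 (CentOS)"),
    ("host-f.example", 25, "220 mail.example ESMTP Postfix"),
]

# Assumed minimum acceptable versions (illustrative thresholds, not a
# statement about which versions are actually vulnerable).
MIN_VERSION = {
    "OpenSSH": "7.0",
    "ProFTPD": "1.3.5",
    "vsFTPd": "3.0.0",
    "Apache": "2.4.0",
}

# One regex per product we know how to fingerprint; group 1 is the
# product name, group 2 the dotted version string.
BANNER_PATTERNS = [
    re.compile(r"^SSH-2\.0-(OpenSSH)_([\d.]+)"),
    re.compile(r"^220 (ProFTPD) ([\d.]+)"),
    re.compile(r"^220 \((vsFTPd) ([\d.]+)\)"),
    re.compile(r"^Server: (Apache)/([\d.]+)"),
]


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) or None if the banner is not recognised."""
    for pattern in BANNER_PATTERNS:
        match = pattern.match(banner)
        if match:
            return match.group(1), match.group(2)
    return None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.3.3' -> (1, 3, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(banners: List[Tuple[str, int, str]]) -> List[Dict[str, object]]:
    """Classify each exposed service as 'ok', 'outdated' or 'unknown'."""
    findings = []
    for host, port, banner in banners:
        parsed = parse_banner(banner)
        if parsed is None:
            findings.append({"host": host, "port": port, "product": None,
                             "version": None, "status": "unknown"})
            continue
        product, version = parsed
        minimum = MIN_VERSION.get(product)
        if minimum is not None and version_tuple(version) < version_tuple(minimum):
            status = "outdated"
        else:
            status = "ok"
        findings.append({"host": host, "port": port, "product": product,
                         "version": version, "status": status})
    return findings


def outdated_hosts(findings: List[Dict[str, object]]) -> set:
    """Hosts that expose at least one service below its minimum version."""
    return {f["host"] for f in findings if f["status"] == "outdated"}


if __name__ == "__main__":
    for finding in audit(SAMPLE_BANNERS):
        print("{host}:{port} {product} {version} -> {status}".format(**finding))
```

Anything the regexes do not recognise lands in the "unknown" bucket rather than being silently counted as fine; in a real audit those are the entries to go and look at by hand, since forgotten administrative hosts rarely advertise a tidy banner.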
Re:This reminds me of Our Savior, Richard Stallman (Score:4, Interesting)
It was common knowledge that rms's password on mit-mc was rms. I think a lot of people learned macsyma by using rms's account.
Re: (Score:2)
I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account. Not reading the actual TFA because it requires me to register or something dumb like that.
As I think anyone who has ever done IT to support an engineering or software team would attest, supporting these teams is about like herding cats. We all want to use whatever technology we know, that does the function we want it to do. We will not tolerate anything Microsoft or Oracle (mostly becaus
Misleading (Score:1)
Their whole network's just a honeypot, as Aaron Swartz found out.
Apples and Oranges (Score:2)
The difference is that when their shit breaks, they can fix it.
Re: (Score:2)
Except that you can't recover data once it is stolen...
Being able to fix a problem is not the point. Any monkey can fix a hacked computer by wiping it and reinstalling the OS. It is the data that is important.
Security only where it really matters? (Score:5, Interesting)
As an MIT alum, I'm gratified that the postings here didn't turn into a giant attack on MIT. Heaven knows the place is far from perfect, but I did get an outstanding education that stood me in good stead in the course of a long career.
Although this is purely anecdotal, some people I talked to tell me this. There's a lot of freedom at MIT (and there always has been), and the emphasis is on breakthrough creativity. So for the most part security issues, strict rules, locking things down, etc., all take a back seat.
But there are a few systems, just a few, that are highly protected and known in the culture to be strictly off-limits. Have we heard of major data breaches and MIT student data being stolen on a large scale? I haven't. I suspect it's because the emphasis is on security in those few places where it really matters.
Can someone who is currently at MIT comment on this? As I said, this is anecdotal and could be dated and/or inaccurate.
Occupational Therapy (Score:2)
That's because MIT is trying to prepare students for the corporate environment. It's job training, really.
OBVIOUSLY (Score:2)
Don't waste time downloading the "Full Report" (Score:2)
It is a tech college of course it will (Score:1)
Re: (Score:2)
ai.mit.edu has ssh access open
[CronoCloud ~]$ ssh ai.mit.edu
The authenticity of host 'ai.mit.edu (128.52.32.80)' can't be established.
RSA key fingerprint is SHA256:s2JBWJC3Mg1/fNR2qEZQk1Nr8szla0NZ9leWLO/E1aA.
RSA key fingerprint is MD5:0f:59:9d:f4:cf:52:be:19:f6:51:87:63:91:a6:af:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ai.mit.edu,128.52.32.80' (RSA) to the list of known hosts.
Password:
prep.ai.mit.edu still runs an ftp server.
I figure MIT is the sort of place t
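The ssh session above prints the host key in both fingerprint formats OpenSSH uses (base64 SHA-256 without padding, and colon-separated MD5 hex). The script below is an added example, not code from the post, showing how both strings are derived from the raw public-key blob and how to check a known_hosts entry against a pinned fingerprint. It builds a throwaway RSA blob with a meaningless modulus so it runs offline; that key and the known_hosts line are constructed for the example and are not ai.mit.edu's real key, so the real fingerprint quoted in the post will (correctly) fail to match it.

```python
"""Compute OpenSSH host-key fingerprints and check them against a pin."""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple


def ssh_fingerprints(key_blob: bytes) -> Dict[str, str]:
    """OpenSSH-style fingerprints of a raw public-key blob (the bytes that
    are base64-encoded in known_hosts / authorized_keys)."""
    sha = hashlib.sha256(key_blob).digest()
    md5 = hashlib.md5(key_blob).hexdigest()
    return {
        # ssh-keygen -l prints base64 SHA-256 with the '=' padding stripped
        "SHA256": "SHA256:" + base64.b64encode(sha).decode("ascii").rstrip("="),
        # the legacy format is 16 colon-separated hex byte pairs
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix plus the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 if needed."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> bytes:
    """Encode an ssh-rsa public key blob from its exponent and modulus."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


# Constructed toy key: an 84-bit modulus with no cryptographic meaning,
# used only so the example has a blob to hash. Not ai.mit.edu's key.
TOY_BLOB = make_rsa_blob(65537, 0xC0FFEE123456789ABCDEF)
TOY_KNOWN_HOSTS = (
    "# constructed known_hosts entry for the example\n"
    "ai.mit.edu,128.52.32.80 ssh-rsa "
    + base64.b64encode(TOY_BLOB).decode("ascii")
    + "\n"
)


def parse_known_hosts(text: str) -> List[Tuple[List[str], str, bytes]]:
    """Yield (host patterns, key type, raw blob) for each plain entry.
    Hashed (|1|...) entries are skipped; they need HMAC matching, not shown here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, key_type, b64 = parts[0].split(","), parts[1], parts[2]
        entries.append((hosts, key_type, base64.b64decode(b64)))
    return entries


def pinned_key_matches(known_hosts_text: str, host: str, expected_fp: str) -> bool:
    """True if an entry naming `host` has the expected 'SHA256:...' or 'MD5:...' fingerprint."""
    algo = expected_fp.split(":", 1)[0]
    for hosts, _key_type, blob in parse_known_hosts(known_hosts_text):
        if host in hosts and ssh_fingerprints(blob).get(algo) == expected_fp:
            return True
    return False


if __name__ == "__main__":
    fps = ssh_fingerprints(TOY_BLOB)
    print(fps["SHA256"])
    print(fps["MD5"])
    print(pinned_key_matches(TOY_KNOWN_HOSTS, "ai.mit.edu", fps["SHA256"]))
```

The point of pinning is that the "Are you sure you want to continue connecting (yes/no)?" prompt is the only moment a first-time client can catch a substituted host key; comparing the printed fingerprint to one obtained out of band, in whichever of the two formats the published record uses, is what turns that prompt into a real check.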
Re: (Score:2)
Yes, there's a need for FTP, but MIT doesn't need to run one on every subdomain they have! For example:
http://prep.ai.mit.edu/pub/gnu...
ftp://aeneas.mit.edu/pub/gnu/
http://prep.ai.mit.edu/pub/gnu...
ftp://aeneas.mit.edu/pub/gnu/c...
and don't forget:
ftp://rtfm.mit.edu/pub/
Re: (Score:2)
Not everyone runs FTP. There are much better, secure alternatives. You can use Dropbox-like services such as ownCloud, or use SFTP variants instead of straight FTP. Even WebDAV secured with SSL and backend authentication is better than FTP.
Not surprising (Score:2)
I am guessing the nature of MIT lends itself to having lots of odd and end networks around. I would hope whoever runs the segment that contains administration is at least securing their network (student data, financial data, financial transactions, grading, etc.).