They don't have to be unique. MIT/JSTOR wouldn't have really cared about accidentally blocking people unfortunate enough to share Aaron's MAC address. And, the MAC address would have been perfectly reliable had Aaron not spoofed it.

With enough resources it's practically impossible to provide reliably unforgeable credentials without strong crypto, and strong crypto goes against the whole point of MIT's open network.

MAC addresses should generally be globally unique. You can change it, but they are not meant to be shared. Bad things happen when MACs are not unique.