News Banned UMN Researchers Apologize to Linux Community

Status
Not open for further replies.
I am going to post again what I put on the other forum, as I find this article is downplaying the University's role in trying to insert code into the kernel that could damage its security.

This is just another downplay of the truth.

The following was written about the issue

The Linux Foundation has banned the entire University of Minnesota from contributing to the Linux kernel. The expulsion comes after researchers from the school published a paper titled "Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits."

This implies that they were banned for a bad reason, but I am more inclined to believe this one.

Greg Kroah-Hartman bans University of Minnesota from Linux development for deliberately buggy patches

Which is happening a lot in this bipartisan world, where leftist technocrats want to control or have a backdoor to everything. The CIA and FBI have always tried, but Linux is free and for the people. And if Greg did this, I am sure that it was for good reason, and the Woke! University has been caught red-handed. Greg has shown that he takes his job seriously and has checked every line of code and found that the University's programmers have been nefarious.
The activity of UMN would have been perfectly acceptable if had been done with full knowledge of (perhaps only a few) leaders in the Linux community as part of a broader security audit, with specifically defined goals and controls.

Failing that, I take the stance that Linux, and other open-source projects, should treat the code as if it personally belonged to each individual, therefore would never intentionally introduce code that is contrary to the code integrity.

How the above logic would not be obvious to legitimate researchers escapes me. That lapse might be the topic for a whole other discussion.
 

I don't want to be racist here; it's more the political ideology I wish to get at. Look at the names and nationalities of the contributors from the UMN. Chinese, and China has been caught with its fingers in the cookie jar fairly often recently. Windows is so buggy even script kiddies can hoax people into running malicious code and spying with the result.

Greg, the guy in charge who got them banned, said it was nothing to do with their written article; it was purely on him checking their code, line by line, and finding code that was redundant. When checking the code more closely, he could see that it was not only weakening the kernel, it was intentionally adding security flaws.

This cover story is downplaying the truth... GO TO THE SOURCE, GO TO GREG'S MESSAGE, AS HE WAS THE ONE THAT BANNED THEM...

There is the conjecture of a bullcrap narrative, and there is the truth... and Greg told the truth!
 
... When checking the code more closely, he could see that it was not only weakening the kernel, it was intentionally adding security flaws.
I wasn't aware of that. If that is the case, then the time needs to be taken to write and publish an exploit against the commit(s). Then the argument takes on a new life and UMN needs an additional slap with it.

Failing that, and regarding the racism/political ideology you mentioned... that computer science researchers are Chinese is not surprising at a university (unless the university uses racist quotas for admission)... a significant fraction of the researchers in my area of computer science expertise are Chinese (and some of my Chinese friends in this country are the most passionate anti-socialists, which is why they came to this country in the first place).
 
The activity of UMN would have been perfectly acceptable if had been done with full knowledge of (perhaps only a few) leaders in the Linux community as part of a broader security audit, with specifically defined goals and controls.
It's possible that those leaders wouldn't want there to be a paper highlighting how vulnerable open source software is to malicious contributions though, and would go out of their way to make sure that the code gets caught, even if it wouldn't have been otherwise. It's in their best interest to have people believe that their software is secure, after all, so they can't necessarily be trusted to not manipulate the results in their favor.

Realistically, there's probably malicious code inside widely-used open-source software that manages to get past audits and go undiscovered. When there are organizations spending billions to actively seek out ways to compromise devices, you can be almost sure that the operating system used on the vast majority of the world's servers has been compromised to at least some degree.
 
... that computer science researchers are Chinese is not surprising at a university ... a significant fraction of the researchers in my area of computer science expertise are Chinese ...

Not all ethnic Chinese are communists, but the rich ones that get money seemingly from nowhere, these are the ones to take note of.
China sends many of its young learners here and expects them to return to the communist revolution of the world. But like some of my Chinese pals from my uni days, they had no intention of returning after they completed their degree.
 
Greg Kroah-Hartman bans University of Minnesota from Linux development for deliberately buggy patches. Some researchers tried to slip bad patches into the Linux kernel as a "test." When they kept trying, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, put an end to their efforts.

The fact that the press completely changed the narrative tells you a lot. Then this excuse was made that was completely different...

We were just testing you, Greg.... OVER AND OVER AND OVER AGAIN... Never thinking to tell you if one managed to get through. Greg the Hero Kicks Azz.

Greg Kroah-Hartman bans University of Minnesota from Linux ...

 
The involved researchers have broken all rules of good scientific practice by not telling anyone what they intended to do and without asking anyone for permission to do so. Actually, such unscrupulous people should be banned from doing scientific research at all.
It would have been extremely easy to talk to Linus Torvalds or some other person and discuss the proposed research project with them: "Look, we want to test the hypothesis that a malevolent person could introduce some patches with a backdoor or other bugs and thus compromise the Linux kernel. Let us test this hypothesis by anonymously submitting such faulty patches and let's have a look at whether the Linux kernel team will be able to detect the malicious code parts or not."

This would have been the only right way to do that kind of research. Does the University of Minnesota even have some sort of research ethics committee? Is there a body that checks the ethical implications of the research conducted at this university? Doesn't seem so, or it is not put to good use, it seems.

I mean, Linux is used in all kinds of computers and machines, and introducing a bug that would lead to a malfunction could harm goods or even put people's lives in danger.

Inexcusable!
 
I think the entire open source community should just blacklist those specific contributors and the entire University of Minnesota as well, just to be safe.

Spread the word, have them blacklisted for life.

I fully agree, and on top of that these guys should be banned from doing any scientific work at all. They have disregarded all good scientific practices and potentially may have put human lives at risk (for example, if a Linux-based machine that is involved in some medical process gets compromised and turns out wrong numbers).
 
AFAIK there isn't really any evidence that anyone at UMN was actually trying to get a known-bad patch into the kernel. The only patches that we know had deliberate vulnerabilities were the ones discussed in the published paper (K. Lu, Q. Wu), where they took steps to ensure the changes would never actually be merged (and submitted corrected versions of the patches after the initial 'malicious' patches had been reviewed). The later patches submitted by A. Pakki (which were the subject of the email thread where Greg KH ultimately banned UMN) don't seem to be deliberately malicious. More like he tried to write an analysis tool and either did a half-assed job testing/validating it or was trying to get the kernel maintainers/community to do the job of testing it for him. The methods of the former were questionable and the behavior of the latter was unprofessional (to say the least), and I can see why it pissed off the maintainers. But I don't see either as trying to get known-bad code into the kernel. For example, I don't think pull requests for any of these patches were ever created (which is done to start the process of getting the patches integrated into the kernel). It seems the patches were just submitted for review via email and never went further than that.

Talk by Greg KH of ripping contributions out of the kernel was referring to all patches ever submitted by people with a umn.edu email address, not just the "hypocrite commit" patches, and not just the 3 people mentioned in this article.
 

Though I cannot say you are wrong with the assumption you made, being part of the academic circle myself, I think it unlikely. Greg made it manifest that he saw the code he banned them for as deliberate and malicious. If you have a look at the justification they made to Greg, and the lies they then published, Greg said that they were trying to say that they deliberately put the code in to test Greg and his team. This is not only unethical, but also unlikely. You do not put code of this nature in a kernel; that is not a test, as the nature of the kernel is critical to running the system and its security. They would have said nothing had Greg and his team missed the code, and this would have made that kernel version corrupt and a security flaw.

This practice is one that always uses this excuse when caught, particularly by hackers trying to defend their actions when caught. Had this been the Windows kernel, there would be a lawsuit. But open source can only really result in a BAN!

This was intentional, it was deliberate, and though it is conjecture for me to say it was deliberate, I believe 99% that these are guys working for some 3rd-party goal, and possibly that 3rd party is China or the FBI/CIA trying to force their backdoors into software they cannot control due to it being open source.

In my opinion, and I use Linux, Greg is a hero in his own way. When someone does his job to this level of detail, it is worth a medal. He has saved many users from security breaches that could have been used to steal identities etc...
 
This was intentional, it was deliberate, and though it is conjecture for me to say it was deliberate, I believe 99% that these are guys working for some 3rd-party goal, [...]

Being in scientific circles myself, too, I can only confirm this. What these guys did is not science. That's not the way people do scientific experiments. There is an established set of rules for scientific conduct, and dismissing these rules means that a researcher may even get banned from his work.
For example: if someone slipped some faulty code into the firmware of a Boeing plane navigation system, he would be immediately accused of terrorism and a SWAT team would appear behind his house.
Compromising the Linux kernel in any shape or form is not fundamentally different from compromising the flight software of a plane, because there are innumerable critical systems nation- and worldwide that are based on a Linux kernel.

I really hope that the public prosecution bodies will investigate this case. And I also hope that investigative journalists will also try to pull some more background information on this scandal.
 

I think certain academic professors with Chinese names MIGHT be taking a flight back to the motherland. But on the other hand, if this was endorsed by the FBI/CIA to have a back door everywhere, then they will not be prosecuted, and this whole thing goes away.

It would also explain why this false narrative of "They didn't like a paper we wrote a while back" then turned into "We were just testing you" nonsense. Even Greg himself dismisses these claims.
 