
Linux bans University of Minnesota for sending buggy patches in name of research

posted on Apr, 21 2021 @ 11:54 AM
So, this actually has nothing to do with politics or the usual ats topics, but that stuff gets kind of tiring, so why not? And it's kinda relevant, this also happened in Minnesota.

The University of Minnesota has been not only banned from contributing to the Linux kernel, but all previous patches submitted from the University are being audited and potentially removed.

Why?

Well, some researchers thought it would make for an interesting experiment to see what would happen if they willingly submitted obfuscated malicious code to an open source project. They chose the Linux kernel. Some of these patches were merged into the mainline code and could have potentially caused critical security holes in millions of systems from everything to banking systems, to well, Linux is used in a lot of places...Well, turns out, if you do that kind of thing, you get your entire University blackballed from contributing to Linux.

www.neowin.net...


Greg Kroah-Hartman, who is one of the head honchos of the Linux kernel development and maintenance team, has banned the University of Minnesota (UMN) from further contributing to the Linux Kernel. The University had apparently introduced questionable patches into the kernel of Linux.

The UMN had worked on a research paper dubbed "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits". Obviously, the "Open-Source Software" (OSS) here is indicating the Linux kernel and the University had stealthily introduced Use-After-Free (UAF) vulnerability to test the susceptibility of Linux. So far so good perhaps as one can see it as ethical experimenting.

However, the UMN apparently sent another round of "obviously-incorrect patches" into the kernel in the form of "a new static analyzer" causing distaste to Greg Kroah-Hartman who has now decided to ban the University from making any further contributions.


So, they sent some letters to each other in which the researcher tries to lie and pull some bull#, then play the victim card.


Greg,

I respectfully ask you to cease and desist from making wild accusations that are bordering on slander.

These patches were sent as part of a new static analyzer that I wrote and its sensitivity is obviously not great. I sent patches in the hopes to get feedback. We are not experts in the linux kernel and repeatedly making these statements is disgusting to hear.

Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of doubt. I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and non experts.



After which...Linux's head kernel developer calls him out and utterly wrecks him...


You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work.

Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?

They obviously were _NOT_ created by a static analysis tool that is of any intelligence, as they all are the result of totally different patterns, and all of which are obviously not even fixing anything at all. So what am I supposed to think here, other than that you and your group are continuing to experiment on the kernel community developers by sending such nonsense patches?

When submitting patches created by a tool, everyone who does so submits them with wording like "found by tool XXX, we are not sure if this is correct or not, please advise." which is NOT what you did here at all. You were not asking for help, you were claiming that these were legitimate fixes, which you KNEW to be incorrect.

A few minutes with anyone with the semblance of knowledge of C can see that your submissions do NOT do anything at all, so to think that a tool created them, and then that you thought they were a valid "fix" is totally negligent on your part, not ours. You are the one at fault, it is not our job to be the test subjects of a tool you create.

Our community welcomes developers who wish to help and enhance Linux. That is NOT what you are attempting to do here, so please do not try to frame it that way.

Our community does not appreciate being experimented on, and being "tested" by submitting known patches that either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.

Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.



Well, ya know, I guess Minnesota is not the place to go for a computer science education any more. Good job guys, stellar research...
edit on 21/4/2021 by dug88 because: (no reason given)



posted on Apr, 21 2021 @ 12:03 PM
a reply to: dug88

Totally unethical.
The computer code equivalent of intentionally setting fires....must be a Minnesota thing...

And then the a-hole has the gall to play victim....



posted on Apr, 21 2021 @ 12:04 PM
What a bunch of selfish assholes.



posted on Apr, 21 2021 @ 12:04 PM

originally posted by: M5xaz
a reply to: dug88

Totally unethical.
The computer code equivalent of intentionally setting fires....must be a Minnesota thing...

And then the a-hole has the gall to play victim....


Yea, when the term "pre conceived bias" was pulled we all knew.....lulz



posted on Apr, 21 2021 @ 12:07 PM
a reply to: dug88

Disgusting, and this is not research but something far more malicious.

I wonder how much Gates has given to them behind the scenes.

Also I wonder how many other contributors are compromised as this could also open up back doors in the operating system that any number of nefarious forces could use.

A VERY serious issue and one that definitely needs legal action and criminal prosecutions to take place.

This is NOT the kind of thing a university gets up to, it IS however the kind of thing a Hacker gets up to if they want a back door through which they can access information, implant malicious code such as botnets to mine bitcoin etc.

And of course it is also the kind of thing you would expect out of an Intelligence agency not a university.



posted on Apr, 21 2021 @ 12:09 PM
Now this pisses me off.

It could also be an illegal act. Knowingly sending malicious code is considered a cybercrime. They should be charged. God knows how much damage their bull# caused.
edit on 4 21 2021 by projectvxn because: (no reason given)



posted on Apr, 21 2021 @ 12:11 PM

originally posted by: seeker1963

originally posted by: M5xaz
a reply to: dug88

Totally unethical.
The computer code equivalent of intentionally setting fires....must be a Minnesota thing...

And then the a-hole has the gall to play victim....


Yea, when the term "pre conceived bias" was pulled we all knew.....lulz


Right.
See, it's only because the code itself has...black skin color....yeah, that's it, that's the ticket.....



posted on Apr, 21 2021 @ 12:13 PM
a reply to: projectvxn

Linux is used even in things like those self driving cars, medical equipment, and a bunch of other safety critical systems. This could have potentially killed people or caused serious injury. It's hard to describe just how irresponsible this was...



posted on Apr, 21 2021 @ 12:18 PM
People writing malicious code should have been 'dealt with' in a manner that would incite such fear that no one would ever even think of doing it.

Another country's citizens do it, and that country doesn't clean up its own mess: call it an act of war.



posted on Apr, 21 2021 @ 12:20 PM
a reply to: dug88

I'm pretty sure that anybody who downloaded a deliberately bugged version could sue in much the same way that you could sue a virus or malware writer. If not criminal, then certainly civil.



posted on Apr, 21 2021 @ 12:23 PM
a reply to: dug88

Indeed.

I just informed my engineering team about it because we run linux on multiple devices.

We're a biomedical company and can't afford surreptitiously placed code for some asshole's hackerman cred.



posted on Apr, 21 2021 @ 12:24 PM

originally posted by: AaarghZombies
a reply to: dug88

I'm pretty sure that anybody who downloaded a deliberately bugged version could sue in much the same way that you could sue a virus or malware writer. If not criminal, then certainly civil.


Of course those people that have suffered financial loss, loss of data including irreplaceable family photos etc may have grounds to sue that university for every penny it is worth and then some.

The university's action was malicious and in breach of open source agreements and commitments (breach of contract, an accidental bug is not but this deliberate malicious code is actually criminal).

The university is not covered by the Linux user agreement so may very well be fully liable for losses incurred as a result of this malicious behaviour.

edit on 21-4-2021 by LABTECH767 because: (no reason given)



posted on Apr, 21 2021 @ 12:25 PM
a reply to: dug88

I'm safe from this sort of thing.

I use Windows.

ahhlol



posted on Apr, 21 2021 @ 12:26 PM
a reply to: jerich0

I use Windows but only for compatibility, actually Linux except for this situation is far more secure, more stable, more virus and malware proof, this was some pricks putting back doors and deliberately damaging code into it for their own agenda.
Usually Linux is the better system.



posted on Apr, 21 2021 @ 12:46 PM

originally posted by: dug88
So, this actually has nothing to do with politics or the usual ats topics, but that stuff gets kind of tiring, so why not? And it's kinda relevant, this also happened in Minnesota.

The University of Minnesota has been not only banned from contributing to the Linux kernel, but all previous patches submitted from the University are being audited and potentially removed.


Honestly they should get into some serious legal trouble for this.



posted on Apr, 21 2021 @ 12:53 PM
Overreaction. This shows that the pr process works. I'm glad that someone is poking to make sure merge requests aren't getting approved willy nilly.

Let's not all forget how a busted (and very vulnerable) WireGuard port almost got merged into the FreeBSD kernel because that pr process was one of almost no pr. Just "trust" that Macy guy wouldn't write # code. Well turns out he didn't, but that didn't stop it from getting shipped with pfSense lol.



posted on Apr, 21 2021 @ 01:20 PM
I am going to ask the stupid question.....

If UoM has managed to get shady stuff through the net of protection, what is to stop anyone else?



posted on Apr, 21 2021 @ 01:42 PM
a reply to: TwistedPsycho
Not much.

But unless you are willing to go back to writing your own code at the machine code level you can never be certain what is really in all those huge programs and operating systems.

Most of the code in them is likely very poorly compiled and full of unnecessary crap code, duplicate subroutines and algorithms etc.

But look how many man hours it takes to write them, and that is in high level languages that are then compiled down. No single human being would be likely to be able to do it in their own lifetime, as teams of often thousands of programmers work on them. This in turn creates even more waste code than they should have in them, and using other programs to try to prune them down is probably not as good as if they had been programmed at assembly code level all along.

Sadly there are not many Jeff Minters left in the world. That guy could get a Commodore 64 or ZX Spectrum to do impossible things, and his kind of programming skill is lacking today, with those that have a similar gift mostly going into hacking as a pastime instead of using their abilities in that more creative fashion. Though I suspect if he was among today's elite of programming and hacking guys, Minter would be a trillionaire or something and own the bitcoin markets and the access codes to just about every financial institute out there.



posted on Apr, 21 2021 @ 01:50 PM
a reply to: dug88

There is more to this story. We will find out soon. I’m just glad they found out and are dealing with this fraud. Linux runs literally the world, that’s some effed up bs.



posted on Apr, 21 2021 @ 01:53 PM
a reply to: AScrubWhoDied

No, several of the patches were actually committed.

lore.kernel.org...

It actually goes to show, even with a pr system on a big community project, some bad prs still get committed.


