Here’s Why University of Minnesota is Likely to be Banned from Contributing to Linux Kernel Code

The researchers were testing the feasibility of stealthily introducing vulnerabilities in OSS via hypocrite commits, i.e., seemingly beneficial commits that in fact introduce other critical issues.

And they chose the Linux kernel project to carry out their experiments.

Al Viro found that the ‘useless patch’ from Aditya Pakki was likely to be part of this research. Greg Kroah-Hartman (GKH), the second-in-command of the Kernel project after Linus Torvalds, advised not to waste the kernel maintainers’ time with such patches.

University Banned From Contributing To Linux Kernel

  • University Banned From Contributing To Linux Kernel For Intentionally Inserting Bugs

    Greg Kroah-Hartman has banned a US university from trying to mainline Linux kernel patches over intentionally submitting questionable code with security implications and other "experiments" in the name of research.

    Stemming from this research paper where researchers from the University of Minnesota intentionally worked to stealthily introduce vulnerabilities into the mainline Linux kernel. They intentionally introduced use-after-free bugs into the kernel covertly for their research paper.

    [...]

    So those from the University of Minnesota are no longer welcome to contribute to the upstream Linux kernel development.

    In a follow-up message is indeed confirmation that the prior University of Minnesota patches to the Linux kernel are going to be reverted.

Slashdot pointing to Neowin

Linux Kernel dev bans University of Minnesota...

  • Linux Kernel dev bans University of Minnesota for sending malicious patches

    Here is your daily dose of WTF. Linux Kernel developer Greg Kroah-Hartman has called out "researchers" from the University of Minnesota and banned them from submitting code to the Linux Kernel.

    This story is pretty wild and completely ridiculous. In the name of some apparent research and a written paper titled, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits", the people involved have now been called out on "sending known-buggy patches to see how the kernel community would react to them".

    Part of it goes further, as patches have continued to roll in after the paper was published so they are "continuing to experiment on the kernel community developers by sending such nonsense patches" with the patches not actually doing anything at all.

  • Laura Abbott: Untrustworthy research methods

    So by now many people have seen the report that researchers from the University of Minnesota have a paper about trying to introduce bugs in the Linux kernel by submitting malicious patches. The goal was to demonstrate how likely it was for an attacker to be able to introduce bugs without maintainers noticing. At a high level this is a pertinent question that the kernel community has been asking itself for some time. “Linus’ law” about code review finding bugs has been repeated ad nauseam. The issue for many subsystems is figuring out how to scale that review.

    The problem with the approach the authors took is that it doesn’t actually show anything particularly new. The kernel community has been well aware of this gap for a while. Nobody needs to actually intentionally put bugs in the kernel, we’re perfectly capable of doing it as part of our normal work flow. I, personally, have introduced bugs like the ones the researchers introduced, not because I want to bring the kernel down from the inside but because I am not infallible. The actual work that needs to be done is figuring out how to continue to scale efforts like KernelCI to fully test and find issues before they get committed.

    “But isn’t this a supply chain attack” Yes, again, this is a possible attack vector but it’s one the kernel community is well aware of. Actually turning this into an attack would probably involve getting multiple coordinating patches accepted and then waiting for them to show up in distributions. That’s potentially a multi-year time frame depending on the distribution in question. This also assumes that the bug(s) won’t be found and fixed in the meantime. One of the patches submitted by the researchers was cited as being fixed after fuzzing with syzkaller. I don’t know for certain if the original patch was one of the intentionally buggy patches but the point is there’s no guarantee that code you submit is going to stay in the form you want. You’d really have to be in it for the long haul to make an attack like this work. I’m certain there are actors out there who would be able to pull this off but the best fix here is to increase testing and bug fixing, something Greg has been requesting for a long time. (I have other thoughts about the Rust specific bits but the letting people work on bugs part is solid).

Linux Foundation Bans University

  • Linux Foundation Bans University After It Intentionally Submitted Buggy Patches

    The University of Minnesota isn't making any friends in the Linux community. Phoronix reported that Greg Kroah-Hartman, the Fellow at the Linux Foundation responsible for stable releases of the Linux kernel, has banned the University from contributing to that kernel after two students purposely added faulty code to it.

    The students in question published a research paper titled "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits" on February 10. Those so-called "hypocrite commits" were defined as "seemingly beneficial commits that in fact introduce other critical issues."

    Although the paper was ostensibly focused on open source software generally, the students devoted much of their attention to the Linux kernel specifically because it's so popular. The kernel is practically ubiquitous—it's found in everything from single-board computers like the Raspberry Pi to the most powerful supercomputers.

Greg Kroah-Hartman bans University of Minnesota

  • Greg Kroah-Hartman bans University of Minnesota from Linux development for deliberately buggy patches

    Thanks to the Solarwinds security breach, software supply chain attacks have become an important issue. Naturally enough, there's a lot of research being done into these attacks. Two graduate students at the University of Minnesota working on a paper entitled, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits" tried to put the Use-After-Free (UAF) vulnerability into the Linux kernel. This kind of Red Team security testing is commonplace… when the project includes people who know what's going on beforehand. That wasn't the case here. When they tried it again, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, had had enough.

Uni group slammed over submitting known buggy patches to Linux

  • Uni group slammed over submitting known buggy patches to Linux kernel

    A group from the University of Minnesota have come in for a tongue-lashing from the normally mild-mannered Linux developer Greg Kroah-Hartman, the maintainer of the stable kernel.

    Kroah-Hartman blew up after the group submitted patches to the kernel which were known to be buggy.

    He said in a post addressed to Aditya Pakki at the university that he, and his group, had sent the buggy patches to see how the kernel community would react, and put out a paper based on that.

    The university has now reacted by saying that it has suspended this line of research.

Linux Kernel Developers Were Not Amused By Faulty Patches Sent

  • Linux Kernel Developers Were Not Amused By Faulty Patches Sent By University of Minnesota Researchers

    Researchers from the American University of Minnesota submitted a series of faulty patches to the Linux kernel last year and published a research paper about their effort. They tried to send more faulty patches to the Linux Kernel Mailing List earlier this month. Greg Kroah-Hartman, Trond Myklebust and other seasoned kernel developers were not amused.

    [...]

    The Linux kernel is a huge software project with nearly thirty million lines of code and hundreds of patches floating around on the Linux Kernel Mailing List (LKML) at any given time. Some patches are included, some are flat out rejected, and some go through eight or more revisions before they are accepted.

    Qiushi Wu and Professor Kangjie Lu at the American University of Minnesota wanted to learn just how easy it is to get intentionally faulty patches past the Linux kernel maintainers and into the mainline Linux kernel. They came up with a "vulnerability-introducing method", sent patches introducing security holes and published a research paper on it titled "Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits" (OpenSourceInsecurity.pdf, 443 KiB), in LaTeX, and published it on February 10th, 2021.

    The researchers at the American University of Minnesota were not content with wasting the Linux kernel community's time by experimenting on them for the purpose of writing just one research paper. They just had to try again with a useless patch titled [PATCH] SUNRPC: Add a check for gss_release_msg on April 6th, 2021.

PhD students willfully committed known malicious changes...

  • PhD students willfully committed known malicious changes to mainline Linux

    We just reported about the Linux 5.12 changelog with a focus on Arm, MIPS and RISC-V targets on Tuesday, and at the time, the expectation was a delay of about one week after Linux 5.12-rc8 was outed on Sunday, April 18.

    But Linux 5.12 could be further delayed due to shenanigans from two Ph.D. students doing a research project on open-source vulnerability at the University of Minnesota. This was announced by Greg Kroah-Hartman on the Linux kernel mailing list.

University duo thought it would be cool to sneak bad code...

  • University duo thought it would be cool to sneak bad code into Linux as an experiment. Of course, it absolutely backfired

    Computer scientists at the University of Minnesota theorized they could sneak vulnerabilities into open-source software – but when they tried subverting the Linux kernel, it backfired spectacularly.

    And now their entire school – or at least anyone using a umn.edu email address – has been banned from offering future Linux kernel contributions.

    Qiushi Wu, a doctoral student in computer science and engineering at the American college, and Kangjie Lu, assistant professor at the school, penned a paper titled, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits" [PDF], which is slated to be presented at the Proceedings of the 42nd IEEE Symposium on Security and Privacy next month.

    The paper describes how the authors submitted what's described as subtly subversive code contributions that would introduce error conditions into the operating system software, and it claims the researchers contacted Linux maintainers to prevent any bad code making it into an official release of the kernel.

    It further states that the experiment was vetted by the university's Institutional Review Board (IRB), which determined that the project did not constitute human research and thus granted an ethical review waiver.

    [...]

    In a statement released on Wednesday afternoon, the University of Minnesota Department of Computer Science & Engineering said it has suspended the research project and plans to look into the approval process to determine whether remedial action and future safeguards are needed.

University of Minnesota Banned from Linux Kernel

University Responds to Ban On Linux Contributions

  • University Responds to Ban On Linux Contributions

    The University of Minnesota Department of Computer Science and Engineering announced that it's looking into a ban on contributing to the Linux kernel that was issued after its research attracted the ire of the stable release channel's steward.

    That ban was issued on Wednesday by Greg Kroah-Hartman, a Linux kernel developer responsible for the stable channel's release due to a project that intentionally added bugs to the Linux kernel in the name of security research.

    "We take this situation extremely seriously," UMN computer science and engineering head Mats Heimdahl and associate department head Loren Terveen said in a statement, adding that they "immediately suspended this line of research" after the ban was announced.

Ill-advised research on Linux kernel lands....

  • Ill-advised research on Linux kernel lands computer scientists in hot water

    Computer scientists who submitted supposed security patches that actually added security vulnerabilities to the Linux kernel have been placed under investigation by their university.

    Qiushi Wu and Kangjie Lu ran the experiment with so-called ‘hypocrite commits’ to establish that they could act as a vector for stealthily introducing vulnerabilities in open source software.

    More specifically, the University of Minnesota duo successfully offered use-after-free vulnerabilities that were accepted as seemingly beneficial commits to the Linux kernel.

    The researchers argued the exercise offered evidence that the Linux patch-review process is flawed.

    Kernel developers ain’t no lab rats

    The research attracted criticism back in December while the work was still ongoing, although the drama only escalated over recent days with the publication of the research (PDF).
    According to the researchers, all of the “bug-introducing patches stayed only in the email exchanges, without being adopted or merged into any Linux branch”, so no harm to users resulted from the exercise.

Linux kernel developer locks out an entire university

  • Academics face backlash after trying to sneak dodgy code into Linux

    A couple of computer scientists at the University of Minnesota riled up veteran Linux kernel developers by intentionally submitting questionable code to the mainline kernel.

    The scientists introduced what are known as use-after-free bugs into the kernel for the purposes of their research, aptly titled, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits."

    The paper describes how the authors submitted dubious code that would introduce error conditions into the kernel. The researchers claim they subsequently contacted Linux maintainers to prevent any of their code ending up in the official kernel release.

University of Minnesota banned from contributing to Linux kernel

  • University of Minnesota banned from contributing to Linux kernel

    The University of Minnesota has been banned from contributing to the Linux kernel by one of its maintainers after researchers from the school apparently knowingly submitted code with security flaws.

    Earlier this year, two researchers from the university released a paper detailing how they had submitted known security vulnerabilities to the Linux kernel in order to show how potentially malicious code could get through the approval process. Now, after another student from the university submitted code that reportedly does nothing, kernel maintainer and Linux Foundation fellow Greg Kroah-Hartman has released a statement calling for all kernel maintainers to reject any code submissions from anyone using a umn.edu email address.

    In addition to not accepting any new code from the university, all of the code submitted in the past is being removed and re-reviewed. It seems like it will be a massive amount of work, but Kroah-Hartman has made it clear that the developer community doesn’t appreciate “being experimented on” and that all of the code from the university has been called into question due to the research.

A statement on the UMN mess

  • A statement on the UMN mess

    Speaking for the Linux Foundation Technical Advisory Board, Kees Cook has posted a brief statement on the controversy over patches submitted from the University of Minnesota.

More on this blunder

  • The University of Minnesota has been banned from Linux development for deliberately introducing vulnerabilities

    Curious what has happened this week in the world of Linux development. The University of Minnesota has been banned from Linux development for introducing vulnerabilities on purpose. The reason is a research work being carried out by Qiushi Wu (PhD student) and Kangjie Lu (Assistant Professor) on the feasibility of sneaking vulnerabilities into open source software.

  • Linux bans University of Minnesota for committing malicious code

    In a rare, groundbreaking decision, Linux kernel project maintainers have imposed a ban on the University of Minnesota (UMN) from contributing to the open-source Linux project.

    The move comes after a group of UMN researchers were caught submitting a series of malicious code commits, or patches that deliberately introduced security vulnerabilities in the official Linux codebase, as a part of their research activities.

    Additionally, the Linux kernel project maintainers have decided to revert any and all code commits that were ever submitted from @umn.edu email addresses.

University Of Minnesota Investigates Ethically Questionable...

  • University Of Minnesota Investigates Ethically Questionable Linux Kernel Research

    Yesterday we reported on a Linux kernel developer "banning" the University of Minnesota from providing patches to the kernel. However, this did not come out of the blue as some faculty and students had performed questionable research that wasted Linux kernel maintainers’ time and effort. It appears staff at UMN are now looking into the issue and have taken it quite seriously.

    In the last few months, researchers out of the University of Minnesota have been conducting computer science research, leading to multiple papers being published. One of these papers was about the feasibility of introducing vulnerabilities into open-source software, such as the Linux kernel, by sneaking them by reviewers. Effectively, this is human research in a way and likely should not have been carried out in that manner.

Linus Torvalds Responds to Linux Banning University of Minnesota

  • Linus Torvalds Responds to Linux Banning University of Minnesota

    Saying the University of Minnesota's ban from contributing to the Linux kernel has been a popular topic of conversation among the open source community would be an understatement. Now, Linux creator Linus Torvalds has weighed in on the issue, and his response was milder than one might expect.

    Whatever he did seems to have worked. Torvalds reportedly told iTWire that "I don't really know what to say" about the University of Minnesota ban. "I think the email thread is likely the most relevant information. [...] I don't think it has been a huge deal _technically_, but people are pissed off, and it's obviously a breach of trust."

    Interestingly enough, Torvalds, according to The New Yorker, stepped aside from Linux in 2018 because he was seeking help "after years of verbally abusing programmers" who contributed to the Linux kernel.

    Linux developers are still looking through code submitted as part of the college's research project, as well as other contributions associated with the University of Minnesota. Right now it seems like this was a one-off issue, as Linux Foundation Technical Advisory Board member Kees Cook said in an email to the Linux kernel mailing list.

"Hypocrite Commit" Researchers [sic]

  • University of Minnesota Linux "Hypocrite Commit" Researchers Publish Open Letter

    The drama in kernel land this week was University of Minnesota being banned from Linux kernel development over research they previously carried out looking at "hypocrite commits" and the possibility of intentionally introducing vulnerabilities (such as use-after-free bugs) into the kernel source tree. This weekend those researchers involved published an open letter to the Linux kernel community.

    Word of these university researchers having done a research paper on "hypocrite commits" and carried out their actions with seemingly little to no external oversight and having wasted upstream developer resources and potentially risked the kernel's security raised many concerns in the community.

    In addition to "banning" University of Minnesota from contributing to the upstream kernel, Greg Kroah-Hartman planned to revert all umn.edu patches. However, so far that has yet to happen on the mainline tree. So far the vast majority of the University of Minnesota patches contributed to mainline over the years were found to be done in good faith.

Saboteurs' diploma mill University of Minnesota still reeling

  • University of Minnesota Researchers Send Apology to Linux Kernel Mailing List

    Earlier this week Greg Kroah-Hartman of the Linux kernel development team banned the University of Minnesota from contributing after researchers there submitted what he called "obviously-incorrect patches" believed to be part of a research project into whether buggy code would be accepted.

    Today the professor in charge of that project, as well as two of its researchers, sent an email to the Linux kernel mailing list saying they "sincerely apologize for any harm our research group did to the Linux kernel community."

Banned UMN Researchers Apologize to Linux Community

  • Banned UMN Researchers Apologize to Linux Community

    University of Minnesota (UMN) assistant professor Kangjie Lu, along with graduate students Qiushi Wu and Aditya Pakki, apologized to the Linux community on Saturday for the controversial research into "hypocrite commits" that got the entire university system banned from contributing to the Linux kernel.

    In an email to the Linux kernel mailing list, the trio said that the research in question, which sought to highlight one of the ways open source projects such as Linux can be undermined, was carried out in August 2020. The findings were published to GitHub on February 10; they didn't appear to attract much attention for several months.

    Then last week, Greg Kroah-Hartman, the Linux developer who oversees the stable release channel, banned UMN from contributing to the Linux kernel. He also said in an email to Pakki that he'd have to "rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems."

    This quickly became a hot-button issue among the Linux developer community, and the UMN Department of Computer Science and Engineering (CSE) apologized for the incident a day later. But the need to double-check all of the university's contributions to the Linux kernel still raised the ire of many already-quite-busy Linux developers.

A letter from the UMN researchers

  • A letter from the UMN researchers

    The University of Minnesota researchers who have stirred up the kernel community with various types of bad patches have sent an open letter to the linux-kernel list.

Uni bid to patch up with Linux kernel project

  • Uni bid to patch up with Linux kernel project fails to move maintainer

    The maintainer of the stable Linux kernel, Greg Kroah-Hartman, has snubbed an effort by a group at the University of Minnesota to get back in his good graces, after the group submitted known buggy patches to him in order to write a paper based on it.

    The two students who wrote the paper — Kangjie Lu and Qiushi Wu — and their instructor, Aditya Pakki, sent an "open letter to the Linux community" on 24 April, apologising for what they had done and claiming that they had noble goals for doing so.

    But Kroah-Hartman gave them short shrift, saying: "As you know, the Linux Foundation and the Linux Foundation's Technical Advisory Board submitted a letter on Friday [23 April] to your University outlining the specific actions which need to happen in order for your group, and your University, to be able to work to regain the trust of the Linux kernel community.

No use

University of Minnesota security researchers apologize...

  • University of Minnesota security researchers apologize for deliberately buggy Linux patches

    Last week, some University of Minnesota (UMN) security researchers kicked a hornet nest, when it was revealed that they'd tried to insert deliberately buggy patches into Linux. Greg Kroah-Hartman, the well-respected Linux kernel maintainer for the Linux stable branch, responded by banning not only them but any UMN-connected developers from contributing to the Linux kernel. Now, the researchers have sort of, kind of, apologized for their mistakes: "We sincerely apologize for any harm our research group did to the Linux kernel community."

    [...]

    They then explained, "The "hypocrite commits" work was carried out in August 2020; it aimed to improve the security of the patching process in Linux. As part of the project, we studied potential issues with the patching process of Linux, including causes of the issues and suggestions for addressing them."

    And, in any case, "This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper. ["On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"].

LF Letter

  • The Linux Foundation's demands to the University of Minnesota for its bad Linux patches security project [Ed: ZDNet isn't disclosing that it has been working as a marketing/front group of the Linux Foundation, i.e. a collective of openwashing corporations]

    To say that Linux kernel developers are livid about a pair of University of Minnesota (UMN) graduate students playing at inserting security vulnerabilities into the Linux kernel for the purposes of a research paper "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits" is a gross understatement.

    Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch and well-known for being the most generous and easy-going of the Linux kernel maintainers, exploded and banned UMN developers from working on the Linux kernel. That was because their patches had been "obviously submitted in bad faith with the intent to cause problems."

    The researchers, Qiushi Wu and Aditya Pakki, and their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department of the UMN then apologized for their Linux kernel blunders.

Linux kernel team rejects University of Minnesota researchers...

  • Linux kernel team rejects University of Minnesota researchers’ apology

    Last week, senior Linux kernel developer Greg Kroah-Hartman announced that all Linux patches coming from the University of Minnesota would be summarily rejected by default.

    This policy change came as a result of three University of Minnesota researchers—Qiushi Wu, Kangjie Lu, and Aditya Pakki—embarking on a program to test the Linux kernel dev community's resistance to what the group called "Hypocrite Commits."

    [...]

    Last week, senior Linux kernel dev Greg Kroah-Hartman reverted 68 patches submitted by folks with umn.edu email addresses in response to these "Hypocrite Commits." Along with reverting these 68 existing patches, Kroah-Hartman announced a "default reject" policy for future patches coming from anyone with an @umn.edu address.

    Kroah-Hartman went on to allow exceptions for such future patches if "they provide proof and you can verify it," but he went on to ask "really, why waste your time doing that extra work?"

    The University of Minnesota Department of Computer Science and Engineering responded to the ban by immediately "suspend[ing] this line of research," promising to investigate the researchers' method—and the process by which it was approved.

Trust and Taint - University of Minnesota Banned By Linux

  • Trust and Taint - University of Minnesota Banned By Linux

    The irony of this situation is that the controversial project that led to loss of trust in the University of Minnesota was intended to improve the security of Linux. The research, conducted in August 2020, was by Kangjie Lu, Assistant Professor, and graduate student Qiushi Wu, and their paper "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits" has been accepted for the 42nd IEEE Symposium on Security and Privacy. The research, which was supported by the NSF (National Science Foundation), included explicit safeguards to ensure that no bugs were merged into the Linux Kernel as a result of the experiment, although it now seems that a mutex close error may have slipped through, an error that has been fixed.

    The ban however wasn't made as a response to this paper. Instead the trigger was a more recent set of "obviously-incorrect patches" submitted by Aditya Pakki, another of Lu's Ph.D students who has explained that they were submitted as a result of his work on "a new static analyzer".

    For Kroah-Hartman, who, as the main Linux kernel maintainer, has the ultimate responsibility for its safety and security, the submission of new buggy patches was the last straw, and his suspicion was that it was again part of some research experiment, as reflected in his tweet:

Linux Foundation on University of Minnesota

  • Linux Foundation demands action from university found meddling with kernel

    Following the recent “Hypocrite Commits” row, it’s now being reported that the Linux Foundation's Technical Advisory Board, representing the interests of the kernel community, has asked the University of Minnesota (UMN) to undertake certain actions before their people will be allowed to contribute to Linux again.

    This follows the recent incident where a couple of UMN computer scientists riled up Linux developers by intentionally submitting questionable code to the mainline kernel.

    The dubious code submissions were done for the purposes of a research paper, titled, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits."

  • The Linux Kernel Team May Not Be Entirely Happy with University of Minnesota’s Apology

    Recently, University of Minnesota was banned from contributing to Linux Kernel code.

    If you have been following up with that news, you probably know that it was all supposedly a part of study (research) to review the process of submitting Linux kernel patches and assessing the security risks associated.

    However, without consulting the Linux Kernel maintainers or taking any permission, it was a breach of trust, which is a big deal for the Linux developers.

The Hacker News

  • Minnesota University Apologizes for Contributing Malicious Code to the Linux Project

    Researchers from the University of Minnesota apologized to the maintainers of Linux Kernel Project on Saturday for intentionally including vulnerabilities in the project's code, which led to the school being banned from contributing to the open-source project in the future.

    "While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission," assistant professor Kangjie Lu, along with graduate students Qiushi Wu and Aditya Pakki, said in an email.

    "We did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches," they added.

University of Minnesota responds

  • University of Minnesota responds to Linux security patch requests

    If you're just catching up on this story, here's the quick recap: University of Minnesota researchers deliberately submitted patches that would have put the Use-After-Free (UAF) vulnerability into the Linux kernel. When it appeared they were trying once more to put garbage patches into the kernel, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, banned UMN developers from submitting to the kernel and pulled existing suspicious UMN patches. The Linux Foundation followed up with a list of requests for the UMN to comply with if they wanted to work with the Linux kernel again. Now, ZDNet has obtained a copy of UMN's response to the Linux community.

Linux kernel security uproar

  • University Of Minnesota Apologizes To Unwavering Linux Community Over Kernel Kerfuffle

    Last week, we reported on a Linux Kernel developer banning the University of Minnesota for some ethically questionable research. Since then, UMN issued an apology and started an investigation into how this all happened, but some people are having none of it. This week in the Linux Kernel security saga, Greg Kroah-Hartman announced that the Linux Foundation and its Technical Advisory Board sent a letter to UMN outlining what must be done to regain the trust of the Linux community, and no further discussion will be had.

    Earlier this year, three researchers from UMN published a paper that proved that vulnerabilities could be slipped past Linux Kernel maintainers. The team used three easily fixed bugs in the Linux kernel, which all had the trappings of becoming a vulnerability, and submitted them to see if the maintainers detected a problem. Once the maintainers replied to the patch, the UMN researchers explained the bug and gave an actual patch instead of the one originally submitted.

  • The Linux Foundation Has a Few Demands for Banned University

    The researchers who got the University of Minnesota (UMN) banned from contributing to the Linux kernel are going to have to do more than apologize for their actions. ZDNet reported that the Linux Foundation’s Technical Advisory board sent a list of demands the university will have to meet before it can seek forgiveness.

    A quick recap: UMN researchers contributed intentionally flawed code to the Linux kernel in August 2020 for a paper on these so-called “hypocrite commits” that was published in February. A separate project meant to “automatically identify bugs introduced by other patches” then drew the ire of Greg Kroah-Hartman, the developer who oversees the Linux kernel’s stable release channel last week.

    Kroah-Hartman banned the entire UMN system from contributing to the Linux kernel as a result of the research projects. That decision was followed by an apology from the UMN Department of Computer Science and Engineering (CSE), a significant amount of discussion amongst the Linux community, and then a separate apology from the faculty and students who actually conducted the controversial research.

  • Linux kernel security uproar: What some people missed

    Recently the Linux kernel community was aflame due to efforts by researchers at the University of Minnesota to intentionally torpedo Linux security by submitting faulty patches. While the University's Department of Computer Science apologized, the damage was done, and Linux kernel maintainer Greg Kroah-Hartman banned the University from contributing to the kernel.

    However you feel about what these researchers did (Chris Gaun, for example, argued, "A researcher showed how vulnerabilities can EASILY make it through [the] approval process"), this isn't really about Linux, or open source, security. It's always been the case that it's possible to get bad code into good open source projects. Open source software isn't inherently secure. Rather, it's the open source process that is secure, and while that process kicks in during development, it's arguably most potent after vulnerabilities are discovered.

How To Get A University Banned From The Linux Kernel

  • How To Get A University Banned From The Linux Kernel

    Once again the Linux kernel was in the news and not for anything good, but they weren't the cause, the cause was a certain University, the University of Minnesota that allowed for a fairly questionable study to take place over the course of the previous year.

Submitting known buggy Linux patches 'ethical, noble and brave'

  • Submitting known buggy Linux patches 'ethical, noble and brave'

    A developer known as Giacomo Tesio has backed the actions of students and staff from the University of Minnesota, who sent known buggy patches to the stable Linux kernel maintainer Greg Kroah-Hartman, writing that the act was "not just ethical, but noble and brave".

    "All the livor and drama that followed your research proves that the Linux Foundation failed to learn the lessons of Heartbleed," Tesio said in a post to the kernel mailing list.

    He was referring to a 2014 vulnerability in OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption. The flaw would have allowed attackers to monitor all information that flows between a user and a Web service, and could even decrypt past traffic collected. The bug was discovered by three researchers from security firm Codenomicon and Neel Mehta, a security researcher at Google.

    Tesio said what the students — Qiushi Wu and Aditya Pakki — and their instructor — Kangjie Lu — had done was a valuable discovery "for all of us".

"Full disclosure" from the University of Minnesota

  • "Full disclosure" from the University of Minnesota

    The researchers at the University of Minnesota have posted a description of the work they did [PDF] as part of their "hypocrite commits" project. It includes a list of the buggy commits they posted and how they were handled.

UMN security researchers apologize to the Linux community

  • UMN security researchers apologize to the Linux community

    The University of Minnesota’s Computer Science and Engineering Department security researchers are facing intense scrutiny from the Linux community for intentionally trying to insert bugs into Linux patches. The buggy patches were a part of the research paper On the Feasibility of Stealthily Introducing Vulnerabilities in Open Source Software via Hypocrite Commits.

    The paper stated: “As proof of concept, we take the Linux kernel as target OSS and safely demonstrate that it is practical for a malicious committer to introduce use-after-free bugs. Furthermore, we systematically measure and characterize the capabilities and opportunities of a malicious committer. At last, to improve the security of OSS, we propose mitigations against hypocrite commits, such as updating the code of conduct for OSS and developing tools for patch testing and verification.”

    However, the experiment did not go over as planned and was not well received by the community. Linux kernel maintainer Greg Kroah-Hartman tweeted that: “Linux kernel developers do not like being experimented on, we have enough real work to do.”

Uni group reveals the sordid buggy Linux kernel patch story

  • Uni group reveals the sordid buggy Linux kernel patch story

    Students and the staff member at the University of Minnesota who were involved in submitting known buggy patches to the Linux kernel project have released a statement which they claim details the full history behind their actions which were geared towards writing a research paper.

    In the statement, which was not attributed to anyone and dated 27 April, they said that the research paper had been withdrawn. It was linked online by the Linux Weekly News website, run by Jonathan Corbet, a developer himself.

    It said the group would detail two aspects: the message log of disclosure of the findings to the community; and the patches submitted.

    "By showing the details of the patches and the exchange of messages, we wish to help the community to confirm that the buggy patches were 'stopped' during message exchanges and not merged into the actual Linux code," the statement claimed.

Intentionally buggy commits for fame—and papers

  • Intentionally buggy commits for fame—and papers

    Fields asked for more details, some of which were filled in by Leon Romanovsky. A paper [PDF] by Qiushi Wu and Kangjie Lu, both of the University of Minnesota, details the process of introducing use-after-free bugs into the kernel for the purposes of, essentially, showing that it can be done—and presenting a paper about it, naturally. Romanovsky continued: "Yesterday, I took a look on 4 accepted patches from Aditya [Pakki] and 3 of them added various severity security 'holes'."

    Kernel developers have enough problems with bugs being added by mistake, so patches with intentional bugs are obviously unwelcome. Kroah-Hartman said that all of the patches coming from these developers need to be reverted because "what they are doing is intentional malicious behavior and is not acceptable and totally unethical". He put together a patch set of 190 reversions that he called the "easy" reverts; there is a set of 68 additional patches that need manual review to determine what to do about them. "Some of them are not able to be reverted as they already have been reverted, or fixed up with follow-on patches as they were determined to be invalid. Proof that these submissions were almost universally wrong."

    [...]

    It is a horrifically messy situation, seemingly brought about by researchers who were not too concerned about the effects of their research on others. While Linux developers hardly need the additional work, the resulting "extra" scrutiny of new patches will be beneficial. It is a bit hard to see that as a silver lining, exactly—more like a sad but necessary outcome that was inevitable, as Roeck put it. This incident also should serve as a warning to researchers, at least hopefully, going forward: our communities are not playthings. Our code is free and open, but not for abuse.

Linux Stops Reverting Most University of Minnesota Patches

  • Linux Stops Reverting Most University of Minnesota Patches, Admits Good Faith

    In response, the UMN researchers posted an open letter apologizing to the community, followed a few days later by a summary of the work they did [PDF] as part of the "hypocrite commits" project. Five patches were submitted overall from two sock-puppet accounts, but one of those was an ordinary bug fix that was sent from the wrong account by mistake. Of the remaining four, one of them was an attempt to insert a bug that was, itself, buggy, so the patch was actually valid; the other three (1, 2, 3) contained real bugs. None of those three were accepted by maintainers, though the reasons for rejection were not always the bugs in question.

    The paper itself has been withdrawn and will not be presented in May as was planned...

    One of the first things that happened when this whole affair exploded was the posting by Greg Kroah-Hartman of a 190-part patch series reverting as many patches from UMN as he could find... As it happens, these "easy reverts" also needed manual review; once the initial anger passed there was little desire to revert patches that were not actually buggy. That review process has been ongoing over the course of the last week and has involved the efforts of a number of developers. Most of the suspect patches have turned out to be acceptable, if not great, and have been removed from the revert list; if your editor's count is correct, 42 patches are still set to be pulled out of the kernel...

UMN used for anti-Linux FUD already

How a university got itself banned from the Linux kernel

  • How a university got itself banned from the Linux kernel - The Verge

    On the evening of April 6th, a student emailed a patch to a list of developers. Fifteen days later, the University of Minnesota was banned from contributing to the Linux kernel.

    “I suggest you find a different community to do experiments on,” wrote Linux Foundation fellow Greg Kroah-Hartman in a livid email. “You are not welcome here.”

    How did one email lead to a university-wide ban? I’ve spent the past week digging into this world — the players, the jargon, the university’s turbulent history with open-source software, the devoted and principled Linux kernel community. None of the University of Minnesota researchers would talk to me for this story. But among the other major characters — the Linux developers — there was no such hesitancy. This was a community eager to speak; it was a community betrayed.

The media uses trolling and sabotage by University of Minnesota

  • The University of Minnesota Banned by Linux – Why Open Source is Problematic

    Recently, a paper was released by the University of Minnesota written by Qiushi Wu and Kangjie Lu titled “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits”. The paper describes how the two researchers could generate code that claims to fix one bug in the Linux kernel while intentionally introducing other bugs. The Linux kernel is open-source, and as such, can be accessed by the wider community, and anyone can suggest changes to the code via submissions.

    According to the research paper, the various code submissions were able to pass the approval process and be integrated into the final kernel distributions. The goal of the research paper was to demonstrate vulnerabilities in open-source software, and how the approval process may need to be reconsidered. In the paper, the researchers identify multiple problems that open source projects such as the Linux kernel face, including the complexity of the source and the inability of maintainers to understand the system.

Hypocrite Commits...

Red Hat lambasts "unusual" University of Minnesota research...

  • Red Hat lambasts "unusual" University of Minnesota research approach in Linux feud

    Research must be closely aligned with the direction of the open source community or it risks becoming irrelevant, a senior Red Hat exec has claimed in light of the University of Minnesota controversy.

    Researchers at the University of Minnesota were excoriated by senior Linux moderators last week after being caught attempting to embed the Linux kernel with inconsequential patches and vulnerabilities.

Josh Bressers: Episode 269 – Do not experiment on the Linux...

Researchers [sic] checked bugs into the Linux kernel to see...

University of Minnesota researchers issue apology letter...

  • University of Minnesota researchers issue apology letter to the Linux community [Ed: Older but overlooked at the time]

    The University of Minnesota (UMN) researchers - Kangjie Lu, the Assistant Professor, and Qiushi Wu, Aditya Pakki, the Ph.D. students - have on Saturday issued an open apology letter seeking to bury the hatchet with the Linux community for the things which had led to the events that took place a few days back.

    One of the lead Linux kernel developers and maintainers, Greg Kroah-Hartman put the ban-hammer on the UMN for intentionally putting forward buggy patches into the Linux kernel. The researchers from the UMN were conducting a study related to the security vulnerability of Open-source software, which in this case, is Linux. However, Greg K-H was very unhappy as the researchers seemed to proceed without really seeking permission before doing so, nor before running questionable patches on the Linux kernel even after the research paper was apparently completed.

The TAB report on the UMN affair

  • The TAB report on the UMN affair

    The Linux Foundation Technical Advisory Board has issued its report on the submission of (intentionally and unintentionally) buggy patches from the University of Minnesota.

  • Report on University of Minnesota Breach-of-Trust Incident

    On April 20, 2021, in response to the perception that a group of University of Minnesota (UMN) researchers had resumed sending compromised code submissions to the Linux kernel, Greg Kroah-Hartman asked the community to stop accepting patches from UMN and began a re-review of all submissions previously accepted from the University. This report summarizes the events that led to this point, reviews the "Hypocrite Commits" paper that had been submitted for publication, and reviews all known prior kernel commits from UMN paper authors that had been accepted into our source repository. It concludes with a few suggestions about how the community, with UMN included, can move forward. Contributors to this paper include members of the Linux Foundation's Technical Advisory Board (TAB), with patch review help from many other members of the Linux kernel developer community.

    UMN worked well within the kernel community for many years, submitting numerous bug-fixes that were merged into past kernel releases. Last year (2020), one member of the UMN community chose to do a research project that involved submitting patches that attempted to intentionally introduce flaws in the kernel. The trust between the kernel community and UMN was broken when this project was made public. The UMN developers went quiet for seven months and then started submitting a new handful of poor quality patches to the community. Many assumed that trickery was afoot, engendering a reaction that caused a halt to acceptance of UMN kernel contributions and forced us to re-review all prior submissions.

    Due diligence required an audit to identify which authors were involved in different UMN research projects, identify the intent of any flawed patches, and remove flawed patches regardless of intent. Reestablishing the community's trust in researcher groups is important as well, since this incident could have a wide-reaching impact on trust in both directions that might chill participation by any researchers in kernel development. The developer community should be able to trust that researchers are sending quality patches meant to improve the kernel, and researchers should trust the developer community will not undermine the researchers' reputations when mistakes are made. The recommendations in this report aim to move beyond this conflict, providing a way to help both communities to work together better.

Linux's Technical Advisory Board reports on the UMN...

  • Linux's Technical Advisory Board reports on the UMN 'Hypocrite Commits' patches

    The fire between the Linux kernel community and the University of Minnesota (UMN) is being put out. Thanks to an ill-thought-out Linux security project, two UMN graduate students tried to insert deliberately buggy patches into Linux. Greg Kroah-Hartman, the well-respected Linux kernel maintainer for the Linux stable branch, responded by banning not only them but any UMN-connected developers from contributing to the Linux kernel. Now, UMN has addressed the Linux kernel developer community's concerns. And, in a message to the Linux Kernel Mailing List (LKML), the Linux Foundation Technical Advisory Board (TAB) and volunteer senior Linux kernel maintainers and developers have reported on what they found when they closely and thoroughly examined patches from UMN academics.

Linux buggy patch affair ends with technical advisory board...

  • Linux buggy patch affair ends with technical advisory board report

    The technical advisory board of the Linux Foundation has asked the University of Minnesota to improve the quality of patches it submits to the kernel project and also follow a "best practices" document to be created by the board.

    [...]

    One subscriber to the Linux Weekly News website, dvrable, was not very impressed with what Kroah-Hartman had done.

    "The introduction [of the TAB report] says 'researchers should trust the developer community will not undermine the researchers' reputations when mistakes are made', but then makes no recommendations to achieve this," he wrote.

    "Greg's authoritarian tone ('I will now have to ban all future contributions from your University', which he shouldn't have the power to do so), his presumption that he speaks for all maintainers, and his accusations of unethical research remain unchallenged by this report.

Research scandal sees Linux Kernel ban 'all future contributions

  • Research scandal sees Linux Kernel ban 'all future contributions' from University of Minnesota

    Anyone sporting a University of Minnesota email has been banned from posting on the open-source Linux Kernel Archives after a group of researchers from the institution knowingly submitted buggy patches in order to gauge community reactions for their research.

    Brought to our attention via a LinusTechTips forum post, it seems it all began with some researchers from the university utilising the Linux Kernel site to gauge its level of security. The way they went about this research, however, has been considered somewhat unethical by the site's standards, resulting in the blanket ban of future contributions from the university at large.

    The researchers had been posting what the maintainer of the site, Greg Kroah-Hartman, identified as 'known-buggy' patches, after which—and without owning up to their machinations—they went on to publish a paper on the topic.

    When the site maintainer confronted them, their response was gold:

    "I respectfully ask you to cease and desist from making wild accusations that are bordering on slander."

Here is Linux Advisory Board's ruling on University of Minnesota

  • Here is Linux Advisory Board's ruling on University of Minnesota's "hypocrite commits"

    A couple of weeks ago, we reported that Greg Kroah-Hartman from the Linux kernel development and maintenance team, has banned submissions from the University of Minnesota (UMN) due to some questionable patches that they submitted. The issue received a lot of public attention particularly due to the email exchanges between Hartman and the student researchers being made public. The latter argued that the patches come in the form of "a new static analyzer", but Hartman took issue with the fact that the clearly incorrect patches had been submitted to the kernel without any warning.

    After much back and forth, the department heads for Computer Science at UMN stated that they would investigate the matter further, and soon after, the student researchers published an apology giving more context to their dubious efforts.

    Now, the Linux Technical Advisory Board (TAB) has published its own findings about the matter and its recommendations for the future.

Linux Technical Advisory Board releases report on UMN patches

  • Linux Technical Advisory Board releases report on UMN patches

    The Linux Technical Advisory Board (TAB) released a new report to show the remediation measures that were undertaken after researchers from the University of Minnesota (UMN) submitted compromised code submissions to the Linux kernel.

    UMN previously submitted many bug fixes that were merged into kernel releases, but the breach of trust between the community and UMN first started when UMN researchers did an experimental research project on “Hypocrite Commits” that involved intentionally submitting patches that caused issues with the kernel in August last year.

    As a result, Greg Kroah-Hartman, a Linux kernel maintainer, asked the community to stop accepting patches from UMN and began a re-review of all submissions previously accepted from the university after perceiving that they were sending compromised code.

    The university has since retracted the “Hypocrite Commits” paper and Kroah-Hartman posted a final set of reverts this week.

TechRadar again

  • Linux review board says rogue researchers did not successfully insert buggy patches into kernel

    The Linux Foundation's Technical Advisory Board (TAB) has prepared a report to summarize the “Hypocrite Commits” row after a thorough review of all University of Minnesota (UMN) submissions found that none of the buggy code made it to the mainline Linux kernel.

    Prepared by TAB with patch review help from several kernel developers, the report summarizes the events that led to a call for a review of all submissions from UMN, along with the findings of the review.

    Senior kernel developer Greg Kroah-Hartman asked the community to stop accepting patches from UMN and to review all of their previous contributions after catching UMN researchers deliberately sending compromised code submissions to the kernel.

Linux Technical Advisory Board Issues Findings On UMN's Shady...

  • Linux Technical Advisory Board Issues Findings On UMN's Shady Kernel Conundrum

    In April, we first reported on Linux Kernel dev and maintainer Greg Kroah-Hartman banning submissions from the University of Minnesota due to new concerning patches. It had also come to light that UMN had done questionable research on the Linux kernel team, and people were already wary. Now, the Linux Technical Advisory Board (TAB) has published its findings on the events and recommendations for the future.

    Over the rather lengthy audit of the situation, the TAB lays out a timeline of events from 2018 up through today detailing what has led to what we now face. Since that original date, UMN had submitted nearly 400 bug-fix patches centering around research papers. Two years later in August, UMN researchers submitted “hypocrite commits” under false identities, which was already concerning. Then in April of this year, new seemingly sketchy patches were being submitted again, and people were concerned, including Greg Kroah-Hartman, who called out UMN.

    After this happened, the TAB kicked off a review and investigation with some interesting findings and recommendations. Interestingly, of the UMN patches submitted, 349 were correct, 39 needed to be fixed, and 47 others either did not matter anymore or fell into other categories, which you can see here. The 39 problematic commits are to be reverted and replaced in due time before the 5.13 kernel release.

An IEEE statement on the UMN paper

  • An IEEE statement on the UMN paper

    The IEEE, whose Symposium on Security and Privacy conference had accepted the "hypocrite commits" paper for publication, has posted a statement [PDF] on the episode.

    [...]

    The statement concludes with some actions to be taken by IEEE to ensure that ethically questionable papers are not accepted again.

Linux Foundation Issues Frosty Final Judgment in UMN Scandal

  • Linux Foundation Issues Frosty Final Judgment in UMN Scandal

    The Linux Foundation Technical Advisory Board has released its findings regarding the University of Minnesota's (UMN) contributions to the Linux kernel—including those related to the research projects that got the university banned from working on that kernel. The group also explained how the school might be able to earn some forgiveness, but it won't be easy.

    A quick refresher: In mid-April, the Linux developer who oversees the kernel's stable channel, Greg Kroah-Hartman, banned the entire UMN system from contributing to the Linux kernel in response to a couple of the university's research projects that centered on purposefully introducing faulty code to the kernel. The situation quickly became a point of contention to many in the Linux developer community.

    UMN's Department of Computer Science & Engineering apologized for the research, as did the assistant professor and the graduate students who conducted it, in the days following Kroah-Hartman's announcement. But the Technical Advisory Board still had to double-check every UMN-related contribution to the Linux kernel.

Linux Review Board: Researchers fail to insert buggy patches

  • Linux Review Board: Researchers fail to insert buggy patches into kernel

    Linux kernel will issue best practices for scientists operating with the kernel community. The review board says rogue researchers did not successfully insert buggy patches into the kernel.

    The Linux Foundation‘s Technical Advisory Board (TAB) has developed a statement to review the “Hypocrite Commits” line. After that, a thorough review of all Minnesota University (UMN) submissions found that none of the buggy code made it to the mainline Linux kernel.

Minnesota seeks rethink on computing ethics after Linux sting

  • Minnesota seeks rethink on computing ethics after Linux sting

    Much of the lingering disagreement has centred on the role of institutional review boards (IRBs), which adjudicate on study proposals that involve human subjects.

    Computer science experiments generally are not regarded as subject to IRB reviews, and Minnesota’s IRB – approached by Dr Lu after the controversy became public – affirmed that position for his type of project.

    That judgement has not gone over well with Linux leadership. “As someone who was ‘researched on’ as part of this ‘experiment’, I was not happy to have this pointed out to me after the fact,” said Greg Kroah-Hartman, a Linux Foundation fellow in Amsterdam who plays a chief role in Linux maintenance.

An update on the UMN affair

  • An update on the UMN affair

    On April 20, the world became aware of a research program conducted out of the University of Minnesota (UMN) that involved submitting intentionally buggy patches for inclusion into the Linux kernel. Since then, a paper resulting from this work has been withdrawn, various letters have gone back and forth, and numerous patches from UMN have been audited. It's clearly time for an update on the situation.

    The writing of a paper on this research [PDF] was not the immediate cause of the recent events; instead, it was the posting of a buggy patch originating from an experimental static-analysis tool run by another developer at UMN. That led developers in the kernel community to suspect that the effort to submit intentionally malicious patches was still ongoing. Since then, it has become apparent that this is not the case, but by the time the full story became clear, the discussion was already running at full speed.

    The old saying still holds true: one should not attribute to malice that which can be adequately explained by incompetence.

    On April 22, a brief statement was issued by the Linux Foundation technical advisory board (or TAB, of which your editor is a member) stating that, among other things, the recent patches appeared to have been submitted in good faith. Meanwhile, the Linux Foundation and the TAB sent a letter to the UMN researchers outlining how the situation should be addressed; that letter has not been publicly posted, but ZDNet apparently got a copy from somewhere. Among other things, the letter asked for a complete disclosure of the buggy patches sent as part of the UMN project and the withdrawal of the paper resulting from this work.

    In response, the UMN researchers posted an open letter apologizing to the community, followed a few days later by a summary of the work they did [PDF] as part of the "hypocrite commits" project. Five patches were submitted overall from two sock-puppet accounts, but one of those was an ordinary bug fix that was sent from the wrong account by mistake. Of the remaining four, one of them was an attempt to insert a bug that was, itself, buggy, so the patch was actually valid; the other three (1, 2, 3) contained real bugs. None of those three were accepted by maintainers, though the reasons for rejection were not always the bugs in question.

    The paper itself has been withdrawn and will not be presented in May as was planned. One can, hopefully, assume that UMN will not be pursuing similar lines of research anytime soon.

University of Minnesota 'researchers' (vandals) fail....

  • University of Minnesota researchers fail to understand consent - Help Net Security

    You’d think with all the recent discussion about consent, researchers would more carefully observe ethical boundaries. Yet, a group of researchers from the University of Minnesota not only crossed the line but ran across it, screaming defiantly the whole way. In response, the Linux Foundation, which is the core of the open-source community, took the unprecedented step of banning the entire University of Minnesota from contributing to the Linux kernel.

    [...]

    Alternatively, they could have worked with the Linux Foundation to conduct this research as a controlled experiment. Getting the consent of that Foundation means that the admins would know which submissions were subversive, allowing them to be filtered before going live.

    While both of these options reduce the risk of a vulnerability making it through to a live product that people depend on, it still skirts the ethics of what then amounts to a social experiment on individuals who donated their time and skill in good faith. This is undoubtedly better than the path they chose but still not completely ethical. Experimenting on or with human behavior is always a tricky proposition.

    As it is, the path they chose and their reasoning behind it harkens back to the earliest days of technology, when the line blurred between good-faith security testing and cybercriminal. This was the impetus for legislative intervention and a code of ethics within the hacking / cybersecurity community. Ethics are the critical line that divides a hacker / White Hat from a bad actor / a Black Hat.

    [...]

    Much like in the realm of security, the scientific community also subscribes to a set of ethical guidelines about how they conduct their research. Specifically, at UMN, they have an Institutional Review Board (IRB), which outlines what research with human subjects is acceptable and is intended to review and approve studies with human subjects.

    Apparently, the IRB at UMN does not consider the Linux Kernel developer community to be humans as, according to the research paper, they provided an exemption to the team. I am not sure how researching how a development team reacts to subversive behavior is not a study of humans or human behavior. However, my expertise is cybersecurity for a reason. We also should consider the possibility that the IRB at UMN might have been misled.

    The fact that UMN has recently launched an investigation seems to support that possibility.

The Role of Ethics in Cybersecurity Studies

  • The Role of Ethics in Cybersecurity Studies

    Nobody wants to be a proverbial guinea pig; least of all, developers donating their time and energy to making the world a better place. You’d think with all the recent discussion about consent, researchers would more carefully observe ethical boundaries. Yet, a group of researchers from the University of Minnesota not only crossed the line but ran across it, screaming defiantly the whole way.

    In response, the Linux Foundation, which is the core of the open source community, took the unprecedented step of banning the entire University of Minnesota from contributing to the Linux kernel. The open source community is built upon the principles of trust, cooperation and transparency. This group donates time and high-value industry skills to create, maintain and improve free and widely adopted software in the interest of making technology more accessible. Linux is a widely used operating system found in everything from servers to cell phones.

    Yet, a group of researchers abused this community’s trust by not only sneaking vulnerabilities into the code base but then effectively bragging about it in the name of research. In February 2021, a team from UMN published a research article outlining how they systematically and stealthily introduced vulnerabilities into open source software. They did this through comments that appeared beneficial but, in actuality, introduced critical vulnerabilities. Though stating it targeted open source as a whole, much of the researchers’ attention was aimed at the Linux Kernel. The Kernel is the foundation of the operating system and manages the interactions between hardware and applications.

Linux 5.13 Reverts + Fixes The Problematic...

  • Linux 5.13 Reverts + Fixes The Problematic University of Minnesota Patches

    One month ago the University of Minnesota was banned from contributing to the Linux kernel when it was revealed the university researchers were trying to intentionally submit bugs into the kernel via new patches as "hypocrite commits" as part of a questionable research paper. Linux kernel developers have finally finished reviewing all UMN.edu patches to address problematic merges to the kernel and also cleaning up / fixing their questionable patches.

    Sent in on Thursday by Greg Kroah-Hartman was char/misc fixes for 5.13-rc3. While char/misc fixes at this mid-stage of the kernel cycle tend to not be too exciting, this pull request has the changes for addressing the patches from University of Minnesota researchers.

Open-Source Ethics, and how the University of Minnesota...

Linux 5.13 Release Candidate 3 Fixes 37 Patches From Banned Uni

  • Linux 5.13 Release Candidate 3 Fixes 37 Patches From Banned University

    It might be time to put away the popcorn. Phoronix today reported that Linux developer Greg Kroah-Hartman reverted 37 patches associated with the University of Minnesota (UMN), which he banned from contributing to the kernel in April. This came via a pull request to Linux 5.13 Release Candidate 3 (5.13-rc3) submitted on Thursday.

    "The majority here is the fallout of the umn.edu re-review of all prior submissions," Kroah-Hartman said in the pull request for these changes. "That resulted in a bunch of reverts along with the 'correct' changes made, such that there is no regression of any of the potential fixes that were made by those individuals. I would like to thank the over 80 different developers who helped with the review and fixes for this mess."

    UMN was banned from contributing to the Linux kernel in April following two research projects — one into "hypocrite commits" and one the researchers said was meant to "automatically identify bugs introduced by other patches (not from us)"—that drew ire from the Linux developer community. The Linux Foundation Technical Advisory Board (TAB) ended up reviewing 435 contributions associated with UMN.

A quarter of all UMN patches are defects/sabotage

  • Linux 5.13 Reverts and Fixes Problematic University of Minnesota Patches

    One month ago the University of Minnesota was banned from contributing to the Linux kernel when it was revealed the university researchers were trying to intentionally submit bugs into the kernel via new patches as "hypocrite commits" as part of a questionable research paper. Linux kernel developers have finally finished reviewing all UMN.edu patches to address problematic merges to the kernel and also cleaning up / fixing their questionable patches. Sent in on Thursday by Greg Kroah-Hartman was char/misc fixes for 5.13-rc3. While char/misc fixes at this mid-stage of the kernel cycle tend to not be too exciting, this pull request has the changes for addressing the patches from University of Minnesota researchers. [...] Going by the umn.edu Git activity that puts 37 patches as having been reverted with this pull request. The reverts span from ALSA to the media subsystem, networking, and other areas. That is 37 reverts out of 150+ patches from umn.edu developers over the years.

Phoronix noted that out of the 150 or so patches....

  • It took 'over 80 different developers' to review and fix 'mess' made by students who sneaked bad code into Linux

    Phoronix noted that out of the 150 or so patches submitted by umn.edu developers over the years, only 37 ended up being reverted in this pull request. Most were either unneeded or "incorrect."

    The request brings to an end the reviewing and cleaning up of the umn.edu patches to the kernel, and we're sure the time of those "over 80 different developers" could have better been used elsewhere.

    However, questions remain over processes behind the scenes, such as those posed by Filippo Valsorda, a cryptographer and software engineer, over making trust decisions based on email domains.

More than 80 Linux devs called on to help to fix 'mess' created

  • More than 80 Linux devs called on to help to fix 'mess' created by rogue contributors

    It took over 80 developers to review the Linux kernel and ensure it was free of tainted code recently submitted by University of Minnesota (UMN) researchers.

    The “Hypocrite Commits” row erupted last month when senior kernel developer Greg Kroah-Hartman urged the community to review all contributions made by UMN after catching researchers from the university deliberately sending compromised code submissions to the kernel.

    Turning in a set of fixes for the current under-development kernel release last week, Kroah-Hartman noted that the majority of the changes are the result of the thorough review.

The University of Minnesota Linux scandal doesn’t smell right

  • The University of Minnesota Linux scandal doesn’t smell right. IBM and Microsoft’s toll on Linux development bring Windows-like experience.

    So, recently, the University of Minnesota got caught submitting bad patches to the Linux kernel, on purpose, and this led to a huge effort to review hundreds of patches that they had submitted to see which ones needed to be tweaked or backed out.

    In the early 2000s, there was a lot of fuss about one patch made on an obscure mirror of the kernel’s source tree, which implemented a backdoor, but was never (and would never) be merged.

    Linus Torvalds’ father, Nils Torvalds, all but admitted that Linus had been approached by the United States government asking him to backdoor Linux, at least once.

    The problem with the recent UMN scandal is not only that so many bad patches had to be backed out, or the fact that it took so many resources away from actively improving the kernel.
