Author Topic: University of Minnesota Linux code security issues; banned and to be removed  (Read 13478 times)


Offline rstofer

  • Super Contributor
  • ***
  • Posts: 9963
  • Country: us
In the FPGA universe, it is common to build test benches to verify component behavior.  I don't know that program code gets this level of testing.  Maybe...

If builders built buildings like programmers write programs, the first woodpecker to come along would destroy civilization.
 

Offline tunk

  • Super Contributor
  • ***
  • Posts: 1099
  • Country: no
The "Call For Papers" for this symposium is below; all submitted papers
are reviewed (no description of what this means). This paper was accepted,
so the review process can't be very rigorous. And maybe IEEE should
reconsider the acceptance?

https://www.ieee-security.org/TC/SP2021/cfpapers.html
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
In the FPGA universe, it is common to build test benches to verify component behavior.
And the review in this case was focused on the component. The issues are introduced in the integration part.

If the FPGA process were so good, we would not have errata. Yet there are pages of them for the simplest of MCUs.

And buildings also experience issues that need fixing occasionally. Get off your high horse and don't assume you are somehow better than everyone else.
Alex
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
From the earliest days, the Kernel devs have made it clear that you must not waste their time with submitting code that does not work as advertised. Anyone with even an outer-orbit involvement of the Linux kernel knows this.

The uni scrambled to put together a statement so as to avoid getting sued. If that had happened to a tech company, not a community as such, the uni would be getting sued back into the stone age. Notice the difference if you were to 'test' the IT infrastructure of a govt department. Someone's ass would be heading for jail.

The uni dept heads are culpable because they should have peer-reviewed code sent upstream and thus been aware of the malicious intent. Either that or they are lying about knowing.

Greg KH's response is justified.
iratus parum formica
 

Offline DrG

  • Super Contributor
  • ***
  • !
  • Posts: 1199
  • Country: us
There is being an asshole and there is being an asshole who has done something tangibly wrong in a moral, ethical and legal sense, that you can prove.

There has to be a sound and clearly stated reason to be punitive and the degree of punishment needs to at least appear to be commensurate with the wrongdoing.

So, what, if anything, do you do to this fellow and his supervisor if you are the University?

I believe the author has admitted wasting their time and apologized. Some rationale about not knowing how else to demonstrate what he wanted to demonstrate.  Looks like there is no big argument here, but how much punishment can be meted out for that?

Let's say the University can and does withdraw the paper - they need to have some sound reasons to do that, if they already approved the submission (passively or actively). The question becomes, what new information has come to light since then that can justify that action?

Let's say the proceedings folks cancel it - same situation...if it was accepted, what has changed?

IOW, would either party say....well we screwed up and did not know what we were clearing.....whoa.

Let's say it is determined that the IRB should not have granted a human use waiver, or, if it is in their jurisdiction, should have found it to be unethical. If they now say that it constitutes human use, there is a whole shitload of ramifications. If they now decide it is unethical, what changed?

So, trying to un-ring the bell has some serious problems. Adding new regs....added agreements, signed promises, however you want to say it - yeah, that can certainly be done.

Somebody want to start litigation of some kind - ok, now show damages.

We all know that we put more checks and balances in place than we have the resources to manage, let alone enforce.

There may be a lot of poor judgement here, especially by the author, and I would not want to be in that fellow's shoes or his supervisor....but I don't see that something very severe will be done...and I may find out otherwise as it is story that is unfolding.
« Last Edit: April 25, 2021, 02:10:19 am by DrG »
- Invest in science - it pays big dividends. -
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
The code was submitted under the banner of the name of the Uni. Not as an individual.

iratus parum formica
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado


There may be a lot of poor judgement here, especially by the author, and I would not want to be in that fellow's shoes or his supervisor....but I don't see that something very severe will be done...and I may find out otherwise as it is story that is unfolding.

Don't get me wrong. The ban won't be forever. I expect that trust will resume once a change of leadership has happened. It's up to them.
iratus parum formica
 

Offline DrG

  • Super Contributor
  • ***
  • !
  • Posts: 1199
  • Country: us


There may be a lot of poor judgement here, especially by the author, and I would not want to be in that fellow's shoes or his supervisor....but I don't see that something very severe will be done...and I may find out otherwise as it is story that is unfolding.

Don't get me wrong. The ban won't be forever. I expect that trust will resume once a change of leadership has happened. It's up to them.

No, I think I understand what you are saying. The ban is for submissions from their .edu. So, how damaging is that for the Univ? I don't know who gets really hurt there...one way of telling is if the Univ says...we have done x y z to prevent this from happening ....and then the ban gets lifted.

edited: I mean, the Linuxites seem to be within their rights....we got these bogus patch requests from your .edu and they wasted our time, so we are not going to accept such requests from your .edu. How bad is that and for whom?
« Last Edit: April 25, 2021, 02:35:52 am by DrG »
- Invest in science - it pays big dividends. -
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
So, what, if anything, do you do to this fellow and his supervisor if you are the University?
Get them out. Do so with the review board too. They should know better: unethical behaviour does not just start at human experimentation. And if they really think it does - they need to go just for that reason.

I think it is not too late for the University to resolve the issue in general, just talk to the kernel people in private.

Let's say the proceedings folks cancel it - same situation...if it was accepted, what has changed?
The understanding that this childish behaviour should not be encouraged. Because even if kernel people are no longer talking to you, presenting that at a conference may be a decent "get" anyway.

If they now decide it is unethical, what changed?
This "research" is a clear waste of time and money. To anyone with half a brain, it should be obvious that you can get bad code into the kernel. This happens all the time unintentionally. Obviously doing so intentionally is even easier. How is this not obvious? The topic of the paper is just dumb, it demonstrates absolutely nothing, as there is no way to address the supposed issue.

Somebody want to start litigation of some kind - ok, now show damages.
I would not. Why waste time? Not dealing with people that intentionally waste my time is the best I can do.
Alex
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
I don't know who gets really hurt there...one way of telling is if the Univ says...we have done x y z to prevent this from happening ....and then the ban gets lifted.
I'm pretty sure this is resolvable. The University just needs to talk in private, and not issue more stupid suggestions to update the code of conduct. Get someone who is not too woke to do that.
Alex
 

Offline DrG

  • Super Contributor
  • ***
  • !
  • Posts: 1199
  • Country: us
I don't know who gets really hurt there...one way of telling is if the Univ says...we have done x y z to prevent this from happening ....and then the ban gets lifted.
I'm pretty sure this is resolvable. The University just needs to talk in private, and not issue more stupid suggestions to update the code of conduct. Get someone who is not too woke to do that.

I think the author was the one who made the suggestion to update the code of conduct (maybe the Univ did also). But, what are they going to say in private? I don't think they want the attention, period, but if they really screwed up somewhere along the line - and I do not know that they did - they will have to change something, I would think.
- Invest in science - it pays big dividends. -
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
I think the author was the one who made the suggestion to update the code of conduct (maybe the Univ did also). But, what are they going to say in private? I don't think they want the attention, period, but if they really screwed up somewhere along the line - and I do not know that they did - they will have to change something, I would think.
Just promising to change the review process and not submit malicious code would be enough. This just needs to come from a high enough level at the Uni.

The public reaction of the kernel developers is fully justified. If they let it slide, there will be a competition among haxors who can submit the biggest hole into the kernel unnoticed. This behavior needs to be nipped in the bud. People need to understand that there is not much to be gained and quite a bit to be lost here.

Zero tolerance policies may appear cruel at times, but they are often the only way to prevent unwanted behaviour.
« Last Edit: April 25, 2021, 02:47:26 am by ataradov »
Alex
 

Offline DrG

  • Super Contributor
  • ***
  • !
  • Posts: 1199
  • Country: us
So, what, if anything, do you do to this fellow and his supervisor if you are the University?
Get them out. Do so with the review board too. They should know better: unethical behaviour does not just start at human experimentation. And if they really think it does - they need to go just for that reason.

I think it is not too late for the University to resolve the issue in general, just talk to the kernel people in private.

Let's say the proceedings folks cancel it - same situation...if it was accepted, what has changed?
The understanding that this childish behaviour should not be encouraged. Because even if kernel people are no longer talking to you, presenting that at a conference may be a decent "get" anyway.

If they now decide it is unethical, what changed?
This "research" is a clear waste of time and money. To anyone with half a brain, it should be obvious that you can get bad code into the kernel. This happens all the time unintentionally. Obviously doing so intentionally is even easier. How is this not obvious? The topic of the paper is just dumb, it demonstrates absolutely nothing, as there is no way to address the supposed issue.

Somebody want to start litigation of some kind - ok, now show damages.
I would not. Why waste time? Not dealing with people that intentionally waste my time is the best I can do.

The thing is, and I am really not trying to be confrontational, that if you are being administrative and being official, you can't start withdrawing papers that you already cleared (assuming they did) because it was childish.

"clear waste of time and money" IYO, but the defense is that "we did it to show this dangerous situation and blah blah blah" - again, not trying to contradict you, but I have to point out that some of what you're saying is really opinionated and would not, necessarily, "litigate" well. If it was specified very well, operationally defined, concisely, it could be codified I suppose...but that is a lot of work.
« Last Edit: April 25, 2021, 03:09:27 am by DrG »
- Invest in science - it pays big dividends. -
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
you can start withdrawing papers that you already cleared (assuming they did) because it was childish.
But this already happens all the time. Most of the time it happens because results were not interpreted correctly, or the experiment was not clean.

The article can absolutely be pulled by the University. And from the IEEE conference. In fact, if they did not do this already, it kind of shows that they want to burn the bridges entirely.

would not, necessarily,"litigate" well.
It is great that kernel developers are just private people who can choose to not deal with a certain organization "just because". They don't need to litigate.
Alex
 

Offline DrG

  • Super Contributor
  • ***
  • !
  • Posts: 1199
  • Country: us
I think the author was the one who made the suggestion to update the code of conduct (maybe the Univ did also). But, what are they going to say in private? I don't think they want the attention period, but if they really screwed up somewhere along the line - and I do not know that they did, they will have to change something I would think.
Just promising to change the review process and not submit malicious code would be enough. This just needs to come from a high enough level at the Uni.

The public reaction of the kernel developers is fully justified. If they let it slide, there will be a competition among haxors who can submit the biggest hole into the kernel unnoticed. This behavior needs to be nipped in the bud. People need to understand that there is not much to be gained and quite a bit to be lost here.

Zero tolerance policies may appear cruel at times, but they are often the only way to prevent unwanted behaviour.

OK, let me come at it differently, because I do think that you are more right than wrong, but when you want to regulate something (or stop something) you have to be downright brilliant in how you codify it or you will get all kinds of unintended effects.

What should have happened to have prevented this? Hypothetically...a supervisor saying "I do not support this line of research, or this methodology (or both) because I don't think it is novel or significant or likely to yield information of real value". That should have stopped it, and that happens all the time (much to the dismay of graduate students). But what if the supervisor does not feel that way?

I had a dissertation proposal meeting and it lasted for hours...it was not just my supervisor, it was 4-5 others including someone not at the Univ....that was the SOP. So, at that proposal meeting, you hashed out any problems with your plan...you had to show all sorts of stuff...feasibility, statistical expertise and an analysis plan, preliminary or supporting data - the whole ball game, and you, of course, you had to have the blessing of your supervisor.

A mini version of all of that had to take place if you wanted to do any research.

So, did that happen here? Should it have - I'm sure you would say yes, but academic freedom is a big deal as I'm sure you know. It is very complicated and you, in general, want to keep it that way so that you are not turning out factory style work (some would argue that happens anyways).

So, my point, assuming I have one, is that I don't want to see a lot of new restrictions put in place that are not needed and will have other consequences and will suck up resources.

First, I want to know precisely what was done wrong here.
- Invest in science - it pays big dividends. -
 

Offline DrG

  • Super Contributor
  • ***
  • !
  • Posts: 1199
  • Country: us
you can start withdrawing papers that you already cleared (assuming they did) because it was childish.
But this already happens all the time. Most of the time it happens because results were not interpreted correctly, or the experiment was not clean.

The article can absolutely be pulled by the University. And from the IEEE conference. In fact, if they did not do this already, it kind of shows that they want to burn the bridges entirely.

would not, necessarily,"litigate" well.
It is great that kernel developers are just private people who can choose to not deal with a certain organization "just because". They don't need to litigate.

Hang on a minute. Papers are not routinely withdrawn because "results were not interpreted correctly, or experiment was not clean." - a paper like that should not have been cleared, submitted, reviewed and accepted. Having to withdraw it means that something happened in the meantime, and in my world that was a huge rarity, and I never withdrew a paper like that, ever. Now, I can remember telling someone to remove my name from a presentation unless you do this or that, because I am not going to be part of those conclusions given those data and those analyses...that was more than enough...and all that took place before it was submitted for local clearance.

I am not saying the Univ can't withdraw the paper (I did say, assuming that they can). Let's stipulate that they can...they have to state a reason...they can't say, after they allowed it to be submitted, well we want it withdrawn because they are childish - you get what I am saying?

The Linuxites are well within their rights to reject patch requests from an .edu, and whether they have to or not, they did give a reason. I would add, when people or entities engage in punitive action without giving a reason, it invites trouble.
« Last Edit: April 25, 2021, 03:14:11 am by DrG »
- Invest in science - it pays big dividends. -
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
But what if the supervisor does not feel that way?
That is fine. You start by going to Linus or anyone on top in charge and disclose the proposal. Or even ask more than just the supervisor. Peer review your proposal. But in that specific place the IRB was supposed to be that review, which has also failed. And that is something the Uni should address.

If Linus agrees that this may be a valid test, he will outline exact boundaries (I bet it would exclude the code reaching stable kernel). I would trust Linus to not tell everyone to expect this check (unlike most of the certification checks I've been a part of at various jobs).

I had a dissertation proposal meeting and it lasted for hours...it was not just my supervisor, it was 4-5 others including someone not at the Univ....that was the SOP. So, at that proposal meeting, you hashed out any problems with your plan...you had to show all sorts of stuff...feasibility, statistical expertise and an analysis plan, preliminary or supporting data - the whole ball game, and you, of course, you had to have the blessing of your supervisor.
Exactly. And this means that this system failed. And that is what you do as a Uni - admit that you pushed the edge too far and promise to do a better job reviewing this stuff.

And if all of those people did not just rubber-stamp this and for real thought it was a valid thing to do, then their qualifications should be questioned too.

So, my point, assuming I have one, is that I don't want to see a lot of new restrictions put in place that are not needed and will have other consequences and will suck up resources.
But because of malicious "research" like this, kernel developers now have to suck up more resources on their side to prevent others from trying the same stunt.

Just to be clear, I'm not saying that this article somehow revealed that it is easy to push bad patches. No, this is well known, and I'm sure state actors take advantage of that already. The point is to prevent the flood gates of low grade crap like this from opening.

First, I want to know precisely what was done wrong here.
In short - a poor experiment setup passed the review process.

If anything, I feel like this shows the disconnect between industry and academia. Academics think that no bad code must ever pass the review. But this is not attainable in real life without stopping the development process entirely. This does not just affect OSS projects. Commercial projects suffer from the same issue. So maybe review boards need to include more people from the industry with a realistic view of the world.
« Last Edit: April 25, 2021, 03:20:03 am by ataradov »
Alex
 

Offline DrG

  • Super Contributor
  • ***
  • !
  • Posts: 1199
  • Country: us
Well, I appreciate the dialog. But, what you are saying, as I understand it, is that the Univ has to own up to some mistakes and take solid corrective measures....well maybe they will, but we'll see. :)
- Invest in science - it pays big dividends. -
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
Hang on a minute. Papers are not routinely withdrawn because "results were not interpreted correctly, or experiment was not clean." - a paper like that, should not have been cleared, submitted, reviewed and accepted.

The definition of "all the time" is vague, so I withdraw that :) But it happens quite a bit. That's why sites like https://retractionwatch.com/ exist.


One of the most recent examples of such "research" is this - https://retractionwatch.com/2021/04/21/journal-retracts-paper-suggesting-smoking-is-linked-to-lower-covid-19-risk/ . I'm not involved with the scientific process, so I'm not too familiar with it, but this article should have never made it out of the door of any legit institution.

I would add, when people or entities engage in punitive action without giving a reason, it invites trouble.
The reason - you wasted their time. At first having to deal with the fallout of the bogus article, and then having to remove all the previously submitted code as potentially vulnerable.
Alex
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
And this behaviour overall is reminding me of the researchers attempting to show that peer review is also questionable by submitting and passing review on AI generated garbage articles.

Again, it seemingly shows a vulnerability of the system. In reality it shows nothing. Sure, it would be better if the peer review process caught complete nonsense. But at the same time, who cares if that nonsense is of no real significance.
Alex
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Well, I appreciate the dialog. But, what you are saying, as I understand it, is that the Univ has to own up to some mistakes and take solid corrective measures....well maybe they will, but we'll see. :)

I think that due to the personal situation of those involved, public opinion may force Greg KH to walk back his statement.
iratus parum formica
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 7453
  • Country: pl
You guys are funny :P

The offending patches have not been submitted from the university's domain, but from throwaway gmail accounts. It's all described in the paper, but of course no one who has an opinion about the paper has actually read it, as usual.

The patches were never meant to damage anything, they say they informed the maintainers about the experiment as soon as the malicious patches received approval on the mailing list and suggested correct fixes.

Unfortunately we won't get to see the details of those exchanges without some extensive digging, because they have been redacted from the paper to protect the guilty maintainers. That was indeed done to calm down the ethics review guys.

They passed ethics review by insisting that no personal information will be collected or published and they only test "the development process" as such.


Finally, all the patches nuked by Greg were patches from random students looking for issues or playing with static analyzers. Most appear to have been accepted, a few have been found suboptimal, a few were rejected because they don't work.

I'm disappointed that Greg hasn't followed up with the obvious and requested a review of patches submitted from other students around world (and from random strangers with gmail accounts). Like they should be doing in the first place :P


OTOH, the paper is perhaps not very useful and the solutions they propose are either "no shit Sherlock" or plain dumb. But I would say it may still be worth it for the publicity stunt alone >:D Perhaps a lesson has been learned, do such things anonymously and don't brag about them under your real name later.
« Last Edit: April 25, 2021, 06:31:53 am by magic »
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
You guys are funny :P

The offending patches have not been submitted from the university's domain, but from throwaway gmail accounts. It's all described in the paper, but of course no one who has an opinion about the paper has actually read it, as usual.



Can you point to the spot in said paper?

Gmail accounts are historically how Linux people communicate.
iratus parum formica
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 7453
  • Country: pl
You start with downloading the PDF and then CTRL+F gmail :P

Section VI on page 8.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11905
  • Country: us
    • Personal site
It does not matter what emails were used. The work is endorsed by the University.  And the "publicity stunt" is the reason why that uni should be forever banned from submitting anything. It would start a war of one upping each other. There must be real consequences for publicity stunts.

It is like gender reveal parties. The further it goes, the stupider and more dangerous it gets.

And their recent apology letter should be followed up by withdrawing that article from the IEEE conference. As it stands, their words still say one thing, and the actions say completely the opposite.

The work on the article started quite some time ago. Those things have a pipeline. So who knows what other articles they were working on, and what consecutive patches from them are trying to test other things? It is safer to just remove all of them. Especially given that their contributions were not significant in any way.
« Last Edit: April 25, 2021, 06:53:09 am by ataradov »
Alex
 
