
University of Minnesota Linux code security issues; banned and to be removed


hans:

--- Quote from: magic on April 25, 2021, 06:24:53 am ---You guys are funny :P

The offending patches have not been submitted from the university's domain, but from throwaway gmail accounts. It's all described in the paper, but of course no one who has an opinion about the paper has actually read it, as usual.

The patches were never meant to damage anything, they say they informed the maintainers about the experiment as soon as the malicious patches received approval on the mailing list and suggested correct fixes.

Unfortunately we won't get to see the details of those exchanges without some extensive digging, because they have been redacted from the paper to protect the guilty maintainers. That was indeed done to calm down the ethics review guys.

--- End quote ---

That still doesn't change the situation for the better. You can prove that personal information won't be gathered from your test subjects, however, that is par for the course in any scientific experiments regarding test subjects (maintainers in this case).

The thing that disgusts me the most is that the test subjects did not agree to be experimented on; there is no mutual consent; which is quite clearly described by unethical human experiments and very clearly in human subject rights.

Certainly I'm citing documents for medical tests that may involve needles or new medicines. However, I don't really see why engineering should be an exception to that rule. It's just not common practice in our field to worry about these things.

Like I said.. you can only do these kinds of experiments in controlled environments on toy projects.


--- Quote from: magic on April 25, 2021, 06:24:53 am ---OTOH, the paper is perhaps not very useful and the solutions they propose are either "no shit Sherlock" or plain dumb. But I would say it may still be worth it for the publicity stunt alone >:D Perhaps a lesson has been learned, do such things anonymously and don't brag about them under your real name later.

--- End quote ---

Yep... I still really don't understand what novelty the paper is trying to show ;) . Review processes are not airtight processes, because they are controlled by humans. This happens in academia, will happen in code reviews, and probably also just as often in budget approvals within companies.
I'm too lazy to look it up rn, but I'm pretty sure that psychology, (engineering) philosophy and/or behavioural science has done research on controlling review processes and associated cognitive biases.

Even student supervisors or (direct) colleagues can't always catch fraudulent entities. This happens plenty of times in academia, unfortunately. Some students or profs are feeling they're on their back foot in terms of research progress, number of publications, their time frame, etc. Some may also feel they deserve more recognition and thereby force the results. And it's a very trivial thing to do... Being impartial e.g. cherry picking hypotheses that fit the curve is just as bad as making stuff up.

bd139:
All this is academic. Excuse the pun.

Are you aware of any real adversaries who have an ethical experimentation framework? Nope!

This has exposed a huge vulnerability in the process which was an extremely valuable activity. And people are complaining at the university here. Where is the vitriol for the kernel team? Our entire society is built on their work and they fucked up monumentally.

Ed.Kloonk:

--- Quote from: bd139 on April 25, 2021, 08:30:13 am ---All this is academic. Excuse the pun.

Are you aware of any real adversaries who have an ethical experimentation framework? Nope!

This has exposed a huge vulnerability in the process which was an extremely valuable activity. And people are complaining at the university here. Where is the vitriol for the kernel team? Our entire society is built on their work and they fucked up monumentally.

--- End quote ---

Nar.

It gets back to my original point. Don't fuck with the kernel devs.

There are many more peeps reviewing the code than there are those risking excommunication by serving up a shit show.

Go watch Meet the Fockers. Embrace the concept of circle of trust.

 :)

DrG:

--- Quote from: magic on April 25, 2021, 06:24:53 am ---You guys are funny :P

The offending patches have not been submitted from the university's domain, but from throwaway gmail accounts. It's all described in the paper, but of course no one who has an opinion about the paper has actually read it, as usual.

The patches were never meant to damage anything, they say they informed the maintainers about the experiment as soon as the malicious patches received approval on the mailing list and suggested correct fixes.

Unfortunately we won't get to see the details of those exchanges without some extensive digging, because they have been redacted from the paper to protect the guilty maintainers. That was indeed done to calm down the ethics review guys.

They passed ethics review by insisting that no personal information will be collected or published and they only test "the development process" as such.


Finally, all the patches nuked by Greg were patches from random students looking for issues or playing with static analyzers. Most appear to have been accepted, a few have been found suboptimal, a few were rejected because they don't work.

I'm disappointed that Greg hasn't followed up with the obvious and requested a review of patches submitted from other students around world (and from random strangers with gmail accounts). Like they should be doing in the first place :P


OTOH, the paper is perhaps not very useful and the solutions they propose are either "no shit Sherlock" or plain dumb. But I would say it may still be worth it for the publicity stunt alone >:D Perhaps a lesson has been learned, do such things anonymously and don't brag about them under your real name later.

--- End quote ---

As the song goes...lotta people funny - now you funny too.

I did read the original paper and no I did not try to study it intently and yes, you and a kazillion other nerds know much more about Linux than I. I thought the ban was against .edu and maybe I am wrong...probably I am wrong even.

In your indictment about funny people above, "The patches were never meant to damage anything, they say they informed the maintainers about the experiment as soon as the malicious patches received approval on the mailing list and suggested correct fixes." and

"Finally, all the patches nuked by Greg were patches from random students looking for issues or playing with static analyzers. Most appear to have been accepted, a few have been found suboptimal, a few were rejected because they don't work."

So, I just read this: https://lore.kernel.org/linux-nfs/YH%2F8jcoC1ffuksrf@kroah.com/

"> > > They introduce kernel bugs on purpose. Yesterday, I took a look on 4
> > > accepted patches from Aditya and 3 of them added various severity security
> > > "holes".
> >
> > All contributions by this group of people need to be reverted, if they
> > have not been done so already, as what they are doing is intentional
> > malicious behavior and is not acceptable and totally unethical.  I'll
> > look at it after lunch unless someone else wants to do it..."

Yes, there are snips and so on and it is hard to follow the thread, but it does not look like these are all from random students, as you said. It looks like these are from a known and small group of students. [edit: the ones that really pissed people off]

There also appear to have been two rounds of this and "the paper" is distinct from the "analyzer" round. Even though you mentioned the analyzer, you don't seem to appreciate that difference when you suggest "it's all in the paper".

It is difficult to unravel all the facts and I have repeatedly stated that I want to understand clearly what was done and why it is wrong...so even as I continue to get details wrong, I am not that funny.

DrG:
From: Kangjie Lu <kjlu@umn.edu>
To: open list <linux-kernel@vger.kernel.org>
Cc: Qiushi Wu <wu000273@umn.edu>, Aditya Pakki <pakki001@umn.edu>
Subject: An open letter to the Linux community
Date: Sat, 24 Apr 2021 17:30:50 -0500

An apology, posted yesterday... https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/
