University of Minnesota Linux code security issues; banned and to be removed
bjbb:
18USC1030(a)(5) and (b)
 
I am just a simple-minded engineer, but I can read. My (legally worthless) opinion is that this Lu person could be prosecuted as part of a conspiracy to intentionally commit a felony described by the above statute. That said, this law is bad because it is, by design, overly broad code intended to cast a wide net such that the feds can easily go after any hacker that pisses them off.

There is only one way that is both ethical and enables actual research. Inform a senior officer of the organization that you want to submit bad stuff, explain your research process, and request permission. This is the de facto process for many penetration research projects.

The 'research' students lied about the nature of the submitted kernel patches, thus expulsion is an academic (IRB) requirement; to wit, the kernel people accused the linux kernel people of "making wild accusations that are bordering on slander" in writing. This alone casts doubt on any and all computer science 'research' programs at that school. The chain of messages indicates other lies and misrepresentations after the kernel people called them out. And there are other messages in the list that claim no changes made it to stable, but at least one did.

I have been criticized in this venue per my comments on the generally poor performance of academia, and I sincerely do not intend to insult educators. But wrong is wrong, and disingenuous actions are not mitigated by 'good' intentions. 
DrG:

....We take this situation extremely seriously. We have immediately suspended this line of research. We will investigate the research method & the process by which this research method was approved, determine appropriate remedial action, & safeguard against future issues, if needed....


From the University's 'official' response (4 days ago in case you missed it) https://twitter.com/UMNComputerSci/status/1384948683821694976
ataradov:
They can apologize all they want. They say nothing about retracting the article, especially from IEEE conference. The authors should not benefit from this, otherwise it just legitimizes the approach of doing something and then apologizing later. You know, Silicon Valley approach of moving fast and breaking things.

For the same reason as illegally obtained evidence is not admissible in the court. They don't say "this was bad, but since we've got it, let's use it". No, they just reject it without questions to not encourage more of the same behaviour.
magic:

--- Quote from: DrG on April 25, 2021, 03:41:37 pm ---"Finally, all the patches nuked by Greg were patches from random students looking for issues or playing with static analyzers. Most appear to have been accepted, a few have been found suboptimal, a few were rejected because they don't work."

So, I just read this: https://lore.kernel.org/linux-nfs/YH%2F8jcoC1ffuksrf@kroah.com/

...

It is difficult to unravel all the facts and I have repeatedly stated that I want to understand clearly what was done and why is it wrong...so even as I continue to get details wrong, I am not that funny.

--- End quote ---
Yes, you are very boring, trying to understand stuff instead of getting triggered :D

This thread does make the ban look more reasonable, but the nature of Aditya Pakki's patches is still unclear. He/she is not one of the authors of the "hypocrite commits" paper and those didn't post from their .edu addresses. It's not clear how Leon Romanovsky made the connection, save for the obvious similarity in the technical quality of said patches.

Here Greg quotes from what appears to be the AP's answer to the shitshow; the archive doesn't contain the original email for some reason.
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/

--- Quote ---On Wed, Apr 21, 2021 at 02:56:27AM -0500, Aditya Pakki wrote:
> Greg,
>
> I respectfully ask you to cease and desist from making wild accusations
> that are bordering on slander.
>
> These patches were sent as part of a new static analyzer that I wrote and
> its sensitivity is obviously not great. I sent patches on the hopes to get
> feedback. We are not experts in the linux kernel and repeatedly making
> these statements is disgusting to hear.
>
> Obviously, it is a wrong step but your preconceived biases are so strong
> that you make allegations without merit nor give us any benefit of doubt.
>
> I will not be sending any more patches due to the attitude that is not only
> unwelcome but also intimidating to newbies and non experts.
--- End quote ---

So either their ethics review board greenlighted a next level project which includes working in the open and lying blatantly, or perhaps it really is another group this time, principally honest but perhaps not as competent as they considered themselves to be ::)

Hence my remark, why stop at one university, just review everything that gets submitted, you never know what's there :P

I wonder if Theo de Raadt has posted anything. On one hand, he would probably enjoy taking the piss at Linux security. On the other, it could invite attention...
magic:
https://lore.kernel.org/linux-nfs/20210423214850.GI10457@fieldses.org/

Just as expected :-DD :popcorn: