University Banned From Contributing To Linux Kernel For Intentionally Inserting Bugs

• #81
Holy shit, I think I lost brain cells after reading all the comments... How did you nitwits end up on the topic of supposed "SJWs", one goober screaming about the "CODE OF CONDUCT", and China????? It is fully possible to discuss this whole issue without going into any of that BS. Here, I'll do it myself:

The way that this "study" was carried out was incredibly irresponsible. This was missing an essential part of any ethical pen-test: making sure the target is aware of the whole plan. I'm not sure if any of the Linux kernel maintainers would've agreed to that, or if that would've potentially "tampered" with the results, but that's the only way this could've been done without pissing everyone off. This was an unethical, non-consensual pen-test, and all in all, a very very stupid idea in the first place. Common sense is important.


• #82
Originally posted by pmorph:
I'd like to see that. Companies backing up those cries also need to explain how injecting vulnerabilities into their products is a good thing.

You needn't worry about that. People have argued that math's "correct vs incorrect" approach is somehow about white supremacy already. This will be a piece of cake.

And no, I'm not joking: https://eu.monroenews.com/story/opin...ng/4628230001/


• #83
What kind of research requires them to do this more than 200 times?


• #84
Originally posted by Sonadow:
You are already misunderstanding me. I said that the professor and his undergrads introduced malicious commits into the kernel and yet some of the kernel reviewers found that a few of these malicious commits had the unexpected effect of actually solving real bugs. How messed up can the kernel be that malicious commits end up fixing issues?

Well, if I were to attempt to put malicious code into something, my first instinct would be to find actual problems and fix them to establish credibility, and perhaps include an additional innocuous "fix" with a subtle bug in it...


• #85
Originally posted by set135:
Well, if I were to attempt to put malicious code into something, my first instinct would be to find actual problems and fix them to establish credibility, and perhaps include an additional innocuous "fix" with a subtle bug in it...

Yah, this is basically exactly what they were doing; they discuss this concept and approach in the paper that the prof published.

Honestly, our whole western education system needs a major reset.


• #86
Well. At least they're not studying school massacres or the problem with rapes on campus or something like that. That would be _really_ scary.


• #87
Originally posted by indepe:
What kind of research requires them to do this more than 200 times?

You need a big enough sample size so it cannot be said to be a fluke error. I would guess they were aiming for over 1000 times at least. Of course, the danger of causing a major screw-up with this kind of research should have had it stopped at the board of ethics, as these things are dangerous. Yes, needing a broad sample size meant taking a high risk of getting an adverse response from Linux kernel developers.

Originally posted by jo-erlend:
Well. At least they're not studying school massacres or the problem with rapes on campus or something like that. That would be _really_ scary.

Before universities started mandating boards of ethics, there were studies of the effect of rape, with intentional rapes on some university campuses of female students who were about to fail out of a course. So, horribly, rapes on campus have been studied that way a long way back. No one was nuts enough to do school massacres as far as I know; I could be wrong, but I hope not. Of course, a well-functioning board of ethics is meant to stop these levels of stupidity in their tracks.


• #88
Originally posted by pmorph:
I'd like to see that. Companies backing up those cries also need to explain how injecting vulnerabilities into their products is a good thing.

Horribly, there is a valid company reason to add bugs.
https://en.wikipedia.org/wiki/Bebugging
Yes, it's called the bebugging process, where you intentionally add bugs to beta products that testers should report if they are doing the testing they are being paid to do.

Of course, you are not meant to do this to final production code, or without the knowledge of those making final production code.

pmorph, there are valid and legal reasons to do almost anything. The process the university was doing would not have been a problem legally with maintainer approval, but it was without approval. Something like "could I have this pile of known defective patches put into the Linux kernel next branch to check out the detection and testing rate, with the kernel developers knowing these patches have to be removed before production releases" would have been bebugging. This could be used to detect areas in the Linux kernel tree that are not getting regular testing. Of course, selling this to the Linux kernel maintainers would be an uphill battle.

Remember, you can do almost anything legally and above board; it just requires more paperwork, agreements and consideration of risks. Or you can do what the university here did: take the easy way out and do something illegal, because you don't have the correct agreements and consideration of risks in place to control the risk.

Yes, beta test software having a 90-day functionality time-out added is one of the risk mitigations when doing bebugging, so even if a security fault is added by the bebugging, in 90 days the fault should no longer be in the wild to be exploited, and this is generally faster than attackers can find a fault and create the tools to take advantage of it. Consideration of risk and the required mitigation is not present in this university's study or any of the actions they have been doing.


• #89
Originally posted by indepe:
What kind of research requires them to do this more than 200 times?

To know the percentage of the malicious commits that get caught.


• #90
Will this have an impact on the current 5.12 release plan?