University of Minnesota Linux "Hypocrite Commit" Researchers Publish Open Letter

  • #41
    Originally posted by alcalde:

    No, there is supposed to be an approval process for research to be conducted as well as a code of ethics for research, etc. There should have been a faculty sponsor, etc. Who approved this research topic? How much help was there from faculty members? Did no one really know what these students had planned? Did anyone care? There are a lot of questions here.
    So are you saying that it is not a viable research field to determine if there are possibilities to establish viable attack vectors by means of code contribution?

    Why not prevent .... say vehicle safety inspection tests from doing anything that the vehicle manufacturer hasn't authorized explicitly?

    And you don't see how this might defeat the purpose of the study?

    The real "crime" here is not what they did but that they were overly lousy and superficial with it. It doesn't even amount to making an effort, and as such, actually constitutes very little danger... if any...

    At worst, this is nothing more than some spam that some people are getting paid to filter through. It is nothing exceptional, it is a part of our contemporary daily reality.
    Last edited by ddriver; 25 April 2021, 03:18 AM.



    • #42
      Originally posted by ddriver:

      So are you saying that it is not a viable research field to determine if there are possibilities to establish viable attack vectors by means of code contribution?
      The research is valid, but the method they used was illegal. They needed to get permission from Linus, or someone at that level of the project.

      Same as if you decide to try to test the security of your local grocery store. When you're caught with the vodka bottle in your coat, you need a piece of paper authorising you to be doing the act.

      In any case, there are thousands of known bugs that have been introduced into the kernel, with full documentation and history. There is no obvious academic justification for trying to add one new one, even with permission. It even fails the scientific method - you'd need to add a dozen patches, with different approaches, to see what gets caught and what doesn't.



      • #43
        Originally posted by ddriver:
        Universities are not daycare centers. Nobody should expect any institution to scrutinize each and every action of each and every of members. There is supposed to be personal accountability at the final stage before each and every action is committed..
        The reality here is that the same students were involved in a prior reported problem. Universities do have the right to dismiss students for breach of ethics. If it is the case that a problem has been reported and the University has failed to correct it, then yes, it's time to ban the University. Universities are meant to supervise/punish their students correctly; failure to do so results in the University being banned.

        The first paper was really seriously wrong, and in a lot of ways the students and supervisors should still have been on probation, not allowed open internet access to do the next 200.

        I agree they don't need to scrutinise every action, but they do need to take it very seriously when a party has been caught doing the wrong thing, and possibly scrutinise every action of someone who has been caught doing something wrong until they prove they are not going to repeat the same stupidity.



        • #44
          Originally posted by OneTimeShot:

          The research is valid, but the method they used was illegal. They needed to get permission from Linus, or someone at that level of the project.
          Sorry, but that's not even remotely unlaughable.

          If it was a criminal action, that's subject to the justice system, not the linux foundation. And if you want a quality inspection, the element of surprise is essential.

          Are they pressing criminal charges against a select group of individuals responsible, are they launching a lawsuit, or are they resorting to a blanket ban, an action about as stupid as the reason that prompted it in the first place?


          When you're caught with the vodka bottle in your coat, you need a piece of paper authorising you to be doing the act.
          I am not sure if that is the case. For example, you can even commit a citizen's arrest without explicit authorization, which I dare say is more severe than testing whether or not you can pocket a bottle of alcohol.

          Honestly, I'd be OK if I catch someone with a bottle of vodka in his coat, as long as it is wrapped with a printed paper that ahead of time clarifies this is just a test and the vodka would be returned if the attempt at theft was successful.

          Naturally, I also distinguish between one time occurrences and someone figuring this could be used as a common alibi.

          I don't really see this as any more harmful than, say, the practice of intelligence agencies selling shiploads of usable weapons to criminals so they can "trace" them. And hey, nobody banned the CIA for doing it, over and over again, over the course of many years.

          This situation is a victimless transgression; the effort was nowhere near doing any actual harm.

          It is not worse than the undoubtedly countless instances of code, useful and sophisticated enough to actually hide backdoors in plain sight, which remain unbanned, with their contributions flowing, just because they do have actual nefarious intent and expend enough effort to do it right.
          Last edited by ddriver; 25 April 2021, 03:47 AM.



          • #45
            Originally posted by ddriver:
            If it was a criminal action, that's subject to the justice system, not the linux foundation. And if you want a quality inspection, the element of surprise is essential.

            Are they pressing criminal charges against a select group of individuals responsible, are they launching a lawsuit, or are they resorting to a blanket ban, an action about as stupid as the reason that prompted it in the first place?
            To be clear. Yes, it is a criminal act under law (as far as I can tell - IANAL).

            They probably wouldn't go to jail, but they would be found guilty and probably be made to pay a few hundred dollars in costs. It will result in them having a record.

            That their University Ethics board didn't spot this is ridiculous.



            • #46
              Originally posted by ddriver:
              Well, those commits came from Earth, so I guess banning the entire planet from contributing is more or less in the same ballpark with banning an entire university over what a couple of morons did.
              You're missing the point. The maintainer is now faced with a problem that a number of bad-faith commits have come from various umn.edu addresses. He knows something bad is going on there, but he doesn't know the entire set of people who are involved, and he doesn't want to risk accepting any more nefarious commits. So, banning all umn.edu commits would provide some measure of protection from further mischief by those individuals. It's far from fool-proof, since they could presumably switch to alternate addresses.

              The other obvious function it serves is as a lever to spur action by UMN faculty, staff, and students against the group perpetrating the nefarious commits. Further, it serves as a warning to others that such activities may be dealt with harshly.

              If you stop and think about it, for a minute, sending such a message is quite a sensible tactic. Obviously, it'd be bad if he follows through on a complete revert and ban of all UMN commits, but issuing the threat does make a lot of sense.



              • #47
                Originally posted by OneTimeShot:
                To be clear. Yes, it is a criminal act under law (as far as I can tell - IANAL).
                So, you are not a lawyer, and you provide no viable source for your claim, which by process of elimination means you are a psychic.

                You are clearly intrinsically, immutably and indisputably competent and correct on the subjects of, amongst everything else, explicitly - law, technology and ethics.

                I do hope them pesky criminals get their heads on spikes, that will surely teach future offenders to know better.


                Also, quite a lot of "bad faith" mentions here - that doesn't seem correct IMO. Bad faith could be the case only if there was nefarious intent. Did they have a criminal motive to do what they did?

                To test whether something is vulnerable in order to inform the party responsible for addressing that if it was the case - that is not bad faith, it is good faith... if there is even such a thing.
                Last edited by ddriver; 25 April 2021, 04:11 AM.



                • #48
                  Originally posted by ddriver:

                  So, you are not a lawyer, and you provide no viable source for your claim, which by process of elimination means you are a psychic.
                  Well... I don't need to be a lawyer to suspect that there is some kind of law against deliberately injecting security vulnerabilities into a software project. In the UK there's the misuse of computers act, which is pretty broad. I suspect that if the Kernel developers wanted to press charges, they'd be within their rights.

                  From the rest of what you wrote, I take the ad-hominem attacks to be an admission that you are wrong.



                  • #49
                    Originally posted by OneTimeShot:

                    Well... I don't need to be a lawyer to suspect that there is some kind of law against deliberately injecting security vulnerabilities into a software project. In the UK there's the misuse of computers act, which is pretty broad. I suspect that if the Kernel developers wanted to press charges, they'd be within their rights.

                    From the rest of what you wrote, I take the ad-hominem attacks to be an admission that you are wrong.
                    Except that they did not inject anything. They put something that could not possibly pass inspection on the inspection line. And if this thing got merged and caused damage, it would be the product of reviewer and maintainer incompetence and failure to do their job at a proper level.

                    If you consider sarcastically pointing out the act of you over-dramatically making stuff up and claiming it to be morally and legally correct as an ad-hominem attack, in order for you to find an excuse to disregard a countering opinion so you can continue living with your current self rather than take a lesson - knock yourself out. Whatever helps you sleep at night.

                    I didn't mean to offend you, I just went for stooping to your level, since discussing from mine appears to whoosh a bit too much.
                    Last edited by ddriver; 25 April 2021, 04:13 AM.



                    • #50
                      Originally posted by ddriver:
                      If you consider sarcastically pointing out the act of you over-dramatically making stuff up and claiming it to be morally and legally correct as an ad-hominem attack, in order for you to find an excuse to disregard a countering opinion so you can continue living with your current self rather than take a lesson - knock yourself out. Whatever helps you sleep at night.
                      Yes - what you wrote is a childish way of admitting you are wrong (in my experience).

                      My only point is: they did something without written permission that looks an awful lot like something the FBI sometimes investigates. That wasn't smart on the part of their Ethics board.
