The most effective response would be to write a letter of complaint to their University Department’s Research Ethics Committee. These committees exist precisely to stop scenarios like this and they have the internal power to make life unpleasant for the rogue researchers. (I am assuming they did not get ethics committee approval.)
Announcement
Collapse
No announcement yet.
University of Minnesota Linux "Hypocrite Commit" Researchers Publish Open Letter
Collapse
X
-
Originally posted by coder View PostExcept not entirely, because they didn't go through the full process to get the change merged in.
More importantly, they were use-after-free bugs, rather than backdoors. Still bad, but as we all know that bugs sometimes creep into the kernel, it's not surprising that someone deliberately trying to hide them is able to do so.
They explain this in their paper, which I checked specifically to see how far the faithless patches actually got.
That was only the ones they mention in their paper. Other ones were not use after free but adding items that have performance effects.
There are more than 1 way to create a backdoor in a system.
Except not entirely, because they didn't go through the full process to get the change merged in. <<
This bit is important this means all the automated tools around the Linux kernel from Intel and others did not kick in and check their patches either. So they were only testing the human part of the Linux kernel many eyes not the automated tools part of the many eyes.
There is a important reason why the head maintainers need to be informed its not uncommon for someone to see some else patch then improve on it and then submit it themselves. They had the stupid idea there was no risk if they did not push their defective alterations all the way though. The Linux kernel maintainer know way better than that.
No matter how you look at these guys started messing with a system they don't understand and are most likely getting really shocked at how the Linux system is responding to them and how little they understood. Yes there is a case that one of their patches from the first paper had another developer pick it up and modify it and submit it without their knowledge completely to be picked up by the automated tools when he submitted it as defective.
If anything proper study of what happened to their patches from their first paper lead to to understand why the Linux kernel maintainers are pissed. They had no clue how dangerous what they were doing was and the planned controls in the paper if something went wrong were not going to work.
Intentionally introducing a bug in the Linux development process with the idea that you can decide if it enters mainline or not is foolishness to the extreme.
Only safe guard that is some what able to work is the Linux kernel 3 lead maintainers. Please note I said some what. Think of Ubuntu and its customised kernel or a android device with soc vendors customised kernel. Yes there are Linux kernel in use that contain patches cherry picked from the Linux kernel mailing list that have not been though the complete mainline Linux validation process.
The punishment for putting known unsafe patches in the Linux kernel mailing list can be quite extreme because there is insane amount of risk.
- Likes 1
Comment
-
Originally posted by cynical View PostThis letter is obviously fake. If you don’t have the common sense to realize that surreptitiously submitting bugs for inclusion into the Linux kernel was a bad thing, then certainly you don’t have the capacity to feel sorry for doing it.
This is clearly a last ditch attempt to prevent the ban and patch reversion from taking place. All patches from them should be pulled. If there are real bugs, then investigate them and write new patches. This group is not trustworthy.
- Likes 1
Comment
-
Originally posted by ddriver View PostHonestly, I'd be OK if I catch someone with a bottle of vodka in his coat, as long as it is wrapped with a printed paper that ahead of time clarifies this is just a test and the vodka would be returned if the attempt at theft was successful.
There are situations that are morally grey, but this one is very much black and white, what the "researchers" did was criminal, plain and simple.
- Likes 1
Comment
-
I believe their apology and intent was genuine and I doubt this will happen again. Moreover, it was done to prove a point - which they did, and we could learn from it. If there was any ban instituted against them, it ought to be removed.
Comment
-
Originally posted by MartinN View PostI believe their apology and intent was genuine and I doubt this will happen again. Moreover, it was done to prove a point - which they did, and we could learn from it. If there was any ban instituted against them, it ought to be removed.
Remember these guys are students working to PHD or have PHD doing masters so they have their BA already so in theory if the University courses have been structured right they should have known better without question and never tried this. The fact they tried is a failure of the University how many more of their students have not been trained correctly.
This is not like some non qualified hacker working for security company doing stupid research. This is qualified people doing stupid research with qualifications that they should have known better. Yes if they had learnt correctly in their qualifications they would not need to-do apology now.
This is a case the university need give apology with statement in how their courses are going to change so they don't generate more people with this problem. Heck this could be a mandatory class for all existing students and free online course for prior students to attempt to clean up the mess.
- Likes 3
Comment
-
Originally posted by MartinN View PostI believe their apology and intent was genuine and I doubt this will happen again. Moreover, it was done to prove a point - which they did, and we could learn from it. If there was any ban instituted against them, it ought to be removed.
- Likes 2
Comment
Comment