Be sure to follow us on Google News!
We do often include affiliate links to earn us some pennies. See more here.

Linux Kernel dev bans University of Minnesota for sending malicious patches

By -

Here is your daily dose of WTF. Linux Kernel developer Greg Kroah-Hartman has called out "researchers" from the University of Minnesota and banned them from submitting code to the Linux Kernel.

This story is pretty wild and completely ridiculous. In the name of some apparent research and a written paper titled, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits", the people involved have now been called out on "sending known-buggy patches to see how the kernel community would react to them".

Part of it goes further, as patches have continued to roll in after the paper was published so they are "continuing to experiment on the kernel community developers by sending such nonsense patches" with the patches not actually doing anything at all. Kroah-Hartman certainly wasn't holding back:

Our community does not appreciate being experimented on, and being "tested" by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.

Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.

In a further post Kroah-Hartman sent in a patch to revert a bunch of changes done from the group, so they can go over them fully to ensure they're safe and actually do something.

From a certain point of view, it's nice to know that the Kernel team are good at picking up malicious code and attempts to introduce bugs - but doing this to such a huge important project, live and in the open in the name of research? That's just not right.

Update: so the plot thickens it seems! Sarah Jamie Lewis, the Executive Director of Open Privacy, pointed out on Twitter (be sure to read the thread) that they and others expressed concerns about it in 2020 in a co-signed letter to the IEEE S&P (IEEE Symposium on Security and Privacy). It really doesn't look good.

Update 2: Leadership in the University of Minnesota Department of Computer Science & Engineering department released a statement on Twitter, noting that it has suspended the research and will be looking into how it got approved in the first place.

Article taken from GamingOnLinux.com.
Tags: Kernel, Misc
39 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
Some you may have missed, popular articles from the last month:
The comments on this article are closed.
43 comments
Page: «2/5»
  Go to:

Mohandevir Apr 21, 2021
View PC info
Quoting: Alm888
Quoting: MohandevirSo, following that logic, we are better served with closed source proprietary code that got well know unpatched and exploited flaws for years... Yeah right!

Edit: Wondering who paid for this non-sense "research"? Could we follow the money, please?
What mind-bending yoga has made you to come to this conclusion? Since when prohibiting "scientific" rm -rf /* patches leads to "closed source proprietary code" propaganda?
There are other means of code audition/inspection/scrutiny than willful injection of malicious code into working industry-level software possibly managing critical infrastructure objects like hospitals, nuclear power plants, stock exchange servers or ship navigation systems.
It is all joy and games only until someone gets killed due to this kind of "research".

You are probably right it's probably just this:

Quoting: LoftyEveryday we step closer to the brink of idiocracy.

I tend to give too much credit to some people...

Edit: Still... What I don't understand is that the Minnesota University gave it a "Go!"? How come?!


Last edited by Mohandevir on 21 April 2021 at 6:11 pm UTC
TheSHEEEP Apr 21, 2021
View PC info
  • Supporter Plus
Daily WTF worthy, indeed.
redneckdrow Apr 21, 2021
View PC info
Good grief, now the script-kiddies are coming from actual accredited universities with ~49,000 students! Is this really what the world has come to? Lord, I hope not.

This should be added to UMN's Wikipedia page, it's egregious enough!
jens Apr 21, 2021
  • Supporter
I hope those kids and especially their mentors at that university will never get again a food down in IT. I have really no understanding for this "supposed to be innocent" behavior.
Cyril Apr 21, 2021
View PC info
Just WTF. It's not funny, I can't see this as a serious work of research, it's just plain stupid.
What did they thought? That the Kernel is widely open to everyone who can write anything without verification?
#Facepalm
seanbutnotheard Apr 21, 2021
View PC info
  • Supporter
This is a pretty ridiculous way to test the Linux community, but also shows that the kernel devs need to stay top of their game... just imagine what could happen when (not if) malicious code does slip through the review process. (Reminds me a bit of the so-called "Grievance studies affair").
Liam Dawe Apr 21, 2021
View PC info
  • Admin
The plot thickens and it's not good on the side of the researchers: https://twitter.com/SarahJamieLewis/status/1384871385537908736

It was condemned ethically back in 2020, seems they didn't care enough.
wvstolzing Apr 21, 2021
View PC info
Another 'experiment' was conducted on PyPi earlier this year: https://www.theregister.com/2021/03/02/python_pypi_purges/ — not as spectacularly stupid & irresponsible as the one on kernel devs, though.
wvstolzing Apr 21, 2021
View PC info
Quoting: Liam DaweThe plot thickens and it's not good on the side of the researchers: https://twitter.com/SarahJamieLewis/status/1384871385537908736

It was condemned ethically back in 2020, seems they didn't care enough.

I don't understand all the details in that thread, but as someone in academia (in a field unrelated to CS), my heart sinks once again to see the lengths that people will go to, to churn out a few more papers, & inflate their CVs by a couple more lines.

Inventing clever ways to waste other people's time to advance one's career is a vital skill in today's academia.
Liam Dawe Apr 21, 2021
View PC info
  • Admin
Update 2: Leadership in the University of Minnesota Department of Computer Science & Engineering released a statement on Twitter, noting that it has suspended the research and will be looking into how it got approved in the first place.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
The comments on this article are closed.
★ Support Us
Popular this week
Search or view by category
Contact
Buy Games
Buy games with our affiliate / partner links:
Latest Comments
Latest Forum Posts
Misc