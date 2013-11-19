from the just-kidding dept.
Last week, senior Linux kernel developer Greg Kroah-Hartman announced that all Linux patches coming from the University of Minnesota would be summarily rejected by default.
This policy change came as a result of three University of Minnesota researchers—Qiushi Wu, Kangjie Lu, and Aditya Pakki—embarking on a program to test the Linux kernel dev community's resistance to what the group called "Hypocrite Commits."
[...] The trio's scheme involved first finding three easy-to-fix, low-priority bugs in the Linux kernel and then fixing them—but fixing them in such a way as to complete what the UMN researchers called an "immature vulnerability":
[...] The three researchers would then email their Trojan-horse patches to Linux kernel maintainers to see if the maintainers detected the more serious problem the researchers had introduced in the course of fixing a minor bug. Once the maintainers responded to the submitted patch, the UMN researchers pointed out the bug introduced by their patch and offered a "proper" patch—one that did not introduce a newly exploitable condition—in its place.
Lu, Wu, and Pakki published their findings in February at the 42nd IEEE Symposium on Security and Privacy.
[...] Last week, in response to these "Hypocrite Commits," senior Linux kernel dev Greg Kroah-Hartman reverted 68 patches submitted by folks with umn.edu email addresses. Along with reverting these 68 existing patches, Kroah-Hartman announced a "default reject" policy for future patches coming from anyone with an @umn.edu address.
[...] This Saturday, the UMN research team apologized to the Linux community via an open letter posted to the Linux Kernel Mailing List. The nearly 800-word open letter comes across as more "wait, you don't understand" than apology:
[...] Kroah-Hartman acknowledged the letter Sunday but was clearly less than impressed:
(Score: 0) by Anonymous Coward on Tuesday April 27, @11:30PM
Fool me once, shame on you
Fool me twice, shame on me
(Score: 2) by Freeman on Tuesday April 27, @11:32PM (1 child)
The problem is that they weren't doing this with the Linux Kernel team's blessing. It's one thing to run security audits, it's another to do so without the permission of the project team/company/etc.
Example of how things can go wrong, even when you're pretty sure you're doing something that's okay: (Not exactly the same situation, but close enough.)
How a Turf War and a Botched Contract Landed 2 Pentesters in Iowa Jail [soylentnews.org]
(Score: 0) by Anonymous Coward on Wednesday April 28, @12:18AM
But it does raise the question of what other "contributions" may have been accepted and may be lurking in the code.
These id-10-Ts came 'clean', even though worldwide any mention of this Uni on a resume will be a red flag for a long, long time to come.
Genuine bad actors would not turn around and report in, and would ensure they are well hidden, infiltrating a trusted source of patches if possible.
(Score: 2, Insightful) by anubi on Tuesday April 27, @11:48PM (1 child)
This was no accident.
It was premeditated sabotage.
This stigma will follow the University of Minnesota for a long time. Who will trust a graduate of this institution?
Trust is earned and easily destroyed. Talk to any ex-con about ever regaining a position of trust. At a bare minimum, I would expect the University to expel all involved, cancel all credits earned, force retirements if staff are involved, and enter all details in their permanent record, in order for the University itself to try to wash its hands of this.
Stuff like this stinks of the highest order. This is far more serious than a crime against governments (i.e. treason); this is a crime against the whole planetary public.
(Score: 2) by RamiK on Wednesday April 28, @12:44AM
Instead of complaining about the finger-pointing boy, complain about the ass naked king running around parading his royal jewels for all to see.
Fact of the matter is, they've proven the kernel review process isn't adequate in dealing with bad actors and is in dire need of adversarial reviewers that are paid for finding actual bugs, as opposed to maintainers that get their money for releasing on time.
(Score: 0, Disagree) by Anonymous Coward on Wednesday April 28, @12:19AM
Could have been the bigger man about it but holding a grudge is cool, too.