Linus Torvalds Responds to Linux Banning University of Minnesota

Hello Everybody,

I am still trying to understand the reason 'why' would anyone even want to do this ?

Here is some context: https://portswigger.net/daily-swig/ill-advised-research-on-linux-kernel-land...

And follow up from Linus himself: https://www.tomshardware.com/news/linus-torvalds-responds-to-linux-banning-u...

I am also thinking if these two guys actually managed to do this they should be part of the community responsible for linux security ? Or we just hang them high and pour honey all over them and set loose bees and wasps on them ?

I am torn two ways. My heart says shoot them. My brain says hire them ? Sigh...

Just thought everyone would want to know so sharing :-)

Aruna

It is EVIL to represent yourself as something you are not. I am sure there are many who would like to see the operating system which drives the Internet FAIL on a desperate and massive scale. It is EVIL to knowingly sabotage open source in this manner.

I hope and wish that ALL Open Source Programmers BAN University of Minnesota for LIFE.

I am sure that there are many Nation States or LARGE corporations that have, in the past, infiltrated many open source projects in this same fashion and I am sure that they are all EVIL for the damage and destruction they cause to human freedom on a planetary scale. Deception, power, control and narcissism.

Hire these types of people? Hell No! They, and their institution, are now known worldwide for being ethically challenged.

On Sat, 24 Apr 2021 11:55:00 -0400 Aruna Hewapathirane via talk <talk@gtalug.org> wrote:
Hello Everybody,
I am still trying to understand the reason 'why' would anyone even want to do this ?
Here is some context: https://portswigger.net/daily-swig/ill-advised-research-on-linux-kernel-land...
And follow up from Linus himself: https://www.tomshardware.com/news/linus-torvalds-responds-to-linux-banning-u...
I am also thinking if these two guys actually managed to do this they should be part of the community responsible for linux security ? Or we just hang them high and pour honey all over them and set loose bees and wasps on them ?
I am torn two ways. My heart says shoot them. My brain says hire them ? Sigh...
Just thought everyone would want to know so sharing :-)
Aruna

| From: Aruna Hewapathirane via talk <talk@gtalug.org>

Thanks for pointing this out. (I used to subscribe to the LKML but it just got too voluminous.)

| I am still trying to understand the reason 'why' would anyone even want to
| do this ?

The first question is "what, exactly, is 'this'?".

I've ONLY read media reports and their recent apology. So I'm not the most informed.
<https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>

Some reactions.

The apology starts with:

"We sincerely apologize for any harm our research group did to the Linux kernel community."

This common formulation rubs me the wrong way. The word "any" means that they are not actually admitting to there being harm. If they had used "the" or "all", I would interpret it as a genuine apology.

Later they seem more contrite. But it is buried at the end of a paragraph, near the end of the message:

"We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps."

I think that they may have done the communities a service. This kind of weakness injection has always been available to bad actors. In this case, it was an actor intending to do good.

- they don't think that they actually added a vulnerability
- they demonstrated how adding a vulnerability could be done

GKH appears to have over-reacted. (I may be wrong: he's always seemed like a rock-steady guy.) He's reverting 190 commits that were not declared to be part of this experiment. It is claimed, in the apology, that those ones were done in good faith.

I do find it odd that the "research" was done last August but that the hoax was only revealed recently.

Looking more closely at a claim in the apology message:

* This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper.

What "message board"? Do they mean the Linux Kernel Mailing List (not a message board)? What does "stopped" actually mean? My understanding was that these changes were actually committed. Perhaps I'm wrong.

This is intriguing:

* We understand the desire of the community to gain access to and examine the three incorrect patches. Doing so would reveal the identity of members of the community who responded to these patches on the message board. Therefore, we are working to obtain their consent before revealing these patches.

So there *must* be more disclosure. Until then, we cannot be satisfied.

On Sun, Apr 25, 2021 at 8:32 AM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
| From: Aruna Hewapathirane via talk <talk@gtalug.org>
Thanks for pointing this out. (I used to subscribe to the LKML but it just got too voluminous.)
| I am still trying to understand the reason 'why' would anyone even want to | do this ?
The first question is "what, exactly, is 'this'?".
I've ONLY read media reports and their recent apology. So I'm not the most informed. <https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>
Some reactions.
The apology starts with:
"We sincerely apologize for any harm our research group did to the Linux kernel community."
This common formulation rubs me the wrong way. The word "any" means that they are not actually admitting to there being harm. If they had used "the" or "all", I would interpret it as a genuine apology.
Later they seem more contrite. But it is buried at the end of a paragraph, near the end of the message:
"We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps."
I think that they may have done the communities a service. This kind of weakness injection has always been available to bad actors. In this case, it was an actor intending to do good.
- they don't think that they actually added a vulnerability
- they demonstrated how adding a vulnerability could be done
GKH appears to have over-reacted. (I may be wrong: he's always seemed like a rock-steady guy.)
As someone actually affected by these reverts :-). Greg KH did not overreact. These guys did not do the community a service. They did add vulnerabilities (those have been reverted since) and they did not tell us anything. I myself have left old code in the kernel when trying to get rid of some of my stuff. And I was not trying to inject a bug. They did not tell me anything I did not already know. It is easy to get bugs into the kernel. Let me link to the paper and their "contributions".

https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceIn...

--
VIII A

By its nature, OSS openly encourages contributors. Committers can freely submit patches without liability. We believe that an effective and immediate action would be to update the code of conduct of OSS, such as adding a term like “by submitting the patch, I agree to not intend to introduce bugs.” Only committers who agreed to it would be allowed to go ahead to submit the patches. By introducing the liability, the OSS would not only discourage malicious committers but also raise the awareness of potential introduced bugs for benign committers.
--

This is a mitigation. Have contributors claim they are not introducing bugs (at least intentionally).

The rest of the mitigations are equally bizarre. They are not telling us anything we don't know. There is nothing original in this work (except for the human experimentation aspect of it.)

Now let's talk about the negative impact. It is already hard enough to contribute to the linux kernel. It is built on trust. They have destroyed any trust we had in code coming from UMN. How do we know we are not being experimented on for research? Like Greg pointed out, it is much easier for us to ignore all their stuff. I don't have enough seconds in my minute to get my day job done. On top of that, any newcomer will have to face a much higher bar, making it even more hostile. (I actually see it as a negative, because it is easier to ignore the newcomer as opposed to doing the extra work. And generally most newcomers with some work turn out to be darn good contributors.) It will make it harder to look at non-corporate contributions seriously.

And as far as UMN is concerned, this is not the first time they have been involved in questionable experiments. The last time had much more serious consequences. https://en.wikipedia.org/wiki/Death_of_Dan_Markingson

Dhaval

I know some people may think this is an over-reaction. But FWIW, I agree with the Zero Tolerance approach.

On Sun, Apr 25, 2021 at 12:08 PM Dhaval Giani via talk <talk@gtalug.org> wrote:
As someone actually affected by these reverts :-). Greg KH did not over react. These guys did not do the community a service. They did add vulnerabilities (those have been reverted since) and they did not tell us anything. I myself have left old code in the kernel when trying to get rid of some of my stuff. And I was not trying to inject a bug. They did not tell me anything I did not already know. It is easy to get bugs into the kernel. Let me link to the paper and their "contributions".
https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceIn...

--
VIII A

By its nature, OSS openly encourages contributors. Committers can freely submit patches without liability. We believe that an effective and immediate action would be to update the code of conduct of OSS, such as adding a term like “by submitting the patch, I agree to not intend to introduce bugs.” Only committers who agreed to it would be allowed to go ahead to submit the patches. By introducing the liability, the OSS would not only discourage malicious committers but also raise the awareness of potential introduced bugs for benign committers.
--

This is a mitigation. Have contributors claim they are not introducing bugs (at least intentionally).
The rest of the mitigations are equally bizarre. They are not telling us anything we don't know. There is nothing original in this work (except for the human experimentation aspect of it.)
Now let's talk about the negative impact. It is already hard enough to contribute to the linux kernel. It is built on trust. They have destroyed any trust we had in code coming from UMN. How do we know we are not being experimented for research? Like Greg pointed out, it is much easier for us to ignore all their stuff. I don't have enough seconds in my minute to get my day job done. On top of that, any new comer will have to face a much higher bar, making it even more hostile. (I actually see it as a negative, because it is easier to ignore the newcomer as opposed to doing the extra work. And generally most newcomers with some work turn out to be darn good contributors.) It will make it harder to look at non corporate contributions seriously.
And as far as UMN is concerned, this is not the first time they have been involved in questionable experiments. The last time had much more serious consequences. https://en.wikipedia.org/wiki/Death_of_Dan_Markingson
Dhaval

On 4/25/21 1:46 PM, Aruna Hewapathirane via talk wrote:
On Sun, Apr 25, 2021 at 12:46 PM Ansar Mohammed via talk <talk@gtalug.org> wrote:
I know some people may think this is an over-reaction. But FWIW, I agree with the Zero Tolerance approach.
Zero Tolerance allows one to live. They need to be shot !
How about something like a go-fund-me kind of service that distributes the money to the successful contract killer?

I am sure something can be done over a blockchain.

If we could add in spammers I would be most happy.

--
Alvin Starr                ||   land: (647)478-6285
Netvel Inc.                ||   Cell: (416)806-0133
alvin@netvel.net           ||

On Sun, Apr 25, 2021, 11:27 AM Alvin Starr via talk <talk@gtalug.org> wrote:
How about something like a go-fund-me kind of service that distributes the money to the successful contract killer?
I am sure something can be done over a blockchain.
If we could add in spammers I would be most happy.
Please don't even joke about that. I have friends who have received death threats (on email and phone) and it is not the slightest bit funny.

Dhaval

On Sun, Apr 25, 2021 at 3:07 PM Dhaval Giani via talk <talk@gtalug.org> wrote:
Please don't even joke about that. I have friends who have received death threats (on email and phone) and it is not the slightest bit funny.
Dhaval
I will take responsibility for that Dhaval. My use of the term 'shoot' possibly caused Alvin to respond in the manner he did. So I humbly withdraw all prior 'shoot' statements and we will allow them to live. I also learned a very valuable lesson, what we say or write can cause unexpected reactions in passionate and dedicated folk ? So let them live with what they have done. We sleep peacefully at night, can they ?

On 2021-04-25 3:07 p.m., Dhaval Giani wrote:
Please don't even joke about that. I have friends who have received death threats (on email and phone) and it is not the slightest bit funny.
The comment was meant in jest and I did not mean to offend and for that I am truly sorry. You are correct in that threats of harm or death are not funny.

On 2021-04-25 2:27 p.m., Alvin Starr via talk wrote:
How about something like a go-fund-me kind of service that distributes the money to the successful contract killer?
I am sure something can be done over a blockchain.
If we could add in spammers I would be most happy.
Absolutely nauseating. Shocking and horrifying. "Zero tolerance" means at the very least, that advocating murder is cause for immediate and permanent banning from this list, is it not? No, Toronto does not have the prevalence of firearms in the hands of people who casually say they want people shot or the people who casually agree with them, but our cousins to the south are an extremely important lesson that we do not want to emulate.

On Mon, 26 Apr 2021 10:03:50 -0400 El Fontanero via talk <talk@gtalug.org> wrote:

<snip lotsa really cool stuff here>
How about something like a go-fund-me kind of service that distributes the money to the successful contract killer?
I am sure something can be done over a blockchain.
If we could add in spammers I would be most happy.

Absolutely nauseating. Shocking and horrifying. "Zero tolerance" means at the very least, that advocating murder is cause for immediate and permanent banning from this list, is it not? No, Toronto does not have the prevalence of firearms in the hands of people who casually say they want people shot or the people who casually agree with them, but our cousins to the south are an extremely important lesson that we do not want to emulate.
who said anything about firearms/guns? most contract killers I see on movies use poison, some have a stringy type thingy where they hook it over the victims heads, others use a knife (apparently killing is then more personal or enjoyable - go figure, there are so many really and truly weird people out there...) I saw a movie the other day where the evil people placed the to be killed victim in a box with spikes... YIKES!! and, anyway, as I understand the original post, it is intended as humour, okay, well I guess you have to be weird like me to read is as such? or is this thread now truly in the weeds?

On Mon, Apr 26, 2021 at 10:03 AM El Fontanero via talk <talk@gtalug.org> wrote:
On 2021-04-25 2:27 p.m., Alvin Starr via talk wrote:
How about something like a go-fund-me kind of service that distributes the money to the successful contract killer?
I am sure something can be done over a blockchain.
If we could add in spammers I would be most happy.
Absolutely nauseating. Shocking and horrifying.
Did you follow this thread from the very beginning ? If you did you would have seen my first thoughts were:

"I am torn two ways. My heart says shoot them. My brain says hire them ? Sigh..."

That being clarified, interpretation of what is said ( in this case what was written ) may not necessarily be correct from what was meant and intended ? No one advocated for what you suggested and I personally find the term distasteful.

Let me give you a clear and precise example so there is no doubt. When I said They need to be shot, you interpreted that in a manner that suggests death ? What if I exercise my freedom of choice and opinion and say but sir no-no I was saying they should be shot with the covid-19 vaccine ? See what I mean ? What is said or what is written and how it may be perceived or understood is relative. Yes I still say shoot them but if you really think I am going to grab a gun or firearm and go after them you need professional help.

Most of us in the 'community' are committed and hard working volunteers who do what we do because we believe in open source and the multitude of benefits that come with it so I for one was very pissed when I heard about this and said what I did but at no time do I wish any harm to anyone. I was angry and was letting out steam. Likewise Alvin said something in jest he was never serious.

What is Absolutely nauseating and Shocking and horrifying is the fact that two PhD students from a highly respected academic research institute would do this. Linux if you did not know now runs on most everything under the sun. Imagine this 'bug' or 'vulnerability' is exploited and the system is on a motor vehicle that is on the 401 or even better 407 express way ? What do you think will happen to the person driving when the control systems and mechanisms fail ? Is that not murder ? Likewise many hospitals use linux based systems for support and analysis imagine what would happen if a patient on a ventilator has a bug hit ? What would you call that ?

What is Absolutely nauseating. Shocking and horrifying is what some folk will do for personal gain and recognition with absolute and utter disregard for possible negative impacts from their actions on the entire community.
"Zero tolerance" means at the very least, that advocating murder is cause for immediate and permanent banning from this list, is it not?
It would be so easy to ban someone. What is much more difficult to do is to engage them, inform and educate them and hopefully affect behaviour change that results in actions that benefit the community.

No, Toronto does not have the prevalence of firearms in the hands of people who casually say they want people shot or the people who casually agree with them, but our cousins to the south are an extremely important lesson that we do not want to emulate.

In 2018 which is 3 years back we had a higher homicide rate than New York. And we have more guns and weapons than you think. Ask yourself how many get shot on a daily basis here ? Wake up to reality my friend. Do some searching on Google :-) Here have a look: https://www.blogto.com/city/2018/06/toronto-homicide-rate-now-higher-new-yor...

Anyway I am moving on from this discussion. I felt it needed to be shared that is why I sent out the original email. If I said anything at anytime that has made anyone uncomfortable or think this man is advocating for and inciting sudden death I offer my humble and sincere apologies at no time was that the intention and no matter how mad or upset I may be will never be that simply because I do not prescribe to any acts of violence - period.

Peace to you all - Aruna

On 2021-04-25 1:46 p.m., Aruna Hewapathirane via talk wrote:
Zero Tolerance allows one to live. They need to be shot !
Please don't make death threats on the mailing list. They are people who are researchers who made some ill-advised decisions, nothing more.

The most worrying aspect for me is that the academic supervisor got the study exempted from an IRB review. IRBs review any research that involves human subjects and are supposed to filter out research that could be unethical or exploitative. Now that this affair is all public, UMN has called a halt to this research and their IRB has deemed that the work should have been reviewed by them all along.

I don't believe the rumours that the supervisor never submitted the research proposal to the IRB. I'm more concerned about how the supervisor may have attempted to get around the IRB for this (now) very obvious piece of social engineering.

cheers, Stewart

I am not sure I resonate. Why ban an entire university program for the actions of two students? It's like saying because one doctor abused his duties, we will not let anyone seek care from St. Michael's hospital ever again. Or for a more computer reference, Cloudflare's deciding I am a threat because I cannot solve their noninclusive captcha... they have a zero tolerance policy too.

On Sun, 25 Apr 2021, Ansar Mohammed via talk wrote:
I know some people may think this is an over-reaction. But FWIW, I agree with the Zero Tolerance approach.

On Sun, Apr 25, 2021, 12:07 PM Karen Lewellen via talk <talk@gtalug.org> wrote:
I am not sure I resonate. why banning an entire university program for the actions of two students? Its like saying because one doctor abused his duties, we will not let anyone seek care from St. Michael's hospital ever again.
Rephrasing. If you knew about a doctor abusing patients at a hospital and getting away with it, would you trust the hospital for your care or find another one? Well there is a doctor at that hospital who has given you excellent care in the past ( trust factor). So maybe you go to them then. It is the same here. The University broke the trust factor. The IRB failed to do its job.

Dhaval

Or for a more computer reference Cloudflare's deciding I am a threat because I cannot solve their noninclusive captcha..they have a zero tolerance policy too.
On Sun, 25 Apr 2021, Ansar Mohammed via talk wrote:
I know some people may think this is an over-reaction. But FWIW, I agree with the Zero Tolerance approach.
On Sun, Apr 25, 2021 at 12:08 PM Dhaval Giani via talk <talk@gtalug.org> wrote:
On Sun, Apr 25, 2021 at 8:32 AM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
| From: Aruna Hewapathirane via talk <talk@gtalug.org>
Thanks for pointing this out. (I used to subscribe to the LKML but it just got too voluminous.)
| I am still trying to understand the reason 'why' would anyone even
want to
| do this ?
The first question is "what, exactly, is 'this'?".
I've ONLY read media reports and their recent apology. So I'm not the most informed. <
https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC7...
Some reactions.
The apology starts with:
"We sincerely apologize for any harm our research group did to the Linux kernel community."
This common formulation rubs me the wrong way. The word "any" means that they are not actually admitting to there being harm. If they had used "the" or "all", I would interpret it as a genuine apology.
Later they seem more contrite. But it is buried at the end of a paragraph, near the end of the message:
"We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps."
I think that they may have done the communities a service. This kind of weakness injection has always been available to bad actors. In this case, it was an actor intending to do good.
- they don't think that they actually added a vulnerability
- they demonstrated how adding a vulnerability could be done
GKH appears to have over-reacted. (I may be wrong: he's always seemed like a rock-steady guy.)
As someone actually affected by these reverts :-). Greg KH did not over-react. These guys did not do the community a service. They did add vulnerabilities (those have been reverted since) and they did not tell us anything. I myself have left old code in the kernel when trying to get rid of some of my stuff. And I was not trying to inject a bug. They did not tell me anything I did not already know. It is easy to get bugs into the kernel. Let me link to the paper and their "contributions".
https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceIn...
-- VIII A
By its nature, OSS openly encourages contributors. Committers can freely submit patches without liability. We believe that an effective and immediate action would be to update the code of conduct of OSS, such as adding a term like "by submitting the patch, I agree to not intend to introduce bugs." Only committers who agreed to it would be allowed to go ahead to submit the patches. By introducing the liability, the OSS would not only discourage malicious committers but also raise the awareness of potential introduced bugs for benign committers.
--
This is a mitigation. Have contributors claim they are not introducing bugs (at least intentionally).
The rest of the mitigations are equally bizarre. They are not telling us anything we don't know. There is nothing original in this work (except for the human experimentation aspect of it.)
Now let's talk about the negative impact. It is already hard enough to contribute to the linux kernel. It is built on trust. They have destroyed any trust we had in code coming from UMN. How do we know we are not being experimented on for research? Like Greg pointed out, it is much easier for us to ignore all their stuff. I don't have enough seconds in my minute to get my day job done. On top of that, any newcomer will have to face a much higher bar, making it even more hostile. (I actually see it as a negative, because it is easier to ignore the newcomer as opposed to doing the extra work. And generally most newcomers with some work turn out to be darn good contributors.) It will make it harder to look at non-corporate contributions seriously.
And as far as UMN is concerned, this is not the first time they have been involved in questionable experiments. The last time had much more serious consequences. https://en.wikipedia.org/wiki/Death_of_Dan_Markingson
Dhaval

On Sun, Apr 25, 2021 at 12:08 PM Dhaval Giani via talk <talk@gtalug.org> wrote:
<snip>
Speak of the devil and he appears :-)

On Sun, Apr 25, 2021 at 11:32 AM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
| From: Aruna Hewapathirane via talk <talk@gtalug.org>
Thanks for pointing this out. (I used to subscribe to the LKML but it just got too voluminous.)
Hello Hugh, I never subscribed, I just read it now and then :-)
| I am still trying to understand the reason 'why' would anyone even want to
| do this ?
The first question is "what, exactly, is 'this'?".
I've ONLY read media reports and their recent apology. So I'm not the most informed. <https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC7...
Some reactions.
The apology starts with:
"We sincerely apologize for any harm our research group did to the Linux kernel community."
This common formulation rubs me the wrong way. The word "any" means that they are not actually admitting to there being harm. If they had used "the" or "all", I would interpret it as a genuine apology.
Later they seem more contrite. But it is buried at the end of a paragraph, near the end of the message:
"We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps."
I think that they may have done the communities a service. This kind of weakness injection has always been available to bad actors. In this case, it was an actor intending to do good.
- they don't think that they actually added a vulnerability
- they demonstrated how adding a vulnerability could be done
GKH appears to have over-reacted. (I may be wrong: he's always seemed like a rock-steady guy.)
He's reverting 190 commits that were not declared to be part of this experiment. It is claimed, in the apology, that those ones were done in good faith.
I do find it odd that the "research" was done last August but that the hoax was only revealed recently.
Looking more closely at a claim in the apology message:
* This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper.
What "message board"? Do they mean the Linux Kernel Mailing List (not a message board)?
What does "stopped" actually mean? My understanding was that these changes were actually committed. Perhaps I'm wrong.
This is intriguing:
* We understand the desire of the community to gain access to and examine the three incorrect patches. Doing so would reveal the identity of members of the community who responded to these patches on the message board. Therefore, we are working to obtain their consent before revealing these patches.
So there *must* be more disclosure. Until then, we cannot be satisfied.
I think the best person who is 'qualified' to answer these questions would be Dhaval? As he has code in the kernel and is the current Software manager at Oracle.
Aruna (Am thinking what have I started now ...)

On 4/25/21 11:32 AM, D. Hugh Redelmeier via talk wrote:
| From: Aruna Hewapathirane via talk <talk@gtalug.org>
Thanks for pointing this out. (I used to subscribe to the LKML but it just got too voluminous.)
| I am still trying to understand the reason 'why' would anyone even want to
| do this ?
The first question is "what, exactly, is 'this'?".
I've ONLY read media reports and their recent apology. So I'm not the most informed. <https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>
Some reactions.
The apology starts with:
"We sincerely apologize for any harm our research group did to the Linux kernel community."
If the zdnet report is to be believed then there was at least one attempt to insert code after being found out and asked to stop. https://www.zdnet.com/article/greg-kroah-hartman-bans-university-of-minnesot...
If the university was warned and took no action then it is perfectly reasonable for them to be blacklisted. Being blacklisted could affect the university's ability to draw in CS students and I wonder if they will try some kind of legal action to be allowed back in.
-- 
Alvin Starr || land: (647)478-6285
Netvel Inc. || Cell: (416)806-0133
alvin@netvel.net ||

| From: Alvin Starr via talk <talk@gtalug.org>
| If the zdnet report is to be believed then there was at least one attempt to
| insert code after being found out and asked to stop.
|
| https://www.zdnet.com/article/greg-kroah-hartman-bans-university-of-minnesot...

See: <https://lore.kernel.org/linux-nfs/20210407001658.2208535-1-pakki001@umn.edu/>

I don't think that Steven J. Vaughan-Nichols' interpretation is correct (it seems to be GKH's). If you look at the email exchange in question, the "attempt to insert code" was an attempt to submit a real bug-fix, not an attempt to add a bug. But:
- the fix was to a bug that didn't exist. Careful reading of the surrounding code shows that the problem addressed could not happen.
- it is hard to understand leaks and non-leaks, so this submission only shows that Pakki is not yet a good kernel programmer.
- it does not introduce a vulnerability

Here's the original function (from a perhaps different version of the kernel):

static void
gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
{
	struct gss_upcall_msg *gss_msg = container_of(msg, struct gss_upcall_msg, msg);

	if (msg->errno < 0) {
		refcount_inc(&gss_msg->count);
		gss_unhash_msg(gss_msg);
		if (msg->errno == -ETIMEDOUT)
			warn_gssd();
		gss_release_msg(gss_msg);
	}
	gss_release_msg(gss_msg);
}

The patch submitted by Pakki was:

--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -848,7 +848,8 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
 			warn_gssd();
 		gss_release_msg(gss_msg);
 	}
-	gss_release_msg(gss_msg);
+	if (gss_msg)
+		gss_release_msg(gss_msg);
 }

I don't see how gss_msg could be null, even just reading this code. So the added test doesn't change anything. No bug fixed. No bug introduced. This certainly doesn't add a vulnerability.

But I think that the following code would work and be simpler. Note: my suggestion is just a guess. I don't know the semantics of the functions called.

static void
gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
{
	struct gss_upcall_msg *gss_msg = container_of(msg, struct gss_upcall_msg, msg);

	if (msg->errno < 0) {
		gss_unhash_msg(gss_msg);
		if (msg->errno == -ETIMEDOUT)
			warn_gssd();
	}
	gss_release_msg(gss_msg);
}

Something like this was suggested in the LKML thread.
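Review bot: the "if (gss_msg)" guard added in front of the final "gss_release_msg(gss_msg);" in the gss_pipe_destroy_msg hunk is a dead test. gss_msg is obtained from container_of(msg, struct gss_upcall_msg, msg), and msg->errno is dereferenced at the top of the same function, so by the time this line runs the pointer cannot be NULL; the hunk also leaves the identical unguarded "gss_release_msg(gss_msg);" inside the "if (msg->errno < 0)" block, three lines above the change, exactly as it was, which contradicts the premise that the pointer might be NULL. A patch like this needs a commit message that explains how msg could be NULL at this point, and absent such an explanation it should be rejected rather than merged as a no-op, because a NULL check on a pointer that has already been dereferenced only misleads the next reader about the function's invariants.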

On Sun, 25 Apr 2021 16:41:39 -0400 (EDT) "D. Hugh Redelmeier via talk" <talk@gtalug.org> wrote:
| From: Alvin Starr via talk <talk@gtalug.org>
| If the zdnet report is to be believed then there was at least one attempt to
| insert code after being found out and asked to stop.
| https://www.zdnet.com/article/greg-kroah-hartman-bans-university-of-minnesot...

See: <https://lore.kernel.org/linux-nfs/20210407001658.2208535-1-pakki001@umn.edu/>

I don't think that Steven J. Vaughan-Nichols' interpretation is correct (it seems to be GKH's). If you look at the email exchange in question, the "attempt to insert code" was an attempt to submit a real bug-fix, not an attempt to add a bug. But:
- the fix was to a bug that didn't exist. Careful reading of the surrounding code shows that the problem addressed could not happen.
<snip>
Okay, even if you are correct, there are allegedly 'multiple' submits? I have not been on kernel lists as I left in the mid-2000s, but what is discussed are multiple events and not one, and also that there is still more to be known and said. So, like others, I am patiently waiting to hear more and will be ignoring some of the rumours and other "info" until more is known (like who, what, how many and what the responses are). I am however of the general opinion that universities are held to a higher standard and that this type of "research" would have had to be authorised by the institution. Therefore my opinion simply is that an example has to be made, but my opinion does not really matter and this is an emotional and trust issue.

On 2021-04-25 4:41 p.m., D. Hugh Redelmeier via talk wrote:
| From: Alvin Starr via talk <talk@gtalug.org>
| If the zdnet report is to be believed then there was at least one attempt to
| insert code after being found out and asked to stop.
|
| https://www.zdnet.com/article/greg-kroah-hartman-bans-university-of-minnesot...
See: <https://lore.kernel.org/linux-nfs/20210407001658.2208535-1-pakki001@umn.edu/>
I don't think that Steven J. Vaughan-Nichols' interpretation is correct (it seems to be GKH's). If you look at the email exchange in question, the "attempt to insert code" was an attempt to submit a real bug-fix, not an attempt to add a bug. But:
- the fix was to a bug that didn't exist. Careful reading of the surrounding code shows that the problem addressed could not happen.
- it is hard to understand leaks and non-leaks, so this submission only shows that Pakki is not yet a good kernel programmer.
- it does not introduce a vulnerability
This is kind of getting into the weeds.
The offending paper that looks to describe what was done can be found at https://github.com/QiushiWu/qiushiwu.github.io/blob/main/papers/OpenSourceIn...
The paper appears to have been posted 3 months ago along with all the other content in the site. This would appear to predate the email thread where this all blew up. On the other hand I am not sure how much to trust the github posting dates.
I think https://davisjam.medium.com/ethical-conduct-in-cybersecurity-research-86d13b... provides an eloquent description of the events and actions of most of the actors involved.
-- 
Alvin Starr || land: (647)478-6285
Netvel Inc. || Cell: (416)806-0133
alvin@netvel.net ||
participants (9)
- ac
- Alvin Starr
- Ansar Mohammed
- Aruna Hewapathirane
- D. Hugh Redelmeier
- Dhaval Giani
- El Fontanero
- Karen Lewellen
- Stewart C. Russell