
The Linux team found the source of a security threat and have taken steps to prevent that security threat from continuing to attack them.

You can't break into someone's house through their back window, tell the owners what you did, and not expect to get arrested.

People don't scream "how are we going to know that people can break into houses through broken windows without these heroes!?"




Does nobody here even understand what actually happened?

Really losing my faith in the accuracy of HN if such a huge thread is full of misinformation.

Basically (as I understand it, feel free to correct me) this is what happened:

Researcher emailed maintainer with flawed code, maintainer LGTMed it, researcher told maintainer that the code is buggy and not to merge it. The researchers confirmed that the code was not merged or committed anywhere. Paper gets published. Nothing of note happens.

Now, one of the researchers' grad students has submitted stuff to Linux of his own volition; he does not appear to be associated with the previous research. These commits are "obviously bad" according to Linux maintainers, who claim that the grad student is just continuing the "merge bad shit" research. These commits do not appear to be intentionally flawed but rather newbie mistakes (so claims the student), which is why he feels the Linux community is unwelcoming to newcomers.

Now how on earth did that warp to whatever everyone here is smoking?


You too have missed some of the details, but then so have many others.

The paper you’re referring to was from last year. Two of the three patches that they emailed in under fake author names were rejected; they wrote a paper about the experience. All that happened as a result was that everybody told them that it was a terrible idea, and they tweaked the wording of the paper a bit.

Now _this_ year, a different PhD student with the same advisor posted a really dubious patch which would introduce one or more use-after-free bugs. This patch was also rejected by the maintainers. Greg noticed that it looks like another attempt to do the same kind of experiment again. Nobody but them knows if that’s true or not, but the student reacted by calling it “slander”, which was not very advisable.

The methodology in the original paper had one redeeming feature; after any patch was accepted, they would immediately email back withdrawing the patch. That doesn’t appear to have happened in this case, but then this patch was rejected.

As a result of this, all future contributions from people affiliated with UMN are being rejected, and all past contributions (about 250) are being reviewed. Most of those are simply being backed out wholesale, unless someone speaks up for individual changes. A handful of those changes have already been vouched for.

That is pretty drastic, because there will certainly be acceptable patches that will need to be re-reviewed and possibly recommitted. On the other hand, if you discover a malicious actor, wouldn’t you want to investigate everything they’ve been involved with? On the gripping hand, there are such things as autoimmune diseases.

I guess we’ll have to see how it plays out.


> Now how on earth did that warp to whatever everyone here is smoking?

There's no other option when someone on the same research team later sends them 4 diffs, 3 of which have security holes, than to assume they're still doing research in the same area.

This is what happens when you do a social experiment without at least informing someone in the organization beforehand. There's no way to verify whether they were well-intentioned diffs or not. So you must assume they're not.


It's not someone on the same team. It's someone working underneath one of the research members: a grad student who likely had no knowledge of what his supervisor did.

https://lore.kernel.org/lkml/YIBBt6ypFtT+i994@pendragon.idea...

> These are two different projects. The one published at IEEE S&P 2021 has completely finished in November 2020. My student Aditya is working on a new project that is to find bugs introduced by bad patches. Please do not link these two projects together. I am sorry that his new patches are not correct either. He did not intentionally make the mistake.


There's a reply to the LKML from the researcher in question admitting that the new student is also working under him doing research. He claims it's not related, but it's not clear how much his word is worth now...

https://lore.kernel.org/lkml/YIBBt6ypFtT+i994@pendragon.idea...


I read everything I could find. In short, the researchers did not give maintainers any option not to participate in the research.

The best analogy I could come up with so far is: someone offered you a compelling job offer, and when you were ready to sign up they would say "yeah, that was a research project, sorry". Would you be ok with such behavior?

This is not ok, because you did not consent to waste your time on someone else's research project.


They addressed this in the paper by making the change small (5 lines). Obviously time is still wasted, but the team felt that the research warranted it. This is up for debate and should not be used solely as a reason to crucify them.


> Really losing my faith in the accuracy of HN if such a huge thread is full of misinformation.

What is the point of dubbing yourself the arbiter of the moral high ground and spreading misinformation in the very next breath?

I am less puzzled by you spreading misinformation than I am by the fact you have this outrage at the very thing you are doing and don't hesitate to attack the character of people you disagree with.

> A number of these patches they submitted to the kernel were indeed successfully merged to the Linux kernel tree.

It turns out the researchers DID allow the bad faith commits to be merged and that is a big problem that is still being unwound.

https://fosspost.org/researchers-secretly-tried-to-add-vulne...


This seems like exactly what happened to me. I do still think the researcher should have gotten approval from maintainers or the foundation before going ahead, and the way he did the research was pretty shitty.

But you also forgot the part where Greg throws a hissy fit and decides to revert every commit from UMN emails, including 3+ year old commits that legitimately fix security vulns.[0] Great job keeping mainline bug free with your paranoid witchhunt!

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...


That one has already been vouched for; I doubt it will actually be reverted: https://lore.kernel.org/lkml/b27a43bb-36bc-4b9-42de-c39a5b68...

If you know of any others that shouldn’t be reverted, you should email the list and point them out.



