Post4VPS Forum | Free VPS Provider
University of Minnesota attempted our security! - Printable Version

+- Post4VPS Forum | Free VPS Provider (https://post4vps.com)
+-- Forum: Geek World (https://post4vps.com/Forum-Geek-World)
+--- Forum: Software (https://post4vps.com/Forum-Software)
+--- Thread: University of Minnesota attempted our security! (/Thread-University-of-Minnesota-attempted-our-security)

Pages: 1 2


University of Minnesota attempted our security! - LightDestory - 04-26-2021

I know that this news is a bit old, 4 days ago, but I touches me at the core and I wanted to write about it.
If you didn't read it, don't worry I will provide a "offensive-less" summary of what the researchers of Minnesota tried to do.

On 21 April 2021 an email from Greg Kroah-Hartman announced his decision to ban University of Minnesota from the Linux development contributors and the revert their commits (= nullify all their code changes). The researchers tried to intentionally insert bugs in an unauthorised Penetration test to perform an experiement described on one of their scientific article... THEY COULD HAVE AFFECTED YOUR SECURITY. 

These ***** researcher just used the trust of the open source community to just to perform a dangerous experiment to boost their own paper-career. It is disgusting.
We should thanks the numerous reviewers who protect us by inspecting the code.

I will stop here my personal summary because I could use a offensive tone, so I would just append the "polite" email from Greg Kroah-Hartman:

Code:
I have been meaning to do this for a while, but recent events have
finally forced me to do so.

Commits from @umn.edu addresses have been found to be submitted in "bad
faith" to try to test the kernel community's ability to review "known
malicious" changes.  The result of these submissions can be found in a
paper published at the 42nd IEEE Symposium on Security and Privacy
entitled, "Open Source Insecurity: Stealthily Introducing
Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
of Minnesota) and Kangjie Lu (University of Minnesota).

Because of this, all submissions from this group must be reverted from
the kernel tree and will need to be re-reviewed again to determine if
they actually are a valid fix.  Until that work is complete, remove this
change to ensure that no problems are being introduced into the
codebase.

This patchset has the "easy" reverts, there are 68 remaining ones that
need to be manually reviewed.  Some of them are not able to be reverted
as they already have been reverted, or fixed up with follow-on patches
as they were determined to be invalid.  Proof that these submissions
were almost universally wrong.

I will be working with some other kernel developers to determine if any
of these reverts were actually valid changes, were actually valid, and
if so, will resubmit them properly later.  For now, it's better to be
safe.

I'll take this through my tree, so no need for any maintainer to worry
about this, but they should be aware that future submissions from anyone
with a umn.edu address should be by default-rejected unless otherwise
determined to actually be a valid fix (i.e. they provide proof and you
can verify it, but really, why waste your time doing that extra work?)

thanks,

greg k-h

What do you think about it?
The open source community is always friendly and open minded to new and senior contributor, but these reseachers just decided on their own to do something so dangerous that could have been affected our daily usage devices.


RE: University of Minnesota attempted our security! - deanhills - 04-26-2021

(04-26-2021, 12:10 PM)LightDestory Wrote: I know that this news is a bit old, 4 days ago, but I touches me at the core and I wanted to write about it.
If you didn't read it, don't worry I will provide a "offensive-less" summary of what the researchers of Minnesota tried to do.

On 21 April 2021 an email from Greg Kroah-Hartman announced his decision to ban University of Minnesota from the Linux development contributors and the revert their commits (= nullify all their code changes). The researchers tried to intentionally insert bugs in an unauthorised Penetration test to perform an experiement described on one of their scientific article... THEY COULD HAVE AFFECTED YOUR SECURITY. 

These ***** researcher just used the trust of the open source community to just to perform a dangerous experiment to boost their own paper-career. It is disgusting.
We should thanks the numerous reviewers who protect us by inspecting the code.

I will stop here my personal summary because I could use a offensive tone, so I would just append the "polite" email from Greg Kroah-Hartman:

Code:
I have been meaning to do this for a while, but recent events have
finally forced me to do so.

Commits from @umn.edu addresses have been found to be submitted in "bad
faith" to try to test the kernel community's ability to review "known
malicious" changes.  The result of these submissions can be found in a
paper published at the 42nd IEEE Symposium on Security and Privacy
entitled, "Open Source Insecurity: Stealthily Introducing
Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
of Minnesota) and Kangjie Lu (University of Minnesota).

Because of this, all submissions from this group must be reverted from
the kernel tree and will need to be re-reviewed again to determine if
they actually are a valid fix.  Until that work is complete, remove this
change to ensure that no problems are being introduced into the
codebase.

This patchset has the "easy" reverts, there are 68 remaining ones that
need to be manually reviewed.  Some of them are not able to be reverted
as they already have been reverted, or fixed up with follow-on patches
as they were determined to be invalid.  Proof that these submissions
were almost universally wrong.

I will be working with some other kernel developers to determine if any
of these reverts were actually valid changes, were actually valid, and
if so, will resubmit them properly later.  For now, it's better to be
safe.

I'll take this through my tree, so no need for any maintainer to worry
about this, but they should be aware that future submissions from anyone
with a umn.edu address should be by default-rejected unless otherwise
determined to actually be a valid fix (i.e. they provide proof and you
can verify it, but really, why waste your time doing that extra work?)

thanks,

greg k-h

What do you think about it?
The open source community is always friendly and open minded to new and senior contributor, but these reseachers just decided on their own to do something so dangerous that could have been affected our daily usage devices.
Great post @LightDestory Wow!  Can't believe that something like this was allowed to happen by a University.  I hope that a complaint has been submitted to the University, as that is just so very unethical, disrespectful of the community. Also completely disrespectful of any University's research protocols. I'm sure they must have been breaking their own University's rules as well. This is at the same time worrying as who knows, maybe members of their team are going to try to "prove" further security "exploits".

Good news however that someone was able to pick up on this exploit.  And to punish the offenders at the same time!


RE: University of Minnesota attempted our security! - tryp4vps - 04-27-2021

It is really making my hairs stand up in anger. It is something that should not happen in any kind of university.

Normally if the researchers just wanted to test out this kind of codes, they should commit code changes only to their own fork and then conduct the testing there, and should not request merging their commits to the master working branch at all. Smile


RE: University of Minnesota attempted our security! - LightDestory - 04-29-2021

(04-27-2021, 08:07 AM)tryp4vps Wrote: It is really making my hairs stand up in anger. It is something that should not happen in any kind of university.

Normally if the researchers just wanted to test out this kind of codes, they should commit code changes only to their own fork and then conduct the testing there, and should not request merging their commits to the master working branch at all. Smile

The researchers wanted to test the community trying to see if their bad conduct could be detected for their own agenda (just a new paper on their carrer summary). They didn't request a permission to perform such testes and, if no one detected their bad conduct these bugs could have been reached the main stream branch!

Hopefully the developer community around linux is HUGE and a lot of people worked together to sort out this crazy attempt. 

The awesome point of Open source is that you are not alone, all developer are like a big family Smile


RE: University of Minnesota attempted our security! - Sn1F3rt - 04-30-2021

Indeed this attempt was much more malicious than experimental. All the more who would expect it from university researchers like this one. Honestly, it's a shame and I'm disgusted at this. Greg definitely took the right call.

Thanks to the numerous Linux OSS contributors and reviewers that we're still safe and unaffected because of an experiment that could have affected thousands of users worldwide, all the more not even requesting permission to do so.


RE: University of Minnesota attempted our security! - tiwil - 05-01-2021

I read from Reddit that future researcher/contributor from UMN will have their PR automatically rejected. This really affect their university reputation. I don't know how angry I am if I were one of uni's head.


RE: University of Minnesota attempted our security! - mzltest - 05-02-2021

(04-27-2021, 08:07 AM)tryp4vps Wrote: It is really making my hairs stand up in anger. It is something that should not happen in any kind of university.

Normally if the researchers just wanted to test out this kind of codes, they should commit code changes only to their own fork and then conduct the testing there, and should not request merging their commits to the master working branch at all. Smile

Agreed.They are intentionally breaking the opensource community.If the want a test of their skills just do it in their sandbox not in public environment.There are jokes that saying progarmmers is the kind that making another bug after fixing this one - but it is just joke.If you made a bug that just shows your skills but if you deliberately submitting a bug you reveal your evilness.

And now they get themself banned - I believe not all the students took part in the experiment,but seems the good guys might must use their personal accounts on github.


RE: University of Minnesota attempted our security! - tiwil - 05-02-2021

(05-02-2021, 01:51 AM)mzltest Wrote: Agreed.They are intentionally breaking the opensource community.If the want a test of their skills just do it in their sandbox not in public environment.There are jokes that saying progarmmers is the kind that making another bug after fixing this one - but it is just joke.If you made a bug that just shows your skills but if you deliberately submitting a bug you reveal your evilness.

And now they get themself banned - I believe not all the students took part in the experiment,but seems the good guys might must use their personal accounts on github.

They are not testing their skills. Based on OP, they're doing research about insecurities in open source community where all can contribute to an open source repository. Therefore they test the community by releasing questionable commit.


RE: University of Minnesota attempted our security! - mzltest - 05-02-2021

(05-02-2021, 12:49 PM)tiwil Wrote: They are not testing their skills. Based on OP, they're doing research about insecurities in open source community where all can contribute to an open source repository. Therefore they test the community by releasing questionable commit.
 
But this kind of research is nonsense,since there are various people and no control groups,etc.And they could simply starting a new project with code issues and asking for a peer review,not by harming a existing project,as people basically have a good faith of kindness and they won't actually review every piece of code modified.


RE: University of Minnesota attempted our security! - tiwil - 05-03-2021

(05-02-2021, 03:39 PM)mzltest Wrote:  
But this kind of research is nonsense,since there are various people and no control groups,etc.And they could simply starting a new project with code issues and asking for a peer review,not by harming a existing project,as people basically have a good faith of kindness and they won't actually review every piece of code modified.

Absolutely. It's nonsense but also alarming us. They do research about insecurities over open source and it seems they are successful since we see that their questionable commit get approved and paper is going out.

What we can conclude here is: There might be a case someone is actually do this for bad things, and get their commit approved. We should think again about this possibilities. What do you guys think?