Linux Foundation bans University after it intentionally submits "nonsense" patches

Honestly their hypothesis of contributing malicious code to open source projects and seeing if it sticks is worth exploring, but the way they behaved was incredibly poor. I think it's even likely that malicious patches have been merged to major open source projects.


Also:
> I respectfully ask you to cease and desist from making wild accusations
> that are bordering on slander.
LOL
 
I'm glad Linux as a whole put their foot down and made an example out of them. You could very easily make your own fork and try things yourself, not introduce experimemts to the production branch.
 
looz said:
Honestly their hypothesis of contributing malicious code to open source projects and seeing if it sticks is worth exploring, but the way they behaved was incredibly poor. I think it's even likely that malicious patches have been merged to major open source projects.


Also:
> I respectfully ask you to cease and desist from making wild accusations
> that are bordering on slander.
LOL
Click to expand...

It is an interesting thing to explore. But from the other side, they are intentionally trying to ruin projects and are wasting the time and effort of developers.

If I were an open-source developer affected by that, I'd cut that group off and label them as a bunch of actively unhelpful idiots as well. While the research is worth exploring, they deserve what they got. IMHO
 
WYP said:
It is an interesting thing to explore. But from the other side, they are intentionally trying to ruin projects and are wasting the time and effort of developers.

If I were an open-source developer affected by that, I'd cut that group off and label them as a bunch of actively unhelpful idiots as well. While the research is worth exploring, they deserve what they got. IMHO
Click to expand...
Yep, no questions about the decision to cut them off - completely warranted. And they're completely unreasonable, they should assist in fixing the mess they've created instead of calling it slander.

But the supply chain of something like the Linux kernel needs to be scrutinized, the fact that some of the garbage patches were mainlined is worrying.
 
Yeah while whoever this is has clearly not conducted themselves appropriately for the task at hand, with almost troll-like communication, if some of these patches have been mainlined then that is the much more worrying revelation here imo, it could have been someone with much more malicious intent, and much more desire to hide their actions, than whichever grad student(s) decided to pull this off, for all we know now it could have already happened with genuine malice many times before.
 
looz said:
Yep, no questions about the decision to cut them off - completely warranted. And they're completely unreasonable, they should assist in fixing the mess they've created instead of calling it slander.

But the supply chain of something like the Linux kernel needs to be scrutinized, the fact that some of the garbage patches were mainlined is worrying.
Click to expand...

I feel like that kind of research should be done with some project higher-ups knowing about it.

IE, you let up submit bad code and we will help you find errors in your mainlining process. I don't know how such a system would work, but something should have been in place so that that experiment couldn't mainline bad code and that the time spent on that code wasn't completely wasted.
 
WYP said:
I feel like that kind of research should be done with some project higher-ups knowing about it.

IE, you let up submit bad code and we will help you find errors in your mainlining process. I don't know how such a system would work, but something should have been in place so that that experiment couldn't mainline bad code and that the time spent on that code wasn't completely wasted.
Click to expand...
I wouldn't be surprised if pentesting companies did that.

But in this case it's clear that fixing issues isn't the guy's motivation, instead he wanted a paper out of it and proceeded to be difficult to deal with.
 
WYP said:
I feel like that kind of research should be done with some project higher-ups knowing about it.

IE, you let up submit bad code and we will help you find errors in your mainlining process. I don't know how such a system would work, but something should have been in place so that that experiment couldn't mainline bad code and that the time spent on that code wasn't completely wasted.
Click to expand...

You can submit bad code to a non production branch and with the higher ups knowledge they can watch it and see how their developer's are working. If they catch it, submit it to production, etc. Then they can see where there development cycle has flaws whether it be human error or something else.

This way research can be done and everybody benefits.
 
I'm not super familiar with how someone gets approval to push changes to the Linux kernel, but surely that's the vulnerability here. Once your commits are trusted you can obfuscate malicious code.

Edit: a more interesting paper would be if an anonymous source could do this not someone using a prestigious institution to hide behind.
 
You must log in or register to reply here.

Similar threads

J
Is LTT forum is choke full of spooks ?
Replies
5
Views
433
hmmblah
hmmblah
Zoot
100TB New(ish) Home Server Build
Replies
6
Views
3K
hmmblah
hmmblah
P
Do some people never learn from the past?
Replies
2
Views
811
Pugsport
P
WYP
Intel submits initial patches for USB4 to the Linux Kernel
Replies
0
Views
533
WYP
WYP
dazbobaby
Monitor over Ethernet
Replies
2
Views
1K
jnemesh
J
Back
Top