University of Minnesota tries to corrupt Linux kernel

GroupDIY Audio Forum


cyrano

The University of Minnesota has been banned from contributing to the Linux kernel for introducing bugs in unneeded patches under the guise of research:

https://www.phoronix.com/scan.php?page=news_item&px=University-Ban-From-Linux-Dev

Greg Kroah-Hartman has banned a US university from trying to mainline Linux kernel patches over intentionally submitting questionable code with security implications and other "experiments" in the name of research.

Stemming from this research paper where researchers from the University of Minnesota intentionally worked to stealthily introduce vulnerabilities into the mainline Linux kernel. They intentionally introduced use-after-free bugs into the kernel covertly for their research paper.

But even after this paper, there has been a new round of patches from University of Minnesota researchers that claim to come from "a new static analyzer" but without any real value to the patches. These new, questionable patches don't appear to have any real value -- for good or bad -- and at the very least are just wasting time by upstream developers. This has led Greg to call them out and "ban" them from trying to contribute to the Linux kernel in the future.
 
Why would they do this? I can understand trying to break something in a research environment. But to use the public for this? Very irresponsible, perhaps even malicious.
 
Sometimes the only way to draw attention to something that's breakable is to deliberately break it. It being the Linux patch system I guess.

I think the greatest software threat vector, which is largely being completely overlooked, is code that has an approved process for being installed but has no mechanism for validation or the validation is just not sufficient to identify bad code. Specifically, I mean "apps" or "extensions" where you go to some app store or marketplace and install a third party application. No matter how well the platform tries to isolate these applications, it is very difficult to stop bad behavior or even identify it as bad.

Think about how easy it is to add a back door to something like an app for your phone. Generally phone apps are not servers but as a client it can just as easily be triggered to download and execute something. At least with Linux people can mostly see the code (minus little blobs of firmware for chips).

And I'm not just talking about individuals. There are many server applications used by businesses and governments that allow installing third party extensions. Take Salesforce for example. It has "appexchange". My understanding is that the revenue of Salesforce apps and associated support far exceeds the revenue of Salesforce itself. Companies blindly install these things like they're trusted just because they're hosted by Salesforce's "appexchange". That is a BIG mistake and one of these days, mark my words, that chicken is going to come home to roost.
 
squarewave said:
Sometimes the only way to draw attention to something that's breakable is to deliberately break it. It being the Linux patch system I guess.

So they proved the patch system is good, 'cause they got caught twice?

The first time they disguised it as a research project, the second time they were sending in useless patches?

Maybe they're expecting a rather large grant from the likes of Microsoft?
 
Agree, there's something very fishy in this

Does not make sense from any research perspective - wouldn't pass first line of defense of the research-ethical oversight boards.

Which means that it was authorized from a higher level - that is, if system is like here.

This probably also why it was made an institution-wide ban

/Jakob E.
 
In many ways our own respective governments, most especially in Ireland, through so called 'light touch' regulation have set the tone for how social media/marketing uses our data. On many levels the public interest hasn't been served; you have politicians who want to use the power of social media to further their career and at the same time keep the hungry data aggre(gators) sweet. It's a blatant conflict of interest.

If governments worldwide are allowing what really amounts to a form of mental slavery and control through data, why wouldn't every two bit hood and huckster get in for a cut of the pie?
I agree with Jakob, it's the wrong signals being sent down from the top. Data protection legislation and GDPR can just as easily get twisted into reasons to deny people access to data and we've seen a lot of that over the years here in Ireland.
 
The dark side of Linux is twofold:

1. The Linux foundation is subsidised by money from Microsoft and a few other big companies. The Linux foundation's CEO is an ex-Microsoft lawyer.

2. Redhat's biggest customer, by far, is the US army.

Why do you think Redhat has been pushing really hard to get a complicated monolithic piece of software like systemd into every distro? Fortunately, some oldtimer BOFHs have been resisting this.

I was there when the US army threatened Canadian software maker Zero Knowledge Systems into selling tor (which was called "Freedom" back then) to them. Afterwards, they started luring everyone into thinking tor would benefit dissidents in China, Russia and other not so democratic countries.

It's the same thing over and over again. If they can't control it, they'll corrupt it.

Another weird thing: the US army is still owner of around 7% of the IPv4 address space. In literally the last minutes of the Trump reign, they transferred control (not ownership) to a dormant Florida based company that was into email marketing before. That makes that company the biggest operator in the IPv4 address space (AS8003), by far.

Now they're trying to tell us it's an experiment in safety.

Some of this unused address space was used by US companies to send data from their clients' network systems to the companies' servers. Of course, they had no permission, but as these millions of IPs were never used, it's a fairly widespread practice.

Why to an obscure company and why at that precise moment?

NANOG operators (North American Network Operators Group) had these questions too. Immediately, some execs from Redhat and a few other companies that never were very active on the NANOG list showed up.

Something's up. And Linux is a thorn in the side of the powers that be.
 
cyrano said:
The dark side of Linux is twofold:

1. The Linux foundation is subsidised by money from Microsoft and a few other big companies. The Linux foundation's CEO is an ex-Microsoft lawyer.

2. Redhat's biggest customer, by far, is the US army.
Fortunately, Linux is not The Linux Foundation, nor is it RedHat, who are merely one of many providers of a Linux distribution. Both are contributors to Linux but they are not Linux themselves.

Cheers

Ian
 
While I agree, Ian, this is from the Linux Foundation's site:

The Linux Foundation is the only organization with a comprehensive platform that provides the tooling and analytics capabilities to streamline project operations and community engagement, automate technology infrastructure, simplify project management, and facilitate the scale of community awareness and enterprise-wide adoption.


Any idea how big their budget is?

$54.1B
total shared value created from the collective contributions of the Linux Foundation community

Agreed, that's not their budget. That's the value of Linux, that they boast about, while it's not their product.

Have you seen their member list?

https://www.linuxfoundation.org/en/join/members/

Heck, even our national brewer, AB Inbev, is there, as a platinum contributor (annual cost: 500.000$). They've never contributed to Linux. Yet they're willing to spend a bundle to belong to this club. A lot of money, but it gets a vote on who will be on the board. Lesser members have no vote.

Every day, some real longtime Linux developer gets railroaded or leaves the community out of sheer despair, to be replaced by devs from big corporations. Ever heard of Jacob Appelbaum?

https://www.theverge.com/2019/10/2/20895270/jacob-appelbaum-peter-todd-rape-allegations-defamation-bitcoin-tor

While the kernel itself is still being developed by Linus and a faithful bunch of volunteers, I can see it coming that it will be taken away from him. Already, an Appelbaum-like case against Linus is being prepared. After all, Linus is known to be very direct, rude, some say. And we can't have that, can we?

This is an article from 2016 about the issues:

https://www.information-age.com/linux-foundation-causes-uproar-quietly-removing-community-representation-its-board-123460821/

The Linux community has effectively been driven out of the foundation, to be replaced by industry execs who have no experience with open source.
 
cyrano said:
The Linux community has effectively been driven out of the foundation, to be replaced by industry execs who have no experience with open source.
One thing the big batters do not grok is that Linux IS the community. Drive Linus out and he will simply fork and the community will follow. Plenty of prior examples of this.

Cheers

Ian
 
Just like Jacob was the developer core of tor.

When he got involved with Wikileaks, he had to go, so they fabricated some anonymous nonsense accusations. Can't have an American involved in Wikileaks, can we?

I can see the same kind of case being built against Linus.
 
Response from the University of Minnesota:

https://drive.google.com/file/d/1z3Nm2bfR4tH1nOGBpuOmLyoJVEiO9cUq/view

We welcome your letter regarding recent work done by researchers from The University of Minnesota. We agree that this work clearly did not use appropriate methods—specifically, it did not seek or gain permission from the Linux community—and therefore, it was harmful to the community, as the researchers have acknowledged explicitly: An open letter to the Linux community

They seem to agree with the findings, but completely ignore the fact that they kept submitting unneeded meaningless patches after being warned.

Is this sheer stupidity or maliciousness? Or are they simply hoping the other developers have already forgotten about it?

Wait and see, I guess.
 
cyrano said:
Response from the University of Minnesota:

https://drive.google.com/file/d/1z3Nm2bfR4tH1nOGBpuOmLyoJVEiO9cUq/view

They seem to agree with the findings, but completely ignore the fact that they kept submitting unneeded meaningless patches after being warned.

Is this sheer stupidity or maliciousness? Or are they simply hoping the other developers have already forgotten about it?

Wait and see, I guess.
Well, Linus still oversees commits to the kernel so I guess his response will be as robust as usual ;)

Cheers

Ian
 
:)

In this case, it's someone else: Greg Kroah-Hartman, responsible for stable kernel releases.

Linus' "robust" replies are a reason why some want him out of development. I can't see that happen anytime soon, but they are building a case, very slowly.
 
A new piece of the puzzle, found by a Chinese security company:

https://www.securityweek.com/stealthy-rotajakiro-backdoor-targeting-linux-systems

Did some digging...

The malware delivery server resides in Reston, Virginia...

Control and command from Ukraine.

Now who would be the operators?
 