How To Get A University Banned From The Linux Kernel

Brodie Robertson

3 years ago

10,715 views


Comments:

@Calajese - 28.04.2021 00:08

"What even could go wrong?" said the professor before everything went wrong.

@Neucher - 28.04.2021 00:19

They should be banned until they make a large donation

@killistan - 28.04.2021 00:29

What a breach of trust :-\
Banning the university is the only way to go here.

@ashishpatel350 - 28.04.2021 00:46

Seems like a CCP op to see if the Chinese commies could infiltrate the Linux community. Or the CIA and other glowbois.

@armynyus9123 - 28.04.2021 01:00

Sad that this happened after they struck Linus for his choice of words 2 years ago or so. Would have been fun to read his unfiltered 5 cents about the issue :-)

@billeterk - 28.04.2021 01:01

I’d say the response is sensible even disregarding any emotions. At least if you look at it from a game theory point of view :-). Generally I prefer the idea of tit for tat behaviour, which can be effective, but the difference in costs and payoffs for both parties here point to stricter measures.

@rabbitroy1976 - 28.04.2021 01:10

Greg lost trust in the university once they have the ok on the paper

@aeroscience9834 - 28.04.2021 01:13

If they were indeed pointing out that the patches were flawed after they were approved, but before they were merged, then I don't think they did anything egregiously wrong here. I mean, yes, they could have warned some of the maintainers to make it more ethical, and yes, some time was wasted, which is unfortunate. But in a way, is it not a good thing to keep the Linux program on its toes and more security conscious? As there is far worse out there that may want to backdoor the Linux kernel.

@LeMeccerino - 28.04.2021 01:24

Jannies made the right call for once? Is it the revelation and why am I still here?

@nonetrix3066 - 28.04.2021 02:25

If they are this bad at checking code, maybe they should check every commit. What they did wasn't pog, but I think it really proved something.

@dougtilaran3496 - 28.04.2021 04:05

PLM. Penguin Lives Matter !

@paulbishop2198 - 28.04.2021 05:05

A ban is not only appropriate but necessary. And that ban should be permanent.
Nothing would be gained by showing tolerance for deceit and inviting further exploitation.
This isn't about money or rules for their own sake. This is not even directly political. It is simply not practical to tolerate patterns of behavior that put so much effort into direct threat of being ruined. And only actions and reactions make a difference. This was not an excusable mistake, and an institution capable of such insanity cannot be expected to behave differently in the future. This should cost U of M. And those employed there who allowed this study to happen need to be demoted and disempowered.

@101Rouge - 28.04.2021 05:19

Isn't a key part of white hat hacking that the organisation knowingly consents to the attack? The university's approval doesn't mean anything if there was no communication with the Linux community about doing such an attack.

@0x007A - 28.04.2021 05:48

This is part of security research whether or not GKH accepts reality. The contributors notified the KML and patch reviewer not to apply the patches. This experiment proves the Linux kernel maintenance process is flawed. The maintainer team needs security reviewers as part of their team.

@matthewweber4162 - 28.04.2021 06:59

There are a ton of ethics that come into play when you're doing penetration testing, which seems like what they're doing on the most basic level. It feels like they didn't seem to care at all about those ethics.

@R5on11c - 28.04.2021 09:24

This is like a nurse switching out newborns in a hospital and then telling the parents "Ayy lmao, it was just a test. You can still trust me tho".

The ban was fair. Not irredeemable, but close.

@TrowGundam - 28.04.2021 10:15

You know the old adage of "Trust, but Verify" seems relevant here. Ya, you can trust people that don't have a history of malicious action or appear to be from a reputable source, but that is no reason to not VERIFY they are so.

@Speykious - 28.04.2021 11:59

No joke this is the most complete video I've found on the subject. Thank you :)

@ardvan - 28.04.2021 13:17

The research could be genuine but was handled badly. But because of what is going on every day we have to assume the worst.

IMO schools and universities are undermined and more "w0ke". With this mindset more and more people don't follow any rules or morals anymore.
Everything must be dumbed down. They will do anything more and more as long as there are no consequences. Like Durahell-bunnies or zombies.
If they are caught they already have some made up excuse to try to shame you into accepting their way of doing things.
Or they say that it was just a joke, or some "important research".

In these times where there is so much ideology seeping into software development we must be very aware and not be intimidated by people doing stupid stuff.
Just recently I had a software update where they replaced the two words "Master" and "Slave" with "Far" and "Near". O.o

Many things that would have been considered satire 20 years ago are now everyday occurrences.
So I find the ban very reasonable.

@RedFenceAnime - 28.04.2021 14:40

I've been trying to justify this in my head, but I don't think I can.
Everyone can submit a patch. So that opens them up for this sort of attack.
What if the email of someone trusted gets compromised?
A malicious actor won't ask for permission. (This is the worst part.)

I think I'd possibly be ok with this if it was one or two, but not all 3 of these: a UMN email address, pretending to fix while breaking, and not notifying anyone.

Sure it wastes time, but we don't live in a perfect world. I'm sure everyone would love not having to spend on any security.
The resources used building barriers are also needed elsewhere, but I don't think we can live without them.

@NewCurryofthepast - 28.04.2021 17:24

I ban contributors from my projects for lesser offenses. If you commit code that actively makes the project worse, even unintentionally, your time and effort isn't desired, bye. The maintainers are entirely within their rights; heck, the extent of the social engineering damage done was higher than the initial reports suggested. Mind, I'm just some small nobody on the internet and the Linux kernel is of foundational importance to the modern tech and IT industry.
As many other commenters pointed out, it was a complete bait and switch, then giving the fake South Park "I'm sowwy." excuse. Heck, this isn't the first time the incompetents from Minnesota caused them trouble.

@AnzanHoshinRoshi - 28.04.2021 18:08

Thank you, Brodie. Good coverage. Greg, once more, has acted clearly and promptly. I am disgusted by UMI's conduct.

@rengaret - 29.04.2021 12:10

This is unacceptable. Just imagine someone wants to test the safety of your car, they break the window, steal your radio and then tell you they were just doing research. What this really shows is that it's starting to be a common way to conduct papers nowadays. It terrifies me.

@SoundToxin - 29.04.2021 17:37

It's a shame the U of M did this. They seemed pretty reputable before. They were the birthplace of the Gopher protocol.

@antoniostorcke - 30.04.2021 15:58

Liberalism kills everything. Always a waste of resources. The punishment was well-deserved.

@thaddaeusmarkle1665 - 30.04.2021 23:50

wow...just wow.

@Luftbubblan - 05.05.2021 03:47

There's nothing that says that people in power positions can't change sides. Security should be tight internally and externally. Whether this whole situation was right or not I'm not going to comment on, but it should have opened some eyes.

@RobertPrue - 06.05.2021 05:48

Having sat on my university Institutional Review Board in the past, I would have to question this research being classified as not human subjects research. If the researchers were trying to get something past a group of people, then humans are involved; even though you are not collecting identifiable information about people, the research involved a high probability of harm being done to human beings. I would think slipping bugs past someone not only annoys and angers them (harm), but also wastes their time in repairing the damage (harm), and it can harm the reputation of the kernel volunteers; I think the list could go on. The board of the Linux kernel should report this to the UMN IRB.

@GabrielTobing - 08.05.2021 11:39

The ban was fair and they made a good example of what happens to those that abuse a community.

@YeOldeTraveller - 14.02.2022 01:18

The review board was dead wrong. This is clearly human research on the means of using social engineering to introduce vulnerabilities into Linux. They were specifically using the trust inherent in the process as their vector.

@Artoooooor - 16.02.2022 19:53

I hope students of that university can still submit commits outside of the university emails and projects. Otherwise it's just collective punishment, a thing that is never ever justified.

@uuu12343 - 05.04.2022 18:37

Looking back, this research is not just a Computer Science research paper; it became straight up an Ethical Hacking situation disguised as research. The worst part is when they didn't even let the Linux maintainers know they were gonna do so.

What a disaster lmao

@Vini-km4dh - 13.07.2022 09:39

Man, everyone in these images is being so nice, I can't even believe this is the internet, and TWITTER of all places.

@AdamFJH - 23.09.2022 19:35

This video doesn't explain how the patch made it through even though Greg was against it. The ban is fair but it doesn't show the code review process has issues, and I need to know what those issues are and whether they are fixed. The patch should have never made it through after Greg pointed out how suspicious they were.

@walkergoff3127 - 28.10.2022 19:39

Whoever pays the maintainers should hire a legal team and not resort to responses that penalize students.

@vitluk - 03.01.2023 22:25

Instead of submitting bad patches and telling that they were bad after they've been approved, breaking the trust, they should've just tried to have direct communication set up with one of the maintainers and explain this shit in detail, giving some pointers to improving the patch submission process. They would've gotten their research without accidentally harming the project and community, it would only have helped, and they wouldn't be banned from future contributions.

@danieltm2 - 20.03.2023 19:42

Is this human research?

No, we studied Linux maintainers

@davidturcotte831 - 17.04.2023 18:09

I have a BA in Psychology and further training in behavioural analysis. You would not believe how often IRBs let BS slide through. Whether it's the groups that accepted passages from Mein Kampf as actual research, or it is the psych department accepting bogus assertions with zero evidence as unqualified truth, IRBs function solely to perpetuate an ingroup/outgroup situation, increasing nepotism and favouritism at an institutional level.

Screw the university. Linux doesn't need them. Don't go to Minnesota for computer science courses anymore. Ever. I hope their program tanks and they lose accreditation over this bull.

IRBs need watchdogs themselves because right now they are entirely unrestrained entities causing more harm than good.

@sebastianucero7535 - 22.05.2023 00:22

This black mark can't be removed.
The University allowed this behavior. It's a demonstration of a lack of morality from the authorities.
The path taken is not only correct but necessary.
Great video.

@firstlast-tf3fq - 10.07.2023 01:22

Whether the kernel devs appreciate it or not... It's perfectly valid research.

@Person01234 - 18.08.2024 07:51

100% justified in banning the university. It's not like this was some rogue person who just happened to have gotten hold of a university email. This was done with the knowledge and blessing of the university, seemingly on university time with university resources in the pursuit of research for/relating to the university. It is one thing to bring up concerns with the process; it's another to actively inject malicious code into a project just to prove a point. I don't think it's necessarily an invalid method, especially if "bringing up concerns" isn't working (though it doesn't sound like they even did that in this case), but you can't expect to remain in good standing after doing it. I mean, banning people or organizations that abuse their authority to submit malicious code seems like the most basic level of security imaginable; once you've done that you can start working on the issues that their actions exposed.

If you want to do an experiment like this it has to be cleared at some level with the organization you're doing it to. Collaborative testing of this nature would probably be welcome.
