Re: Malicious commits to Linux kernel as part of university study

["David A. Wheeler" <dwheeler () dwheeler com>]

Peter Bex:
> The university of Minnesota has been banned from making any commits to
> the Linux kernel after it was found out they'd been submitting bogus
> patches to the LKML to knowingly introduce security issues:
> https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX () kroah com/

I support research, but I personally think this work goes way beyond any ethical boundaries.
While I don’t know if it’s *illegal* (I’m not a lawyer!), it seems clear to me that these
U of MN researchers were conducting experiments on people without their prior consent.
In the US, experiments on people without their consent is generally forbidden.
These researchers did their experiment *before* even consulting their Institutional Review Board (IRB),
a *huge* no-no, and then their IRB approved the non-consensual experiment anyway (!!!).

GregKH’s response to this attack from the U of MN here:
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX () kroah com/
which reads in part:
> Our community welcomes developers who wish to help and enhance Linux.
> That is NOT what you are attempting to do here...
> Our community does not appreciate being experimented on...

More discussion: https://news.ycombinator.com/item?id=26887670

Peter Bex:
> I don't know the scope of this research, but it could involve other OSS
> projects, now or in the future, as well.  Hence this e-mail.  If you feel
> it's spam or needless drama, feel free to ignore.

Since the researchers failed to get prior consent from the people
being experimented on, I don’t think we can presume ethical behavior.
I have no faith that these researchers limited their attacks.
I hope they did, but I think we can take more proactive measures.

I used the following shell command to search for potentially-concerning commits in git:

git shortlog --summary --numbered --email | grep -E '(wu000273|kjlu|@umn.edu)'

I recommend other OSS projects do something similar, just in case, unless
we can have better verification that no other OSS projects were attacked.
I welcome improved methods to find concerning proposals or patches;
this is just a quick attempt to detect potential damage.


On Thu, Apr 22, 2021 at 11:44:49AM +0200, Albert Veli wrote:
> Supply chain attacks are a real threat to open source projects.

I completely agree. My work title is “Director of Open Source Supply Chain Security”,
so I guess I’d have to say that :-), but I agree anyway :-).

*ALL* OSS projects should review proposed changes for potential security
issues, and harden their software & supply chain against attacks.
I also welcome research to make that better!
But we don’t need researchers who perform attacks
on production systems without authorization, or perform
attacks on developers without their consent.

--- David A. Wheeler