From oss-security Thu Apr 22 15:02:11 2021
From: "David A. Wheeler"
Date: Thu, 22 Apr 2021 15:02:11 +0000
To: oss-security
Subject: Re: [oss-security] Malicious commits to Linux kernel as part of university study
Message-Id: <4DCB6EF3-73EE-4038-8437-FEB339F20F90 () dwheeler ! com>
X-MARC-Message: https://marc.info/?l=oss-security&m=161910379100879

Peter Bex:
> The university of Minnesota has been banned from making any commits to
> the Linux kernel after it was found out they'd been submitting bogus
> patches to the LKML to knowingly introduce security issues:
> https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/

I support research, but I personally think this work goes way beyond any
ethical boundaries.

While I don’t know if it’s *illegal* (I’m not a lawyer!), it seems clear to
me that these U of MN researchers were conducting experiments on people
without their prior consent. In the US, experiments on people without their
consent are generally forbidden. These researchers did their experiment
*before* even consulting their Institutional Review Board (IRB), a *huge*
no-no, and then their IRB approved the non-consensual experiment anyway (!!!).

GregKH’s response to this attack from the U of MN is here:
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
which reads in part:
> Our community welcomes developers who wish to help and enhance Linux.
> That is NOT what you are attempting to do here...
> Our community does not appreciate being experimented on...

More discussion: https://news.ycombinator.com/item?id=26887670

Peter Bex:
> I don't know the scope of this research, but it could involve other OSS
> projects, now or in the future, as well. Hence this e-mail. If you feel
> it's spam or needless drama, feel free to ignore.

Since the researchers failed to get prior consent from the people being
experimented on, I don’t think we can presume ethical behavior.
I have no faith that these researchers limited their attacks. I hope they
did, but I think we can take more proactive measures.

I used the following shell command to search for potentially-concerning
commits in git:

git shortlog --summary --numbered --email | grep -E '(wu000273|kjlu|@umn.edu)'

I recommend other OSS projects do something similar, just in case, unless
we can have better verification that no other OSS projects were attacked.
I welcome improved methods to find concerning proposals or patches; this is
just a quick attempt to detect potential damage.

On Thu, Apr 22, 2021 at 11:44:49AM +0200, Albert Veli wrote:
> Supply chain attacks are a real threat to open source projects.

I completely agree. My work title is “Director of Open Source Supply Chain
Security”, so I guess I’d have to say that :-), but I agree anyway :-).

*ALL* OSS projects should review proposed changes for potential security
issues, and harden their software & supply chain against attacks. I also
welcome research to make that better! But we don’t need researchers who
perform attacks on production systems without authorization, or perform
attacks on developers without their consent.

--- David A. Wheeler
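The `git shortlog` check in the message above groups commits by author only. Two other places an identity can appear are not covered by it: the committer field (set when someone other than the author applies or rebases a patch) and the Signed-off-by / Reviewed-by / Tested-by trailers in the commit message. The following POSIX shell script is an added example, not code from the original e-mail or from any project it mentions. It audits all three places for one extended regex and, to be runnable offline, builds a throwaway repository with constructed identities (the `umn.example.edu` addresses and the commit messages are made up for this example; the function and variable names are this example's own).

```shell
#!/bin/sh
# Added example, not from the original e-mail. Audits a git repository for
# commits whose author, committer, or commit message (Signed-off-by,
# Reviewed-by and similar trailers) match a pattern. `git shortlog` groups
# by author only, so a committer identity or a trailer naming a suspect
# reviewer/submitter is not reported by it.

# audit_commits REPO PATTERN: print "<hash>\t<reason>" for every commit in
# REPO (all refs) matching the extended regex PATTERN, case-insensitively.
audit_commits() {
    repo=$1
    pattern=$2
    {
        # Author and committer identities, one line per commit.
        git -C "$repo" log --all \
            --format='%H%x09author=%an <%ae>%x09committer=%cn <%ce>' \
            | grep -E -i -- "$pattern" || true
        # Commit messages, which is where Signed-off-by/Reviewed-by live.
        git -C "$repo" log --all -E -i --grep="$pattern" \
            --format='%H%x09message: %s' || true
    } | sort
}

# count_flagged_commits REPO PATTERN: number of distinct commits flagged.
count_flagged_commits() {
    audit_commits "$1" "$2" | cut -f1 | sort -u | grep -c . || true
}

# make_sample_repo: build a throwaway repo with constructed identities
# (every umn.example.edu address here is made up for this example) and
# print its path. Each commit exercises one place an identity can hide.
make_sample_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    _commit() { # _commit AUTHOR COMMITTER_NAME COMMITTER_EMAIL MESSAGE-ARGS...
        a=$1; cn=$2; ce=$3; shift 3
        git -C "$dir" -c "user.name=$cn" -c "user.email=$ce" \
            commit -q --allow-empty --author="$a" "$@"
    }
    _commit 'Alice <alice@example.com>'         Alice alice@example.com  -m 'Initial commit'
    _commit 'Mallory <mallory@umn.example.edu>' Alice alice@example.com  -m 'Add feature'   # author match
    _commit 'Carol <carol@example.com>'         Eve   eve@umn.example.edu -m 'Refactor'     # committer match only
    _commit 'Carol <carol@example.com>'         Alice alice@example.com  -m 'Fix typo' \
            -m 'Signed-off-by: Trent <trent@umn.example.edu>'                               # trailer match only
    printf '%s\n' "$dir"
}

# Stand-alone usage: build the sample repo and audit it. Against a real
# repository, call audit_commits with its path and your own pattern, e.g.
# the '(wu000273|kjlu|@umn\.edu)' regex from the message above.
repo=$(make_sample_repo)
audit_commits "$repo" '@umn\.example\.edu'
printf 'flagged commits: %s\n' "$(count_flagged_commits "$repo" '@umn\.example\.edu')"
```

On the constructed repository the audit flags three commits where an author-only `git shortlog -sne HEAD | grep` reports one. Two practical notes when scripting this: pass explicit revisions (`HEAD` or `--all`) to `git shortlog`, because with no revisions and a non-terminal stdin it reads a log from stdin instead of the repository; and treat a hit as a starting point for reviewing the change itself, since an identity match only finds contributors who used the searched-for names and addresses.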