Open Source and information security mailing list archives
 
Message-ID: <20210506082616.GA20224@duo.ucw.cz>
Date:   Thu, 6 May 2021 10:26:16 +0200
From:   Pavel Machek <pavel@....cz>
To:     Kees Cook <keescook@...omium.org>
Cc:     linux-kernel@...r.kernel.org, Kangjie Lu <kjlu@....edu>,
        tech-board@...ts.linux-foundation.org
Subject: Re: Report on University of Minnesota Breach-of-Trust Incident

Hi!

> Report on University of Minnesota Breach-of-Trust Incident
> 
> 	or
> 
> "An emergency re-review of kernel commits authored by members of the
>  University of Minnesota, due to the Hypocrite Commits research paper."
> 
> May 5, 2021

Thanks for doing this. I believe the short summary is that there was some
deception from UMN researchers in 2020:

> 2020 August:
>   - "Hypocrite Commits" patches from UMN researchers sent to kernel developers
>     under false identities:
>     - Aug 4 13:36-0500
> 	https://lore.kernel.org/lkml/20200804183650.4024-1-jameslouisebond@gmail.com
>     - Aug 9 17:14-0500
> 	https://lore.kernel.org/lkml/20200809221453.10235-1-jameslouisebond@gmail.com
>     - Aug 20 22:12-0500
> 	https://lore.kernel.org/lkml/20200821031209.21279-1-acostag.ubuntu@gmail.com
>     - Aug 20 22:44-0500
> 	https://lore.kernel.org/lkml/20200821034458.22472-1-acostag.ubuntu@gmail.com
>     - Aug 21 02:05-0500
> 	https://lore.kernel.org/lkml/20200821070537.30317-1-jameslouisebond@gmail.com

But there was no deception from UMN in 2021. Yet, we were
spreading... let's say inaccurate information as late as this:

> 2021 April 29:
>   - Greg posts an update on the re-review along with some more reverts.
> 	https://lore.kernel.org/lkml/20210429130811.3353369-1-gregkh@linuxfoundation.org

# Commits from @umn.edu addresses have been found to be submitted in "bad
# faith" to try to test the kernel community's ability to review "known
# malicious" changes.

UMN apologized. Our reaction to their apology was:

https://lore.kernel.org/lkml/YIV+pLR0nt94q0xQ@kroah.com/#t

Do we owe them an apology, too?

Best regards,
									Pavel
-- 
http://www.livejournal.com/~pavelmachek
