Message-ID: <202105061042.E99B414F0A@keescook>
Date:   Thu, 6 May 2021 11:40:41 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Pavel Machek <pavel@....cz>
Cc:     linux-kernel@...r.kernel.org, Kangjie Lu <kjlu@....edu>,
        tech-board@...ts.linux-foundation.org
Subject: Re: Report on University of Minnesota Breach-of-Trust Incident

On Thu, May 06, 2021 at 10:26:16AM +0200, Pavel Machek wrote:
> Hi!
> 
> > Report on University of Minnesota Breach-of-Trust Incident
> > 
> > 	or
> > 
> > "An emergency re-review of kernel commits authored by members of the
> >  University of Minnesota, due to the Hypocrite Commits research paper."
> > 
> > May 5, 2021
> 
> Thanks for doing this. I believe the short summary is that there was some
> deception from UMN researchers in 2020:
> 
> > 2020 August:
> >   - "Hypocrite Commits" patches from UMN researchers sent to kernel developers
> >     under false identities:
> >     - Aug 4 13:36-0500
> > 	https://lore.kernel.org/lkml/20200804183650.4024-1-jameslouisebond@gmail.com
> >     - Aug 9 17:14-0500
> > 	https://lore.kernel.org/lkml/20200809221453.10235-1-jameslouisebond@gmail.com
> >     - Aug 20 22:12-0500
> > 	https://lore.kernel.org/lkml/20200821031209.21279-1-acostag.ubuntu@gmail.com
> >     - Aug 20 22:44-0500
> > 	https://lore.kernel.org/lkml/20200821034458.22472-1-acostag.ubuntu@gmail.com
> >     - Aug 21 02:05-0500
> > 	https://lore.kernel.org/lkml/20200821070537.30317-1-jameslouisebond@gmail.com
> 
> But there was no deception from UMN in 2021. Yet, we were
> spreading... let's say inaccurate information as late as this:
> 
> > 2021 April 29:
> >   - Greg posts an update on the re-review along with some more reverts.
> > 	https://lore.kernel.org/lkml/20210429130811.3353369-1-gregkh@linuxfoundation.org
> 
> # Commits from @umn.edu addresses have been found to be submitted in "bad
> # faith" to try to test the kernel community's ability to review "known
> # malicious" changes.

I would agree that the phrasing here is sub-optimal in that it could
more clearly separate a few related things (e.g. "malicious change" vs
"valid fix"). If I were writing this, I would have said something along
the lines of:

  Commits from UMN authors have been found to be submitted with intentional
  flaws to try to test the kernel community's ability to review "known
  malicious" changes. ...
  During review of all submissions, some patches were found to be
  unintentionally flawed. ...
  Out of an abundance of caution all submissions from this group must be
  reverted from the tree and will need to be re-reviewed again. ...

I would also note that in that thread Greg reviewed all the mentioned
patches, clearing all but two of them (which were duplicates to earlier
review).

> UMN apologized. Our reaction to their apology was:
> 
> https://lore.kernel.org/lkml/YIV+pLR0nt94q0xQ@kroah.com/#t
> 
> Do we owe them an apology, too?

I will defer to Greg on what he thinks his duties are there, but in
trying to figure out who "we" is, I'll just point out that I attempted
to clarify the incorrect assumptions about the intent of historical UMN
patches, and spoke for the entire TAB (Greg included) here:
https://lore.kernel.org/lkml/202104221451.292A6ED4@keescook/
The report repeated this in several places, and we explained our need
for due diligence.

-Kees

-- 
Kees Cook
