cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Grey hat "security research," Linux, and U of Minnesota

This is a big and messy fight, with a lot of points to make about how we should, and shouldn't, conduct security.

 

A particular program in the University of Minnesota Department of Computer Science and Engineering is run by professor Kangjie Lu. At least two students from this program, apparently with the knowledge of the professor, have been submitting what they refer to as "hypocrite commits" to the core Linux repository. (In other words, some form of malware, at least in terms of the code not being what it purports to be.)

This type of thing is not exactly new. We know of, and use, red team attacks, and pen tests of various types. No less a luminary than Fred Cohen initially thought that teaching students to write viruses could be beneficial (although he later change his mind when he found that the students weren't learning all that much about security from the exercise). The University of Calgary had a virus writing program at one time (with somewhat less control).

 

But this attempt, while addressing a slightly different aspect of the concept behind "Reflections on Trusting Trust" and supply chains, seems to have both fewer controls, and potentially much greater consequences (as well as a pretty massive disregard for the work of the Linux volunteers and users all over the world). The students involved seem to have offered some half-hearted apologies over the issue.

 

For more details:
https://nakedsecurity.sophos.com/2021/04/22/linux-team-in-public-bust-up-over-fake-patches-to-introd...
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/

 


The next VanTUG Security Series meeting (details of series: https://community.isc2.org/t5/C/V/m-p/42919 , meeting link for May 4th, 7 pm [PDT] meeting: https://is.gd/dA1c3O ) is on the topic of "Infosec Ethics," so this issue is a bit of a gift, and will be used as one of the main "case studies" for discussion.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468