The whole thing reads like what I see on some social platforms.
Here's the exchange between Aditya Pakki, who is a Ph.D. student of Computer Science and Engineering at UMN, and Greg Kroah-Hartman. Pakki had written:
Greg,
I respectfully ask you to cease and desist from making wild accusations that are bordering on slander.
These patches were sent as part of a new static analyzer that I wrote and it's sensitivity is obviously not great. I sent patches in the hopes to get feedback. We are not experts in the Linux kernel and repeatedly making these statements is disgusting to hear.
Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of doubt. I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and non experts.
To which Greg Kroah-Hartman has responded:
You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work.
Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?
They obviously were _NOT_ created by a static analysis tool that is of any intelligence, as they all are the result of totally different patterns, and all of which are obviously not even fixing anything at all. So what am I supposed to think here, other than that you and your group are continuing to experiment on the kernel community developers by sending such nonsense patches?
When submitting patches created by a tool, everyone who does so submits them with wording like "found by tool XXX, we are not sure if this is correct or not, please advise." which is NOT what you did here at all. You were not asking for help, you were claiming that these were legitimate fixes, which you KNEW to be incorrect.
A few minutes with anyone with the semblance of knowledge of C can see that your submissions do NOT do anything at all, so to think that a tool created them, and then that you thought they were a valid "fix" is totally negligent on your part, not ours. You are the one at fault, it is not our job to be the test subjects of a tool you create.
Our community welcomes developers who wish to help and enhance Linux. That is NOT what you are attempting to do here, so please do not try to frame it that way.
Our community does not appreciate being experimented on, and being "tested" by submitting known patches that either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.
Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.
*plonk*
that I wrote and it's sensitivity is obviously not great
On an almost complete non sequitur, is it really that hard for a PhD to spell "its" (possessive) correctly, rather than using "it's" (contraction of "it is")?
It is an easy mistake to make. Apostrophe s is also possessive when used with proper names, e.g. Fred's widget is correct usage. Words like "it", where 's is a contraction, are an exception to the rule, not the rule.
Ignoring the silly linguistic problem that English has with counting (pairs of) panties, some pedants like to wash their panties occasionally, making it useful to own a second pair. Or even more. All of which might be in a twist.
Even if you were to restrict it to the panties currently worn by the pedant: The occasional pedant may well be wearing more than one pair of panties at a time, possibly including a second pair for incontinence mitigation, and possibly including a second pair on the head.
Also, it's quite possible that Qiushi Wu and Kangjie Lu, the paper's authors, and Aditya Pakki, the person in the post, didn't grow up with English as their first language. I mean, just a wild guess there...
No, the only time it's an easy mistake is when autocorrect switches the intent, something that does happen and can be easy to miss. But when you're reading, the wrong form stands out. I have returned supposedly edited textbooks when I ran into this.
It's an easy mistake to make, but once corrected, it's also an easy mistake to remember not to make. What's more, all modern operating systems have some form of grammar checking that will reliably identify this mistake. Unless he wrote this comment on a Speccy, he at least had the option to verify its correctness, which, given that he was communicating in a professional environment, is something I would have expected of him.
Possibly a non-native speaker. Possibly someone who realizes that the point of language is to communicate and not to adhere to some prescriptive grammar rules. "Its" vs "it's" is a debate that was over a long time ago when people started using them both, largely interchangeably.
Math is racist? Wow, that's a new one on me, especially given that math is my profession. Language evolves. Largely due to cell phones, "its" and "it's" are interchangeable (it's a lot harder to type "it's" than "its"). This kind of evolution has been going on since language first existed.
I guess the point here is that if you use language to communicate, you're more effective if you use it correctly, particularly in a professional environment.
No, the point is that there is no definition of "correctly". At best there is language considered correct at some point in time. But language evolves, so what was correct yesterday, may not be correct tomorrow. Language has always evolved in this manner -- words change meaning, language gets simplified (e.g. subjunctives are no longer used), punctuation changes, etc, etc.
> On an almost complete non sequitur, is it really that hard for a PhD to spell "its" (possessive) correctly, rather than using "it's" (contraction of "it is")?
If we ignore the issue of people with dyslexia, who nowadays are allowed to advance in society and even get PhDs despite what you probably consider a severely crippling disability, the rhetorical question whether it's hard to get the its/it's distinction right makes little sense because for a lot of people this isn't the problem at all. In my experience,
Look at Jill Biden's "dissertation". You were saying? Not all PhDs are worthless, and of those that tend to be, it doesn't apply to all schools, but it is still a depressingly common state of being.
So technically speaking Jill Biden does not have a Ph.D. (I am in no way disparaging her degree by that comment). Her degree is an Ed.D., which can be awarded for professional work, not research. I have no idea which was her emphasis (research or professional).
Having been through a Ph.D. program, what I can say is that no one in my cohort, or the cohorts that I knew before me, did "easy" degrees, or just had to "stay in school longer". It's a rigorous and demanding process that changes the way you think
Did you seriously read a 100+ page dissertation just so you can make snide comments about its contents on the Internets? That's a very strange thing to do. Or did you not read it, and just decided to comment on it nevertheless? That would be an even stranger thing to do. Either way, your comment tells me a lot more about you than it does about people who have PhDs and still can't tell the difference between "its" and "it's" (which, coincidentally, Jill apparently can, judging by her dissertation, even thoug
Greg is Linus's designated successor. He's been taking over more and more of what Linus used to do.
Being Linus junior, I suspect he's not all THAT concerned about offending some college student who admits they intentionally tried to put bugs in the kernel.
How do you think his co-worker/mentor Linus Torvalds would have handled it?
How do you think his co-worker/mentor Linus Torvalds would have handled it?
Linus would have gone on a far longer and far less diplomatic rant. In effect, he would've ripped the guy a new one. It would've been the first time I thought his vitriol was warranted.
If you are going to do something like that, you should first contact an officer of the project you are going to send faulty patches to. Otherwise you can't tell the difference between bad actors and good actors. And you need traceability back to the bad commits to remove them afterward.
Agreed. This could have been a valuable research project if they had handled it correctly. But instead, they seemed to opt for the sleaziest way of handling things, with a "better to ask for forgiveness than for permission" attitude. After all, the maintainer might have said "no".
Now that this has come to light, maybe someone will be taking a closer look at the ethics board that rubber-stamped this idiocy. It deserves to be censured. Of course, given the apparently weak grasp on ethical behavior, maybe no one there will give a shit.
What's particularly disgusting to me is how the Ph.D. student turns around and *attacks* the kernel maintainers, accusing them of making false accusations and acting in an unfriendly and intimidating manner. I mean, damn, once the game is up, at least have the decency to acknowledge what you were doing, and apologize for any inconvenience. These people are without any shred of ethics, and deserve their ban. And the University of Minnesota deserves shame for allowing it to happen.
anyone remember all the talks and papers about "free software" really meaning "free to be as bad as you want it (software) to be"? Privilege without responsibility is a bitch.
Personally, I believe that's a bullshit cover story. I'm curious what makes you believe it. It was neatly taken apart by Greg Kroah-Hartman. That "static analysis" claim looked suspicious to him due to the varied nature of the issues "caught". Moreover, most static analysis doesn't fix issues automatically. And even then, they were actually introducing bugs? No one reviewed or caught the errors before submission? The developer in question is either negligent, incompetent, or lying. There's really no other choice here.
At the very least, being affiliated with a group that has intentionally introduced bugs in the Linux kernel, the burden falls on this student to demonstrate exactly how that particular static analysis tool found and subsequently introduced bugs, without any review that caught obvious errors being introduced. Let's see a reproduction of the process, which he should easily be able to do if this is a valid research project. Of course, if my suspicion is correct, there's no way he can do that.
Were I so accused, I would reproduce exactly how these mistakes occurred, and I'd be a hell of a lot more apologetic for introducing bugs instead of turning around and attacking the maintainer. Even if he were innocent, which I very much doubt, the kernel developers are well within their right to ban them on sheer incompetence or negligence. Imposing a public and embarrassing sanction against the entire university is the best way to prevent this sort of nonsense from happening again at a different university.
Nope, sorry. Not buying it for a nanosecond. The Linux kernel development community will do just fine without these guys.
Wow man, you are right. I guess they only get to pick from people who don't try to deliberately sneak bugged code into the kernel. Now that they have eliminated the bottom 100 of their millions of possible contributors, the Linux project is assuredly over.
I guess this ham-handed witch hunt will change the minds of far more than 100 students about whether they should have anything to do with the Linux kernel community, ever.
If those students are from the same ilk as this sorry bunch of malignant twits then that will be a very good thing. They should indeed have nothing to do with the Linux Kernel community, ever. The Linux Kernel community will be much better off without them.
You should stop digging the hole you are standing in any deeper, by the way. It is, although entertaining to watch, not doing you any good.
Unfortunately, pretty much everything you wrote is wrong.
GregKH claimed: "You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work."
Yes, GregKH claimed that, and it is an entirely factual statement. It bears noting that the very next sentence from GregKH in that same message is "Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?"
Funny how that sentence provides the actual context. I can see why you omitted it.
But Aditya Pakki in fact is in a different group, working to find and fix bugs via static analysis.
No, Aditya Pakki in fact is in the same group as Kangjie Lu (assistant professor) and Qiushi Wu (PhD student), authors of the paper mentioned by GregKH. Pakki claims to be working to find and fix bugs via static analysis, but there is no "group" at UMN doing that. It's just him.
Here [umn.edu] is professor Kangjie Lu's page at UMN. You will note that Aditya Pakki's name appears alongside Lu's as an author of four papers listed on Lu's page.
Just because Pakki wasn't a named author of the Lu/Wu paper doesn't mean he's not in the same group as Lu/Wu. He quite clearly is. They are all systems security researchers working under the same assistant professor on the same floor in the same building in the same academic department at UMN.
So that is already wrong, and directly accusing the student of malicious intent is very wrong.
In this message [kernel.org] on the mailing list, Leon Romanovsky says:
Yesterday, I took a look at 4 accepted patches from Aditya and 3 of them added various severity security "holes".
Those spurious "patches" don't include the patch Aditya Pakki submitted that reintroduced an old vulnerability and kicked off the entire shitstorm.
The original Lu/Wu paper was published months ago, and the linux devs made their displeasure known about the methods employed by the researchers. It completely stretches credulity to think that Pakki believed he wasn't doing anything wrong by pushing yet another bogus "patch" into the pipeline months later.
So I understand the student's reaction.
Your understanding is based on faulty assumptions/reasoning. Maybe you should try understanding the reactions of the expert devs whose valuable time was wasted by this "researcher".
Unfortunately, the student is now being hounded by an angry mob, apparently fired up by someone who should know better.
Uh huh. Are there linux devs hounding or harassing Pakki? What's your proof that Aditya Pakki is being hounded by anyone? Or is this just something you think might be happening?
IMO, the Linux development community has every right to be angry. These UMN "researchers" acted unethically and possibly criminally. If the only consequences they face as a result of their behavior are some nasty e-mails, they should consider themselves lucky.
Where does the Linux kernel community get its supply of new developers? Primarily from universities just like this one.
Now, what student is going to want to get anywhere near the kernel community?
Hopefully students will learn a valuable lesson from Aditya Pakki's actions and only contribute code that actually fixes bugs instead of introducing or reintroducing them for the purposes of their "research".
The Linux kernel community primarily gets its supply of new developers from industry.
Industry does not in general train kernel developers, the vast majority are hired straight out of school, having learned their kernel skills under enthusiasts like Kangjie Lu. Did I say enthusiast? Sorry, never mind, I meant ex-enthusiast. Neither industry nor the Linux kernel community can afford to burn bridges with the academic institutions of the world.
None of which is "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits".
So what? The UMN "group" is assistant professor Lu, 5 PhD students, 3 master's, and one undergrad. Aditya Pakki [github.io] and Qiushi Wu, [github.io] whose name IS on the paper, share the same damn office.
There is absolutely nothing inaccurate about GregKH saying they are in the same "group". You have to be severely mentally challenged to believe otherwise.
He said as much, but you have your fingers in your ears.
LOL! Fingers in my ears? Your head so far up your ass you have to peer through your navel to see anything at all, and your ears are so clogged with your own shit you
Now that this has come to light, maybe someone will be taking a closer look at the ethics board that rubber-stamped this idiocy. It deserves to be censured. Of course, given the apparently weak grasp on ethical behavior, maybe no one there will give a shit.
To be fair, I looked at the rules of my IRB at $LOCALINSTITUTION and it is not clear that this study would have been found to need IRB review at all, because the study would not collect personal confidential information that was not already publicly disclosed.
Maybe the scope of these ethics boards needs to be extended. But as stated, it is not clear that our board would have caught it.
Oh, it's worse than that. It's not good research if there are biases in the study that cannot be allowed for.
In other words, you cannot determine ahead of time the desirability or aversion to patches from UMinn, so it is not fully randomised. Since the level of aversion changes unpredictably with each faulty submission, you can't correct for it. As different projects do different levels of code review, and as you can't know the precise level any given patch gets, you can't make any generalized conclusion from this one attack.
So as a study, it's absolutely useless. It tells you nothing about the ability to insert malicious code into open source software. All it tells you is that someone involved was either a paid shill for a rival OS (and it's probably not going to be Theo) or that UMinn is simply not capable of credible research. This is Utah's Cold Fusion level of gross incompetence.
The one thing they might have got right, being a university, they got wrong. But at least they got the full set.
So as a study, it's absolutely useless. It tells you nothing about the ability to insert malicious code into open source software.
Well, they published it at S&P, so clearly it is a good study that has been thoroughly peer-reviewed.
I am actually in a mixed semi-sarcastic mode. On one hand, I believe you are right. On the other hand, S&P is indeed an A* (uber-top-tier) conference that is supposed to have competent reviewers.
Greg Kroah-Hartman, right to the throat on that one. A very good response to this kind of bullshit. The *plonk* at the end was just the icing on the cake.
Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of doubt
Note to anyone. Anything in bad faith means that "benefit of the doubt" is no longer an option for you. That's literally something applicable in legal proceedings as well as pretty much every social norm. Fuck this university with a firepole.
I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and non experts
No. You know what? The firepole is being too nice.
Oh come on. That's an asshole PhD student (and probably an asshole PhD advisor).
Although it apparently passed through IRB review, I am certain that no one else at the university understood what they were doing.
I mean, it usually takes people some back-and-forth with IRB to approve a study that involves a simple online survey or a study that asks people to come in and test a user interface and provide feedback.
Many many moons ago, I actually submitted a patch for a driver via Alan Cox... It was for the driver for the Apple/Farallon LocalTalk PC card, which was an 8 bit ISA card that allowed PC machines to connect to Apple LocalTalk networks. I was a complete noob and knew nothing about the kernel, but figured out this oddity in the driver that wasn't quite right. If I recall, it was a case of something being a "" comparison, rather than "=" or similar. Anyhow, it's my one contribution to the kernel, which is lon
A lot of newbs became experts after interacting with the kernel devs. I have fond memories of Alan Cox and his desire to share knowledge as much as possible.
The fact that the Linux kernel folks take the exact opposite attitudes to yours is one of the reasons Linux is a success. Back when i had more free time in my life, I saw some of the best known kernel devs of day get help from more senior kernel devs and taught how to do things the kernel way. I saw people taught good coding practice and also how to write secure code. Even Linus himself is much harder on people who should know better than newbies. In fact, the only time I've ever seen them react badly w
Whining about politics is neither necessary nor appropriate here.
My understanding is the Linux community does have standard practices for novices who want feedback on their own uncertain work. To push such things as genuine fixes of "something" without an accompanying analysis to explain their reasoning is unethical and unprofessional. Sadly, it fits the stereotype of people whose inferior skills make them unfit for industry, yet somehow they slip into academics.
Name checks out. Absolutely nothing to do with CoCs or 'SJWs'.
But throw some turds regardless, because you're an obsessive retard.
I've seen enough of the weaponization-of-rules crap invoked across a number of forums that I wanted to comment on it. I understand why it would be interpreted as flamebait, and fully expected my remarks to be modded as such; however, this was not my intention.
A certain subset of people will reach for whatever they can to achieve their aims and the second you have a rulebook you can expect it to also be leveraged. This is a universal constant across all manner of domains most notably sports where concepts like worki
But the 'research paper' was a success in having a very definite outcome. I bet they get an A - wait do they still give out grades or just participation trophies?
I'd like to see what ethics committee signed off on this. It's more likely this guy cut a few corners with his research methodology and deserves whatever happens as a result.
They know nothing about the risks of OSS. They failed to randomise variables. They failed to determine how biases vary according to stimulus, other than observing that they do. They failed to determine differences in code review practices between projects. There's no obvious methodology. There's no obvious baseline. There's no way of measuring degree of success. The experiment is unrepeatable. The hypothesis (if there even is one) is unfalsifiable.
For that, I'd want the supervisor forced to do six months hard labour as primary school janitor.
But the 'research paper' was a success in having a very definite outcome. I bet they get an A - wait do they still give out grades or just participation trophies?
They got an A+, actually.
S&P is a very competitive and prestigious conference with A* (uber-top-tier) ranking.
That's a pretty bad ethics violation, and a fairly reasonable response.
It might be a bit worse than that.
IANAL (or even a U.S. citizen), but they're in the U.S. so this https://www.law.cornell.edu/us... [cornell.edu] may be applicable.
"(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;"
If their problematic patches ended up in an actual production computer, this section of the Computer Fraud and Abuse Act might cause them trouble...
That would not qualify as "intentionally causes damage" unless you both get someone to run the code AND you exploit it. Otherwise, they just ran buggy code that otherwise works. It's not "intentionally leaves room for damage."
Sometimes, in the law, "intentional" is not used in the same way that laymen use it, e.g. if you "intentionally" did something, and a likely consequence of that was "causes damage" then you might actually be on the hook.
If you were an experimental psychologist working at a university who conducted an experiment on human participants without consent, you would very likely be fired (at best); probably fired, sued, and possibly charged criminally.
OTOH, if you're a computer scientist at the UMN you can conduct experiments on human participants without consent and everything is fine?
OTOH, if you're a computer scientist at the UMN you can conduct experiments on human participants without consent and everything is fine?
Nope. They just went around the rules to an amazing degree.
A regular form survey, even if the only personal information it requires is limited to things freely available on LinkedIn (name, job title, etc.), absolutely requires IRB approval.
Ethics???
Isn't that part of the motto of famous billionaires like Buffett and Gates? They were on a PBS series together with another billionaire, Soros.
The entire motto is: Ethics? We've heard of it.
Re: (Score:3, Insightful)
It is an easy mistake to make.
Bullshit.
Re: speaking of hypocrites (Score:2)
Not quite.
her .. hers
he .. hes .. his
it .. its
It is perfectly logical, although hes changed over the years.
(although hes and his sound the same, with older British accents)
Re: (Score:2)
who
girls
And don't even get me started on https://en.wikipedia.org/wiki/... [wikipedia.org]
It should be "Ph.D." (Score:2)
If you are going to quibble, quibble correctly.
Re:speaking of hypocrites (Score:5, Funny)
It is an easy mistake to make.
No its not.
Re: speaking of hypocrites (Score:2)
Ahem... Possessive plural would be:
pedants'
Just sayin'
Re: (Score:2)
I knew my post would get all the pedant's panties in a twist. LOL
Ahem... Possessive plural would be: pedants'
Why do you assume he's referring to more than one pedant?
The use of "all" would be redundant if they were talking about a single pedant.
Re: (Score:2)
As my father used to say, "Sometimes, a PhD just means you're a well educated idiot."
Re: (Score:2)
Other times it means you're not a very well-educated idiot.
Re: (Score:3)
We used to know them as "post hole diggers"
Re:speaking of hypocrites (Score:5, Funny)
On an almost complete non sequitur, is it really that hard for a PhD to spell "its" (possessive) correctly, rather than using "it's" (contraction of "it is")?
Its difficult.
Re: (Score:2)
Its an intentionally buggy spelling for research purposes!
Seriously, though, you'd expect programmers to be a lot more careful with their spelling, given how unforgiving compiler and interpreters are.
http://www.catb.org/~esr/faqs/... [catb.org]
Re: speaking of hypocrites (Score:2)
If they had not defended the PhD, it would never have been granted; it's a critical part of the process!
Re: speaking of hypocrites (Score:2)
Look at Jill Biden's "dissertation". You were saying? Not all PhDs are worthless, and of those that tend to be it doesn't apply to all schools, but it is still a depressingly common state of being.
Re: (Score:2)
So technically speaking Jill Biden does not have a Ph.D (I am in no way disparaging her degree by that comment). Her degree is an Ed.D, which can be awarded for professional work, not research. I have no idea which was her emphasis (research or professional).
Having been through a Ph.D. program, what I can say is that no-one in my cohort, or the cohorts that I knew before me, did "easy" degrees, or just had to "stay in school longer". It's a rigorous and demanding process that changes the way you think
Re:speaking of hypocrites (Score:5, Insightful)
Greg's not a subject of the university in question, is he?
He told the clown to fuck off in far more diplomatic terms than I would if I were in his place.
-jcr
Greg is Linus's successor (Score:3)
Greg is Linus's designated successor. He's been taking over more and more of what Linus used to do.
Being Linus junior, I suspect he's not all THAT concerned about offending some college student who admits they intentionally tried to put bugs in the kernel.
How do you think his co-worker/mentor Linus Torvalds would have handled it?
Re: (Score:1)
How do you think his co-worker/mentor Linus Torvalds would have handled it?
Something like this? [gfycat.com]
Re: (Score:2)
How do you think his co-worker/mentor Linus Torvalds would have handled it?
Linus would have gone on a far longer and far less diplomatic rant. In effect, he would've ripped the guy a new one. It would've been the first time I thought his vitriol was warranted.
Re:speaking of hypocrites (Score:5, Insightful)
If you are going to do something like that, you should first contact an officer of the project you are going to send faulty patches to. Otherwise you can't make the difference between bad actors and good actors. And you need traceability back to the bad commits to remove them afterward.
Re:speaking of hypocrites (Score:5, Insightful)
Agreed. This could have been a valuable research project if they had handled it correctly. But instead, they seemed to opt for the sleaziest way of handling things, with a "better to ask for forgiveness than for permission" attitude. After all, the maintainer might have said "no".
Now that this has come to light, maybe someone will be taking a closer look at the ethics board that rubber-stamped this idiocy. It deserves to be censured. Of course, given the apparently weak grasp on ethical behavior, maybe no one there will give a shit.
What's particularly disgusting to me is how the Ph.D. student turns around and *attacks* the kernel maintainers, accusing them of making false accusations and acting in an unfriendly and intimidating manner. I mean, damn, once the game is up, at least have the decency to acknowledge what you were doing, and apologize for any inconvenience. These people are without any shred of ethics, and deserve their ban. And the University of Minnesota deserves shame for allowing it to happen.
Re:speaking of hypocrites (Score:5, Insightful)
What's particularly disgusting to me is how the Ph.D. student turns around and *attacks* the kernel maintainers ...
I imagine the guy's thesis is on the line -- and *that's* what he cares about, not Linux or the patches per se.
Re:speaking of hypocrites (Score:4, Insightful)
Personally, I believe that's a bullshit cover story. I'm curious what makes you believe it. It was neatly taken apart by Greg Kroah-Hartman. That "static analysis" claim looked suspicious to him due to the varied nature of the issues "caught". Moreover, most static analysis doesn't fix issues automatically. And even then, they were actually introducing bugs? No one reviewed or caught the errors before submission? The developer in question is either negligent, incompetent, or lying. There's really no other choice here.
At the very least, being affiliated with a group that has intentionally introduced bugs in the Linux kernel, the burden falls on this student to demonstrate exactly how that particular static analysis tool found and subsequently introduced bugs, without any review that caught obvious errors being introduced. Let's see a reproduction of the process, which he should easily be able to do if this is a valid research project. Of course, if my suspicion is correct, there's no way he can do that.
Were I so accused, I would reproduce exactly how these mistakes occurred, and I'd be a hell of a lot more apologetic for introducing bugs instead of turning around and attacking the maintainer. Even if he were innocent, which I very much doubt, the kernel developers are well within their right to ban them on sheer incompetence or negligence. Imposing a public and embarrassing sanction against the entire university is the best way to prevent this sort of nonsense from happening again at a different university.
Nope, sorry. Not buying it for a nanosecond. The Linux kernel development community will do just fine without these guys.
Re: speaking of hypocrites (Score:2)
Wow man you are right I guess they only get to pick from people who don't try to deliberately sneak bugged code into the kernel. Now that they have eliminated the bottom 100 of their millions of possible contributors, the Linux project is assuredly over.
Re: (Score:1)
I guess this ham handed witch hunt will change the minds of far more than 100 students about whether they should have anything to do with the Linux Kernel community, ever.
If those students are from the same ilk as this sorry bunch of malignant twits then that will be a very good thing. They should indeed have nothing to do with the Linux Kernel community, ever. The Linux Kernel community will be much better off without them.
You should stop digging the hole you are standing in any deeper, by the way. It is, although entertaining to watch, not doing you any good.
Re: (Score:2)
Who in their right mind would now chart a computer science career that involves interacting with the Linux kernel community?
No one at the University of Minnesota, apparently.
Re:speaking of hypocrites (Score:4, Insightful)
GregKH claimed: "You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work."
Yes, GregKH claimed that, and it is an entirely factual statement. It bears noting that the very next sentence from GregKH in that same message is "Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?"
Funny how that sentence provides the actual context. I can see why you omitted it.
But Aditya Pakki in fact is in a different group, working to find and fix bugs via static analysis.
No, Aditya Pakki in fact is in the same group as Kangjie Lu (assistant professor) and Qiushi Wu (PhD student), authors of the paper mentioned by GregKH. Pakki claims to be working to find and fix bugs via static analysis, but there is no "group" at UMN doing that. It's just him.
Here [umn.edu] is professor Kangjie Lu's page at UMN. You will note that Aditya Pakki's name appears alongside Lu's as an author of four papers listed on Lu's page.
Just because Pakki wasn't a named author of the Lu/Wu paper doesn't mean he's not in the same group as Lu/Wu. He quite clearly is. They are all systems security researchers working under the same assistant professor in the same floor in the same building in the same academic department at UMN.
So that is already wrong, and directly accusing the student of malicious intent is very wrong.
In this message [kernel.org] on the mailing list, Leon Romanovsky says:
Those spurious "patches" don't include the patch Aditya Pakki submitted that reintroduced a old vulnerability and kicked off the entire shitstorm.
The original Lu/Wu paper was published months ago, and the linux devs made their displeasure known about the methods employed by the researchers. It completely stretches credulity to think that Pakki believed he wasn't doing anything wrong by pushing yet another bogus "patch" into the pipeline months later.
So I understand the student's reaction.
Your understanding is based on faulty assumptions/reasoning. Maybe you should try understanding the reactions of the expert devs whose valuable time was wasted by this "researcher".
Unfortunately, the student is now being hounded by an angry mob, apparently fired up by someone who should know better.
Uh huh. Are there linux devs hounding or harassing Pakki? What's your proof that Aditya Pakki is being hounded by anyone? Or is this just something you think might be happening?
IMO, the Linux development community has every right to be angry. These UMN "researchers" acted unethically and possibly criminally. If the only consequences they face as a result of their behavior are some nasty e-mails, they should consider themselves lucky.
Where does the Linux kernel community get its supply of new developers? Primarily from universities just like this one.
Yeah...you don't know what you're talking about. The Linux kernel community primarily gets its supply of new developers from industry. [linuxfoundation.org]
Now, what student is going to want to get anywhere near the kernel community?
Hopefully students will learn a valuable lesson from Aditya Pakki's actions and only contribute code that actually fixes bugs instead of introducing or reintroducing them for the purposes of their "research".
Re: (Score:1)
The Linux kernel community primarily gets its supply of new developers from industry.
Industry does not in general train kernel developers, the vast majority are hired straight out of school, having learned their kernel skills under enthusiasts like Kangjie Lu. Did I say enthusiast? Sorry, never mind, I meant ex-enthusiast. Neither industry nor the Linux kernel community can afford to burn bridges with the academic institutions of the world.
Re: (Score:3)
None of which is "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits".
So what? The UMN "group" is assistant professor Lu, 5 PhD students, 3 master's, and one undergrad. Aditya Pakki [github.io] and Qiushi Wu, [github.io] whose name IS on the paper, share the same damn office.
There is absolutely nothing inaccurate about GregKH saying they are in the same "group". You have to be severely mentally challenged to believe otherwise.
He said as much, but you have your fingers in your ears.
LOL! Fingers in my ears? Your head so far up your ass you have to peer through your navel to see anything at all, and your ears are so clogged with your own shit you
Re: (Score:2)
Now that this has come to light, maybe someone will be taking a closer look at the ethics board that rubber-stamped this idiocy. It deserves to be censured. Of course, given the apparently weak grasp on ethical behavior, maybe no one there will give a shit.
To be fair, I looked at the rules of my IRB board at $LOCALINSTITUTION and it is not clear that this study would have been found to need an IRB at all, because the study would not collect personal confidential information that was not already publicly disclosed.
Maybe the scope of these ethics boards needs to be extended. But as stated, it is not clear that our board would have caught it.
Re:speaking of hypocrites (Score:5, Insightful)
Oh, it's worse than that. It's not good research if there are biases in the study that cannot be allowed for.
In other words, you cannot determine ahead of time the desirability or aversion to patches from UMinn, so it is not fully randomised. Since the level of aversion changes unpredictably with each faulty submission, you can't correct for it. As different projects do different levels of code review, and as you can't know the precise level any given patch gets, you can't make any generalized conclusion from this one attack.
So as a study, it's absolutely useless. It tells you nothing about the ability to insert malicious code into open source software. All it tells you is that someone involved was either a paid shill for a rival OS (and it's probably not going to be Theo) or that the UMinn is simply not capable of credible research. This is Utah's Cold Fusion level of gross incompetence.
The one thing they might have got right, being a university, they got wrong. But at least they got the full set.
Re: (Score:2)
So as a study, it's absolutely useless. It tells you nothing about the ability to insert malicious code into open source software.
Well, they published it at S&P, so clearly it is a good study that has been thoroughly peer-reviewed.
I am actually in a mixed semi-sarcastic mode. On one hand, I believe you are right. On the other hand, S&P is indeed an A* (uber-top-tier) conference that is supposed to have competent reviewers.
Re:speaking of hypocrites (Score:4)
Damn.
Greg Kroah-Hartman, right to the throat on that one. A very good response to this kind of bullshit. The *plonk* at the end was just the icing on the cake.
Re: (Score:2)
Here's the exchange between Aditya Pakki, who is a Ph.D. student of Computer Science and Engineering at UMN, ...
"These patches were sent as part of a new static analyzer that I wrote and it's sensitivity is obviously not great ..."
So... a Ph.D. in CS from UMN is either really good or really, really bad.
Re: (Score:3)
Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of doubt
Note to anyone. Anything in bad faith means that "benefit of the doubt" is no longer an option for you. That's literally something applicable in legal proceedings as well as pretty much every social norm. Fuck this university with a firepole.
I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and non experts
No. You know what? The firepole is being too nice.
Re: (Score:2)
Fuck this university with a firepole.
Oh come on. That's an asshole PhD student (and probably an asshole PhD advisor).
Although it apparently passed through IRB review, I am certain that no one else at the university understood what they were doing.
I mean, it usually takes people some back-and-forth with IRB to approve a study that involves a simple online survey or a study that asks people to come in and test a user interface and provide feedback.
Re: speaking of hypocrites (Score:1)
Scientific advisor [umn.edu]
Re:speaking of hypocrites (Score:4, Insightful)
"Newbies and non-experts" have no business submitting anything any more than some random toddler.
They should be "intimidated" and stay in their lane for the very good reason they're not competent.
Re: (Score:3)
Many many moons ago, I actually submitted a patch for a driver via Alan Cox... It was for the driver for the Apple/Farallon LocalTalk PC card, which was an 8 bit ISA card that allowed PC machines to connect to Apple LocalTalk networks. I was a complete noob and knew nothing about the kernel, but figured out this oddity in the driver that wasn't quite right. If I recall, it was a case of something being a "" comparison, rather than "=" or similar. Anyhow, it's my one contribution to the kernel, which is lon
Re: (Score:2)
You don't sound like a noobie, and you also sound like an expert.
Re: (Score:2)
A lot of newbs became experts after interacting with the kernel devs. I have fond memories of Alan Cox and his desire to share knowledge as much as possible.
Re: (Score:2)
The fact that the Linux kernel folks take the exact opposite attitudes to yours is one of the reasons Linux is a success. Back when i had more free time in my life, I saw some of the best known kernel devs of day get help from more senior kernel devs and taught how to do things the kernel way. I saw people taught good coding practice and also how to write secure code. Even Linus himself is much harder on people who should know better than newbies. In fact, the only time I've ever seen them react badly w
Re: (Score:2)
Whining about politics is neither necessary nor appropriate here.
My understanding is the Linux community does have standard practices for novices who want feedback on their own uncertain work. To push such things as genuine fixes of "something" without an accompanying analyst to explain their reasoning is unethical and unprofessional. Sadly, it fits the stereotype of people whose inferior skills make them unfit for industry, yet somehow they slip into academics.
Of course, incompetence is the fig leaf to
Re: (Score:2, Insightful)
Name checks out.
Absolutely nothing to do with CoCs or 'SJWs'.
But throw some turds regardless, because you're an obsessive retard.
I've seen enough of the weaponization of rules crap invoked across a number of forums that I wanted to comment on it. I understand why it would be interpreted as and fully expected my remarks to be modded flame bait however this was not my intention.
A certain subset of people will reach for whatever they can to achieve their aims and the second you have a rulebook you can expect it to also be leveraged. This is a universal constant across all manner of domains most notably sports where concepts like worki
Re:speaking of hypocrites (Score:4, Interesting)
I'd like to see what ethics committee signed off on this. It's more likely this guy cut a few corners with his research methodology and deserves whatever happens as a result.
Re:speaking of hypocrites (Score:5, Insightful)
I assume by definite outcome you mean the ban.
Now, onto the academic side:
They know nothing about the risks of OSS.
They failed to randomise variables.
They failed to determine how biases vary according to stimulus, other than observing that they do.
They failed to determine differences in code review practices between projects.
There's no obvious methodology.
There's no obvious baseline.
There's no way of measuring degree of success.
The experiment is unrepeatable.
The hypothesis (if there even is one) is unfalsifiable.
For that, I'd want the supervisor forced to do six months hard labour as primary school janitor.
Re: (Score:2)
University janitors have it worse...
Re: (Score:3)
Yes, but that might contravene the prohibition on cruel and unusual punishment.
Re: (Score:1)
Community College janitor for a year. Because there's nothing like 8,000 guys jacking off all at once at 7 AM every day to deal with.
Re: speaking of hypocrites (Score:2)
So what you're saying is they're still in a better position scientifically speaking than 99.999% of the papers coming out of the sociology department.
Re: (Score:2)
But the 'research paper' was a success in having a very definite outcome. I bet they get an A - wait do they still give out grades or just participation trophies?
They got an A+, actually.
S&P is a very competitive and prestigious conference with A* (uber-top-tier) ranking.
Re:speaking of hypocrites (Score:5, Interesting)
That's a pretty bad ethics violation, and a fairly reasonable response.
It might be a bit worse than that. IANAL (or even a U.S. citizen), but they're in the U.S. so this https://www.law.cornell.edu/us... [cornell.edu] may be applicable. "(5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;" If their problematic patches ended up in an actual production computer, this section of the Computer Fraud and Abuse Act might cause them trouble...
Re: (Score:2)
That would not qualify as "intentionally causes damage" unless you both get someone to run the code AND you exploit it. Otherwise, they just ran buggy code that otherwise works. It's not "intentionally leaves room for damage."
Re: (Score:2)
I agree, it was probably only wire fraud
Re:human science researchers would be fired (Score:3, Insightful)
If you were an experimental psychologist working at a university who conducted an experiment on human participants without consent, you would very likely be fired (at best); probably fired, sued, and possibly charged criminally.
OTOH, if you're a computer scientist at the UMN you can conduct experiments on human participants without consent and everything is fine?
Buggy software. (Score:2)
OTOH, if you're a computer scientist at the UMN you can conduct experiments on human participants without consent and everything is fine?
Already have that. They're called...beta testers.
Re: (Score:2)
OTOH, if you're a computer scientist at the UMN you can conduct experiments on human participants without consent and everything is fine?
Nope. They just went around the rules to an amazing degree.
A regular form survey, even if the only personal information it requires is limited to things freely available on LinkedIn (name, job title, etc.) absolutely requires an approval by IRB.
Re: (Score:2)
Isn't that part of the motto of famous billionaires like buffet and gates, they were on a pbs series together w/another billionaire, soros?
The entire motto is: Ethics? We've heard of it.