The first rule of pentesting is to get goddamn permission before you exploit something. Come to think of it, what they did is probably federally illegal under computer abuse law.
Here’s their response:
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
And paper:
https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
Judge for yourself, but I definitely don’t think it’s a good look.
University of Minnesota issued a statement: https://cse.umn.edu/cs/statement-cse-linux-kernel-research-april-21-2021
Probably a good idea to subscribe to this issue: https://github.com/QiushiWu/qiushiwu.github.io/issues/1
An entire institution banned thanks to these guys.
Sounds kinda excessive and at the same time adequate.
I imagine they don’t want the possibility of the researcher just getting a new academic email and continuing to do it. Also, it forces the university to react since the researcher clearly isn’t willing to stop judging by their responses.
I’ve been reading the messages and it’s totally embarrassing, i can’t believe someone is messing with a kernel installed on thousands of millions of devices just to create an academic paper.
TWICE, they were trying to do it AGAIN.
Sounds like a reasonable response to a bad faith actor.
I have no idea what happened, I just know it was brutal. Damn.
deleted by creator
Link tells whole story. They submitted buggy patches to see how devs would react and published a paper on it. Now, they submitted buggy patches again.
So they were being either extremely stupid or extremely rotten by keeping giving the kernel devs more work debugging bad code?
Giving other work and making them look bad if they fail to spot errors to personal academic gains. Yes, extremely rotten.
Don’t know how ethics committees work on US, but this is the thing that should never be allowed to pass them.
deleted by creator
No problem, mate.
Removed by mod
Tell me this didn’t go live and get installed on anyone’s system
I’m guessing they’re forcing the hand of the university to do something about it, and then will unban the university except the few who worked on the patches.
They don’t want to bother investigating/punishing so they expect the university to do it for them.
It would seem unfair to ban the whole university forever.
