← Back to context

Comment by motohagiography

4 years ago

On the other thread, I suggested this was an attack on critical infrastructure using a university as cover and that this was a criminal/counter-intellgence matter, and then asked whether any of these bug submitters also suggested the project culture was too aggressive and created an unsafe environment, to reduce scrutiny on their backdoors.

Talk about predictive power in a hypothesis.

13 comments

motohagiography

Reply
CoolGuySteve  4 years ago

Given its ubiquity in so many industries, tampering with Linux kernel security sounds an awful lot like criminal sabotage under US law.

Getting banned from contributing is a light penalty.

  • _n_b_  4 years ago

    > criminal sabotage under US law

    It is pretty comfortably not sabotage under 18 USC 105, which requires proving intent to harm the national defense of the United States. Absent finding an email from one of the researchers saying "this use-after-free is gonna fuck up the tankz," intent would otherwise be nearly impossible to prove.

    • dragonwriter  4 years ago

      > It is pretty comfortably not sabotage under 18 USC 105, which requires proving intent to harm the national defense of the United States.

      Presumably, this reference is intended to be to 18 USC ch. 105 (18 USC §§ 2151-2156). However, the characterization of required intent is inaccurate; the most relevant provision (18 USC § 2154) doesn’t require intent if the defendant has “reason to believe that his act may injure, interfere with, or obstruct the United States or any associate nation in preparing for or carrying on the war or defense activities” (emphasis added) during either a war or declared national emergency.

      It wouldn’t take much more than showing evidence that the defendant was aware (or even was in a position likely to be exposed to information that would make him aware) that Linux is used somewhere in the defense and national security establishment to support the mental state aspect of the offense.

      https://www.law.cornell.edu/uscode/text/18/2154

    • LinuxBender  4 years ago

      Intent would be hard to prove without emails / chat conversations for sure. As for damages, Linux is used by DoD, NASA and a myriad of other agencies. All the 2 and 3 letter agencies use it. Some of them contribute to it.

    • rvba  4 years ago

      If congress wasn't full of old people who don't understand computers, that university professor could spend years in jail or be executed for treason.

andrewzah  4 years ago

"I suggested this was an attack on critical infrastructure using a university as cover and that this was a criminal/counter-intellgence matter"

There is absolutely zero evidence of this. None. In my opinion it's baseless speculation.

It's far more likely that they are upset over being called out, and are out of touch with regards as to what is ethical testing.

  • mratsim  4 years ago

    Sure, don't attribute to malice what can be attributed to ignorance. But you have to admit that backdooring Linux would be huge and worth billions.

    • webinvest  4 years ago

      Yes, Hanlon’s razor is apt but if you read TFA, you can see heavy amounts of both malice and ignorance.

      From TFA: “The UMN had worked on a research paper dubbed "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits". Obviously, the "Open-Source Software" (OSS) here is indicating the Linux kernel and the University had stealthily introduced Use-After-Free (UAF) vulnerability to test the susceptibility of Linux.”

  • SuoDuanDao  4 years ago

    GP had a hypothesis and made a prediction based on it. The prediction turned out to be right. What more do you want?

    • andrewzah  4 years ago

      I want proof that the motive was in any way, shape, or form, related to or sponsored by a foreign government under the cover of university research. Not speculation based -solely- on the nationality or ethnicity of the accused.

      2 replies →