Comment by fossuser
4 years ago
I hope they take this bad publicity and stop (rather than escalating stupidity by using non-university emails).
What a joke - not sure how they can rationalize this as valuable behavior.
It was a real world penetration test that showed some serious security holes in the code analysis/review process. Penetration tests are always only as valuable as your response to them. If they chose to do nothing about their code review/analysis process, with these vulnerabilities that made it in (intentional or not), then yes, the exercise probably wasn't valuable.
Personally, I think all contributors should be considered "bad actors" in open source software. NSA, some university mail address, etc. I consider myself a bad actor, whenever I write code with security in mind. This is why I use fuzzing and code analysis tools.
Banning them was probably the correct action, but not finding value requires intentionally ignoring the very real result of the exercise.
I agree. They should take this as a learning opportunity and see what can be done to improve security and detect malicious code being introduced into the project. What's done is done, all that matters is how you proceed from here. Banning all future commits from UMN was the right call. I mean it seems like they're still currently running follow up studies on the topic.
However I'd also like to note that in a real world penetration test on an unwitting and non-consensual company, you also get sent to jail.
Everybody wins! The team get valuable insight on the security of the current system and unethical researchers get punished!
A non-consensual pentest is called a "breach". At that point it's no longer testing, just like smashing a window and entering your neighbour's house is not a test of their home security system but just breaking and entering.
A real world penetration test is coordinated with the entity being tested.
Yeah - and usually stops short of causing actual damage.
You don't get to rob a bank and then when caught say "you should thank us for showing your security weaknesses".
In this case they merged actual bugs and now they have to revert that stuff which depending on how connected those commits are to other things could cost a lot of time.
If they were doing this in good faith, they could have stopped short of actually letting the PRs merge (even then it's rude to waste their time this way).
This just comes across to me as an unethical academic with no real valuable work to do.
The result is to make sure not to accept anything with the risk of introducing issues.
Any patch coming from somebody having intentionally introduced an issue falls into this category.
So, banning their organization from contributing is exactly the lesson to be learned.
I agree, but I would say the better result, most likely unachievable now, would be to fix the holes that required a human's feelings to ensure security. Maybe some shift towards that direction could result from this.
Next time you rob a bank, try telling the judge it was a real world pentest. See how well that works out for you.
> It was a real world penetration test that showed some serious security holes in the code analysis/review process.
So you admit it was a malicious breach? Of course it isn't a perfect process. Everyone knows it isn't absolutely perfect. What kind of test is that?
What exactly did they find?