As an alumnus of the University of Minnesota's program I am appalled this was even greenlit. It reflects poorly on all graduates of the program, even those uninvolved. I am planning to email the department head with my disapproval as an alumnus, and I am deeply sorry for the harm this caused.


I am wondering if UMN will now get a bad name in Open Source and any contribution with their email will require extra care.

And if this escalates to MSM media it might also damage future employment status for UMN CS students.

Edit: Looks like they made a statement. https://cse.umn.edu/cs/statement-cse-linux-kernel-research-a...


> Leadership in the University of Minnesota Department of Computer Science & Engineering learned today about the details of research being conducted by one of its faculty members and graduate students into the security of the Linux Kernel.

- Signed by “Loren Terveen, Associate Department Head”, who was a co-author on numerous papers about experimenting on Wikipedia, as pointed out by: https://news.ycombinator.com/item?id=26895969


Their name is not in the author list for the paper.

Edit: Parent comment originally referenced the paper that caused this mess.


Yep, sorry, I double-checked and edited it quickly. Sorry about that!


It should. Ethics begins at the top, and if the university has shown itself to be this untrustworthy then no trust can be had on them or any students they implicitly endorse.

As far as I'm concerned this university and all of its alumni are radioactive.


Their graduates have zero culpability here (unless they were involved). Your judgement of them is unfair.


> Their graduates have zero culpability here

It's not about guilt, it's about trust. They were trained for years in an institution that violates trust as a matter of course. That makes them suspect and the judgement completely fair.


Lots of universities have had scandals. I could probably dig one up from your alma mater. They're big places with long histories. Collective punishment achieves little productive and should be avoided.


It's not about collective punishment. Universities sell reputation, both good and bad. It just so happens that they sold bad reputation.


Collective punishment is a clear and unilateral signal that something is extremely wrong and not within the punisher's power to unwind properly (or prevent in the future). Until it's clear that this university can be trusted, they should not be. I would feel the same about any schools that I attended, and I would not have issues with blanket bans for them either if this was the kind of activity they got up to.


> They were trained for years in an institution that violates trust as a matter of course.

"As a matter of course" is a big leap here.


Their graduates might not have been directly involved, but it's not possible to ignore that those graduates were the product of an academic environment where this kind of behavior was not only sanctioned from the top but also defended as an adequate use of resources.


Adequate use of resources seems like a bizarre reasoning. Do you also evaluate how a candidate's alma mater compensates its football staff before you hire?


you actually believe that all of those adult engineers can't decide on their own?

you think students believe in everything that profs do/say?


This is only slightly better than judging from the skin color or location of birth.


Isn't academics part of how you are evaluating a candidate for a job?


That's a bit much, surely. I think the ethics committee probably didn't do a great job in understanding that this was human research.


Ok...then is everybody who graduated from MIT radioactive, even if they graduated 50 years ago, since Epstein has been involved?

Your logic doesn't make ANY sense.


It makes perfect sense once you realize that universities are in the business of selling reputation.

When someone graduates from the university, that is the same as the university saying "This person is up to our standards in terms of knowledge, ethics and experience."

If those standards for ethics are very low, then it naturally taints that reputation they sold.


no, when somebody graduates from X school, then it means he was capable of either passing or cheating on all exams.


Why is the university where you put the line? You could as well say every commit coming from Minnesota is radioactive or, why not, from the US.

It is unfair to judge a whole university for the behavior of a professor or a department. Although I'm far from having all the details, it looks to me like the university is taking the right measures to solve the problem, which they acknowledge. I would understand your position if they tried to hide this or negated it, but as far as I understood that's not the case at all. Did I miss something?


Linux kernel is blocking contributions from the university mail addresses, as this attack has been conducted by sending patches from there.

It doesn't block patch submissions from students of professors using their private email, since that assumes they are contributing as individuals, and not as employees or students.

It's as close as practically possible to blocking an institution and not the individuals.


I think that is a reasonable measure by the LK team. In my opinion, it is the right solution in the short term, and the decision can be revised if in the future some student or someone else has problems submitting non-malicious patches. But I was specifically referring to this comment:

> As far as I'm concerned this university and all of its alumni are radioactive.

That is not a practical issue, but a too broad generalization (although, I repeat, I may have missed something).


I don't read it like this. Alumni and students are not banned from contributing, as long as they use their private emails. It's the university email domain that is "radioactive". The assumption here is that someone who uses university email is submitting a patch on behalf of the said university, and that may be in bad faith. It's up to the said university to show they have controls in place and that they are trustworthy.

It's the same as with employees. If I get a patch request from xyz@ibm.com I'll assume that it comes from IBM, and that person is submitting a patch on behalf of IBM, while for a patch coming from xyz@gmail.com I would not assume any IBM affiliation or bias, but assume person contributing as an individual.


> Alumni and students are not banned from contributing, as long as they use their private emails. It's the university email domain that is "radioactive".

That's not what the comment I was responding to said. It was very clear: "As far as I'm concerned this university and all of its alumni are radioactive". It does not say every kernel patch coming from this domain is radioactive, it clearly says "all of its alumni are radioactive".

You said before that alumni from the university could submit patches with their private emails, but according to what djbebs said, he would not. Do we agree that this would be wrong?


What if the same unethical people who ran the study submit patches from their gmail accounts?


That seems to me like an unjustified and unjust generalization.


I think current context of the world as it is is full of unjustified and unjust generalization.

And as unfortunate as it sounds, it looks like, like all victims of such generalization, the alumni would have to fight the prejudice associated with their choice of university.


That's a ridiculously broad assertion to make about the large number of staff and students who've graduated or are currently there, that is unwarranted and unnecessarily damaging to people who've done nothing wrong.


By that logic, whenever data is stolen I will blame the nearest Facebook employee or ex-employee.

And any piss I find, I will blame on Amazon


That's a witch hunt, and is not productive. A bad apple does not spoil the bunch, as it were. It does reflect badly on their graduate program to have retained an advisor with such poor judgement, but that isn't the fault of thousands of other excellent graduates.


It's discomforting to see the "bad apple" metaphor being used to say "isolated instance with no influence to its surroundings".

That is the exact opposite of how rot in a literal bunch of apples behaves. Spoil spreads throughout the whole lot very, very quickly.


Also the common phrase is “a bad apple spoils the bunch.”


Both variations are common. "It was just a few bad apples" is the one you more often see today. But it only became common after refrigeration made it so that few people now experience what is required to successfully pack apples for the winter.


Undoubtedly I am in the minority here, but I think it's less a question of ethics, and more a question of bad judgement. You just don't submit vulnerabilities into the kernel and then say "hey, I just deliberately submitted a security vulnerability".

The chief problem here is not that it bruises the egos of the Linux developers for being psyched, but that it was a dick move whereby people now have to spend time sorting this shit out.

Prof Liu miscalculated. The Linux developers are not some randos off the street where you can pay them a few bucks for a day in the lab, and then they go away and get on with whatever they were doing beforehand. It's a whole community. And he just pissed them off.

It is right that Linux developers impose a social sanction on the perpetrators.

It has quite possibly ruined the student's chances of ever getting a PhD, and earned Liu a rocket up the arse.


> it's less a question of ethics, and more a question of bad judgement.

I disagree. I think it's easier to excuse bad judgment, in part because we all sometimes make mistakes in complicated situations.

But this is an example of experimenting on humans without their consent. Greg KH specifically noted that the developers did not appreciate being experimented on. That is a huge chasm of a line to cross. You are generally required to get consent before experimenting on humans, and that did not happen. That's not just bad judgment. The whole point of the IRB system is to prevent stuff like that.


Ah, so people do actually use the expression backwards like that. I had seen many people complain about other people saying “just a few bad apples”, but I couldn’t remember actually seeing anyone use the “one/few bad apple(s)” phrase as saying that it doesn’t cause or indicate a larger problem.


> A bad apple does not spoil the bunch, as it were.

What? That's exactly how it works. A bad apple gives off a lot of ethylene which ripens (spoils) the whole bunch.


Ethylene comes from good apples too and is not a bad thing. The thing that bad apples have that spoils bunches is mold.


How not to get tenure 101


Based on my time in a university department you might want to cc whoever chairs the IRB or at least oversees its decisions for the CS department. Seems like multiple incentives and controls failed here, good on you for applying the leverage available to you.


I'm genuinely curious how this was positioned to the IRB and if they were clear that what they were actually trying to accomplish was social engineering/manipulation.

Being a public university, I hope at some point they address this publicly as well as list the steps they are (hopefully) taking to ensure something like this doesn't happen again. I'm also not sure how they can continue to employ the prof in question and expect the open source community to ever trust them to act in good faith going forward.


first statement + commentary from their associate department head: https://twitter.com/lorenterveen/status/1384954220705722369


Wow. Total sleazeball. This appears to not be his first time with using unintentional research subjects.

Source:

https://scholar.google.com/scholar?hl=en&as_sdt=0%2C22&q=Lor...

This is quite literally the first point of the Nuremberg code research ethics are based on:

https://en.wikipedia.org/wiki/Nuremberg_Code#The_ten_points_...

This isn't an individual failing. This is an institutional failing. This is the sort of thing which someone ought to raise with OMB.

He literally points to how Wikipedia needed to respond when he broke the rules:

https://en.wikipedia.org/wiki/Wikipedia:What_Wikipedia_is_no...


As far as I can tell, the papers he co-authored on Wikipedia were unlike the abuse of the kernel contribution process that started last year in that they did not involve active experiment, but passive analysis of contribution history.

Doesn't mean there aren't ethical issues related to editors being human subjects, but you may want to be more specific.


I didn't see any unethical work in a quick scan of the Google Scholar listing. I saw various works on collaboration in Wikipedia.

What did you see that offended you?


You realise that the GP went through the trouble to point out that research on people should involve consent, and that they [Wikipedia] needed to release a statement saying this. What does that tell you about the situation that gave rise to that statement?


Got it, and @Tobu's comment describes the issue perfectly. Thanks!


They claim they got the IRB to say it's IRB-exempt.


Which would suggest the IRB’s oversight is broken in that institution somehow, right?


Well, the University of Minnesota managed to escape responsibility after multiple suicides and coercion of subjects of psychiatric research. From one regent: “[this] has not risen to the level of our concern”.

https://www.startribune.com/markingson-case-university-of-mi...


Wow, very interesting read (not finished yet though), thank you. To me, this seems like it should be considered as part of UMN's trustworthiness as a whole and completely validates GKH's decision (not that any was needed).


A lot of IRBs are a joke.

The way I've seen Harvard, Stanford, and a few other university researchers dodge IRB review is by doing research in "private" time in collaboration with a private entity.

There is no effective oversight over IRBs, so they really range quite a bit. Some are really stringent and some allow anything.


>It reflects poorly on all graduates of the program

How does it?

