Tutorial 7 Activities

Activities

Task 1: Linux Kernel Vulnerability Testing

In 2021, there was an interesting case study directly related to transparency - in a piece of software that MANY of us use on a daily basis!

An article by Monica Chin (2021) for The Verge, detailing the entire case study, is provided as an optional reading here.

A synopsis is provided here for your convenience, with quotes where necessary:

The Linux kernel is “at a basic level, the core of any Linux operating system”. Think of it as the low-level technical system software used in Linux devices, which also includes, say, Android phones.

Now, “The kernel is open-source, meaning its millions of lines of code are publicly available for anyone to view and contribute to” - which means it is good for transparency; as it can be audited by professionals, and any issues or improvements to the code can be submitted for review and inclusion in the next version.

Because of the complexity (and widespread use) of the kernel, “A submission needs to pass through a large web of developers and ‘maintainers’… before it ultimately ends up in the mainline [code] repository… goes through a long testing period before eventually being incorporated into the “stable release,” which will go out to mainstream operating systems”. In short, “It’s a rigorous system designed to weed out both malicious and incompetent actors”.

However, researchers at the University of Minnesota have been “able to introduce vulnerabilities into the Linux kernel by submitting patches that appeared to fix real bugs but also introduced serious problems… The explicit goal of this experiment, as the researchers have since emphasized, was to improve the security of the Linux kernel by demonstrating to developers how a malicious actor might slip through their net.”

In other words, to demonstrate the security vulnerabilities in the overall process of Linux kernel development, the researchers introduced pieces of code which themselves are a potential security vulnerability to the system!

As a result:

From the Linux developers: This has wasted genuine researchers time to remove “190 submissions from Minnesota affiliates [and]… 68 couldn’t be reverted but still needed manual review”. The entire University of Minnesota has been banned from contributing to future code (due to an email address blanket ban).

The overall issue here is summarized by Chin (2021): “From the University of Minnesota researchers’ perspective, they didn’t set out to troll anyone — they were trying to point out a problem with the kernel maintainers’ review process. Now the Linux community has to reckon with the fallout of their experiment and what it means about the security of open-source software.”

Exercise

Discuss in your groups:

• were the processes and decisions the researchers undertook (i.e. introducing problematic, and potentially dangerous code into an actual piece of software in common use) ethical?

• did the intended objective of the research justify the actions taken? (i.e. University of Minnesota researchers claim that their outcomes were for the betterment of the overall security of the Linux kernel development process)

• were the actions to ban the University of Minnesota for future participation justified?

Task 2: Facebook Ads

Facebook, the social media tech giant, does customise and tailor advertising according to their target audience.

Consider any one of the following news articles.

In the interest of time, we recommend dividing the news articles to be read across your group, as they may take up to 10 minutes each to read.

• CNBC: “How to control and limit the ads Facebook shows you” (Salvador Rodriguez, 2019)

• Washington Post: “Facebook will now show you exactly how it stalks you — even when you’re not using Facebook” (Geoffrey A. Fowler, 2020)

• CNET: “Facebook can see your web activity. Here’s how to stop it” (Katie Conner, 2020)

These articles illustrate the features Facebook uses to target advertising to users. For example, if I looked up sites about cars (which use Facebook advertising), or ‘liked’ pages about cars on Facebook, or if I used an app for buying cars - it is likely that I will see further ads about cars in my Facebook feed.

Exercise

Discuss in your groups:

• do you think Facebook has been transparent to users (like yourself) that these ad technologies are used behind the scenes? Do you know this is happening, and to what extent?

• what are your reactions when you found out about the extent of the tracking by social media companies? Does it surprise you at all?

• is it ethical / legal for these companies to retain that much information?

Optional task in your own time. Not assessed.

If you’re interested and have a Facebook account, review the recommendations by the news sites above on how you can optimise your settings for maximum privacy.

Note

As always, post your answers on the forum discussion.