
This is a great statement, they confirm they're aware of the issue, they acknowledge the concerns and they set out their intention to gather the full facts whilst suspending the operation of the research in the meantime. They also acknowledge the systematic way they need to deal with this.

I hope their follow-up is as thorough but I want to applaud this, it's a good approach.



This statement rings true because it is the wordsmith'd version of exactly what the department head probably said when he first heard, which probably went something like "what the f*k did you do, who the f*k thought this was a good idea, and who the f*k told you you could do this?"


Yeah, I thought the same thing. This is basically someone yelling in an office put through a diplomacy filter, which is what you would expect happened.


I'm pretty sure the biggest program at UMN is Social Sciences. Conducting research experiments on unwitting subjects (the kernel maintainers) is a huge ethics violation.

I can only imagine the other department heads screaming at the head of the, relatively speaking, small CS department.


When I was in grad school for a branch of social sciences, we had a whole class on how to conduct research experiments on unwitting subjects. It's something that social scientists do all the time.

(Tangentially, it's something that computer people do even more often, and probably with fewer ethics controls. A/B testing, for one prominent example.)

But it's typically only allowed when it's clear that the risk of harm to the participants is pretty much negligible. Which is clearly not the case here. As others have said, it's probably the case that the reason this got past the IRB is not because the research was clandestine, but because the team lied about how it might affect people. And probably also, I'm guessing, the IRB had their guard down because they weren't expecting that particular department to be conducting social science field experiments.


It is a good statement, and I believe they'll follow through, but it's missing something important that is often missing from otherwise professional communication.

The last line is "We will report our findings back to the community as soon as practical." It should be followed by "and we will provide an update in no more than 30 days".

Without any explicit time frame, holding them publicly accountable becomes trickier. At any point they can just say "we're still investigating" until enough time has passed people aren't paying attention any more.

Note that the companies that do ongoing incident updates on status sites best all do this -- "We will provide an update by 10:30pm PST".


> The last line is "We will report our findings back to the community as soon as practical." It should be followed by "and we will provide an update in no more than 30 days".

I don't really think this is a worthwhile distinction. Personally, it comes off as trying to nanny a process that involves the Linux kernel maintainers and UMN Admins. There's a ban on UMN, probably until they show they can head off ethical issues. The public doesn't need to be sitting around demanding an update in 30 days or less. They'll act when they have confidence in their facts and the outcome, and the Linux community will undoubtedly act in kind.


I disagree. The associate department head named in the statement linked it on Twitter, immediately following up his comments with

> I very much welcome feedback from the participants who brought this to our attention: that's why I tagged @gregkh . Obviously, we would appreciate any guidance as to how we can get the Univ. of Minnesota contribution ban lifted.

This is pretty clearly one of their main interests in moving fast here. https://twitter.com/lorenterveen/status/1384954220705722369


What's your interest in "fast" here?


I don't understand the question. By fast I mean that they had a statement up on the website within 24 hours and the associate head of the department is already pinging members of the kernel team on Twitter to ask how they can get unbanned. That's moving very quickly by academic standards.


> At any point they can just say "we're still investigating" until enough time has passed people aren't paying attention any more.

They need to act to get the ban rescinded, they can't just ignore this issue away.


> They need to act to get the ban rescinded, they can't just ignore this issue away.

I doubt that - in the other thread, someone noted that the last non-hostile kernel contribution from @umn.edu was in 2014. I don't think they are champing at the bit to get legit kernel contributions merged - or at least haven't in the past 7 years. At this point, it is purely a reputation/PR problem with little urgency - the ban is not blocking anyone's work at the university (except for the suspended research project)


The real urgency is they need to protect their reputation. So long as they do a proper investigation and take proper action they can spin this as a rouge professor and be forgiven. We as a community should give them time to investigate and figure out how to handle and prevent this, and then if done correctly forgive them. If they make this statement and then there is no action within a year, then we should assume this is a token attempt to sweep things under the rug and continue with more bans.

For now I'll accept their apology, but if there is no action in the future I'll retract that.


bluGill says: "...rouge professor? "


It's a common misspelling, and I find it particularly grating (that, and "tounge" *shivers*). However, I've been getting better at reflexively requesting corrections as I also have some words I constantly misspell.


Well ya know you have to find out the details to make a decision, no? Snap decisions are almost always wrong until you know the facts, not just one side, but all sides. This is the same shit that happens in the 24/7 news cycle "now now now"


I agree, that's why in this case (as I say in my post) I believe they'll follow through.


As the pressure is already on them to rectify the situation, there's no need for an artificial deadline. It adds nothing, but could delay their announcement or force them to publish an incomplete response.


"and we admit that a full accounting for these actions is necessary before our ban is rescinded" is a valid (albeit even less common) form of making sure that they are held accountable. Nonetheless, it is important that the accused admits it.

The common case today is that admitting you are due to account for your actions is the same as admitting that you are at fault. I have been denied jobs because I have admitted to being accountable for my decisions, whereas I got the distinct impression had I simply not accounted for them they wouldn't have cared.


It is a good PR statement, but it doesn't touch on any of the Linux Kernel community's concerns. It makes no commitment to working with the community or, like you said, provide any kind of explicit time frame.

Instead, the statement is there to prevent journalists from putting "UMN puts the entire internet at risk" on their front page. Instead, it frames the incident into a boring "Students offended the Linux Kernel community while trying to help out by doing security research, we will investigate" story.


Well put. It’s taken me the last hour to realise that it really is refreshingly transparent.

To me, it’s like the distinction between offence caused and actually showing some genuine reflection as to why there might be offence caused. This statement, to me, is firmly in the former camp.


This statement is in the former camp, stating that they do not have enough data yet to be able to be in the latter camp. They're stating that they'll be working toward it. It's a statement that they needed to put out asap before being able to state affirmatively what actually happened, since that can take time.


This sort of incident is difficult to set expectations for reporting back.

I expect UMN to move swiftly on this but it’s a large university and may move more slowly than we’d like.


That's why you promise an update, not a resolution.


> explicit time frame

This seems incompatible with the pace of academia, as I have experienced it.


Academics tend to be able to find their calendars when money or prestige is involved.

This is the second one.


They need not promise to have results in a particular time frame, but they should commit to giving an update by a particular date, even if that update is just, "We've made progress investigating this incident, but we are not yet ready to report our findings. We will give our next update no later than $DATE."


I have also seen many times a university happy to throw a student or even a faculty member under the bus, and in this case it seems extremely clear that they were running an unethical sociological experiment that was probably not reviewed by the IRB there. That's grounds for the university very rapidly turning on you.

Violating IRB ethics is a very serious issue, and has timelines in place once a complaint is filed. I expect that this statement was intended to be fast, short, and direct because of the time sensitivity.


They’ve explicitly said before that this was reviewed by the IRB and cleared by them as not being an experiment with human subjects.


Which means either they misled the IRB, or the IRB also needs reform. That investigation should take a while either way to figure out how that is possible.


My experience with anything that involves other faculty (at worst, tenured faculty) is that it will get done some time between later and never. With prioritization slipping the further you venture from your home department.

And this is by definition a matter that will involve a lot of parties. At minimum, as everyone in the chain tries to ensure their ass is covered and how it's not really their fault, because it wasn't really their job to say no to this.


While I disagree with you in this specific instance (because I think it'd be hard for them to be so specific this early on), I think you've made a very good point about building trust in the face of handling things.


Educational institutions don't generally do that. In many cases, they can't.


Kind of like how Mozilla will open-source Pocket any day now, just like they promised in 2017...


What on earth has that got to do with any of this?


It's an example of an organization making a promise to take action to respond to feedback from the community, not providing a time frame, and then just never doing it.


For the sake of discussion, I'll grant the example, but the fact that org A acts in bad faith has no bearing on whether org B acts in bad faith.

If Mozilla had ties to UMN CS&E you might have had a (tenuous) point, but...

Plus, this has come out in the last 48hrs or so? And you're somehow saying that's comparable to 3 years? Sure, if they haven't issued a further statement in 1 month, 3 months, etc. then you might be justified.


If they really care about being banned, they'll have no choice but to follow through.


Yeah and that's some heavy shade on a university. They'll lose good students if this is not fixed.


>They'll lose good students if this is not fixed.

"Ability to commit to the Linux kernel with my school email" isn't likely to be a major issue for many. It's a non-issue for undergrad work, and even most grad students are unlikely to be affected. Other than this research, only one other person associated with UMN has committed code to the kernel.

This impacts any direct school-sponsored research work, but if some random student wants to write a patch, they'll just do it from a personal address - no kernel committer is going to go do social media stalking of every contributor.


Maybe practically this doesn’t prevent most students or faculty from doing anything, but it is a huge reputation problem. How many universities (or organizations in general) are banned from contributing to the Linux kernel? When people search for why, they’ll find a research group basically screwing over their collaborators and anyone else who uses Linux. That that exists at UMN could be viewed as a serious cultural problem at the university and dissuade prospective students and collaborators from contact with UMN. That in real terms costs the university prestige and money.


I feel you're overvaluing the ability to contribute to the linux kernel - this is definitely a bad thing and the university should work to correct the situation. But when I was looking at colleges and universities (for undergrad - I didn't pursue a grad degree) I didn't ever ask if the university was blacklisted by any open source organizations.

I don't think anyone would notice this ban - it'd just be an odd curiosity and impediment to any student that tried to submit a patch... that is assuming it doesn't hit the main news circuit.... But, if I hear about this on Colbert tonight I'll be amazed.

The fact that the FBI raided Steve Jackson Games[1] over GURPS: Cyberpunk is, I think, completely absent from general public knowledge at this point - even though that incident[2] led to the creation of the EFF which most folks on HN will certainly be familiar with. Notoriety is a fickle thing and no matter how negative the incident is it'll usually either fade into nothingness or give a positive boost to the organization - this is where the concept of "there's no such thing as bad press" comes from. I, at least, am far more aware of UMN now than I was this morning.

1. http://www.sjgames.com/SS/

2. There's some disagreement over how central this incident was to the EFF's foundation, but from what I've read it was pretty darn central.


> I feel you're overvaluing the ability to contribute to the linux kernel - this is definitely a bad thing and the university should work to correct the situation. But when I was looking at colleges and universities (for undergrad - I didn't pursue a grad degree) I didn't ever ask if the university was blacklisted by any open source organizations.

You are not looking at it the right way. This is an issue for the President and the Provost because of alumni donations.

When the choice is between firing an adjunct/assistant and not getting a 100k from alumni the adjunct/assistant has no chance.


> I feel you're overvaluing the ability to contribute to the linux kernel

The CS department cares about the ability to publish papers about the Linux kernel.


The question isn't whether they need to be able to commit to the Linux kernel. Probably they don't. But the question is, what reputation does a CS department (and consequently a university) have, that has been banned from submitting patches to one of the most prolific open source projects around?


I think you underestimate the shade this puts on the UMN name. I've never even heard of UMN before, but I doubt I'll ever forget hearing about this university fraudulently trying to sabotage the Linux project, and will probably treat anything and anyone with a UMN background with great suspicion in the future.


You will treat anyone educated at the same university with `great suspicion`? Really? That is hardly rational or appropriate.


Very appropriate. Until yesterday I was happy to have a CS degree from the UMN. Now that is tainted and I want to hide who gave me the degree. I have to wonder if they taught me some things that were unethical that I'm not doing without knowing better. I wouldn't hire a UMN grad because of their reputation.

For now I'm assuming that my degree was more than 20 years ago, and things change in that time (most of the professors I remember best are dead...). However this is doubt in my mind.


Ouch.

I'm not the GP. I agree with you, but I feel for you.

The fact that you are worried is a good sign, though!


If this was just one patch and it was caught early, it could be excused as a rogue solo stunt. But papers have been published. IRB board granted exemptions. A whole team worked on it. Too many people conspiring on pissing in the pool and wasting kernel maintainers' time and casting doubt on 190+ commits indicates a complete institutional failure. No colleagues, co-students or supervisors stopped to ask if this behavior was appropriate? It taints the entire UMN.

What if a car or medical device running linux turns out to have buggy mutex locking either due to a malicious commit or a now-hastily reverted commit? As a Linux user of both computers, appliances and vehicles, I am not impressed.


I don't think that's the case (due to how fame works) and I don't even think it's particularly productive to bring up that point.

Their actions should be rectified since they did wrong - not out of fear of a punishment. When we bring only a specific punishment in as a consequence then the question of how to respond can be shifted over to a "which is worse" proposition which means that the punishment needs to be properly proportioned.

At any rate - I doubt admissions would be appreciably impacted even if they handled this incident extremely poorly - some potential grad students might look elsewhere while most would likely be ignorant of the whole incident.


There are enough of us here that have heard about this as to make a UMN degree worth less because we will trash a resume with that name on it.


I certainly wouldn't do so - this looks like it was a research topic by one professor and one grad student... So nearly no one with a degree from UMN was involved with this. Even the specific grad student was college aged at the time and we all did stupid stuff when we were young. I think this only really rubs off on the professor since they clearly should've known better. Honestly I think the biggest blow to the university will be when it comes to hiring CS professors - those are the only folks likely to do the due diligence on this topic or be passively aware of it.


I’ve read and re-read that statement, and it seems like the ban is the focus – not what led to the ban.

I get that they may not know anything, but there are other ways to word that without admitting liability, making it seem less like the focus is on the ban and more on the allegedly shady stuff.


I entirely disagree.

Not once do they talk about getting the ban removed, instead they talk about figuring out why it happened and how to be better at having research done being ethical.

Was the ban the trigger to them (the heads) looking into it? Of course, since they do already have safeguards and review processes in place, this happened despite those, so they're saying they will investigate them to figure out how this project was validated and make sure to strengthen these processes as needed.

The end goal they give themselves in that message is not a ban removal but "safeguard against future [such] issues".


> Not once do they talk about getting the ban removed, instead they talk about figuring out why it happened and how to be better at having research done being ethical.

I feel as if we’re discussing two different statements.

> The research method used raised serious concerns in the Linux Kernel community and, as of today, this has resulted in the University being banned from contributing to the Linux Kernel.

Here the cause is that "the research method used raised serious concerns in the Linux Kernel community"

Not that it was unethical, or potentially how it was. It’s not that something clearly went wrong. The cause can be read as the response, rather than the action.

> safeguard against future issues, if needed


Yes that's called the trigger. You have a trigger, that leads you to focus on and review what caused said trigger, and reach conclusions.

The ban is the trigger. The review is about to happen, so they really can't talk about its result yet. For all you and me know, said review will say their processes are just fine which I would personally disagree with but it could happen. Then, if there was an issue, they will update their processes, which is the end goal stated.

So your quote:

> the ban is the focus – not what led to the ban

The ban is the trigger that starts it, but the focus, the thing on which they will work, is their process. "Something important happened so we will spend lots of time figuring it out how it could have happened despite our processes made to protect against it" makes it pretty clear the focus, the thing they will spend their time on, is the review of their processes.


I think we’re mostly in agreement. The ban is clearly the trigger, and it’s pretty transparent.

> For all you and me know, said review will say their processes are just fine which I would personally disagree with but it could happen.

Agreed. For what it’s worth, I don’t actually think there’s much they can really do besides acknowledge it and make sure their ethics board is competent and consulted.

> the ban is the focus – not what led to the ban

I was talking about the ban being the focus of the statement, as it’s the point at which there’s a clear shift from the situation to the fix. This is unfortunate, because to me it is placing the emphasis on the trigger, rather than the cause.

I believe it could have been written in a way that mentioned the ban, left room to investigate, but made it crystal clear that the community concerns and the ban were not the problem. It makes it feel to me as though their primary motivation to investigate is to get unbanned – which, to be fair, it probably is – rather than to be committed to root out alleged unethical practices. Even if the short-term consequences are the same, it’s a subtle but important distinction.

I suppose it’s a form of honesty, and I could instead embrace its transparency.


I'm not sure how you get that. The ban is mentioned as part of a single sentence that acknowledges the current state of the situation, which seems obligatory, so of course it's there. Then the whole second paragraph is talking about how they're shutting down the activity that led to that situation while they work on getting to the bottom of it.

This seems like an entirely appropriate balance of text and emphasis for a statement that is short and to the point. Which is also appropriate and laudable. Typically when an organization says any more, it's to try and do some spin doctoring.


> The research method used raised serious concerns in the Linux Kernel community and, as of today, this has resulted in the University being banned from contributing to the Linux Kernel.

> We take this situation extremely seriously.

I think it’s because the last bit of the first paragraph – the ban – flows onto the second paragraph – the situation.

Once you’ve had the two linked, it’s like one of those ambiguous optical illusions, where you just can’t see the other.

If I were writing that statement, I’d be concerned it looked that had there been no ban, there would be no situation. Said statement doesn’t do that for me.


> I think it’s because the last bit of the first paragraph – the ban – flows onto the second paragraph – the situation.

So, as long as you ignore the formatting they presented it with and decide to read it without it, you can come to a different conclusion?

I don't think contortions such as that to link sentences is fair, nor the fault of the organization that put forth for a statement specifically separating them.


> So, as long as you ignore the formatting they presented it with and decide to read it without it, you can come to a different conclusion?

No. It reads that way with the formatting they provided. You can’t take that paragraph break out without putting one back exactly there. It’s refreshingly transparent, and perfect if you expect them not to care about the underlying cause as much as they care about the ban.

> I don't think contortions such as that to link sentences is fair, nor the fault of the organization that put forth for a statement specifically separating them.

It’s not a contortion, it’s just how it reads to me. I’m not taking some deliberately contrarian stance – I was really quite shocked at the multiple comments saying how great the statement was when it inadvertently or otherwise conveyed the very message I believe they should have avoided – the one where they simply do the least they need to do to get unbanned, which may well be closer to the real objective. It’s the difference between being shamed into action and recognising why action is necessary.

I would not want to be the person to have to write such a statement


> You can’t take that paragraph break out without putting one back exactly there.

Exactly. And paragraphs are used to separate concepts and statements into conceptual units. That you're letting a concept and interpretation from one apply to and influence the reading of another as if there is no break is the problem.

> It’s not a contortion, it’s just how it reads to me.

I think you have some interesting ideas of how to read. I don't think that follows necessarily for the majority of other people, and I don't think that's what was intended by the writer.

At the same time, I'm not entirely surprised. This is why writing is hard, and sometimes thankless. Regardless of intention and how clear you think you're being, someone will always read it otherwise. It's just the nature of the medium, to some degree. It can happen through something like this, where you're inferring intent across boundaries where I think that boundary is intended to clearly separate it, and it can happen if they are absolutely literally clear and denounce other stances, because people will read those denouncements as indicators of the opposite, as crazy as that sounds ("The lady doth protest too much, methinks").

I think you're better off taking a separate paragraph for what it's usually meant to be. A way to separate statements so they are clearly distinct.


> Exactly. And paragraphs are used to separate concepts and statements into conceptual units. That you're letting a concept and interpretation from one apply to and influence the reading of another as if there is no break is the problem.

Their second paragraph says they "take the situation very seriously".

What "situation", exactly?


The focus is rescinding the ban, but they acknowledge that the way to do so is review their actions and set up safeguards to prevent similar things from happening. There's too much bureaucracy involved for them to already publicly review their actions.


The entire statement has only 2 paragraphs, and says absolutely nothing at all about rescinding the ban.


Why else would they take the ban extremely seriously and take the actions mentioned? I guess it's possible they're worried about the ban spreading, but rescinding the ban seems more likely.


Or, maybe they don't want to be in a position where they are getting banned just in general? Like, maybe you don't mind getting banned from a specific bar, but you do mind being the kind of person that is getting banned from bars.


Of course, no PR person with anything would allow such a thing into their statements. The UMN is far too big to allow someone without some competency in PR.


My take on that is that it's up to the kernel maintainers to unban them. If they end up the investigation with: "Yeah, that was bad but we won't do anything about it", it's unlikely to get the banning side to move an inch.


I agree, and given that they have only just started to look into it, I think it shows an appropriate amount of concern and urgency. They'll at least want to talk to the researchers and get their point of view, before committing any further. This is about the best you could expect at this point, they'll want to proceed methodically.


They also didn't just throw the group under the bus and try and wash their hands clean - good move.


Academia runs on egos and reputations. You can be sure the fallout is coming.


Is it?

Their ethics committee approved the research, and yet I see no acknowledgement of their responsibility.


The story just broke. We don’t know what the IRB saw, we don’t know what they said.

Throwing anyone under the bus before there's any time to even start asking questions is not what any smart administration should do.


We know that they approved the research.


I think it’s more accurate to say that “we know that they approved something.” Whether or not that something turns out to be exactly what this professor and his student did here is, I gather, a different question.


The "hypocrite commit" preprint/abstract was a controversy which broke late last year. Prof. Lu at that point published an FAQ stating that he didn't think it was Human Subject Research (HSR) and got a post hoc review from the UMN IRB giving him a free pass, agreeing that attempting to con humans is apparently not HSR by their lights. This is three month old news at this point, and is quite well established.

What triggered the ban now is another set of suspicious commits was sent by a graduate student in the same research group.


Thanks, I didn't know that background (shame on me for not reading through all the history I guess). Odd decisions appear to have been made here by all parties. Though I was born in Iowa, I grew up in Minnesota and have a lot of friends who went there (Twin Cities campus, mostly).

Definitely not "Minnesota Nice".


It doesn't take much to write a single paragraph, though. I think the quality of their response will become much more clear later.


Have you ever drafted a public response for an issue receiving a lot of attention on social media when you don’t know the whole story but, from what little you do know, things aren’t looking great for the entity you represent?

You vastly underestimate how much effort and attention was put into writing that “single paragraph” because I promise you it sure does take much.


I disagree. There's not a single word of apology in it.


Too early. The shit storm is less than a day old. You wouldn't accept an insincere apology right? So we shouldn't demand an apology before a sincere one could possibly be issued.


They don't have to, it's the "researcher" who has to apologize.

The University has to do exactly what they have done and follow up, to keep their reputation.


They have to investigate and also apologize accordingly in the name of the university.

Saying the researcher is the only one responsible for a work that is managed by the university (with things such as probably funds and for sure resources) is just wrong.


I also think it's a good response but I think an apology would be in order - perhaps left out because it can be considered an admission of guilt.

The way their statement stands they can investigate themselves and determine they did nothing wrong, we'll have to see what they say down the road.


>but I think an apology would be in order - perhaps left out because it can be considered an admission of guilt.

I think an apology before they've had a chance to review everything that occurred would be rather empty, don't you? "I'm sorry you're upset"?

I far prefer what they've stated they're going to do which is stop the activity they know about immediately, and to review how we got to this point.

If, on the off chance, the professor was being honest about ensuring they weren't wasting anyone's time, and ensuring no bad code made it into the kernel, then the situation becomes a bit more murky. They'd need to go through all of the associated emails both public and internal to validate that.

If on the other hand this is in fact a duck, I would expect them both to issue a meaningful apology at that point, as well as lay out the steps they've taken to ensure it doesn't happen again (which they've indicated is their plan). And hopefully restore the trust of the OSS community.


Maybe it's because I'm both Canadian and a tech manager but I've never worried about over apologizing if it's genuine. Same goes for saying thank you.


Perhaps I am naive but I think the apology should come after the internal investigation.

It is more likely that you just have an administrator who became aware of the issue; they won't make an apology until they understand what happened.


They could investigate and determine that they did nothing wrong, but they aren't the final arbiter of justice. This is not like the police investigating themselves. The OSS community can come to a different conclusion and still punish them.

The job of UMN is to get the facts first, and then determine actions. If the OSS community (and others) feel like the actions don't match the facts (or if they feel the facts don't match what actually happened) they can apply their own set of actions.


Apologies are overrated. Are these leaders actually sorry for something they likely weren’t aware of before today? Doubtful. Who are they apologizing to? The public?

When the issue has gotten actual attention, an apology to the kernel mailing list might be appropriate, but as someone who has been apologized to many times, it all just becomes meaningless. Who cares if you say you're sorry? I care what you'll do about it.


Immediate knee-jerk apologies are usually worthless because the person apologizing usually has no idea what's going on and can't make a reasoned statement. They're just trying to do damage control.

The best apologies are the ones that are done after some reflection, not under duress, and not purely for reputation.


I doubt an apology would increase liability in this case, since the actions already occurred and are forensically visible.


There was one thing that I found to be lacking from their statement. They never said that what they had done was wrong. The university already knows what the researchers did and are aware of the paper that was written about the subject by those same researchers. [1]

[1] On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits -- https://github.com/QiushiWu/QiushiWu.github.io/blob/main/pap...


The department heads just learned of what is happening. They cannot say "we didn't do anything wrong!!!" without an investigation, because it would put the university in a very negative light (it has serious ramifications). They need to get all the facts and know how it happened and who is responsible for this. That way they can take concise action and make a proper statement. They are taking "investigation first and comment after" cautiously and seriously.


It's worth remembering that this was a repeat offense. They failed to respond to the first complaint.


It's a bit unclear who complained to whom about this - and I'd expect looking into this to be part of the review. i.e. I could easily see "some people reached out to IRB concerned about lack of its involvement, IRB talked to researcher and went through process, came to result for whatever reasons" happening and not being something that is reported up the chain, because it was "resolved".


I'm up for "wait and see". From an administrative perspective, removed from what is happening, I can see investigating first before admitting fault. I'd much rather people understand why they were wrong, even if it takes some time.


They shouldn't have. This appears to be a pretty clear cut case, but made up outrage-bait has made it to the top of HN before. Investigating claims is the correct thing to do.


Exactly. If someone apologizes to me, and I know that they have no way of knowing if they're guilty or not, what's that apology worth?


I would argue that first requires investigation.

They probably just have a bunch of angry emails to go on at this point and haven’t looked in detail at anything else.


> I would argue that first requires investigation.

Why do you think that enough of an investigation hasn't been performed in order to understand culpability?

They already know what happened and want to learn why it was approved. That was what their comment said.

Take a look at the actual PDF from the researchers, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits" [1]

[1] https://github.com/QiushiWu/QiushiWu.github.io/blob/main/pap...


The prof overseeing the paper clarified that they initially did not seek IRB approval, and then received an IRB exemption [0]. I'd want to ask the IRB why they approved that, for starters. Maybe because they'd already done the research and hoped it would blow over, vs. the controversy of rejecting it when they'd already done the work?

0: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....


Honestly I’m guessing this kind of situation didn’t match any existing policy for the review board and a few people made a bad call.

We need to make sure to be supportive of people making mistakes and learning from them instead of raising pitchforks for every misstep. Failure is never completely avoidable and responding properly to failure is way more important than never failing.


From my reading of the threads in the kernel mailing lists, it seems the IRB thought "is it bioscience with experimentation on live animals? No? Then it's all fine".


Yeah, especially considering that the IRB said the research was out of scope (specifically that it was not "human subject research") rather than indicating that it was ethical. Kind of like the distinction between a court not having jurisdiction and a court declaring you didn't break any laws.


I participated in IRB for a UMN campus and that’s pretty much how these things worked back then.


I think they misrepresented the project so that it would be classified as “not human research”. It’s unclear whether the misrepresentation was intentional (to obtain the exemption) or unintentional (they were genuinely unaware of the human impact).


Yes, but that doesn't have bearing on my comment that was being referenced, that they didn't say what had happened was wrong.

Here is Ken Thompson's apropos paper from 1984. [0]

[0] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...


Sure. I was answering your question:

> Why do you think that enough of an investigation hasn't been performed in order to understand culpability?


> We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues, if needed.

The "if needed" tells me they aren't sure what if anything is wrong yet. It would surprise me if they have done that much of an investigation in the few hours since they might have learned about this beyond scheduling meetings with involved parties and compiling relevant documents in a folder.

I think they are at the point of having a bunch of angry emails and a few news articles from certain publications. I don't blame them wanting a bit more than that before saying anything.


This is what innocent until proven guilty looks like. I, for one, agree with the approach. I don't want to live in a world where people are fired and projects shut down on the basis of allegations alone.


Don't jump to conclusions, and say I am guilty of something that I didn't write. I never said to fire people and shut down projects based upon allegations alone. You may not have read the article for this comment page, but they admit that the action took place. The researchers, themselves, elsewhere admitted it took place.


Pardon me. I did not mean to imply you were calling for anything. And I agree, the facts look pretty damning. Nevertheless, I fully support a slow, deliberate, and comprehensive evaluation by any authority when evaluating serious accusations. Further, I strongly believe in presumptive innocence, regardless of initial impressions.

Btw, I'm not suggesting you don't believe in any of the above.


It’s too early for that. I expect their followup will have details on failures but first they need to figure out exactly what happened. That will take some time and effort.

At least now they’re burning UMN time and not kernel maintainer time.


They have just learned about the details of the research conducted:

> Leadership in the University of Minnesota Department of Computer Science & Engineering learned today about the details of research being conducted by one of its faculty members and graduate students into the security of the Linux Kernel.

I'm going to say that the odds are that the faculty member in question is not going to be a faculty member anymore, especially if the ban remains in place, as the said faculty member probably at best fibbed to the leadership before about his research.


Firing faculty is oddly difficult, but I do expect they'll take at least some actions.


He is an adjunct that just trashed the university's reputation. I'm sure it would even fall into firing for cause.


He's not an adjunct.

https://www-users.cs.umn.edu/~kjlu/

Adjuncts don't have Ph.D students.


He is not tenured, and until he is, he is basically an adjunct.


No, that's not how this works. Tenure track faculty have way more job security.


Missed the adjunct part... I'm with you on this one.

