The ultimate problem is that it's easy to fake stuff so you have to use heuristics to see who you can trust. You sort of sum up your threat score and then decide how much attention to apply. Without doing something like that, the transaction costs dominate and certain valuable things can't be done. It's true that Western universities are generally a positive component to that score and students under a professor there are another positive component to the score.
It's like if my wife said "I'm taking the car to get it washed" and then she actually takes the car to the junkyard and sells it. "Ha, you got fooled!". I mean, yes, obviously. She's on the inside of my trust boundary and I don't want to live a life where I'm actually operating in a way immune to this 'exploit'.
I get that others object to the human experimentation part of things and so on, but for me that could be justified with a sufficiently high bar of utility. The problem is that this research is useless.
Woah, the thing that leapt out at me, as a professor, is that they somehow got an exemption from the UMN institutional review board. Uh, how?? It's clearly human subjects research under the conventional federal definition[1] and obviously posed a meaningful risk of harm, in addition to being conducted deceptively. Someone has to have massively been asleep at the wheel at that IRB.
> Woah, the thing that leapt out at me, as a professor, is that they somehow got an exemption from the UMN institutional review board. .... in addition to being conducted deceptively
There are cases where deception (as they call it) can be approved (even by ethics boards). Based on the Verge's article, this research setup should not have been approved even by then. But the topic itself seems as relevant as ever with the xz case and all.
The stupid thing about the experiment was that it's never been a secret that the kernel is vulnerable to malicious patches. The kernel community understood this long before these academics wasted kernel maintainer time with a silly experiment.
Agree, to me this "research" is like proving grocery stores are vulnerable to theft by sending students to shoplift. If review process guaranteed that vulnerabilities can't pass, wouldn't that mean that the current kernel should be pristinely devoid of them?
I believe most people believe that the Linux kernel couldn’t be compromised because there is multiple approval process and highly professional people vetoing.
It seems like a big vulnerability, if a teacher assistant could do that, there is no doubt that government agencies can too.
While I did see some problems with their approach (i.e. doing the IRB reviews retroactively instead of doing them ahead of time, and not properly disclosing the experiments afterwards), I think this research is valuable, and I don't think the authors were too unethical. The event that this most reminds me of the Sokal Squared scandal, where researchers sent bogus papers to journals in order to test those journal's peer review standards.
>Then, there’s the dicier issue of whether an experiment like this amounts to human experimentation. It doesn’t, according to the University of Minnesota’s Institutional Review Board. Lu and Wu applied for approval in response to the outcry, and they were granted a formal letter of exemption.
I had to apply for exemptions often in grad school. You must do so before performing the research -- it is not ethical to wait for outcry then apply after the fact. Any well run CS department trains it's incoming students on IRB procedures during orientation, and Minnesota risks all federal funding if they continue to allow researchers to operate in this manner.
(Also "exempt" usually refers to exempt from the more rigorous level of review used for medical experiments -- you still need to articulate why your experiment is exempt to avoid people just doing whatever they want then asking for forgiveness after the fact)
> If a sufficiently motivated, unscrupulous person can put themselves into a trusted position of updating critical software, there’s honestly little that can be done to stop them,” says White, the security researcher.
thats literally like 90% of anything. This is open source, code maintained in large swaths by volunteers. Obviously there is not extensive background checks that are being done, the amount of resources that would require is not something the Linux Foundation probably has.
Pretty ridiculous. If I send them an email with a stupid question wasting their time on purpose just to see if they'll reply is that "human experimentation"? What a loose definition.
More to the point; are they salty because the author has possibly proved that it's most certainly possible to get critical flaws into the Linux kernel with social engineering? How else is something like that meant to be tested?
If you give them a heads-up they'll pay more attention for a short duration of time.
20 comments
[ 2.2 ms ] story [ 52.3 ms ] threadIt's like if my wife said "I'm taking the car to get it washed" and then she actually takes the car to the junkyard and sells it. "Ha, you got fooled!". I mean, yes, obviously. She's on the inside of my trust boundary and I don't want to live a life where I'm actually operating in a way immune to this 'exploit'.
I get that others object to the human experimentation part of things and so on, but for me that could be justified with a sufficiently high bar of utility. The problem is that this research is useless.
[1] https://grants.nih.gov/policy-and-compliance/policy-topics/h...
There are cases where deception (as they call it) can be approved (even by ethics boards). Based on the Verge's article, this research setup should not have been approved even by then. But the topic itself seems as relevant as ever with the xz case and all.
But there is always the BSDs.
I believe most people believe that the Linux kernel couldn’t be compromised because there is multiple approval process and highly professional people vetoing.
It seems like a big vulnerability, if a teacher assistant could do that, there is no doubt that government agencies can too.
I had to apply for exemptions often in grad school. You must do so before performing the research -- it is not ethical to wait for outcry then apply after the fact. Any well run CS department trains it's incoming students on IRB procedures during orientation, and Minnesota risks all federal funding if they continue to allow researchers to operate in this manner.
(Also "exempt" usually refers to exempt from the more rigorous level of review used for medical experiments -- you still need to articulate why your experiment is exempt to avoid people just doing whatever they want then asking for forgiveness after the fact)
Money is money and buys time, no harm done, useful research conducted, and a whole lot of publicity gained.
That says a lot about Linux kernel safety.
More to the point; are they salty because the author has possibly proved that it's most certainly possible to get critical flaws into the Linux kernel with social engineering? How else is something like that meant to be tested?
If you give them a heads-up they'll pay more attention for a short duration of time.