Comment by kdbg

It's not _the_ problem, but it's an actual problem. If you follow the thread, it seems they did manage to get a few approved:

https://lore.kernel.org/linux-nfs/YH%2F8jcoC1ffuksrf@kroah.c...

I agree this whole thing paints a really ugly picture, but it seems to validate the original concerns?

They did go to the UMN IRB per their paper and received a human subjects exempt waiver.

Edit: I am not defending the researchers who may have misled the IRB, or the IRB who likely have little understanding of what is actually happening

The irony is that the IRB process failed in the same way that the commit review process did. We're just missing the part where the researchers tell the IRB board they were wrong immediately after submitting their proposal for review.

IRB review: "Looks good!"

If you actually read the PDF linked in this thread:

* Is this human research? This is not considered human research. This project studies some issues with the patching process instead of individual behaviors, and we did not collect any personal information. We send the emails to the Linux community and seek community feedback. The study does not blame any maintainers but reveals issues in the process. The IRB of UMN reviewed the study and determined that this is not human research (a formal IRB exempt letter was obtained).

Do IRBs typically have a process by which you can file a complaint from outside the university? Maybe they never thought they would need to even check up on computer science faculty...

According to their website[0]:

> IRB exempt was issued

[0]: https://www-users.cs.umn.edu/~kjlu/

>>>On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits Qiushi Wu, and Kangjie Lu. To appear in Proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland'21). Virtual conference, May 2021.

from Lu's list of publications at https://www-users.cs.umn.edu/~kjlu/

Seems like a conference presentation at IEEE at minimum?

IMNAL. In addition to possibly cause the research paper retracted due to the ethical violation, I think there are potentially civil or even criminal liability here. The US law on hacking is known to be quite vague (see Aaron Swartz’s case for example)

IRB (as in Institutional Review Board) is a local (as in each research institution has one) regulatory board that ensures that any research conducted by people employed by the institution follows the federal government's common rule for human subject research. Most institutions receiving federal funding for research activities have to show that the funded work follows common rule guidelines for interaction with human subjects.

It is unlikely that a business conducting A/B testing or a parent interacting with their children are receiving federal funds to support it. Therefore, their work is not subject to IRB review.

Instead, if you are a researcher who is funded by federal funds (even if you are doing work on your own children), you have to receive IRB approval for any work involving human interaction before you start conducting it.

> wouldn’t every single A/B test done by a product team be considered unethical?

Potentially yes, actually.

I still think it should be possible to run some A/B tests, but a lot depends on the underlying motivation. The distance between such tests and malicious psychological manipulation can be very, very small.

> it seems to me this is more about medical experiments

Psychology and sociology are both subject to the IRB as well.

Regardless of their department, this feels like a psychology experiment.

> Applied strictly, wouldn’t every single A/B test done by a product team be considered unethical?

I would argue that ordinary A/B tests, by their very nature, are not "experiments" in the sense that restriction is intended for, so there is no reason for them to be considered unethical.

The difference between an A/B test and an actual experiment that should require the subjects' consent is that either of the test conditions, A or B, could have been implemented ordinarily as part of business as usual. In other words, neither A nor B by themselves would need a prior justification as to why they were deployed, and if the reasoning behind either of them was to be disclosed to the subjects, they would find them indistinguishable from any other business decision.

Of course, this argument would not apply if the A/B test involved any sort of artificial inconvenience (e.g. mock errors or delays) applied to either of the test conditions. I only mean A/B tests designed to compare features or behaviours which could both legitimately be considered beneficial, but the business is ignorant of which.

> Applied strictly, wouldn’t every single A/B test done by a product team be considered unethical?

Assuming this isn't being asked as a rhetorical question, I think that's exactly what turned the now infamous Facebook A/B test into a perceived unethical mass manipulation of human emotions. A lot of folks are now justifiably upset and skeptical of Facebook (and big tech) as a result.

So to answer your question: yes, if that test moves into territory that would feel like manipulation once the subject is aware of it. Maybe especially so because users are conceivably making a /choice/ to use said product and may switch to an alternative (or simply divest) if trust is lost.

It should be for all science done for the sake of science, not just medical work. When I did experiments that just involved people playing an existing video game I still had to get approval from IRB and warn people of all the risks that playing a game is associated with (like RSI, despite the gameplay lasting < 15 minutes).

Researchers at a company could arguably be deemed as engaging in unethical research and barred from contributing to the scientific community due to unethical behavior. Even doing experiments on your kids may be deemed crossing the line.

The question I have is when does it apply. If you research on your own kids but never publish, is it okay? Does the act of attempting to publish results retroactively make an experiment unethical? I'm not certain these things have been worked out because of how rare people try to publish anything that wasn't part of an official experiment.

“Hey, we are going to submit some patches that contain vulnerabilities. All right?”

If they do so, the maintainers become more vigilant and the experiment fails. But, the key to the experiment is that maintainers are not vigilant as they should be. It’s not an attack to the maintainers though, but to the process.

Makes sense considering how open source people are treated.

>I sent patches on the hopes to get feedback

They did not say that they were hoping for feedback on their tool when they submitted the patch, they lied about their code doing something it does not.

>How does that fit in with your explanation?

It fits in the narrative of doing hypocritical changes to the project.

From GKH's response, which you linked:

    They obviously were _NOT_ created by a static analysis tool that is of
    any intelligence, as they all are the result of totally different
    patterns, and all of which are obviously not even fixing anything at
    all.  So what am I supposed to think here, other than that you and your
    group are continuing to experiment on the kernel community developers by
    sending such nonsense patches?

    When submitting patches created by a tool, everyone who does so submits
    them with wording like "found by tool XXX, we are not sure if this is
    correct or not, please advise." which is NOT what you did here at all.
    You were not asking for help, you were claiming that these were
    legitimate fixes, which you KNEW to be incorrect.

> (3). We send the incorrect minor patches to the Linux community through email to seek their feedback.

Sounds like they knew exactly what they were doing.

It’s a lie, that’s how it fits.

Disrespecting some programmers on the internet is, while not nice, also not a high crime.

Penetration testing is only ethical when you are hired by the organization you are testing.

Also, IRB review is only for research funded by the federal government. If you’re testing your kid’s math abilities, you’re doing an experiment on humans, and you’re entirely responsible for determining whether this is ethical or not, and without the aid of an IRB as a second opinion.

Even then, successfully getting through the IRB process doesn’t guarantee that your study is ethical, only that it isn’t egregiously unethical. I suspect that if this researcher got IRB approval, then the IRB didn’t realize that these patches could end up in a released kernel. This would adversely affect the users of billions of Linux machines world–wide. Wasting half an hour of a reviewer’s time is not a concern by comparison.

Consent!

Usually when an organization is pen-tested it consented to being pen-tested (likely even requesting it).

Here there were no contact with the Linux foundation to gain consent for the experiment.

I'm sure that they thought this. But this is a bit like doing unsolicited pentests or breaking the locks on somebody's home at night without their permission. If people didn't ask for it and consent, it is unethical.

And further, pretty much everybody knows that malicious actors - if they tried hard enough - would be able to sneak through hard to find vulns.

> Bad actors could exploit this, and the researchers are showing that maintainers are not paying enough attention.

And this is anything new?

And if I blow a hammer over your head while you are not suspecting it, does this prove anything else than that I am thug? Does it help you? Honestly?

Yes and?

This isn't a "gotcha" - people shouldn't do this.

> quite common in the U.S.A. to perform practice medical checkups on patients who are going under narcosis for an unrelated operations

Fascinating. Can you provide links?

Honest people don’t see a lock and think, “Ok, they don’t want me going in there, but I bet they would appreciate some free pentesting.”

It is ok to put the sign. But not for the person who transgressed to suggest 'why dont you put a sign'

Given that this conference hasn't happened yet, there should still be time for the affected people to report the inappropriate conduct to the organizers and possibly get the paper pulled.

If this is actually presented, someone present should also make the following clear: "As a result of the methods used by the presenters, the entire University of Minnesota system has been banned from the kernel development process and the kernel developers have had to waste time going back and re-evaluating all past submissions from the university system. The kernel team would also like to advise other open-source projects to carefully review all UMN submissions in case these professors have simply moved on to other projects."

I just wanted to highlight that S&P/Oakland is one of the top 3 or 4 security conferences in the security community in academia. This is a prestigious venue lending its credibility to this paper.

The guy is still putting the blame on the Kernel project for not having a "don't submit bugs" clause.[1]

And insists it was not human research. [1]

How can this type of people be professors?

[1] https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....