Comment by simias
4 years ago
It does seem rather unethical, but I must admit that I find the topic very interesting. They should definitely have asked for consent before starting with the "attack", but if they did manage to land security vulnerabilities despite the review process it's a very worrying result. And as far as I understand they did manage to do just that?
I think it shows that this type of study might well be needed, it just needs to be done better and with the consent of the maintainers.
“Hey, we are going to submit some patches that contain vulnerabilities. All right?”
If they do so, the maintainers become more vigilant and the experiment fails. But the key to the experiment is that maintainers are not as vigilant as they should be. It’s not an attack on the maintainers though, but on the process.
In penetration testing you are doing the same thing, but you get the go-ahead from someone responsible for the project or organization, since they are interested in the results as well.
A red team without approval is just a group of criminals. They must have been able to find active projects with a centralized leadership they could ask for permission.
I don’t know much about penetration testing so excuse me for the dumb question: are you required to disclose the exact methods that you’re going to use?
If the attack surface is large enough and the duration of the experiment long enough it'll return to baseline soon enough I think. It's a reasonable enough compromise. After all if the maintainers are not already considering that they might be under attack I'd argue that something is wrong with the system, a zero-day in the kernel would be invaluable indeed.
And well, if the maintainers become more vigilant in the long run it's a win/win in my book.
The maintainers are the process, as they are reviewing it, so it's absolutely attacking the maintainers.
"We're going to, as part of a study, submit various patches to the kernel and observe the mailing list and the behavior of people in response to these patches. In case a patch is to be reverted as part of the study, we immediately inform the maintainer."
Your message would push maintainers to put even more focus on the patches, thus invalidating the experiment.