Comment by gspr

4 years ago

> While it is maybe "scientifically interesting", intentionally introducing bugs into Linux that could potentially make it into production systems while work on this paper is going on, could IMO be described as utterly reckless at best.

I agree. I would say this is kind of a "human process" analog of your typical computer security research, and that this behavior is akin to black hats exploiting a vulnerability. Totally not OK as research, and totally reckless!

Yep. To take a physical-world analogy: Would it be okay to try and prove the vulnerability of a country's water supply by intentionally introducing a "harmless" chemical into the treatment works, without the consent of the works owners? Or would that be a go directly to jail sort of an experiment?

I share the researchers' intellectual curiosity about whether this would work, but I don't see how a properly-informed ethics board could ever have passed it.

  • > Would it be okay to try and prove the vulnerability of a country's water supply by intentionally introducing a "harmless" chemical into the treatment works, without the consent of the works owners?

    The question should also be due to whose neglect they gained access to the "water supply". If you also truly want to make this comparison.

    • The question is also: "Will this research have benefits?" If the conclusion is "well, you can get access to the water supply and the only means to prevent it is to closely guard every brook, lake and river, needing half the population as guards". Well, then it is useless. And taking risks for useless research is unethical, no matter how minor those risks might be.

Out of interest, is there any way to have some sort of automated way to test this weak link that is human trust? (I understand how absurd this question is)

It's awfully scary to think about how vulnerabilities might be purposely introduced into this important code base (as well as many others) only to be exploited at a later date for an intended purpose.

Edit: NM, see st_goliath's response below

https://news.ycombinator.com/item?id=26888538