Comment by tester34
4 years ago
Researcher(s) show that it's relatively not hard to introduce bugs in the kernel
HN: let's hate the researcher(s) instead of the process
Wow.
Assume good faith, I guess?
The concept of the research is quite good. The way this research was carried out is downright unethical.
By submitting their bad code to the actual Linux mailing list, they have made Linux kernel developers part of their research without their knowledge or consent.
Some of this vandalism has made it down into the Linux kernel already. These researchers have sabotaged other people's software for their personal gain, another paper to boast about.
Had this been done with the developers' consent and with a way to pull out the patches before they actually hit the stable branches, then this could have been valuable research. It's the way that the research was carried out that's the problem, and that's why everybody is hating on the researchers (rather than the research matter itself).
To provide some parallel on how the research was carried out:
I see it as similar to
- allowing recording of people without their consent (or warrant),
- experimenting on PTSD by inducing PTSD without people's consent,
- or medical experimentation without the subject's consent.
And the arguments about not having anyone know:
Try to introduce yourself in the White House and when you get caught tell them "I was just testing your security procedures".
Submitting a patch for review to test the strength of the review process is not equivalent to inducing PTSD in people without consent or breaking into the White House. You're being ridiculous. Linux runs many of the world's financial, medical, etc. institutions and they have exposed how easy it is to introduce a backdoor.
If this was Facebook and not Linux everyone would look upon this very differently.
Wasting the time of random open source maintainers who have not consented to your experiment to try to get your paper published is highly unethical; I don't see why this is a bad faith interpretation.
State-level actors / Nation wide actors (fancy terms lately, heh) will not ask anyone for consent
This is also unethical.
There are two separate issues with this story.
One is that what the researchers did is beyond reckless. Some of the bugs they've introduced could be affecting real world critical systems.
The other issue is that the research is actually good in proving by practical means that pretty much anyone can introduce vulnerabilities into software as important and sensitive as the Linux kernel. This hurts the industry's confidence that we can have secure systems even more than it already is hurt.
While some praise may be appropriate for the latter, they absolutely deserve the heat they're getting for the former. There may be many better ways to prove a point.
It is not hard to point a gun at someone's head.
But let's assume your girlfriend points an (unknown to you) empty gun at your head, because she wants to know how you will react. What do you think is the appropriate reaction?
With that logic you can conduct research on how easy it is to rob elderly people in the street, inject poison in supermarket yogurts, etc.