Comment by andrewzah
4 years ago
No. There are processes to do such sorts of penetration testing. Randomly sending buggy commits or commits with security vulns to "test the process" is extremely unethical. The Linux kernel team are not lab rats.
It's not simply unethical, it's a national security risk. Is there a proof that the Chinese government was not sponsoring this "research", for example?
Linux kernel vulnerabilities affect the entire world. The world does not revolve around the U.S., and I find it extremely unlikely a university professor in the U.S. doing research for a paper did this on behalf of the Chinese government.
It's far more likely that professor is so out of touch that they honestly think their behavior is acceptable.
The bio of the assistant professor, Kangjie Lu, is here: https://www-users.cs.umn.edu/~kjlu/
It probably IS from being out of touch, or perhaps desperation to become tenured. However, he is also an alumnus of Chongqing University: http://www.cse.cqu.edu.cn/info/2095/5360.htm
If that's the case, why would they publish a paper and announce their "research" to the world?
> There are processes to do such sorts of penetration testing.
What's the process then? I doubt there is such a process for the Linux kernel, otherwise the response would've been "you did not follow the process" instead of "we don't like what you did there".
Well, if there's no process, then it's not ethical (and sometimes, not legal) to purposefully introduce bad commits or do things like that. You need consent.
Firstly, it accomplishes nothing. We already all know that PRs and code submissions are a potential vector for buggy code or security vulnerabilities. This is like saying water is wet.
Secondly, it wastes the time of the people working on the Linux kernel and ruins the trust of code coming from the University of Minnesota.
All of this happened due to caring about one's own research more than the ethics of doing this sort of thing. And continuing to engage in this behavior after receiving a warning.
First of all, whether something is ethical is an opinion, and in my opinion, it is not unethical.
Even if I considered it unethical, I would still want this test to be performed, because I value kernel security above petty ideological concerns.
If this is illegal, then I don't think it should be illegal. There are always debates about the legality of hacking, but there's no doubt that many illegal (and arguably unethical) acts of hacking have improved computer security. If you remember the dire state of computer security in the early 2000s, remember that the solution was not to throw all the hacker kids in jail.