Comment by willtemperley

4 years ago

This would absolutely be true if this were an authorised penetration test, however it was unauthorised and therefore unethical.

How exactly do you "authorize" these tests? Giving advance notice would defeat the purpose, obviously.

  • "We're writing research on the security systems involved around the Linux kernel, would it be acceptable to submit a set of patches to be reviewed for security concerns just as if it were a regular patch to the Linux kernel?"

    This is what you do as a grownup and the other side is expected to honor your request and perform the same thing they do for other commits... the problem is that people think of pen testing as an adversarial relationship where one person needs to win over the other one.

    • That's not really testing the process, because now you have introduced bias. Once you know there's a bug in there, you can't just act as if you didn't know.

      I guess you could receive "authorization" from a confidante who then delegates the work to unwitting reviewers, but then you could make the same "ethical" argument.

      Again, from a hacker ethos perspective, none of this was unethical. From a "research ethics committee" perspective, maybe it was unethical, but that's not the standard I want applied to the Linux kernel.

  • Perhaps the research just simply shouldn't be done. What are the benefits of this research? Does it outweigh the costs?

    • What's the harm exactly? Greg becomes upset? Is there evidence that any intentional exploits made it into the kernel? The process worked, as far as I can see.

      What's the benefit? You raise trust in the process behind one of the most critical pieces of software.