Comment by ansible
4 years ago
But we have always known that someone with sufficient cleverness may be able to slip vulnerabilities past reviewers of whatever project.
Exactly how clever? That varies from reviewer to reviewer.
There will be large projects, with many people that review the code, which will not catch sufficiently clever vulnerabilities. There will be small projects with a single maintainer that will catch just about anything.
There is a spectrum. Without conducting a wide-scale (and unethical) survey with a carefully calibrated scale of cleverness for vulnerabilities, I don't see how this is useful research.
> But we have always known that someone with sufficient cleverness may be able to slip vulnerabilities past reviewers of whatever project.
...which is why the interestingness of this project depends on how clever they were - which I'm not able to evaluate, but which someone would need to before they could possibly invalidate the idea.
> (and unethical)
How is security research unethical, exactly?
> How is security research unethical, exactly?
Those being researched must consent.
The goal should be to further society. This research attempted to sabotage infrastructure.
Research should avoid unnecessary suffering. Kernel maintainers are overworked volunteers.
They must be allowed to discontinue the research if the stress becomes more than they can bear.
Read more on University of Minnesota's website and look at page 4. https://www.ahc.umn.edu/img/assets/26104/Research_Ethics.pdf