University Suspends Project After Researchers ...

[John Scott]

https://www.darkreading.com/application-security/university-suspends-project-after-researchers-submitted-vulnerable-linux-patches/d/d-id/1340799

-------------------------------------------

John Scott

 240.401.6574

< jms...@gmail.com >

ionchannel.io 

[David A. Wheeler]

On Apr 23, 2021, at 9:17 AM, John Scott <jms...@gmail.com> wrote:

https://www.darkreading.com/application-security/university-suspends-project-after-researchers-submitted-vulnerable-linux-patches/d/d-id/1340799

Yeah, I’m deeply deeply deeply in the middle of this nonsense. Consider where I work & my title. SIGH!!!

Some context: Some university researchers experimented on humans (Linux kernel developers) without the consent of those being experimented on. The researchers didn’t even go through an IRB, which is required for experiments on humans, before they did their experiments. They did go through an IRB *AFTER* they had performed the experiments (!), and their IRB after-the-fact approved these experiments on humans without their consent (!!). As GregKH noted, "Our community does not appreciate being experimented on”.

Don’t get me wrong, I’m pro-research, & in principle more research on countering malicious submissions is a good thing. But there are rules about this. You aren’t allowed to attack systems without the permission of the system owners, and you aren’t allowed to do research on humans without consent from those humans. Heck, at my last job I had to go through IRBs for surveys & interviews where everyone knew it was for an experiment or research (and thus expressly consented). By contrast, in this U of MN case, consent was neither requested nor granted. Saying “it’s hard to get consent” or “they might not grant consent” is no excuse, go do something else.

There are ongoing efforts to address this, preferably in a positive way. I’m hopeful.

--- David A. Wheeler

[Joe Anderson]

What's nice is that on the Mil side, we have real firm guidance on this: Attack a system without everybody's obvious and clear permission, that's a paddling.  Expose a vulnerability without notifying the owner?  Believe it or not, straight to jail.

Joe Anderson

US Army, 21st Signal Brigade

--
--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.
To post to this group, send email to mil...@googlegroups.com
To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
 
www.mil-oss.org

---
You received this message because you are subscribed to the Google Groups "Military Open Source Software (Mil-OSS)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mil-oss+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mil-oss/89ACB2C5-07F1-4416-8312-0BD2562E56A9%40dwheeler.com.