undefined | Better HN

0 pointsWrtCdEvrydy4y ago0 comments

I just want you to know that this is extremely unethical to create a paper where you attempt to discredit others by just using your university's reputation to try to create vulnerabilities on purpose.

I back your decision and fuck these people. I will additionally be sending a strongly worded email to this person, their advisor and their whoever's in charge of this joke of a computer science school. Sometimes I wish we had the ABA equivalent for computer science.

0 comments

dang4y ago

Please don't fulminate on HN (see https://news.ycombinator.com/newsguidelines.html). It's not what this site is for, because it leads to considerably worse conversation.

Even if you're justifiably steaming about something, please wait to cool down before posting here.

We detached this subthread from https://news.ycombinator.com/item?id=26889743.

WrtCdEvrydyOP4y ago

Are you serious? If I publish a paper on the social engineering vulnerabilities we have used over the last three months to gain access to your password and attempt to take over Hacker News, you would be fine with it? No outburst, no angrily banning my account...

burnished4y ago

It seems odd that you are responding with a threat, or at least a threatening hypothetical to a (the?) moderator.

The way I understand it is that unnecessarily angry or confrontational posts tend to lower the overall tone. They are cathartic/fun to write, fast to write, and tend to get wide overall agreement/votes. So if they are allowed then most of the discussion on a topic gets pushed down beneath that sort of post.

Hence why we are asked to refrain, to permit more room for focused and substantive discussion.

1 more reply

DyslexicAtheist4y ago

just write to irb@umn.edu and ask if this was a) reviewed and b) who approved it. It seems they have anyway violated the Human Research Protection Program Plan.

The researchers should not have done this, but ultimately it's the faculty that must be held accountable for allowing this to happen in the first place. They are a for-profit institution and should not get away with harassing people who are contributing their personal time. So nail them to the proverbial cross but make sure the message is heard by those who slipped up (not the researchers who should have been stopped before it happened).

mbauman4y ago

Don't harass people.

WrtCdEvrydyOP4y ago

I'm not harassing anyone... I'm politely reminding this person that ethics are a real thing.

jdsully4y ago

Unless you are an involved party you're just adding to the mob. The kernel maintainers said their piece there's no need for everyone to pile on.

2 more replies

incrudible4y ago

I completely disagree with this framing.

A real malicious actor is going to be planted in some reputable institution, creating errors that look like honest mistakes.

How do you test if the process catches such vulnerabilities? You do it the just the way that these researchers did.

Yes, it creates extra homework for some people with certain responsibilities, that doesn't mean it's unethical. Don't shoot the messenger.

WrtCdEvrydyOP4y ago

> A real malicious actor

They introduced a real vulnerability in a codebase that lowers world-wide cybersecurity used by billions so they could jerk themselves off over a research paper.

They are a real malicious actor and I hope they hit by the CFAA.

toomuchtodo4y ago

There is a specific subsection of the CFAA that applies to this situation (deployment of unauthorized code that makes its way into non consenting systems).

This was a bold and unwise exercise, especially if you’re an academic in country on a revocable visa who participated.

1 more reply

andrewzah4y ago

No. There are processes to do such sorts of penetration testing. Randomly sending buggy commits or commits with security vulns to "test the process" is extremely unethical. The linux kernel team are not lab rats.

xiphias24y ago

It's not simply unethical, it's a national security risk. Is there a proof that the Chinese government was not sponsoring this ,,research '' for example?

2 more replies

incrudible4y ago

> There are processes to do such sorts of penetration testing.

What's the process then? I doubt there is such a process for the Linux kernel, otherwise the response would've been "you did not follow the process" instead of "we don't like what you did there".

1 more reply

willtemperley4y ago

This would absolutely be true if this were an authorised penetration test, however it was unauthorised and therefore unethical.

incrudible4y ago

How exactly do you "authorize" these tests? Giving advance notice would defeat the purpose, obviously.

2 more replies

hctaw4y ago

These are real malicious actors.

incrudible4y ago

You don't know that, but that's also irrelevant. There's always plausible deniability with such bugs. The point is that you need to catch the errors no matter where they come from, because you can't trust anyone.

3 more replies

michelpp4y ago

It is unethical. You cannot experiment on people without their consent. Their own university has explicit rules against this.

j / k navigate · click thread line to collapse

0 comments

dang4y ago

Please don't fulminate on HN (see https://news.ycombinator.com/newsguidelines.html). It's not what this site is for, because it leads to considerably worse conversation.

Even if you're justifiably steaming about something, please wait to cool down before posting here.

We detached this subthread from https://news.ycombinator.com/item?id=26889743.

WrtCdEvrydyOP4y ago

burnished4y ago

It seems odd that you are responding with a threat, or at least a threatening hypothetical to a (the?) moderator.

Hence why we are asked to refrain, to permit more room for focused and substantive discussion.

1 more reply

DyslexicAtheist4y ago

just write to irb@umn.edu and ask if this was a) reviewed and b) who approved it. It seems they have anyway violated the Human Research Protection Program Plan.

mbauman4y ago

Don't harass people.

WrtCdEvrydyOP4y ago

I'm not harassing anyone... I'm politely reminding this person that ethics are a real thing.

jdsully4y ago

Unless you are an involved party you're just adding to the mob. The kernel maintainers said their piece there's no need for everyone to pile on.

2 more replies

incrudible4y ago

I completely disagree with this framing.

A real malicious actor is going to be planted in some reputable institution, creating errors that look like honest mistakes.

How do you test if the process catches such vulnerabilities? You do it the just the way that these researchers did.

Yes, it creates extra homework for some people with certain responsibilities, that doesn't mean it's unethical. Don't shoot the messenger.

WrtCdEvrydyOP4y ago

> A real malicious actor

They introduced a real vulnerability in a codebase that lowers world-wide cybersecurity used by billions so they could jerk themselves off over a research paper.

They are a real malicious actor and I hope they hit by the CFAA.

toomuchtodo4y ago

There is a specific subsection of the CFAA that applies to this situation (deployment of unauthorized code that makes its way into non consenting systems).

This was a bold and unwise exercise, especially if you’re an academic in country on a revocable visa who participated.

1 more reply

andrewzah4y ago

xiphias24y ago

It's not simply unethical, it's a national security risk. Is there a proof that the Chinese government was not sponsoring this ,,research '' for example?

2 more replies

incrudible4y ago

> There are processes to do such sorts of penetration testing.

What's the process then? I doubt there is such a process for the Linux kernel, otherwise the response would've been "you did not follow the process" instead of "we don't like what you did there".

1 more reply

willtemperley4y ago

This would absolutely be true if this were an authorised penetration test, however it was unauthorised and therefore unethical.

incrudible4y ago

How exactly do you "authorize" these tests? Giving advance notice would defeat the purpose, obviously.

2 more replies

hctaw4y ago

These are real malicious actors.

incrudible4y ago

3 more replies

michelpp4y ago

It is unethical. You cannot experiment on people without their consent. Their own university has explicit rules against this.

j / k navigate · click thread line to collapse