Woah, the thing that leapt out at me, as a professor, is that they somehow got an exemption from the UMN institutional review board. Uh, how?? It's clearly human subjects research under the conventional federal definition[1] and obviously posed a meaningful risk of harm, in addition to being conducted deceptively. Someone has to have massively been asleep at the wheel at that IRB.

[1] https://grants.nih.gov/policy-and-compliance/policy-topics/h...

The ultimate problem is that it's easy to fake stuff so you have to use heuristics to see who you can trust. You sort of sum up your threat score and then decide how much attention to apply. Without doing something like that, the transaction costs dominate and certain valuable things can't be done. It's true that Western universities are generally a positive component to that score and students under a professor there are another positive component to the score.

It's like if my wife said "I'm taking the car to get it washed" and then she actually takes the car to the junkyard and sells it. "Ha, you got fooled!". I mean, yes, obviously. She's on the inside of my trust boundary and I don't want to live a life where I'm actually operating in a way immune to this 'exploit'.

I get that others object to the human experimentation part of things and so on, but for me that could be justified with a sufficiently high bar of utility. The problem is that this research is useless.

(2021) Discussion at the time (3025 points, 1954 comments) https://news.ycombinator.com/item?id=26887670

The stupid thing about the experiment was that it's never been a secret that the kernel is vulnerable to malicious patches. The kernel community understood this long before these academics wasted kernel maintainer time with a silly experiment.

>Then, there’s the dicier issue of whether an experiment like this amounts to human experimentation. It doesn’t, according to the University of Minnesota’s Institutional Review Board. Lu and Wu applied for approval in response to the outcry, and they were granted a formal letter of exemption.

I had to apply for exemptions often in grad school. You must do so before performing the research -- it is not ethical to wait for outcry then apply after the fact. Any well run CS department trains it's incoming students on IRB procedures during orientation, and Minnesota risks all federal funding if they continue to allow researchers to operate in this manner.

(Also "exempt" usually refers to exempt from the more rigorous level of review used for medical experiments -- you still need to articulate why your experiment is exempt to avoid people just doing whatever they want then asking for forgiveness after the fact)

Imo, the experiment was worthwhile, it exposed a risk, hopefully the kernel is better armed against similar attacks now.

Pretty ridiculous. If I send them an email with a stupid question wasting their time on purpose just to see if they'll reply is that "human experimentation"? What a loose definition.

More to the point; are they salty because the author has possibly proved that it's most certainly possible to get critical flaws into the Linux kernel with social engineering? How else is something like that meant to be tested?

If you give them a heads-up they'll pay more attention for a short duration of time.

Did they ever get un-banned ? IIRC, that Univ has/had great Computer Science Dept.

But there is always the BSDs.

While I did see some problems with their approach (i.e. doing the IRB reviews retroactively instead of doing them ahead of time, and not properly disclosing the experiments afterwards), I think this research is valuable, and I don't think the authors were too unethical. The event that this most reminds me of the Sokal Squared scandal, where researchers sent bogus papers to journals in order to test those journal's peer review standards.

Wasting time — it’s just burning trust, and the reaction was entirely predictable.

a/b testing the insertion of vulnerable code is not a good idea.

undefined

The uni should just donate to the Linux maintainers for damages - however much time was wasted - and just move on its merry way.

Money is money and buys time, no harm done, useful research conducted, and a whole lot of publicity gained.

> If a sufficiently motivated, unscrupulous person can put themselves into a trusted position of updating critical software, there’s honestly little that can be done to stop them,” says White, the security researcher.

That says a lot about Linux kernel safety.