Really mad about this Linux kernel - academic research kerfuffle. See: lore.kernel.org/linux-nfs/YH%2

TL;DR: researchers at UMN introduced patches to the Linux kernel that contained known-buggy code TO WRITE A PAPER and the UMN IRB didn't consider it human subjects research :blobangery:

Wtaf were these researchers thinking? How did the IRB not consider this human subjects research? How did someone think this was an ethical thing to do?

hey @VickyRampin ! just wanted to point out for people citing this thread that, according to www-users.cs.umn.edu/~kjlu/pap , they did not apply for IRB *before* the study.

(Which is exemplary of how there is a severe lack of ethics considerations in empirical software engineering research.)

Then, when they did apply, IRB did not consider it human subjects research, as you point out. But there was another major flaw in the process before that one (= not seeking approval).

@zacchiro @VickyRampin I've been an academic social science researcher. It's essential to understand that the core competence of a university IRB is the ethics of _medical_ research. That's what they were created to handle.

The kinds of unethical research they understand, therefore, are the kind where the experiment directly causes bodily harm to participants, and the kind where the researchers' files contain embarrassing secrets about the participants (think "Patient J has syphilis").

@zacchiro @VickyRampin I can very easily see how the UMN IRB didn't think this was human subjects research. The _kernel_ is harmed if the bad patches are applied, but that's not harm to a person.

Making Greg K-H do a bunch of extra work to weed the bad patches back out of the kernel _is_, I would argue, harm to a person, but not the kind of harm they're institutionally set up to recognize.

@zwol @zacchiro @VickyRampin In other threads about this there was talk about trust. And that's the thing here: This research is manipulating the kernel development community by misusing trust, and while the product in question is code, there's a social process built around that. The attack is not targeted at technology, it's targeted at people and the conventions of their community.
I'm a little surprised some of those working in "computer" sciences might not want to see the difference though.

@galaxis

I think that what these researchers did was noble and highly ethical: they proved an (obvious and) dangerous operational issue that was likely exploited before without anybody noticing.

All this drama is just the king that, fooled by thieves, is crying loud that the kids pointing at his nudity must be executed.

@zwol @zacchiro @VickyRampin

@Shamar @galaxis @zacchiro @VickyRampin The experiment may have been worth doing, but the execution was botched. They've both invalidated their own results, and poisoned the well for anyone wanting to do similar research in the future. This in turn means that genuinely malicious actors will probably find it *easier* to get their changes into Linux now.

@zwol

Why do you talk in the future tense?

If a bunch of University students got their bugs in the 's stable tree, it's plain obvious they were not the first.

Also I do not follow your reasoning: why did they invalidate their result? How would that facilitate malicious attackers?

To be honest I think that the Linux developers should thank them for showing that such obvious risks were not just theoretical.

Instead, they stop accepting patches from that university.

It's like when an LED in your car shows that your engine needs oil... and you cover the LED.

@galaxis @zacchiro @VickyRampin
