That's the cybersecurity equivalent of testing the construction techniques of a functioning dam, by trying to stress it with dynamite! And without clearing it with either those responsible for maintaining it or those potentially affected by its failure!

Furthermore, informed consent is one of the hallmarks in research ethics, which you & the perpetrators seem to be completely missing!

If self-interest disqualified kernel contributions, then kiss goodbye most contributions from most corporate contributors!

Anyway, here are a few that aren't tied to using Linux in a MS context or with MS-specific technologies:

• https://www.phoronix.com/scan.php?pa...ity-Linux-5.12
• https://www.phoronix.com/scan.php?pa...vileged-Chroot
• https://www.phoronix.com/scan.php?pa...-PRM-OSFC-2020

As opposed to what? What would you have us use, instead? How should Linux deal with corporate contributors, and what kind of effect do you suppose that would have?

Do you think Linux would really be better if they took little interest in it? I remember those days, and it was not fun to have to wonder if it would run stably on your hardware, and if all the basic features of your machine would work properly.

It's wrong to lump together harm resulting from a "tragedy of the commons" with destructive actions taken out of direct self-interest. It's like you're using unintended negative consequences to justify all acts of wrongdoing.

I know you're smarter than that, but your cynicism dial seems to be turned up to 11. If you're aiming to play a constructive role in these discussions, consider trying to post when you're in a better mood. If you're just here to blow off steam, I'd suggest finding another outlet for that.

I see, since you can't prove me wrong, the next best thing you have in your arsenal is to claim I actually proved myself wrong. Now that's true genius at work...

What's more, you pick that anemic and exceedingly childish attempt at faux argumentation as the place to refer to me as childish, or if you will - unknowingly exposing yourself further by resorting to by-the-book projection of your personal flaws onto those that make you rightfully feel uncomfortable for them. Or the good old "I am not it, you are it" in its subconscious, involuntary form.

In addition to the "you wrong because 'something entirely unrelated to the actual subject'", you exhibit another prominent childish behavior pattern - not knowing how little you know. Having a sense of humor doesn't in any capacity render people right or wrong, you know, neither does politeness, correctness, manners, personal beliefs or anything.

You know, in perfect good faith - you are not really doing yourself any favors, you are catering to and reinforcing your flaws. You may spend years and hundreds of thousands of dollars on psychiatrists without ever hearing as much of what you need to hear, that's actually how altruistic I am My gift to you, take it or leave it.

It absolutely isn't. It is the equivalent to attempt to sneak in a bag of "dynamite" branded confetti to see if the dam security will do its job properly and stop you.

I'll fully admit I didn't read the paper. Whether or not it contains valuable findings is beside the point. The value of a paper's findings don't justify ethics violations in the underlying research. Furthermore, if the research was conducted in an unethical manner, there are likely procedural errors, as well. And that should cast doubts on whatever conclusions it claims to draw,

There were other ways to do that research that wouldn't be unethical or pose risks to large numbers of non-consenting parties. These guys just took the easy, lazy, and cheap option.

It certainly has, but since you've apparently been living under a rock for like 50 years, here's some reading for you:

https://www.google.com/search?q=ethi...ds+in+research

That's why ethical standards have been established -- specifically so that researchers know what is expected of them. It is also necessary that they be sanctioned, when they violate these standards, as a deterrent for others.

This is kind of like my theory that extremely cynical people just like to believe that everyone else is as unscrupulous as they are, in order to make themselves feel better about their own self-dealing.

Wow - you do see why I think you are admitting you are wrong (most people stop when it is pointed it out and get back to the point).

To summarise:
- I agree with you that researching how security vulnerabilities get into the Linux Kernel is valuable.


The stuff I am pointing out, and you are ignoring:
- Deliberately attempting to add malicious code to a software project is (likely) some kind of criminal act.
- University researchers must remain within the law. Most obviously by getting written approval from Linus or someone (which is what penetration testers do).
- That their motivation was good wouldn't stop them being found guilty, although it would affect a sentencing (they won't go to jail).
- There are plenty of existing vulnerabilities that have been introduced and found in the Kernel that can be studied for the research, adding one additional bug won't expand human knowledge.

No. And neither has RedHat or any other kernel contributor ever, or Linus Torvalds himself. That's how open source is intended to work: people can modify the project or collaborate on it in order to get some benefit for themselves (financial, operational, reputational or otherwise).

Considering that the ONLY alternative is to be reduced to an irrelevant toy system for hobbyists, I'm more than happy with that. It lets me exercise the Four Freedoms in full. As Stallman once said, the point is not to stop people from making money developing software; it's to let people make money developing Free Software.

This has nothing to do with the cancel culture. It has everything to do with malicious software developers purposefully damaging the kernel.

Enough with all this horseshit feel-good virtue signalling.

If it were one of Microsoft's open source projects or even the Windows code that was targeted by the researchers, most of people people in here will singing a goddamned different tune.

I don't think anyone is disagreeing with the value of researching how vulnerabilities get into software. The problems is that the University allowed the students to do it without getting some kind of authorisation, which is standard for penetration testing. That leaves them open to all kinds of legal problems.