University of Minnesota Linux "Hypocrite Commit" Researchers Publish Open Letter


  • coder
    replied
    Originally posted by ddriver View Post
    I suggest you put precedence on what people do rather than what they say.
    Well, all we have is your words.

    Originally posted by ddriver View Post
    I have no urges to see things any better or worse than they are. I am fine with acknowledging reality with its problems, because you cannot solve problems you aren't willing or able to acknowledge, and most problems you cannot really escape.
    It's good to hear that you're interested in being a realist, but extreme cynicism leads to apathy, which runs contrary to the sort of pragmatic ethos of a true problem-solver.

    Originally posted by ddriver View Post
    I do not consider myself unscrupulous, even back in my days of graphics design, I do recall putting quite a lot of attention and care into "single pixel" trivial matters
    There's a difference between being a perfectionist and being principled. In the worst case, perfectionism can act as a sort of licensing behavior, leading one to commit transgressions elsewhere.

    Originally posted by ddriver View Post
    than I've seen medical professionals utilize when dealing with human lives, which IMO is something extremely unethical and worthy of extreme criminal punishment. I honestly do wish when my time comes to receive medical care, it is from someone with my degree of unscrupulousness.
    This is a funny analogy, because it highlights exactly how little the real issue is one of ethics. Do you care about the ethics of people working the assembly line who assembled your cell phone? No, because there are systems in place to ensure the quality of the end product. Likewise, the problem with the quality of medical care isn't so much the ethics of the practitioners as the lack of the same kinds of systems to ensure consistency and quality of the results.

    Originally posted by ddriver View Post
    It is 99% about money and 1% about power, we have an entire medical industry ...
    We're no longer talking about computer security, at this point, and you're being awfully vague while providing zero references. So, I'm going to suggest leaving that subject for a different time and place.

    Originally posted by ddriver View Post
    ... and nobody seems to have an ethical issue with that.

    But you have an ethical issue with some students doing a study
    When did you ever ask anyone here if they have such ethical concerns? How else can you presume to know?

    And, again, it seems as though you believe that if one person gets away with unethical behavior that we should stop trying to hold anyone to any sort of ethical standard. That sounds to me like a slippery slope towards anarchy.

    Originally posted by ddriver View Post
    if you believe that human morals or ethics are allowed to take precedence to money and power,
    The standards of ethical research are well-established and routinely enforced. As an avowed realist and a pragmatist, I'm sure you're not one to let "perfect" be the enemy of "good". So, the answer is to hold people accountable and try to uphold these standards to the best of our collective ability. It's not perfect and it won't make the world a utopia, but it's a lot better than it'd be, otherwise.

    You don't see all police quitting their jobs just because a handful of criminals get away with murder, do you?



  • gigi
    replied
    This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper.
    this is unpardonable and full of sarcasm.



  • ddriver
    replied
    Originally posted by leo_sk View Post

    Sure, but it is more akin to a situation like a component manufacturer sends bad components to the vehicle manufacturer, who is unaware of the defects in those components, just to research how easily those components are included in the final vehicle that are sold to customers.
    Is it okay for the safety of customers to be compromised?
    If you need to check if the quality inspection of that manufacturer, then yes - that is the way. If it is a critical component, you cannot base safety on a long chain of "it is supposedly tested" - it has to be tested at every step. And how can you verify that it is tested at every step other than to... test every testing step. And you can't do that without sending defective units, to see if those get detected.

    Such a thing can easily be done properly - by taking into account the manufacturing cycle, and making sure to inform of the procedure long before the product reaches end users. And if the manufacturer was lousy at testing, it would serve them right, the extra cost of inspecting the entire affected batch oughta teach them to know better next time.

    Obviously, if you inform in advance that there will be faulty units for the sake of testing, you can expect that they take extra effort to do it, which is a big NO NO, because that kind of scrutiny is a MUST 100% of the time, not something you have to educate people to get into on explicit notice.

    There is this thing called "acceptable" casualties. You know, it wouldn't cost all that much to make cars 100 times safer. The airplanes that carry bombs are much safer than airplanes that carry civilian passengers. Because PROFIT. They cut corners to come within some range of "acceptable loss of human lives" balanced against making good profits. The industry is already willing to let preventable deaths take place for profit. How does this realization stack with your noble ethics?

    How come some people see a bigger ethical issue with something that realistically couldn't have harmed anyone than with things that already cost human lives based on conscious decisions?

    And lastly, what does linux care about people getting killed? Is there some GNU clause that linux can't be used to kill people? Because I am pretty sure there's linux in most machines that kill. Or maybe, it is only OK when it is intentional? I don't recall licensing mentioning any sort of warranty or accountability for linux whatsoever.
    Last edited by ddriver; 25 April 2021, 06:39 AM.



  • blackiwid
    replied
    Originally posted by ddriver View Post
    You know, this is how prisons get full of people who haven't really done anything worse than being silly, and for that they are put in a place that has extremely good chance of forcing them to become real criminals out of necessity.
    You can't make excuses for crimes just because your prison and law system sucks, I know that is a very emotional subject so I would argue that rape sentences (maximum sentences) are way too high, like 10 times of here in Germany, but not only that but the prisons are so horrible and torture that they are unbearable.

    But that can't mean that we get all people out of prison even if they are torture facilities in the US, with no good reintegration assistance afterwards, basically it's the slavery system kept alive for prisoners, including like they did not give black slaves the vote they take it from prisoners, too. (also unthinkable here)

    But you have to solve this by changing the laws not by looking away when crimes happen, that said if the sentence is high enough and it's not likely to repeat, I also would suggest to not press charges especially if there were no bad intent or the person did the crime while being subject to alcohol and not in full control of his actions.

    Yet I don't see anything apply to that case, and you cannot do this criminal charges but the university could fire somebody responsible and let go the researchers and dismiss them from studying.

    They do the same with barely accusations of rape, a smaller crime because these changes could cost somebody's life, rape especially as broad as it's defined in the US and universities, usually don't have that problem in place.

    So if students get more or less automatically kicked from the university because a woman accuses them and they find not very good proof that she lied, (reverse of burden of proof) I expect the university to do similar actions in this case where the guiltiness of the at least moral crime is not in question.

    I read only this news so maybe they specifically apologized for the racist claims because that would also be very important to let them back, such claims from people speaking in the name of the university are unacceptable, too.

    If they kick at least somebody if not all involved I could see reducing the banning to some time frame like 5 years maybe even less, but I would not allow them to bully / pressure with this open letter to feel pity for them, to just give them again what they want.

    They must learn that bad doings have bad consequences and an apology alone is never good enough, if I rob some lady's handbag, an apology is also not good enough.



  • OneTimeShot
    replied
    Originally posted by ddriver View Post

    Lastly - responsible for what exactly? I don't see an offense here whatsoever.
    As myself and countless other people have been telling you:
    - Attempting to introduce malicious code into a software project without written consent may cause legal problems for these students.

    It probably isn't even a legal grey area - it'll be "turn up in court and admit that they did it". Sure they wouldn't get much in terms of punishment.

    In any case, the University messed up hard by leaving them exposed.



  • ddriver
    replied
    Originally posted by leo_sk View Post

    I see you are trying to excessively extrapolate to create a weak argument where none exists, but it would be more helpful to your case if you rather explain why the University should not be held responsible.
    It is a combination of two common literary devices called exaggeration and juxtaposition. It doesn't serve to invent a point where there isn't one, but to amplify and outline an existing one. A procedure, warranted by the obvious inability of some individuals to identify the issue without it. Alas, still insufficient for some.

    But still, if you consider exaggeration bad, you should also have a problem with the linux foundation exaggerating this far more than I exaggerate their exaggeration. Since you know, context, intent and end result is clearly irrelevant, and we are dealing with immutable absolutes here.

    Lastly - responsible for what exactly? I don't see an offense here whatsoever.

    Is there a tangible way to determine if the quality control is going to reject code that violates the "ethics" for contribution without contributing in a way that violates said ethics? That is not a rhetorical question.

    There wasn't bad intent here, nor any inflicted damage. It wasn't some covert operation, it was a legit study sanctioned by a legit university, whose only fault was not realizing the willingness of the linux foundation to spin silly theatrics. Decent chance those people have many ways to make better use of their time and energy.

    The only harm done here is that, done by the linux foundation by over-dramatizing the matter.



  • slightEdge
    replied
    Originally posted by andyprough View Post
    They should be unbanned. Cancel culture has no place in a software movement whose foundational concepts are all derived from freedom of speech.
    What is the difference between "cancel culture" and holding a subject accountable?

    Have we gotten to a point where people are so sensitive that they do not want to be called out for misdeeds now?
    Rebels w/o a cause? Wanna be revolutionaries? False visionaries?
    The University...
    • owned up to its mistakes
    • had no problem being called out
    • apologized
    • promised to do better
    • identified what it learned from the experience
    If my child or younger siblings took responsibility like this, I would consider the healing process to be in motion.
    If they exclaimed "cancel culture", I would not.
    The University and the people within are not children obviously. Hopefully, the main point is not lost.



  • OneTimeShot
    replied
    Originally posted by ddriver View Post

    But you have an ethical issue with some students doing a study to see whether quality control will catch bad commits as they should, the word for that is drama queen. And if you believe that human morals or ethics are allowed to take precedence to money and power, you are a naive child at best. I am not saying that they shouldn't, just that they don't outside of the context of public theatrics and comforting wishful thinking.
    No one has an ethical issue with students researching QA processes of the Linux Kernel. A few people have issues with the University "Ethics Committee" allowing them to potentially break the law by not following standard penetration testing authorisation procedures.

    If Linus replied to the thread and said "don't worry - they discussed this project with me and I thought it was valuable, there was no chance that the patch would get through to the final tree" there would be no (or at least, far less of) a problem.

    As is, these students did the computer security equivalent of a doctor performing an operation without the patient's approval. Nothing bad actually happened, but they are still potentially in legal difficulties.



  • coder
    replied
    Originally posted by Sonadow View Post
    Enough with all this horseshit feel-good virtue signalling.
    How is it virtue signalling if no one here knows who I am and if I don't give a damn what they think about me, anyway?

    I'm here precisely because it lets me discuss ideas and topics I care about or find interesting, without a whole bunch of social baggage!

    Originally posted by Sonadow View Post
    If it were one of Microsoft's open source projects or even the Windows code that was targeted by the researchers, most of the people in here will be singing a goddamned different tune.
    I wouldn't, nor do I suspect most others would. I'll grant you that some would, but not most.



  • jaxa
    replied
    Originally posted by OneTimeShot View Post
    Hmm... They do not get it....

    (1) What they did is a CRIME.

    (2) They face JAIL TIME.

    If you want to research how bad code gets into the Kernel (deliberately or otherwise), there's a massive list of existing patches and Git logs for your research. You don't need to submit your own bugs. Penetration testing without authorisation is colloquially called "computer hacking".
    CFAA §1030? Good luck with that. I think the prosecutors in Minnesota are busy right now. xD

