DEV Community


Discussion on: LINUX KERNEL: Researchers from University of Minnesota had no bad intentions- lift ban

stereoplegic (Mike Bybee)

I used to be an ethical hacker (key word: ethical), before I moved to dev full time. It was a lot of fun breaking (into) things and exposing what I broke (into). I ALWAYS had approval beforehand. If I didn't, I would have been fired or worse.

Another relevant concept from InfoSec: Responsible disclosure. Say you do find a vulnerability. If you legitimately care about security (and not just being 1337 on teh internets), you exploit the vuln in a way which doesn't affect others, you make a good faith effort to disclose the vuln to responsible parties - and then provide an ample window for them to patch it - before publicizing it (and only if they don't acknowledge and patch in a reasonable timeframe).

What these "researchers" did was violate, in essence, both of the above principles. They got no authorization from affected parties. They didn't disclose their efforts, and they willingly introduced known vulnerabilities to something which gets shipped (eventually) to everyone using Linux. That this flew under the radar of a department chair is even more concerning.