rene_mobile’s Twitter Archive—№ 7,131

1. …in reply to @kengiter
   @kengiter @IEEESSP Understood, but that unfortunately doesn't answer my question.

2. …in reply to @rene_mobile
   @kengiter @IEEESSP To be clear: without having seen the paper yet (is it already available?), I would consider this to have been an experiment on uninformed human subjects (the maintainers who were asked to merge the code). Therefore the question: did this go through an ethics review board?

3. …in reply to @rene_mobile
   @kengiter @IEEESSP Follow-up: I have now seen the paper preview (thanks to the authors for sharing) and still think this was an experiment on uninformed human subjects. Our review processes need to improve to catch such oversight. CC @thorstenholz for visibility

4. …in reply to @rene_mobile
   @kengiter @IEEESSP @thorstenholz Additionally, there was the chance that only the malicious patch (but not the follow-up patch to fix the intentionally introduced vulnerability) could have been merged and caused real harm to users / third parties. This risk, if considered, was explicitly accepted.

5. …in reply to @rene_mobile
   @kengiter @IEEESSP @thorstenholz Reflecting (dl.acm.org/doi/10.1145/358198.358210 seems appropriate) a bit more on the process part: the whole sad story is disappointing exactly because IRB and peer review processes have not caught a bad experiment in the respective phases. We need to do better. (CC @SarahJamieLewis)

6. …in reply to @rene_mobile
   @kengiter @IEEESSP @thorstenholz @SarahJamieLewis Finishing up with an important point: Don't blame the authors (and definitely don't insult or threaten them personally!) - we all make mistakes, and a small team cannot think of all eventualities. Our whole IT security academic community is responsible for process failures.

7. …in reply to @rene_mobile
   @kengiter @IEEESSP @thorstenholz @SarahJamieLewis And it's quite possible that an ethics review board would agree with the experimental setup when discussed in all detail (Twitter is a bad medium for that). However, I would not trust myself and my small team to decide that for our own experiments. IRBs are our friends/insurance.

8. …in reply to @rene_mobile
   @kengiter @IEEESSP @thorstenholz @SarahJamieLewis (With a shout-out and many thanks to the thorough and patient @torproject Research Safety Board members, who have recently reviewed the second iteration of our proposed experiment on hidden service protocol details. This interaction has helped us learn and design a better setup.)