Preview Mode Links will not work in preview mode

Apr 27, 2021

@pageinSec on Twitter


Dan Kaminsky obit:


Spencer Geitzen:

Seems like a number of patches were added (~190) and each had to be reviewed response to researchers

Linux Kernel mailing list:

@sarahJamieLewis shows the change they submitted in their paper: (appears the researcher deleted this paper from their site.) (researcher deleted this paper from their site.)
“Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned---Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.”

NSF Grant application (thank you Page!) 

NSF IRB requirements (from 2007):

Might be more recent - Human Subjects | NSF - National Science Foundation

The researchers issued an apology today 25 April: *thanks to Zach Whittacker’s security mailing list..*

Thought provoking question for your show: is it realistically possible for an organization to build and scale a culture of code review that catches malicious insertions through (1) expert analysis; (2) adversarial mindset?

Co-author of :


Introduction of bugs (meaningful or otherwise) caused more work for devs.

Revert list of 190 patches (threaded): 

Quick overview of using deception in research from Duke’s IRB: Using Deception in Research | Institutional Review Board (

Is this better? Where’s the line on this?