kube-system's comments

Not all security research is the same. There’s a lot of room for nuance in this discussion.

I think there’s a lot of things that many people would agree should be protected. For instance, people who report vulnerabilities they just happen to stumble upon.

But on the other end of the spectrum, there are a lot of pen testing activities that are pretty likely to be disruptive. And some of them would be disruptive, even on otherwise secure systems, if we gave the entire world carte blanche to perform these activities.

There are certainly some realms of security where technology can solve anything, like cryptographic algorithms. But at the interface of technology and society, security still highly relies on the rule of law and living in a high trust society.


The ideal scenario is that a responsible security engineer finds the problem, and doesn’t cause a power outage. Power outages aren’t necessarily just an inconvenience, they can cause serious economic damage, and kill people.

I think there’s a better solution somewhere in between doing nothing, and letting bumbling idiots recklessly fool with things they shouldn’t be messing with.


Sure, we should avoid people purposely doing harmful things, but they should be given the benefit of the doubt unless it can be proven they were intentionally doing harm beyond just testing the security.

One thing that is not a good option is the status quo we're discussing here, in which a "bumbling idiot" can take down a city power grid. If that's how things are, then we shouldn't cower and hope we remain safe from every idiot out there; we need to shake things up and find the problems now. Hopefully without actually taking out any power grid.


People accidentally doing harm can cause significant problems too -- that's why many professions require licensing and we don't let random people practice medicine, even if they have good intentions.

The problem here is that most security testing is not just the Hollywood narrative of "some people running nmap and finding critical vulnerabilities that take down the power grid". Plenty of the real-world security vulnerabilities in large-scale systems that do exist are at the interface between technology and humans, and those are the vulnerabilities that computer science often can't reasonably fix: social engineering, trust systems, physical-layer exploits, etc.

In securing any large system, there are going to be many low-impact issues that do exist but aren't necessarily important (or even desirable) to fix because the impact to fix them is too high, and the likelihood of exploit is low because it is impractical as an attack vector. But legalizing the exploit of these edge cases would guarantee you'd see issues, because you're creating a financial opportunity where there was previously not one.

For example: we don't need to incentivize a wave of thousands of script kiddies fiddling with their power meters, trying to social engineer support staff, running DoS scripts against the public website, etc. Those things aren't helpful in improving critical infrastructure, they're just going to cause a nuisance and make things difficult for people.


DDoS is not valid security research, it's just destruction.

Also, we need to clarify the scenario because you said:

> the likelihood of exploit is low

but you also mention the need to stop people "accidentally" exploiting the system, so which is it?

A system that can be accidentally broken by bumbling idiots does not deserve protection IMO.


> DDoS is not valid security research, it's just destruction.

I didn't say anything about DDoS in my comment. DoS is a term referring to a loss of availability. Availability is one of the three fundamental parts of the CIA triad, so yes, it is absolutely something security researchers evaluate.

> Also, we need to clarify the scenario because you said:

> the likelihood of exploit is low

> but you also mention the need to stop people "accidentally" exploiting the system, so which is it?

I said "accidentally doing harm". For a real world exploit to happen, you have to have a couple of different things align. First, you need a vulnerability. Second, you need some way that somebody could exploit that vulnerability. Third, you need a reason that somebody's going to do it. A vulnerability simply existing isn't enough to make it a problem.

Now, in an academic lab environment, most people don't really care about the likelihood of exploit or the motivations of an attacker. Because the point is academic computer science.

But the people who secure systems in the real world have to care about the likelihood of exploitation and the motivations of their attackers. Because it's not possible to secure everything in a production environment, where you also have to ensure the availability of the system and the usability of the system to your stakeholders. You always have to make a compromise between the two.

So, in the real world: the locality of the attacker, the legal environment, and the impact of the exploit all play very significant roles in how someone might weigh the significance of an exploit.

To make up a contrived example:

Let's say that all I have to do to cancel electricity service is create an online account using the information from a power bill, and press the cancel button. There's an obvious exploit here. I could dig through my neighbor's trash, get a copy of their bill, create an account, and shut off their power.

Do we wanna legalize this activity? No, I don't think so. Are we at risk of a nation state exploiting this? No, probably not, because they don't have access to everyone's trash everywhere. Also, you couldn't really do this at scale because it would be obviously not intended. Should we require more authentication just to say we've plugged the hole? Also, probably not. Electricity service has to be accessible to people. We can't require onerous authentication, when many of the customers may be elderly, disabled, etc. Instead, we as a society solve this problem by making this activity a crime. And this works just fine, because anyone who has physical access is already in that legal jurisdiction as well.

I'm sure you can imagine dozens of other similar scenarios. The point is that information security is a lot more complicated than just adding authentication to a webpage. Information security isn't a technology problem. It's a people using technology problem.

I don't think we want to legalize activity similar to what is in my above scenario. That's the kind of situation where people may be accidentally causing harm that they wouldn't be doing now, because they would go to jail. But if you legalize it, people are going to do it in an attempt to monetize it.


I wish more people understood that metaphorical colloquialisms are not intended to be taken literally.


so is it exponential growth or decay he's talking about?


The criteria by which something is "sexual" may be debated, but there is one thing that is 100% certain: it doesn't revolve around your personal preferences.


> It's sexual for a decent proportion of people - just the fact that this article was tagged NSFW shows that.

Most workplaces would find there to be many categories of inappropriate things other than sexual content: violence, profanity, non-sexual imagery of people in unprofessional contexts, etc.


I don't think anyone is seriously considering that this article was flagged as NSFW for the reasons you quote.


Office environments expect a certain degree of modesty, far beyond most people's bar for "sexuality".


The license snippet you quoted means that they have given YOU the right to copy, change (or compile), and redistribute, distribute anything you've created from it. Nothing about that implies contributors are required to give you binaries.

This isn't all that uncommon -- usually open source licenses only apply to the source.

> comically easy to bypass and literally forces someone to automate a github mirror that builds new releases. You're essentially enforcing the existence of a fork. They even provide the github actions necessary to do so in their repo already...

Yeah, cloning and building software is something that is straightforward for software developers to do. Traditionally people would clone software to their own machine, but you can use GitHub or whatever tools you want to work with the source. I'm not sure if I would call this a "bypass" -- this is the typical way FOSS software has always worked, and it's part of the reason why FOSS is popular :)


>I'm not sure if I would call this a "bypass" -- this is the typical way FOSS software has always worked, and it's part of the reason why FOSS is popular :)

Any other packages you know of that are open source but have a trap license where if you download it through the package manager you owe them money? :)

Plus the license mentions the binaries have to be distributed with the same license. Attaching an "if you click this download button you owe us $10000" button doesn't seem very typical of common FOSS values :) I'd say a big reason FOSS is so popular is the free and open source nature :)


> Any other packages you know of that are open source but have a trap license where if you download it through the package manager you owe them money? :)

It's pretty common in Google Play and the Apple App Store. The only difference here is that payment is on the honor system.

> Plus the license mentions the binaries have to be distributed with the same license.

Sure, but there's nothing in that license that says you can't ask for money for the binaries. The only requirement of distribution in the license is:

> (A) Reciprocal Grants- For any file you distribute that contains code from the software (in source code or binary format), you must provide recipients the source code to that file [...]

It doesn't say: "if you distribute source, you must distribute binaries"

You are free to ask for money for the binaries. Now, due to the terms of the license, anyone else could distribute that binary. But it doesn't require you to do it for free.

> Attaching a "if you click this download button you owe us $10000" button doesn't seem very typical to common FOSS values :) I'd say a big reason FOSS is so popular is the free and open source nature :)

FOSS distributions have been commercially sold for many decades. I bought my first copy of Linux. FOSS has traditionally only applied to source code and any related activities have long been left open for commercial opportunity. This is how FOSS companies afford to operate.


I don't know about Germans, but I do know Americans can legally work in America. There wouldn't be much of a "front" required.


Maybe an American wants to be over-employed, has felony convictions, wants to work in an ITAR field but is married to a Russian immigrant, whatever. Some reason to launder the identity.

How much worse is the crime because of North Korea? Would it be markedly different for Russia/Iran vs. a formerly close ally like Canada?


I expect it's also a sanctions violation, not just fraud in this case.


Why would they need to be involved in the scam? A hiring manager or recruiter is already incentivized to hire. This is the danger in hiring people who are fully remote without meeting them in person, which some companies do.


> Consumer Reports found that HEVs were the most reliable, and PHEVs the least reliable. That's nonsensical, there's little difference between the two.

Eh, it's not so much nonsensical, as it is that you're just misinterpreting the data.

This conversation here is specifically about powertrain reliability, but that isn't what Consumer Reports measures. They measure complaints about any feature on the vehicle, including ancillary accessories unrelated to the vehicle's ability to transport people.

But also as you point out, shitty engineering (Stellantis's specialty) is a bigger issue than any particular drivetrain type.


That's a common misconception, but hybrids are almost never as complicated as an ICE powertrain plus an EV powertrain. E.g. most hybrids are able to eliminate many parts that ICE vehicles require, like starters, drive belts, multi-ratio transmissions, alternators, etc. Because of this, many hybrids surpass ICE-only vehicles in reliability.

