Your argument would make sense if all exploits were equal. Think of it more like infecting people with weakened/dead forms of potentially deadly diseases so they will be better protected against that disease. The weakened form, while it may not be risk free, is not equal to the harm of a full-blown infection.
> Think of it more like infecting people with weakened/dead forms of potentially deadly diseases so they will be better protected against that disease.
If these guys want to be regarded as researchers, they need to act like them and be accountable like them. No ethics committee would ever approve a test like this.
The IRB as it currently stands is too strict with its regulations. Also, why should the researchers be regulated when the ones producing the things that are initially putting people into danger are not regulated (or are regulated by bureaucrats who couldn't tell you the difference between a buffer overflow and a SQL injection)?