新坑~

The myth of cyber-security

网络安全的神话

COMPUTER security is a contradiction in terms. Consider the past year alone: cyberthieves stole $81m from the central bank of Bangladesh; the $4.8bn takeover of Yahoo, an internet firm, by Verizon, a telecoms firm, was nearly derailed by two enormous data breaches; and Russian hackers interfered in the American presidential election.

计算机安全是一个矛盾的词语。单单是去年一年，网络黑客从孟加拉国中央银行偷取了 8100 万美元；电信企业 Verizon 以 48 亿美元收购网络公司 Yahoo 的计划差点因为两个严重的数据入侵而失败；俄罗斯黑客干涉了美国总统选举。

Away from the headlines, a black market in computerised extortion, hacking-for-hire and stolen digital goods is booming. The problem is about to get worse. Computers increasingly deal not just with abstract data like credit-card details and databases, but also with the real world of physical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will see computers baked into everything from road signs and MRI scanners to prosthetics and insulin pumps. There is little evidence that these gadgets will be any more trustworthy than their desktop counterparts. Hackers have already proved that they can take remote control of connected cars and pacemakers.

除去这些大新闻，网络勒索，雇佣黑客以及盗窃数字商品的黑市正在爆炸性地增长。问题变得越来越严重。计算机变得不仅仅是处理信用卡账单或者数据库这样的单纯数据，并且开始进入真实的物理世界以及脆弱的人体。现代汽车就是有轮子的计算机，飞机就是带翅膀的计算机。“物联网”的到来将会把计算机植入到从道路标识到核磁共振扫描仪或者胰岛素泵等一切事物中。没有证据表明这些东西会比桌面计算机更加让人值得信任。黑客已经证实他们可以远程控制车辆和心脏起搏器。

It is tempting to believe that the security problem can be solved with yet more technical wizardry and a call for heightened vigilance. And it is certainly true that many firms still fail to take security seriously enough. That requires a kind of cultivated paranoia which does not come naturally to non-tech firms. Companies of all stripes should embrace initiatives like “bug bounty” programmes, whereby firms reward ethical hackers for discovering flaws so that they can be fixed before they are taken advantage of.

坚信安全问题可以通过巧妙的技术措施或者提高警惕的办法来解决的想法很有吸引力。可以确定的是许多公司并没有在安全问题上足够用心。对于一般非技术公司而言这就类似与得了多疑病而显得并不现实。各行各业的公司都应当主动开展类似“bug bounty”这样的计划，依靠这个计划，公司可以奖励那些有道德的黑客以帮助公司发展那些安全漏洞，以便在这些漏洞被利用之前就得到修复。

But there is no way to make computers completely safe. Software is hugely complex. Across its products, Google must manage around 2bn lines of source code—errorsare inevitable. The average program has 14 separate vulnerabilities, each of them a potential point of illicit entry. Such weaknesses are compounded by the history of the internet, in which security was an afterthought .

但是没有方法可以使得计算机绝对安全。软件是极度巨大和复杂的。在其所有产品中，Google 必须维护大约 20 亿行的代码，错误就不可避免。平均每个软件有 14 个独立的漏洞，每一个都可能成为非法入侵的方式。这些弱点伴随着互联网的历史而产生，安全仅仅是之后的事情。