
Bilingual reading | Computer security is broken across the board

2017-04-21 Compiled by Wu Yue, Fanba

OVER a couple of days in February, hundreds of thousands of point-of-sale printers in restaurants around the world began behaving strangely. Some churned out bizarre pictures of computers and giant robots signed, “with love from the hacker God himself”. Some informed their owners that, “YOUR PRINTER HAS BEEN PWND’D”. Some told them, “For the love of God, please close this port”. When the hacker God gave an interview to Motherboard, a technology website, he claimed to be a British secondary-school pupil by the name of “Stackoverflowin”. Annoyed by the parlous state of computer security, he had, he claimed, decided to perform a public service by demonstrating just how easy it was to seize control.

Over a few days this February, hundreds of thousands of receipt printers in restaurants around the world started misbehaving. Some printed bizarre images of computers and giant robots, signed "with love from the hacker God". Some printed "YOUR PRINTER HAS BEEN PWNED". Others printed "For the love of God, please close this port". This hacker God later gave an interview to the Motherboard website under the name "Stackoverflowin", claiming to be a British secondary-school pupil. He said he was annoyed at how poor computer security is and had decided on this public-service action to prove that taking control of these computers is as easy as it gets.


Not all hackers are so public-spirited, and 2016 was a bonanza for those who are not. In February of that year cyber-crooks stole $81m directly from the central bank of Bangladesh—and would have got away with more were it not for a crucial typo. In August America’s National Security Agency (NSA) saw its own hacking tools leaked all over the internet by a group calling themselves the Shadow Brokers. (The CIA suffered a similar indignity this March.) In October a piece of software called Mirai was used to flood Dyn, an internet infrastructure company, with so much meaningless traffic that websites such as Twitter and Reddit were made inaccessible to many users. And the hacking of the Democratic National Committee’s e-mail servers and the subsequent leaking of embarrassing communications seems to have been part of an attempt to influence the outcome of the American elections.

Not all hackers are so public-spirited. In fact, 2016 was a year in which malicious hacking erupted. In February 2016 cyber-crooks stole $81 million directly from the central bank of Bangladesh, and would have taken more had they not mistyped a crucial word. In August of the same year, America's National Security Agency (NSA) watched its own hacking tools leaked onto the internet by a hacker group calling itself the "Shadow Brokers". (The CIA suffered a similar humiliation this March.) In October, malware called "Mirai" knocked out the operations of Dyn, an American DNS service provider. DNS can be thought of as the internet's "traffic control centre": it links the numeric IP addresses of machines with the domain names that people can easily remember. After a user types a web address into a browser, DNS address resolution takes them to the page they want. Mirai attacked the DNS servers and paralysed them, address resolution could not complete, "traffic control" failed, and many users could not reach sites such as Twitter and Reddit. The e-mail servers of America's Democratic National Committee were also hacked and a good deal of sensitive correspondence leaked, which may also have been part of a plan by interested parties to influence the outcome of the American election.


Away from matters of great scale and grand strategy, most hacking is either show-off vandalism or simply criminal. It is also increasingly easy. Obscure forums oil the trade in stolen credit-card details, sold in batches of thousands at a time. Data-dealers hawk “exploits”: flaws in code that allow malicious attackers to subvert systems. You can also buy “ransomware”, with which to encrypt photos and documents on victims’ computers before charging them for the key that will unscramble the data. So sophisticated are these facilitating markets that coding skills are now entirely optional. Botnets—flocks of compromised computers created by software like Mirai, which can then be used to flood websites with traffic, knocking them offline until a ransom is paid—can be rented by the hour. Just like a legitimate business, the bot-herders will, for a few dollars extra, provide technical support if anything goes wrong.

Apart from large-scale and purposeful hacking incidents, most hacking is either show-off vandalism or pure crime. Hacking is also getting easier. Stolen credit-card details circulate freely on obscure forums, sold in batches of thousands at a time. Data dealers openly sell "exploits", that is, code flaws that let malicious attackers subvert systems. People can buy "ransomware", software that encrypts the photos and documents on someone else's computer and then extorts a ransom in exchange for the key to the data. These markets for hacking technology are so mature that coding skills are now entirely optional. Botnets, that is, computers infected and controlled by malware like Mirai, can be rented by the hour to attack websites and knock them offline until the ransom arrives. Just like a legitimate business, if anything goes wrong the buyer can pay a little extra and have the bot-herder help sort it out.


The total cost of all this hacking is anyone’s guess (most small attacks, and many big ones, go unreported). But all agree it is likely to rise, because the scope for malice is about to expand remarkably. “We are building a world-sized robot,” says Bruce Schneier, a security analyst, in the shape of the “Internet of Things”. The IoT is a buzz-phrase used to describe the computerisation of everything from cars and electricity meters to children’s toys, medical devices and light bulbs. In 2015 a group of computer-security researchers demonstrated that it was possible to take remote control of certain Jeep cars. When the Mirai malware is used to build a botnet it seeks out devices such as video recorders and webcams; the botnet for fridges is just around the corner.

How much all this hacking costs is anyone's guess (most small attacks and many large ones are never made public). But everyone agrees the cost of hacking is likely to rise, because the scope for malice is about to expand markedly. Bruce Schneier, a security analyst, says: "We are building a world-sized robot" in the form of the "Internet of Things". The "Internet of Things" generally refers to connecting everything from cars and electricity meters to children's toys, medical devices and light bulbs through computers. In 2015 some computer-security researchers found that certain Jeep cars could be controlled remotely. When Mirai malware is used to build a botnet it relies on devices such as video recorders and webcams; in the not-too-distant future even fridges will become its "puppets".


Not OK, computer

Not OK, computer


“The default assumption is that everything is vulnerable,” says Robert Watson, a computer scientist at the University of Cambridge. The reasons for this run deep. The vulnerabilities of computers stem from the basics of information technology, the culture of software development, the breakneck pace of online business growth, the economic incentives faced by computer firms and the divided interests of governments. The rising damage caused by computer insecurity is, however, beginning to spur companies, academics and governments into action.

Robert Watson, a computer scientist at the University of Cambridge, says: "The default assumption is that every electronic device can be broken into." The reasons are complicated. Computers' vulnerability to attack may stem from the foundations of information technology, the culture of software development, the breakneck growth of online commerce, the economic temptations facing computer firms and the fragmented interests of governments. Yet as the damage caused by hacking keeps rising, many companies, academics and governments are starting to act.


Modern computer chips are typically designed by one company, manufactured by another and then mounted on circuit boards built by third parties next to other chips from yet more firms. A further firm writes the lowest-level software necessary for the computer to function at all. The operating system that lets the machine run particular programs comes from someone else. The programs themselves from someone else again. A mistake at any stage, or in the links between any two stages, can leave the entire system faulty—or vulnerable to attack.

Typically, a modern computer chip is designed by one company, manufactured by another, and then mounted on a circuit board built by a third party, and there is more than one chip, often from different firms. Yet another firm writes the most basic software that lets the computer run at all. The operating system that lets the machine run particular programs comes from another firm again. Any mistake in this process, or any error where two stages join, can make the whole computer system fail, in other words, leave it vulnerable to attack.


It is not always easy to tell the difference. Peter Singer, a fellow at New America, a think-tank, tells the story of a manufacturing defect discovered in 2011 in some of the transistors which made up a chip used on American naval helicopters. Had the bug gone unspotted, it would have stopped those helicopters firing their missiles. The chips in question were, like most chips, made in China. The navy eventually concluded that the defect had been an accident, but not without giving serious thought to the idea it had been deliberate.

But it is not always easy to find the faulty link. Peter Singer, a fellow at the New America think-tank, tells of a real case: in 2011 a manufacturing defect was found in some of the transistors in a chip used on American naval helicopters. Had the defect not been found in time, the helicopters would not have been able to fire their missiles properly. Like many other chips, the faulty ones were made in China. The American navy eventually ruled the manufacturing defect an accident, though not without giving serious thought to the possibility that China had done it deliberately.


Most hackers lack the resources to mess around with chip design and manufacture. But they do not need them. Software offers opportunities for subversion in profusion. In 2015 Rachel Potvin, an engineer at Google, said that the company as a whole managed around 2bn lines of code across its various products. Those programs, in turn, must run on operating systems that are themselves ever more complicated. Linux, a widely used operating system, clocked in at 20.3m lines in 2015. The latest version of Microsoft’s Windows operating system is thought to be around 50m lines long. Android, the most popular smartphone operating system, is 12m.

Most hackers lack the means to tamper with chip design and manufacturing, but they have no need to. Software gives them plenty of room to work with. In 2015 Rachel Potvin, an engineer at Google, said that the code across Google's products totalled roughly 2 billion lines. That code, in turn, must run on operating systems that are even more complex. Linux, a widely used operating system, reached 20.3 million lines of code in 2015; the latest version of the Windows operating system is estimated at about 50 million lines; and Android, the most popular smartphone operating system, runs to 12 million lines.


Getting each of those lines to interact properly with the rest of the program they are in, and with whatever other pieces of software and hardware that program might need to talk to, is a task that no one can get right first time. An oft-cited estimate made by Steve McConnell, a programming guru, is that people writing source code—the instructions that are compiled, inside a machine, into executable programs—make between ten and 50 errors in every 1,000 lines. Careful checking at big software companies, he says, can push that down to 0.5 per 1,000 or so. But even this error rate implies thousands of bugs in a modern program, any one of which could offer the possibility of exploitation. “The attackers only have to find one weakness,” says Kathleen Fisher, a computer scientist at Tufts University in Massachusetts. “The defenders have to plug every single hole, including ones they don’t know about.”

Nobody can get every line of code to interact correctly, first time, with the rest of the program it belongs to and with whatever other software and hardware it may need to work with. Steve McConnell, a programming guru, once estimated that in writing source code, that is, the instructions that are compiled into executable programs, people make 10 to 50 errors per 1,000 lines. That estimate has been cited many times. He also says that careful checking at large software companies can bring the error rate down to about 0.5 per 1,000 lines. But even such a low error rate means thousands of bugs in a modern program, any one of which could be exploited by a hacker. Kathleen Fisher, a computer scientist at Tufts University in Massachusetts, says: "The attackers only need to find one hole, while the defenders have to plug every hole, including the ones they don't even know about."


All that is needed is a way to get the computer to accept a set of commands that it should not. A mistake may mean there are outcomes of a particular command or sequence of commands that no one has foreseen. There may be ways of getting the computer to treat data as instructions—for both are represented inside the machine in the same form, as strings of digits. “Stackoverflowin”, the sobriquet chosen by the restaurant-printer hacker, refers to such a technique. If data “overflow” from a part of the system allocated for memory into a part where the machine expects instructions, they will be treated as a set of new instructions. (It is also possible to reverse the process and turn instructions into unexpected streams of data. In February researchers at Ben-Gurion University, in Israel, showed that they could get data out of a compromised computer by using the light that shows whether the hard drive is working to send those data to a watching drone.)

All a hacker needs is some way to make the computer accept a set of commands it should not. A computer error may be the result of executing some particular command, or of commands arriving in an unexpected order, with consequences nobody foresaw. Data and instructions are both represented inside the computer as strings of digits in the same form, so it may be possible to make the computer treat data as instructions. "Stackoverflowin", the online name chosen by the pupil who hit the restaurant receipt printers, refers to just such a technique. If data "overflow" from the memory area of the system into the part where the computer expects instructions, those data are treated as a set of new instructions. (The process can also run in reverse, turning computer instructions into unexpected streams of data. This February, researchers at Ben-Gurion University in Israel showed they could extract data from an infected computer using the light that shows hard-drive activity, and send those data to a watching drone.)
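As an added illustration of the overflow mechanism described above (this is example code, not code from the article or from anyone it quotes), the following C program models a stack frame as a plain byte array: an 8-byte local buffer followed by a 4-byte control word standing in for the saved return address that sits next to such buffers in a real frame. The unchecked copy lets oversized input spill into the control word; the hardened copy rejects it. The frame layout, the sentinel values and the 12-byte input are all constructed for the example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy "stack frame": an 8-byte local buffer followed by a 4-byte control
 * word standing in for the saved return address. It is one byte array, so
 * every access below is well-defined C; the layout is constructed. */
#define BUF_LEN    8
#define FRAME_LEN  (BUF_LEN + 4)
#define CONTROL_OK 0x41414141u   /* constructed sentinel for an intact control word */

struct frame { uint8_t bytes[FRAME_LEN]; };

/* Read the control word stored just past the buffer. */
static uint32_t control_word(const struct frame *f) {
    uint32_t w;
    memcpy(&w, f->bytes + BUF_LEN, sizeof w);
    return w;
}

static void frame_init(struct frame *f) {
    uint32_t w = CONTROL_OK;
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + BUF_LEN, &w, sizeof w);
}

/* Vulnerable pattern: trusts the caller's length, so anything longer than
 * BUF_LEN runs straight over the control word (clamped to the frame so the
 * model itself stays in bounds). Returns the number of bytes written. */
static size_t copy_unchecked(struct frame *f, const uint8_t *in, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, in, n);
    return n;
}

/* Hardened pattern: refuse input that does not fit the buffer.
 * Returns 0 on success, -1 if rejected; the frame is left untouched. */
static int copy_checked(struct frame *f, const uint8_t *in, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(f->bytes, in, n);
    return 0;
}

/* Run a constructed 12-byte input (8 x 'A' then 4 x 'Z') through one of the
 * two routines. Stores the resulting control word in *control_out and
 * returns 1 if it survived intact, 0 if the input overwrote it. */
static int control_survives(int hardened, uint32_t *control_out) {
    struct frame f;
    uint8_t input[12];
    frame_init(&f);
    memset(input, 'A', BUF_LEN);
    memset(input + BUF_LEN, 'Z', sizeof input - BUF_LEN);
    if (hardened)
        copy_checked(&f, input, sizeof input);   /* rejected, returns -1 */
    else
        copy_unchecked(&f, input, sizeof input); /* the 'Z' bytes land on the control word */
    *control_out = control_word(&f);
    return *control_out == CONTROL_OK;
}

int main(void) {
    uint32_t c;
    int ok = control_survives(0, &c);
    printf("unchecked copy: control word 0x%08" PRIx32 " (%s)\n", c, ok ? "intact" : "overwritten");
    ok = control_survives(1, &c);
    printf("checked copy:   control word 0x%08" PRIx32 " (%s)\n", c, ok ? "intact" : "overwritten");
    return 0;
}
```

In the unchecked case the control word becomes 0x5A5A5A5A (four 'Z' bytes, the same on any byte order), which is exactly the "data treated as the next instruction address" situation the article describes; the checked copy leaves it at 0x41414141.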


Shutting down every risk of abuse in millions of lines of code before people start to use that code is nigh-on impossible. America’s Department of Defence (DoD), Mr Singer says, has found significant vulnerabilities in every weapon system it examined. Things are no better on civvie street. According to Trustwave, a security-research firm, in 2015 the average phone app had 14 vulnerabilities.

Finding and fixing every hole in millions of lines of code before users start using it is almost impossible. Mr Singer says that when America's Department of Defence examined its weapon systems, it found serious vulnerabilities in every one. Ordinary people's electronic devices are no safer. According to Trustwave, a security-research firm, in 2015 the average mobile app contained 14 vulnerabilities.


Karma police

Policing cybersecurity relies on heaven rather than on people


All these programs sit on top of older technologies that are often based on ways of thinking which date back to a time when security was barely a concern at all. This is particularly true of the internet, originally a tool whereby academics shared research data. The first versions of the internet were policed mostly by consensus and etiquette, including a strong presumption against use for commercial gain.

All these programs were built on earlier technologies, and the mindset in which those technologies were developed gave no thought at all to computer security. This is especially true of the internet, which was originally just a tool for academics to share research data. The earliest internet had no regulatory system; it relied entirely on users voluntarily following shared norms and etiquette, including a strong common opposition to using it for commercial gain.


When Vint Cerf, one of the internet’s pioneers, talked about building encryption into it in the 1970s he says his efforts were blocked by America’s spies, who saw cryptography as a weapon for nation-states. Thus, rather than being secure from the beginning, the net needs a layer of additional software half a million lines long to keep things like credit-card details safe. New vulnerabilities and weaknesses in that layer are reported every year.

Vint Cerf, one of the internet's pioneers, says that when he worked on building encryption into the network in the 1970s he was obstructed by America's spies, who regarded cryptography as a weapon of nation-states. So the network has been insecure from its beginnings, and the safety of people's credit-card details depends on an additional security layer of half a million lines of code. Yet new vulnerabilities and weaknesses are found in that layer every year.


The innocent foundations of many computer systems remain a source for concern. So does the innocence of many users. Send enough people an innocuous-looking e-mail that asks for passwords or contains what look like data, but is in fact a crafty set of instructions, and you have a good chance that someone will click on something that they should not have done. Try as network administrators might to instil good habits in their charges, if there are enough people to probe, the chances of trust, laziness or error letting a malefactor get in are pretty high.

The shaky foundations of many computer systems remain a cause for concern. So does the lack of security awareness among some users. When an innocuous-looking e-mail arrives asking for a password, or containing instructions that look like data, many people will click on something they should not have. However hard network administrators work, a fair number of users will still be misled or make a mistake that lets malware into their computers.


Good security cultures, both within software developers and between firms and their clients, take time to develop. This is one of the reasons to worry about the Internet of Things. “Some of the companies making smart light bulbs, say, or electricity meters, are not computing companies, culturally speaking,” says Graham Steel, who runs Cryptosense, a firm that carries out automated cryptographic analysis. A database belonging to Spiral Toys, a firm that sells internet-connected teddy bears through which toddlers can send messages to their parents, lay unprotected online for several days towards the end of 2016, allowing personal details and toddlers’ messages to be retrieved.

Building a good security culture among software developers, and between companies and their customers, takes time. That is one worrying aspect of the Internet of Things. Graham Steel, who runs Cryptosense, an automated cryptographic-analysis firm, says: "Culturally speaking, the companies making smart light bulbs or electricity meters are not computing companies." Spiral Toys, an American company, sells an internet-connected teddy bear through which toddlers can send messages to their parents. Towards the end of 2016 its database sat openly online for several days, with all the personal details and the toddlers' messages accessible.


Even in firms that are aware of the issues, such as car companies, nailing down security can be hard. “The big firms whose logos are on the cars you buy, they don’t really make cars,” points out Dr Fisher. “They assemble lots of components from smaller suppliers, and increasingly, each of those has code in it. It’s really hard for the car companies to get an overview of everything that’s going in.”

Even companies aware of these problems, such as carmakers, find it hard to pin down security. "The big companies whose logos are on the cars don't really make cars," says Dr Fisher. "They assemble components from smaller suppliers, and increasingly each of those components has code of its own. So it is really hard for car companies to keep an eye on everything going in."


On top of the effects of technology and culture there is a third fundamental cause of insecurity: the economic incentives of the computer business. Internet businesses, in particular, value growth above almost everything else, and time spent trying to write secure code is time not spent adding customers. “Ship it on Tuesday, fix the security problems next week—maybe” is the attitude, according to Ross Anderson, another computer-security expert at the University of Cambridge.

Beyond the effects of technology and culture there is a third fundamental cause of insecurity: the economic temptations facing internet businesses. In particular, internet companies value growth above almost everything else, and time spent writing secure code is time not spent winning customers. Ross Anderson, another computer-security expert at the University of Cambridge, says the prevailing attitude to security is: "Ship it on Tuesday, fix the security problems next week, time permitting."


The long licence agreements that users of software must accept (almost always without reading them) typically disclaim any liability on the part of a software firm if things go wrong—even when the software involved is specifically designed to protect computers against viruses and the like. Such disclaimers are not always enforceable everywhere. But courts in America, the world’s biggest software market, have generally been sympathetic. This impunity is one reason why the computing industry is so innovative and fast-moving. But the lack of legal recourse when a product proves vulnerable represents a significant cost to users.

The long user agreements that software users must accept (almost nobody reads them) usually declare that the company bears no liability if something goes wrong, even for antivirus and security software. Such disclaimers are not enforceable everywhere. But in America, the world's largest software market, the courts generally lean towards protecting software companies, which is one reason the American computer industry innovates and grows so fast. Yet when a product does turn out to have a security hole, the inability to claim compensation in law is a heavy cost for software users.


If customers find it hard to exert pressure on companies through the courts, you might expect governments to step in. But Dr Anderson points out that they suffer from contradictory incentives. Sometimes they want computer security to be strong, because hacking endangers both their citizens and their own operations. On the other hand, computers are espionage and surveillance tools, and easier to use as such if they are not completely secure. To this end, the NSA is widely believed to have built deliberate weaknesses into some of its favoured encryption technologies.

If users find it hard to put pressure on companies through the courts, they might hope for governments to step in. But Dr Anderson points out that what governments do may run directly against users' expectations. The reason is that governments sometimes want computers to be secure, because hackers harm the public interest and disrupt the government's own operations; but computers are also tools for governments' espionage and surveillance, and security holes in computers work in their favour. To that end, many believe the NSA has deliberately left weaknesses in some encryption technologies.


Increasingly paranoid android

Increasingly paranoid android


The risk is that anyone else who discovers these weaknesses can do the same. In 2004 someone (no authority has said who) spent months listening to the mobile-phone calls of the upper echelons of the Greek government—including the prime minister, Costas Karamanlis—by subverting surveillance capabilities built into the kit Ericsson had supplied to Vodafone, the pertinent network operator.

It might be said that anyone who can find these weaknesses can in theory exploit them too, which is a major threat. In 2004 someone (officials have not said who) tampered with equipment that Ericsson had supplied to Vodafone, the mobile operator, to turn its surveillance capability against the network's own users, and used it to listen to the mobile-phone calls of senior Greek government officials, including the prime minister, Costas Karamanlis, for several months.


Some big companies, and also some governments, are now trying to solve security problems in a systematic way. Freelance bug-hunters can often claim bounties from firms whose software they find fault with. Microsoft vigorously nags customers to ditch outdated, less-secure versions of Windows in favour of newer ones, though with only limited success. In an attempt to squash as many bugs as possible, Google and Amazon are developing their own versions of standard encryption protocols, rewriting from top to bottom the code that keeps credit-card details and other tempting items secure. Amazon’s version has been released on an “open-source” basis, letting all comers look at the source code and suggest improvements. Open-source projects provide, in principle, a broad base of criticism and improvement. The approach only works well, though, if it attracts and retains a committed community of developers.

Some large companies and some governments are now trying to solve security problems systematically. White-hat hackers who find software vulnerabilities often claim bounties from the software company. Microsoft tirelessly nags users to replace outdated, less secure versions of Windows with newer ones, with only modest success. To cut program bugs as far as possible, Google and Amazon are developing their own versions of standard encryption protocols, rewriting the code from top to bottom to protect credit-card details and other valuable information. Amazon's version is "open source", so anyone can read the source code and suggest improvements. Open-source projects in principle provide a platform for wide-ranging criticism and suggestions for improvement, but the approach only works if it attracts and keeps a reasonably stable community of developers.


More fundamental is work paid for by the Defence Advanced Research Projects Agency (DARPA), a bit of the DoD that was instrumental in the development of the internet. At the University of Cambridge, Dr Watson has been using this agency’s money to design CHERI, a new kind of chip that attempts to bake security into hardware, rather than software. One feature, he says, is that the chip manages its memory in a way that ensures data cannot be mistaken for instructions, thus defanging an entire category of vulnerabilities. CHERI also lets individual programs, and even bits of programs, run inside secure “sandboxes”, which limit their ability to affect other parts of the machine. So even if attackers obtain access to one part of the system, they cannot break out into the rest.

DARPA, the Defence Advanced Research Projects Agency, the part of the DoD that helped guide the internet's development, is funding more fundamental work. At the University of Cambridge in Britain, Dr Watson has been using the agency's money to design the CHERI chip, which tries to add security in hardware rather than in software. Dr Watson says one feature of the chip is that it manages memory in a way that ensures data cannot be mistaken for instructions, wiping out that whole class of vulnerabilities. CHERI also lets individual programs, and even parts of programs, run inside secure "sandboxes", limiting their ability to affect the rest of the machine. So even if attackers gain access to one part of the system, they cannot reach the rest.


Sandboxing is already used by operating systems, web browsers and so on. But writing sandboxing into software imposes performance penalties. Having a chip that instantiates the idea in hardware gets around that. “We can have a web browser where every part of a page—every image, every ad, the text, and so on—all run in their own little secure enclaves,” says Dr Watson. His team’s innovations, he believes, could be added fairly easily to the chips designed by ARM and Intel that power phones and laptops.

Sandboxing is already used in operating systems and web browsers. But implementing sandboxes in software costs performance. A chip like CHERI gets around that problem. Dr Watson says: "We could build a web browser in which every part of a page, every image, every ad, the text and so on, runs in its own little secure enclave." He believes his team's innovations could be added fairly easily to the chips that ARM and Intel design for phones and laptops.


Another DARPA project focuses on a technique called “formal methods”. This reduces computer programs to gigantic statements in formal logic. Mathematical theorem-proving tools can then be applied to show that a program behaves exactly as its designers want it to. Computer scientists have been exploring such approaches for years, says Dr Fisher, but it is only recently that cheap computing power and usable tools have let the results be applied to pieces of software big enough to be of practical interest. In 2013 Dr Fisher’s team developed formally verified flight-control software for a hobbyist drone. A team of attackers, despite being given full access to the drone’s source code, proved unable to find their way in.

Another DARPA project focuses on a technique called "formal methods". It reduces large computer programs to statements in formal logic, then applies mathematical theorem-proving to show that a program behaves exactly as its designers intended. Dr Fisher says computer scientists have explored this approach for years, but only recently have cheap computing power and usable tools let the results be applied to large software of practical use. In 2013 Dr Fisher's team developed formally verified flight-control software for a hobbyist drone. In security testing, a team of hackers with access to the drone's entire source code still failed to break in.


“It will be a long time before we’re using this stuff on something as complicated as a fully fledged operating system,” says Dr Fisher. But she points out that many of the riskiest computing applications need only simple programs. “Things like insulin pumps, car components, all kinds of IoT devices—those are things we could look at applying this to.”

Dr Fisher says: "It will be a long time before we can apply this to something as complicated as a fully fledged operating system." But she points out that many high-risk computing applications actually need only simple programs. "We could look at applying it to insulin pumps, car components and all kinds of IoT devices," she says.


Most fundamental of all, though, is the way in which markets are changing. The ubiquity of cyber-attacks, and the seeming impossibility of preventing them, is persuading big companies to turn to an old remedy for such unavoidable risks: insurance. “The cyber-insurance market is worth something like $3bn-4bn a year,” says Jeremiah Grossman of SentinelOne, a company which sells protection against hacking (and which, unusually, offers a guarantee that its solutions work). “And it’s growing at 60% a year.”

Most fundamental of all is the way the market is changing. Faced with cyber-attacks that are everywhere and all but impossible to stop, many large companies have decided on an old remedy: insurance. Jeremiah Grossman of SentinelOne, an American company, says: "The cyber-insurance market is worth about $3 billion to $4 billion a year, and it is growing at 60% a year." The company sells products that protect against hacking (and, unusually, guarantees that they work).


As the costs of insurance mount, companies may start to demand more from the software they are using to protect themselves, and as payouts rise, insurers will demand the software be used properly. That could be a virtuous alignment of interests. A report published in 2015 by PwC, a management consultancy, found that a third of American businesses have cyber-insurance cover of some kind, though it often offers only limited protection.

As insurance costs rise, companies will demand more of the protective software they use; and as insurers' payouts rise, insurers will demand that companies use the software properly. That is a virtuous alignment driven by shared interests. A 2015 report by PwC, a management consultancy, found that a third of American companies had bought cyber-insurance, though the cover usually offers only limited protection.


But it is the issue of software-makers’ liability for their products that will prove most contentious. The precedents that lie behind it belong to an age when software was a business novelty—and when computers dealt mostly with abstract things like spreadsheets. In those days, the issue was less pressing. But in a world where software is everywhere, and computerised cars or medical devices can kill people directly, it cannot be ducked for ever.

But the question of software-makers' liability for their products is contentious. When software was still a new industry and computers mainly handled abstract things like spreadsheets, the question was less pressing. Today software is everywhere, and computerised cars or medical devices can even kill people directly, so the question cannot be ducked for ever.


“The industry will fight any attempt to impose liability absolutely tooth and nail,” says Mr Grossman. On top of the usual resistance to regulations that impose costs, Silicon Valley’s companies often have a libertarian streak that goes with roots in the counterculture of the 1960s, bolstered by a self-serving belief that anything which slows innovation—defined rather narrowly—is an attack on the public good. Kenneth White, a cryptography researcher in Washington, DC, warns that if the government comes down too hard, the software business may end up looking like the pharmaceutical industry, where tough, ubiquitous regulation is one reason why the cost of developing a new drug is now close to a billion dollars. There is, then, a powerful incentive for the industry to clean up its act before the government cleans up for it. Too many more years like 2016, and that opportunity will vanish like the contents of a hacked bank account.

Mr Grossman says: "The industry will fight any attempt to impose liability on it tooth and nail." Beyond resisting cost-imposing rules, Silicon Valley's software companies broadly hold a libertarian outlook that goes back to the counterculture of the 1960s, with a self-serving belief that anything that hinders innovation harms the public good. Kenneth White, a cryptography researcher in Washington, DC, warns that if the government regulates software companies too harshly, the industry could end up with development costs as steep as the pharmaceutical industry's, where a new drug now costs close to a billion dollars to develop. That is a strong incentive for the software industry to clean up its act before the government does it for them. A few more years like 2016 and that opportunity will vanish, like the contents of a hacked bank account.



Compiled by: Wu Yue

Reviewed by: Zhu Jie

Editor: Fanba Jun

Source: The Economist




