linux expert warns of open source's growing appeal to hackers
Linux专家警告开源软件日益吸引黑客
purple endurer注:1、warn of:警告(发出);2、appeal to:对...有吸引力;对...产生吸引力》
by John McCormick
作者:John McCormick
翻译;Purple Endurer
英文来源:http://articles.techrepublic.com.com/5100-1009_11-6130846.html?tag=nl.e101
Tags: linux | Open source | Hacking | Security threats | Patches
标签: linux | 开源 | Hacking | 安全威胁 | 补丁
Takeaway: Alan Cox, a well-respected linux developer, warned attendees of London's LinuxWorld that open source software is becoming more attractive to commercial hackers. In this edition of the IT Locksmith, John McCormick fills you in on Cox's statement and tells you about a new organization aiming to stop zero-day exploits.
导读:很受尊敬的Linux开发人员Alan Cox,警告参加伦敦Linux世界会议的人员,开源软件对商业黑客正越来越有吸引力。在本期IT锁匠里,John McCormick向你传输Cox的声明,并告诉你一个新组织旨在停止零日攻击。
purple endurer注:1、attractive to:对…具有吸引力的;2、fill in:填写
A linux guru cautions that open source's growing popularity is attracting the unwanted attention of more hackers. Meanwhile, a new organization aims to stop zero-day exploits by making patches available sooner.
一位Linux领袖警告,开源软件的日益流行对更多黑客有不必要的吸引力。同时,一个新组织旨在通过更迅速地制作补丁来停止零日攻击。
Details
详情
linux expert Alan Cox warned attendees of London's LinuxWorld conference last week that hackers were putting a lot of money and effort into cracking linux and other open source projects. Cox, who works for Red Hat, was especially critical of uninformed media statements about how open source software is more secure and reliable. While some well-known open source projects are e secure, the same doesn't hold true for lesser known projects.
Linux开发人员Alan Cox警告参加上周伦敦Linux世界会议的人员,黑客正投入更多的资金和努力破解Linux和其它开源项目。为红帽子工作的Cox,特别批判了声称开源 软件如何更安全理工可靠的不知情媒体。尽管一些众所周知的开源项目确实安全,但对一些不太为人所知的项目则未必如此。
purple endurer注:1、critical of:对…挑剔的
2、 It is universal truth that holds true for the whole world.这是一条放之四海而皆准的普遍真理。
The veteran developer also took a shot at the European Commission's Software Quality Observatory for Open Source Software (SQO-OSS). The newly launched project aims to monitor the quality of open source development. It will release the core code under the BSD license.
这位老练的开发人员也回应了SQO-OSS。这个新启动的项目旨在监视开源发展的质量。它将在BSD许可协议下发行核心代码。
purple endurer注:1、take a shot:开枪,照相,投球;2、European Commission:欧盟委员会3、Software Quality Observatory for Open Source Software(SQO-OSS)该联盟是由研究机构、从事开放源代码项目的机构组成的,它一半的资金来自成员机构,另一半资金则来自欧盟委员会。 SQO-OSS的目标之一是提供源代码质量标准,帮助证明开放源代码适合在企业部署。它还将根据自己的检测发布报告,为开放源代码软件打分.
Several observers say that SQO-OSS, which boasts a 2.47 million Euro budget, focuses on the wrong metrics of quality and security, particularly by counting all bugs as equal. The overall goal of SQO-OSS is to improve the acceptance and competitiveness of EU software development projects by demonstrating their security. For a list of the project's goals, check out this fact sheet.
若干观察家说号称247万欧元预算的SQO-OSS,把注意力集中在错误的质量和安全标准上,特别是不分大小地计算所有的bug。SQO-OSS的总目标是通过展示安全性来增强欧盟软件开发项目的认同和竞争能力。按项目目标列表检验情况。
purple endurer注:1、check out:离开(登记,检验,合格,计算总价并收钱,开支票付款,死);2、fact sheet:情况说明书.
Less than zero?
少于零?
Becoming increasingly more concerned about businesses that are ignoring cyberattacks until they reach the point of wide exploitation, security experts have coined a new term—the "less than zero-day" attack. Zero-day attacks are ones that take place between the time of an exploit's publication and the release of the initial patch or antivirus/malware signature.
对商业公司忽略网络攻击直至其泛滥忧虑日益增加,安全专家们已造出了一个新术语—“小于零”攻击。零日攻击发生于漏洞公布日到发布补丁或反病毒/恶意软件特征码日之间。
purple endurer注:1、concern about:对…的关心/忧虑
But rather than waiting until "official" vendor patches become available, a new online organization—the Zeroday Emergency Response Team (ZERT)—aims to respond to release reliable non-vendor "emergency" patches for exploits as soon as they appear to pose a serious risk of exploitation. Of special interest to many users may be the ZProtector framework for patching zero-day vulnerabilities for Windows—beginning with Windows 95! As you probably know, this range includes a number of platforms no longer supported by Microsoft.
但不必等到官方补丁可用,一个新的在线组织—零日紧急响应小组 (ZERT)—致力于针于可能产生严重风险的漏洞发布可靠的非官方紧急补丁。对一些用户特别有趣的可能是针对Windows零日漏洞打补丁的 ZProtector framework——从Windows 95开始。你也许知道,这个范围包括许多微软不再支持的平台。
purple endurer注:1、rather than:宁可...也不愿(与其...倒不如,而不是);2、appear to:看来像是(看来似乎)
Although ZERT works with a number of security tool vendors, the organization has no direct affiliation with any particular vendor. To see how ZERT approaches emergency patching of zero-day threats as compared to the official Microsoft patches, check out this ZERT analysis PDF document of the recently patched CVE-2006-4868 vulnerability.
ZERT尽管与许多安全工具提供商协作,这个组织不直接与特定提供商打交道。想看看与微软件官方补丁相比,ZERT如何处理零日威胁紧急补丁,就找近期ZERT对CVE-2006-4868 vulnerability漏洞补丁的分析PDF文档罢。
purple endurer注:1、affiliate with:交往;2、as compared to:相比(同...比较起来)
Final word
结束语
It should be obvious that the growing adoption of linux by many businesses and government organizations means a lot of serious commercial hackers will be turning their attention to exploiting any flaws they can locate. However, it will likely take a number of public statements from respected linux developers to really draw attention to this fact.
显而易见,一些商业公司和政府组织采用Linux的增长意味着大量商业黑客将把注意力转向利用其可定位的漏洞。然而,这同样使来自受尊敬的Linux开发人员的大量公开声明转向真正注意这个事实。
purple endurer注:1、draw attention to:促使...注意(引起对...的注意)
And speaking of obvious, it should go without saying that cyberthreats are most dangerous before an official patch is available. Unfortunately, many network managers aren't paying enough attention to this reality—even though their networks are the ones most at risk. I like the idea behind ZERT, but the project is in its infancy. Only time will tell if ZERT really has the solution.
说到明显,不用说,在官方补丁可用前网络威胁是最严重的。不幸地是,一些网络管理员c对此不够注意——即使他们的网络是最危险的。我喜欢ZERT的主意,但该项目还处于初期,只有时间会说明ZERT是否真的有解决方法。