The real solution to malware

Author: Chad Perrin

Translation: endurer, 2009-09-24, 2nd edition

Category: Malware, Policy, Privacy, Security

Source: http://blogs.techrepublic.com.com/security/?p=1561&tag=nl.e101

The solution to malware is closer, and easier, than you probably realize.

 I’ve already pointed out that there is no legal solution to malware. The social problems of a solution predicated upon the idea that we can hunt down and kill enough malware writers to cause the remaining few to give up the pursuit entirely, out of fear for their lives, are effectively insurmountable — at least within an even nominally free society. That’s not to say we shouldn’t try to identify malware writers and take legal action to protect others from them, but simply that legal measures are fundamentally incapable of providing an acceptable, comprehensive solution.

[endurer's note: 1. hunt down: to pursue and capture

2. hit upon an idea: to suddenly think of an idea]

 The technical solution is, really, the most effective solution. If malware never achieves any success at all, nobody will ever bother writing any. The way to defeat malware writers, and to get them to stop doing what they do, is to take steps to eliminate our vulnerability to their malware. Part of a technical solution to malware is actually a social solution, too, but it’s a social solution that involves the would-be victims rather than the perpetrators. We must engage the “good guys” in taking an interest in a technical defense of their rights, rather than simply taking an interest in “punishing” the bad guys.

[endurer's note: 1. take steps: to take measures

2. engage in: to take part in, to be occupied with]

 One of the social problems that must be overcome is that of the user that thinks he or she shouldn’t ever have to think about security, and thus refuses to think about it at all. It’s true that, in a perfect world, security would be something we’d never have to think about, but we live in the real world. Here, inattentiveness to security leaves one unsecured. Failing to defend oneself effectively doesn’t mean one deserves to be assaulted, but it does mean that one is more likely to suffer assault. Taking the hands-off attitude that one doesn’t ever have to think about security — not just that one shouldn’t have to think about security, but that one shouldn’t think about it at all — is a losing strategy, and if we want to solve the malware problem we need to solve this problem first.

[endurer's note: 1. fail to: to be unable to, to not succeed in]

The solution is, in concept, incredibly simple. Operating systems and applications that accept infected files without question, that try to do too much for the user and as a result end up making disastrous decisions that leave us vulnerable; users who are trained by security nagware to just click “OK” or “Yes” all the time without thinking about it; systems that impose no effective privilege separation: these are all part of the problem that could very easily be swept away, if we but had the will and determination to do so. Users who insist on using such software are part of the problem, whether they mean to be or not. If users on the whole could be elevated above such thoughtless acceptance of poor security practices, we would have taken significant steps toward solving the malware problem. Add to this a culture of secure software development, where software vendors no longer pushed such security opiates, and the malware problem would all but disappear.

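[endurer's note: 1. nagware: (computing) trial software that reminds the user, very frequently and automatically, to register and pay

2. all the time: continuously

3. sweep away: to clear away

4. elevate above the soil: to rise out of the ground]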

Instead, we are plagued by “convenient” software development, by people who have never encountered secure development techniques, giving us “security” by constantly nagging us with unnecessary questions that ultimately train us to just approve everything, and by operating systems that allow applications to access pretty much whatever the heck they want to. It’s really easy to solve the problem of vulnerability to malware, if we but make the effort, if we only care enough to bother. There is software in the world that is significantly hardened against such threats, even without being inconvenient to use, but we must choose to use it.

The major problem may be how software vendors define “convenience”. Convenience is not malware infection, but much of what major software vendors call “convenience” is a substantial part of the reason malware is so prevalent and damaging in this world. Software is meant to remove drudgery from our lives, by automating tasks that humans don’t like to do. The tasks we automate should not be core decision-making tasks. Don’t let the software make your decisions for you; instead, let it help simplify the decisions. Autorun for CDs is a travesty of security practice, as is application selection by the software when you double-click a file. So too is a system that just automatically downloads and installs software updates without even asking.
