Linux expert warns of open source's growing appeal to hackers

Date: 2017/2/27 11:54:02   Editor: Linux Culture

purple endurer's note: 1. warn of: to warn of (issue a warning about); 2. appeal to: to be attractive to; to hold an attraction for

by John McCormick; translated by Purple Endurer

English source: http://articles.techrepublic.com.com/5100-1009_11-6130846.html?tag=nl.e101

Tags: Linux | Open source | Hacking | Security threats | Patches

Takeaway: Alan Cox, a well-respected Linux developer, warned attendees of London's LinuxWorld that open source software is becoming more attractive to commercial hackers. In this edition of the IT Locksmith, John McCormick fills you in on Cox's statement and tells you about a new organization aiming to stop zero-day exploits.

purple endurer's note: 1. attractive to: appealing to; 2. fill in: to fill out (write in)

A Linux guru cautions that open source's growing popularity is attracting the unwanted attention of more hackers. Meanwhile, a new organization aims to stop zero-day exploits by making patches available sooner.

Details

Linux expert Alan Cox warned attendees of London's LinuxWorld conference last week that hackers were putting a lot of money and effort into cracking Linux and other open source projects. Cox, who works for Red Hat, was especially critical of uninformed media statements about how open source software is more secure and reliable. While some well-known open source projects are indeed secure, the same doesn't hold true for lesser-known projects.

purple endurer's note: 1. critical of: fault-finding toward

2. It is universal truth that holds true for the whole world. (This is a universal truth that applies everywhere.)

The veteran developer also took a shot at the European Commission's Software Quality Observatory for Open Source Software (SQO-OSS). The newly launched project aims to monitor the quality of open source development. It will release the core code under the BSD license.

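purple endurer's note: 1. take a shot: to fire a gun, take a photograph, throw a ball; 2. European Commission: the EU Commission; 3. Software Quality Observatory for Open Source Software (SQO-OSS): this consortium is made up of research institutions and organizations that work on open source projects. Half of its funding comes from the member organizations and the other half from the European Commission. One of SQO-OSS's goals is to provide source code quality standards that help demonstrate that open source is suitable for enterprise deployment. It will also publish reports based on its own testing and score open source software.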

Several observers say that SQO-OSS, which boasts a 2.47 million Euro budget, focuses on the wrong metrics of quality and security, particularly by counting all bugs as equal. The overall goal of SQO-OSS is to improve the acceptance and competitiveness of EU software development projects by demonstrating their security. For a list of the project's goals, check out this fact sheet.

purple endurer's note: 1. check out: to leave (register, inspect, pass, total up and collect payment, pay by cheque, die); 2. fact sheet: information sheet.

Less than zero?

Increasingly concerned about businesses that ignore cyberattacks until they reach the point of wide exploitation, security experts have coined a new term—the "less than zero-day" attack. Zero-day attacks are ones that take place between the time of an exploit's publication and the release of the initial patch or antivirus/malware signature.

purple endurer's note: 1. concern about: care or worry about

But rather than waiting until "official" vendor patches become available, a new online organization—the Zeroday Emergency Response Team (ZERT)—aims to release reliable non-vendor "emergency" patches for exploits as soon as they appear to pose a serious risk of exploitation. Of special interest to many users may be the ZProtector framework for patching zero-day vulnerabilities for Windows—beginning with Windows 95! As you probably know, this range includes a number of platforms no longer supported by Microsoft.

purple endurer's note: 1. rather than: would sooner ... than (instead of, and not); 2. appear to: to look like (to seem to)

Although ZERT works with a number of security tool vendors, the organization has no direct affiliation with any particular vendor. To see how ZERT approaches emergency patching of zero-day threats as compared to the official Microsoft patches, check out this ZERT analysis PDF document of the recently patched CVE-2006-4868 vulnerability.

purple endurer's note: 1. affiliate with: to associate with; 2. as compared to: in comparison (compared with ...)

Final word

It should be obvious that the growing adoption of Linux by many businesses and government organizations means a lot of serious commercial hackers will be turning their attention to exploiting any flaws they can locate. However, it will likely take a number of public statements from respected Linux developers to really draw attention to this fact.

purple endurer's note: 1. draw attention to: to make ... take notice (to call attention to ...)

And speaking of obvious, it should go without saying that cyberthreats are most dangerous before an official patch is available. Unfortunately, many network managers aren't paying enough attention to this reality—even though their networks are the ones most at risk. I like the idea behind ZERT, but the project is in its infancy. Only time will tell if ZERT really has the solution.

purple endurer's note: 1. speaking of: talking of, on the subject of, as for ...
