Cross-platform open source threat: Is open source really more secure?



Blogger: John McCormick
Translation: endurer

English source: http://blogs.techrepublic.com.com/security/?p=237&tag=nl.e101

Category: Security, Microsoft, Hacking, Office, Macintosh, linux, open source

Tags: Linux, Open Source, Sophos Plc., Microsoft Corp., John McCormick

Sophos has disclosed the existence of a proof-of-concept worm (StarOfficeBadbunny) that attacks through a vulnerability in OpenOffice and other programs using StarBasic macros. According to Sophos, this is a multi-platform threat affecting Windows, Mac OS, and Linux. It is written in several scripting languages, including Perl.

[endurer's note: 1. Proof of Concept: concept verification
2. StarOfficeBadbunny: SB/BadBunny-A Worm Description
SB/BadBunny-A is a multi-platform worm written in several scripting languages and distributed as an OpenOffice.org document containing a StarBasic macro.
http://www.sophos.com/security/analyses/sbbadbunnya.html]

While this particular threat is minor, it does illustrate a growing problem. I am all in favor of open source code, but I have never bought into the idea that it was less vulnerable to attack.

[endurer's note: 1. be all: entirely
2. in favor of: in approval of (supporting, to the advantage of, larger)]
 
Just to start out on the right foot with open source fans, I like OpenOffice, and I often recommend it to small business clients and individuals who need Microsoft Office-like applications but don’t like Microsoft prices. I also like and use Firefox and Linux, and I recommend both as well as other open source software.
[endurer's note: 1. start out: to begin (set off, set about doing)
2. start off on the right foot: to get off to a smooth start (to make a good first impression)]
 
Sometimes the more security-savvy of my friends and customers say to me, “Oh, you recommend OpenOffice (Linux, etc.) because you think it is safer!” In a practical, everyday sense, yes — if you run Linux, you are less likely to be hacked.
[endurer's note: 1. everyday sense: everyday experience
2. likely to: probably (looks as if about to)]

But I feel the need to explain that I have no idea whether it is inherently safer. I’m not convinced that Firefox or Linux is actually safer than Microsoft products in any absolute meaning of the term.

[endurer's note: 1. have no idea: to not know at all (to have never even heard of)]
 
We seldom hear of big threats to open source platforms, but that isn’t the same thing as saying they are inherently more secure. They may merely be attacked less often. Pointing out that they are “not being targeted as much as Microsoft” doesn’t PROVE they are less vulnerable. They may be less vulnerable, but that only PROVES that they are “not being targeted as much as Microsoft.”

Open source is certainly cheaper if you don’t need much support – although even that is highly debatable if you need to support a lot of users on open source operating systems or applications, especially if you (or they) are trying to do anything even slightly out of the ordinary. (Don’t forget training costs: How many of your new workers learned Linux and OpenOffice in school? Most of the ones I see have been trained — if badly – on Microsoft.)

Open source vs. Microsoft security is an OLD argument, but two recent developments have brought a different focus to the question. First is this multi-platform malware I just described. Second is the fact that Dell just announced it would begin selling Linux-loaded computers at Wal-Mart.

An exacerbating circumstance is that home users MAY wake up to the incredible cost of converting to Vista (and the tiny advantage) and begin actively seeking an alternative. Put the Dell name and reputation behind inexpensive Linux-based PCs in a discount setting, and they are going to sell. Add the cost of Vista (including the need for much more powerful hardware), and Wal-Mart Linux Dells may sell A LOT!

[endurer's note: 1. wake up to: to realize, to become aware of
2. put behind one: vi. to refuse to consider (to put out of mind)]

Heck, I expect to buy at least one myself. And based on that, I may recommend them to clients, but that doesn’t mean there is no potential downside. Currently, I would much rather try to secure a Linux environment mainly running mainstream open source applications, but that may change if Linux becomes more popular outside the controlled business setting.

[endurer's note: 1. Heck: [euphemism for hell] damn]
 
For example, if Wal-Mart starts selling a lot of Linux boxes to home users who are then open to exploitation as zombies, we can expect a lot more directed attacks. As the target grows larger, it will become more tempting to take an occasional shot at it. And that’s when we will begin to see whether open source really is inherently less vulnerable in the real world where Microsoft operates.
 
Although a lot of businesses and advanced users already have Linux and use non-Microsoft browsers and office applications, I still consider this to be a hothouse environment. That is, it is running (and running very well) in a restricted and relatively safe world.

If you are supporting a Linux office, I BET your network is sitting behind a well-maintained firewall! When Linux is on millions of home user machines connected to cable boxes, it will be out in the jungle where Microsoft users get slashed every day.


[endurer's note: 1. be out: to leave (go out)
2. in the jungle: in the jungle]
 
So should those of us who actually use and especially support Linux, Firefox, and open source applications really be pleased to see a flood of novice users? Pride aside, is it a good idea from a business standpoint? Am I being selfish to want Linux and great open source applications to remain the favorites of relatively few users and most of them (us) highly security-conscious?

[endurer's note: 1. novice user: inexperienced user]
 
It is far from certain that non-Microsoft platforms and applications will eventually become popular and vulnerable targets for malware producers. I am fairly certain that, unless a lot of them get into the hands of home users and clueless business users, there won’t be much incentive for the bad guys to begin to explore potential vulnerabilities.


[endurer's note: 1. be far from: not at all, not in the least, far from
2. get into the right hands: to fall into the right person's hands]

Today I’d much prefer to be in charge of securing a Linux-based office than a Microsoft office – just as I prefer strolling around in a nice, safe neighborhood where lots of people aren’t prowling the alleys out to mug me. (It’s always so annoying having to explain all the muggers’ injuries to any cops who don’t know me. GRIN.)

[endurer's note: 1. Prowled the alleys of the city after dark: roamed the city's alleys after nightfall]

Keeping a good thing to yourself can be considered selfish, but in business sometimes it’s just a matter of common sense. So, while some will cheer to see Dell and Wal-Mart selling Linux boxes to the masses, I won’t be among them. I already know how to load Linux on a bare box — something that, even today, few home users are able to do for themselves.

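[endurer's note: 1. Keep to yourself: to not tell (keep secret, not associate with others)
2. good thing: something approved of (a fortunate event, a profitable deal)
3. a matter of common practice: an ordinary, common matter
4. common sense: common sense
5. the masses: the general public; the people]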

 