>> Good engineering involves thinking about how things can be made to work.
The security mindset involves thinking about how things can be made to fail.
It involves thinking like an attacker, an adversary or a criminal.
You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems.
These thoughts come from Bruce Schneier, internationally renowned cryptographer and security technologist.
Using a laptop, security researchers controlled a Jeep Cherokee.
Cold air was blasted from the vents.
Next up on the blasting list was hip hop music from the speakers.
Then wipers, and wiper fluid followed.
The car's display then showed a picture of the hackers.
After the car went out on the highway, the hackers cut the transmission.
The car was now completely stopped.
This was actually the second time the driver allowed the researchers to use him as a crash test dummy.
Previously, they had disabled the brakes, made the horn honk, and also had some fun with the seatbelt and steering wheel.
After Chrysler's Uconnect vulnerabilities were uncovered by these researchers, Chrysler mailed over a million USB drives to owners through the USPS.
That was a great thing!
For hackers, who can now send fake USBs out, and get owners to plug malicious devices into their vehicles.
United Airlines gave two hackers a million frequent flyer miles for discovering software vulnerabilities.
Bug bounty programs, allowing hackers to identify security issues and rewarding them, have become a real business model today, implemented by big companies in many different industries, like United Airlines.
All across the world, researchers were able to hack an internet-connected toilet in Japan.
Potential damage includes flushing the toilet and bringing up the owner's water bill, flipping the toilet lid up and down, and running the bidet and air-dry functions causing discomfort or distress, in the words of the researchers.
From a hospital and medical perspective, researchers found drug infusion pumps that can have dosages changed, defibrillators that can give shocks, or prevent the shock, via Bluetooth.
X-rays that were accessible.
Refrigerators storing blood and drugs that can have temperatures changed.
Digital medical records that can be altered causing misdiagnoses or incorrect prescriptions, as well as tons of other vulnerabilities.
Of course, crashing systems and bringing them down was also possible.
These systems all shared poor or no authentication.
Weak, default, or hard-coded passwords, as well as embedded web interfaces for ease of hacking.
What would General Sun Tzu have said about all of this?
In a real attack, not by researchers, hackers controlled a baby monitor and even injected audio into the baby's room.
The frantic parents stormed in fearing the worst.
There are websites that show live streams from unsecured websites all across the world.
Webcams that haven't had their default username and password combination changed.
Businesses, public spaces, and even schools, daycare centers, and you know this was common, homes.
They're all visible for anyone to watch.
There are even categories for users to pick from, like bar, restaurant, kitchen, religion, barber shop, mall, beach, airline, traffic, laundry, pool... and much more.
Reposted from: https://www.cnblogs.com/sec875/articles/10246882.html