You may well feel this way: computer viruses are becoming more aggressive and attackers more capable. A computer without anti-virus software cannot be relied on to keep working, because one day it may be infected by some dreadful virus. A network that is not strictly protected may one day be hit by an arrow from the dark, and sometimes, even after taking every precaution, you still cannot escape the misfortune of an intrusion. People have to ask: where does the problem lie?
The root of the problem lies in the software. In the words of the computer security expert Professor McGraw, there is "too much bad software". From the user's point of view, we always hope that software developers will keep innovating and keep shortening the development cycle of new software. Professor McGraw warns that once application software is developed in too much of a hurry, one or more defects in the design process become inevitable, hidden dangers are buried in the product, and the result is frequent intrusions by hackers.
Professor McGraw graduated from the Department of Philosophy at the University of Virginia, obtained a dual doctorate in computer science and cognitive science from Indiana University, and then worked at a software technology company; he has published a monograph on Java security and is well known in the computer security world. He was recently interviewed by some online media and gave his views on computer software and computer security. The following is a transcript of that interview.
Q: You believe that the key to computer security risk lies in the various problems of software development. How does this come about?
A: There are three reasons. First, today's software is far more complex than in the past. Windows 3.1 had only 2.5 million lines of code; Windows XP has 40 million lines. The best way to measure this is to count the lines of program code, and a simple principle applies: the more lines, the more design defects. Second, the Internet is everywhere; every line of code today lives on the network. Third, system extensibility. Because systems have this property, program code may one day pop up from somewhere and modify the system environment.
Q: Can you give an example?
A: The Java virtual machine in a web browser is the best example; likewise the .NET virtual machine, and the J2ME (Java 2 Micro Edition) virtual machine built into phones and PDAs. These systems are extensible. Java and .NET form the base system; various extension functions are delivered over the network, combined, and used within the base system. What is the characteristic of mobile code?
The design concept is that users cannot foresee every program that will need to run on their phone, so the system is designed to be extensible, able to accept whatever code it needs. This design is very cost-effective and indeed good, but it can also lead to some terrible consequences.
Q: What problems do programmers face when writing secure program code?
A: Writing programs calls for extreme care. There are many problems to understand. There are not many good methods for developing secure and stable programs, and the tools available to developers are not good. Programming is a very difficult task. From a security perspective, popular languages such as C and C++ are very bad. Of course, it should be said that the various security problems arise from a combination of multiple factors.
Q: Who should be held responsible for this problem?
A: If you look at who works in computer security today, you will find that these IT professionals are basically people connected with the Internet who know networking. So who is developing the software? Software designers and developers. Generally, these people do not communicate with computer security staff or network administrators; they are not even in the same department. In addition, the Internet is no longer a new thing, yet a great deal of software is still developed as if for a non-networked environment. Most programmers do not understand security issues at all, and this causes the same type of problem, such as the buffer overflow, to recur again and again.
Q: You have repeatedly pointed out that the computer industry lacks security education. How should this gap be filled?
A: Some universities offer computer security and software security courses, for example the University of California, Davis, the University of Virginia, Purdue University and Princeton. But the world keeps moving. If we want to see more done about computer security, we must pay more attention to software security issues.
Q: If software security has not received enough attention in the past, where has the attention been focused?
A: The firewall.
Q: Isn't the firewall also software?
A: It is software, but this kind of software is designed to solve only part of the security problem. Every port is opened when you access the Internet, and firewall software is installed to strengthen the protection of those ports. Many people think that once firewall software is installed on a computer they can relax. That is a big mistake. Installing a firewall can only be a good start, and note that the firewall software itself may also contain vulnerabilities. People actually know that computer security problems are related to software defects, for example in (Microsoft's) IIS web server software, but the preventive measures they take are wrong, for example installing a firewall and using encryption software.
The problem with encryption software is that, although it is indeed a good security tool, it cannot completely solve the problem. It does not solve the problem of software security; it only solves the security of the communication channel. In fact, according to some researchers, encryption can only solve 15% of the serious problems.
If you ask a computer user how to strengthen security, he will name three things: a firewall, an encryption program and anti-virus software. Even with all three installed on a computer, they cannot solve every problem.
Q: What is the root cause of the problem?
A: Software quality is not high. Why is BIND (the Berkeley Internet Name Domain server) attacked by hackers? Isn't it because the design is so poor?! When the programmers designed this system, they only wanted it to handle all sorts of "cool" tasks and seldom considered security. This reflects a trend in software design: everyone cares about the functionality of software more than its security. Neither Microsoft nor Linux is an exception. For a software vendor, what sells best? Naturally, the more features, the better it sells.