Why installing software updates makes us WannaCry

来源: https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667

为什么安装软件更新让我们“WannaCry”

视频链接:https://www.youtube.com/watch?v=muvwozXpyx4

5月份WannaCry病毒肆虐全球,很多学校,医疗和个人系统被入侵,至今余波未平。为什么会有这么多电脑被感染,本文提供了一个新的角度——人们出于种种理由不愿安装更新。作者也呼吁软件公司的更新更加人性化。与此同时,作者也在致力于用寓教于乐视频edutainment video的方式告知大众安装更新的重要性。

[1] The global ransomware attack called “WannaCry,” which began last week and continues today, could have been avoided, or at least made much less serious, if people (and companies) kept their computer software up to date. The attack’s spread demonstrates how hundreds of thousands of computers in more than 150 countries are running outdated software that leaves them vulnerable. The victims include Britain’s National Health Service, logistics giant FedEx, Spanish telecom powerhouse Telefonica and even the Russian Interior Ministry俄罗斯内政部.
ransomware n. 勒索软件 Our product cleans and blocks all manner of malware including Trojan Horses, Worms, Spyware, Adware, Ransomware, Keyloggers, Backdoors, Password Stealers and many more.
我们的产品清除并阻止所有,方式的恶意软件包括蠕虫木马,间谍软件,广告软件,勒索,键盘记录,后门,密码大盗等等。
vulnerable adj. 易受攻击的, 易受伤害的
Vulnerable groups 弱势群体 vulnerable species 易危物种
Logistics n. 物流,后勤 logistics management物流管理;后勤管理

[2] The security flaw安全漏洞 that allowed the attack to occur was fixed by Microsoft in March. But only people who keep their computers updated were protected. Details of the flaw were revealed to the public in April by the Shadow Brokers, a group of hackers黑客 who said they had stolen the information from the U.S. National Security Agency美国国家安全局.

[3] Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies人类习性 and corporate policies公司政策 worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.
Encrypt v. 把…编码;把…加密
Collectively adv. as a group集体地,共同地
Tendency n. 倾向,趋势

Updating is a pain

[4] All people had to do to stay safe from WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their experiences of installing software updates.
Install v. 安装 installed a new phone in my department, intall a new anti-virus software

[5] Nearly half of them said they had been frustrated updating software; just 21 percent had a positive story to tell. Researchers highlighted the response of one participant who noted that Windows updates are available frequently – always the second Tuesday of every month, and occasionally in between those regular changes. The updates can take a long time. But even short updates can interrupt people’s regular workflow, so that study participant – and doubtless many others – avoids installing updates for “as long as possible.”
Frustrate v. 挫败;懊恼
Workflow n. 工作流程

[6] Some people may also be concerned that updating software could cause problems with programs they rely on regularly. This is a particular concern for companies with large numbers of computers running specialized software.
Concern vt. 涉及,关系到;使担心 n. 关系;关心;关心的事;忧虑

Is it necessary?

[7] It can also be very hard to tell whether a new update is truly necessary. The software that fixed the WannaCry vulnerability came out in a regular second-Tuesday update, which may have made it seem more routine. Research tells us that people ignore repeated security warning messages. Consequently, these monthly updates may be especially easy to ignore.

[8] The companies putting out the updates don’t always help much, either. Of the 18 updates Microsoft released on March 14, including the WannaCry fix, half were rated “critical,” and the rest were labeled “important.” That leaves users with little information they could use to prioritize their own updates. If, for example, it was clear that skipping a particular update would leave users vulnerable to a dangerous ransomware attack, people might agree to interrupt their work to protect themselves.
Critical adj. 危急的, 批评的,评论的 critical thinking 重要等级
Prioritize v. 确定 (任务) 优先顺序,按优先顺序列出 priority
Family is my first/top priority. 孩子是我们的头等大事。Family always comes first.

[9] Even security experts struggle to prioritize. The day the fix was released, Microsoft watcher Chris Goettel suggested prioritizing four of the 18 updates – but not the one fixing WannaCry. Security company Qualys also failed to include that specific update in its list of the most important March updates.
clock watcher n. 盼望下班的人

Security pros, and everyone else
pros and cons正反两方面;赞成者和反对者

[10] The most common recommendation is to update everything immediately. People just don’t do that, though. A 2015 survey by Google found that more than one-third of security professionals don’t keep their systems current. Only 64 percent of security experts update their software automatically or immediately upon being notified a new version is available. Even fewer – just 38 percent – of regular users do the same.
Notify v. 正式通知,告知 notice v. 注意到,察觉n. 通知

[11] Another research project analyzed software-update records from 8.4 million computers and found that people with some expertise in computer science tend to update more quickly than nonexperts. But it’s still slow: From the time an update is released, it takes an average of 24 days before half of the computers belonging to software engineers are updated. Regular users took nearly twice as long, with 45 days passing before half of them had completed the same update.
Expertise n. 专业技能; 专业知识 expert

Making updates easier

[12] Experts might be quicker at updating because they understand better the potential vulnerabilities updates might fix. Therefore, they might be more willing to suffer the annoyances of interrupted work and multiple restarts.
Annoyance n. 烦恼,烦人的事物 annoy

[13] Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, installs updates silently and automatically – downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.
Seamless adj. 流畅的,浑然一体的
Disruptive adj. 妨碍的; 扰乱的 disruptive behaviour 破坏性的行为

[14] That’s not the right choice for all kinds of updates, though. For example, the Windows update needed to protect against the WannaCry attack requires the computer to restart. Users won’t tolerate their computers shutting down and restarting with no warning.
shut down 停工,关闭,使停业,停机

Getting the message out

[15] So computer companies must try to convince us – and we must convince ourselves – that updates are important. My own research focuses on doing just this, by producing and evaluating entertaining and informative videos about computer security.

[16] In our first experiment evaluating the video, we conducted a month-long study to compare our video with an article of advice from security firm McAfee. The video was effective for more of our participants than the McAfee article was. Our video was also equally or more effective, overall, at improving people’s updating practices. Trying new approaches to teaching security behaviors such as our edutainment video, or even security comics, may be a first step toward helping us stay safer online.
Firm n. 公司 company corporation enterprise

下载PDF版

来源: https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667


下载音频

相关视频: https://www.youtube.com/watch?v=muvwozXpyx4

5月份WannaCry病毒肆虐全球,很多学校,医疗和个人系统被入侵,至今余波未平。为什么会有这么多电脑被感染,本文提供了一个新的角度——人们出于种种理由不愿安装更新。作者也呼吁软件公司的更新更加人性化。与此同时,作者也在致力于用寓教于乐视频edutainment video的方式告知大众安装更新的重要性。

[1] The global ransomware attack called “WannaCry,” which began last week and continues today, could have been avoided, or at least made much less serious, if people (and companies) kept their computer software up to date. The attack’s spread demonstrates how hundreds of thousands of computers in more than 150 countries are running outdated software that leaves them vulnerable. The victims include Britain’s National Health Service, logistics giant FedEx, Spanish telecom powerhouse Telefonica and even the Russian Interior Ministry.

[2] The security flaw that allowed the attack to occur was fixed by Microsoft in March. But only people who keep their computers updated were protected. Details of the flaw were revealed to the public in April by the Shadow Brokers, a group of hackers who said they had stolen the information from the U.S. National Security Agency.

[3] Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.

Updating is a pain

[4] All people had to do to stay safe from WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their experiences of installing software updates.

[5] Nearly half of them said they had been frustrated updating software; just 21 percent had a positive story to tell. Researchers highlighted the response of one participant who noted that Windows updates are available frequently – always the second Tuesday of every month, and occasionally in between those regular changes. The updates can take a long time. But even short updates can interrupt people’s regular workflow, so that study participant – and doubtless many others – avoids installing updates for “as long as possible.”

[6] Some people may also be concerned that updating software could cause problems with programs they rely on regularly. This is a particular concern for companies with large numbers of computers running specialized software.

Is it necessary?

[7] It can also be very hard to tell whether a new update is truly necessary. The software that fixed the WannaCry vulnerability came out in a regular second-Tuesday update, which may have made it seem more routine. Research tells us that people ignore repeated security warning messages. Consequently, these monthly updates may be especially easy to ignore.

[8] The companies putting out the updates don’t always help much, either. Of the 18 updates Microsoft released on March 14, including the WannaCry fix, half were rated “critical,” and the rest were labeled “important.” That leaves users with little information they could use to prioritize their own updates. If, for example, it was clear that skipping a particular update would leave users vulnerable to a dangerous ransomware attack, people might agree to interrupt their work to protect themselves.

[9] Even security experts struggle to prioritize. The day the fix was released, Microsoft watcher Chris Goettel suggested prioritizing four of the 18 updates – but not the one fixing WannaCry. Security company Qualys also failed to include that specific update in its list of the most important March updates.

Security pros, and everyone else

Pic1

[10] The most common recommendation is to update everything immediately. People just don’t do that, though. A 2015 survey by Google found that more than one-third of security professionals don’t keep their systems current. Only 64 percent of security experts update their software automatically or immediately upon being notified a new version is available. Even fewer – just 38 percent – of regular users do the same.

[11] Another research project analyzed software-update records from 8.4 million computers and found that people with some expertise in computer science tend to update more quickly than nonexperts. But it’s still slow: From the time an update is released, it takes an average of 24 days before half of the computers belonging to software engineers are updated. Regular users took nearly twice as long, with 45 days passing before half of them had completed the same update.

Making updates easier

[12] Experts might be quicker at updating because they understand better the potential vulnerabilities updates might fix. Therefore, they might be more willing to suffer the annoyances of interrupted work and multiple restarts.

[13] Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, installs updates silently and automatically – downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.

[14] That’s not the right choice for all kinds of updates, though. For example, the Windows update needed to protect against the WannaCry attack requires the computer to restart. Users won’t tolerate their computers shutting down and restarting with no warning.

Getting the message out

[15] So computer companies must try to convince us – and we must convince ourselves – that updates are important. My own research focuses on doing just this, by producing and evaluating entertaining and informative videos about computer security.

[16] An entertainment-education video about software updating produced by researchers at the University of Maryland. In our first experiment evaluating the video, we conducted a month-long study to compare our video with an article of advice from security firm McAfee. The video was effective for more of our participants than the McAfee article was. Our video was also equally or more effective, overall, at improving people’s updating practices. Trying new approaches to teaching security behaviors such as our edutainment video, or even security comics, may be a first step toward helping us stay safer online.

下载PDF版