On July 15, 2020, Twitter Inc. suffered a cyberattack during which three Florida teenagers took control of several high-profile Twitter accounts, including those of Joe Biden, Barack Obama, Elon Musk and Bill Gates. The teenagers were able to gain such high-profile access by carrying out a social engineering scheme against one of Twitter’s employees.

2020年7月15日，Twitter Inc. 遭受网络攻击，在此期间，三名佛罗里达州青少年控制了几个备受瞩目的Twitter帐户，包括Joe Biden，Barack Obama，Elon Musk和Bill Gates的帐户。 通过对Twitter的一名员工实施一项社会工程计划，这些少年能够获得如此高调的访问权限。

Software currently used to build large-scale online software was designed in a different era and for an entirely different threat model.

当前用于构建大规模在线软件的软件是在不同的时代针对完全不同的威胁模型设计的。

While this particular attack was promoting a cryptocurrency scam, a similar one just as easily could have been used to cause social unrest or even start a war, if the attackers targeted one of the world’s political leaders.

尽管这种特殊攻击正在促进一种加密货币骗局，但如果攻击者瞄准了世界上一位政治领导人，那么类似的攻击就很容易被用来引发社会动荡甚至发动战争。

Software currently used to build large-scale online software was designed in a different era and for an entirely different threat model. It is because of this that our collective information security is coming apart at the seams, as new threats are emerging every day. This constitutes a real crisis that can only be addressed through radical innovation.

当前用于构建大规模在线软件的软件是在不同的时代针对完全不同的威胁模型设计的。 正因为如此，随着每天都出现新的威胁，我们的集体信息安全正在四分五裂。 这构成了真正的危机，只有通过彻底的创新才能解决。

The innovation that can deliver the solution to this problem is the emerging field of containerized secure software development infrastructure. Such an infrastructure can serve to both increase the degree of data security, and to make it more transparent, enabling us to make educated choices related to our use of global information technology.

可以为该问题提供解决方案的创新是容器化安全软件开发基础结构的新兴领域。 这样的基础架构既可以提高数据安全性，又可以使其更加透明，从而使我们能够做出与使用全球信息技术相关的明智选择。

(重新)定义数据安全性 ((Re)Defining data security)

To the majority of us, the term “information security” evokes hacking, two-factor authentication, and the Equifax data breach. This view, however, is too narrow, and the issues at hand are far more complex and nuanced. First, proliferation of corrupt, unverifiable, an un-deletable data drains our ability to ensure safety from political and social meddling; second, high-security software is currently so hard to use, that it becomes all but inaccessible to ordinary users; third, companies such as Twitter still have the “god mode” — operator privileges that enable attackers to cause almost unlimited damage; fourth, it is not possible for users to reliably ascertain the degree of reliability of the information with which they interact, preventing coordination and collaboration. All of these are real concerns that currently fall outside of the traditional approaches to information security.

对于我们大多数人来说，“信息安全”一词会引起黑客攻击，两因素身份验证和Equifax数据泄露。 但是，这种观点过于狭,，眼下的问题更加复杂和细微。 首先，腐败，无法核实，无法删除的数据的扩散耗尽了我们确保免受政治和社会干预的安全的能力； 其次，高安全性软件目前很难使用，普通用户几乎无法使用它。 第三，Twitter等公司仍然拥有“上帝模式”，即操作员特权，使攻击者能够造成几乎无限的破坏； 第四，用户不可能可靠地确定与其交互的信息的可靠性程度，从而无法协调和协作。 所有这些都是真正的关注点，目前不在传统的信息安全方法之列。

As the Cambridge Analytica scandal demonstrates, the most damaging abuses don’t involve hacking. While Facebook provides ostensible account-level security, it lacks the bigger-picture protections, such as the “do-not-forward” tagging of information or secure data deletion. As a result, Facebook was able to grant access to its user data to someone who should never have had that access. It is not relevant whether this was done by malice or by negligence: it shouldn’t have been possible at all.

正如Cambridge Analytica丑闻所表明的那样，最具破坏性的滥用行为与黑客无关。 尽管Facebook提供了表面上的帐户级别的安全性，但它缺乏更大范围的保护，例如信息的“请勿转发”标记或安全的数据删除。 结果，Facebook能够将其用户数据的访问权限授予不应有该访问权限的人。 这是恶意还是疏忽都无关紧要：这根本不可能。

W

w ^

Or take the Hillary Clinton email scandal. A busy presidential candidate, she was supposed to spend part of her overbooked schedule logging into her government-provided email account that only worked on the laptop and required a hard-to-use second-factor dongle. What Clinton did was what any of us would do: when faced with the inconvenience of maintaining a high degree of digital security, she switched to using her personal email, because it was fast and convenient. That account was subsequently hacked. Clinton’s high security email account was not insecure in the traditional sense, but because it was difficult to use, the outcome was just the same as if it were.

或参加希拉里·克林顿(Hillary Clinton)电子邮件丑闻。 作为一位忙碌的总统候选人，她本应将超出预定的时间表的一部分用于登录政府提供的电子邮件帐户，该帐户只能在笔记本电脑上工作，并且需要难以使用的第二因素加密狗。 克林顿所做的就是我们每个人都会做的事情：面对维护高度数字安全的不便之处，她转而使用个人电子邮件，因为它既快速又方便。 该帐户随后遭到黑客入侵。 克林顿的高安全性电子邮件帐户在传统意义上并不是不安全的，但是由于它难以使用，因此结果就好像是一样。

Or consider the fact that deep-fake videos and pictures are now reaching the new level of quality and accessibility. What is to prevent images of fake porn, fake murders, fake police brutality from causing social and political damage? We are seeing the emergence of a brand new kind of warfare, the one one in which malicious data can be used as a weapon on the global scale.

或考虑一下事实，即虚假视频和图片现在已达到质量和可访问性的新水平。 如何防止假色情，假谋杀，假警察暴行的图像造成社会和政治损失？ 我们正在看到一种全新的战争，一种可以将恶意数据用作全球规模武器的战争。

Here is how one can solve the problem of deep fakes: digital camera and smartphone manufacturers can include cryptographic chips into their devices. Such chips can securely sign every image taken, and the signature can later be used for verification. This is just one illustration of how the holistic approach to security works: it must be applied to every device out there, or it won’t work.

这是解决伪造品问题的方法：数码相机和智能手机制造商可以在其设备中包含加密芯片。 这样的芯片可以安全地对拍摄的每张图像进行签名，并且签名以后可以用于验证。 这只是整体安全方法工作方式的一个例证：必须将其应用于那里的每台设备，否则将无法工作。

需要新方法 (The need for a new approach)

To begin addressing the global security crisis, we must build systems that fulfill several novel security requirements. First, security can no longer exclude the user. If the system is cumbersome to use, it must be treated as insecure. The future software systems must be good at creating complex user-centric workflows that make them appropriate for general use.

要开始解决全球安全危机，我们必须构建满足几个新安全要求的系统。 首先，安全性不能再排除用户。 如果系统使用起来很麻烦，则必须将其视为不安全的系统。 未来的软件系统必须善于创建复杂的以用户为中心的工作流程，使其适合于一般用途。

Second, security can no longer be thought of in the context of each component independently of others. All too often a system with a high degree of security sends sensitive data to a mere shell script. All data must be protected in all places it visits, and the new generation of secure software must enable such multi-node, multi-agent analysis.

其次，在每个组件的上下文中不再能够独立考虑安全性。 通常，具有高度安全性的系统会将敏感数据发送到纯Shell脚本。 所有数据都必须在其访问的所有位置得到保护，并且新一代安全软件必须启用这种多节点，多代理分析。

Even the most trustworthy and reliable operators can be compromised.

即使是最值得信赖和最可靠的运营商也会受到损害。

Third, the new generation of systems must enable users to independently verify the security of the entire software stack, in a striking contrast with the current architectures that provide no transparency beyond the web-server. (Footnote: the lack of holistic software-stack-wide protection is a problem even in decentralized blockchain systems. Example: the hacks of individual accounts carried out by compromising the internet DNS infrastructure)

第三，新一代系统必须使用户能够独立验证整个软件堆栈的安全性，这与当前的架构形成了鲜明的对比。 (注：即使在分散的区块链系统中，缺乏整体软件堆栈范围的保护也是一个问题。例如：通过破坏互联网DNS基础设施对个人帐户进行黑客攻击)

Fourth, we must learn to build systems without the “god mode.” Even the most trustworthy and reliable operators can be compromised. The “god mode” makes it possible for the attackers to cause unlimited damage, which is no longer acceptable. A truly secure system must instead have auditable and verifiable business rules defining the operator role.

第四，我们必须学会构建没有“上帝模式”的系统。 即使是最值得信赖和最可靠的运营商也会受到损害。 “神模式”使攻击者有可能造成无限损失，这已不再是可以接受的。 相反，真正安全的系统必须具有定义操作员角色的可审核和可验证的业务规则。

Fifth and finally, it is critical to acknowledge that all software, almost without exception, must be treated as secure software. Building secure software must be easy and inexpensive. We can no longer afford the view that security is a narrow and specialized field.

第五，最后，至关重要的一点是，必须将所有软件几乎毫无例外地视为安全软件。 构建安全软件必须简单且便宜。 我们再也不能认为安全是一个狭窄而专业的领域。

None of this is possible with the current tools, which is why we need to build new ones. This type of innovation has happened many times before, at critical junctures when the existing approach to software engineering became unsuitable for the new usage patterns. We did this back when machine code became too complex for people to understand, and compilers were invented. Then again, when bare metal software became untenable and operating systems were created.

当前的工具无法实现所有这些，这就是为什么我们需要构建新的工具。 当现有软件工程方法变得不适用于新的使用模式时，这种创新已经在关键时刻发生了很多次。 当机器代码变得太复杂以至于人们无法理解并且发明了编译器时，我们就这样做了。 再者，当裸机软件变得站不住脚并创建操作系统时。

Docker is an interesting recent example of this kind of innovation. Difficulties of package management caused a persistent low-degree drain on engineers’ attention and diminished the overall system reliability. Docker was the difference between 99.8% reliability and 99.9999% reliability. This might not seem like a big difference, but when the cloud became the prevalent deployment modality, this meant that companies could dramatically increase the number of nodes they operated, without the decrease in reliability.

Docker是这种创新的有趣例子。 软件包管理的困难导致工程师的注意力持续低落，并降低了整体系统的可靠性。 Docker是99.8％可靠性和99.9999％可靠性之间的差异。 这似乎没有太大的区别，但是当云成为流行的部署方式时，这意味着公司可以在不降低可靠性的情况下大大增加其运营的节点数量。

Something similar must now happen in secure software development. The new approach we take must be similar to Docker in its approach to component isolation, standardization, complexity management, and fault reduction. Two recent advances lead to our emerging ability to do so: trust technology and containerized programming models.

现在，安全软件开发中必须发生类似的事情。 我们采用的新方法在组件隔离，标准化，复杂性管理和故障减少方面必须与Docker类似。 最近的两项进步使我们有能力做到这一点：信任技术和容器化编程模型。

Trust technology enables an agent to trust a remote piece of software that the agent doesn’t control. It enables multi-system security analysis and transitive security, without which the new level of internet security is impossible. Trust technology is now widely available in the form of TEEs, hardware components that serve as the security layer around critical software. It is hard to underestimate the importance of this technology.

信任技术使代理能够信任该代理无法控制的远程软件。 它支持多系统安全性分析和可传递安全性，没有它们，互联网安全的新水平是不可能的。 如今，信任技术以TEE的形式广泛可用，TEE 是用作关键软件安全层的硬件组件 。 很难低估这项技术的重要性。

Containerized programming technology provides a way to develop secure business logic in the context of trust containers, such as TEEs. It is worth the effort to understand and to examine containerized programming systems at length, because they are both so new, and so important to solving the data security crisis.

容器化编程技术提供了一种在信任容器(例如TEE)的上下文中开发安全业务逻辑的方法。 值得深入理解和研究容器化的编程系统，因为它们既新又对解决数据安全危机至关重要。

Adopting the new paradigm

采用新范式

Containerized programming frameworks shift the emphasis from expressive power to ease of analysis and verification.

容器化的编程框架将重点从表达能力转移到易于分析和验证。

A containerized programming infrastructure is the “docker” of secure programming. It is a set of tools for development and deployment of secure software that is standardized, analysable, and specifically designed to manage complexity. It uses an approach very different from the traditional approach to software development, because it is designed to reduce, not increase, the spectrum of programming possibilities. It simplifies security analysis of complex software by turning to dry and restrictive programming models and by designing a new generation of communication protocols appropriate for multi-agent software analysis.

容器化的编程基础架构是安全编程的“码头工人”。 它是用于开发和部署安全软件的一组工具，这些工具是标准化，可分析的，并且专门设计用于管理复杂性。 它使用的方法与传统的软件开发方法非常不同，因为它旨在减少而不是增加编程可能性的范围。 通过使用干式和限制性编程模型，并设计适用于多代理软件分析的新一代通信协议，它简化了复杂软件的安全性分析。

Containerized programming frameworks shift the emphasis from expressive power to ease of analysis and verification. This comes at a necessary cost. Software designed for holistic security typically comes with new programming languages and specialized processes, introducing a steep learning curve for developers. But to learn these models is time well spent, because it leads to systems achieving an entirely new level of security guarantees.

容器化的编程框架将重点从表达能力转移到易于分析和验证。 这需要一定的成本。 专为整体安全性而设计的软件通常带有新的编程语言和专门的流程，从而为开发人员带来了陡峭的学习曲线。 但是学习这些模型花费了很多时间，因为它导致系统达到全新的安全保证水平。

Here are some examples of containerized software frameworks currently being built.

这是当前正在构建的容器化软件框架的一些示例。

• Haja Networks, a Finland-based startup is developing a highly advanced and holistically-secure framework based on the Ambients Calculus and Total Functional Programming. It is clever, and fits the profile exactly. It has all the hallmarks of security-enabling software for the next millennium in terms of multi-component analysis and complexity management. (UPD: apparently the latest on Haja is that the team has moved to a different company and is now developing a similar product under a different umbrella.)

  Haja网络 ，一个芬兰的启动是开发基于环境温度是微积分和总函数式编程非常先进和全面地安全框架。 它很聪明，并且完全适合该配置文件。 就多组件分析和复杂性管理而言，它具有下一个千年的安全支持软件的所有标志。 (UPD：显然，关于Haja的最新消息是，该团队已移至另一家公司，并且正在另一伞下开发类似产品。)

• Urbit, a San Francisco-based startup founded in early 2000s by Curtis Yarvin, a controversial computer scientist, who has designed, and his team has implemented, an incredibly clever containerized software stack entirely from scratch. Rather than relying on existing academic work, Yarvin designed his own primitive computation calculus he called Nock, which operates on binary trees. Urbit is a fascinating project with a bright potential to address some insidious security concerns of existing consumer internet software.

  Urbit是一家总部位于旧金山的创业公司，由有争议的计算机科学家Curtis Yarvin于2000年代初创立，他设计并由他的团队实施了一个极其聪明的容器化软件堆栈，完全是从头开始的。 Yarvin不再依赖现有的学术工作，而是设计了自己的原始计算演算(称为Nock)，该演算在二叉树上运行。 Urbit是一个引人入胜的项目，具有巨大的潜力，可以解决现有消费者互联网软件的一些隐患。

• My own project, ADAPT, is being built as a system for rapid development of secure enterprise and mobile data-management components. Its primary goal is to offer companies a possibility of a deep security upgrade, by rewriting small critical components using the new framework. ADAPT will enable secure data containerization across a broad spectrum of environments: secure enclaves, browser add-ons, and IoT software.

  我自己的项目ADAPT正在构建为快速开发安全企业和移动数据管理组件的系统。 其主要目标是通过使用新框架重写小的关键组件，为公司提供深度安全升级的可能性。 ADAPT将在广泛的环境中实现安全的数据容器化：安全的飞地，浏览器插件和IoT软件。

If this work is not prioritized, everyone’s safety and wellbeing will become increasingly endangered by both mistakes and malicious cyber-activity on the rise globally.

如果不优先进行这项工作，那么全球范围内错误和恶意网络活动将使每个人的安全和福祉日益受到威胁。

All three of these projects are offering something radically new and advanced. Much like Docker, whose usefulness only became obvious in retrospect, containerized secure programming systems will seem like a no-brainer in the next ten years. To enable safe use of data at the modern scale, a shift must take place, marked by an increased understanding that we can no longer approach security as a matter isolated to a single software component, or exclude the user from our security reasoning.

所有这三个项目都提供了全新的高级功能。 就像Docker，其用途只是在回顾中才变得显而易见，在接下来的十年中，容器化的安全编程系统似乎毫无疑问。 为了在现代规模上安全地使用数据，必须进行转变，其特征是人们越来越了解到，我们不能再将安全性视为孤立于单个软件组件的问题，也不能将用户排除在安全性推理之外。

This shift has already begun, and it will serve to ensure safety of users and indeed anyone in the world by guaranteeing that systems we use to communicate with one another, to share information, and coordinate critical activity are suitably secure for their purposes. If this work is not prioritized, everyone’s safety and wellbeing will become increasingly endangered by both mistakes and malicious cyber-activity on the rise globally.

这一转变已经开始，它将通过确保我们用来互相通信，共享信息和协调关键活动的系统对于他们的目的而言是适当安全的，从而确保用户以及世界上所有人的安全。 如果不优先进行这项工作，那么全球范围内错误和恶意网络活动将使每个人的安全和福祉日益受到威胁。

This article does not constitute endorsement or investment advise. Special thanks to Katia Rossi for editing help.

本文不构成背书或投资建议。 特别感谢 Katia Rossi 提供的编辑帮助。