Without the knowledge of a programmer or computer expert, how can I know whether a particular program, or software in general, has no hidden harmful functions that compromise privacy and security?
You can know whether some software does only what it announces in the same way that you can know whether the food they serve you at restaurants is poisoned or not. In plain words, you cannot, but Society has come up with various schemes to cope with the issue:
All of these can be directly transposed into the world of software. Extreme methods of ascertaining software quality and adherence to its published behaviour include very expensive and boring things like Common Criteria which boil down to, basically, knowing who made the program and with what tools.
Alternative answer: every piece of software has bugs, so it is 100% guaranteed that it does not do exactly what it is supposed to do. (This assertion includes the software which runs in the dozen or so small computers which are embedded in your car, by the way.)
You can't, at least not with 100% accuracy. Speaking as a programmer, it's very easy to code in whatever I want, and it's not necessarily just what's advertised.
Not all unexpected activity, however, is malicious. I'm assuming you're worried more about malicious activity. Even that is not 100% possible to detect all the time, but there's hope.
You can use software that monitors things like network traffic, file activity, etc., to find clues that software is behaving in an unexpected way. For example (and I know this is just a basic tool) you can use Fiddler to see if a particular application is accessing the Internet via http(s). (Yes, I know there are better tools out there, though. Fiddler is just the first that comes to mind.) On Windows, you can use Process Monitor to get even more insight. Similar tools exist for other platforms.
There are also several other services that are available for you to use that will perform the analysis for you.
Especially as software becomes larger and more complicated, it becomes impossible* for even experts to answer that. To that extent, privacy and security from an application are best handled by using sandbox or Mandatory Access Control methods. The idea behind these methods is that the software is run in a system that controls what it can do and you permit it to only do what you expect it to do. Done properly, you can limit possible connections, and be notified if the program ever tries to access files you didn't expect it to. Very advanced methods can be used to monitor memory or decrypt network traffic through a proxy service.
In short, if you can't understand everything it does, the answer is to restrict everything it can do with something it runs inside of (the operating system).
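The monitoring approach in the previous answer (watch what a program actually opens and connects to) and the "permit only what you expect" approach in this one meet in a simple audit: record the program's file and network activity with a tracing tool, then compare it against a written-down expectation of what the program should touch. The following is an added example, not code from either answer. It assumes a trace in the format `strace -f -e trace=openat,connect` produces on Linux; the trace lines and the policy for a hypothetical "notes" application are constructed for illustration.

```python
"""Flag file and network activity that falls outside a program's expected behaviour.

Added example (not from the original answers). The trace below is constructed
to look like `strace -f -e trace=openat,connect -o trace.log ./notes` output for
a hypothetical note-taking app that advertises syncing to one server.
"""
import re
from dataclasses import dataclass

# Constructed sample trace (not a real capture).
SAMPLE_TRACE = """\
12345 openat(AT_FDCWD, "/home/alice/notes/todo.txt", O_RDONLY) = 3
12345 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 4
12345 openat(AT_FDCWD, "/home/alice/.ssh/id_rsa", O_RDONLY) = 5
12345 connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
12345 connect(7, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("198.51.100.77")}, 16) = 0
12345 openat(AT_FDCWD, "/home/alice/.mozilla/firefox/profiles.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# openat(dirfd, "path", flags...) -> capture the path.
OPENAT_RE = re.compile(r'openat\(\w+, "([^"]+)"')
# connect(fd, {sa_family=AF_INET, sin_port=htons(PORT), sin_addr=inet_addr("IP")}, len)
CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
    r'sin_addr=inet_addr\("([^"]+)"\)'
)


@dataclass(frozen=True)
class Policy:
    """What we expect the program to touch; everything else is a finding."""
    allowed_path_prefixes: tuple      # file paths the program legitimately reads
    allowed_endpoints: frozenset      # (ip, port) pairs it legitimately talks to


# Hypothetical expectation for the notes app: its own data directory, shared
# libraries, and the one sync server it documents.
NOTES_POLICY = Policy(
    allowed_path_prefixes=("/home/alice/notes/", "/usr/lib/", "/lib/", "/etc/ld.so.cache"),
    allowed_endpoints=frozenset({("203.0.113.10", 443)}),
)


def audit(trace: str, policy: Policy) -> list:
    """Return [(kind, target), ...] for every access outside the policy.

    A failed open (e.g. ENOENT) is still reported: the attempt itself is the
    evidence that the program was looking for something it should not need.
    """
    findings = []
    for line in trace.splitlines():
        m = OPENAT_RE.search(line)
        if m:
            path = m.group(1)
            if not path.startswith(policy.allowed_path_prefixes):
                findings.append(("file", path))
            continue
        m = CONNECT_RE.search(line)
        if m:
            port, ip = int(m.group(1)), m.group(2)
            if (ip, port) not in policy.allowed_endpoints:
                findings.append(("net", f"{ip}:{port}"))
    return findings


if __name__ == "__main__":
    for kind, target in audit(SAMPLE_TRACE, NOTES_POLICY):
        print(f"UNEXPECTED {kind:4} {target}")
```

Run against the constructed trace, the audit reports the read of `~/.ssh/id_rsa`, the connection to port 4444 on an address the app never documented, and the probe for a Firefox profile. None of these proves malice on its own, but each is exactly the kind of clue the answers above describe: the program is doing something outside what it announced, and that is the question to put to its vendor or community. A policy like this is also the starting point for an actual confinement profile (an AppArmor or SELinux policy, or a seccomp filter), which turns "be notified" into "be denied".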
Ken Thompson said in his widely known ACM Turing Award lecture "Reflections on Trusting Trust" (exactly 30 years ago now!): "You can't trust code that you did not totally create yourself." In practice, it is no different for commercial software than for other commercial products: software from a producer with a good reputation in the market is generally more likely to be good. But there is no absolute guarantee. Decades ago I received a floppy disk with a virus on it from a well-known producer. In that case I personally don't think it was a malicious act by anyone inside the company, but rather that some of the company's computers had been infected by a virus from outside. But clearly, in general, one cannot 100% exclude the possibility of someone inside the company introducing a backdoor into the software, whether or not its CEO knows about it.

Nowadays, with cyber warfare looming ever closer, backdoors could IMHO become an extremely critical issue. A government's secret agency could manage somehow (through money, coercion, or even malware) to plant such a backdoor into certain software that is commonly used to secure communications (e.g. software related to digital signatures) and is sold to certain unfriendly or potentially unfriendly countries, and then, immediately or at some suitable later point in time ("time bombs" etc.), exploit the backdoor to achieve goals such as sabotaging the critical infrastructure of the target country, etc. Stuxnet, Flame and Gauss are a few names that should illustrate the capabilities of potential malware.
Unfortunately, you can't...

A good programmer may be called a wizard by his users, and a good trojan will perfectly fake a normal environment to keep the victim quiet.

Some viruses/trojans wipe the victim's system to ensure

So, you can't! If in doubt, ask!!!
It ultimately comes down to trust. Do you trust the reputation of the company releasing the software? If it is open source, is it used by enough developers that they would be raising flags if there were issues? There is a certain amount of strength in numbers, since a commonly used product is more likely to have extensive research done on whether it is trustworthy. Unless you are very paranoid, generally looking at what the community has to say about a particular piece of software is the best bet, but there will still always be bugs and there will still always be mistakes.
As pointed out by others, there is no guaranteed way to know. A lot of the time, you have to trust the integrity and reputation of the vendor. Following secure practices, such as only installing software from sources you trust can help, but just like real life, sometimes, we trust the wrong people.
In the end, I think we should adopt a certain level of paranoia. If you install an app on your phone, don't just accept or say yes when your phone OS informs you the app wants access to your private information, your location, etc. Ask yourself why it needs that access. If you feel the access the application is requesting is justified based on what you are expecting it to do, then saying yes may be OK. On the other hand, if it seems to be requesting access to information or services which are way outside what it should need or be interested in, then be a little suspicious and consider carefully before just saying yes.
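The "why does it need that access" check in the answer above can be done before installing, by comparing the permissions an app declares against what its stated job actually requires. The following is an added example, not code from the answer or from any app. It assumes an Android manifest decoded to XML (for instance with apktool); the manifest for a hypothetical "flashlight" app and the reviewer's list of what a flashlight legitimately needs are constructed for illustration.

```python
"""Compare the permissions an Android app requests with what its purpose needs.

Added example, not part of the original answer. The manifest is a constructed
sample; the expected set is the reviewer's own judgement, not a system list.
"""
import xml.etree.ElementTree as ET

# Namespace Android manifests use for the android:name attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical flashlight app (not a real package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# A torch is driven through the camera hardware, so CAMERA is justified.
# Nothing about lighting a room requires location, contacts or the network.
EXPECTED_FOR_FLASHLIGHT = frozenset({"android.permission.CAMERA"})


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"   # ElementTree's Clark notation for android:name
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def unexpected_permissions(manifest_xml: str, expected: frozenset) -> list:
    """Permissions the app asks for that the reviewer cannot justify, sorted."""
    return sorted(requested_permissions(manifest_xml) - expected)


if __name__ == "__main__":
    for perm in unexpected_permissions(SAMPLE_MANIFEST, EXPECTED_FOR_FLASHLIGHT):
        print(f"ask why a flashlight needs {perm}")
```

For the constructed manifest this lists fine location, contacts and Internet access, which is the point at which the answer says to get suspicious. The check only covers what the app declares; a permission the app does not declare cannot be granted to it, but a declared permission says nothing about what the app does with it, so this is a filter for which apps deserve a closer look, not a verdict.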