pls like.👍_老虎社区_美港股上老虎

2021-08-18

pls like.👍

BlackBerry resisted announcing major flaw in software powering cars, hospital equipment<blockquote>黑莓拒绝宣布为汽车和医院设备提供动力的软件存在重大缺陷</blockquote>

免责声明：上述内容仅代表发帖人个人观点，不构成本平台的任何投资建议。

精彩评论

我们需要你的真知灼见来填补这片空白

发表看法

{"i18n":{"language":"zh_CN"},"detailType":1,"isChannel":false,"data":{"magic":2,"id":833299016,"tweetId":"833299016","gmtCreate":1629243738635,"gmtModify":1631893982232,"author":{"id":3573519539005968,"idStr":"3573519539005968","authorId":3573519539005968,"authorIdStr":"3573519539005968","name":"chongyeetan","avatar":"https://static.tigerbbs.com/58f6eb6730af7768ad82093944f2351a","vip":1,"userType":1,"introduction":"","boolIsFan":false,"boolIsHead":false,"crmLevel":12,"crmLevelSwitch":0,"individualDisplayBadges":[],"fanSize":31,"starInvestorFlag":false},"themes":[],"images":[],"coverImages":[],"extraTitle":"","html":"<html><head></head><body>pls like.👍</body></html>","htmlText":"<html><head></head><body>pls like.👍</body></html>","text":"pls like.👍","highlighted":1,"essential":1,"paper":1,"likeSize":6,"commentSize":1,"repostSize":0,"favoriteSize":0,"link":"https://laohu8.com/post/833299016","repostId":1154306015,"repostType":4,"repost":{"id":"1154306015","kind":"news","pubTimestamp":1629242909,"share":"https://www.laohu8.com/m/news/1154306015?lang=zh_CN&edition=full","pubTime":"2021-08-18 07:28","market":"us","language":"en","title":"BlackBerry resisted announcing major flaw in software powering cars, hospital equipment<blockquote>黑莓拒绝宣布为汽车和医院设备提供动力的软件存在重大缺陷</blockquote>","url":"https://stock-news.laohu8.com/highlight/detail?id=1154306015","media":"Politico","summary":"The former smartphone maker turned software firm resisted announcing a major vulnerability until aft","content":"The former smartphone maker turned software firm resisted announcing a major vulnerability until after federal officials stepped in.<blockquote>这家前智能手机制造商转型为软件公司，直到联邦官员介入后才拒绝宣布重大漏洞。</blockquote> <img src=\"https://static.tigerbbs.com/4cffcb9f2de035d65d5586f3be4c0053\" tg-width=\"1160\" tg-height=\"773\" width=\"100%\" height=\"auto\">BlackBerry licenses QNX to “original equipment manufacturers,” which in turn use it to build products and devices for their customers. | Matt Dunham/AP Photo<blockquote>黑莓将QNX授权给“原始设备制造商”，后者反过来使用它为客户制造产品和设备。|马特·邓纳姆/美联社照片</blockquote> A flaw in software made by BlackBerry has left two hundred million cars, along with critical hospital and factory equipment, vulnerable to hackers — and the company opted to keep it secret for months.<blockquote>黑莓制造的软件缺陷导致2亿辆汽车以及关键的医院和工厂设备容易受到黑客的攻击，该公司选择将其保密数月。</blockquote> On Tuesday, BlackBerry announced that old but still widely used versions of one of its flagship products, an operating system called QNX, contain a vulnerability that could let hackers cripple devices that use it. But other companies affected by the same flaw, dubbed BadAlloc, went public with that news in May.<blockquote>周二，黑莓宣布，其旗舰产品之一（一款名为QNX的操作系统）的旧版本但仍被广泛使用，包含一个漏洞，可能会让黑客削弱使用该漏洞的设备。但其他受到同样缺陷影响的公司（名为BadAlloc）在5月份公开了这一消息。</blockquote> Two people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn’t identify all of the customers using the software.<blockquote>两名熟悉黑莓与联邦网络安全官员之间讨论的人士（包括一名政府雇员）表示，该公司最初否认BadAlloc对其产品有任何影响，后来拒绝公开声明，尽管它无法识别所有使用该软件的客户。</blockquote> The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software — leaving hardware makers, their customers and the government in the dark about where the biggest risks lie.<blockquote>黑莓和政府之间的反复凸显了抵御网络攻击的一个主要困难，这些设备越来越多地连接到互联网，从机器人吸尘器到废水处理厂管理系统。当黑莓等公司向设备制造商出售软件时，他们很少提供进入软件的代码的详细记录——这让硬件制造商、他们的客户和政府对最大的风险在哪里一无所知。</blockquote> BlackBerry may be best known for making old-school smartphones beloved for their manual keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from&nbsp;factory machinery&nbsp;and&nbsp;medical devices&nbsp;to&nbsp;rail equipment&nbsp;and&nbsp;components on the International Space Station. BadAlloc could give hackers a backdoor into many of these devices, allowing bad actors to commandeer them or disrupt their operations.<blockquote>黑莓最出名的可能是让老式智能手机因其手动键盘而备受喜爱，但近年来它已成为工业设备软件的主要供应商，其中包括QNX，该公司为从工厂机械和医疗设备到铁路设备和国际空间站上的组件等各种产品提供动力。BadAlloc可以为黑客提供进入其中许多设备的后门，允许不良行为者征用它们或破坏它们的操作。</blockquote> Microsoft security researchers&nbsp;announced in April that they’d discovered the vulnerability&nbsp;and found it in a number of companies’ operating systems and software. In May, many of those companies worked with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to&nbsp;publicly reveal&nbsp;the flaws and urge users to patch their devices.<blockquote>微软安全研究人员四月份宣布，他们发现了该漏洞，并在许多公司的操作系统和软件中发现了该漏洞。今年5月，其中许多公司与国土安全部网络安全和基础设施安全局合作，公开披露了这些缺陷，并敦促用户修补他们的设备。</blockquote> BlackBerry wasn’t among them.<blockquote>黑莓不在其中。</blockquote> Privately, BlackBerry representatives told CISA earlier this year that they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did, according to the two people, both of whom spoke anonymously because they were not authorized to discuss the matter publicly. Over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed.<blockquote>据两位人士透露，黑莓代表今年早些时候私下告诉CISA，他们不认为BadAlloc影响了他们的产品，尽管CISA得出的结论是确实影响了他们的产品。两人都匿名发言，因为他们无权公开讨论此事。在过去的几个月里，CISA敦促黑莓接受这个坏消息，最终让他们承认漏洞的存在。</blockquote> Then BlackBerry said it didn’t intend to go public to deal with the problem. The company told CISA it planned to reach out privately to its direct customers and warn them about the QNX issue.<blockquote>随后黑莓表示不打算上市处理该问题。该公司告诉CISA，它计划私下联系其直接客户，并就QNX问题向他们发出警告。</blockquote> Technology companies sometimes prefer private vulnerability disclosures because doing so doesn’t tip off hackers that patching is underway — but also because it limits (or at least delays) any resulting public backlash and financial losses.<blockquote>科技公司有时更喜欢私下披露漏洞，因为这样做不会向黑客暗示补丁正在进行中，还因为它限制（或至少延迟）任何由此产生的公众反弹和财务损失。</blockquote> But that outreach would only cover a fraction of the affected companies, because BlackBerry also told CISA that it couldn’t identify everyone using its software in order to warn them.<blockquote>但这种外联活动只会覆盖一小部分受影响的公司，因为黑莓还告诉CISA，它无法识别使用其软件的每个人的身份来警告他们。</blockquote> That’s because BlackBerry licenses QNX to “original equipment manufacturers,” which in turn use it to build products and devices for their customers, just as Microsoft sells its Windows operating system to HP, Dell and other computer makers. BlackBerry told the government it doesn’t know where its software ends up, and the people using it don’t know where it came from. Its known customers are a comparatively small group.<blockquote>这是因为黑莓将QNX授权给“原始设备制造商”，后者反过来使用它为客户构建产品和设备，就像微软将其Windows操作系统出售给惠普、戴尔和其他计算机制造商一样。黑莓告诉政府，它不知道它的软件最终去了哪里，使用它的人也不知道它来自哪里。其已知客户是一个相对较小的群体。</blockquote> “Their initial thought was that they were going to do a private advisory,” said a CISA employee. Over time, though, BlackBerry “realized that there was more benefit to being public.”<blockquote>“他们最初的想法是做私人咨询，”CISA的一名员工说。然而，随着时间的推移，黑莓“意识到公开有更多的好处”。</blockquote> The agency produced a PowerPoint presentation, which POLITICO reviewed,stressing thatmany BlackBerrycustomers wouldn’t know aboutthe danger unless the federal government or the original equipment manufacturers told them. CISA even cited potential risks to national security and noted that the Defense Department had been involved in finding an acceptable timing for BlackBerry’s announcement.<blockquote>该机构制作了一份PowerPoint演示文稿，POLITICO对其进行了审查，强调许多黑莓客户不会知道这种危险，除非联邦政府或原始设备制造商告诉他们。CISA甚至提到了国家安全的潜在风险，并指出国防部已参与为黑莓的声明寻找可接受的时间。</blockquote> CISA argued that BlackBerry’s planned approach would leave out many users who could be in real danger. A few weeks ago, BlackBerry agreed to issue a public announcement. On Tuesday, the company&nbsp;published an alert about the vulnerability&nbsp;and urged customers to upgrade their devices to the latest QNX version. CISA&nbsp;issued its own alert&nbsp;as well.<blockquote>CISA认为，黑莓计划的方法将遗漏许多可能处于真正危险中的用户。几周前，黑莓同意发布公告。周二，该公司发布了关于该漏洞的警报，并敦促客户将他们的设备升级到最新的QNX版本。CISA也发布了自己的警报。</blockquote> In a statement to POLITICO, BlackBerry did not deny that it initially resisted a public announcement. The company said it maintains “lists of our customers and have actively communicated to those customers regarding this issue.”<blockquote>在给POLITICO的一份声明中，黑莓没有否认它最初拒绝公开声明。该公司表示，它维护着“我们的客户名单，并已就此问题与这些客户积极沟通”。</blockquote> “Software patching communications occur directly to our customers,” the company said. “However, we will make adjustments to this process in order to best serve our customers.”<blockquote>“软件修补通信直接发生在我们的客户身上，”该公司表示。“不过，我们会对这一流程进行调整，以便更好地为客户服务。”</blockquote> QNX “is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly-sensitive systems,” Eric Goldstein, the head of CISA’s cyber division, said. “While we are not aware of any active exploitation, we encourage users of QNX to review the advisory BlackBerry put out today and implement mitigation measures, including patching systems as quickly as possible.”<blockquote>CISA网络部门负责人埃里克·戈尔茨坦(Eric Goldstein)表示，QNX“用于多种产品，其泄露可能导致恶意行为者控制高度敏感的系统”。“虽然我们不知道有任何主动利用，但我们鼓励QNX用户查看黑莓今天发布的建议并实施缓解措施，包括尽快修补系统。”</blockquote> Goldstein declined to address CISA’s conversations with BlackBerry but said the agency “works regularly with companies and researchers to disclose vulnerabilities in a timely and responsible manner so that users can take steps to protect their systems.”<blockquote>Goldstein拒绝回应CISA与黑莓的对话，但表示该机构“定期与公司和研究人员合作，及时、负责任地披露漏洞，以便用户可以采取措施保护他们的系统。”</blockquote> Asked about whether the company originally believed QNX was unaffected, Blackberry said its initial investigation into affected software “identified several versions that were affected, but that list of impacted software was incomplete.”<blockquote>当被问及该公司最初是否认为QNX未受影响时，黑莓表示，其对受影响软件的初步调查“确定了受影响的几个版本，但受影响软件的列表并不完整。”</blockquote> BlackBerry is hardly the first company to disclose a bug in widely used industrial software, and cybersecurity experts say such flaws are to be expected occasionally in highly complex systems. But resolving the QNX problem will be a major task for BlackBerry and the government.<blockquote>黑莓并不是第一家披露广泛使用的工业软件中存在漏洞的公司，网络安全专家表示，在高度复杂的系统中偶尔会出现此类缺陷。但解决QNX问题将是黑莓和政府的一项重大任务。</blockquote> In a June announcement about QNX’s integration into 195 million vehicles,BlackBerry called&nbsp;the operating system “key to the future of the automotive industry” because it provides “a safe, reliable, and secure foundation” for autonomous vehicles. BlackBerry bragged that QNX was the embedded software of choice of 23 of the top 25 electric vehicle makers.<blockquote>在6月份关于QNX集成到1.95亿辆汽车中的公告中，黑莓称该操作系统是“汽车行业未来的关键”，因为它为自动驾驶汽车提供了“安全、可靠和可靠的基础”。黑莓吹嘘说，QNX是前25家电动汽车制造商中23家首选的嵌入式软件。</blockquote> The QNX vulnerability also has the Biden administration scrambling to prevent major fallout. Vulnerabilities in this code could have significant ripple effects across industries — from automotive to health care — that rely heavily on the software. In some cases, upgrading this software will require taking affected devices offline, which could jeopardize business operations.<blockquote>QNX漏洞也让拜登政府争先恐后地防止重大影响。此代码中的漏洞可能会对严重依赖该软件的行业（从汽车到医疗保健）产生重大连锁反应。在某些情况下，升级此软件需要使受影响的设备离线，这可能会危及业务运营。</blockquote> “By compromising one critical system, [hackers] can potentially hit thousands of actors down that line globally,” said William Loomis, an assistant director at the Atlantic Council’s Cyber Statecraft Initiative. “This is a really clear example of a good return on investment for those actors, which is what makes these attacks so valuable for them.”<blockquote>大西洋理事会网络治国计划助理主任威廉·卢米斯(William Loomis)表示：“通过危害一个关键系统，[黑客]可能会攻击全球数千名参与者。”“这是这些行为者获得良好投资回报的一个非常明显的例子，这就是这些攻击对他们来说如此有价值的原因。”</blockquote> After analyzing the industries where QNX was most prevalent, CISA worked with those industries’ regulators to understand the “major players” and warn them to patch the vulnerability, the agency employee said.<blockquote>该机构员工表示，在分析了QNX最流行的行业后，CISA与这些行业的监管机构合作，了解“主要参与者”并警告他们修补漏洞。</blockquote> Goldstein confirmed that CISA “coordinated with federal agencies overseeing the highest risk sectors to understand the significance of this vulnerability and the importance of remediating it.”<blockquote>Goldstein证实，CISA“与监管最高风险部门的联邦机构协调，以了解这一漏洞的重要性以及修复它的重要性。”</blockquote> CISA also planned to brief foreign governments about the risks, according to the PowerPoint presentation.<blockquote>根据PowerPoint演示文稿，CISA还计划向外国政府简要介绍风险。</blockquote> BlackBerry is far from unique in knowing little about what happens to its products after it sells them to its customers, but for industrial software like QNX, that supply-chain blindness can create national security risks.<blockquote>黑莓并不是唯一一家对其产品出售给客户后会发生什么知之甚少的公司，但对于像QNX这样的工业软件来说，供应链盲目性可能会造成国家安全风险。</blockquote> “Software supply chain security is one of America’s greatest vulnerabilities,” said Andy Keiser, a former top House Intelligence Committee staffer. “As one of the most connected societies on the planet, we remain one of the most vulnerable.”<blockquote>“软件供应链安全是美国最大的漏洞之一，”前众议院情报委员会高级工作人员安迪·凯瑟说。“作为地球上联系最紧密的社会之一，我们仍然是最脆弱的社会之一。”</blockquote> But rather than expecting vendors to identify all of their customers, security experts say, companies should publish lists of the types of the code included in their software, so customers can check to see if they’re using code that has been found to be vulnerable.<blockquote>但安全专家表示，公司不应期望供应商识别所有客户，而应公布其软件中包含的代码类型列表，以便客户可以检查他们是否使用了被发现存在漏洞的代码。</blockquote> “BlackBerry cannot possibly fully understand the impact of a vulnerability in all cases,” said David Wheeler, a George Mason University computer science professor and director of open source supply chain security at the Linux Foundation, the group that supports the development of the Linux operating system. “We need to focus on helping people understand the software components within their systems, and help them update in a more timely way.”<blockquote>George Mason大学计算机科学教授、Linux基金会开源供应链安全总监David Wheeler表示：“黑莓不可能在所有情况下都完全了解漏洞的影响。”操作系统。“我们需要专注于帮助人们了解他们系统中的软件组件，并帮助他们更及时地进行更新。”</blockquote> For years, the Commerce Department’s National Telecommunications and Information Administration has been&nbsp;convening industry representatives to develop the foundation&nbsp;for this kind of digital ingredient list, known as a “software bill of materials.” In July, NTIA published&nbsp;guidance on the minimum elements needed for an SBOM, following a directive from President Joe Biden’s cybersecurity executive order.<blockquote>多年来，商务部国家电信和信息管理局一直在召集行业代表为这种数字成分列表（称为“软件材料清单”）奠定基础。7月，根据乔·拜登总统网络安全行政命令的指示，NTIA发布了关于SBOM所需最低要素的指南。</blockquote> Armed with an SBOM, a car maker or medical device manufacturer that learned of a software issue such as the QNX breach could quickly check to see if any of its products were affected.<blockquote>有了SBOM，得知QNX漏洞等软件问题的汽车制造商或医疗设备制造商可以快速检查其产品是否受到影响。</blockquote> SBOMs wouldn’t prevent hackers from discovering and exploiting vulnerabilities, and the lists alone cannot tell companies&nbsp;whether a particular flaw actually poses a risk&nbsp;to their particular systems. But these ingredient labels can dramatically speed up the process of patching flaws, especially for companies that have no idea what software undergirds their products.<blockquote>SBOM不会阻止黑客发现和利用漏洞，仅靠列表无法告诉公司某个特定缺陷是否真的对其特定系统构成风险。但是这些成分标签可以大大加快修补缺陷的过程，特别是对于那些不知道什么软件支持他们的产品的公司来说。</blockquote> “Buying software is only the start of the transaction. It is not the end,” said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.<blockquote>大西洋理事会网络治国倡议主任特雷·赫尔说，“购买软件只是交易的开始。它并不是结束。”</blockquote> “It's not a new problem,” Herr added. “It’s not a problem that’s going away, and what we are doing right now is insufficient for the scale of that problem.”<blockquote>“这不是一个新问题，”赫尔补充道。“这不是一个会消失的问题，我们现在所做的还不足以解决这个问题的规模。”</blockquote>","source":"lsy1629242905336","collect":0,"html":"<!DOCTYPE html>\n<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no\"/>\n<meta name=\"format-detection\" content=\"telephone=no,email=no,address=no\" />\n<title>BlackBerry resisted announcing major flaw in software powering cars, hospital equipment<blockquote>黑莓拒绝宣布为汽车和医院设备提供动力的软件存在重大缺陷</blockquote></title>\n<style type=\"text/css\">\na,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,\nem,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,\nobject,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{ font:inherit;margin:0;padding:0;vertical-align:baseline;border:0 }\nbody{ font-size:16px; line-height:1.5; color:#999; background:transparent; }\n.wrapper{ overflow:hidden;word-break:break-all;padding:10px; }\nh1,h2{ font-weight:normal; line-height:1.35; margin-bottom:.6em; }\nh3,h4,h5,h6{ line-height:1.35; margin-bottom:1em; }\nh1{ font-size:24px; }\nh2{ font-size:20px; }\nh3{ font-size:18px; }\nh4{ font-size:16px; }\nh5{ font-size:14px; }\nh6{ font-size:12px; }\np,ul,ol,blockquote,dl,table{ margin:1.2em 0; }\nul,ol{ margin-left:2em; }\nul{ list-style:disc; }\nol{ list-style:decimal; }\nli,li p{ margin:10px 0;}\nimg{ max-width:100%;display:block;margin:0 auto 1em; }\nblockquote{ color:#B5B2B1; border-left:3px solid #aaa; padding:1em; }\nstrong,b{font-weight:bold;}\nem,i{font-style:italic;}\ntable{ width:100%;border-collapse:collapse;border-spacing:1px;margin:1em 0;font-size:.9em; }\nth,td{ padding:5px;text-align:left;border:1px solid #aaa; }\nth{ font-weight:bold;background:#5d5d5d; }\n.symbol-link{font-weight:bold;}\n/* header{ border-bottom:1px solid #494756; } */\n.title{ margin:0 0 8px;line-height:1.3;color:#ddd; }\n.meta {color:#5e5c6d;font-size:13px;margin:0 0 .5em; }\na{text-decoration:none; color:#2a4b87;}\n.meta .head { display: inline-block; overflow: hidden}\n.head .h-thumb { width: 30px; height: 30px; margin: 0; padding: 0; border-radius: 50%; float: left;}\n.head .h-content { margin: 0; padding: 0 0 0 9px; float: left;}\n.head .h-name {font-size: 13px; color: #eee; margin: 0;}\n.head .h-time {font-size: 12.5px; color: #7E829C; margin: 0;}\n.small {font-size: 12.5px; display: inline-block; transform: scale(0.9); -webkit-transform: scale(0.9); transform-origin: left; -webkit-transform-origin: left;}\n.smaller {font-size: 12.5px; display: inline-block; transform: scale(0.8); -webkit-transform: scale(0.8); transform-origin: left; -webkit-transform-origin: left;}\n.bt-text {font-size: 12px;margin: 1.5em 0 0 0}\n.bt-text p {margin: 0}\n</style>\n</head>\n<body>\n<div class=\"wrapper\">\n<header>\n<h2 class=\"title\">\nBlackBerry resisted announcing major flaw in software powering cars, hospital equipment<blockquote>黑莓拒绝宣布为汽车和医院设备提供动力的软件存在重大缺陷</blockquote>\n</h2>\n<h4 class=\"meta\">\n\nPolitico2021-08-18 07:28\n\n</h4>\n</header>\n<article>\nThe former smartphone maker turned software firm resisted announcing a major vulnerability until after federal officials stepped in.<blockquote>这家前智能手机制造商转型为软件公司，直到联邦官员介入后才拒绝宣布重大漏洞。</blockquote> <img src=\"https://static.tigerbbs.com/4cffcb9f2de035d65d5586f3be4c0053\" tg-width=\"1160\" tg-height=\"773\" width=\"100%\" height=\"auto\">BlackBerry licenses QNX to “original equipment manufacturers,” which in turn use it to build products and devices for their customers. | Matt Dunham/AP Photo<blockquote>黑莓将QNX授权给“原始设备制造商”，后者反过来使用它为客户制造产品和设备。|马特·邓纳姆/美联社照片</blockquote> A flaw in software made by BlackBerry has left two hundred million cars, along with critical hospital and factory equipment, vulnerable to hackers — and the company opted to keep it secret for months.<blockquote>黑莓制造的软件缺陷导致2亿辆汽车以及关键的医院和工厂设备容易受到黑客的攻击，该公司选择将其保密数月。</blockquote> On Tuesday, BlackBerry announced that old but still widely used versions of one of its flagship products, an operating system called QNX, contain a vulnerability that could let hackers cripple devices that use it. But other companies affected by the same flaw, dubbed BadAlloc, went public with that news in May.<blockquote>周二，黑莓宣布，其旗舰产品之一（一款名为QNX的操作系统）的旧版本但仍被广泛使用，包含一个漏洞，可能会让黑客削弱使用该漏洞的设备。但其他受到同样缺陷影响的公司（名为BadAlloc）在5月份公开了这一消息。</blockquote> Two people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn’t identify all of the customers using the software.<blockquote>两名熟悉黑莓与联邦网络安全官员之间讨论的人士（包括一名政府雇员）表示，该公司最初否认BadAlloc对其产品有任何影响，后来拒绝公开声明，尽管它无法识别所有使用该软件的客户。</blockquote> The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software — leaving hardware makers, their customers and the government in the dark about where the biggest risks lie.<blockquote>黑莓和政府之间的反复凸显了抵御网络攻击的一个主要困难，这些设备越来越多地连接到互联网，从机器人吸尘器到废水处理厂管理系统。当黑莓等公司向设备制造商出售软件时，他们很少提供进入软件的代码的详细记录——这让硬件制造商、他们的客户和政府对最大的风险在哪里一无所知。</blockquote> BlackBerry may be best known for making old-school smartphones beloved for their manual keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from&nbsp;factory machinery&nbsp;and&nbsp;medical devices&nbsp;to&nbsp;rail equipment&nbsp;and&nbsp;components on the International Space Station. BadAlloc could give hackers a backdoor into many of these devices, allowing bad actors to commandeer them or disrupt their operations.<blockquote>黑莓最出名的可能是让老式智能手机因其手动键盘而备受喜爱，但近年来它已成为工业设备软件的主要供应商，其中包括QNX，该公司为从工厂机械和医疗设备到铁路设备和国际空间站上的组件等各种产品提供动力。BadAlloc可以为黑客提供进入其中许多设备的后门，允许不良行为者征用它们或破坏它们的操作。</blockquote> Microsoft security researchers&nbsp;announced in April that they’d discovered the vulnerability&nbsp;and found it in a number of companies’ operating systems and software. In May, many of those companies worked with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to&nbsp;publicly reveal&nbsp;the flaws and urge users to patch their devices.<blockquote>微软安全研究人员四月份宣布，他们发现了该漏洞，并在许多公司的操作系统和软件中发现了该漏洞。今年5月，其中许多公司与国土安全部网络安全和基础设施安全局合作，公开披露了这些缺陷，并敦促用户修补他们的设备。</blockquote> BlackBerry wasn’t among them.<blockquote>黑莓不在其中。</blockquote> Privately, BlackBerry representatives told CISA earlier this year that they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did, according to the two people, both of whom spoke anonymously because they were not authorized to discuss the matter publicly. Over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed.<blockquote>据两位人士透露，黑莓代表今年早些时候私下告诉CISA，他们不认为BadAlloc影响了他们的产品，尽管CISA得出的结论是确实影响了他们的产品。两人都匿名发言，因为他们无权公开讨论此事。在过去的几个月里，CISA敦促黑莓接受这个坏消息，最终让他们承认漏洞的存在。</blockquote> Then BlackBerry said it didn’t intend to go public to deal with the problem. The company told CISA it planned to reach out privately to its direct customers and warn them about the QNX issue.<blockquote>随后黑莓表示不打算上市处理该问题。该公司告诉CISA，它计划私下联系其直接客户，并就QNX问题向他们发出警告。</blockquote> Technology companies sometimes prefer private vulnerability disclosures because doing so doesn’t tip off hackers that patching is underway — but also because it limits (or at least delays) any resulting public backlash and financial losses.<blockquote>科技公司有时更喜欢私下披露漏洞，因为这样做不会向黑客暗示补丁正在进行中，还因为它限制（或至少延迟）任何由此产生的公众反弹和财务损失。</blockquote> But that outreach would only cover a fraction of the affected companies, because BlackBerry also told CISA that it couldn’t identify everyone using its software in order to warn them.<blockquote>但这种外联活动只会覆盖一小部分受影响的公司，因为黑莓还告诉CISA，它无法识别使用其软件的每个人的身份来警告他们。</blockquote> That’s because BlackBerry licenses QNX to “original equipment manufacturers,” which in turn use it to build products and devices for their customers, just as Microsoft sells its Windows operating system to HP, Dell and other computer makers. BlackBerry told the government it doesn’t know where its software ends up, and the people using it don’t know where it came from. Its known customers are a comparatively small group.<blockquote>这是因为黑莓将QNX授权给“原始设备制造商”，后者反过来使用它为客户构建产品和设备，就像微软将其Windows操作系统出售给惠普、戴尔和其他计算机制造商一样。黑莓告诉政府，它不知道它的软件最终去了哪里，使用它的人也不知道它来自哪里。其已知客户是一个相对较小的群体。</blockquote> “Their initial thought was that they were going to do a private advisory,” said a CISA employee. Over time, though, BlackBerry “realized that there was more benefit to being public.”<blockquote>“他们最初的想法是做私人咨询，”CISA的一名员工说。然而，随着时间的推移，黑莓“意识到公开有更多的好处”。</blockquote> The agency produced a PowerPoint presentation, which POLITICO reviewed,stressing thatmany BlackBerrycustomers wouldn’t know aboutthe danger unless the federal government or the original equipment manufacturers told them. CISA even cited potential risks to national security and noted that the Defense Department had been involved in finding an acceptable timing for BlackBerry’s announcement.<blockquote>该机构制作了一份PowerPoint演示文稿，POLITICO对其进行了审查，强调许多黑莓客户不会知道这种危险，除非联邦政府或原始设备制造商告诉他们。CISA甚至提到了国家安全的潜在风险，并指出国防部已参与为黑莓的声明寻找可接受的时间。</blockquote> CISA argued that BlackBerry’s planned approach would leave out many users who could be in real danger. A few weeks ago, BlackBerry agreed to issue a public announcement. On Tuesday, the company&nbsp;published an alert about the vulnerability&nbsp;and urged customers to upgrade their devices to the latest QNX version. CISA&nbsp;issued its own alert&nbsp;as well.<blockquote>CISA认为，黑莓计划的方法将遗漏许多可能处于真正危险中的用户。几周前，黑莓同意发布公告。周二，该公司发布了关于该漏洞的警报，并敦促客户将他们的设备升级到最新的QNX版本。CISA也发布了自己的警报。</blockquote> In a statement to POLITICO, BlackBerry did not deny that it initially resisted a public announcement. The company said it maintains “lists of our customers and have actively communicated to those customers regarding this issue.”<blockquote>在给POLITICO的一份声明中，黑莓没有否认它最初拒绝公开声明。该公司表示，它维护着“我们的客户名单，并已就此问题与这些客户积极沟通”。</blockquote> “Software patching communications occur directly to our customers,” the company said. “However, we will make adjustments to this process in order to best serve our customers.”<blockquote>“软件修补通信直接发生在我们的客户身上，”该公司表示。“不过，我们会对这一流程进行调整，以便更好地为客户服务。”</blockquote> QNX “is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly-sensitive systems,” Eric Goldstein, the head of CISA’s cyber division, said. “While we are not aware of any active exploitation, we encourage users of QNX to review the advisory BlackBerry put out today and implement mitigation measures, including patching systems as quickly as possible.”<blockquote>CISA网络部门负责人埃里克·戈尔茨坦(Eric Goldstein)表示，QNX“用于多种产品，其泄露可能导致恶意行为者控制高度敏感的系统”。“虽然我们不知道有任何主动利用，但我们鼓励QNX用户查看黑莓今天发布的建议并实施缓解措施，包括尽快修补系统。”</blockquote> Goldstein declined to address CISA’s conversations with BlackBerry but said the agency “works regularly with companies and researchers to disclose vulnerabilities in a timely and responsible manner so that users can take steps to protect their systems.”<blockquote>Goldstein拒绝回应CISA与黑莓的对话，但表示该机构“定期与公司和研究人员合作，及时、负责任地披露漏洞，以便用户可以采取措施保护他们的系统。”</blockquote> Asked about whether the company originally believed QNX was unaffected, Blackberry said its initial investigation into affected software “identified several versions that were affected, but that list of impacted software was incomplete.”<blockquote>当被问及该公司最初是否认为QNX未受影响时，黑莓表示，其对受影响软件的初步调查“确定了受影响的几个版本，但受影响软件的列表并不完整。”</blockquote> BlackBerry is hardly the first company to disclose a bug in widely used industrial software, and cybersecurity experts say such flaws are to be expected occasionally in highly complex systems. But resolving the QNX problem will be a major task for BlackBerry and the government.<blockquote>黑莓并不是第一家披露广泛使用的工业软件中存在漏洞的公司，网络安全专家表示，在高度复杂的系统中偶尔会出现此类缺陷。但解决QNX问题将是黑莓和政府的一项重大任务。</blockquote> In a June announcement about QNX’s integration into 195 million vehicles,BlackBerry called&nbsp;the operating system “key to the future of the automotive industry” because it provides “a safe, reliable, and secure foundation” for autonomous vehicles. BlackBerry bragged that QNX was the embedded software of choice of 23 of the top 25 electric vehicle makers.<blockquote>在6月份关于QNX集成到1.95亿辆汽车中的公告中，黑莓称该操作系统是“汽车行业未来的关键”，因为它为自动驾驶汽车提供了“安全、可靠和可靠的基础”。黑莓吹嘘说，QNX是前25家电动汽车制造商中23家首选的嵌入式软件。</blockquote> The QNX vulnerability also has the Biden administration scrambling to prevent major fallout. Vulnerabilities in this code could have significant ripple effects across industries — from automotive to health care — that rely heavily on the software. In some cases, upgrading this software will require taking affected devices offline, which could jeopardize business operations.<blockquote>QNX漏洞也让拜登政府争先恐后地防止重大影响。此代码中的漏洞可能会对严重依赖该软件的行业（从汽车到医疗保健）产生重大连锁反应。在某些情况下，升级此软件需要使受影响的设备离线，这可能会危及业务运营。</blockquote> “By compromising one critical system, [hackers] can potentially hit thousands of actors down that line globally,” said William Loomis, an assistant director at the Atlantic Council’s Cyber Statecraft Initiative. “This is a really clear example of a good return on investment for those actors, which is what makes these attacks so valuable for them.”<blockquote>大西洋理事会网络治国计划助理主任威廉·卢米斯(William Loomis)表示：“通过危害一个关键系统，[黑客]可能会攻击全球数千名参与者。”“这是这些行为者获得良好投资回报的一个非常明显的例子，这就是这些攻击对他们来说如此有价值的原因。”</blockquote> After analyzing the industries where QNX was most prevalent, CISA worked with those industries’ regulators to understand the “major players” and warn them to patch the vulnerability, the agency employee said.<blockquote>该机构员工表示，在分析了QNX最流行的行业后，CISA与这些行业的监管机构合作，了解“主要参与者”并警告他们修补漏洞。</blockquote> Goldstein confirmed that CISA “coordinated with federal agencies overseeing the highest risk sectors to understand the significance of this vulnerability and the importance of remediating it.”<blockquote>Goldstein证实，CISA“与监管最高风险部门的联邦机构协调，以了解这一漏洞的重要性以及修复它的重要性。”</blockquote> CISA also planned to brief foreign governments about the risks, according to the PowerPoint presentation.<blockquote>根据PowerPoint演示文稿，CISA还计划向外国政府简要介绍风险。</blockquote> BlackBerry is far from unique in knowing little about what happens to its products after it sells them to its customers, but for industrial software like QNX, that supply-chain blindness can create national security risks.<blockquote>黑莓并不是唯一一家对其产品出售给客户后会发生什么知之甚少的公司，但对于像QNX这样的工业软件来说，供应链盲目性可能会造成国家安全风险。</blockquote> “Software supply chain security is one of America’s greatest vulnerabilities,” said Andy Keiser, a former top House Intelligence Committee staffer. “As one of the most connected societies on the planet, we remain one of the most vulnerable.”<blockquote>“软件供应链安全是美国最大的漏洞之一，”前众议院情报委员会高级工作人员安迪·凯瑟说。“作为地球上联系最紧密的社会之一，我们仍然是最脆弱的社会之一。”</blockquote> But rather than expecting vendors to identify all of their customers, security experts say, companies should publish lists of the types of the code included in their software, so customers can check to see if they’re using code that has been found to be vulnerable.<blockquote>但安全专家表示，公司不应期望供应商识别所有客户，而应公布其软件中包含的代码类型列表，以便客户可以检查他们是否使用了被发现存在漏洞的代码。</blockquote> “BlackBerry cannot possibly fully understand the impact of a vulnerability in all cases,” said David Wheeler, a George Mason University computer science professor and director of open source supply chain security at the Linux Foundation, the group that supports the development of the Linux operating system. “We need to focus on helping people understand the software components within their systems, and help them update in a more timely way.”<blockquote>George Mason大学计算机科学教授、Linux基金会开源供应链安全总监David Wheeler表示：“黑莓不可能在所有情况下都完全了解漏洞的影响。”操作系统。“我们需要专注于帮助人们了解他们系统中的软件组件，并帮助他们更及时地进行更新。”</blockquote> For years, the Commerce Department’s National Telecommunications and Information Administration has been&nbsp;convening industry representatives to develop the foundation&nbsp;for this kind of digital ingredient list, known as a “software bill of materials.” In July, NTIA published&nbsp;guidance on the minimum elements needed for an SBOM, following a directive from President Joe Biden’s cybersecurity executive order.<blockquote>多年来，商务部国家电信和信息管理局一直在召集行业代表为这种数字成分列表（称为“软件材料清单”）奠定基础。7月，根据乔·拜登总统网络安全行政命令的指示，NTIA发布了关于SBOM所需最低要素的指南。</blockquote> Armed with an SBOM, a car maker or medical device manufacturer that learned of a software issue such as the QNX breach could quickly check to see if any of its products were affected.<blockquote>有了SBOM，得知QNX漏洞等软件问题的汽车制造商或医疗设备制造商可以快速检查其产品是否受到影响。</blockquote> SBOMs wouldn’t prevent hackers from discovering and exploiting vulnerabilities, and the lists alone cannot tell companies&nbsp;whether a particular flaw actually poses a risk&nbsp;to their particular systems. But these ingredient labels can dramatically speed up the process of patching flaws, especially for companies that have no idea what software undergirds their products.<blockquote>SBOM不会阻止黑客发现和利用漏洞，仅靠列表无法告诉公司某个特定缺陷是否真的对其特定系统构成风险。但是这些成分标签可以大大加快修补缺陷的过程，特别是对于那些不知道什么软件支持他们的产品的公司来说。</blockquote> “Buying software is only the start of the transaction. It is not the end,” said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.<blockquote>大西洋理事会网络治国倡议主任特雷·赫尔说，“购买软件只是交易的开始。它并不是结束。”</blockquote> “It's not a new problem,” Herr added. “It’s not a problem that’s going away, and what we are doing right now is insufficient for the scale of that problem.”<blockquote>“这不是一个新问题，”赫尔补充道。“这不是一个会消失的问题，我们现在所做的还不足以解决这个问题的规模。”</blockquote>\n<div class=\"bt-text\">\n\n\n 来源：<a href=\"https://www.politico.com/news/2021/08/17/blackberry-qnx-vulnerability-hackers-505649\">Politico</a>\n为提升您的阅读体验，我们对本页面进行了排版优化\n\n\n</div>\n</article>\n</div>\n</body>\n</html>\n","type":0,"thumbnail":"","relate_stocks":{"BB":"黑莓"},"source_url":"https://www.politico.com/news/2021/08/17/blackberry-qnx-vulnerability-hackers-505649","is_english":true,"share_image_url":"https://static.laohu8.com/e9f99090a1c2ed51c021029395664489","article_id":"1154306015","content_text":"The former smartphone maker turned software firm resisted announcing a major vulnerability until after federal officials stepped in.\nBlackBerry licenses QNX to “original equipment manufacturers,” which in turn use it to build products and devices for their customers. | Matt Dunham/AP Photo\nA flaw in software made by BlackBerry has left two hundred million cars, along with critical hospital and factory equipment, vulnerable to hackers — and the company opted to keep it secret for months.\nOn Tuesday, BlackBerry announced that old but still widely used versions of one of its flagship products, an operating system called QNX, contain a vulnerability that could let hackers cripple devices that use it. But other companies affected by the same flaw, dubbed BadAlloc, went public with that news in May.\n\n\nTwo people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn’t identify all of the customers using the software.\n\n\nThe back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software — leaving hardware makers, their customers and the government in the dark about where the biggest risks lie.\nBlackBerry may be best known for making old-school smartphones beloved for their manual keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from factory machinery and medical devices to rail equipment and components on the International Space Station. BadAlloc could give hackers a backdoor into many of these devices, allowing bad actors to commandeer them or disrupt their operations.\nMicrosoft security researchers announced in April that they’d discovered the vulnerability and found it in a number of companies’ operating systems and software. In May, many of those companies worked with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to publicly reveal the flaws and urge users to patch their devices.\nBlackBerry wasn’t among them.\nPrivately, BlackBerry representatives told CISA earlier this year that they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did, according to the two people, both of whom spoke anonymously because they were not authorized to discuss the matter publicly. Over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed.\nThen BlackBerry said it didn’t intend to go public to deal with the problem. The company told CISA it planned to reach out privately to its direct customers and warn them about the QNX issue.\nTechnology companies sometimes prefer private vulnerability disclosures because doing so doesn’t tip off hackers that patching is underway — but also because it limits (or at least delays) any resulting public backlash and financial losses.\nBut that outreach would only cover a fraction of the affected companies, because BlackBerry also told CISA that it couldn’t identify everyone using its software in order to warn them.\nThat’s because BlackBerry licenses QNX to “original equipment manufacturers,” which in turn use it to build products and devices for their customers, just as Microsoft sells its Windows operating system to HP, Dell and other computer makers. BlackBerry told the government it doesn’t know where its software ends up, and the people using it don’t know where it came from. Its known customers are a comparatively small group.\n“Their initial thought was that they were going to do a private advisory,” said a CISA employee. Over time, though, BlackBerry “realized that there was more benefit to being public.”\nThe agency produced a PowerPoint presentation, which POLITICO reviewed,stressing thatmany BlackBerrycustomers wouldn’t know aboutthe danger unless the federal government or the original equipment manufacturers told them. CISA even cited potential risks to national security and noted that the Defense Department had been involved in finding an acceptable timing for BlackBerry’s announcement.\nCISA argued that BlackBerry’s planned approach would leave out many users who could be in real danger. A few weeks ago, BlackBerry agreed to issue a public announcement. On Tuesday, the company published an alert about the vulnerability and urged customers to upgrade their devices to the latest QNX version. CISA issued its own alert as well.\nIn a statement to POLITICO, BlackBerry did not deny that it initially resisted a public announcement. The company said it maintains “lists of our customers and have actively communicated to those customers regarding this issue.”\n“Software patching communications occur directly to our customers,” the company said. “However, we will make adjustments to this process in order to best serve our customers.”\nQNX “is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly-sensitive systems,” Eric Goldstein, the head of CISA’s cyber division, said. “While we are not aware of any active exploitation, we encourage users of QNX to review the advisory BlackBerry put out today and implement mitigation measures, including patching systems as quickly as possible.”\nGoldstein declined to address CISA’s conversations with BlackBerry but said the agency “works regularly with companies and researchers to disclose vulnerabilities in a timely and responsible manner so that users can take steps to protect their systems.”\nAsked about whether the company originally believed QNX was unaffected, Blackberry said its initial investigation into affected software “identified several versions that were affected, but that list of impacted software was incomplete.”\nBlackBerry is hardly the first company to disclose a bug in widely used industrial software, and cybersecurity experts say such flaws are to be expected occasionally in highly complex systems. But resolving the QNX problem will be a major task for BlackBerry and the government.\nIn a June announcement about QNX’s integration into 195 million vehicles,BlackBerry called the operating system “key to the future of the automotive industry” because it provides “a safe, reliable, and secure foundation” for autonomous vehicles. BlackBerry bragged that QNX was the embedded software of choice of 23 of the top 25 electric vehicle makers.\nThe QNX vulnerability also has the Biden administration scrambling to prevent major fallout. Vulnerabilities in this code could have significant ripple effects across industries — from automotive to health care — that rely heavily on the software. In some cases, upgrading this software will require taking affected devices offline, which could jeopardize business operations.\n“By compromising one critical system, [hackers] can potentially hit thousands of actors down that line globally,” said William Loomis, an assistant director at the Atlantic Council’s Cyber Statecraft Initiative. “This is a really clear example of a good return on investment for those actors, which is what makes these attacks so valuable for them.”\nAfter analyzing the industries where QNX was most prevalent, CISA worked with those industries’ regulators to understand the “major players” and warn them to patch the vulnerability, the agency employee said.\nGoldstein confirmed that CISA “coordinated with federal agencies overseeing the highest risk sectors to understand the significance of this vulnerability and the importance of remediating it.”\nCISA also planned to brief foreign governments about the risks, according to the PowerPoint presentation.\nBlackBerry is far from unique in knowing little about what happens to its products after it sells them to its customers, but for industrial software like QNX, that supply-chain blindness can create national security risks.\n“Software supply chain security is one of America’s greatest vulnerabilities,” said Andy Keiser, a former top House Intelligence Committee staffer. “As one of the most connected societies on the planet, we remain one of the most vulnerable.”\nBut rather than expecting vendors to identify all of their customers, security experts say, companies should publish lists of the types of the code included in their software, so customers can check to see if they’re using code that has been found to be vulnerable.\n“BlackBerry cannot possibly fully understand the impact of a vulnerability in all cases,” said David Wheeler, a George Mason University computer science professor and director of open source supply chain security at the Linux Foundation, the group that supports the development of the Linux operating system. “We need to focus on helping people understand the software components within their systems, and help them update in a more timely way.”\nFor years, the Commerce Department’s National Telecommunications and Information Administration has been convening industry representatives to develop the foundation for this kind of digital ingredient list, known as a “software bill of materials.” In July, NTIA published guidance on the minimum elements needed for an SBOM, following a directive from President Joe Biden’s cybersecurity executive order.\nArmed with an SBOM, a car maker or medical device manufacturer that learned of a software issue such as the QNX breach could quickly check to see if any of its products were affected.\nSBOMs wouldn’t prevent hackers from discovering and exploiting vulnerabilities, and the lists alone cannot tell companies whether a particular flaw actually poses a risk to their particular systems. But these ingredient labels can dramatically speed up the process of patching flaws, especially for companies that have no idea what software undergirds their products.\n“Buying software is only the start of the transaction. It is not the end,” said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.\n“It's not a new problem,” Herr added. “It’s not a problem that’s going away, and what we are doing right now is insufficient for the scale of that problem.”","news_type":1,"symbols_score_info":{"BB":0.9}},"isVote":1,"tweetType":1,"viewCount":580,"commentLimit":10,"likeStatus":false,"favoriteStatus":false,"reportStatus":false,"symbols":[],"verified":2,"subType":0,"readableState":1,"langContent":"EN","currentLanguage":"EN","warmUpFlag":false,"orderFlag":false,"shareable":true,"causeOfNotShareable":"","featuresForAnalytics":[],"commentAndTweetFlag":false,"andRepostAutoSelectedFlag":false,"upFlag":false,"length":10,"xxTargetLangEnum":"ORIG"},"commentList":[],"isCommentEnd":true,"isTiger":false,"isWeiXinMini":false,"url":"/m/post/833299016"}