TED Talk: Has your personal privacy been leaked?
A few days ago, stand-up comedian Chizi (池子) accused China CITIC Bank of leaking his personal bank account transaction records and violating his privacy. The news caused a public outcry.
CITIC Bank has since apologized. The incident has also raised wider concerns about personal privacy: if a bank behaves this way, what about other organizations? In this era of networked big data, our personal information is recorded by all kinds of apps and location-tracking software. Will that data be sold, or exploited?
In this talk, cybersecurity expert Eva Galperin describes the emerging danger of stalkerware and offers advice on how to protect yourself. Let's take a look!
Speaker: Eva Galperin
Digital security expert and Director of Cybersecurity at the Electronic Frontier Foundation, an online-safety organization dedicated to protecting the privacy of vulnerable groups.
I want you to travel back in time with me, to the before time, to 2017. I don't know if you can remember it, dinosaurs were roaming the earth. I was a security researcher, I had spent about five or six years doing research on the ways in which APTs, which is short for advanced persistent threats, which stands for nation-state actors, spy on journalists and activists and lawyers and scientists and just generally people who speak truth to power.
And I'd been doing this for a while when I discovered that one of my fellow researchers, with whom I had been doing this all this time, was allegedly a serial rapist. So the first thing that I did was I read a bunch of articles about this.
And in January of 2018, I read an article with some of his alleged victims. And one of the things that really struck me about this article is how scared they were.
They were really frightened, they had, you know, tape over the cameras on their phones and on their laptops, and what they were worried about was that he was a hacker and he was going to hack into their stuff and he was going to ruin their lives. And this had kept them silent for a really long time.
So, I was furious. And I didn't want anyone to ever feel that way again. So I did what I usually do when I'm angry: I tweeted.
And the thing that I tweeted was that if you are a woman who has been sexually abused by a hacker and that hacker has threatened to break into your devices, that you could contact me and I would try to make sure that your device got a full, sort of, forensic look over. And then I went to lunch.
Ten thousand retweets later,
I had accidentally started a project.
So every morning, I woke up and my mailbox was full. It was full of the stories of men and women telling me the worst thing that had ever happened to them.
I was contacted by women who were being spied on by men, by men who were being spied on by men, by women who were being spied on by women, but the vast majority of the people contacting me were women who had been sexually abused by men who were now spying on them.
The one particularly interesting case involved a man who came to me, because his boyfriend had outed him as gay to his extremely conservative Korean family. So this is not just a men-spying-on-women issue.
And I'm here to share what I learned from this experience. What I learned is that data leaks. It's like water. It gets in places you don't want it. Humans leak. Your friends give away information about you. Your family gives away information about you.
You go to a party, somebody tags you as having been there. And this is one of the ways in which abusers pick up information about you that you don't otherwise want them to know. It is not uncommon for abusers to go to friends and family and ask for information about their victims under the guise of being concerned about their "mental health."
A form of leak that I saw was actually what we call account compromise. So your Gmail account, your Twitter account, your Instagram account, your iCloud, your Apple ID, your Netflix, your TikTok -- I had to figure out what a TikTok was. If it had a login, I saw it compromised.
And the reason for that is because your abuser is not always your abuser. It is really common for people in relationships to share passwords. Furthermore, people who are intimate, who know a lot about each other, can guess each other's security questions.
Or they can look over each other's shoulders to see what code they're using in order to lock their phones. They frequently have physical access to the phone, or they have physical access to the laptop. And this gives them a lot of opportunity to do things to people's accounts, which is very dangerous.
The good news is that we have advice for people to lock down their accounts. This advice already exists, and it comes down to this: Use strong, unique passwords for all of your accounts.
Use more strong, unique passwords as the answers to your security questions, so that somebody who knows the name of your childhood pet can't reset your password.
And finally, turn on the highest level of two-factor authentication that you're comfortable using. So that even if an abuser manages to steal your password, because they don't have the second factor, they will not be able to log into your account.
The other thing that you should do is you should take a look at the security and privacy tabs for most of your accounts. Most accounts have a security or privacy tab that tells you what devices are logging in, and it tells you where they're logging in from.
For example, here I am, logging in to Facebook from the La Quinta, where we are having this meeting, and if for example, I took a look at my Facebook logins and I saw somebody logging in from Dubai, I would find that suspicious, because I have not been to Dubai in some time.
But sometimes, it really is a RAT. If by RAT you mean remote access tool. And remote access tool is essentially what we mean when we say stalkerware. So one of the reasons why getting full access to your device is really tempting for governments is the same reason why getting full access to your device is tempting for abusive partners and former partners.
We carry tracking devices around in our pockets all day long. We carry devices that contain all of our passwords, all of our communications, including our end-to-end encrypted communications.
All of our emails, all of our contacts, all of our selfies are all in one place, often our financial information is also in this place. And so, full access to a person's phone is the next best thing to full access to a person's mind.
And what stalkerware does is it gives you this access. So, you may ask, how does it work? The way stalkerware works is that it's a commercially available program, which an abuser purchases, installs on the device that they want to spy on, usually because they have physical access or they can trick their target into installing it themselves, by saying, you know,
"This is a very important program you should install on your device." And then they pay the stalkerware company for access to a portal, which gives them all of the information from that device. And you're usually paying something like 40 bucks a month. So this kind of spying is remarkably cheap.
Do these companies know that their tools are being used as tools of abuse? Absolutely. If you take a look at the marketing copy for Cocospy, which is one of these products, it says right there on the website that Cocospy allows you to spy on your wife with ease, "You do not have to worry about where she goes, who she talks to or what websites she visits." So that's creepy.
HelloSpy, which is another such product, had a marketing page in which they spent most of their copy talking about the prevalence of cheating and how important it is to catch your partner cheating, including this fine picture of a man who has clearly just caught his partner cheating and has beaten her.
She has a black eye, there is blood on her face. And I don't think that there is really a lot of question about whose side HelloSpy is on in this particular case. And who they're trying to sell their product to.
It turns out that if you have stalkerware on your computer or on your phone, it can be really difficult to know whether or not it's there. And one of the reasons for that is because antivirus companies often don't recognize stalkerware as malicious.
They don't recognize it as a Trojan or as any of the other stuff that you would normally find that they would warn you about. These are some results from earlier this year from VirusTotal.
I think that for one sample that I looked at I had something like a result of seven out of 60 of the platforms recognized the stalkerware that I was testing. And here is another one where I managed to get 10, 10 out of 61. So this is still some very bad results.
I have managed to convince a couple of antivirus companies to start marking stalkerware as malicious. So that all you have to do if you're worried about having this stuff on your computer is you download the program, you run a scan and it tells you "Hey, there's some potentially unwanted program on your device."
It gives you the option of removing it, but it does not remove it automatically. And one of the reasons for that is because of the way that abuse works. Frequently, victims of abuse aren't sure whether or not they want to tip off their abuser by cutting off their access. Or they're worried that their abuser is going to escalate to violence or perhaps even greater violence than they've already been engaging in.
Kaspersky was one of the very first companies that said that they were going to start taking this seriously. And in November of this year, they issued a report in which they said that since they started tracking stalkerware among their users that they had seen an increase of 35 percent.
Likewise, Lookout came out with a statement saying that they were going to take this much more seriously. And finally, a company called Malwarebytes also put out such a statement and said that they had found 2,500 programs in the time that they had been looking, which could be classified as stalkerware.
Finally, in November I helped to launch a coalition called the Coalition Against Stalkerware, made up of academics, people who are doing this sort of thing on the ground -- the practitioners of helping people to escape from intimate partner violence -- and antivirus companies.
And our goal is both to educate people about these programs, but also to convince the antivirus companies to change the norm in how they act around this very scary software, so that soon, if I get up in front of you and I talk to you about this next year, I could tell you that the problem has been solved, and all you have to do is download any antivirus and it is considered normal for it to detect stalkerware. That is my hope.
Thank you very much.
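The talk's advice to check an account's security tab for which devices are logged in and from where can be turned into a repeatable review. The Python below is an added example, not code from the talk or the EFF: it runs over a constructed login-activity list and flags unknown device labels, cities the owner has not been in, and two active sessions from different cities too close together to be one traveller. The record format, device labels and cities are assumptions; real exports from Facebook, Google and the like use different field names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    when: datetime    # session start, UTC
    device: str       # device label as the account's security tab shows it
    location: str     # city the service geolocated the session to
    active: bool      # session still holds a valid token


# Constructed sample resembling a "where you're logged in" list (not real data).
SAMPLE_LOGINS = [
    Login(datetime(2019, 12, 9, 8, 15), "iPhone (Safari)", "La Quinta, CA", True),
    Login(datetime(2019, 12, 9, 9, 2), "MacBook (Chrome)", "La Quinta, CA", True),
    Login(datetime(2019, 12, 9, 9, 40), "Windows PC (Firefox)", "Dubai, AE", True),
    Login(datetime(2019, 12, 7, 22, 5), "iPhone (Safari)", "La Quinta, CA", False),
]
KNOWN_DEVICES = {"iPhone (Safari)", "MacBook (Chrome)"}   # assumed owner's devices
KNOWN_LOCATIONS = {"La Quinta, CA"}                       # assumed owner's whereabouts


def review_logins(logins, known_devices, known_locations, window=timedelta(hours=2)):
    """Return (login, reason) pairs that deserve a closer look.
    Mirrors what you would do by eye in the security tab: flag a device label
    you do not recognise, a city you have not been in, and two active sessions
    from different cities inside `window` (no single traveller produces both)."""
    findings = []
    for entry in logins:
        if entry.device not in known_devices:
            findings.append((entry, "unknown device"))
        if entry.location not in known_locations:
            findings.append((entry, "unexpected location"))
    active = sorted((e for e in logins if e.active), key=lambda e: e.when)
    for earlier, later in zip(active, active[1:]):
        if earlier.location != later.location and later.when - earlier.when <= window:
            findings.append((later, f"active alongside session in {earlier.location}"))
    return findings


def sessions_to_terminate(logins, known_devices, known_locations):
    """Flagged sessions that are still active: end these, then change the
    password and turn on two-factor authentication so old tokens stop working."""
    flagged = {e for e, _ in review_logins(logins, known_devices, known_locations)}
    return sorted((e for e in flagged if e.active), key=lambda e: e.when)


if __name__ == "__main__":
    for entry, why in review_logins(SAMPLE_LOGINS, KNOWN_DEVICES, KNOWN_LOCATIONS):
        print(f"{entry.when:%Y-%m-%d %H:%M}  {entry.device:<22} {entry.location:<14} {why}")
```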