
What you need to know about stalkerware

Source: 可可英语   Editor: max

I want you to travel back in time with me, to the before time, to 2017.
I don't know if you can remember it; dinosaurs were roaming the earth.
I was a security researcher. I had spent about five or six years doing research on the ways in which APTs,
which is short for advanced persistent threats, which stands for nation-state actors,
spy on journalists and activists and lawyers and scientists and just generally people who speak truth to power.
And I'd been doing this for a while when I discovered that one of my fellow researchers,
with whom I had been doing this all this time, was allegedly a serial rapist.
So the first thing that I did was I read a bunch of articles about this.
And in January of 2018, I read an article with some of his alleged victims.
And one of the things that really struck me about this article is how scared they were.
They were really frightened; they had, you know, tape over the cameras on their phones and on their laptops,
and what they were worried about was that he was a hacker
and he was going to hack into their stuff and he was going to ruin their lives.
And this had kept them silent for a really long time.
So, I was furious. And I didn't want anyone to ever feel that way again.
So I did what I usually do when I'm angry: I tweeted.
And the thing that I tweeted was that if you are a woman who has been sexually abused by a hacker
and that hacker has threatened to break into your devices,
you could contact me and I would try to make sure that your device got a full, sort of, forensic look over.
And then I went to lunch. Ten thousand retweets later, I had accidentally started a project.
So every morning, I woke up and my mailbox was full.
It was full of the stories of men and women telling me the worst thing that had ever happened to them.
I was contacted by women who were being spied on by men,
by men who were being spied on by men, by women who were being spied on by women,
but the vast majority of the people contacting me were women who had been sexually abused by men who were now spying on them.
One particularly interesting case involved a man who came to me
because his boyfriend had outed him as gay to his extremely conservative Korean family.
So this is not just a men-spying-on-women issue.
And I'm here to share what I learned from this experience. What I learned is that data leaks.
It's like water. It gets in places you don't want it. Humans leak.
Your friends give away information about you. Your family gives away information about you.
You go to a party, somebody tags you as having been there.
And this is one of the ways in which abusers pick up information about you that you don't otherwise want them to know.
It is not uncommon for abusers to go to friends and family and ask for information about their victims under the guise of being concerned about their "mental health."
A form of leak that I saw was actually what we call account compromise.
So your Gmail account, your Twitter account, your Instagram account, your iCloud, your Apple ID, your Netflix, your TikTok
(I had to figure out what a TikTok was). If it had a login, I saw it compromised.
And the reason for that is because your abuser is not always your abuser.
It is really common for people in relationships to share passwords.
Furthermore, people who are intimate, who know a lot about each other, can guess each other's security questions.
Or they can look over each other's shoulders to see what code they're using in order to lock their phones.
They frequently have physical access to the phone, or they have physical access to the laptop.
And this gives them a lot of opportunity to do things to people's accounts, which is very dangerous.
The good news is that we have advice for people to lock down their accounts.
This advice already exists, and it comes down to this: Use strong, unique passwords for all of your accounts.
Use more strong, unique passwords as the answers to your security questions,
so that somebody who knows the name of your childhood pet can't reset your password.
And finally, turn on the highest level of two-factor authentication that you're comfortable using,
so that even if an abuser manages to steal your password,
because they don't have the second factor, they will not be able to log into your account.
The other thing that you should do is you should take a look at the security and privacy tabs for most of your accounts.
Most accounts have a security or privacy tab that tells you what devices are logging in,
and it tells you where they're logging in from.
For example, here I am, logging in to Facebook from the La Quinta, where we are having this meeting,
and if, for example, I took a look at my Facebook logins and I saw somebody logging in from Dubai,
I would find that suspicious, because I have not been to Dubai in some time.

But sometimes it really is a RAT, if by RAT you mean remote access tool.
And a remote access tool is essentially what we mean when we say stalkerware.
So one of the reasons why getting full access to your device is really tempting for governments
is the same reason why getting full access to your device is tempting for abusive partners and former partners.
We carry tracking devices around in our pockets all day long.
We carry devices that contain all of our passwords, all of our communications, including our end-to-end encrypted communications.
All of our emails, all of our contacts, all of our selfies are all in one place,
and often our financial information is also in this place.
And so, full access to a person's phone is the next best thing to full access to a person's mind.
And what stalkerware does is it gives you this access.
So, you may ask, how does it work?
The way stalkerware works is that it's a commercially available program,
which an abuser purchases, installs on the device that they want to spy on,
usually because they have physical access, or they can trick their target into installing it themselves
by saying, you know, "This is a very important program you should install on your device."
And then they pay the stalkerware company for access to a portal, which gives them all of the information from that device.
And you're usually paying something like 40 bucks a month. So this kind of spying is remarkably cheap.
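An app that ships everything off the phone to a portal needs a recognisable set of privileges to do it, and it wants to stay installed and out of sight. The following is an added example, not code from the talk or from any product: a triage pass over an installed-app inventory that scores each app on those traits. The inventory is constructed sample data in a layout of my own (field names are assumptions), the package names are made up, and the permission names are abbreviated Android-style names; on a real phone you would fill the inventory from the app settings screens or an `adb` dump.

```python
"""Triage installed apps for the capability profile stalkerware needs.

Added example, not from the talk. Stalkerware is an ordinary app that has
to be able to read messages, location, audio and so on and send them to a
portal, and it wants to stay installed and out of sight. The inventory below
is constructed sample data in a layout of my own; the package names and
permission names are abbreviated Android-style names chosen for the example.
"""

# Permissions that let an app collect what the talk lists: messages,
# contacts, location, microphone, camera, which apps you use.
SURVEILLANCE_PERMISSIONS = {
    "READ_SMS", "READ_CALL_LOG", "READ_CONTACTS", "ACCESS_FINE_LOCATION",
    "RECORD_AUDIO", "CAMERA", "PACKAGE_USAGE_STATS",
}

# Constructed inventory (field names are an assumption, not a tool's output).
# "installer": None stands for an app that was not installed by an app store.
INSTALLED_APPS = [
    {"package": "com.example.weather", "label": "Weather",
     "has_launcher_icon": True, "installer": "com.android.vending",
     "device_admin": False, "accessibility_service": False,
     "permissions": {"ACCESS_FINE_LOCATION", "INTERNET"}},
    {"package": "com.example.messenger", "label": "Messenger",
     "has_launcher_icon": True, "installer": "com.android.vending",
     "device_admin": False, "accessibility_service": False,
     "permissions": {"READ_CONTACTS", "CAMERA", "RECORD_AUDIO", "INTERNET"}},
    {"package": "com.sysservice.update", "label": "System Service",
     "has_launcher_icon": False, "installer": None,
     "device_admin": True, "accessibility_service": True,
     "permissions": {"READ_SMS", "READ_CALL_LOG", "READ_CONTACTS",
                     "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "CAMERA",
                     "PACKAGE_USAGE_STATS", "INTERNET"}},
]


def score_app(app):
    """Return (score, reasons). Each reason is one stalkerware trait the app shows."""
    score, reasons = 0, []
    if not app["has_launcher_icon"]:
        score += 2
        reasons.append("no launcher icon (hidden from the app drawer)")
    if app["installer"] is None:
        score += 2
        reasons.append("sideloaded (not installed through an app store)")
    if app["device_admin"]:
        score += 2
        reasons.append("device administrator (can block its own uninstall)")
    if app["accessibility_service"]:
        score += 2
        reasons.append("accessibility service (can read what is on screen)")
    spy = sorted(app["permissions"] & SURVEILLANCE_PERMISSIONS)
    if len(spy) >= 3:
        score += len(spy)
        reasons.append(f"{len(spy)} surveillance permissions: {', '.join(spy)}")
    return score, reasons


def triage(apps, threshold=6):
    """Apps scoring at or above `threshold`, most suspicious first.

    This only reports. It deliberately does not uninstall anything, because
    the person holding the phone has to decide whether and when to do that.
    """
    hits = []
    for app in apps:
        score, reasons = score_app(app)
        if score >= threshold:
            hits.append((app["package"], score, reasons))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for package, score, reasons in triage(INSTALLED_APPS):
        print(f"{package} (score {score})")
        for r in reasons:
            print("  -", r)
```

A legitimate messenger also holds contacts, camera and microphone permissions, which is why a single trait scores low and only the combination (hidden, sideloaded, self-protecting, reading everything) crosses the threshold. The thresholds and weights are the example's own and should be tuned against the phone in front of you.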
Do these companies know that their tools are being used as tools of abuse? Absolutely.
If you take a look at the marketing copy for Cocospy, which is one of these products,
it says right there on the website that Cocospy allows you to spy on your wife with ease:
"You do not have to worry about where she goes, who she talks to or what websites she visits." So that's creepy.
HelloSpy, which is another such product,
had a marketing page in which they spent most of their copy talking about the prevalence of cheating
and how important it is to catch your partner cheating,
including this fine picture of a man who has clearly just caught his partner cheating and has beaten her.
She has a black eye, there is blood on her face.
And I don't think that there is really a lot of question about whose side HelloSpy is on in this particular case,
and who they're trying to sell their product to.
It turns out that if you have stalkerware on your computer or on your phone,
it can be really difficult to know whether or not it's there.
And one of the reasons for that is because antivirus companies often don't recognize stalkerware as malicious.
They don't recognize it as a Trojan or as any of the other stuff that they would normally warn you about.
These are some results from earlier this year from VirusTotal.
I think that for one sample that I looked at,
something like seven out of 60 of the platforms recognized the stalkerware that I was testing.
And here is another one where I managed to get 10 out of 61. So these are still some very bad results.
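A way to read multi-engine scan results like the ones quoted above, as an added example that is not from the talk. The two reports are constructed so that they have the shape of VirusTotal's v3 `last_analysis_results` (one entry per engine with a `category` and a `result` string); the engine names and verdict strings are made up, and the 7-of-60 and 10-of-61 counts simply mirror the figures given in the talk. Besides the headline ratio, the summary pulls out the verdicts that name monitoring software, since even a handful of detections usually tells you what kind of program you are looking at.

```python
"""Summarise a VirusTotal-style scan of a suspected stalkerware sample.

Added example, not from the talk. The reports here are constructed so that
they have the shape of VirusTotal's v3 `last_analysis_results` (one entry
per engine with a `category` and a `result` string); the engine names and
verdict strings are made up, and the 7-of-60 and 10-of-61 counts simply
mirror the figures quoted in the talk. No network access is needed.
"""
from collections import Counter

DETECTED_CATEGORIES = {"malicious", "suspicious"}
VERDICT_CATEGORIES = DETECTED_CATEGORIES | {"undetected", "harmless"}
# Words in a vendor verdict that say "monitoring software" rather than
# "generic malware". Low counts can still tell you what kind of thing it is.
STALKERWARE_WORDS = ("stalker", "spy", "monitor", "track")


def build_report(verdicts, n_engines):
    """Constructed report: the given verdicts, padded with 'undetected' engines."""
    report = {}
    for i, (category, result) in enumerate(verdicts):
        report[f"engine{i:02d}"] = {"category": category, "result": result}
    for i in range(len(verdicts), n_engines):
        report[f"engine{i:02d}"] = {"category": "undetected", "result": None}
    return report


SAMPLE_A = build_report([
    ("malicious", "Android.Monitor.Generic"),
    ("malicious", "PUA.Stalkerware.Spy"),
    ("malicious", "Trojan-Spy.AndroidOS.Agent"),
    ("malicious", "Riskware.Monitor.Agent"),
    ("malicious", "Generic.Malware"),
    ("suspicious", "Heuristic.Suspicious"),
    ("malicious", "AndroidOS/Track.Agent"),
], n_engines=60)

SAMPLE_B = build_report([("malicious", f"Spy.Variant{i}") for i in range(10)], n_engines=61)


def summarize(results, low_threshold=0.5):
    """Detection count, ratio and any verdicts that name monitoring software."""
    counts = Counter(entry["category"] for entry in results.values())
    scanned = sum(counts[c] for c in VERDICT_CATEGORIES)
    detected = sum(counts[c] for c in DETECTED_CATEGORIES)
    hints = sorted(
        f"{engine}: {entry['result']}"
        for engine, entry in results.items()
        if entry.get("result") and any(w in entry["result"].lower() for w in STALKERWARE_WORDS)
    )
    ratio = detected / scanned if scanned else 0.0
    return {
        "detected": detected,
        "scanned": scanned,
        "not_scanned": len(results) - scanned,   # timeouts, unsupported file types
        "ratio": ratio,
        "low_detection": scanned > 0 and ratio < low_threshold,
        "stalkerware_hints": hints,
    }


def describe(results):
    """One-line human summary of a report."""
    s = summarize(results)
    line = f"{s['detected']}/{s['scanned']} engines flagged it"
    if s["low_detection"]:
        line += " (low: most products would not warn the user)"
    if s["stalkerware_hints"]:
        line += "; verdicts naming monitoring software: " + "; ".join(s["stalkerware_hints"])
    return line


if __name__ == "__main__":
    print(describe(SAMPLE_A))
    print(describe(SAMPLE_B))
```

The "scanned" denominator counts only engines that returned a verdict; engines that timed out or do not handle the file type are reported separately rather than silently inflating the ratio. Whether a 12 percent detection rate is "low" is a judgement call, so the threshold is a parameter.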
I have managed to convince a couple of antivirus companies to start marking stalkerware as malicious,
so that all you have to do, if you're worried about having this stuff on your computer, is download the program,
run a scan, and it tells you, "Hey, there's some potentially unwanted program on your device."
It gives you the option of removing it, but it does not remove it automatically.
And one of the reasons for that is because of the way that abuse works.
Frequently, victims of abuse aren't sure whether or not they want to tip off their abuser by cutting off their access.
Or they're worried that their abuser is going to escalate to violence,
or perhaps even greater violence than they've already been engaging in.
Kaspersky was one of the very first companies that said that they were going to start taking this seriously.
And in November of this year, they issued a report in which they said that
since they started tracking stalkerware among their users they had seen an increase of 35 percent.
Likewise, Lookout came out with a statement saying that they were going to take this much more seriously.
And finally, a company called Malwarebytes also put out such a statement
and said that they had found 2,500 programs in the time that they had been looking, which could be classified as stalkerware.
Finally, in November I helped to launch a coalition called the Coalition Against Stalkerware,
made up of academics, people who are doing this sort of thing on the ground
(the practitioners of helping people to escape from intimate partner violence) and antivirus companies.
And our goal is both to educate people about these programs
and also to convince the antivirus companies to change the norm in how they act around this very scary software,
so that soon, if I get up in front of you and I talk to you about this next year,
I could tell you that the problem has been solved,
and all you have to do is download any antivirus and it is considered normal for it to detect stalkerware.
That is my hope. Thank you very much.
