Eva Galperin: What you need to know about stalkerware

Speaker: Eva Galperin


Transcript
I want you to travel back in time with me, to the before time, to 2017. I don't know if you can remember it; dinosaurs were roaming the earth. I was a security researcher. I had spent about five or six years doing research on the ways in which APTs, which is short for advanced persistent threats, which stands for nation-state actors, spy on journalists and activists and lawyers and scientists and just generally people who speak truth to power. And I'd been doing this for a while when I discovered that one of my fellow researchers, with whom I had been doing this all this time, was allegedly a serial rapist.
So the first thing that I did was I read a bunch of articles about this. And in January of 2018, I read an article with some of his alleged victims. And one of the things that really struck me about this article is how scared they were. They were really frightened; they had, you know, tape over the cameras on their phones and on their laptops, and what they were worried about was that he was a hacker and he was going to hack into their stuff and he was going to ruin their lives. And this had kept them silent for a really long time.

So, I was furious. And I didn't want anyone to ever feel that way again. So I did what I usually do when I'm angry: I tweeted.

(Laughter)

And the thing that I tweeted was that if you are a woman who has been sexually abused by a hacker and that hacker has threatened to break into your devices, you could contact me and I would try to make sure that your device got a full, sort of, forensic look over. And then I went to lunch.

(Laughter)

Ten thousand retweets later,

(Laughter)

I had accidentally started a project.
So every morning, I woke up and my mailbox was full. It was full of the stories of men and women telling me the worst thing that had ever happened to them. I was contacted by women who were being spied on by men, by men who were being spied on by men, by women who were being spied on by women, but the vast majority of the people contacting me were women who had been sexually abused by men who were now spying on them. The one particularly interesting case involved a man who came to me because his boyfriend had outed him as gay to his extremely conservative Korean family. So this is not just a men-spying-on-women issue. And I'm here to share what I learned from this experience.
What I learned is that data leaks. It's like water. It gets in places you don't want it. Humans leak. Your friends give away information about you. Your family gives away information about you. You go to a party, somebody tags you as having been there. And this is one of the ways in which abusers pick up information about you that you don't otherwise want them to know. It is not uncommon for abusers to go to friends and family and ask for information about their victims under the guise of being concerned about their "mental health."
A form of leak that I saw was actually what we call account compromise. So your Gmail account, your Twitter account, your Instagram account, your iCloud, your Apple ID, your Netflix, your TikTok -- I had to figure out what a TikTok was. If it had a login, I saw it compromised. And the reason for that is because your abuser is not always your abuser. It is really common for people in relationships to share passwords. Furthermore, people who are intimate, who know a lot about each other, can guess each other's security questions. Or they can look over each other's shoulders to see what code they're using in order to lock their phones. They frequently have physical access to the phone, or they have physical access to the laptop. And this gives them a lot of opportunity to do things to people's accounts, which is very dangerous.
The good news is that we have advice for people to lock down their accounts. This advice already exists, and it comes down to this: Use strong, unique passwords for all of your accounts. Use more strong, unique passwords as the answers to your security questions, so that somebody who knows the name of your childhood pet can't reset your password. And finally, turn on the highest level of two-factor authentication that you're comfortable using, so that even if an abuser manages to steal your password, because they don't have the second factor, they will not be able to log into your account.
The other thing that you should do is take a look at the security and privacy tabs for most of your accounts. Most accounts have a security or privacy tab that tells you what devices are logging in, and it tells you where they're logging in from. For example, here I am, logging in to Facebook from the La Quinta, where we are having this meeting, and if, for example, I took a look at my Facebook logins and I saw somebody logging in from Dubai, I would find that suspicious, because I have not been to Dubai in some time.
But sometimes, it really is a RAT. If by RAT you mean remote access tool. And remote access tool is essentially what we mean when we say stalkerware. So one of the reasons why getting full access to your device is really tempting for governments is the same reason why getting full access to your device is tempting for abusive partners and former partners. We carry tracking devices around in our pockets all day long. We carry devices that contain all of our passwords, all of our communications, including our end-to-end encrypted communications. All of our emails, all of our contacts, all of our selfies are all in one place; often our financial information is also in this place. And so, full access to a person's phone is the next best thing to full access to a person's mind. And what stalkerware does is it gives you this access.
So, you may ask, how does it work? The way stalkerware works is that it's a commercially available program, which an abuser purchases, installs on the device that they want to spy on, usually because they have physical access, or they can trick their target into installing it themselves, by saying, you know, "This is a very important program you should install on your device." And then they pay the stalkerware company for access to a portal, which gives them all of the information from that device. And you're usually paying something like 40 bucks a month. So this kind of spying is remarkably cheap.
Do these companies know that their tools are being used as tools of abuse? Absolutely. If you take a look at the marketing copy for Cocospy, which is one of these products, it says right there on the website that Cocospy allows you to spy on your wife with ease: "You do not have to worry about where she goes, who she talks to or what websites she visits." So that's creepy. HelloSpy, which is another such product, had a marketing page in which they spent most of their copy talking about the prevalence of cheating and how important it is to catch your partner cheating, including this fine picture of a man who has clearly just caught his partner cheating and has beaten her. She has a black eye, there is blood on her face. And I don't think that there is really a lot of question about whose side HelloSpy is on in this particular case, and who they're trying to sell their product to.
It turns out that if you have stalkerware on your computer or on your phone, it can be really difficult to know whether or not it's there. And one of the reasons for that is because antivirus companies often don't recognize stalkerware as malicious. They don't recognize it as a Trojan or as any of the other stuff that you would normally find that they would warn you about. These are some results from earlier this year from VirusTotal. I think that for one sample that I looked at, I had a result of something like seven out of 60 of the platforms recognizing the stalkerware that I was testing. And here is another one where I managed to get 10, 10 out of 61. So these are still some very bad results.
I have managed to convince a couple of antivirus companies to start marking stalkerware as malicious. So that all you have to do, if you're worried about having this stuff on your computer, is you download the program, you run a scan and it tells you, "Hey, there's some potentially unwanted program on your device." It gives you the option of removing it, but it does not remove it automatically. And one of the reasons for that is because of the way that abuse works. Frequently, victims of abuse aren't sure whether or not they want to tip off their abuser by cutting off their access. Or they're worried that their abuser is going to escalate to violence, or perhaps even greater violence than they've already been engaging in.
Kaspersky was one of the very first companies that said that they were going to start taking this seriously. And in November of this year, they issued a report in which they said that since they started tracking stalkerware among their users, they had seen an increase of 35 percent. Likewise, Lookout came out with a statement saying that they were going to take this much more seriously. And finally, a company called Malwarebytes also put out such a statement and said that they had found 2,500 programs in the time that they had been looking which could be classified as stalkerware.
Finally, in November I helped to launch a coalition called the Coalition Against Stalkerware, made up of academics, people who are doing this sort of thing on the ground -- the practitioners of helping people to escape from intimate partner violence -- and antivirus companies. And our goal is both to educate people about these programs, but also to convince the antivirus companies to change the norm in how they act around this very scary software, so that soon, if I get up in front of you and I talk to you about this next year, I could tell you that the problem has been solved, and all you have to do is download any antivirus and it is considered normal for it to detect stalkerware. That is my hope. Thank you very much.

(Applause)
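The talk's advice to read the "where you're logged in" list and treat a login from Dubai as suspicious can be turned into a repeatable check. The following is an added example written for this page; it is not code from the talk or from any provider's security tab. The session records, device names and coordinates are constructed to resemble what such a tab shows, and the thresholds (the set of known devices and cities, and 1000 km/h as the fastest plausible travel between two logins) are assumptions a user would tune for themselves.

```python
"""Triage of an account's "where you're logged in" list.

Added example: not code from the talk or from any provider's security tab.
The Session records below are constructed to resemble what such a tab shows
(device name, city, time); coordinates are approximate and the thresholds
are assumptions a user would tune for themselves.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: nobody outruns a commercial flight


@dataclass(frozen=True)
class Session:
    device: str        # device label as the security tab reports it
    city: str
    lat: float
    lon: float
    when: datetime     # login time, UTC


def haversine_km(a: Session, b: Session) -> float:
    """Great-circle distance between two session locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def review_sessions(sessions, known_devices, known_cities):
    """Return [(session, [reason, ...])] for every session worth a closer look.

    Three checks, in the spirit of "I have not been to Dubai in some time":
    an unrecognised device, a city the owner has not been to, and travel
    between consecutive logins faster than MAX_PLAUSIBLE_KMH.
    """
    findings = []
    prev = None
    for s in sorted(sessions, key=lambda x: x.when):
        reasons = []
        if s.device not in known_devices:
            reasons.append(f"unrecognised device {s.device!r}")
        if s.city not in known_cities:
            reasons.append(f"login from {s.city}, not a place the owner has been")
        if prev is not None:
            km = haversine_km(prev, s)
            hours = (s.when - prev.when).total_seconds() / 3600
            # Two logins at the same instant from different places count as impossible.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_KMH:
                reasons.append(f"impossible travel: {km:.0f} km from {prev.city} in {hours:.1f} h")
        if reasons:
            findings.append((s, reasons))
        prev = s
    return findings


def _utc(*ymdhm):
    return datetime(*ymdhm, tzinfo=timezone.utc)


# Constructed sample data, not a real account's session list.
KNOWN_DEVICES = {"Eva's laptop", "Eva's phone"}
KNOWN_CITIES = {"San Francisco", "La Quinta"}
SESSIONS = [
    Session("Eva's laptop", "San Francisco", 37.77, -122.42, _utc(2019, 12, 1, 8, 0)),
    Session("Eva's phone", "La Quinta", 33.66, -116.31, _utc(2019, 12, 2, 17, 0)),
    Session("Windows PC", "Dubai", 25.20, 55.27, _utc(2019, 12, 2, 19, 0)),
]

if __name__ == "__main__":
    for session, reasons in review_sessions(SESSIONS, KNOWN_DEVICES, KNOWN_CITIES):
        print(f"{session.when:%Y-%m-%d %H:%M} {session.device} @ {session.city}")
        for r in reasons:
            print("   -", r)
```

On the sample list only the third session is reported, with all three reasons: an unknown device, a city the owner has never logged in from, and a jump of roughly 13,000 km in two hours. The impossible-travel check is the one that still fires when an abuser uses a familiar device name and a familiar city, which is why it is worth keeping alongside the simpler allowlists.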
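The talk's reason for turning on two-factor authentication is that a stolen or shared password is no longer enough on its own. The following added example, written for this page and not taken from the talk, shows what that second check looks like on the server side with a standard TOTP code (RFC 6238) using only the Python standard library. It uses the RFC's published SHA-1 test secret so the codes can be checked against the RFC's vectors; a real service stores a random per-user secret, and the `verify_login` function and its `password_ok` argument are assumptions about how a login handler would be structured.

```python
"""Server-side check of a password plus a TOTP second factor (RFC 6238).

Added example, not code from the talk. Standard library only. The RFC's own
SHA-1 test secret is used so the result can be checked against the published
vectors; a real account stores a random per-user secret. verify_login and its
password_ok argument are an assumed shape for a login handler.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_login(password_ok: bool, submitted_code: str, secret: bytes,
                 now: int, window: int = 1) -> bool:
    """Accept only if the password matched AND the code matches a nearby step.

    `window` tolerates one step of clock skew either way. Each comparison is
    constant time so a guessed code cannot be timed against the right one.
    """
    if not password_ok:
        return False
    current = now // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, step), submitted_code)
        for step in range(current - window, current + window + 1)
    )


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret
    now = 59                           # RFC test time; in practice int(time.time())
    print("authenticator shows:", totp(secret, now))                                   # 287082
    print("password only, guessed code:", verify_login(True, "000000", secret, now))   # False
    print("password + current code:", verify_login(True, totp(secret, now), secret, now))  # True
```

The point the talk makes is visible in the last two lines: a correct password with a guessed code is refused, and only someone holding the secret (in practice, the phone running the authenticator) can produce the code for the current step. The acceptance window is deliberately small; widening it makes skewed clocks happier and brute-forcing easier, so a service should also rate-limit code attempts.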