I want you to travel back in time with me, to the before time, to 2017. I don't know if you can remember it, dinosaurs were roaming the earth. I was a security researcher, I had spent about five or six years doing research on the ways in which APTs, which is short for advanced persistent threats, which stands for nation-state actors, spy on journalists and activists and lawyers and scientists and just generally people who speak truth to power.
And I'd been doing this for a while when I discovered that one of my fellow researchers, with whom I had been doing this all this time, was allegedly a serial rapist. So the first thing that I did was I read a bunch of articles about this. And in January of 2018, I read an article with some of his alleged victims. And one of the things that really struck me about this article is how scared they were. They were really frightened, they had, you know, tape over the cameras on their phones and on their laptops, and what they were worried about was that he was a hacker and he was going to hack into their stuff and he was going to ruin their lives. And this had kept them silent for a really long time.
So, I was furious. And I didn't want anyone to ever feel that way again. So I did what I usually do when I'm angry: I tweeted.
(Laughter)
And the thing that I tweeted was that if you are a woman who has been sexually abused by a hacker and that hacker has threatened to break into your devices, that you could contact me and I would try to make sure that your device got a full, sort of, forensic look over. And then I went to lunch.
(Laughter)
Ten thousand retweets later,
(Laughter)
I had accidentally started a project.
So every morning, I woke up and my mailbox was full. It was full of the stories of men and women telling me the worst thing that had ever happened to them. I was contacted by women who were being spied on by men, by men who were being spied on by men, by women who were being spied on by women, but the vast majority of the people contacting me were women who had been sexually abused by men who were now spying on them. One particularly interesting case involved a man who came to me, because his boyfriend had outed him as gay to his extremely conservative Korean family. So this is not just a men-spying-on-women issue.
And I'm here to share what I learned from this experience. What I learned is that data leaks. It's like water. It gets in places you don't want it. Humans leak. Your friends give away information about you. Your family gives away information about you. You go to a party, somebody tags you as having been there. And this is one of the ways in which abusers pick up information about you that you don't otherwise want them to know. It is not uncommon for abusers to go to friends and family and ask for information about their victims under the guise of being concerned about their "mental health."
A form of leak that I saw was actually what we call account compromise. So your Gmail account, your Twitter account, your Instagram account, your iCloud, your Apple ID, your Netflix, your TikTok -- I had to figure out what a TikTok was. If it had a login, I saw it compromised.
And the reason for that is because your abuser is not always your abuser. It is really common for people in relationships to share passwords. Furthermore, people who are intimate, who know a lot about each other, can guess each other's security questions. Or they can look over each other's shoulders to see what code they're using in order to lock their phones. They frequently have physical access to the phone, or they have physical access to the laptop. And this gives them a lot of opportunity to do things to people's accounts, which is very dangerous.
The good news is that we have advice for people to lock down their accounts. This advice already exists, and it comes down to this: Use strong, unique passwords for all of your accounts. Use more strong, unique passwords as the answers to your security questions, so that somebody who knows the name of your childhood pet can't reset your password. And finally, turn on the highest level of two-factor authentication that you're comfortable using. So that even if an abuser manages to steal your password, because they don't have the second factor, they will not be able to log into your account.
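The account-hardening advice above, worked through as an added example that is not part of the talk: a small Python audit over a constructed list of accounts that flags reused passwords, low-entropy passwords and accounts with no second factor, plus a generator for random security-question answers of the kind a password manager would store. The sample entries, the character-class entropy heuristic and the 60-bit threshold are assumptions made for the example.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample entries: (account, password, second_factor_enabled).
# Not real credentials; they exist only to exercise the audit.
SAMPLE_VAULT = [
    ("gmail", "Tr0ub4dor&3", False),
    ("twitter", "Tr0ub4dor&3", True),       # same password as gmail: reuse
    ("instagram", "fluffy2009", False),     # pet name plus year: guessable by an intimate
    ("icloud", "correct horse battery staple chorus", True),
]


def estimate_entropy_bits(password):
    """Crude strength estimate: length * log2(size of the character classes used).

    Overestimates dictionary words and patterns; it is a heuristic, not a cracker model.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation or c == " " for c in password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def audit_vault(vault, min_bits=60):
    """Return sorted (account, finding) pairs; finding is 'weak', 'reused' or 'no-2fa'."""
    findings = []
    accounts_by_password = defaultdict(list)
    for account, password, second_factor in vault:
        accounts_by_password[password].append(account)
        if estimate_entropy_bits(password) < min_bits:
            findings.append((account, "weak"))
        if not second_factor:
            findings.append((account, "no-2fa"))
    # A password shared by two or more accounts lets one compromise unlock the rest.
    for accounts in accounts_by_password.values():
        if len(accounts) > 1:
            findings.extend((account, "reused") for account in accounts)
    return sorted(findings)


def random_security_answer(length=20):
    """A random string to record as the 'answer' to a security question, so that
    knowing the real childhood pet's name does not let someone reset the password."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for account, finding in audit_vault(SAMPLE_VAULT):
        print(f"{account}: {finding}")
    print("example security answer:", random_security_answer())
```

Run as a script it lists the three problem accounts from the sample (gmail: reused and no second factor, instagram: weak and no second factor, twitter: reused) and prints one freshly generated answer; `secrets` rather than `random` is used because the answer functions as a second password.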
The other thing that you should do is you should take a look at the security and privacy tabs for most of your accounts. Most accounts have a security or privacy tab that tells you what devices are logging in, and it tells you where they're logging in from. For example, here I am, logging in to Facebook from the La Quinta, where we are having this meeting, and if for example, I took a look at my Facebook logins and I saw somebody logging in from Dubai, I would find that suspicious, because I have not been to Dubai in some time.
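The login review described above, as an added example that is not part of the talk: a Python routine that reads a constructed list of login records of the kind an account's security tab shows (time, city, device), flags cities and devices the owner does not recognise, and additionally flags "impossible travel", two logins too far apart for the time between them. The sample logins, the city coordinates and the 1000 km/h plausibility ceiling are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class Login:
    when: datetime
    city: str
    device: str


# Constructed approximate coordinates (latitude, longitude) for the cities in the sample.
CITY_COORDS = {
    "Berkeley": (37.87, -122.27),
    "San Francisco": (37.77, -122.42),
    "Dubai": (25.20, 55.27),
}

# Constructed sample of what an account's "where you're logged in" page might list.
SAMPLE_LOGINS = [
    Login(datetime(2019, 12, 10, 9, 0), "Berkeley", "iPhone"),
    Login(datetime(2019, 12, 10, 13, 30), "San Francisco", "MacBook"),
    Login(datetime(2019, 12, 10, 15, 0), "Dubai", "Android phone"),
]
KNOWN_CITIES = {"Berkeley", "San Francisco"}
KNOWN_DEVICES = {"iPhone", "MacBook"}

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # about airliner speed; faster means two different people


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def review_logins(logins, known_cities, known_devices, coords=CITY_COORDS,
                  max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (timestamp, kind, detail) alerts; kind is 'location', 'device' or 'travel'."""
    alerts = []
    ordered = sorted(logins, key=lambda login: login.when)
    for i, login in enumerate(ordered):
        if login.city not in known_cities:
            alerts.append((login.when, "location", f"login from unfamiliar city {login.city}"))
        if login.device not in known_devices:
            alerts.append((login.when, "device", f"login from unfamiliar device {login.device}"))
        # Travel check needs a previous login and coordinates for both cities.
        if i == 0 or login.city not in coords or ordered[i - 1].city not in coords:
            continue
        prev = ordered[i - 1]
        hours = (login.when - prev.when).total_seconds() / 3600
        km = haversine_km(coords[prev.city], coords[login.city])
        # Two logins farther apart than the elapsed time allows cannot both be the owner.
        if km > 0 and km > hours * max_speed_kmh:
            alerts.append((login.when, "travel",
                           f"{prev.city} -> {login.city}, {km:.0f} km in {hours:.1f} h"))
    return alerts


if __name__ == "__main__":
    for when, kind, detail in review_logins(SAMPLE_LOGINS, KNOWN_CITIES, KNOWN_DEVICES):
        print(f"{when:%Y-%m-%d %H:%M} [{kind}] {detail}")
```

On the sample, the Berkeley and San Francisco logins pass quietly and the Dubai login produces three alerts (unfamiliar city, unfamiliar device, and a San Francisco to Dubai hop of roughly 13,000 km in an hour and a half). Real security tabs report IP-derived locations that can be off by a city or a country, so the location and device alerts are prompts to look closer rather than proof of compromise; the travel check is the one that is hard to explain away.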
But sometimes, it really is a RAT. If by RAT you mean remote access tool. And remote access tool is essentially what we mean when we say stalkerware. So one of the reasons why getting full access to your device is really tempting for governments is the same reason why getting full access to your device is tempting for abusive partners and former partners.
We carry tracking devices around in our pockets all day long. We carry devices that contain all of our passwords, all of our communications, including our end-to-end encrypted communications. All of our emails, all of our contacts, all of our selfies are all in one place, often our financial information is also in this place. And so, full access to a person's phone is the next best thing to full access to a person's mind.
And what stalkerware does is it gives you this access. So, you may ask, how does it work? The way stalkerware works is that it's a commercially available program, which an abuser purchases, installs on the device that they want to spy on, usually because they have physical access or they can trick their target into installing it themselves, by saying, you know, "This is a very important program you should install on your device." And then they pay the stalkerware company for access to a portal, which gives them all of the information from that device. And you're usually paying something like 40 bucks a month. So this kind of spying is remarkably cheap.
Do these companies know that their tools are being used as tools of abuse? Absolutely. If you take a look at the marketing copy for Cocospy, which is one of these products, it says right there on the website that Cocospy allows you to spy on your wife with ease, "You do not have to worry about where she goes, who she talks to or what websites she visits." So that's creepy.
HelloSpy, which is another such product, had a marketing page in which they spent most of their copy talking about the prevalence of cheating and how important it is to catch your partner cheating, including this fine picture of a man who has clearly just caught his partner cheating and has beaten her. She has a black eye, there is blood on her face. And I don't think that there is really a lot of question about whose side HelloSpy is on in this particular case. And who they're trying to sell their product to.
It turns out that if you have stalkerware on your computer or on your phone, it can be really difficult to know whether or not it's there. And one of the reasons for that is because antivirus companies often don't recognize stalkerware as malicious. They don't recognize it as a Trojan or as any of the other stuff that you would normally find that they would warn you about. These are some results from earlier this year from VirusTotal. I think that for one sample that I looked at, something like seven out of 60 of the platforms recognized the stalkerware that I was testing. And here is another one where I managed to get 10, 10 out of 61. So these are still some very bad results.
I have managed to convince a couple of antivirus companies to start marking stalkerware as malicious. So that all you have to do if you're worried about having this stuff on your computer is you download the program, you run a scan and it tells you "Hey, there's some potentially unwanted program on your device." It gives you the option of removing it, but it does not remove it automatically. And one of the reasons for that is because of the way that abuse works. Frequently, victims of abuse aren't sure whether or not they want to tip off their abuser by cutting off their access. Or they're worried that their abuser is going to escalate to violence or perhaps even greater violence than they've already been engaging in.
Kaspersky was one of the very first companies that said that they were going to start taking this seriously. And in November of this year, they issued a report in which they said that since they started tracking stalkerware among their users that they had seen an increase of 35 percent. Likewise, Lookout came out with a statement saying that they were going to take this much more seriously. And finally, a company called Malwarebytes also put out such a statement and said that they had found 2,500 programs in the time that they had been looking, which could be classified as stalkerware.
Finally, in November I helped to launch a coalition called the Coalition Against Stalkerware, made up of academics, people who are doing this sort of thing on the ground -- the practitioners of helping people to escape from intimate partner violence -- and antivirus companies. And our goal is both to educate people about these programs, but also to convince the antivirus companies to change the norm in how they act around this very scary software, so that soon, if I get up in front of you and I talk to you about this next year, I could tell you that the problem has been solved, and all you have to do is download any antivirus and it is considered normal for it to detect stalkerware. That is my hope.
Thank you very much.
(Applause)