I want you to travel back in time with me, to the before time, to 2017. I don't know if you can remember it, dinosaurs were roaming the earth. I was a security researcher, I had spent about five or six years doing research on the ways in which APTs, which is short for advanced persistent threats, which stands for nation-state actors, spy on journalists and activists and lawyers and scientists and just generally people who speak truth to power.
And I'd been doing this for a while when I discovered that one of my fellow researchers, with whom I had been doing this all this time, was allegedly a serial rapist. So the first thing that I did was I read a bunch of articles about this. And in January of 2018, I read an article with some of his alleged victims. And one of the things that really struck me about this article is how scared they were. They were really frightened, they had, you know, tape over the cameras on their phones and on their laptops, and what they were worried about was that he was a hacker and he was going to hack into their stuff and he was going to ruin their lives. And this had kept them silent for a really long time.
So, I was furious. And I didn't want anyone to ever feel that way again. So I did what I usually do when I'm angry: I tweeted.
(Laughter)
And the thing that I tweeted was that if you are a woman who has been sexually abused by a hacker and that hacker has threatened to break into your devices, that you could contact me and I would try to make sure that your device got a full, sort of, forensic look over. And then I went to lunch.
(Laughter)
Ten thousand retweets later,
(Laughter)
I had accidentally started a project.
So every morning, I woke up and my mailbox was full. It was full of the stories of men and women telling me the worst thing that had ever happened to them. I was contacted by women who were being spied on by men, by men who were being spied on by men, by women who were being spied on by women, but the vast majority of the people contacting me were women who had been sexually abused by men who were now spying on them. One particularly interesting case involved a man who came to me, because his boyfriend had outed him as gay to his extremely conservative Korean family. So this is not just a men-spying-on-women issue.
And I'm here to share what I learned from this experience. What I learned is that data leaks. It's like water. It gets in places you don't want it. Human leaks. Your friends give away information about you. Your family gives away information about you. You go to a party, somebody tags you as having been there. And this is one of the ways in which abusers pick up information about you that you don't otherwise want them to know. It is not uncommon for abusers to go to friends and family and ask for information about their victims under the guise of being concerned about their "mental health."
A form of leak that I saw was actually what we call account compromise. So your Gmail account, your Twitter account, your Instagram account, your iCloud, your Apple ID, your Netflix, your TikTok -- I had to figure out what a TikTok was. If it had a login, I saw it compromised.
And the reason for that is because your abuser is not always your abuser. It is really common for people in relationships to share passwords. Furthermore, people who are intimate, who know a lot about each other, can guess each other's security questions. Or they can look over each other's shoulders to see what code they're using in order to lock their phones. They frequently have physical access to the phone, or they have physical access to the laptop. And this gives them a lot of opportunity to do things to people's accounts, which is very dangerous.
The good news is that we have advice for people to lock down their accounts. This advice already exists, and it comes down to this: Use strong, unique passwords for all of your accounts. Use more strong, unique passwords as the answers to your security questions, so that somebody who knows the name of your childhood pet can't reset your password. And finally, turn on the highest level of two-factor authentication that you're comfortable using. So that even if an abuser manages to steal your password, because they don't have the second factor, they will not be able to log into your account.
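The three pieces of advice above (a strong unique password, a random string rather than a real fact as the security-question answer, and a second factor) can be shown working together in a small login check. This is an added example, not code from the talk or from any product it mentions: the user record, salt, TOTP seed and password are constructed for the demo, the TOTP routine follows RFC 6238 with HMAC-SHA1 and 30-second steps as authenticator apps do, and `verify_login` only succeeds when both the password and the current code are right, so a password that has been shared or guessed is not enough on its own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values: in a real service the salt, password hash, security
# answer hash and TOTP seed would live in a database. None of these are real.
_DEMO_SALT = b"demo-salt-for-this-example-only"
_DEMO_TOTP_SECRET = base64.b32encode(b"example-totp-seed!!").decode()  # hypothetical seed


def hash_password(password: str, salt: bytes = _DEMO_SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 with a modest iteration count so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple"),
        # The security answer is a random string, not the childhood pet's name,
        # so someone who knows that name cannot use the password-reset flow.
        "security_answer_hash": hashlib.sha256(b"q7Lm-2xVp-9zRd").digest(),
        "totp_secret": _DEMO_TOTP_SECRET,
    }
}


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code and one step either side to absorb clock drift."""
    if not code:
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def verify_login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass: a stolen or shared password alone is rejected."""
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if now is None else now
    password_ok = hmac.compare_digest(user["password_hash"], hash_password(password))
    code_ok = verify_totp(user["totp_secret"], code, now)
    return password_ok and code_ok


def verify_security_answer(username: str, answer: str) -> bool:
    """Reset-flow check; only the random answer, not a guessable fact, matches."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["security_answer_hash"], hashlib.sha256(answer.encode()).digest())


if __name__ == "__main__":
    t = 1700000000  # fixed timestamp so the run is reproducible
    code = totp(USERS["alice"]["totp_secret"], t)
    print("password + code :", verify_login("alice", "correct horse battery staple", code, t))
    print("password only   :", verify_login("alice", "correct horse battery staple", "", t))
    print("pet name as answer:", verify_security_answer("alice", "Fluffy"))
```

Both comparisons use `hmac.compare_digest` so the check does not leak timing information, and the TOTP window is deliberately narrow (one step either side): widening it makes an intercepted code useful for longer.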
The other thing that you should do is you should take a look at the security and privacy tabs for most of your accounts. Most accounts have a security or privacy tab that tells you what devices are logging in, and it tells you where they're logging in from. For example, here I am, logging in to Facebook from the La Quinta, where we are having this meeting, and if, for example, I took a look at my Facebook logins and I saw somebody logging in from Dubai, I would find that suspicious, because I have not been to Dubai in some time.
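The review described above, done by hand on a security tab, can also be automated over an exported list of logins. This is an added example, not code from the talk or from any platform it names: the login records, the known devices and cities, and the 1000 km/h travel-speed threshold are all constructed assumptions. It flags a login for an unrecognised device, for a location outside the user's usual ones, and for "impossible travel" (two logins too far apart for the time between them), and goes slightly beyond the talk's single Dubai case by applying the same checks to every record.

```python
import math
from datetime import datetime, timezone

# Constructed sample of "where you are logged in" data: time, device, city and
# approximate coordinates. The values are made up for this example.
LOGINS = [
    {"time": "2019-12-10T09:00:00Z", "device": "iPhone", "city": "Oakland", "lat": 37.80, "lon": -122.27},
    {"time": "2019-12-10T13:30:00Z", "device": "MacBook", "city": "La Quinta", "lat": 33.66, "lon": -116.31},
    {"time": "2019-12-10T14:05:00Z", "device": "Windows PC", "city": "Dubai", "lat": 25.20, "lon": 55.27},
    {"time": "2019-12-11T08:00:00Z", "device": "iPhone", "city": "La Quinta", "lat": 33.66, "lon": -116.31},
]

KNOWN_DEVICES = {"iPhone", "MacBook"}       # assumed: devices the owner recognises
KNOWN_CITIES = {"Oakland", "La Quinta"}     # assumed: places the owner has actually been
MAX_PLAUSIBLE_KMH = 1000.0                  # assumed: faster than any realistic journey
GEO_FUZZ_KM = 50.0                          # ignore jitter in IP geolocation


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_logins(logins, known_devices, known_cities, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return [(login, [reasons])] for every login that deserves a second look."""
    flagged = []
    prev = None
    for entry in sorted(logins, key=lambda e: parse_time(e["time"])):
        reasons = []
        if entry["device"] not in known_devices:
            reasons.append("unrecognised device")
        if entry["city"] not in known_cities:
            reasons.append("unexpected location")
        if prev is not None:
            hours = (parse_time(entry["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], entry["lat"], entry["lon"])
            # Two logins far apart with no time to travel between them cannot
            # both be the account owner; small distances are geolocation noise.
            if km > GEO_FUZZ_KM and (hours == 0 or km / hours > max_kmh):
                reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h from {prev['city']}")
        if reasons:
            flagged.append((entry, reasons))
        prev = entry
    return flagged


if __name__ == "__main__":
    for login, reasons in review_logins(LOGINS, KNOWN_DEVICES, KNOWN_CITIES):
        print(f"{login['time']} {login['device']:<10} {login['city']:<10} -> {'; '.join(reasons)}")
```

On the sample data only the Dubai login is flagged, on all three grounds. A flag is a prompt to check, not proof of compromise: the sensible response is to review the session list, end sessions you do not recognise, and then change the password and confirm the second factor is on.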
But sometimes, it really is a RAT, if by RAT you mean remote access tool. And remote access tool is essentially what we mean when we say stalkerware. So one of the reasons why getting full access to your device is really tempting for governments is the same reason why getting full access to your device is tempting for abusive partners and former partners.
We carry tracking devices around in our pockets all day long. We carry devices that contain all of our passwords, all of our communications, including our end-to-end encrypted communications. All of our emails, all of our contacts, all of our selfies are all in one place, often our financial information is also in this place. And so, full access to a person's phone is the next best thing to full access to a person's mind.
And what stalkerware does is it gives you this access. So, you may ask, how does it work? The way stalkerware works is that it's a commercially available program, which an abuser purchases, installs on the device that they want to spy on, usually because they have physical access or they can trick their target into installing it themselves, by saying, you know, "This is a very important program you should install on your device." And then they pay the stalkerware company for access to a portal, which gives them all of the information from that device. And you're usually paying something like 40 bucks a month. So this kind of spying is remarkably cheap.
Do these companies know that their tools are being used as tools of abuse? Absolutely. If you take a look at the marketing copy for Cocospy, which is one of these products, it says right there on the website that Cocospy allows you to spy on your wife with ease, "You do not have to worry about where she goes, who she talks to or what websites she visits." So that's creepy.
HelloSpy, which is another such product, had a marketing page in which they spent most of their copy talking about the prevalence of cheating and how important it is to catch your partner cheating, including this fine picture of a man who has clearly just caught his partner cheating and has beaten her. She has a black eye, there is blood on her face. And I don't think that there is really a lot of question about whose side HelloSpy is on in this particular case. And who they're trying to sell their product to.
It turns out that if you have stalkerware on your computer or on your phone, it can be really difficult to know whether or not it's there. And one of the reasons for that is because antivirus companies often don't recognize stalkerware as malicious. They don't recognize it as a Trojan or as any of the other stuff that you would normally find that they would warn you about. These are some results from earlier this year from VirusTotal. I think that for one sample that I looked at, I had a result of something like seven out of 60 of the platforms recognizing the stalkerware that I was testing. And here is another one where I managed to get 10, 10 out of 61. So these are still some very bad results.
I have managed to convince a couple of antivirus companies to start marking stalkerware as malicious. So that all you have to do if you're worried about having this stuff on your computer is you download the program, you run a scan and it tells you "Hey, there's some potentially unwanted program on your device." It gives you the option of removing it, but it does not remove it automatically. And one of the reasons for that is because of the way that abuse works. Frequently, victims of abuse aren't sure whether or not they want to tip off their abuser by cutting off their access. Or they're worried that their abuser is going to escalate to violence or perhaps even greater violence than they've already been engaging in.
Kaspersky was one of the very first companies that said that they were going to start taking this seriously. And in November of this year, they issued a report in which they said that since they started tracking stalkerware among their users that they had seen an increase of 35 percent. Likewise, Lookout came out with a statement saying that they were going to take this much more seriously. And finally, a company called Malwarebytes also put out such a statement and said that they had found 2,500 programs in the time that they had been looking, which could be classified as stalkerware.
Finally, in November I helped to launch a coalition called the Coalition Against Stalkerware, made up of academics, people who are doing this sort of thing on the ground -- the practitioners of helping people to escape from intimate partner violence -- and antivirus companies. And our goal is both to educate people about these programs, but also to convince the antivirus companies to change the norm in how they act around this very scary software, so that soon, if I get up in front of you and I talk to you about this next year, I could tell you that the problem has been solved, and all you have to do is download any antivirus and it is considered normal for it to detect stalkerware. That is my hope.
Thank you very much.
(Applause)