|
|
AviRubin_2011X-_你所拥有的设备都能被骇_
|
| I'm a computer science professor, and my area of expertise is computer and information security. |
我是一个计算机科学教授 我的专业领域是 计算机与信息安全 |
|
computer science:n.计算机科学; expertise:n.专门知识;专门技术;专家的意见;
|
| When I was in graduate school , |
当我还在研究生院的时候 |
|
graduate school:研究所,研究院;
|
| I had the opportunity to overhear my grandmother describing to one of her fellow senior citizens what I did for a living. |
我有次听见了我祖母 向她的一位高龄同乡描述 我的工作。 |
|
overhear:vt.偶然听到;无意中听到 describing:v.描述;形容;把…称为;做…运动;(describe的现在分词) senior citizens:老人(尤指退休者);
|
| Apparently , I was in charge of making sure that no one stole the computers from the university. (Laughter) |
没想到,她说我的工作是确保 学校的计算机不被小偷偷走(笑声) |
|
Apparently:adv.显然地;似乎,表面上; in charge of:负责;主管;
|
| And, you know, that's a perfectly reasonable thing for her to think, because I told her I was working in computer security, and it was interesting to get her perspective . |
但你也会觉得她这么想是完全合理的 因为我告诉她我工作内容是 计算机安全, 但是能够得知她的观点真的很有趣。 |
|
reasonable:adj.合理的,公道的;通情达理的; perspective:n.观点;远景;透视图;adj.透视的;
|
| But that's not the most ridiculous thing I've ever heard anyone say about my work. |
但这并不是我所听过对我工作 最离谱的叙述。 |
|
ridiculous:adj.可笑的;荒谬的;
|
| The most ridiculous thing I ever heard is, |
我听过最谱奇的版本是, |
| I was at a dinner party , and a woman heard that I work in computer security, and she asked me if -- she said her computer had been infected by a virus, and she was very concerned that she |
我在一个晚宴上,然後有一位女士听说 我是负责计算机安全的, 于是她问我如果-她的电脑 感染了病毒,所以她十分担心自己 |
|
dinner party:晚宴; infected:adj.带菌的; v.传染; (infect的过去分词和过去式) concerned:adj.有关的;关心的;v.关心;与…有关;(concern的过去时和过去分词)
|
| might get sick from it, that she could get this virus. (Laughter) |
会因此而生病,会感染到这个病毒(笑声) |
| And I'm not a doctor, but I reassured her that it was very, very unlikely that this would happen, but if she felt more comfortable, she could be free to use latex gloves when she was on the computer, and there would be no harm whatsoever in that. |
虽然我不是个医生,但我向她再三保证 这种事不可能会发生 但如果她还是不放心,她或许可以考虑 在用电脑的时候带着橡胶手套, 而且这无论如何都是无害的。 |
|
reassured:adj.使消除疑虑的;使放心的;v.使安心;再次保证(reassure的过去式); unlikely:adj.不大可能发生的;非心目中的;非想象的;难以相信的; latex:n.乳胶;乳液; whatsoever:pron.无论什么;
|
| I'm going to get back to this notion of being able to get a virus from your computer, in a serious way. |
我一会儿会回过头来谈谈这种能够被 自己电脑的病毒感染的想法,用一个更严肃的角度来谈 |
|
notion:n.观念;信念;理解;
|
| What I'm going to talk to you about today are some hacks , some real world cyber-attacks that people in my community , the academic research community , have performed , which I don't think most people know about, and I think they're very interesting and scary, and this talk is kind of a greatest hits of the academic security community's hacks. |
今天我要讲的是 一些在我领域,学术研究界的人员 所进行大多人所不知的 黑客活动 和一些真实世界的网络攻击, 我觉得它们既有意思又可怕, 而这次的演说就有点像是学术的安全共同体中的 经典黑客案例 |
|
hacks:出租汽车;老马(hack的复数); community:n.社区;[生态]群落;共同体;团体; academic:adj.学术的;理论的;学院的;n.大学生,大学教师;学者; performed:v.表演;执行;履行;演出;工作,运转(好/不好)(perform的过去分词和过去式)
|
| None of the work is my work. It's all work that my colleagues have done, and I actually asked them for their slides and incorporated them into this talk. |
这些都不是我个人的工作。这全部都是 我同事做的,而我其实还向他们要了一些 幻灯片并把它们加到我的演讲里。 |
|
colleagues:n.同事;同行(colleague的复数); incorporated:adj.合并的; v.合并;
|
| So the first one I'm going to talk about are implanted medical devices . |
那么,我要讲的第一个案例就是 植入性医疗器械。 |
|
implanted:植入的; devices:n.[机][计]设备;[机]装置;[电子]器件(device的复数);
|
| Now medical devices have come a long way technologically . |
当今的医疗器械是经历了一段很长的科技发展。 |
|
come a long way:突飞猛进; technologically:adv.科技地;技术上地;
|
| You can see in 1926 the first pacemaker was invented. |
你可以看到,第一款心脏起搏器发明于1926年。 |
|
pacemaker:n.[基医]起搏器;领跑者;标兵;
|
| 1960, the first internal pacemaker was implanted, hopefully a little smaller than that one that you see there, and the technology has continued to move forward. |
1960年,第一个体内心脏起搏器被植入, 希望是比大家在这看到的要小一些, 之后,这方面的技术一直在不断地发展。 |
|
internal:n.内脏;本质;adj.内部的;里面的;体内的;(机构)内部的; technology:n.技术;工艺;术语;
|
| In 2006, we hit an important milestone from the perspective of computer security. |
到了2006年,我们迎来了一个重要的里程碑, 对于电脑安全而言。 |
|
milestone:n.里程碑,划时代的事件;
|
| And why do I say that? |
那我为什么这么说呢? |
| Because that's when implanted devices inside of people started to have networking capabilities. |
那是因为这正是植入人体的器械 开始具备联网能力的时候。 |
| One thing that brings us close to home is we look at Dick Cheney's device, he had a device that pumped blood from an aorta to another part of the heart, and as you can see at the bottom there, it was controlled by a computer controller, and if you ever thought that software liability was very important, get one of these inside of you. |
一件带我们回主题的事就是当我们 看到迪克·切尼的仪器,他拥有一可以 将血液从一个大动脉输送到心脏的另一个部分的仪器, 就如你在底部所看到的, 它是被一个电脑控制器所控制的, 如果你认为软件责任 非常重大的话,你可以给自己装一个这个。 |
|
close to home:触及痛处; Dick:n.阴茎,鸡巴;侦探;誓言; pumped:adj.紧张的; v.用泵输送; (pump的过去分词和过去式) aorta:n.[解剖]主动脉; as you can see:正如你所看到的;你是知道的; liability:n.责任;债务;倾向;可能性;不利因素;
|
| Now what a research team did was they got their hands on what's called an ICD. |
现在有一支研究团队所做的就是得到了一个 被称作 ICD 的器件。(植入型心律转复除颤器) |
| This is a defibrillator , and this is a device that goes into a person to control their heart rhythm , and these have saved many lives. |
这是一个复除颤器,而且这是个 用在人体体内来控制他们心率的仪器, 而且这仪器还救过不少人的命。 |
|
defibrillator:n.除颤器(通过电击心脏控制心肌运动); rhythm:n.节奏;韵律;
|
| Well, in order to not have to open up the person every time you want to reprogram their device or do some diagnostics on it, they made the thing be able |
那麽,为了不用每次给装置重新编程 或者进行某些其他的检测的时候 都要剖开病人的胸腔,他们让这个装置 |
|
reprogram:vt.改编程序;程序重调; diagnostics:n.诊断学(用作单数);
|
| to communicate wirelessly , and what this research team did is they reverse engineered the wireless protocol , and they built the device you see pictured here, |
可以无线通讯,而这个研究团队所做的 就是对无线协议做逆向工程, 并制作出你现在所看到的图中所显示的仪器, |
|
wirelessly:用无线电报与…联系;用无线电报发送(信息等):;;打无线电报;打无线电话; reverse:n.反面; v.颠倒; adj.相反的; protocol:n.协议;草案;礼仪;vt.拟定;vi.拟定;
|
| with a little antenna , that could talk the protocol to the device, and thus control it. |
它还有一个小天线用于与设备 进行交流,从而进行操控。 |
|
antenna:n.[电讯]天线;[动]触角,[昆]触须;
|
| In order to make their experience real -- they were unable to find any volunteers , and so they went and they got some ground beef and some bacon and they wrapped it all up to about the size of a human being's area where the device would go, and they stuck the device inside it to perform their experiment somewhat realistically . |
为了让他们的试验更真实-他们无法 找到任何志愿者,所以他们找来 一些牛肉馅儿和培根肉 弄成一个大小和人体内 安放这个装置差不多大小的区域, 然后他们把这个装置放了进去 从而使他们的实验近乎真实。 |
|
volunteers:n.志愿者; v.自愿做; (volunteer的第三人称单数和复数) ground beef:un.绞细牛肉; bacon:n.咸肉;腌肉;熏猪肉; wrapped:adj.极高兴的;十分满意的;v.用…包裹;用…缠绕;(wrap的过去分词和过去式) somewhat:n.几分;某物;adv.有点;多少;几分;稍微; realistically:adv.现实地;实际地;逼真地;
|
| They launched many, many successful attacks. |
他们进行了很多很多成功的攻击。 |
|
launched:v.发射;发起;开展;开始;(launch的过去式和过去分词)
|
| One that I'll highlight here is changing the patient's name. |
我特别想重点讲一下的是他们成功地修改了病人的姓名信息。 |
|
highlight:vt.突出;强调;使显著;加亮;n.最精彩的部分;最重要的事情;加亮区;
|
| I don't know why you would want to do that, but I sure wouldn't want that done to me. |
我不清楚为什么有人要这么做 , 但是我肯定不愿意有人对我这么做。 |
| And they were able to change therapies , including disabling the device -- and this is with a real, commercial , off-the-shelf device -- simply by performing reverse engineering and sending wireless signals to it. |
他们还能够更改治疗方案, 包括使设备失效-而这些都发生在一个真的 营利的、市场上能买到的心率仪上 -- 仅仅是通过反向破解以及向其 发送无线指令就能实现。 |
|
therapies:n.治疗方法(therapy复数形式); disabling:v.使不能;使失去能力;致残疾(disable的ing形式); commercial:adj.贸易的;商业的;赢利的;以获利为目的的;n.(电台或电视播放的)广告; off-the-shelf:adj.现成的;常备的;成品的;adv.现成地;无需作重大修改地; performing:adj.表演的;演奏的;v.做;执行;演出;运转(perform的现在分词) reverse engineering:逆向工程;
|
| There was a piece on NPR that some of these ICDs could actually have their performance disrupted simply by holding a pair of headphones onto them. |
NPR 上曾经有过一则新闻报到了(美国国家公共广播电台) 一些ICD的运行甚至可以被 放在其上面的一副耳机扰乱 |
|
performance:n.性能;表现;业绩;表演; disrupted:破坏;使瓦解;使分裂;使中断;使陷于混乱(disrupt的过去分词形式); headphones:n.[电讯]耳机;听筒;[电子]头戴式受话器;(headphone的复数)
|
| Now, wireless and the Internet can improve health care greatly . |
如今,无线技术和互联网 能够大大改善医疗服务 |
|
improve:v.改进;改善; health care:n.卫生保健; greatly:adv.很,大大地;非常;
|
| There's several examples up on the screen of situations where doctors are looking to implant devices inside of people, and all of these devices now, it's standard that they communicate wirelessly, and I think this is great, |
屏幕上显示的几个例子是一些 医生要为病人体内植入医疗装置 的情况,而现今所有这方面的仪器, 无线联网已经成为了标准配备, 我认为这很了不起, |
|
standard:n.标准;水准;旗;度量衡标准;adj.标准的;合规格的;公认为优秀的;
|
| but without a full understanding of trustworthy computing , and without understanding what attackers can do and the security risks from the beginning, there's a lot of danger in this. |
但是如果没有全面的了解和可靠的计算, 和没有认识到攻击行为所造成的影响 以及固有的安全隐患, 这就会带来很多危险。 |
|
trustworthy:adj.可靠的;可信赖的; computing:n.计算;计算机技术;信息处理技术;v.计算;求出;(compute的现在分词) attackers:n.攻击者;进攻者;
|
| Okay, let me shift gears and show you another target. |
好的,让我换个机械向你们展示另外一个攻击对象。 |
|
shift:n.移动;变化;手段;轮班;v.移动;转变;转换; gears:n.[机]齿轮,[机]传动装置(gear的复数形式); v.以齿轮连起,安排(gear的三单形式);
|
| I'm going to show you a few different targets like this, and that's my talk. So we'll look at automobiles . |
我将向你们展示几个类似的攻击对象, 它们是我演讲的主要部分。我们接下来看看汽车。 |
|
automobiles:n.[车辆]汽车,发动器(automobile复数);关于汽车;
|
| This is a car, and it has a lot of components , a lot of electronics in it today. |
这是一辆车,它拥有很多组成部分, 如今还拥有许多的电子零件。 |
|
components:n.部件;组件;成份(component复数); electronics:n.电子学;电子工业;
|
| In fact, it's got many, many different computers inside of it, more Pentiums than my lab did when I was in college, and they're connected by a wired network. |
事实上,它里面有很多很多台不同的电脑, 它所拥有的奔腾处理器比我大学时期的实验室里的还多, 而且这些电脑之间是由内部线路相连。 |
| There's also a wireless network in the car, which can be reached from many different ways. |
车内也有一个无线网络, 它可以通过不同的方式与外界相连。 |
| So there's Bluetooth , there's the FM and XM radio, there's actually wi-fi , there's sensors in the wheels that wirelessly communicate the tire pressure to a controller on board. |
包含了蓝牙,有FM广播和XM广播, 甚至还有wi-fi,车轮里面有传感器 可以通过无线网络监测轮胎气压 并传输给控制板。 |
|
Bluetooth:n.蓝牙技术(一种无线通信的标准); wi-fi:abbr.无线保真技术(wirelessfidelity);无线上网技术; sensors:n.[自]传感器,感应器;感测器(sensor的复数);
|
| The modern car is a sophisticated multi-computer device. |
现代汽车是非常复杂的多电脑设备 |
|
sophisticated:adj.复杂的;老练的;见多识广的;水平高的;
|
| And what happens if somebody wanted to attack this? |
那如果有人想攻击这台设备的话会发生什么呢? |
| Well, that's what the researchers that I'm going to talk about today did. |
这就是今天我演讲中的 研究者们所做的。 |
| They basically stuck an attacker on the wired network and on the wireless network. |
他们很根本地在汽车的有线和无线网络上 都安装了攻击装置。 |
|
basically:adv.主要地,基本上;
|
| Now, they have two areas they can attack. |
现在,他们可以通过两种方式进行攻击。 |
| One is short-range wireless, where you can actually communicate with the device from nearby , either through Bluetooth or wi-fi, and the other is long-range , where you can communicate with the car through the cellular network, or through one of the radio stations. |
一种是短程无线网络,这样你可以直接 和附近的装置进行通信, 比如通过蓝牙或 wi-fi, 另一个是远程网络,让你可以 通过移动网络 或者通过某个无线电电台与车进行通信。 |
|
short-range:adj.短射程的;短期间的; nearby:adj.附近的,邻近的;adv.在附近;prep.在…附近; long-range:adj.(飞机,火箭等)远程的;长期的;远大的; cellular:adj.细胞的;多孔的;由细胞组成的;n.移动电话;单元;
|
| Think about it. When a car receives a radio signal, it's processed by software. |
想想看。当一辆汽车接收到无线电信号, 软件会对这信号进行处理。 |
|
processed:v.加工,处理;审核;列队行进;(process的过去式和过去分词)
|
| That software has to receive and decode the radio signal, and then figure out what to do with it, even if it's just music that it needs to play on the radio, and that software that does that decoding , |
这软件必需对信号进行接收和解码 从而弄明白如何进行处理, 即便那只是电台音乐, 而那进行解码的软件, |
|
decode:vt.[计][通信]译码,解码;vi.从事破译工作; decoding:v.解码;破译(尤指密码);译解,理解(外文);(decode的现在分词)
|
| if it has any bugs in it, could create a vulnerability for somebody to hack the car. |
如果存有任何漏洞,就有机会 让他人入侵汽车的电脑系统中。 |
|
bugs:n.缺陷;虫子;窃听器;(bug的复数)v.窃听;使烦恼;(bug的第三人称单数) vulnerability:n.易损性;弱点;
|
| The way that the researchers did this work is, they read the software in the computer chips that were in the car, and then they used sophisticated reverse engineering tools to figure out what that software did, |
研究人员试验的方法就是, 他们读取了车内电脑芯片中的软件 之后他们运用复杂的 反向破解工具 来弄明白了这个软件的功能, |
|
chips:炸土豆条(chip的复数)
|
| and then they found vulnerabilities in that software, and then they built exploits to exploit those. |
并且找到了软休的漏洞, 之后他们利用这些漏洞建造后门。 |
|
vulnerabilities:n.缺陷(vulnerability的复数形式);脆弱点; exploits:n.功绩,业绩;壮举(exploit的复数);v.利用;开发(exploit的第三人称单数);
|
| They actually carried out their attack in real life. |
他们真的在现实生活中试验了这些攻击。 |
| They bought two cars, and I guess they have better budgets than I do. |
他们买了两辆车, 我猜他们的经费比我要宽裕一些。 |
|
budgets:n.[财政]预算(budget复数形式);v.为…做预算(budget的第三人称单数形式);
|
| The first threat model was to see what someone could do if an attacker actually got access to the internal network on the car. |
第一个攻击计划是想看看一个人能在 攻击者得到许可进入汽车的 内部网络时做些什麽。 |
| Okay, so think of that as, someone gets to go to your car, they get to mess around with it, and then they leave, and now, what kind of trouble are you in? |
好的,假设有一个人可以接近你的车, 在车中做了一些手脚,然后离开, 那现在,你会遇到些什么麻烦呢? |
|
mess around with:瞎搞;乱动;与…勾搭;
|
| The other threat model is that they contact you in real time over one of the wireless networks like the cellular, or something like that, never having actually gotten physical access to your car. |
另一个计划是他们通过 无线网络进行实时交流 就像手机或是其他类似的方式, 根本不需要跟你的车有任何的物理上的接触。 |
|
contact:n.接触,联系;v.使接触,联系; real time:adj.实时的;接到指示立即执行的; physical:adj.[物]物理的;身体的;物质的;符合自然法则的;n.体格检查;
|
| This is what their setup looks like for the first model, where you get to have access to the car. |
这是他们第一个模型设置的样子, 在这他们可以接触到车。 |
| They put a laptop , and they connected to the diagnostic unit on the in-car network, and they did all kinds of silly things, like here's a picture of the speedometer showing 140 miles an hour when the car's in park. |
他们放了一个笔记本电脑,并把它连接到车内部网络的 诊断单元,他们利用这些做了各种各样好玩的把戏, 像这张车速表的照片 在车静止的情况下显示每小时140英里。 |
|
laptop:n.便携式电脑;笔记本电脑; in-car:在汽车内使用的; speedometer:n.速度计;里程计;
|
| Once you have control of the car's computers, you can do anything. |
当你控制住车内电脑系统, 你可以做任何事。 |
| Now you might say, "Okay, that's silly." |
你也许会觉得,“这只是搞笑而已。” |
| Well, what if you make the car always say it's going 20 miles an hour slower than it's actually going? |
那如果你让车总是显示 比真正的速度慢了20英里每小时呢? |
|
what if:如果…怎么办?
|
| You might produce a lot of speeding tickets. |
这样会拿到很多超速罚单。 |
| Then they went out to an abandoned airstrip with two cars, the target victim car and the chase car, and they launched a bunch of other attacks. |
之后他们开了两辆车到一个废弃的简易机场, 一辆目标车,一辆追踪车, 他们并进行了更多其他的攻击。 |
|
abandoned:adj.被抛弃的放纵的;v.抛弃;丢弃,离开;放弃;(abandon的过去分词和过去式) airstrip:n.飞机跑道; victim:n.受害人;牺牲品;牺牲者; a bunch of:一群;一束;一堆;
|
| One of the things they were able to do from the chase car is apply the brakes on the other car, simply by hacking the computer. |
其中一件可以从追踪车里做到的是 在目标车中进行刹车, 这只需要侵入目标车的电脑就可以了。 |
|
apply:v.申请;涂,敷;应用;适用;请求; hacking:v.黑客行为;砍;劈;猛踢;(hack的现在分词)
|
| They were able to disable the brakes. |
他们可以废掉刹车系统。 |
|
disable:vt.使失去能力;使残废;使无资格;
|
| They also were able to install malware that wouldn't kick in and wouldn't trigger until the car was doing something like going over 20 miles an hour, or something like that. |
他们还可以安装一些恶意软件要在车子 做出特定的指令下,比方说车速在20英里每小时 或类似的指令才会启动。 |
|
install:v.安装;设置;安置;建立(程序); malware:n.恶意软件; trigger:n.触发器; v.触发;
|
| The results are astonishing , and when they gave this talk, even though they gave this talk at a conference to a bunch of computer security researchers, everybody was gasping . |
这个结果非常的震撼,而当他们做这个演讲时, 即使是在一个充满 电脑安全研究人员的会议, 所有人都难以之信。 |
|
astonishing:adj.令人十分惊讶的;v.使十分惊讶;使吃惊;(astonish的现在分词) conference:n.会议;研讨会;商讨会;体育协会(或联合会) gasping:adj.喘气的;痉挛的;v.喘气;渴望(gasp的现在分词);
|
| They were able to take over a bunch of critical computers inside the car: the brakes computer, the lighting computer, the engine, the dash, the radio, etc., |
他们成功的控制了车内很多 重要的电脑系统:刹车系统,照明系统, 发动机,仪表盘,无线电台,等等, |
|
take over:接管;继承;接收;接任;接替; critical:adj.鉴定的;[核]临界的;批评的,爱挑剔的;危险的;决定性的;评论的;
|
| and they were able to perform these on real commercial cars that they purchased using the radio network. |
而且他们可以在他们所购买的商务车中 利用无线网络来做这些事情。 |
|
purchased:v.买;购买;采购;(purchase的过去式和过去分词)
|
| They were able to compromise every single one of the pieces of software that controlled every single one of the wireless capabilities of the car. |
他们可以妥協每一个 操控每一项 车内无线功能的软件。 |
|
compromise:n.妥协;折中;互让;和解;v.妥协;违背(原则);达不到(标准);使陷入危险;
|
| All of these were implemented successfully. |
所有的实验都成功的实施了。 |
|
implemented:v.使生效;贯彻;执行;实施;(implement的过去式和过去分词)
|
| How would you steal a car in this model? |
你要怎样去偷这类型的车呢? |
| Well, you compromise the car by a buffer overflow of vulnerability in the software, something like that. |
首先你从内部软件缓冲区溢出的 漏洞开始侵入,就像这样。 |
|
buffer:n.[计]缓冲区;缓冲器,[车辆]减震器;vt.缓冲; overflow:vi.溢出;泛滥;充溢;n.充满,洋溢;泛滥;超值;溢值;vt.使溢出;使泛滥;使充溢;
|
| You use the GPS in the car to locate it. |
你再用车内置的导航器确定它的位置。 |
|
locate:v.确定…的准确地点;把…安置在(或建造于);创办于(某地);
|
| You remotely unlock the doors through the computer that controls that, start the engine, bypass anti-theft , and you've got yourself a car. |
再用电脑遥控打开车门, 启动发动机,绕过防盗系统, 这样你就弄到了一辆车。 |
|
remotely:adv.遥远地;偏僻地;(程度)极微地,极轻地; bypass:vt.绕开;忽视;设旁路;迂回;n.旁路;[公路]支路; anti-theft:防盗;
|
| Surveillance was really interesting. |
监控是很有意思的。 |
|
Surveillance:n.监督;监视;
|
| The authors of the study have a video where they show themselves taking over a car and then turning on the microphone in the car, and listening in on the car while tracking it via GPS on a map, |
这个研究的作者们有一个影像显示 他们侵入一辆车,然后打开 车内的话筒,听著车内的声音 并同时用导航器跟踪车的位置, |
|
microphone:n.麦克风;传声器;话筒; tracking:n.追踪,跟踪;v.跟踪;(track的现在分词) via:prep.通过;经由;n.道路;[医]管道;
|
| and so that's something that the drivers of the car would never know was happening. |
而这些是车的司机 绝对不会知道的。 |
| Am I scaring you yet? |
我吓到你们了吗? |
| I've got a few more of these interesting ones. |
我还有几个很有趣的实验。 |
| These are ones where I went to a conference, and my mind was just blown, and I said, "I have to share this with other people." |
这些是我从一个我去过的会议所知道的, 我当时惊呆了,我说 “我得跟其他人分享这个信息。” |
| This was Fabian Monrose's lab at the University of North Carolina , and what they did was something intuitive once you see it, but kind of surprising. |
这是北卡大学 Fabian Monrose 教授的实验室, 他们做的实验 是一个当你看了之后会觉得很直观, 但也会很惊讶的实验。 |
|
Carolina:n.卡罗莱纳州(在美国东南部); intuitive:adj.直觉的;凭直觉获知的;
|
| They videotaped people on a bus, and then they post-processed the video. |
他们录下了在公车上的人们, 然后后期处理这些视频。 |
|
videotaped:n.录像带;vt.将…录到录像带上;
|
| What you see here in number one is a reflection in somebody's glasses of the smartphone that they're typing in. |
你在一号所看到的是 在输入手机的某人的眼镜中所反射 出来的智慧型手机映像。 |
|
reflection:n.反映;沉思;映像;深思; smartphone:n.智能手机;
|
| They wrote software to stabilize -- even though they were on a bus and maybe someone's holding their phone at an angle -- to stabilize the phone, process it, and you may know on your smartphone, when you type |
他们编了一个软件来稳定 -- 即使他们在公车上 或是有人会把手机摆在一个特殊的角度 -- 来稳定这个手机,处理它, 你也许知道,当你在智慧型手机上输入 |
|
stabilize:vt.使稳固,使安定;vi.稳定,安定;
|
| a password, the keys pop out a little bit, and they were able to use that to reconstruct what the person was typing, and had a language model for detecting typing. |
密码时,对应键会放大一点,因此他们可以 利用这一点去重组那个人所输入的东西, 还有一个语言模型去检测输入行为。 |
|
reconstruct:vt.重建;改造;修复;重现; detecting:n.检测;检定;v.发现;探知(detect的现在分词);adj.探测的;
|
| What was interesting is, by videotaping on a bus, they were able to produce exactly what people on their smartphones were typing, and then they had a surprising result, which is that |
有意思的是,利用公车上的录像 他们可以准确无误的得到他人在 手机上输入什么, 之后他们还发现了一个意外结果,就是 |
|
videotaping:n.进行录像;v.将…录在录像带上;录制(videotape的ing形式); smartphones:智能手机(smartphone的复数);
|
| their software had not only done it for their target, but other people who accidentally happened to be in the picture, they were able to produce what those people had been typing, and that was kind of an accidental artifact of what their software was doing. |
他们的软件不但会对他们的目标进行处理, 也可以对那些意外入镜的 人进行分析出 那些人都输入了什么,而这些 是这软件进行中所得到的意外收获。 |
|
accidentally:adv.意外地:偶然,偶然地; artifact:n.人工制品;手工艺品;
|
| I'll show you two more. One is P25 radios. |
我再给你们看两个例子。一个是P25无线电。 |
| P25 radios are used by law enforcement and all kinds of government agencies and people in combat to communicate, and there's an encryption option on these phones. |
P25无线电是执法部门 和种种政府机构 以及战场上的人们交流所使用的, 而这些电话里都会有加密选项。 |
|
enforcement:n.执行,实施;强制; agencies:n.代理;代理处(agency的复数); combat:v.战斗;防止;减轻;与…搏斗;n.战斗;搏斗;打仗; encryption:n.加密;加密术; option:n.选择;可选择的东西;
|
| This is what the phone looks like. It's not really a phone. |
这电话就是长这个样子。这不是真正的电话。 |
| It's more of a two-way radio. |
它比较像是双向无线电。 |
|
two-way:adj.双向的;相互的;两路的;
|
| Motorola makes the most widely used one, and you can see that they're used by Secret Service , they're used in combat, it's a very, very common standard in the U.S. and elsewhere . |
摩托罗拉是这电话的最大生产商,你也会看到 它们是被秘密机构以及战场上所使用, 它在美国和其他地方都非常~非常的常见的标准。 |
|
Secret Service:n.(政府的)特工部门; elsewhere:adv.在别处;到别处;
|
| So one question the researchers asked themselves is, could you block this thing, right? |
所以研究员们自问的一个问题就是 可以阻止这个东西~~~吧? |
| Could you run a denial-of-service, because these are first responders ? |
可以执行拒绝服务吗? 因为这些都是抢险救生员。 |
|
responders:n.响应器;回答者;(responder的复数)
|
| So, would a terrorist organization want to black out the ability of police and fire to communicate at an emergency ? |
那么,恐怖组织会想要阻断 警察和火警的紧急联系功能吗? |
|
organization:n.组织;机构;体制;团体; emergency:n.紧急情况;突发事件;非常时刻;adj.紧急的;备用的;
|
| They found that there's this GirlTech device used for texting that happens to operate at the same exact frequency as the P25, and they built what they called |
他们发现有个叫GirlTech的信息设备 所使用的频道和 P25 是一样的, 然後他们建造了一个叫 |
|
frequency:n.频率;发生率;重复率;频繁;
|
| My First Jammer . (Laughter) |
我的第一干扰 。(笑声) |
|
Jammer:n.干扰发射机;U型钢丝芯撑;
|
| If you look closely at this device, it's got a switch for encryption or cleartext. |
如果你仔细看这个设备, 这里有个开关可以切换加密或是明文。 |
| Let me advance the slide, and now I'll go back. |
让我先到下一页,然後现在我再回去。 |
| You see the difference? |
你看到那差异了吗? |
| This is plain text . This is encrypted . |
这是明文,这是加密。 |
|
plain text:n.明文; encrypted:v.把…加密(或编码);(encrypt的过去式和过去分词)
|
| There's one little dot that shows up on the screen, and one little tiny turn of the switch. |
屏幕上出现一个小点, 而开关也转了一点点。 |
| And so the researchers asked themselves, "I wonder how many times very secure, important, sensitive conversations are happening on these two-way radios where they forget to encrypt and they don't notice that they didn't encrypt?" |
那些研究员们就自问,“我猜想 有多少非常保密的,重要的,敏感的谈话 是在这些他们忘记加密 而且没有注意到这回事的双向无线电的情况下进行呢? |
|
sensitive:adj.敏感的;感觉的;易受影响的;n.敏感的人;有灵异能力的人;
|
| So they bought a scanner . These are perfectly legal and they run at the frequency of the P25, and what they did is they hopped around frequencies and they wrote software to listen in. |
他们买了一个扫描仪。这些都是完全合法的 他们并在P25的频率下运行这扫描仪, 之後他们在这个频率周围不停地转动 然後用他们所写的软件来监听。 |
|
scanner:n.[计]扫描仪;扫描器;光电子扫描装置; legal:adj.法律的;合法的;法定的; hopped:v.单脚跳行;齐足(或双足)跳行;(hop的过去分词和过去式) frequencies:n.频率;发生率;重复率;频繁;(frequency的复数)
|
| If they found encrypted communication, they stayed on that channel and they wrote down, that's a channel that these people communicate in, these law enforcement agencies, |
如果他们找到了加密的对话,他们就停留 在那个频道,然后写下这是 那些人交流的频道, 那些执法机构, |
| and they went to 20 metropolitan areas and listened in on conversations that were happening at those frequencies. |
他们去了20个大都市区监听 这些频道上的所进行的对话。 |
|
metropolitan:adj.大都市的;大主教辖区的;宗主国的;n.大城市人;大主教;宗主国的公民;
|
| They found that in every metropolitan area, they would capture over 20 minutes a day of cleartext communication. |
他们发现在每一个大都会区 他们每天都能捕捉到至少20分钟的 明文交流。 |
|
capture:v.俘虏;捕获;攻占;夺得;刻画,描述;n.(被)捕获;(被)俘获
|
| And what kind of things were people talking about? |
那他们都交流些什么呢? |
| Well, they found the names and information about confidential informants . They found information that was being recorded in wiretaps , a bunch of crimes that were being discussed, sensitive information. |
他们得到了秘密举报人的 名字和信息。他们得到了 正在被窃听的信息, 一堆正在被讨论的犯罪案件, 敏感的消息。 |
|
confidential:adj.机密的;表示信任的;获信任的; informants:n.被调查者;告密者;提供消息者; wiretaps:n.窃听; vi.(搭线)窃听; vt.搭线窃听; adj.窃听的;
|
| It was mostly law enforcement and criminal. |
大多数都是执法和犯罪类的。 |
| They went and reported this to the law enforcement agencies, after anonymizing it, and the vulnerability here is simply the user interface wasn't good enough. If you're talking |
他们向执法机构说明了这件事, 当然是在匿名之后, 而当中的漏洞很纯粹的只是用户界面 不够好。如果你是在讨论 |
|
anonymizing:隐去姓名资料;使匿名; interface:n.接口;人机界面;连接电路;v.连接;
|
| about something really secure and sensitive, it should be really clear to you that this conversation is encrypted. |
一些非常保密或者敏感话题,你应该 清楚的知道这个谈话是被加密的。 |
| That one's pretty easy to fix. |
这个很容易修正。 |
| The last one I thought was really, really cool, and I just had to show it to you, it's probably not something that you're going to lose sleep over like the cars or the defibrillators , but it's stealing keystrokes . |
最后一例子我认为是非常,非常的牛, 所以我必须得给你们看这个,这可能不是一些 会使你们失眠的东西, 像是汽车实验和心脏去颤器那样, 但这个是窃取击键。 |
|
defibrillators:n.电震发生器;(defibrillator的复数形式) keystrokes:v.[计]击键(keystroke的第三人称单数形式); n.打键次数(keystroke的复数形式);
|
| Now, we've all looked at smartphones upside down . |
至今,我们都彻底的观察过智慧型手机。 |
|
upside down:adj.颠倒的;乱七八糟的;
|
| Every security expert wants to hack a smartphone, and we tend to look at the USB port, the GPS for tracking, the camera, the microphone, but no one up till this point had looked at the accelerometer . |
每个安全专家都想要侵入这样的手机系统, 而我们一般都会去看USB插头,跟踪GPS, 相机,话筒,但目前为止没有人 看过加速规。 |
|
accelerometer:n.[航][物]加速计;
|
| The accelerometer is the thing that determines the vertical orientation of the smartphone. |
加速规是那个决定 手机垂直方向的东西。 |
|
determines:v.查明;测定;准确算出;决定;裁决;安排;(determine的第三人称单数) vertical:n.垂直线;垂直位置;adj.竖的;垂直的;直立的;纵向的; orientation:n.方向;定向;适应;情况介绍;向东方;
|
| And so they had a simple setup. |
因此他们有个很简单的设置。 |
| They put a smartphone next to a keyboard, and they had people type, and then their goal was to use the vibrations that were created by typing to measure the change in the accelerometer reading to determine what the person had been typing. |
他们把手机放在键盘旁边, 然後他们让人们去打字,而他们的目标是 利用打字而产生的震动 去测量加速规的数据的变化 由此来判断这个人输入的是什么。 |
|
vibrations:n.[力]振动;共鸣;动摇(vibration的复数);
|
| Now, when they tried this on an iPhone 3GS, this is a graph of the perturbations that were created by the typing, and you can see that it's very difficult |
那么当他们在用iPhone 3GS做这实验时, 这是他们从打字所得到的 扰动图,而你可以了解到这是很难 |
|
perturbations:n.[流]扰动;不安(perturbation的复数形式);
|
| to tell when somebody was typing or what they were typing, but the iPhone 4 greatly improved the accelerometer, and so the same measurement produced this graph. |
判断什么时候有人在打字或者他们打过了什么字, 但是iPhone 4在加速规上有很大的提高, 因此同样的测量 所得到的图是这样的。 |
|
improved:adj.改良的:v.改进:改善(improve的过去分词和过去式) measurement:n.测量;度量;长度;
|
| Now that gave you a lot of information while someone was typing, and what they did then is used advanced artificial intelligence techniques called machine learning to have a training phase , and so they got most likely grad students to type in a whole lot of things, and to learn, |
这么现在有人在打字时就会给出更多的信息了, 那他们接下来用了一个先进的 人工智能技术,称作 机器学习 来进行一个培训阶段, 然后他们极有可能是找了一些研究生 去输入一大堆的东西,然后去学习, |
|
advanced:adj.先进的; v.前进; (advance的过去式和过去分词形式) artificial intelligence:n.人工智能; techniques:n.技巧;技艺;工艺;技术;(technique的复数) phase:n.阶段;时期;月相;(月亮的)盈亏;v.分阶段进行;逐步做;
|
| to have the system use the machine learning tools that were available to learn what it is that the people were typing and to match that up with the measurements in the accelerometer. |
让这个系统利用已有的机器学习工具去 了解这些人输入的是什么 并结合了 加速规所测量的数据。 |
|
measurements:n.测量值,尺寸(measurement的复数);
|
| And then there's the attack phase, where you get somebody to type something in, you don't know what it was, but you use your model that you created in the training phase to figure out what they were typing. |
接下来就是攻击阶段了,你找 一些人来输入一些东西,但是你不知道输入的是什麽 但你利用之前在培训中 所编写的模式来得出输入的内容。 |
| They had pretty good success. This is an article from the USA Today. |
他们有很好的成功几率。这是一篇出至《今日美国》的文章。 |
| They typed in, "The Illinois Supreme Court has ruled that Rahm Emanuel is eligible to run for Mayor of Chicago" |
他们输入了“伊利诺伊州最高法院裁定 伊曼纽尔拥有参加芝加哥市长竞选的资格” |
|
Illinois:n.伊利诺斯州(美国州名); Supreme Court:最高法院; eligible:adj.合格的,合适的;符合条件的;有资格当选的;n.合格者;适任者;有资格者; Mayor:n.市长;镇长;
|
| — see, I tied it in to the last talk — "and ordered him to stay on the ballot ." |
-看,我结合了上一个演讲- “并且命令他必需留在选票上”。 |
|
ballot:n.投票;投票用纸;投票总数;vi.投票;抽签决定;vt.使投票表决;拉选票;
|
| Now, the system is interesting, because it produced "Illinois Supreme" and then it wasn't sure. |
这个系统很有趣,因为它分析出了 “伊利诺伊州最高”而之后的它就不确定了。 |
| The model produced a bunch of options , and this is the beauty of some of the A.I. techniques, is that computers are good at some things, humans are good at other things, take the best of both and let the humans solve this one. |
这个模式给了一堆的选择, 这也就是人工智能技术厉害的地方, 也就是电脑在某方面很在行, 而人类则是在别的方面很强, 结合双方的优势,并让人类去解决这一个问题。 |
|
options:n.选择; v.得到或获准进行选择; (option的三单形式)
|
| Don't waste computer cycles. |
不去浪费电脑的周期。 |
| A human's not going to think it's the Supreme might. |
一个人是不会认为那会是 最高可能 。 |
| It's the Supreme Court, right? |
当然是 最高法院 ,对吧? |
| And so, together we're able to reproduce typing simply by measuring the accelerometer. |
也因此,人们和机器一起可以只测量加速规的 数据来得出打出来的内容。 |
|
reproduce:v.繁殖;复制;再现;生育;
|
| Why does this matter? Well, in the Android platform , for example, the developers have a manifest where every device on there, the microphone, etc., has to register if you're going to use it so that hackers can't take over it, but nobody controls the accelerometer. |
这有什么重要的呢?好吧,用安卓平台来 举个例子,开发者们有一个清单, 当中的每一个设备,像是麦克风等等, 都需要注册,如果有你要用它 好让黑客无法侵入它的话, 但是没人控制加速规。 |
|
Android:n.机器人;安卓操作系统; platform:n.平台; v.把…放在台上[放在高处; developers:n.开发商;发展者;[摄]显影剂(developer的复数); manifest:v.表明;显现;使人注意到;adj.明显的;显而易见的;n.旅客名单; register:v.登记;注册;记录;n.登记簿;登记表;注册簿; hackers:n.黑客,骇客;电脑黑客(hacker的复数);
|
| So what's the point? You can leave your iPhone next to someone's keyboard, and just leave the room, and then later recover what they did, even without using the microphone. |
那重点在那呢?你可以把你的iPhone放在 某人的键盘旁边,然后就离开房间, 之后再回来复原他们所做过的事, 就连麦克风都不需要。 |
| If someone is able to put malware on your iPhone, they could then maybe get the typing that you do whenever you put your iPhone next to your keyboard. |
如果有人能够把入侵软件装入你的iPhone, 他们也就可能得到你所输入的内容, 每当你把你的iPhone放在你的键盘旁边。 |
| There's several other notable attacks that unfortunately |
另外还有几个值得注意的攻击,但我很不幸的 |
|
notable:adj.值得注意的,显著的;著名的;n.名人,显要人物; unfortunately:adv.不幸地;
|
| I don't have time to go into, but the one that I wanted to point out was a group from the University of Michigan which was able to take voting machines, the Sequoia AVC Edge DREs that |
没有时间去说,但有一个我想点出 的是在密西根大学的一组人员, 他们成功的侵入了投票机, 这是 Sequoia AVC Edge DRE(美国最大的电子投票机制造商之一) |
|
Michigan:n.密歇根;美国密歇根州; Sequoia:n.红杉(产于美国加州); DREs:n.服饰业;
|
| were going to be used in New Jersey in the election that were left in a hallway, and put Pac-Man on it. |
准备在新泽西州选举中用, 它被留在了一个走廊里,他们在里面安装了吃豆人游戏。 |
|
Pac-Man:n.吃豆人(游戏名);
|
| So they ran the Pac-Man game. |
他们安装了吃豆人游戏,所以呢? |
| What does this all mean? |
这些都有什么意义呢? |
| Well, I think that society tends to adopt technology really quickly. I love the next coolest gadget . |
我觉得我们的社会往往很快的采用新技术 我非常喜欢下一个最炫的小玩意儿。 |
|
adopt:v.采取;接受;收养;正式通过; gadget:n.小玩意;小器具;小配件;诡计;
|
| But it's very important, and these researchers are showing, that the developers of these things need to take security into account from the very beginning, |
但是更重要的是,这些研究人员所显示的, 这些东西的开发者 需要从一开始就把安全考虑在内, |
| and need to realize that they may have a threat model, but the attackers may not be nice enough to limit themselves to that threat model, and so you need to think outside of the box. |
也需要意识到它们可能会有的威胁模型, 但是那些攻击者也许不会好心到 只把他们局限于这些威胁模型中, 所以你需要跳脱传统思维。 |
| What we can do is be aware that devices can be compromised , and anything that has software in it is going to be vulnerable . It's going to have bugs. |
我们所能做得就是要意识到 设备是可以被妥协的, 而任何有软件的东西 都是会有弱点的。它们是会有错误的。 |
|
compromised:v.妥协,折中,让步; (compromise的过去分词和过去式) vulnerable:adj.易受攻击的,易受…的攻击;易受伤害的;有弱点的;
|
| Thank you very much. (Applause) |
非常感谢。(掌声) |