经济学人159:黑客之伤:白了少年头(在线收听) |
Cybercrime 网络犯罪
Black hats, grey hairs
黑客之伤:白了少年头
A shake-up in the hacker underground and fresh attacks suggest change is coming to computer security
地下黑客组织受到打击,新式攻击预示着计算机安全将有所改变
Aug 6th 2011 | from the print edition
AN 18-YEAR-OLD with 16 computers in a small house in the Shetland Islands: that is where a police hunt ended for the global nerve centre of LulzSec, a group of hackers whose exploits include defacing or disabling the websites of Rupert Murdoch’s media empire, the CIA, a bunch of gay-bashing American Baptists, and Britain’s Serious Organised Crime Agency. Active from May to late June, when it claims to have disbanded, LulzSec’s hallmark was prankish attacks accompanied by public mockery. As well as officialdom, its targets included computer-security and online-gaming companies regarded as pompous, complacent or hypocritical.
在英国设德兰群岛上的一间小屋里,有一个十八岁的孩子守着十六台计算机,这就是警察搜寻到的LulzSec 的全球控制总部。这个名叫Lulzsec 黑客组织的战绩包括,攻击破坏罗伯特默多克媒体帝国的网站,美国中央情报局网站,美国浸信会中攻击同性恋的网站,还有英国重大组织犯罪署的网站。一直从五月活跃到七月末,它忽然宣布解散。LulzSec特点就是在公众的嘲笑下恶作剧般的攻击。它的目标包括那些自大骄傲虚伪的计算机安全公司和在线游戏公司,还有官僚做派的组织。
In geekspeak “lulz” means to laugh at a victim; “sec” is for “security”. But lately the misfortune has mostly been the hackers’ own. Of LulzSec’s six presumed core members, police have arrested at least two, including, in late July, the (now bailed) Scottish teenager Jake Davis. The most expert, who goes by the alias Sabu, is still at large. About 15 members of Anonymous, a shadowy collective of skilled, politically motivated hackers, are also in police custody worldwide, according to Gregg Housh, a Boston man who ran computer servers for it but denies involvement in illegal hacks.
在奇客语言中,“lulz”是嘲笑受害者的意思。“sec”的意思是安全。但是最近这种厄运降临到黑客自己身上。警察已经逮捕了LulzSec的前任六名核心成员中的两名,其中有一名苏格兰少年杰克?戴维斯(现已保释)。组织核心,化名为萨布的成员仍然在逃。根据一个名叫格列哥?豪斯的波士顿人称,“匿名”组织有大约十五名技术精湛的骇客在世界范围被监禁。这个组织的成员一般因为政治原因行动,格列哥?豪斯为此组织运营计算机服务器,但是他否认参与了非法攻击。
Authorities in America, Australia, Britain, France, the Netherlands, Norway and elsewhere are arresting high-profile hacktivists and threatening them with real-life jail (without, horrors, internet access). Old-fashioned policing, such as less severe sentences for those who snitch, is proving effective: “These are criminal networks and there are known techniques for dealing with criminal networks,” says Nils Gilman of Monitor 360, a consultancy.
美国,澳大利亚,英国,法国,荷兰,挪威等国的当局都在高调追捕那些骇客,并且以拘留(没有,恐怖,没有网上)为挟。这种旧式整顿,比如说轻微的判刑对于这些小偷小摸的人说,有效果。360监控的咨询师尼尔斯?吉尔曼说“这些就是犯罪网络,但是已经有对付犯罪网络的技术了”。
Amid this pressure the hacker underground, riven by squabbles and splits over personality and policy, has turned on itself. Cyber civil wars have broken out, with rivals attacking each others’ computers and attempting to discover and reveal their real-world identities. LulzSec itself emerged from such a row a little more than three months ago when it broke off from Anonymous. The quarrel, about which targets deserved attack, was particularly bitter, says Mr Housh.
这些地下黑客组织不光面临着外界压力,在个性和政策上的争执分歧也让自己焦头烂额,引火烧身。网络内战已经爆发,竞争对手间互相攻击对方的计算机网络,试图去揭发泄露对方现实身份。LulzSec 同三个月前他和“匿名”断交前相比,现在更多的参与到其中。豪斯先生说,关于攻击目标的争论,尤为激烈。
Upon forming, LulzSec distanced itself from its parent. The older group had been launching computer attacks against MasterCard, Visa, PayPal and others that had blocked donations to WikiLeaks. The LulzSec team of self-described “evil bastards” wrote in a press release that it preferred to abuse more ordinary folks and organisations for “a jolt of satisfaction”. Devilry seemingly trumped high-minded politics: the aim, says Mr Housh, was entertainment, “screwing with a person until he can’t take it anymore”. But some more puritanical hackers have turned vigilante, trying to disrupt LulzSec. Its antics, they say, encourage official crackdowns on internet freedoms.
刚刚组建,LulzSec 就同其母体组织保持距离。旧的团体曾经对万事达,威士卡,贝宝和其它的一些停止对维基泄密提供资金的公司发动攻击。而LulzSec团队自我描述成“魔鬼私生子”曾在发布稿中写过,它更愿意去攻击更普通的平民或者组织,只是为了纯粹的满足感。邪恶好像是高尚的政治正义感更胜一筹。豪斯先生说:纯粹为了娱乐,和一个人死磕到底直到他动弹不得。但是一些清教徒式的黑客成为了治安专员,想要搞垮LulzSec。他们认为,它的各种离经叛道的行径就是在鼓励当局限制网络自由。
Not in it for the money
不是为了钱
Groups such as Anonymous and LulzSec are not motivated by money, but they can still wreak financial havoc. Following the theft of roughly 100m online gamers’ account details in April, Sony shut down its PlayStation Network for nearly a month at a cost of about $171m. A loss in consumer trust has added to that toll. Anonymous and LulzSec often post stolen data online to brag and attract potential recruits. But others can and do attempt to cash in on the loot. David Pérez of Taddong, a Madrid-based consultancy, says stolen bank-account or credit-card details often end up in online black markets. Illicit software automates many of these bourses, says Gordon Snow, assistant director of the cybercrime division in America’s FBI. Sellers and buyers need not communicate directly, so closing deals is less risky.
像“匿名”和LulzSec这样的团体不为钱驱使,但是他们仍旧能摆脱经济上困窘。四月大概有一亿在线玩家的账户被盗,之后索尼就将它自己的PSN关了近一个月的时间,花了大概1.71亿美元。由于失去了客户信任,增加了损失。“匿名”和LulzSec 经常在网上展示偷来的数据,用来显摆或者吸引新人眼球。但是其他人可以也尝试利用这些战利品来趁机捞一把。来自马德里一家名叫塔东咨询公司的大卫?佩雷斯说,那些偷来的银行账号或者信用卡详细资料最终都会落到线上黑市交易。美国联邦调查局的网络犯罪部门助理司长戈登?斯诺说,非法软件让许多线上交易所自动交易。卖家和买家不需要直接沟通,做成交易没多大风险。
Lately LulzSec has changed tack, branding itself a champion of the oppressed, perhaps to shake off accusations of political indifference and sadism. A grandiloquent statement issued after Mr Davis’s arrest said: “We are sick of the twisted corporatocracy that controls us…united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.”
最近LulzSec改换了策略,给自己定位为打压受害者,或许是想要摆脱政治冷漠和施虐的帽子。戴维斯先生被捕之后发表了一段大言不惭的讲话:“我们厌倦了那些复杂的公司王国来控制我们,让我们团结,我们能轻易击败普通的压迫者,并且给我们自己我们需要的自由和力量。”
Even as the hacking underworld has splintered, new threats are emerging. The agenda for Black Hat USA, a security shindig this week in Las Vegas, ranges from the perennial flaws of Microsoft’s software to newly discovered weaknesses in Apple laptops’ batteries, in mobile devices running Google’s Android operating system and in wireless water-meters.
就在地下黑客内部四分五裂的时候,新的威胁又出现了。在本周拉斯维加斯的美国黑帽安全峰会上,所议问题包括微软层出不穷的漏洞,还有刚刚发现苹果手提电脑电池,运行谷歌安卓运系统的移动设备,移动水表的各种问题。
The growth of “cloud” computing makes life harder for hackers overall (because firms that run cloud systems will on average have better security) but when a breach occurs, it offers bigger gains. LulzSec recently claimed (on flimsy evidence) that it had made Apple “our bitch for life” by pillaging passwords and source code from the iCloud servers built to dispatch photos, music and other data to customers’ iPhones, iPads and computers. As mischief has become easier, the hacker crowd has burgeoned and mutated. Ilias Chantzos of Symantec, a computer-security company, says it has far outgrown its nerdy roots in a subculture of brainy social outcasts fuelled by pizza deliveries and fizzy drinks.
云计算的成长让黑客雪上加霜(因为运行云系统的公司总的说来有更好的安全水平)但是,一旦出现缺口,黑客就有更多的收获。苹果云服务器是用来将图片,音乐和其它数据发送到顾客的苹果手机,平板电脑,计算机的服务系统,而最近LulzSec宣称(尽管证据不足)它已经把用户密码和资源代码从云系统中盗了出来,将其变成了“我们终身的婊子”。随着内部不和升级,黑客组织生出新芽,产生巨变。计算机安全公司赛门铁克的伊利亚斯?肯兹说,现在黑客群体已经不仅仅局限于它当初的起源人群,那些每天靠吃比萨外卖二氧化碳汽水为生的书呆子,这些社会次文化中头脑活跃的边缘团体。
The lower technological barriers to entry—no matter the motive—have led to what the FBI’s Mr Snow refers to as hacking’s “industrialisation”. Supporters of Anonymous and LulzSec have stoked the fire, he says, thanks to the spread of new easy-to-use software called “hacking toolkits”. These automate attacks and can be configured to deface or crash a website, or even snatch goodies ranging from credit-card details to industrial designs. Some toolkits also offer “drive-by download”. This turns a website into a trap that hijacks visitors’ computers (or phones), even if they have not clicked on anything.
技术门槛低并且不看动机导致了现在如联邦调查局的斯诺先生所说的黑客工业化的情况。他说,由于一个一个简单实用的名为黑客工具包的软件的传播,“匿名”和LulzSec 的支持者们也能跟着煽风点火。这些自动程序可以攻击或者能被设置能破坏或者使网站瘫痪,甚至顺带着攫取一些甜头,从信用卡细节资料到工业设计。一些工具包也提供偷渡下载,这就将网站变成了一个陷阱,只要访客的计算机(或者手机)点击到了网站的任何东西,那就被黑了。
The hacktivists may do most damage by providing cover for more sinister efforts. A report this week by McAfee, a computer-security company, reveals the results of a five-year probe called Operation Shady RAT, examining attacks that use “Remote Access Tools” to inveigle access to computer networks. It does not name the perpetrator (some fingers are pointed at China) but lists 72 victims, from sporting authorities to the governments of America, Canada, India, South Korea, Taiwan, and Vietnam, plus defence contractors and many other firms. Dmitri Alperovitch of McAfee describes the intrusions as “the biggest transfer of wealth in terms of intellectual property in history”. Kenneth Geers of NATO’s cyberwar centre in Estonia says the hacking boom makes it easier for cyber-spies to pass off their work as the handiwork of a misguided rebellious teenager. Not so funny after all.
黑客活动因为为一些更为恶性的行为提供屏蔽而造成了更多伤害。计算机安全公司迈克菲这周发布的报告发布了一个名叫“Shady RAT”为其五年的调查结果,有哪些攻击是使用“远程访问工具”来诱击计算机网络的。它并没有指出作案者的姓名(一些的指向在中国),但是列举出了72个受害者,包括体育当局,美国,加拿大,引渡,南韩,台湾和越南的政府还有国防承包商其他的许多公司。迈克菲副总裁狄米崔?阿帕罗维奇把这些入侵描述成“历史上最大的知识产权的财富交易”。爱沙尼亚的北约网站肯尼斯?吉尔斯指出,黑客蓬勃发展让网络间谍有机可乘,视工作为误入歧途的叛逆青少年的手工小制作。但是没那么有趣罢了。 |
原文地址:http://www.tingroom.com/lesson/jjxrfyb/zh/241961.html |