大脑扫描 数码盔甲里的骑士
IT TOOK just 20 minutes to build, but Chris Soghoian's hastily constructed website capable of generating fake airline boarding passes led to a rebuke from a congressman, a raid by the Federal Bureau of Investigation (FBI), an investigation by the Transport Security Administration (TSA), worldwide media coverage-and ultimate vindication. With a series of similar exploits that have exposed security flaws and privacy violations, he has demonstrated his ability to hack the media with just as much facility as he manipulates computers. At the age of 30 he has established himself as the most prominent member of a new generation of activist technology researchers who delight in causing a media stink in order to shame companies and governments into fixing problems with their systems.
Christ Soghoian只花了20分钟,就匆匆建成了一个网站,它可以输出虚假登机牌,但却招来了国会议员的谴责,联邦调查局的突袭,美国运输安全管理局的调查,全球媒体报道,以及最终的无罪证明。通过采取一系列类似行动来披露安全漏洞和隐私侵权,Christ证明了以他的能力"黑"媒体就如同他操作电脑般轻巧。年方30的Christ已经成为了新一代行动主义技术研究者中的翘楚,这一团体乐于引发媒体丑闻以迫使公司和政府解决自身体制问题。
The boarding-pass example occurred in 2006, when Dr Soghoian, then a graduate student at Indiana University, became irritated by an obvious flaw in airport procedures used by TSA screeners. Although screeners checked the name on each passenger's boarding pass against a government-issued identity document, they had no way of verifying that the boarding pass itself was valid. Fake boarding passes could easily be created for any flight using a computer and image-manipulation software, as had already been pointed out by Bruce Schneier, another security guru, in 2003. Charles Schumer, a senator, even issued a press release in February 2005 explaining how easily security could be bypassed in this way.
登机牌事件发生在1996年,那时Soghoian博士还在印第安纳大学读研究生。美国运输安全管理局审查员一个显而易见的安全漏洞惹恼了他:虽然审查员可以将每位乘客登机牌上的名字与政府发行的身份证件核对,但他们无从确认登机牌本身是否真实有效。用电脑加上图像处理软件就可以轻松制成任何航班的虚假登机牌,这点另一位安全大师Bruce Schneier在2003年就已经指出。参议院Charles Schumer甚至在2005年2月召开了一场新闻发布会来讲解安全防御是如何被这种方法轻易绕过的。
Yet it took Dr Soghoian to light the right kind of firecracker under this known problem. In October 2006 he threw together a web page that could generate fake boarding passes for Northwest Airlines that appeared valid to TSA screeners. The page received enormous press attention, even though he never printed out or used a false pass himself. Ed Markey, a congressman, called for Dr Soghoian's arrest. The FBI had his website shut down and seized his computers. The TSA opened an inquiry. But when the simplicity of the "hack" became apparent, along with Dr Soghoian's academic status, Mr Markey apologised and suggested that rather than investigating Dr Soghoian, the TSA should hire him instead. Dr Soghoian's computers were returned a few weeks later and the TSA investigation was closed. This year the TSA finally began testing equipment to validate boarding passes at airports.
然而,是Soghoian博士找准了突破点突出了这个已知的问题。2006年10月他随手做了个可以伪造西北航空登机牌的网页,这样做出的虚假登机牌在美国运输安全管理局的审查员那里可以以假乱真。尽管Soghoian博士本人从未打印或使用过虚假登机牌,这个网页还是受到了广泛的媒体关注。国会议员Ed Markey呼吁逮捕他;联邦调查局关闭了他的网站并没收了他的电脑;美国运输安全管理局展开了调查。然而当这一黑客行为的简易性变得昭然若揭,又考虑到Soghoian博士的学术地位,Markey道了歉,并建议美国运输安全管理局与其调查Soghoian不如聘用他;几个星期后,Soghoian博士的电脑都被归还了;美国运输安全管理局的调查也终止了。今年,美国运输安全管理局终于开始测试在机场鉴别登机牌的设备了。
Dr Soghoian has since perfected this modus operandi and used it to expose problems with internet encryption, online privacy and electronic surveillance. In each case he identifies a problem, creates a technology demonstration to highlight it and sometimes files Freedom of Information Act requests or complaints to government agencies. He then presents the results neatly packaged for the news media. The organisations targeted by Dr Soghoian usually start off by accusing him of being mistaken or naive, before admitting that he is right and modifying their policies, or issuing a statement saying that a fix was already in the works.
自此以后,Soghoian博士开始改进这个套路并利用它来披露网络加密,在线隐私,电子监视的各种问题。每次他都先定位一个问题,用技术证明来凸显这个问题,有时也会向政府机构提交《信息自由法案》相关的要求或投诉。此后他便将结果巧妙地整合起来交予新闻媒体。被Soghoian博士瞄准的机构开始往往总要指责他,说他搞错了或是太天真,而后就得承认他是对的并且修改自身的政策,或是发布一个声明说改进本身就已经在进行中了。
Dr Soghoian has, among other things, revealed the extent to which Sprint, an American telecoms operator, was disclosing its customers' satellite-positioning data to law-enforcement agencies; shamed Google, an internet giant, into upgrading its encryption; exposed a woefully misguided attempt to attack Google by a public-relations firm hired by Facebook, a rival internet giant; embarrassed Dropbox, a provider of online file-storage, over its marketing claims and technical practices; and pushed for the adoption of a "Do Not Track" scheme to allow internet users to opt out of targeted advertising. "Every privacy scandal essentially has to take the form of a firestorm," says Dr Soghoian. "I try to focus on things that are really important that haven't gotten enough attention." He is now campaigning against the widespread trawling of internet traffic by law-enforcement agencies, calling instead for a more targeted focus on specific cases or leads.
Soghoian博士建树颇多,其中包括披露美国电信运营商Sprint向执法机构透露其用户的卫星定位数据的程度;让互联网巨头谷歌颜面扫地,不得不升级它的加密系统;揭发了另一互联网巨头Facebook雇佣公关公司试图对谷歌进行极具误导性的攻击;令在线文件存储提供商Dropbox因其市场声明与技巧性操作陷入难堪;促使"不攻击"计划得到采纳,这个计划使得互联网用户得以选择拒收定位广告。"基本上每个隐私丑闻都得"爆"出来," Soghoian博士说道,"我努力把注意力主要集中在确实重要而关注度又不够的事情上。"他目前正活动反对执法机构网罗搜查网络通信,他呼吁用针对具体案件或线索的,目标性更为明显的集中力量来取而代之。
The FBI made me do it
联邦调查局让我干的Having grown up surrounded by computers (his father used to be a software engineer), Dr Soghoian says he slid into computer science without even considering other disciplines. He became interested in computer security in particular during his undergraduate studies, and was then drawn to the specialised field of privacy. But it was only when the FBI raided his home in 2006 and his PhD adviser suggested that he take a law class that Dr Soghoian decided to concentrate on the intersection between computing and the law. He wrote his thesis on governmental use of third parties to monitor electronic communications and was awarded his doctorate in July 2012.
在电脑堆中长大的(他的爸爸曾是为软件工程师)Soghoian博士说他甚至都没有考虑其他学科就不知不觉进入了计算机科学。他对计算机安全产生特殊的兴趣是在他本科学习的时候,之后就被隐私这一专攻领域吸引了。直到2006年联邦调查局突袭了他的家,他的博士导师又建议他学习下法律,Soghoian博士才决定把注意力集中在计算机与法律的交叉部分。他撰写论文讨论为监控电信政府对第三方的利用,并于2012年7月被授予博士学位。
But it would be wrong to characterise Dr Soghoian simply as an academic or an activist, because he has an unusual gift for working outside conventional institutional strictures. While completing his PhD, he was also attached to America's Federal Trade Commission (FTC) as a technical adviser. This came about as a result of Dr Soghoian's support for the "Do Not Track" standard, and his efforts to make it easier for people to prevent their use of the internet being tracked by advertisers. Turning such tracking off can be quite tricky, and must be done for multiple groups, or networks, of advertisers.
但若简单地将Soghoian博士划为学者或行动主义者是不对的,因为他有异乎常人的在常规束缚之外行动的禀赋。他在修读博士的时候,也曾是美国联邦贸易委员会的技术顾问。这是由于Soghoian博士支持"不攻击"计划标准,使得人们在网上能免于广告商的跟踪。要关闭这种跟踪很棘手,而且一关就涉及到多个广告商团体或组织。
This prompted Dr Soghoian to develop two add-ons for the Firefox web browser that demonstrated simple ways to turn off tracking automatically. The first manipulated "cookies", the tiny snippets of information stored by web browsers, to disable tracking. The second, developed with the help of Sid Stamm, a programmer, sends a special message with every page request asking that the user not be tracked. Dr Soghoian got the idea for this approach from Dan Kaminsky, a security researcher. But it will work only if websites are required to detect and act on such messages. At first this suggestion was ridiculed. In 2009, however, Dr Soghoian was contracted by the FTC to provide lawyer-to-geek translation for its staff. In this role he was able to garner support for his "Do Not Track" scheme within the FTC, and technology firms including Microsoft and Twitter have subsequently backed it. The advertising industry dislikes it, but seems resigned to accepting it in some form.
这促使Soghoian博士为火狐浏览器开发了两个插件,这两个插件能显示自动关闭跟踪的简单方法。第一个插件操纵"cookies"(浏览器存储的信息小片段)来使得跟踪失效。第二个插件向每个请求页面都发送特殊消息要求用户不被跟踪,这一插件是在程序员Sid Stamm的帮助下开发的。这个方法的创意是Soghoian博士从安全研究员Dan Kaminsky那获得的。但这个方法只有在要求网站侦查且回应这类信息才有效。起初这个建议被当成了笑话,然而,在2009年,Soghoian博士被美国联邦贸易委员会聘用,帮助其职员进行法律和技术间的沟通。扮演这一角色的他得以在联邦贸易委员会内部争取对其"不攻击"计划的支持,而后包括微软和推特在内的技术公司都支持了这个计划。广告行业反感这个计划,但似乎也在某种形式上妥协接受了它。
A few months after joining the FTC Dr Soghoian recorded a Sprint executive speaking at a surveillance trade show attended by telecoms firms, law-enforcement agencies and equipment-makers. The executive explained that Sprint had built an automatic system that had provided 8m lookups of customers' locations in the preceding year in response to requests backed by court orders. (Sprint said later that a single court order could generate several thousand lookups.) Dr Soghoian briefed the press and posted the audio online. He insisted that he was doing so in his role as a graduate student, rather than an FTC contractor. The scale of tracking caused a furore that persists three years later about the ease and scale of mobile-phone surveillance. When Dr Soghoian's first year at the FTC was up, the agency did not renew his contract. He blames the fuss caused by the Sprint recording. (The FTC will not comment.)
在加盟美国联邦贸易委员会几个月后,Soghoian博士录下了一位Sprint的主管在一场电信公司,执法机关,设备制造商都有出席的监管贸易展上的讲话。这位主管讲解说Sprint已建立了自动系统,该系统对有法庭指令支持的请求做出反应,在前一年提供了8百万次用户所在地查找(后来Sprint说一份法庭指令可能产生几千次查找)。Soghoian博士向媒体做了概述,并且把音频发到了线上。他坚持说他是以一个研究生的身份这么做,而不是以一个联邦贸易委员会雇员的身份。跟踪面之大引发了轰动与愤怒,三年后,对监听移动电话监管的易行性与涉及面的愤怒仍未褪去。美国联邦贸易委员会在Soghoian博士工作一年期满后,并没有与之续签。Soghoian博士将此归咎于这场Sprint录音事件(美国联邦贸易委员会对此未作评论)。
Dr Soghoian is one of a group of researchers, some of whom are affiliated with academic institutions and many of whom work together, who have risen to prominence by showing how tedious technical flaws can affect ordinary people. Ashkan Soltani, who like Dr Soghoian has worked as an adviser to the FTC, has shown how some companies have devised "evercookies"-cookies that are very difficult to eradicate. Along with Jonathan Mayer of Stanford Law School, he showed how Google was bypassing tracking preferences in Apple's web browser, Safari, which resulted in Google having to pay a $22.5m fine. Mr Kaminsky spotted a huge flaw in the internet's addressing system in 2008, and then worked closely with large technology firms to fix it. And Dr Stamm is now a privacy advocate at the Mozilla Foundation, which oversees the development of the Firefox web browser.
Soghoian博士代表了一类研究者,这群研究者中有的与学术机构关系紧密,不少还相互合作。他们展示了繁冗的技术缺陷可以如何影响普通人的生活,并因此显山露水。与Soghoian博士一样在美国联邦贸易委员会当过顾问的Ashkan Soltani曾揭露一些公司是如何创造了"永久cookie",即极难被清除的cookie。他还同斯坦福大学法学院的Jonathan Mayer合作,展示了谷歌是如何绕过苹果浏览器Safari的跟踪优先选择项的,这致使谷歌不得不上缴2250万美金的罚款Kaminsky先生在2008年发现了互联网地址系统的一大漏洞,并在之后与大型技术公司紧密合作解决这一问题。Stamm博士目前则是美国莫兹拉基金会的隐私拥护者,该基金会监管火狐浏览器的开发。
First among equals
佼佼者These researchers insist they are acting solely in the interest of protecting individual privacy. They are certainly not in it for the money. Dr Soghoian has spent three years living the life of an ascetic in Washington, DC, where he rides a bicycle and resides in the basement of a house he shares with four other people. "There are so many events with free food and drink that you never need to buy anything to eat," he says. After his funding from Indiana University ran out in 2008, Dr Soghoian received several grants and fellowships. He gleefully points out the varied political leanings of his patrons. He has received some funding from the libertarian-leaning Institute for Humane Studies (IHS), backed by the arch-conservative Charles Koch. But as he moved to investigate business misdeeds rather than those of government, the IHS money was replaced by a fellowship from the Open Society Foundations, a group run by Mr Koch's nemesis on the left, George Soros. That funding ended in July.
这些研究者都坚持自己的行动都只是为了保护个人隐私。他们自然并不是为钱才做这些事的。Soghoian博士三年都住在华盛顿特区过着苦行僧般的生活,他在那骑自行车出行,与其他四个人共住一间房子的地下室。"有好多活动都体统免费食物和饮料,从来不用你自己卖什么吃的。"他这样说。2008年当他在印第安纳大学的经费用完了后,Soghoian博士获得了一些拨款和奖学金。他愉快地指出他的赞助人政治倾向是多种多样的。他从有自由倾向的人文研究所获得了一些经费,该研究所是由主要保守派的Charles Koch支持的。但当他从调查政府错误转向调查企业过失时,来自Koch的左翼死敌George Soros管理的开放社会基金会的奖学金就代替了人文研究所的经费,这笔款项在七月到期。
Can Dr Soghoian's reputation as a knight in digital armour be squared with his obvious flair for self-promotion? Yes, says Jules Polonetsky, director of the Future of Privacy Forum, a think-tank based in Washington, DC, who by his own admission does not always see eye-to-eye with him. "People would be surprised by the number of times that this otherwise very public media bomb-thrower has quietly worked to get a company to simply solve a problem when it could have been a front-page story," says Mr Polonetsky. Dr Soghoian's agenda is "not about money, not about fame or anything like that," says Lee Tien of the Electronic Frontier Foundation, a lobby group with which Dr Soghoian sometimes collaborates. He just uses the glare of the media to get results.
考虑到他显露无疑的自我推销天赋,Soghoian博士"数码盔甲里的骑士"的美誉是否还能站的住脚? Jules Polonetsky认为能。Jules是华盛顿未来隐私论坛智囊团的主管,他也承认他并不总是赞成Soghoian博士的做法。"他本能成为大红大紫的媒体掷弹手的,有些公司的问题完全可以登上头版头条的,但他都采取了低调处理,单纯为了让这个公司把问题解决掉,要是人们知道他这么做了多少次他们会大为惊讶的。" Polonetsky先生这样说道。Soghoian博士的信条是"不为钱,不为名,不为任何虚浮之事"电子前沿基金会的Lee Tien这样说道,该基金会是个有时会与Soghoian博士合作的游说团体。他只是利用媒体监督来达到目的。
"The economics of modern surveillance are not beneficial to the consumer."
现代监管的经济方式对消费者并不有利。Though known for his strong views on privacy and surveillance, Dr Soghoian is no absolutist. In April he published a paper in the Berkeley Technology Law Journal on how best to grant law-enforcement agencies access to individuals' location data, with proper checks and balances. It was co-written with Stephanie Pell, who was on the Department of Justice team that prosecuted people accused of being linked to al-Qaeda. Writing the paper, says Dr Soghoian, involved finding a balance between Ms Pell's knowledge of the utility of location-tracking in law enforcement and his own concerns about unwarranted privacy intrusions. "The marginal cost of spying on one more person is essentially zero now," he says. "The economics of modern surveillance are not beneficial to the consumer."
尽管Soghoian博士因他对隐私与监管的强烈态度而出名,他并不是一个绝对论者。四月份他在《伯克利技术法律周刊》上发表了一篇论文论述如何在政府部门间的相互制衡下让执法部门最优地获取个人位置信息。这篇论文是与Stephanie Pell合著的,她就职于司法部,负责起诉被指与基地组织有联系的人。Soghoian博士说撰写这篇论文意味着在Pell女士对执法机关对定位跟踪使用的了解与他对未经授权的隐私侵权的担忧之间寻求一个平衡点。"如今多暗线监视一个人的边际成本基本为零," Soghoian博士这样说道,"现代监管的经济方式对消费者并不有利。"
As a respite from his campaign to defend personal privacy, Dr Soghoian likes to go to India. But he may have to find somewhere else to holiday. "India is rapidly becoming a surveillance state," he says. Such trips may be less frequent in any case, because Dr Soghoian now has a new job at the American Civil Liberties Union, mediating between geeks and lawyers, as he did at the FTC. His new employers must be well aware that they have captured lightning in a bottle-and should not be surprised when it escapes.
Soghoian博士喜欢以去印度,算是维护个人隐私活动的调剂。但他可能得换个新目的地度假了。"印度正快速成为监管国家,"他这样说道。不过这类旅行本身可能就不会太多了,因为Soghoian博士现在在美国公民自由联盟有了一份新工作,与在联邦贸易委员会时一样,他斡旋于律师与技术宅之间。他的新雇主相信想必很清楚他们这样做如同将一道闪电藏入瓶中,要是这道闪电跑掉了也不会大惊小怪。
