
Chinese translation:
Translator: Peifong Ren
Reviewer: Helen Chang

English: 
Transcriber: Shihwan Go
Reviewer: David DeRuwe
So today's talk is going
to be a little bit more conversational,
and I hope that it doesn't scare you.
That's actually not my intent.
So really what I want to do
is sort of educate you.
I want to kind of present things
that you can do,
ways that you protect yourself,
ways that you can protect your country,
your company, your community.
Interesting stuff.
The Roy Batty quote,
he's from Blade Runner,
[HACKING]
so for those of you
who get it, thumbs up.
[INTRO]
So I'd like to ask you what you 
really think you know.
Unfortunately, there's way too much
Hollywood education in hacking.
So I want to describe
how average people -
you, me, everyone -
gets hacked.
And then we're going to talk
about the real ways
that companies get hacked,

and we're going to talk
about how governments hack,
and if we have time, we'll talk
about how governments get hacked.
And I want to actually leave you
with something positive.
This is something that I feel
very, very strongly about,
and it is the epistemology of security.
And so for those Philosophy 101 people,
yes, it's going to be
as bad as you remember.
(Laughter)
We're going to go in reverse order, right?
So here's the reverse order.
[COUNTRIES]
What's the most common way
that governments hack their citizens?
And I want to be interactive,
and I want someone to shout out
what they think is the most common way
a government hacks their citizens.
(Audience) BioRICS.
That's good.
Not the right answer, but good.
(Laughter)
So that is such a can of worms,
I'm not even going to comment on it.
(Laughter)
Anybody else want to try?
We're not going to do this a lot.
We'll go a couple answers
and then I'm going to go - Yes?
Pen registers, phone tapping -
the audience member said phone tapping.
That's not a hack, that's the law.
Yes?
(Audience) Credit cards.

Governments can't do that because
there's ambitious federal prosecutors.
Ambitious federal prosecutors
save us more than they hurt us.
(Audience) Tell us why?
Governments can't do "things"
with your credit cards.
I mean they couldn't hack - What's that?
(Audience) DMV.
Oh, the DMV is torture.
That's not hacking.
(Laughter)
But good! Good.
So I'm going to tell you,
I'm going to tell you.
It's surveillance.
It's surveillance,
but it's not the surveillance
you're all thinking about.
It's not the surveillance of the NSA.
It's not a three-letter agency.
It's petty surveillance,
and it burns my ass.
So I'm going to tell you that I am a guy
who's pretty powerful, in my own way.
Throughout history, individuals like me
have never held this much power.
I run a group of the best
hackers in the world.
I'm not bragging,
and I'm not selling to you.
They're the best in the world.
I heard this story three years ago
about a school district in Pennsylvania,

installing software on the laptops
of middle school children.
And the story developed
that there was someone using the software
at the school district
in an unauthorized way.
And that unauthorized way 
manifested itself
by photographs being taken of children
in various stages of undress
in the privacy of their own homes.
I'm a powerful guy. That burns my ass.
I get two engineers
to tear that software apart,
and then we call 
"Wired" magazine for a demo.
That's a powerful thing.
What we found was that software
was hackable by anybody
on the capital-I Internet
that could figure out the password
to generate the packets
to authenticate to the application.
The password was -
and I swear to God this is true -
a line from a nihilistic German poem.
You cannot make this shit, this stuff up.
(Laughter)

So this is an example
of petty surveillance,
the kind of erosion of your property
that happens and starts
in places like middle school?
That gives somebody the ability
to surveil you in your home?
That's not good.
Those little petty surveillances
happen infinitely more times
than the NSA is going
to intercept your phone call.
The only time the NSA is really going
to get your phone call is it's from the US
to outside the US, and trust me,
they have a lot of people to watch.
I don't think they're going
to be interested in,
generally speaking, you and I.
So that's an example
of how a government hacks you,
and the power of distributed hackers
to kind of make a point of hacking back.
You're going to hear a lot more of that
in the talk that's coming up next.
So next,
we're going to spend
some time on this one.
[COMPANIES]
So how does a typical company get hacked?

There's way too much Hollywood.
We're going to dispense with "Swordfish."
We're going to dispense with "Sneakers."
We're going to dispense with any animated 
GUI on a screen you ever see,
like the things sweep in and stuff.
That does not happen.
I am going to tell you how
my company hacks companies,
and what we've found of companies
that have gotten hacked.
So
moderately frightening hacks -
October of 2001,
the World Trade Center 
is still a smoking ruin,
we are requested by a government agency
in the executive branch
to evaluate energy companies
for vulnerabilities
because they had
what they called "shatter."
They wanted to see if someone could
break into an energy company
in a major American city
and what kind of damage they could do.
Ah -
The way this company got hacked
was they had a cafeteria
with network drops in it.
We actually - this is fantastic -

so during the meeting where we described
what we were going to do to this company,
the head of security engineering actually,
and he did it in a high, weedy voice,
he said, "It would be inconceivable."
I swear to God, he used that phrase.
(Laughter)
It would be inconceivable
that we could break into their networks.
And we most literally walked
out of the room,
walked downstairs,
walked through the little turnstiles,
right into their cafeteria,
jacked into their flat network -
I can explain that -
were given an IP address,
and we ran through them
badly, badly
(Laughter)
At the end of the day, what we did
was we turned on a ventilation fan.
We simply turned on
a ventilation fan in a building,
but we could have
closed a switch, opened a valve.
We could have done anything.
And it wasn't inconceivable.
It was trivially easy.
Um ...
That's an example
of relatively sophisticated hacking

because once we did get on the network,
we had to go through things
that were vulnerable,
and we did have to actually
write some software,
and we did have to actually intercept
some packets and stuff,
sophisticated stuff but kind of fun.
You know you walk into the cafeteria,
you have your coffee, you get a danish,
you could own a power plant -
this is the stuff that really is good.
OK, so that's kind of mythical;
that's kind of mystical.
These are really difficult hacks.
How about easy hacks?
How does the typical company get hacked?
So the typical company
gets hacked this way.
They go onto Facebook,
and they see the CEO of the company,
and they look at his kids,
or they look at his wife,
and they get the name,
and then they look for email addresses
attached to that name.
Then they might pop your kid's computer
because the odds are that your kid's
computer is going to be way less secure
than the computer that the company
IT department gave to the CEO.

That's not always the case,
by the way, right?
So then they pop your kid's computer,
and they make a very
plausible sounding email.
Very plausible.
I once got a permission slip.
I once got a permission slip, personally,
but that was not a gym
that my kid went to.
But somehow the People's Liberation
Army thought it was.
But figure this now.
What if you get, say,
your kids sending you,
I don't know - same thing, concept -
your wife sending you a shopping list?
OK, all of these things
I've actually seen happen.
I would say what you need to know
is that better than 80% of the time -
Let me back up.
If someone pops your kid's computer,
the email appears to come
from your kid's computer,
the headers are correct,
the mail agent is correct,
your spam filter's not going
to run on that one.
It's from your kids!

Even if you whitelist! Pretty bad stuff.
So, let me continue -
when we hack companies, we find about 80,
80-plus percent of the time, that works.
You open up a PDF document, if you're not
a hundred percent patched, right?
If you're back a couple of Revs, one Rev,
you open up that PDF file,
(Finger snapping)
your box is owned, like that!
"Owned" is really cool hacker parlance
for, you know, broken into.
(Laughter)
So yeah, that happens all the time.
Every single professional attack
that we've seen,
all the big ones that you hear on TV -
APT, Night Dragon, all these fancy names -
all that is, is cyber espionage.
Every single one that I've ever seen,
the final investigative report,
all began with a PDF.
There's a lawyer in Los Angeles
who did not get beat.
He said, "I've worked
with my partner Bob for 15 years.
That message wasn't how he sounded."
That's cool. Tone and voice,
things that humans are great at.

You're great at listening to tone.
You're great at intonation,
voicing, and the written words.
Pay attention to that.
If something sounds off from Bob,
don't open it, don't open it.
How do you survive in this age
where one Rev back on a patch,
one client-side vulnerability,
screws the pooch
for your entire enterprise?
Turn on auto-update!
I use auto-update.
If your IT department says
we can't turn on auto-update,
get a new IT department,
(Laughter)
or something.
That's how companies get hacked:
social engineering and spear phishing.
What's the most common way,
and this is a shout out,
[PEOPLE]
what's the most common way
people get hacked? Shout!
Anyone?
(Audience) Phishing.
Phishing? Yep, true.
(Audience) Sharing passwords.
Bingo! That's a good one.
Sharing passwords, true!

Let's take a sidebar here.
How many people, and be honest,
you can pan this if you want,
how many people use
the same password for multiple services?
Don't do that!
(Laughter)
Jesus Christ!
(Laughter)
Don't do that! Did you get that?
You all need to stop that!
Here's why.
You've just extended your trust boundary
from you to Living Social.
Living Social got popped, you're popped.
You've just extended your trust boundary
from you to LinkedIn,
LinkedIn got popped, you've got popped.
See what I'm saying?
Don't express that boundary
to someone you can't trust.
Your password changes could be anything
you want as long as they're different.
Make them mnemonic.
If you need to use phoneticized
characters and Chinese, do it.

If you need to use the international call
sign alphabet to spell things out, do it.
But do not, don't do that anymore.
You make my life meaningless
when you do that.
(Laughter)
Okay, the most common way that people
get hacked is by automated bots.
The average person gets hacked
by an automated bot.
They don't want you personally.
If someone wants you personally,
and they're capable,
you are screwed.
There are powerful people in this audience
who are very, very likely
to be the targets of intelligence
gathering operations -
you must be extra vigilant.
Average people, yes, you, average,
(Laughter)
turn on auto-updating.
You will not get owned by a bot.
And I'm going to take the last
five minutes of this talk,
and just to be clear,
I don't have to talk more
about the way common people get owned.
You get owned by bots.
Turn on auto-update, you're done!

We're done! We'll never
have to talk about it again.
But this is what I want to talk about.
[BONO PASTORE]
Bono Pastore is a Catholic term.
Epistemologically,
it means being a good shepherd
because you are actually responsible
for your little technology flock,
and you have to be a good shepherd.
Your tablets, your phones,
your PCs, your laptops, someday your car,
someday your house,
someday your fill-in-the-blank, right?
You need to be a good shepherd
because the internet
is a rare and precious gift.
And if you are in what's called a botnet,
in other words, your computer got owned,
and some computer program somewhere
in Romania is pushing, you know,
organ enlargement pills on your behalf,
you are officially part of the problem,
and you make it bad for all of us.

So that's what I mean by Bono Pastore.
Be a good shepherd to your devices,
and we get to have nice things.
Be a member of a botnet.
Granted, I get paid either way,
but like we really do want
to keep the internet.
And I'll say this.
It is a rare and precious gift
because it spreads knowledge
and understanding throughout the world.
We did that Joi -
I have 3/4 of a thumb, so it's really cool
with the "Joi Ito" thing -
Where were you on the internet?
I'm right here on the internet for me.
I think the only thing that's ever
solved problems in the past
has been knowledge and understanding
spread the widest possible.
The internet is the best thing
that humans have ever designed
to do that since writing.
So I think that everybody
has to be a good shepherd,
take care of their thing.
Let's just go over this one more time.
Don't click on the link.
No one in Nigeria actually knows you.
That's just a fact, right?
Keep your systems updated.

Microsoft has worked very, very hard
to ensure that auto-update,
and Apple's worked very hard to do this.
Mozilla could work harder though.
But turn on auto-update for your packages,
the things that you use.
And be a good shepherd.
Understand where your bandwidth is going.
Put a password on your wireless.
Don't be part of the problem;
be part of the solution,
and we'll all get to have nice things.
So thank you very, very much.
(Applause)

