
Brain scan: Knight in digital armour


IT TOOK just 20 minutes to build, but Chris Soghoian's hastily constructed website capable of generating fake airline boarding passes led to a rebuke from a congressman, a raid by the Federal Bureau of Investigation (FBI), an investigation by the Transport Security Administration (TSA), worldwide media coverage, and ultimate vindication. With a series of similar exploits that have exposed security flaws and privacy violations, he has demonstrated his ability to hack the media with just as much facility as he manipulates computers. At the age of 30 he has established himself as the most prominent member of a new generation of activist technology researchers who delight in causing a media stink in order to shame companies and governments into fixing problems with their systems.

The boarding-pass example occurred in 2006, when Dr Soghoian, then a graduate student at Indiana University, became irritated by an obvious flaw in airport procedures used by TSA screeners. Although screeners checked the name on each passenger's boarding pass against a government-issued identity document, they had no way of verifying that the boarding pass itself was valid. Fake boarding passes could easily be created for any flight using a computer and image-manipulation software, as had already been pointed out by Bruce Schneier, another security guru, in 2003. Charles Schumer, a senator, even issued a press release in February 2005 explaining how easily security could be bypassed in this way.

Yet it took Dr Soghoian to light the right kind of firecracker under this known problem. In October 2006 he threw together a web page that could generate fake boarding passes for Northwest Airlines that appeared valid to TSA screeners. The page received enormous press attention, even though he never printed out or used a false pass himself. Ed Markey, a congressman, called for Dr Soghoian's arrest. The FBI had his website shut down and seized his computers. The TSA opened an inquiry. But when the simplicity of the "hack" became apparent, along with Dr Soghoian's academic status, Mr Markey apologised and suggested that rather than investigating Dr Soghoian, the TSA should hire him instead. Dr Soghoian's computers were returned a few weeks later and the TSA investigation was closed. This year the TSA finally began testing equipment to validate boarding passes at airports.

Dr Soghoian has since perfected this modus operandi and used it to expose problems with internet encryption, online privacy and electronic surveillance. In each case he identifies a problem, creates a technology demonstration to highlight it and sometimes files Freedom of Information Act requests or complaints to government agencies. He then presents the results neatly packaged for the news media. The organisations targeted by Dr Soghoian usually start off by accusing him of being mistaken or naive, before admitting that he is right and modifying their policies, or issuing a statement saying that a fix was already in the works.

Dr Soghoian has, among other things, revealed the extent to which Sprint, an American telecoms operator, was disclosing its customers' satellite-positioning data to law-enforcement agencies; shamed Google, an internet giant, into upgrading its encryption; exposed a woefully misguided attempt to attack Google by a public-relations firm hired by Facebook, a rival internet giant; embarrassed Dropbox, a provider of online file-storage, over its marketing claims and technical practices; and pushed for the adoption of a "Do Not Track" scheme to allow internet users to opt out of targeted advertising. "Every privacy scandal essentially has to take the form of a firestorm," says Dr Soghoian. "I try to focus on things that are really important that haven't gotten enough attention." He is now campaigning against the widespread trawling of internet traffic by law-enforcement agencies, calling instead for a more targeted focus on specific cases or leads.

The FBI made me do it

Having grown up surrounded by computers (his father used to be a software engineer), Dr Soghoian says he slid into computer science without even considering other disciplines. He became interested in computer security in particular during his undergraduate studies, and was then drawn to the specialised field of privacy. But it was only when the FBI raided his home in 2006 and his PhD adviser suggested that he take a law class that Dr Soghoian decided to concentrate on the intersection between computing and the law. He wrote his thesis on governmental use of third parties to monitor electronic communications and was awarded his doctorate in July 2012.

But it would be wrong to characterise Dr Soghoian simply as an academic or an activist, because he has an unusual gift for working outside conventional institutional strictures. While completing his PhD, he was also attached to America's Federal Trade Commission (FTC) as a technical adviser. This came about as a result of Dr Soghoian's support for the "Do Not Track" standard, and his efforts to make it easier for people to prevent their use of the internet being tracked by advertisers. Turning such tracking off can be quite tricky, and must be done for multiple groups, or networks, of advertisers.

This prompted Dr Soghoian to develop two add-ons for the Firefox web browser that demonstrated simple ways to turn off tracking automatically. The first manipulated "cookies", the tiny snippets of information stored by web browsers, to disable tracking. The second, developed with the help of Sid Stamm, a programmer, sends a special message with every page request asking that the user not be tracked. Dr Soghoian got the idea for this approach from Dan Kaminsky, a security researcher. But it will work only if websites are required to detect and act on such messages. At first this suggestion was ridiculed. In 2009, however, Dr Soghoian was contracted by the FTC to provide lawyer-to-geek translation for its staff. In this role he was able to garner support for his "Do Not Track" scheme within the FTC, and technology firms including Microsoft and Twitter have subsequently backed it. The advertising industry dislikes it, but seems resigned to accepting it in some form.
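The mechanism of the second add-on, and the condition the article attaches to it (sites must detect the signal and act on it), as an added example that is not code from the article or from the Firefox add-ons it describes. It assumes the signal is the `DNT: 1` request header standardised later as the W3C Tracking Preference Expression, with `Tk: N` as the site's "not tracking" response; the function names and the sample cookie are this example's own.

```javascript
// Added example: models the "Do Not Track" exchange the article describes.
// Client side sends a DNT: 1 header with every request; a compliant site
// detects it and refrains from setting a tracking cookie.

// Client side: what the add-on does, conceptually. Returns a copy of the
// request headers with "DNT: 1" added when the user has opted out.
function addDoNotTrackHeader(headers, optedOut = true) {
  const out = { ...headers };
  if (optedOut) out["DNT"] = "1";
  return out;
}

// HTTP header names are case-insensitive, so a site must not miss "dnt: 1".
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Server side: a site that honours the preference. The returned object shows
// what a compliant handler would and would not do for this request.
function handleRequest(headers) {
  const trackingAllowed = getHeader(headers, "DNT") !== "1";
  const response = { status: 200, headers: {}, trackingAllowed };
  if (trackingAllowed) {
    // Constructed sample advertising-identifier cookie, set only when tracking is permitted.
    response.headers["Set-Cookie"] = "ad_id=constructed-sample-id; Path=/; Secure; HttpOnly";
  } else {
    // Tk: N is the W3C "not tracking" status signal; here it records the decision.
    response.headers["Tk"] = "N";
  }
  return response;
}

// Usage: the same page request with and without the add-on's header.
const plainRequest = { Host: "example.com", Accept: "text/html" };
console.log(handleRequest(plainRequest).headers);                         // sets ad_id cookie
console.log(handleRequest(addDoNotTrackHeader(plainRequest)).headers);    // Tk: N, no cookie
```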

A few months after joining the FTC Dr Soghoian recorded a Sprint executive speaking at a surveillance trade show attended by telecoms firms, law-enforcement agencies and equipment-makers. The executive explained that Sprint had built an automatic system that had provided 8m lookups of customers' locations in the preceding year in response to requests backed by court orders. (Sprint said later that a single court order could generate several thousand lookups.) Dr Soghoian briefed the press and posted the audio online. He insisted that he was doing so in his role as a graduate student, rather than an FTC contractor. The scale of tracking caused a furore that persists three years later about the ease and scale of mobile-phone surveillance. When Dr Soghoian's first year at the FTC was up, the agency did not renew his contract. He blames the fuss caused by the Sprint recording. (The FTC will not comment.)

Dr Soghoian is one of a group of researchers, some of whom are affiliated with academic institutions and many of whom work together, who have risen to prominence by showing how tedious technical flaws can affect ordinary people. Ashkan Soltani, who like Dr Soghoian has worked as an adviser to the FTC, has shown how some companies have devised "evercookies", cookies that are very difficult to eradicate. Along with Jonathan Mayer of Stanford Law School, he showed how Google was bypassing tracking preferences in Apple's web browser, Safari, which resulted in Google having to pay a $22.5m fine. Mr Kaminsky spotted a huge flaw in the internet's addressing system in 2008, and then worked closely with large technology firms to fix it. And Dr Stamm is now a privacy advocate at the Mozilla Foundation, which oversees the development of the Firefox web browser.

First among equals

These researchers insist they are acting solely in the interest of protecting individual privacy. They are certainly not in it for the money. Dr Soghoian has spent three years living the life of an ascetic in Washington, DC, where he rides a bicycle and resides in the basement of a house he shares with four other people. "There are so many events with free food and drink that you never need to buy anything to eat," he says. After his funding from Indiana University ran out in 2008, Dr Soghoian received several grants and fellowships. He gleefully points out the varied political leanings of his patrons. He has received some funding from the libertarian-leaning Institute for Humane Studies (IHS), backed by the arch-conservative Charles Koch. But as he moved to investigate business misdeeds rather than those of government, the IHS money was replaced by a fellowship from the Open Society Foundations, a group run by Mr Koch's nemesis on the left, George Soros. That funding ended in July.

Can Dr Soghoian's reputation as a knight in digital armour be squared with his obvious flair for self-promotion? Yes, says Jules Polonetsky, director of the Future of Privacy Forum, a think-tank based in Washington, DC, who by his own admission does not always see eye-to-eye with him. "People would be surprised by the number of times that this otherwise very public media bomb-thrower has quietly worked to get a company to simply solve a problem when it could have been a front-page story," says Mr Polonetsky. Dr Soghoian's agenda is "not about money, not about fame or anything like that," says Lee Tien of the Electronic Frontier Foundation, a lobby group with which Dr Soghoian sometimes collaborates. He just uses the glare of the media to get results.

"The economics of modern surveillance are not beneficial to the consumer."

Though known for his strong views on privacy and surveillance, Dr Soghoian is no absolutist. In April he published a paper in the Berkeley Technology Law Journal on how best to grant law-enforcement agencies access to individuals' location data, with proper checks and balances. It was co-written with Stephanie Pell, who was on the Department of Justice team that prosecuted people accused of being linked to al-Qaeda. Writing the paper, says Dr Soghoian, involved finding a balance between Ms Pell's knowledge of the utility of location-tracking in law enforcement and his own concerns about unwarranted privacy intrusions. "The marginal cost of spying on one more person is essentially zero now," he says. "The economics of modern surveillance are not beneficial to the consumer."

As a respite from his campaign to defend personal privacy, Dr Soghoian likes to go to India. But he may have to find somewhere else to holiday. "India is rapidly becoming a surveillance state," he says. Such trips may be less frequent in any case, because Dr Soghoian now has a new job at the American Civil Liberties Union, mediating between geeks and lawyers, as he did at the FTC. His new employers must be well aware that they have captured lightning in a bottle, and should not be surprised when it escapes.