I don't have the rights to use any actual images of Pokémon in this video. But just me talking to the camera for a few minutes isn't particularly interesting, so I asked my illustrator friend Simon to create some plausible, but utterly fake, Pokémon for me to catch. Yeah, that'll do.


This week, there was a bit of a privacy scare about Pokémon Go. Someone said that the company behind it could read all your email; someone else said no, they couldn't, and that was after doing a lot of research into how the app worked; and then the consensus became that, while it was technically possible, it would require a lot of hassle on their part and it was the result of a mistake, not some devious attempt to steal your data. The problem was permissions.


When you see one of those buttons that says "sign in with Google", or "sign in with Facebook", or -- excuse me -- Mm. Or "sign in with Twitter", you are using something called OAuth. It works like this: you tell the app "I'd like to sign in with Google". The app then sends you to Google. Google checks who you are with your username and password, or by doing some magic with your Android phone, and if they're happy, they send you back to the app with a new thing called a token. The app takes the token, and until you say otherwise, it can use that token as a way to access your account without ever knowing your password and without you needing to be there. It is, of course, a little bit more complicated than that, as anyone who's ever tried to write code for it knows, but that's a reasonable summary of what's going on.


Here's the clever part: that token, yes, it could have access to your full account, but it can also be set up so it only allows access to a very limited and specific set of permissions. Maybe it can only read your calendar appointments. Or maybe it can only add comments to YouTube videos that you watch. For Pokémon Go, that token was meant to only grant access to see your email address, not to read anything, just to prove who you were.
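
The scoped-token idea described above, as an added example that is not Google's, Niantic's or the video's code: a toy provider mints a token bound to the scopes the user approved, and a toy API checks the scope on every call, so a token that only proves your address cannot read mail. The signing key, the endpoint-to-scope map and the scope names are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed model of the flow described above: the provider mints a token
# that records the scopes the user approved, and the API checks those scopes
# on every request. The user's password is never seen by the app.
PROVIDER_KEY = b"constructed-provider-signing-key"  # assumption: provider secret

# Assumed mapping from API endpoint to the scope it requires (made-up names).
ENDPOINT_SCOPES = {
    "GET /userinfo/email": "email",           # only the address, to prove identity
    "GET /mail/messages": "mail.read",        # reading the inbox
    "GET /calendar/events": "calendar.read",  # calendar appointments
}

def issue_token(client_id: str, granted_scopes: set) -> str:
    """Provider side: mint a token bound to exactly the scopes the user approved."""
    claims = {"client": client_id, "scopes": sorted(granted_scopes),
              "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(PROVIDER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def verify_token(token: str):
    """API side: return the claims, or None if the token is malformed or edited."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(PROVIDER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # integrity check before parsing
        return None
    return json.loads(body)

def handle_request(token: str, endpoint: str) -> tuple:
    """Authorise one API call: 401 for a bad token, 403 for a missing scope."""
    claims = verify_token(token)
    if claims is None:
        return 401, "invalid_token"
    needed = ENDPOINT_SCOPES[endpoint]
    if needed not in claims["scopes"]:
        return 403, f"insufficient_scope: needs {needed}"
    return 200, f"ok for {claims['client']}"
```

Editing the scope list inside an issued token breaks the MAC, so the API answers 401 rather than honouring the extra scope.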


The problem was, it didn't. Pokémon Go is made by a company called Niantic (Nyan-tic?). They were originally a spin-off of Google, and it looks like they've got some contacts on the inside. They weren't using the permissions system that everyone else had to use: they were using an old one. Through some fancy, manual trickery, it was possible to convert the token they'd been given into an "uber-token" that would give an attacker full access to everything in your Google account, including your email. They weren't doing this, but they could have. And for that reason, when you checked what permissions Pokémon Go had, Google correctly reported that it had full access to your account.

I want to credit Ari Rubinstein at this point: he was the developer who did all the digging and put a really good post together about what's going on. If you want the in-depth, technical details, I've put a link in the description.


The latest update to Pokémon Go, which has none of these weird things, fixes the problem, of course, and all is well. Or is it? Because there's a deeper problem here that can't be fixed by patching some code. Don't get me wrong, the current OAuth solution with its tokens is much better than the old days. I remember when you had to give your actual Twitter password to third-party apps, who would then send it in plain text over the internet. The current solution is better, but it's not perfect. And there are two big things wrong with it.


First of all, you have to trust the app. You have to trust that the "sign in with Google" button is actually doing what it claims, and when the box pops up asking for your Google password, it actually is a box from Google and not the app just faking it. That's less of a problem for big apps, or if you're downloading from the well-moderated Apple App Store, but because Pokémon Go was incredibly popular and not available everywhere in the world, lots of people on Android were sideloading it: downloading it from somewhere unofficial, and copying it over manually to their phone. There were plenty of alternate versions filled with malware that would happily have stolen your password, or, well, anything else that was on your phone.


Second, people's priorities for security often don't reflect reality. We all emphasise easy-to-understand scare stories over complicated, subtle, boring attacks. That's the reason I'm doing a video about Pokémon Go, for crying out loud. A scare story about an innocent game, one that millions of people are playing and have an emotional attachment to? Oh, if that's actually being evil and reading your email? That'll get the clicks. But that same game having live tracking on millions of people's locations and social networks, being run by a small company that is now an enormous target for private hackers, and blackmailers, and governments that would really like to know that information? That's boring. That's abstract. We know that, but it'll never happen to you, right?


I'm a great believer in the old saying "cock-up before conspiracy": never attribute to malice what can be explained by incompetence. No, of course this wasn't a dastardly scheme to read all your email, it was just a couple of developers making a mistake while rushed. Let's just hope there aren't any more headlines caused by any other mistakes while you're catching your... whatever the heck that is.

I'm going to be away for three weeks on an expedition to the Arctic. But rather than abandon my channel for a while, I thought: why not get some guests involved? So, if you have a YouTube channel, and you've got an idea for an Amazing Places or a Things You Might Not Know video that you could make and get to me before 6th August, follow the link on screen or in the description. I am particularly looking for people, styles, and videos a little different from what normally appears here. So if you just heard that and thought "oh, I'd like to do that, but I'm not sure I'd fit": I definitely want you to get in touch.




No, Pokémon Go Can't Read Your Email

Published by 林宜悉 on 1 April 2020