Placeholder Image

字幕列表 影片播放

  • I don't have the rights to use any actual images of Pokémon in this video.

    我沒有權利在這影片中使用 任何神奇寶貝的圖片

  • But just me talking to the camera for a few minutes isn't particularly interesting,

    但只有我對著攝影機講幾分鐘的話 的影片並不有趣

  • so I asked my illustrator friend Simon to create some plausible,

    所以我請我的繪師朋友 Simon 幫我畫了幾個合適

  • but utterly fake, Pokémon for me to catch.

    但不存在的神奇寶貝讓我抓

  • Yeah, that'll do.

    嘿,就醬

  • This week, there was a bit of a privacy scare about Pokémon Go.

    這週,出現了一些有關 Pokémon Go 的隱私疑慮

  • Someone said that the company behind it could read all your email;

    有人說製作公司可以讀取你所有的 Email

  • someone else said no, they couldn't,

    另一人說不,他們沒辦法

  • and that was after doing a lot of research into how the app worked;

    在經過許多對這 App 的研究之後

  • and then the consensus became that,

    之後大家的共識是

  • while it was technically possible,

    雖然理論上可以

  • it would require a lot of hassle on their part and it was the result of a mistake,

    但他們會需要做很多麻煩的事 而這個整個事件是他們的疏失

  • not some devious attempt to steal your data.

    並非有心想辦法取得你的資料

  • The problem was permissions.

    問題出在權限

  • When you see one of those buttons that says sign in with Google,

    當你看到「用 Google 登入」的按鈕

  • or sign in with Facebook, or -- excuse me --

    或「用 Facebook 登入」或 請等一下

  • Mm. Or sign in with Twitter, you are using something called OAuth.

    嗯,或「用 Twitter 登入」 你在用一種叫 OAuth 的機制

  • It works like this:

    是這樣的:

  • you tell the app “I'd like to sign in with Google”.

    你跟 App 說:「我想用 Google 登入」

  • The app then sends you to Google.

    App 將你轉到 Google

  • Google checks who you are with your username and password,

    Google 用帳號及密碼確認你的身分

  • or by doing some magic with your Android phone, and if they're happy,

    或用你的 Android 手機做一些神奇的事 如果登入成功

  • they send you back to the app with a new thing called a token.

    它會將你轉回 App 並附上一個叫 Token 的東西

  • The app takes the token, and until you say otherwise,

    那個 App 取得 Token 除非你取消

  • it can use that token as a way to access your account

    那個 App 就可以用那個 Token 讀寫你的帳戶

  • without ever knowing your password and without you needing to be there.

    在它永遠不必知道你的密碼 也不必你在場

  • It is, of course, a little bit more complicated than that,

    當然,實際上比剛才說的複雜

  • as anyone who's ever tried to write code for it knows,

    如果有寫相關程式都知道

  • but that's a reasonable summary of what's going on.

    但,這就是大概的概念

  • Here's the clever part: that token, yes,

    重點在這:那個 Token,是

  • it could have access to your full account,

    的確讓它有權讀取你 整個帳戶

  • but it can also be set up so it only allows access

    但也可以設定 只允許讀取一部分

  • to a very limited and specific set of permissions.

    有限制 且 只有部分權限

  • Maybe it can only read your calendar appointments.

    也許它只能讀你的行事曆

  • Or maybe it can only add comments to YouTube videos that you watch.

    或它只能對 你看過的 Youtube 影片 新增評論

  • For Pokémon Go, that token was meant to only grant access to see your email address,

    Pokémon Go 原本應該只能看到 你的 Email 地址

  • not to read anything, just to prove who you were.

    不能讀任何信件,只用來確認身分

  • The problem was, it didn't.

    問題在於 它不只取得一項權限

  • Pokémon Go is made by a company called Niantic (Nyan-tic?)

    Pokémon Go 是由一間稱作 Niantic 的公司

  • They were originally a spin-off of Google,

    他們原本是 Google 的內部部門

  • and it looks like they've got some contacts on the inside.

    而他們似乎也有一些內部關係

  • They weren't using the permissions system that everyone else had to use:

    他們沒有使用 其他人在用的授權系統

  • they were using an old one.

    他們用的是舊版

  • Through some fancy, manual trickery,

    透過一些複雜取巧的方法

  • it was possible to convert the token they'd been given

    可以將他們取得的 Token 轉為

  • into an "uber-token" that would give an attacker full access

    一個「超級 Token」 可能賦予黑客所有權限

  • to everything in your Google account,

    可以對你的 Google 帳戶 進行讀寫

  • including your email.

    包括你的 Email 信箱

  • They weren't doing this, but they could have. And for that reason,

    他們可以這麼做,但他們沒有

  • when you checked what permissions Pokémon Go had,

    所以當你檢查 Pokémon Go 所擁有的權限

  • Google correctly reported that it had full access to your account.

    Google 正確的顯示他擁有所有權限

  • I want to credit Ari Rubinstien at this point:

    我想在這感謝 Ari Rubinstein

  • he was the developer who did all the digging

    這些訊息都是開發者 Ari Rubinstein 所發現

  • and put a really good post together about what's going on.

    並整理成一篇解釋這事件的文章

  • If you want the in-depth, technical details,

    如果你想深入並閱讀技術資料

  • I've put a link in the description.

    我有在影片說明當中放置鏈結

  • The latest update to Pokémon Go,

    在 Pokémon Go 最新更新中

  • which has none of these weird things,

    沒有以上這些莫名的問題

  • fixes the problem, of course, and all is well. Or is it?

    問題已解決 所以沒有問題了,是嗎?

  • Because there's a deeper problem here that can't be fixed by patching some code.

    這裡有個 無法用更新解決的 更深層問題

  • Don't get me wrong, the current OAuth solution with its tokens is much better than the old days.

    不要誤會,目前用 Token 的 OAuth 方案 比過去更好

  • I remember when you had to give your actual Twitter password to third-party apps,

    我還記得需要將 自己的 Twitter 密碼 給第三方程式

  • who would then send it in plain text over the internet.

    然後它們再用明碼的方式透過網路傳送

  • The current solution is better, but it's not perfect.

    目前的方法比較好,但不完美

  • And there are two big things wrong with it.

    它有兩個大問題

  • First of all, you have to trust the app.

    第一,你需要信任那個 App

  • You have to trust that thesign in with Googlebutton is actually doing what it claims

    你必須相信那「用 Google 登入」是真的

  • and when the box pops up asking for your Google password,

    當要求 你的 Google 密碼 的畫面出現時

  • it actually is a box from Google and not the app just faking it.

    它真的是來自 Google 的畫面 而不是 App 假裝的

  • That's less of a problem for big apps,

    對有名的 App 比較不用擔心

  • or if you're downloading from the well moderated Apple App Store,

    或你是從經過審查的 Apple App Store 下載 App

  • but because Pokémon Go was incredibly popular and not available everywhere in the world,

    但因為 Pokémon Go 非常受歡迎 而且不是全球都開放

  • lots of people on Android were sideloading it:

    很多使用 Android 的人透過 APK 安裝

  • downloading it from somewhere unofficial,

    且從非官方的地方下載

  • and copying it over manually to their phone.

    然後手動複製到手機上

  • There were plenty of alternate versions filled with malware

    許多非正式版本充滿惡意程式

  • that would happily have stolen your password, or, well,

    非常樂意地偷取你的密碼

  • anything else that was on your phone.

    或任何在你手機上的資料

  • Second, people's priorities for security often don't reflect reality.

    第二,人們對安全第一的想法 通常與事實不同

  • We all emphasise easy to understand scare stories over complicated, subtle, boring attacks.

    我們都不斷重複簡單易懂的嚇人故事 而非複雜、微妙和無聊的攻擊

  • That's the reason I'm doing a video about Pokémon Go, for crying out loud.

    那就是為什麼我在 影片中談 Pokémon Go,我的老天

  • A scare story about an innocent game,

    有關無害遊戲的一個嚇人故事

  • one that millions of people are playing and have an emotional attachment to?

    一個成千上萬的玩家在玩且成癮的遊戲

  • Oh, if that's actually being evil and reading your email? That'll get the clicks.

    實際上非常邪惡且會偷看你的信件? 很多人就會點進來

  • But that same game having live tracking on millions of people's locations and social networks,

    但那遊戲隨時追蹤著百萬人的 地點與社群網路

  • being run by a small company that is now an enormous target for private hackers, and blackmailers,

    由一間小公司所營運 而目前許多黑客、勒索者

  • and governments that would really like to know that information? That's boring.

    及政府希望取得它們的資料?那太無聊了

  • That's abstract. We know that,

    太虛幻了 我們懂

  • but it'll never happen to you, right?

    但那不會在你身上發生,對吧?

  • I'm a great believer in the old saying cock-up before conspiracy:

    我是一個相信古諺「搞砸,而非陰謀」的:

  • never attribute to malice what can be explained by incompetence. No,

    在用愚蠢足以解釋的情況下,不要用惡意推測別人

  • of course this wasn't a dastardly scheme to read all your email,

    這當然不是一個為了要讀你信件的騙局

  • it was just a couple of developers making a mistake while rushed.

    只不過是幾個開發者 在趕工時的疏失

  • Let's just hope there aren't any more headlines caused by any other mistakes

    讓我們期望不要再有因為疏失而上頭條

  • while you're catching yourwhatever the heck that is.

    當你在抓... 不知道什麼東西的時候

  • I'm going to be away for three weeks on an expedition to the Arctic.

    在這三週我要去北極圈探索

  • But rather than abandon my channel for a while, I thought:

    與其閒置我的頻道一陣子,我想

  • why not get some guests involved? So,

    為何不讓一些人參與? 所以

  • if you have a YouTube channel,

    如果你有 Youtube 頻道

  • and you've got an idea for an Amazing Places or a Things You Might Not Know video

    你有一個「令人驚豔的地方」或 「你們也許不知道的事」的影片想法

  • that you could make and get to me before 6th August,

    並且你能在 8 月 6 日前拍攝完

  • follow the link on screen or in the description.

    在螢幕上或影片說明中的鏈結 填寫送出

  • I am particularly looking for people, styles,

    我對與平常在這裡出現的

  • and videos a little different from what normally appears here.

    不同的人、風格及影片非常期待

  • So if you just heard that and thought

    如果你聽到後想:

  • "oh, I'd like to do that, but I'm not sure I'd fit”:

    「呃,我想試試但不確定做不做得到」

  • I definitely want you to get in touch.

    我非常希望你能聯繫

  • [Translating these subtitles? Add your name here!]

I don't have the rights to use any actual images of Pokémon in this video.

我沒有權利在這影片中使用 任何神奇寶貝的圖片

字幕與單字

單字即點即查 點擊單字可以查詢單字解釋