  • Alright so, here's the deal: there's this group of nerds called ICANN, the Internet Corporation for Assigned Names and Numbers.


  • And they have handed out seven keys to seven individuals spread out across the world, and with those keys, you can shut down, and reboot the Internet.


  • Now normally, this is where I would make a bunch of bad jokes, and call them stuff like the Fellowship of the Keys, or the Key-I Joes, or You, Key, and Dupree.


  • But we don't have time for that, because to understand these keys, you need to understand a bunch of complicated internet stuff that was very confusing for me to figure out, starting with DNS.


  • In case you don't know what DNS is, because I don't know, you had friends in college, I'll explain.


  • All the computers that make up the internet are identified via long numbers called IP addresses.


  • But when I want to go to, for example, Twitter, because I want to scroll through an endless mix of hot takes, anger, harassment, product placement.


  • And videos of Kanye West saying problematic things but then it turns out that he's actually a cake.


  • I don't want to have to type in which is the IP address of one of the servers that hosts Twitter.


  • I just want to type, and then be taken there so I can get to my seeing-photos-of-people-partying-during-Covid induced panic attack.


  • So my computer has to translate into the right IP address, and it does that first by asking a whole long line of things.


  • First, of course, it asks Clippy, but Clippy doesn't know.


  • So instead, it asks your Operating System, which maybe knows, but if it doesn't it asks something called a recursive name server, which also maybe knows.


  • But if it doesn't, it asks the world's 13 root servers, which send you to the appropriate top-level domain server.


  • In this case, the one that runs all the dotcoms, which sends you to the right authoritative name server, which eventually is like “oh yeah, twitter is 199.59.148.0.”


  • But you need someone to administer this whole system.


  • To make sure, first of all, that IP addresses aren't handed out willy-nilly, and more importantly, to keep everything secure.


  • So people can't come in and mess with it, and say “hey, check it out, this IP address for the Islamic State's government site is actually this IP address, which goes to a site called Totally Legitimate and Free, Just Give Me Your Bank Information.”


  • So the DNS is authenticated through a system called DNSSEC.


  • And I promise we're going to get to their mystical internet keys soon, but first, you need to understand how DNSSEC works.


  • The first important idea is asymmetric encryption, which involves a private key and a public key, which are long numbers that are linked mathematically.


  • The public key is a number everybody can know, but the private key is very secret, and only held by one entity.


  • And this is what's important: with the private key, you can make something called a digital signature over a document, that someone can, by looking at the corresponding public key go,


  • “Oh man, based on what this public key says, I know that that signature was definitely made by the person with the corresponding private key.”


  • And that's how DNS is authenticated.


  • The information is” is signed by Twitter using their private key, and then my computer uses Twitter's public key.


  • Looks at the signature, and says, “yep, this signature was definitely made using Twitter's private key, so the information must be legitimate.”


  • The problem is, we have to be sure that Twitter's public key, off of which I'm basing this analysis, is legit too.


  • So Twitter's public key is signed by a higher authority, the top-level domain server who runs all dotcoms, using their private key.


  • And then I use their public key to be like, “yup, this signature was made by the dotcom people.”


  • But to know that public key is legit, it's signed by an even higher authority, up and up and up, until it's signed off on by ICANN, that nonprofit I mentioned earlier, using a single private key.


  • Every single website's IP address in DNS is ultimately secured by ICANN's single public and private key, which is called the trust anchor.

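As an added example, not code from the video: a Python model of the chain of trust just described, from the address record signed with Twitter's key, up through the .com key, to ICANN's trust anchor, the one key the resolver is simply given. Textbook RSA with tiny deterministic keys stands in for the real DNSSEC algorithms and record formats, and the zone keys and the second address are constructed; the address 199.59.148.0 is the one quoted earlier.

```python
# Toy DNSSEC-style chain of trust (added example, not the real DNSSEC format):
# textbook RSA with ~40-bit deterministic keys, insecure, for illustration only.
import hashlib
import json

def _next_prime(n):
    # Smallest prime >= n by trial division (cheap for n around a few million).
    while not (n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))):
        n += 1
    return n

def make_key(seed):
    # Deterministic toy key pair so the example reproduces; real keys are random, 2048+ bits.
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": 65537}, {"n": n, "d": pow(65537, -1, phi)}

def _digest(obj, n):
    # Canonical SHA-256 of the signed object, reduced into the key's modulus.
    return int.from_bytes(hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest(), "big") % n

def sign(priv, obj):
    return pow(_digest(obj, priv["n"]), priv["d"], priv["n"])

def verify(pub, obj, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(obj, pub["n"])

# Constructed zones. ROOT_PUB plays ICANN's trust anchor, the one key a resolver is given.
ROOT_PUB, root_priv = make_key(1_000_000)
com_pub, com_priv = make_key(2_000_000)  # the .com top-level domain
tw_pub, tw_priv = make_key(3_000_000)    # twitter.com

def build_chain(address):
    # Each link is a statement plus the signature of the zone one level above it.
    return [
        {"name": "com.", "key": com_pub, "sig": sign(root_priv, com_pub)},
        {"name": "twitter.com.", "key": tw_pub, "sig": sign(com_priv, tw_pub)},
        {"name": "twitter.com.", "rr": address, "sig": sign(tw_priv, address)},
    ]

def validate(chain, anchor):
    # Walk down from the trust anchor: each key must be vouched for by the key above it,
    # and the final record by the zone's own key. One broken link rejects the whole answer.
    signer = anchor
    for link in chain:
        payload = link["key"] if "key" in link else link["rr"]
        if not verify(signer, payload, link["sig"]):
            return False
        signer = link.get("key", signer)
    return True
```

Swapping in an attacker's own key anywhere below the anchor, or editing the address after it was signed, makes `validate` return False, which is exactly why the whole system hangs off that one root key.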

  • In fact, I can even show you ICANN's public key. It's this.


  • And I shouldn't say this, but, their private key, the super top-top-top-secret number that secures the whole internet, is sevenfourtwo.


  • Okay look, I don't know their private key, I just wanted you to think I'm cool.


  • Now, the numbers that make up the private key that secures the whole DNS are stored on hard drives inside physical boxes.


  • Called Hardware Security Modules, or HSMs for short, or H's for shorter, or “huh's” for shortest.


  • And there are four of them, kept in pairs in ICANN stations 2,500 miles apart: one in Culpeper, Virginia and one in El Segundo, California.


  • Once you get past the armed guards and pin pads, and card scanners, and biometric security stops, and sword-fighting bears.


  • To get into those physical HSM boxes that hold that secret number, you need several smart cards.


  • And those smart cards are kept inside other boxes, which can only be opened with physical keys, which are, finally, held by seven people across the world.


  • Oh, I was kidding about the sword-fighting bears, by the way. ICANN actually uses nunchuck-wielding fish.


  • The key-holders aren't world leaders or anything, but just security experts designated by ICANN.


  • In fact, I can show you who they are: it's these people.


  • I know, not that exciting.


  • Should DNS ever be compromised, five of the seven key-holders would have to go to an ICANN facility and use their keys, in what's called a “key ceremony”, to get to the smart-cards.


  • Then use those smart-cards to physically open the box with ICANN's private key in it, and use that to shut DNS, and with it much of the functionality of the internet, down, and reset it.


This video was made possible by CuriosityStream.
