下載App 希平方
攻其不背
App 開放下載中
下載App 希平方
攻其不背
App 開放下載中
IE版本不足
您的瀏覽器停止支援了😢使用最新 Edge 瀏覽器或點選連結下載 Google Chrome 瀏覽器 前往下載

免費註冊
! 這組帳號已經註冊過了
Email 帳號
密碼請填入 6 位數以上密碼
已經有帳號了?
忘記密碼
! 這組帳號已經註冊過了
您的 Email
請輸入您註冊時填寫的 Email,
我們將會寄送設定新密碼的連結給您。
寄信了!請到信箱打開密碼連結信
密碼信已寄至
沒有收到信嗎?
如果您尚未收到信,請前往垃圾郵件查看,謝謝!

恭喜您註冊成功!

查看會員功能

註冊未完成

《HOPE English 希平方》服務條款關於個人資料收集與使用之規定

隱私權政策
上次更新日期:2014-12-30

希平方 為一英文學習平台,我們每天固定上傳優質且豐富的影片內容,讓您不但能以有趣的方式學習英文,還能增加內涵,豐富知識。我們非常注重您的隱私,以下說明為當您使用我們平台時,我們如何收集、使用、揭露、轉移及儲存你的資料。請您花一些時間熟讀我們的隱私權做法,我們歡迎您的任何疑問或意見,提供我們將產品、服務、內容、廣告做得更好。

本政策涵蓋的內容包括:希平方學英文 如何處理蒐集或收到的個人資料。
本隱私權保護政策只適用於: 希平方學英文 平台,不適用於非 希平方學英文 平台所有或控制的公司,也不適用於非 希平方學英文 僱用或管理之人。

個人資料的收集與使用
當您註冊 希平方學英文 平台時,我們會詢問您姓名、電子郵件、出生日期、職位、行業及個人興趣等資料。在您註冊完 希平方學英文 帳號並登入我們的服務後,我們就能辨認您的身分,讓您使用更完整的服務,或參加相關宣傳、優惠及贈獎活動。希平方學英文 也可能從商業夥伴或其他公司處取得您的個人資料,並將這些資料與 希平方學英文 所擁有的您的個人資料相結合。

我們所收集的個人資料, 將用於通知您有關 希平方學英文 最新產品公告、軟體更新,以及即將發生的事件,也可用以協助改進我們的服務。

我們也可能使用個人資料為內部用途。例如:稽核、資料分析、研究等,以改進 希平方公司 產品、服務及客戶溝通。

瀏覽資料的收集與使用
希平方學英文 自動接收並記錄您電腦和瀏覽器上的資料,包括 IP 位址、希平方學英文 cookie 中的資料、軟體和硬體屬性以及您瀏覽的網頁紀錄。

隱私權政策修訂
我們會不定時修正與變更《隱私權政策》,不會在未經您明確同意的情況下,縮減本《隱私權政策》賦予您的權利。隱私權政策變更時一律會在本頁發佈;如果屬於重大變更,我們會提供更明顯的通知 (包括某些服務會以電子郵件通知隱私權政策的變更)。我們還會將本《隱私權政策》的舊版加以封存,方便您回顧。

服務條款
歡迎您加入看 ”希平方學英文”
上次更新日期:2013-09-09

歡迎您加入看 ”希平方學英文”
感謝您使用我們的產品和服務(以下簡稱「本服務」),本服務是由 希平方學英文 所提供。
本服務條款訂立的目的,是為了保護會員以及所有使用者(以下稱會員)的權益,並構成會員與本服務提供者之間的契約,在使用者完成註冊手續前,應詳細閱讀本服務條款之全部條文,一旦您按下「註冊」按鈕,即表示您已知悉、並完全同意本服務條款的所有約定。如您是法律上之無行為能力人或限制行為能力人(如未滿二十歲之未成年人),則您在加入會員前,請將本服務條款交由您的法定代理人(如父母、輔助人或監護人)閱讀,並得到其同意,您才可註冊及使用 希平方學英文 所提供之會員服務。當您開始使用 希平方學英文 所提供之會員服務時,則表示您的法定代理人(如父母、輔助人或監護人)已經閱讀、了解並同意本服務條款。 我們可能會修改本條款或適用於本服務之任何額外條款,以(例如)反映法律之變更或本服務之變動。您應定期查閱本條款內容。這些條款如有修訂,我們會在本網頁發佈通知。變更不會回溯適用,並將於公布變更起十四天或更長時間後方始生效。不過,針對本服務新功能的變更,或基於法律理由而為之變更,將立即生效。如果您不同意本服務之修訂條款,則請停止使用該本服務。

第三人網站的連結 本服務或協力廠商可能會提供連結至其他網站或網路資源的連結。您可能會因此連結至其他業者經營的網站,但不表示希平方學英文與該等業者有任何關係。其他業者經營的網站均由各該業者自行負責,不屬希平方學英文控制及負責範圍之內。

兒童及青少年之保護 兒童及青少年上網已經成為無可避免之趨勢,使用網際網路獲取知識更可以培養子女的成熟度與競爭能力。然而網路上的確存有不適宜兒童及青少年接受的訊息,例如色情與暴力的訊息,兒童及青少年有可能因此受到心靈與肉體上的傷害。因此,為確保兒童及青少年使用網路的安全,並避免隱私權受到侵犯,家長(或監護人)應先檢閱各該網站是否有保護個人資料的「隱私權政策」,再決定是否同意提出相關的個人資料;並應持續叮嚀兒童及青少年不可洩漏自己或家人的任何資料(包括姓名、地址、電話、電子郵件信箱、照片、信用卡號等)給任何人。

為了維護 希平方學英文 網站安全,我們需要您的協助:

您承諾絕不為任何非法目的或以任何非法方式使用本服務,並承諾遵守中華民國相關法規及一切使用網際網路之國際慣例。您若係中華民國以外之使用者,並同意遵守所屬國家或地域之法令。您同意並保證不得利用本服務從事侵害他人權益或違法之行為,包括但不限於:
A. 侵害他人名譽、隱私權、營業秘密、商標權、著作權、專利權、其他智慧財產權及其他權利;
B. 違反依法律或契約所應負之保密義務;
C. 冒用他人名義使用本服務;
D. 上載、張貼、傳輸或散佈任何含有電腦病毒或任何對電腦軟、硬體產生中斷、破壞或限制功能之程式碼之資料;
E. 干擾或中斷本服務或伺服器或連結本服務之網路,或不遵守連結至本服務之相關需求、程序、政策或規則等,包括但不限於:使用任何設備、軟體或刻意規避看 希平方學英文 - 看 YouTube 學英文 之排除自動搜尋之標頭 (robot exclusion headers);

服務中斷或暫停
本公司將以合理之方式及技術,維護會員服務之正常運作,但有時仍會有無法預期的因素導致服務中斷或故障等現象,可能將造成您使用上的不便、資料喪失、錯誤、遭人篡改或其他經濟上損失等情形。建議您於使用本服務時宜自行採取防護措施。 希平方學英文 對於您因使用(或無法使用)本服務而造成的損害,除故意或重大過失外,不負任何賠償責任。

版權宣告
上次更新日期:2013-09-16

希平方學英文 內所有資料之著作權、所有權與智慧財產權,包括翻譯內容、程式與軟體均為 希平方學英文 所有,須經希平方學英文同意合法才得以使用。
希平方學英文歡迎你分享網站連結、單字、片語、佳句,使用時須標明出處,並遵守下列原則:

  • 禁止用於獲取個人或團體利益,或從事未經 希平方學英文 事前授權的商業行為
  • 禁止用於政黨或政治宣傳,或暗示有支持某位候選人
  • 禁止用於非希平方學英文認可的產品或政策建議
  • 禁止公佈或傳送任何誹謗、侮辱、具威脅性、攻擊性、不雅、猥褻、不實、色情、暴力、違反公共秩序或善良風俗或其他不法之文字、圖片或任何形式的檔案
  • 禁止侵害或毀損希平方學英文或他人名譽、隱私權、營業秘密、商標權、著作權、專利權、其他智慧財產權及其他權利、違反法律或契約所應付支保密義務
  • 嚴禁謊稱希平方學英文辦公室、職員、代理人或發言人的言論背書,或作為募款的用途

網站連結
歡迎您分享 希平方學英文 網站連結,與您的朋友一起學習英文。

抱歉傳送失敗!

不明原因問題造成傳送失敗,請儘速與我們聯繫!
希平方 x ICRT

「Avi Rubin:小心...所有裝置都能被駭客入侵」- All Your Devices Can Be Hacked

觀看次數:2940  • 

框選或點兩下字幕可以直接查字典喔!

Thank you, Dave. Good morning, everyone. I'm a computer science professor, and my area of expertise is computer and information security. When I was in graduate school, I had the opportunity to overhear my grandmother describing to one of her fellow senior citizens what I did for a living. Apparently, I was in charge of making sure that no one stole the computers from the university. And, you know, that's a perfectly reasonable thing for her to think, because I told her I was working in computer security, and it was interesting to get her perspective.

But that's not the most ridiculous thing I've ever heard anyone say about my work. The most ridiculous thing I ever heard is, I was at a dinner party, and a woman heard that I work in computer security, and she asked me if—she said her computer had been infected by a virus, and she was very concerned that she might get sick from it, that she could get this virus. And I'm not a doctor, but I reassured her that it was very, very unlikely that this would happen, but if she felt more comfortable, she could be free to use latex gloves when she was on the computer, and there would be no harm whatsoever in that.

I'm going to get back to this notion of being able to get a virus from your computer, in a serious way. What I'm going to talk to you about today are some hacks, some real world cyber attacks that people in my community, the academic research community, have performed, which I don't think most people know about, and I think they're very interesting and scary, and this talk is kind of a greatest hits of the academic security community's hacks. None of the work is my work. It's all work that my colleagues have done, and I actually asked them for their slides and incorporated them into this talk.

So the first one I'm going to talk about are implanted medical devices. Now medical devices have come a long way technologically. You can see in 1926 the first pacemaker was invented. 1960, the first internal pacemaker was invented, hopefully a little smaller than that one that you see there, and the technology has continued to move forward. In 2006, we hit an important milestone from the perspective of computer security. And why do I say that? Because that's when implanted devices inside of people started to have networking capabilities. One thing that brings us close to home is we look at Dick Cheney's device, he had a device that pumped blood from an aorta to another part of the heart, and as you can see at the bottom there, it was controlled by a computer controller, and if you ever thought that software liability was very important, get one of these inside of you.

Now what a research team did was they got their hands on what's called an ICD. This is a defibrillator, and this is a device that goes into a person to control their heart rhythm, and these have saved many lives. Well, in order to not have to open up the person every time you want to reprogram their device or do some diagnostics on it, they made the thing be able to communicate wirelessly, and what this research team did is they reverse engineered the wireless protocol, and they built the device you see pictured here, with a little antenna, that could talk the protocol to the device, and thus control it. In order to make their experience real—they were unable to find any volunteers, and so they went and they got some ground beef and some bacon and they wrapped it all up to about the size of a human being's area where the device would go, and they stuck the device inside it to perform their experiment somewhat realistically. They launched many, many successful attacks. One that I'll highlight here is changing the patient's name. I don't know why you would want to do that, but I sure wouldn't want that done to me. And they were able to change therapies, including disabling the device—and this is with a real, commercial, off-the-shelf device—simply by performing reverse engineering and sending wireless signals to it.

There was a piece on NPR that some of these ICDs could actually have their performance disrupted simply by holding a pair of headphones onto them.

Now, wireless and the Internet can improve health care greatly. There's several examples up on the screen of situations where doctors are looking to implant devices inside of people, and all of these devices now, it's standard that they communicate wirelessly, and I think this is great, but without a full understanding of trustworthy computing, and without understanding what attackers can do and the security risks from the beginning, there's a lot of danger in this.

Okay, let me shift gears and show you another target. I'm going to show you a few different targets like this, and that's my talk. So we'll look at automobiles.

This is a car, and it has a lot of components, a lot of electronics in it today. In fact, it's got many, many different computers inside of it, more Pentiums than my lab did when I was in college, and they're connected by a wired network. There's also a wireless network in the car, which can be reached from many different ways. So there's Bluetooth, there's the FM and XM radio, there's actually wi-fi, there's sensors in the wheels that wirelessly communicate the tire pressure to a controller on board. The modern car is a sophisticated multi-computer device.

And what happens if somebody wanted to attack this? Well, that's what the researchers that I'm going to talk about today did. They basically stuck an attacker on the wired network and on the wireless network. Now, they have two areas they can attack. One is short-range wireless, where you can actually communicate with the device from nearby, either through Bluetooth or wi-fi, and the other is long-range, where you can communicate with the car through the cellular network, or through one of the radio stations. Think about it. When a car receives a radio signal, it's processed by software. That software has to receive and decode the radio signal, and then figure out what to do with it, even if it's just music that it needs to play on the radio, and that software that does that decoding, if it has any bugs in it, could create a vulnerability for somebody to hack the car.

The way that the researchers did this work is, they read the software in the computer chips that were in the car, and then they used sophisticated reverse engineering tools to figure out what that software did, and then they found vulnerabilities in that software, and then they built exploits to exploit those. They actually carried out their attack in real life. They bought two cars, and I guess they have better budgets than I do. The first threat model was to see what someone could do if an attacker actually got access to the internal network on the car. Okay, so think of that as, someone gets to go to your car, they get to mess around with it, and then they leave, and now, what kind of trouble are you in? The other threat model is that they contact you in real time over one of the wireless networks like the cellular, or something like that, never having actually gotten physical access to your car.

This is what their setup looks like for the first model, where you get to have access to the car. They put a laptop, and they connected to the diagnostic unit on the in-car network, and they did all kinds of silly things, like here's a picture of the speedometer showing 140 miles an hour when the car's in park. Once you have control of the car's computers, you can do anything. Now you might say, "Okay, that's silly."Well, what if you make the car always say it's going 20 miles an hour slower than it's actually going? You might produce a lot of speeding tickets.

Then they went out to an abandoned airstrip with two cars, the target victim car and the chase car, and they launched a bunch of other attacks. One of the things they were able to do from the chase car is apply the brakes on the other car, simply by hacking the computer. They were able to disable the brakes. They also were able to install malware that wouldn't kick in and wouldn't trigger until the car was doing something like going over 20 miles an hour, or something like that. The results are astonishing, and when they gave this talk, even though they gave this talk at a conference to a bunch of computer security researchers, everybody was gasping. They were able to take over a bunch of critical computers inside the car: the brakes computer, the lighting computer, the engine, the dash, the radio, etc., and they were able to perform these on real commercial cars that they purchased using the radio network. They were able to compromise every single one of the pieces of software that controlled every single one of the wireless capabilities of the car. All of these were implemented successfully.

How would you steal a car in this model? Well, you compromise the car by a buffer overflow of vulnerability in the software, something like that. You use the GPS in the car to locate it. You remotely unlock the doors through the computer that controls that, start the engine, bypass anti-theft, and you've got yourself a car.

Surveillance was really interesting. The authors of the study have a video where they show themselves taking over a car and then turning on the microphone in the car, and listening in on the car while tracking it via GPS on a map, and so that's something that the drivers of the car would never know was happening.

Am I scaring you yet? I've got a few more of these interesting ones. These are ones where I went to a conference, and my mind was just blown, and I said, "I have to share this with other people."

This was Fabian Monrose's lab at the University of North Carolina, and what they did was something intuitive once you see it, but kind of surprising. They videotaped people on a bus, and then they post-processed the video. What you see here in number one... What you see here in number one is a reflection in somebody's glasses of the smartphone that they're typing in. They wrote software to stabilize—even though they were on a bus and maybe someone's holding their phone at an angle—to stabilize the phone, process it, and you may know on your smartphone, when you type a password, the keys pop out a little bit, and they were able to use that to reconstruct what the person was typing, and had a language model for detecting typing. What was interesting is, by videotaping on a bus, they were able to produce exactly what people on their smartphones were typing, and then they had a surprising result, which is that their software had not only done it for their target, but other people who accidentally happened to be in the picture, they were able to produce what those people had been typing, and that was kind of an accidental artifact of what their software was doing.

I'll show you two more. One is P25 radios. P25 radios are used by law enforcement and all kinds of government agencies and people in combat to communicate, and there's an encryption option on these phones. This is what the phone looks like. It's not really a phone. It's more of a two-way radio. Motorola makes the most widely used one, and you can see that they're used by Secret Service, they're used in combat, it's a very, very common standard in the U.S. and elsewhere. So one question the researchers asked themselves is, could you block this thing, right? Could you run a denial-of-service, because these are first responders? So, would a terrorist organization want to black out the ability of police and fire to communicate at an emergency? They found that there's this Girl Tech device used for texting that happens to operate at the same exact frequency as the P25, and they built what they called My First Jammer. If you look closely at this device, it's got a switch for encryption or clear text. Let me advance the slide, and now I'll go back. You see the difference? This is plain text. This is encrypted. There's one little dot that shows up on the screen, and one little tiny turn of the switch. And so the researchers asked themselves, "I wonder how many times very secure, important, sensitive conversations are happening on these two-way radios where they forget to encrypt and they don't notice that they didn't encrypt?"

So they bought a scanner. These are perfectly legal and they run at the frequency of the P25, and what they did is they hopped around frequencies and they wrote software to listen in. If they found encrypted communication, they stayed on that channel and they wrote down, that's a channel that these people communicate in, these law enforcement agencies, and they went to 20 metropolitan areas and listened in on conversations that were happening at those frequencies. They found that in every metropolitan area, they would capture over 20 minutes a day of clear text communication. And what kind of things were people talking about? Well, they found the names and information about confidential informants. They found information that was being recorded in wiretaps, a bunch of crimes that were being discussed, sensitive information. It was mostly law enforcement and criminal. They went and reported this to the law enforcement agencies, after anonymizing it, and the vulnerability here is simply the user interface wasn't good enough. If you're talking about something really secure and sensitive, it should be really clear to you that this conversation is encrypted. That one's pretty easy to fix.

The last one I thought was really, really cool, and I just had to show it to you, it's probably not something that you're going to lose sleep over like the cars or the defibrillators, but it's stealing keystrokes. Now, we've all looked at smartphones upside down. Every security expert wants to hack a smartphone, and we tend to look at the USB port, the GPS for tracking, the camera, the microphone, but no one up till this point had looked at the accelerometer. The accelerometer is the thing that determines the vertical orientation of the smartphone. And so they had a simple setup. They put a smartphone next to a keyboard, and they had people type, and then their goal was to use the vibrations that were created by typing to measure the change in the accelerometer reading to determine what the person had been typing. Now, when they tried this on an iPhone 3GS, this is a graph of the perturbations that were created by the typing, and you can see that it's very difficult to tell when somebody was typing or what they were typing, but the iPhone 4 greatly improved the accelerometer, and so the same measurement produced this graph. Now that gave you a lot of information while someone was typing, and what they did then is used advanced artificial intelligence techniques called machine learning to have a training phase, and so they got most likely grad students to type in a whole lot of things, and to learn, to have the system use the machine learning tools that were available to learn what it is that the people were typing and to match that up with the measurements in the accelerometer. And then there's the attack phase, where you get somebody to type something in, you don't know what it was, but you use your model that you created in the training phase to figure out what they were typing. They had pretty good success. This is an article from the USA Today. They typed in, "The Illinois Supreme Court has ruled that Rahm Emanuel is eligible to run for Mayor of Chicago" —see, I tied it in to the last talk— "and ordered him to stay on the ballot."Now, the system is interesting, because it produced "Illinois Supreme" and then it wasn't sure. The model produced a bunch of options, and this is the beauty of some of the A.I. techniques, is that computers are good at some things, humans are good at other things, take the best of both and let the humans solve this one. Don't waste computer cycles. A human's not going to think it's the Supreme might. It's the Supreme Court, right? And so, together we're able to reproduce typing simply by measuring the accelerometer. Why does this matter? Well, in the Android platform, for example, the developers have a manifest where every device on there, the microphone, etc., has to register if you're going to use it so that hackers can't take over it, but nobody controls the accelerometer.

So what's the point? You can leave your iPhone next to someone's keyboard, and just leave the room, and then later recover what they did, even without using the microphone. If someone is able to put malware on your iPhone, they could then maybe get the typing that you do whenever you put your iPhone next to your keyboard.

There's several other notable attacks that unfortunately I don't have time to go into, but the one that I wanted to point out was a group from the University of Michigan which was able to take voting machines, the Sequoia AVC Edge DREs that were going to be used in New Jersey in the election that were left in a hallway, and put Pac-Man on it. So they ran the Pac-Man game.

What does this all mean? Well, I think that society tends to adopt technology really quickly. I love the next coolest gadget. But it's very important, and these researchers are showing, that the developers of these things need to take security into account from the very beginning, and need to realize that they may have a threat model, but the attackers may not be nice enough to limit themselves to that threat model, and so you need to think outside of the box.

What we can do is be aware that devices can be compromised, and anything that has software in it is going to be vulnerable. It's going to have bugs. Thank you very much.

播放本句

登入使用學習功能

使用Email登入

HOPE English 播放器使用小提示

  • 功能簡介

    單句重覆、重複上一句、重複下一句:以句子為單位重覆播放,單句重覆鍵顯示綠色時為重覆播放狀態;顯示白色時為正常播放狀態。按重複上一句、重複下一句時就會自動重覆播放該句。
    收錄佳句:點擊可增減想收藏的句子。

    中、英文字幕開關:中、英文字幕按鍵為綠色為開啟,灰色為關閉。鼓勵大家搞懂每一句的內容以後,關上字幕聽聽看,會發現自己好像在聽中文說故事一樣,會很有成就感喔!
    收錄單字:框選英文單字可以收藏不會的單字。
  • 分享
    如果您有收錄很優秀的句子時,可以分享佳句給大家,一同看佳句學英文!