第5集：#ASUSGATE

你发现了多少个零日漏洞？

How many zero days have you found?

这其实并不重要。

It doesn't really matter.

我并没有真正统计过，但我想可能超过一百个了，大概是这样。

I don't really keep count, but it's I guess it's probably over a 100, I sort of.

你觉得你可能发现了上百个零日漏洞？

A hundred zero days you think you might have found?

嗯，我不确定我是否把它们算作零日漏洞。

Well, I don't know if I count them as zero days.

我的意思是，是的，它们之前确实没被发现过，至少没被公开过，但有时候一个应用程序可能有三四个之前从未公开过的漏洞。

I mean, yeah, they hadn't been found before, at least disclosed before, but sometimes an application could have three or four things wrong with it that hadn't been disclosed before.

所以，你知道的，我不是什么超级黑客之类的，但我想大概就是这个数量吧。

So, you know, I'm not some kind of super hacker or anything, but yeah, I guess it's about that.

但任何人都能做到，只需要一点练习和大量的决心。

But anyone can do it, it just takes a little bit practice and a lot of determination.

这是《暗网日记》，讲述互联网黑暗面的真实故事。

This is Darknet Diaries, true stories from the dark side of the Internet.

我是杰克·雷西德。

I'm Jack Recider.

本集由Zocdoc赞助。

This episode is sponsored by Zocdoc.

找到一位你真正喜欢的医生，就像在沙砾中发现钻石。

Finding a doctor you actually like feels like discovering a diamond in the rough.

当然。

Sure.

你希望找一个在保险网络内、离得近、有空闲时段的医生，但说实话，这仅仅是开始。

You want someone that's in network, nearby, with open time slots, but let's be honest, that's just the start.

能找到一位真正倾听并清晰解释问题的医生，那就更好了。

It'd also be nice to find someone who really listens and explains things clearly.

你心目中的那位‘沙砾中的钻石’医生确实存在，而在Zocdoc上找到他们非常容易。

Your diamond in the rough doctor exists, and finding them is easy on ZocDoc.

Zocdoc 是一个免费的应用程序和网站，帮助您找到并预约高质量的网络内医生，让您找到心仪的医生。

ZocDoc is a free app and website that helps you find and book high quality in network doctors so you can find someone you love.

我们覆盖了全美50个州的15万多名医疗提供者。

We're talking more than a 150,000 providers across all 50 states.

您想亲自见医生吗？

Wanna see your doctor in person?

很好。

Great.

您更喜欢视频问诊吗？

Do you prefer a video visit?

他们也可以提供视频问诊。

They can do that too.

通过ZocDoc预约的就诊通常在预约后24至72小时内就能安排。

And appointments made through ZocTalk happen fast, typically within twenty four to seventy two hours of booking.

您甚至可以预约到当天的就诊。

You can even score same day appointments.

我很惊讶，当你需要时，搜索他们的网站并找到医疗提供者是如此快速和简单。

I'm impressed with how quickly and easy it is to search their site and find health care providers when you need it.

所以别再拖延这些医生预约了，立即前往 zocdoc.com/darknet 找到并立即预约你喜爱的医生。

So stop putting off these doctor's appointments and go to zocdoc.com/darknet to find and instantly book a doctor you love today.

拼写是 z o c d o c。

That's spelled z o c d o c.

zocdoc.com/darknet。

Zocdoc.com/darknet.

zocdoc.com/darknet。

Zocdoc.com/darknet.

感谢 Zocdoc 对本节目的支持。

Thanks, Zocdoc, for supporting this show.

本集由 Vanta 赞助。

This episode is sponsored by Vanta.

客户信任可以成就或毁掉你的业务。

Customer trust can make or break your business.

随着你的业务增长，你的安全和合规工具也会变得越来越复杂。

And the more your business grows, the more complex your security and compliance tools get.

这可能会陷入混乱，而混乱并不是一种安全策略。

It can turn into chaos, and chaos isn't a security strategy.

这就是Vanta发挥作用的地方。

That's where Vanta comes in.

把Vanta想象成一位24小时在线的AI驱动安全专家，它会随着你一起扩展。

Think of Vanta as your always on AI powered security expert who scales with you.

Vanta自动完成合规工作，持续监控你的控制措施，并为你提供合规与风险的单一信息来源。

Vanta automates compliance, continuously monitors your controls, and gives you a single source of truth for compliance and risk.

无论你是像Cursor这样的快速成长型初创公司，还是像Snowflake这样的大型企业，Vanta都能轻松融入你现有的工作流程，让你持续发展一家客户可以信赖的公司。

So whether you're fast growing startup like Cursor or an enterprise like Snowflake, Vanta fits easily into your existing workflows so you can keep growing a company your customers can trust.

前往 vanta.com/darknet 开始使用。

Get started at vanta.com/darknet.

拼写是 v-a-n-t-a。

That's spelled vanta.

vanta.com/darknet。

Vanta.com/darknet.

家是私密且个人的。

Home is private and personal.

家是安全且有保障的。

Home is safe and secure.

家是受保护且亲密的。

Home is protected and intimate.

我们不允许陌生人随意走进我们的家，拿走我们最私密的东西，比如银行对账单或照片。

We don't allow strangers to simply walk into our home and take our most private things like bank statements or photographs.

我们知道门是否上锁，窗户是否关好，我们知道这些能将陌生人挡在外面。

We know when our door is locked and when our window is shut, and we know this keeps strangers out.

但有时，陌生人还有其他方式可以进入我们的家，拿走我们最珍贵的东西，而这些陌生人可以从数千英里之外做到这一点。

But sometimes, there are other ways strangers can enter our home and take our most precious things, and these strangers can do this from thousands of miles away.

我的名字是凯尔·洛维特。

My name is Kyle Lovett.

我现在是Vericode公司的高级渗透测试员。

I am a senior penetration tester right now with Vericode.

凯尔的日常工作是渗透测试。

Kyle's day job is penetration testing.

他受雇于公司，测试其安全性，看看黑客是否有办法入侵网络。

He is paid to test the security of a company to see if there's a way a hacker can get into the network.

但这个故事讲的不是这个。

But that's not what this story is about.

这个故事讲的是2013年凯尔为家里买了一台新路由器的时候。

This story is about the time in 2013 when Kyle bought a new router for his home.

是的。

Yeah.

我当时在看新款的华硕路由器，n66型号。

I was looking at the new Asus router, the n 66.

凯尔的朋友拥有新款华硕n66家用路由器，并向他推荐了这款产品。

Kyle's friend had the new Asus n 66 home router and recommended it to Kyle.

这可不是一台便宜的路由器。

This was not a cheap router.

它是高端产品之一，价格刚超过300美元。

It was one of the high end ones, coming in at just over $300.

它们是当时市场上最热门的路由器之一，至少没人能否认它的硬件非常出色。

They were the hottest routers on the market or at least one of the hottest routers on the I mean, no one can deny the hardware on it is quite impressive.

所以它非常受欢迎，尤其是在IT圈子里。

So it was very popular, especially around the IT crowd.

你知道，很多IT人士家里都用这种路由器。

You know, they they a lot of a lot of IT folks had those routers in their home.

于是凯尔买了它，带回家。

So Kyle bought it and took it home.

当我回到家，仔细查看这款产品时，感觉有些不对劲。

Something struck me as a little odd when I when I got home and was looking through the the the actual product.

当他设置新路由器时，注意到默认情况下开启了大量功能。

As he was setting up his new router, he was noticing that it had a lot of features on by default.

功能太多了。

Too many features.

它上面安装了VPN、FTP服务器，还有Samba，用于网络内部的文件共享。

A VPN installed on it, an FTP server installed on it, Samba for, you know, the file sharing internally in the network.

它还运行着多个不同的网页服务器，我当时就想，这不可能安全。

It also had several different web servers running on it, and I was like, this can't be safe.

这不可能，肯定哪里有问题，因为它上面装了太多东西。

This can't be there was something gotta be go here because there's so much on it.

所以，是的，它看起来确实很不错。

So, yeah, it just seemed really good.

就是那种好得不真实的感觉。

Was too good to be true kind of thing.

他首先注意到，默认用户名是admin，默认密码也是Admin。

First thing he noticed is the default username was admin, and the default password was also Admin.

他从未被提示更改这个密码。

At no point was he prompted to change this password.

因此，对于许多拥有此设备的人来说，他们很可能没有更改过密码，密码一直保持为AdminAdmin。

So for many people who own this device, they likely didn't change their password on it, and it was left as AdminAdmin.

这种薄弱的默认设置经常让凯尔感到不满。

These kind of weak default settings often upsets Kyle.

他更改了默认密码，并继续设置他的新路由器。

He changed his default password and continued setting up his new router.

于是我就像对普通网页应用进行渗透测试一样开始摆弄它。

So I just started fiddling with it like I would do a normal web app pen test.

端口80是管理界面，端口443则是AI云或云界面，我主要关注的就是后者。

Port 80 had the administration interface with it, and then port four four three had the AI cloud or the cloud interface with it, which is what I kinda concentrated on.

他启用的一个功能是FTP服务器。

One of the features he enabled was an FTP server.

他将一个外部硬盘连接到路由器上，并启用了FTP服务器。

He plugged in an external hard drive into the router and enabled the FTP server.

这个功能将路由器变成了一个网络存储设备。

This feature turns the router into a networked storage device.

这使得用户能够将备份文件、音乐收藏、个人照片、过往税务记录，或任何人们存放在外接硬盘上的内容存储在其中。

This allowed users to store backup files, their music collection, personal photos, past tax records, or whatever people put on their external hard drives.

引起我注意的是，当我像往常一样偶尔开启FTP时，我扫描了自己的IP地址。

The thing that caught my interest is when I turned FTP on, as I do kinda once in a while, I scan my own IP address.

我意识到端口21是开放的，并且允许匿名访问，我当时就想：哇。

I realized that port 21 was open with anonymous access, and I was like, woah.

哇。

Woah.

等等。

Hold on here.

他发现的不仅是自己能在家里通过路由器访问个人照片，而且由于路由器连接在互联网上并拥有公网IP地址，他的所有数据实际上正向全世界公开共享。

What he found was not only could he access his personal photos from within his house through the router, but because the router was on the Internet with a public IP address, it was sharing all his data to the entire world.

更糟糕的是，访问他的文件根本不需要密码。

And to make matters worse, there was no password needed to access his files.

如果黑客知道你使用了这种路由器，并且你连接了硬盘，那么这名黑客就能从数千英里之外看到你硬盘上的所有文件。

If a hacker knew you had this router and you had plugged a hard drive into it, that hacker could see all the files you had on the hard drive from thousands of miles away.

是的。

Yeah.

是的。

Yeah.

我的意思是，我把其中一个外接硬盘插到了后面，这才是真正引起我注意的地方。

I mean, plugged in one of my external hard drives to the back of it, and that that's really what got me peeked.

等等。

Like, hold on.

一旦凯尔发现了路由器的一个安全问题，他就开始运用自己的渗透测试技能，看看是否能找到其他问题。

Once Kyle found one security issue with the router, he began using his penetration testing skills to see if he could find something else.

我就是开始到处查看和模糊测试。

What I did was I just started looking and fuzzing.

我其实根本不需要做太多模糊测试。

I didn't even really need to fuzz all that much.

所有的文件路径都直接摆在那儿了。

All of the file paths were right there.

我突然意识到我看到的是什么。

I kind of realized what I was looking at.

他使用了一些简单的工具，找到了目录结构以及某些文件的存储位置。

Using a few simple tools, he found the directory structure and where certain files were stored.

他找到的一个文件包含了路由器本身的用户名和密码。

One of the files he found was a file that contained the username and password of the router itself.

让他感到震惊的是，这个密码是以明文形式存储的，就是一个普通的文本文件。

What startled him about this was that the password was stored in clear text, just a plain file.

我 literally 可以打开浏览器，输入 HTTPS 加 IP 地址，再加斜杠 SMB 加斜杠 TMP 加斜杠 LightEP，那是他们使用的网页服务器的名称，还有权限。

I literally could go to my browser and browse up in the browser, HTTPS IP address forward slash SMB forward slash TMP forward slash LightEP, which was the name of the the the web server they're using, permissions.

当你这么做时，它会为你生成一个文本文件，里面包含 Admin 和他们的密码，如果他们没改默认密码，那就是 AdminAdmin。

When you do that, it drops a text file for you that has Admin and then whatever their password would be AdminAdmin if they didn't change their default password.

我只花了大约二十到二十五分钟就找到了这个漏洞，这甚至算不上什么复杂的模糊测试、智能测试，或者深入分析任何漏洞。

That only took me maybe twenty, twenty five minutes to find of testing, and that wasn't even really hard fuzzing, smart fuzzing, or looking at any kind of vulnerabilities.

这意味着，任何在他家里的访客都能轻易找到 Kyle 路由器的密码。

This means any guest within his home could easily find the password to Kyle's router.

有人只需使用普通浏览器，访问该URL就能看到他的密码。

Someone could just use a regular browser and go to the URL and see his password.

查看这个信息不需要任何身份验证，但凯尔对此又多想了一会儿。

No authentication was required to see this, but Kyle thought about this a little longer.

等等。

Hold on.

等等。

Hold on.

当443端口开放时，我能否从外部访问到这个？

Can I get to this from the outside when port four four three is open?

因为我启用了AI云服务，这是他们自己特有的云服务，内置了某些功能。

Because I enabled the AI cloud service, which is their own particular cloud service that has a built in.

他们提供的功能包括你可以同步你的iTunes、同步你的手机，等等，我也能从外部访问到这个ClearTax密码。

They do things like you can sync your iTunes to it, you can sync your phone to it, you know, and I was able to get to it from the outside as well, the ClearTax password.

然后我联系了另一位住得相当远的朋友，问他是否也有一个这样的设备。

And then I called another friend who lived, you know, quite far away and asked him if I could I knew he had one as well.

他实际上向我推荐过它。

He had actually recommended it to me.

我说，我能看看你的吗？

And I said, could I could I look at yours?

果然，我立刻就拿到了他的ClearTax密码，这让我有点害怕。

And sure enough, I was able to get his ClearTax password right off the bat, and that that was kind of scary.

所以现在他意识到，如果任何人启用了这款路由器的AI云功能，那么互联网上的任何人都能轻松找到这个路由器的密码。

So now he realized that if anyone enabled the AI cloud feature of this router, then anyone on the Internet can easily find the password to this router.

你可以 literally 列出全球所有具有该目录结构的ASUS路由器，然后只需获取那些开放了443端口的路由器。

So you could literally create a list of all of the ASUS routers there are in the world with that directory structure and just snag each one of them that had port four forty three open.

他越来越担心这款路由器的安全性。

He was becoming increasingly concerned about the security of this router.

他运行的是最新的补丁和更新，但这款路由器仍然存在诸多安全问题。

He was running it with the latest patches and updates, and it had all these security problems.

他开始研究这是否是一个已知的漏洞。

He began researching whether this was a known bug or not.

嗯。

Yeah.

这让我有点害怕，因为我知道这款路由器非常流行，于是我赶紧上网查看是否有人已经发现了这个问题，希望别人已经发现了。

It kinda scared me a little bit because I knew how popular this router was, and I quickly looked online to see if anyone else had found it, hoping somebody else had found it.

当我发现没人提到过这个问题时，我心里想：糟了。

And when I didn't find that anyone else had found it, I was like, uh-oh.

我得花更多时间研究一下这个问题。

I better spend a little more time on this.

此时，凯尔已经列出了一份他在这款路由器中发现的安全漏洞清单。

At this point, Kyle had a long list of security flaws he found in this router.

这些问题包括

These issues were

明文密码和未受保护的目录结构。

The Cleartext password, the unprotected directory structure.

还有FTP问题、Samba问题，用于网络内部的文件共享，这也是我的另一项发现。

You had the FTP problem, Samba, for, you know, the file sharing internally in the network, which was one of my other findings.

然后你遇到了更大的问题，那就是默认密码 AdminAdmin。

Then you you had the bigger problem of the default passwords, which was AdminAdmin.

这款路由器还内置了VPN功能，通过结合这些漏洞，攻击者可以像有人在你家里使用你的Wi-Fi一样，访问你的整个家庭网络。

The router also has a VPN built into it, which by combining these vulnerabilities, an attacker can gain access to your entire home network just as if someone is in your house using your Wi Fi.

这简直令人不安，至少可以说是这样。

It it was disturbing, to say the least.

Kyle意识到，任何使用这款路由器的人都拥有一个非常不安全的家庭网络。

It became evident to Kyle that anyone with this router has a very insecure home network.

Kyle使用了一个名为Showdown的网站，试图了解这个问题的规模。

Kyle used a website called Showdown to try to understand the size of this problem.

Showdown是一个扫描整个互联网，查看哪些IP地址在线以及哪些端口开放的网站。

Showdown is a website that scans the entire Internet to see what IPs are alive and what ports are open.

它还会尝试识别这些IP地址上运行的系统类型。

It also tries to get the type of system that's running on those IPs.

Kyle发现至少有五万人正在运行这个存在漏洞的FTP服务器。

Kyle found at least 50,000 people were running the vulnerable FTP server.

你知道吗，那五万、六万、七万个有漏洞的设备，只是针对FTP的。

You know, the fifty, sixty, 70,000 that were vulnerable, that was just to the FTP.

你得再乘以两到三倍，才能算上端口443和端口80的默认密码漏洞。

You're talking two to three times that amount to the port four forty three and then the port 80 default password.

最令人不安的是，攻击者可以把它当作一个一站式平台，用来投放他们分享或下载的所有恶意文件。

That was the really disturbing thing is that attackers could use it as a one stop shop to dump all their whatever malicious files they were sharing or downloading.

它甚至自带一个BT下载程序，然后攻击者可以利用这些终端用户的VPN，无论他们身在何处，进一步代理他们的攻击或恶意行为。

It even came with a torrent download little program, and then they could use the VPN of these people, whoever were the end user whereas, wherever they were, to then proxy, kind of proxy their attacks or their malicious deeds online furthermore.

凯尔现在终于明白了这个问题的规模之大。

Kyle was now understanding the massive size of this problem.

他购买的这款高端昂贵的路由器，充满了尚未被厂商知晓或公开讨论的严重安全漏洞和缺陷。

This high end expensive router that he had purchased was full of glaring security vulnerabilities and bugs that were not yet known to the vendor or discussed publicly.

它让超过十万人在自己家中面临被攻击的风险。

It made over a 100,000 people vulnerable to attacks in their own home.

这些攻击包括窃取他们的文件、访问内部计算机、控制用户的路由器，或利用路由器对其他系统发动攻击。

Attacks such as taking their files, accessing internal computers, controlling the user's router, or using the router to wage attacks in other systems.

最终用户直到他们的路由器开始瘫痪之前，几乎不可能意识到自己正遭受任何攻击。

And the end user, until their their routers started going down, I doubt would have ever have the knowledge that anything was happening to them at all.

当软件中存在安全漏洞而厂商尚未察觉时，这被称为零日漏洞。

When software has security bugs in it and the vendor is not aware of the problem, this is called a zero day vulnerability.

它被称为零日，是因为厂商自发现问题以来已经过去了零天。

It's called a zero day because that's how many days since the vendor has been aware of the problem.

一旦厂商意识到问题，就不再是零日漏洞了，厂商可以开始着手发布修复补丁。

Once the vendor is aware of the problem, it's no longer a zero day, and the vendor can work on releasing a fix.

现在，请你暂时站在凯尔的立场上想一想。

Now put yourself in Kyle's shoes for a moment.

你刚刚发现了一款非常流行的家用路由器中存在大量未修复的漏洞。

You have just found numerous unfixed bugs in a very popular home router.

这个漏洞允许你访问全球超过十万户家庭的私有网络。

This bug allows you to access the private networks of over a 100,000 homes around the world.

你不仅能轻松进入家庭网络，还能查看他们所有的文件，并将他们的路由器用作代理。

Not only can you easily get into the home network, but you can also have the ability to see all their files and use their router as a proxy.

如果你拥有这种知识和能力，你会怎么做？

What would you do if you had this kind of knowledge and capability?

你会到处查看每个人的文件，看看他们有什么吗？

Would you go around looking at everyone's files to see what they had?

你会试图在暗网出售这些漏洞，换取一些比特币吗？

Would you try to sell these exploits on a dark market for some Bitcoin?

身处这种境地，你会有什么感受？

How would it make you feel to be in this situation?

我有点生气，因为我买了一个存在如此明显漏洞的设备，所以我立刻想联系华硕，让他们负责安全的团队尽快修复它，因为这影响的不只是少数人。

I was kind of angry that I had bought this thing with this glaring vulnerability, so I wanted to get Asus on board right away with it, get their InfoSec group or whatever the team they had doing security to fix it right away because it affected more than just a few people.

对凯尔来说，选择很简单。

For Kyle, the choice was easy.

他从未尝试查看过任何人的文件，也从未将这种知识用于任何恶意目的。

Not even once did he try to view someone else's files or use this knowledge for anything malicious.

他只是希望修复这个漏洞，以帮助提升成千上万人的安全性。

He simply wanted this bug fixed to help improve security for thousands of people.

事实上，他也是一个客户，他希望这个漏洞能在他自己的路由器上得到修复。

In fact, he was a customer too, and he wanted the bug fixed for his own router.

于是他开始尝试联系这款路由器的制造商华硕。

So he began trying to figure out how to contact Asus, the makers of this router.

我想大概是二月或三月，我发了第一封邮件，之前我几乎没有进行过公开披露。

So I think it was around February or March I sent my first email, and I hadn't done much in the way of public disclosure before.

每当我发现一个问题，通常都是发一封匿名邮件，这次我也这么做了。

And whenever I had found something, it was usually I would send an anonymous note in, which I did.

大约一个月过去了，我的匿名邮箱没有收到任何回复。

For about a month, didn't get any response back to my anonymous email account.

我用的是一个假名字。

I had a fake name in there.

于是我心想：算了。

And I said, you know what?

我要用我的真名和真实邮箱，因为这件事太重要了。

I'm gonna use my real name and my real email address because this is that important.

于是，凯尔给华硕发了另一封邮件，这次使用了他的真实姓名。

So Kyle sent Asus another email, this time using his real name.

三周过去了。

Three weeks go by.

华硕仍然没有回复。

Still, no response from Asus.

所以凯尔在五月又给他们发了一封邮件。

So Kyle sends them another email in May.

他们回复了，说：好的，我们会看一下。

They did respond and they say, okay, we'll take a look at it.

凯尔终于得到了回复，感到有些宽慰，但他直到修复程序发布前都不会满意。

Kyle was somewhat relieved to have finally gotten a response, but he wasn't going to be satisfied until the fix was released.

当他又等了两周，距离他首次通知他们这个问题已经过去了两个月，但仍然没有修复程序，也没有发布任何公告告知客户这个问题的存在。

When he waited two more weeks, which has now been two months since he first notified them of this problem, there's still no bug fix or press release telling customers that this problem exists.

事实上，华硕甚至还没有确认他们是否发现了这个问题。

In fact, Asus hasn't even confirmed they see a problem yet.

他开始对他们失去耐心。

He was starting to lose patience with them.

你知道吗，我又发了一封邮件，之后又发了几封。

You know, I sent another email and then another couple emails after that.

我并不是想纠缠他们。

I wasn't trying to hound them.

我只是希望他们能说，嗯，我们确认了这是一个漏洞，因为我只想就此放下，然后继续前进。

I just wanted them to say, you know, yeah, we confirmed that this is a vulnerability because I just kinda wanted to forget it and, like, move on.

所以大约一个月后，我决定在网上进行部分披露，以促使他们加快行动，因为他们没有警告客户，而人们还在继续购买这些路由器。

So after about a month of that, I decided to go with a partial disclosure online to kinda prod them to, you know, move a little bit faster because they weren't warning their customers, and people were just going out and buying these routers.

凯尔决定将他发现的漏洞公开发布到网上，供任何人查看。

What Kyle decided to do was post the bug he found publicly, online for anyone to see.

这是一个艰难的决定。

This is a hard decision to make.

一方面，他是在通知客户他们的路由器存在漏洞，会让陌生人访问路由器并连接到他们的硬盘。

On one hand, he's notifying the customers there's a bug in their router, which lets strangers access their router and connect to their drives.

但另一方面，他等于把钥匙交给了黑客，让他们能够入侵成千上万人的家中。

But on the other hand, he's going to be giving keys to hackers, which they can use to enter thousands of people's homes.

作为独立的研究人员，我知道我的声音并没有多大分量。

What I know as far as being an individual independent researcher, you know, my voice doesn't carry a lot of weight.

所以当我个人发现一个问题，而厂商却不肯修复或根本不在乎时，我们真正能用的手段——除非你和某些记者关系特别密切——就是让他们丢脸。

So when I find something individually and the vendor doesn't want to fix it or they don't care about it, the only tool we really have at our discretion, you know, unless you're really connected in with some reporters or something, but is to embarrass them.

通过让他们丢脸，迫使他们修复漏洞。

Embarrass them into fixing the bug.

不幸的是，让厂商丢脸有时意味着提供一个概念验证，证明这确实是个漏洞，并展示出证据。

And unfortunately, embarrassing them sometimes means giving a proof of concept that this is truly a bug, and here's the proof of concept.

是的，我知道坏人也会看到这个概念验证，但有些厂商就是不为所动，直到舆论压力找上门来。

And yes, I know the bad guys are also gonna see this proof of concept, but some vendors just don't care until the PR hits them.

一旦舆论发酵、负面新闻爆发，公众得知他们的产品存在漏洞——无论是应用程序、路由器还是交换机——他们才会开始行动去修复。

When the PR hits and the bad press hits and it gets out there that they have a buggy application or a buggy router or switch or whatever it is, then they can then they get moving on fixing it.

对我们来说，这确实是个危险的做法，因为我以前就收到过诉讼威胁，你知道，当你披露了某个问题后，有人真的去利用了它，这种感觉并不好。

And it's a dangerous, you know, thing for us to do because we get I've had lawsuit threats before, you know, and, you know, and it doesn't feel too good to know that, you know, because you've disclosed something, people have gone and exploited it.

但正如我跟我妻子和其他几个人说的，我不破坏软件应用。

But, you know, as I said to I've told my wife and several other people, I said, I don't break the software applications.

我根本不可能做到这一点。

I I would be impossible to do.

我只指出那些已经出问题的地方。

I only point out where it's already broken.

将安全漏洞公之于众的做法被称为完全披露。

This concept of posting a security vulnerability publicly for the world to see is called full disclosure.

这个话题在安全界经常引发争议。

This topic is often debated in the security community.

然而，凯尔对是否将所有发现公之于众持谨慎态度。

Kyle was hesitant to share all his findings with the public though.

所以我选择了部分披露，没有详细说明具体是什么问题，只是说明了它可能造成的影响。

So I went with a partial disclosure, not really getting into details about what what what it was, but saying what we what it could do.

我简要提到了FTP问题，但没有深入展开。

And I briefly mentioned the FTP, issue, but I didn't go into depth about it.

于是，凯尔开始等待ACES的回应。

So now Kyle watched and waited for ACES to respond.

又过了三周。

Three more weeks went by.

自从他首次向他们提出这个问题以来，已经过去四个月了，但他们甚至连确认都没有做。

It's now been four months since he first brought this to their attention, and they still haven't even confirmed.

他们承认这是一个缺陷。

They agree it's a flaw.

凯尔决定更进一步。

Kyle decided to take it a step further.

于是我去发布了关于ClearTax密码的披露信息，结果被广泛转载了。

And that's when I went on there, and I I I I put the one disclosure about the the ClearTax password, which got picked up.

多家媒体都报道了这件事，事情迅速发酵，变得疯狂起来。

A bunch of outlets picked it up, and and it kinda ran from there crazy.

我没有提到FTP的问题，因为我觉得如果突然把那七万人推到风口浪尖上，后果会非常严重。

I didn't mention the FTP thing because I thought that was really damaging if, you know, all of a sudden I just threw those 70,000 people under the bus.

我知道完全披露就应该彻底披露，而如今，我可能会采取稍微不同的做法。

I I know full disclosure really should be full disclosure, and, you know, today, I probably would have done it a little differently.

安全博客、网站和新闻媒体看到了凯尔的披露，并开始撰写关于这一严重安全漏洞的文章。

Security blogs, websites, and news outlets saw Kyle's disclosure and began writing articles about the glaring security flaw.

他们能够清晰地阐明这个问题有多严重。

They were able to articulate exactly how bad this issue was.

客户开始感到不满，并要求华硕修复这一问题。

Customers began getting upset and demanding ASUS to fix the problem.

这促使他们至少修复了一些问题，但FTP问题一直拖到八月和九月都没有解决。

That got them in gear to at least fix a couple of the issues, but the FTP issue went remained unfixed through August and September.

于是凯尔再次给他们发了邮件。

So Kyle emailed them again.

这次，华硕让凯尔联系了一位公关人员，此人同时也是开发团队的联络人。

This time, ASUS connected Kyle with someone from PR, who's also a liaison to developers.

他说：哦，好的，我们会看一下，但这是设计使然。

He said, Oh, okay, well we'll take a look at it, but this is by design.

这是设计如此。

This is by design.

称之为——我可不是开玩笑——无限共享。

Call it, and I kid you not, infinite sharing.

这就是我们的无限共享，我不知道，也许你们会说这是一种升级，原本的设计本应让你能与所有人共享。

This is our infinite sharing, I don't know, I guess you would call it an upsell of something that it was supposed to be so you could share with everybody.

我说，所有人，比如你硬盘上的所有内容都能被他们共享。

And I said, everybody, like everything on your hard drive could be shared with them.

这个回应并没有让凯尔满意。

This response did not satisfy Kyle.

我当时就想，天啊，别开玩笑了。

Oh, I was like, oh, come the F on.

天哪，不行。

Jesus Christ, no.

但你知道吗，我当时就放过了，因为他们根本不会去修复这个问题。

But, you know, I I I just let it go at that point because they weren't gonna fix it.

他们知道这件事。

They knew about it.

但你知道，有时候你真的无能为力。

But, you know, there's really sometimes you can't really do anything.

本集由DeleteMe赞助。

This episode is sponsored by DeleteMe.

DeleteMe让删除你的个人信息变得简单、快速且安全，尤其是在监控和数据泄露普遍到让每个人都面临风险的今天。

DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

在网上轻易就能找到关于人们的个人信息。

It's easier than ever to find personal information about people online.

你的地址、电话号码以及家人姓名在网络上公开，可能会在现实生活中带来实际后果，使每个人都有风险。

Having your address, phone number, and family members' names hanging out there on the Internet can have actual consequences in the real world and makes everyone vulnerable.

隐私对我来说是一个非常重要的议题。

Privacy is a super important topic to me.

所以几年前，我注册了DeleteMe，它立即开始扫描互联网，寻找我的名字，并向我提供发现的结果报告。

So a few years ago, I signed up, and DeleteMe immediately got busy scouring the Internet, looking for my name, and then gave me reports on what they found.

然后他们开始删除这些信息，并向我展示他们删掉了什么。

And then they got busy deleting things, showing me what they got rid of.

有人为我的隐私保驾护航，这真是太好了。

It's great to have someone on my team when it comes to my privacy.

通过注册 DeleteMe 来掌控你的数据，保护你的私人生活不被泄露。

Take control of your data and keep your private life private by signing up for DeleteMe.

现在，我的听众可以享受特别折扣：访问 deleteme.com/darknetdiaries 注册，结账时使用促销码 d d 20，即可享受 20% 折扣。

Now at a special discount for my listeners, you can get 20% off your DeleteMe plan when you go to join deleteme.com/darknetdiaries, and use promo code d d 20 at checkout.

获得 20% 折扣的唯一方式是访问 deleteme.com/darknetdiaries，并在结账时输入代码 d d 20。

The only way to get 20% off is to go to join deleteme.com/darknetdiaries and enter code d d 20 at checkout.

就是访问 deleteme.com/darknetdiaries，输入代码 d d 20。

That's join deleteme.com/darknetdiaries code d d 20.

十月过去了，十一月过去了，十二月和一月也过去了。

October passes, November passes, December and January pass.

到这个时候，凯尔发现的所有漏洞都已成为公开信息，部分源于他提到的线索，部分则是因为对华硕的额外关注。

At this point, all the bugs Kyle found were public knowledge, partially from the clues he mentioned and partially because of the extra attention on Asus.

他发现的漏洞存在于10款不同的华硕路由器型号上。

The vulnerabilities he found were present on 10 different Asus router models.

关于这一漏洞的信息继续在互联网上传播。

Knowledge of this vulnerability continued to spread around the internet.

不速之客现在开始四处窥探人们的文件。

Unwanted strangers were now going around looking into people's files.

此时，几乎可以肯定每个ACES FTP服务器都被多个陌生人访问过。

It's a high probability that every ACES FTP server was accessed by multiple strangers at this time.

他们可能翻看了文件，拿走任何看起来有趣的东西，甚至上传文件作为存储点。

They probably looked through the files and took anything that looked interesting and even uploaded files as a stash point.

一个未知的人群试图自己采取行动。

An unknown group of people tried to take matters into their own hands.

他们对互联网进行了扫描，寻找所有存在漏洞的华硕路由器，发现了超过一万个运行匿名FTP服务器的IP地址。

They did a scan on the Internet and looked for all vulnerable ASUS routers and found just over 10,000 IPs that were running the anonymous FTP server.

他们访问了每一个这样的路由器，并留下了一条信息。

They accessed each one of these routers and left a note.

它写道：警告，您存在安全隐患。

It said, warning, you are vulnerable.

这是一条发送给所有受影响用户的自动消息。

This is an automated message sent to everyone who is affected.

您的ASUS路由器和文件可以被任何拥有互联网连接的人访问。

Your ASUS router and your documents can be accessed by anyone in the world with an Internet connection.

解决方案：立即完全禁用FTP和AI云服务。

Solution, completely disable FTP and AI cloud immediately.

这份备注署名为/slash g。

A note was signed by slash g.

这可能意味着黑客来自4chan的技术版块，他们使用/slash g作为用户名。

This may mean the hackers originated from the technology board on 4chan, which uses slash g as their name.

该备注还将此事件称为“Asus Gate”。

The note also called this incident Asus Gate.

让我们试着理解成为这一事件受害者的感受。

Let's try to understand the feeling of being a victim to this.

想象一下，你晚上躺在舒适、温暖、安全的床上安然入睡。

Imagine you go to sleep at night in your nice, cozy, safe, warm bed and sleep peacefully through the night.

你醒来后走进浴室，上完厕所，照镜子时发现镜子上写着一张纸条，告诉你你的家门八个月来一直敞开，任何人都可以随意进入。

You wake up, walk into the bathroom, use the toilet, and when you look in the mirror, there's a note written on it telling you there has been a door open in your home for eight months and anyone can walk in.

当你意识到有人一直在你的路由器里查看你的文件时，那种毛骨悚然的感觉难以言喻。

The creepiness feeling you get when you realize someone has been in your router looking at your files is unexplainable.

这是一种被侵犯的感觉，非常可怕。

It's a feeling of being violated and it's horrible.

Ace的客户对他们的硬盘和文件被访问感到愤怒。

Ace's customers were outraged that their hard drives and files were accessed.

现在，由于FTP服务器没有设置密码，是否在没有访问限制的情况下访问它属于违法行为还值得怀疑。

Now because the FTP server did not have a password on it, it's questionable whether accessing it is illegal or not if there's no restriction keeping people out.

有些法律认为访问它是合法的。

And some laws say it's legal to access it.

黑客并没有使用任何特殊工具、绕过手段、入侵或诡计来访问这些文件。

The hackers did not use any special tool or bypass or hack or trick to access the files.

他们使用了标准的FTP客户端，且无需密码即可完成这些操作。

They used a standard FTP client, and no password was required to do what they did.

由于ACE声称这是功能而非安全漏洞，因此这种行为更不可能构成犯罪。

And since ACE has said this was a feature and not a security bug, then it's even more likely that this act was not criminal.

这促使ACE重新行动起来，但ACE却联系了我，以为是我做的。

That got ACEs back in gear, but ACEs contacted me like I had done it.

事实上，有几个人说：‘哦，那你为什么这么做？’

In fact, a couple of people were like, oh, so why did you do that?

我说：‘我没做过那件事。’

I'm like, I I didn't do that.

是另一个团体做的。

Some other group did.

另一些人有着良好的意图。

Some other they they had good intentions.

他们只是在他们的FTP上放了一个文本文件，但假如我做了类似的事，我绝不会用这种方式。

They were just dropping a text file on their FTP, but, I certainly wouldn't have done it in that manner if I had done something like that.

黑客将笔记上传到用户路由器的消息传遍了各大新闻媒体。

The news of the hackers uploading notes to people's routers made its way to major news networks.

事实上，凯尔曾一度被CNN采访，以解释这一情况。

In fact, Kyle was even interviewed by CNN at one point to explain the situation.

他对这次采访感到紧张，并对这则新闻的影响力之大感到惊讶。

He was nervous about the interview and was impressed at how big the news had become.

这变得相当大，而且对于我首次公开披露来说，也有些令人担忧，你知道的。

It got fairly big and a little little concerning for my first disclosure publicly, you know.

最终，华硕修复了凯尔报告的所有漏洞。

Eventually, Asus fixed all the bugs Kyle reported.

但之后，凯尔又在他们的修复版本中发现了更多漏洞，并继续报告了这些漏洞。

But after that, Kyle found even more bugs in their fixed versions and reported them too.

最终，华硕也解决了这些问题。

Eventually, ASUS resolved these issues too.

几年后，即2016年2月，美国联邦贸易委员会对华硕提起了诉讼。

A few years later, in February 2016, The United States Federal Trade Commission filed a case against ASUS.

FTC认为ASUS可能违反了法律。

The FTC believed a law may have been broken by ASUS.

五个月后，作出了裁决。

Five months later, a verdict is reached.

FTC发现有超过一万名客户的资料被未经授权的入侵者访问。

The FTC saw proof that over 10,000 customers had their data accessed by an unwanted intruder.

FTC表示ASUS未能及时解决安全问题。

The FTC said ASUS was not addressing security issues in a timely manner.

ASUS就该案达成和解，FTC批准了ASUS必须遵守的以下命令。

ASUS settled on the case and the FTC approved the following orders that ASUS must comply with.

ASUS不得对其客户误导有关安全漏洞的信息。

ASUS must not mislead their customers about security flaws.

他们必须在安全更新可用时公开明确通知客户。

They must clearly notify their customers publicly when a security update is available.

他们必须对其产品进行安全审计。

They must conduct security audits on their products.

这包括渗透测试、员工培训、代码审查、风险评估等。

This includes penetration testing, employee training, code reviews, risk assessments, and more.

安全审计必须提交给FTC，以证明其已执行。

The security audits must be submitted to the FTC to prove they have taken place.

如果ACES未能遵守这些命令中的任何一项，每次违规将被罚款16,000美元。

If ACEs failed to comply with any of these orders, they will be fined $16,000 for each violation.

FTC命令中最严厉的部分是，要求审计在未来二十年内持续进行。

And the harshest part of the FTC orders is that the FTC is requiring audits to continue for the next twenty years.

ACES必须遵守这些命令，直至2036年。

ACES has to comply with these orders until 2036.

直到今天，仍然有两三千人。

To this day, there are still two to 3,000.

这发生在多少年之后？

And it's what how many years later?

我们说的是三年半之后？

We're talking three, three and a half years later?

如果你继续查看这一点，你会看到仍有两三千人使用着旧固件，这会暴露他们整个FTP以及连接在路由器背面的所有内部硬盘，让它们以匿名读写权限对全世界开放，这相当可怕。

If you if you go on to show that, you'll see two to 3,000 people still have the old firmware on that exposes their entire FTP and therefore all of their internal hard drives they have plugged into the back of that router to the world as an anonymous readwrite access, which is quite scary.

由于人们根本没有修补他们的路由器，成千上万的人至今仍处于脆弱状态。

Thousands of people remain vulnerable still because they simply haven't patched their router.

虽然已经有修复方案，但他们要么不知道，要么根本不在乎去修复。

There's a fix available, but they either aren't aware of it or don't care to fix it.

如果你使用的是华硕路由器，最好保持其固件及时更新和修补。

If you have an ASUS router, it's a good idea to keep it up to date and patched up.

现在，安全研究人员有了新的方法与厂商合作来解决这些问题。

There are now new methods for security researchers to work with vendors to fix these problems.

一些公司会对发现的安全漏洞提供悬赏奖励。

Some companies will offer a bounty reward for any security bugs found.

这些悬赏可以让研究人员通过发现一个漏洞就赚取数千美元。

These bounties can result in researchers making thousands of dollars by finding a single vulnerability.

需要说明的是，凯尔从未要求过任何悬赏，也从未因他在华硕路由器中发现的漏洞而获得任何悬赏。

For the record, Kyle never did ask for a bounty reward, and nor was he offered any bounty reward for his findings in the ASUS routers.

国土安全部有一个名为美国计算机应急响应小组（US CERT）的分支机构。

The Department of Homeland Security has a branch called the US Computer Emergency Readiness Team or US CERT.

US CERT 的工作水平有了显著提升，现在很多人都可以联系 US CERT，他们会代为与厂商沟通，进行漏洞披露并公开处理。

US CERT has really stepped up its game and, you know, a lot of people can go now go to US CERT who will do that work for them, that will get in touch with the vendor and just do the disclosure and do it publicly.

感谢他们大力提升工作，帮助了我们很多人。

So thank them for really stepping up and helping a lot of us.

我几乎不再需要进行完整披露了，因为对于大多数问题，我都可以联系 US CERT，说：‘你们能帮我们一下吗？’

I don't really have to do full disclosure hardly anymore because I can go to US CERT on most items and say, hey, can you help us out here?

我一直在尝试联系这家厂商。

I've been trying to go with this vendor.

他们不愿意做出回应。

They don't wanna be responsive.

所以我把问题抛给他们，因为他们正在与国土安全部合作。

And kinda put the ball in their court because they're working with DHS.

他们正在与 MITRE 以及其他一些组织合作，为社区完成这类工作。

They're working with MITRE and and and some some other people that to to to do that kinda work for the community.

我很好奇，凯尔，你现在用的是哪个家用路由器？

I'm curious, Kyle, what home router do you use today?

哦，我现在用的是Xfinity的。

Oh, right now I have the Xfinity.

他们实际上推出了两款型号，一款用于100兆比特流媒体，另一款用于普通流媒体，而我正是在这款路由器上发现了一个漏洞，因为其固件和路由器硬件本身实际上是由思科制造的，我曾向他们披露了三个零日漏洞。

They actually have two models out, one for 100 megabyte streaming and one for the regular sized streaming, which I actually found a vulnerability with because the actual firmware of this and the router hardware itself was actually made by Cisco, who I disclosed three zero days on on those.

听起来无论凯尔看向哪里，他都能在这些家用路由器甚至商用路由器中发现漏洞。

It sounds like no matter where Kyle looks, he finds bugs in these home routers and even business class routers.

我觉得它们还有很长的路要走，我认为在大多数厂商那里，安全仍然是一个事后考虑的问题，直到这种心态改变，直到他们真正请一些优秀的渗透测试人员来测试他们的产品。

I think they're still got a long way to go, and I still think that security is an afterthought in most of the, you know, vendors until that mentality changes and until they, you know, really put some thought into just getting, you know, some good pen tester to test their product.

我们还会继续看到这些问题。

We're still gonna continue to see these things.

你正在收听《暗网日记》。

You've been listening to Darknet Diaries.

如需节目笔记和链接，请访问darknetdiaries.com。

For show notes and links, check out darknetdiaries.com.