SN 1049：DNS缓存投毒卷土重来——勒索软件支付额暴跌

它里面有一个文件系统。

It had a file system in there.

所以

So

嗯，这是一个安卓设备，对吧？

Well, it's an Android device, right?

那就是

That's the

关键所在。

whole point.

就像安卓手机一样，你可以用ADB进入并获取root权限。

And like an Android phone, you use ADB and you get into it and you can root it.

对。

Right.

但另一个要点是，iLife是一家中国公司。

The But other point is that iLife is a Chinese company.

你还记得你买那个中国产的开关吗，就是那个电源开关？

So remember when you bought that Chinese switch, the on off switch?

嗯。

Yeah.

你当时也有同样的担忧。

You had the same concern.

没错。

So right.

纳拉亚南的博客对在设备文件系统中发现其网络的未加密Wi-Fi凭证感到惊讶。

Narayanan's blog expresses surprise at finding his network's unencrypted Wi Fi access credentials sitting in the device's file system.

如果设备无法使用他的Wi-Fi凭证登录网络，他还能指望它怎么连接到他的网络呢？

How did he expect it to be on his network if it wasn't able to use his Wi Fi access credentials to log itself on?

他的博客还带着一些愤慨声称，这些凭证被发送回了设备制造商。

And his blog claimed with some indignity that those credentials were being sent back to the device's manufacturer.

他写道：此时，我已经启用了SSH端口访问，使我能够从计算机连接到该系统。

He wrote, At this point, I had enabled SSH port access, allowing me to connect to the system from a computer.

然后我重新组装了整个设备，因为他已经把整个东西都拆开了。

Then I reassembled the entire device because he had taken the whole thing apart.

在尝试了一段时间的Linux访问后，我找到了日志、配置文件，甚至发现了设备发送给制造商服务器的未加密Wi-Fi凭证。

After experimenting with Linux Access for a while, I found logs, configurations, and even the unencrypted WiFi credentials that the device had sent to the manufacturer's servers.

好吧，这些内容对我们听众来说都不该感到惊讶。

Okay, so none of this should come as any surprise to our listeners.

但我之所以想花点时间分享这个，是因为假设某件事可能发生是一回事，而真正去检查并面对一个现实中正在发生的实例则是另一回事。

But the reason I wanted to take some time to share it is that it's one thing to assume that something could happen, but it's something more to examine and confront a real world instance where it actually is happening.

换句话说，这种事情正在发生。

In other words, this is happening.

你知道，任何需要认证凭证才能连接网络的设备——实际上所有设备都需要这些凭证才能连接到你的Wi-Fi——无论它们看起来多么小巧无害，都可能保存着这些凭证，并很可能将它们泄露回设备的主服务器。

And, you know, essentially any device that's connected to a network that requires authentication credentials, and they all do in order to hook to your Wi Fi, no matter how small and innocuous that device may appear to be, will have those credentials, which it could very well be leaking back to the device's home servers.

它们根本没必要这样做。

There's no reason it ever should.

设备正常运行并不需要这样做，但也没有任何机制阻止它这样做。

It doesn't need to in order to function, but nothing prevents it.

很容易想象，某个角落的程序员会认为，收集并存档每一位客户的家庭路由器登录凭证很酷，仅仅因为这是可能的，而且存储成本低廉。

And it's easy to imagine some coder geek somewhere thinking that it would be cool to collect and archive every one of their customers' home router log on credentials for no other reason than it's possible and storage is cheap.

亚马逊这样做是有原因的。

And there are reasons because Amazon does this.

当你设置亚马逊设备时，它会说：我可以记住你的凭证。

When you set up an Amazon device, it says, I could just remember your credentials.

然后当你设置另一台亚马逊设备时，它就会自动连接到网络。

Then when you set up another Amazon device, it'll just join the network.

真让人安心啊。

How comforting.

如果你拥有一堆iLife设备，你可能会说：哦，对了，看啊，我可以自动把它们全部连接上。

And if you had a bunch of iLife devices, you might say, Oh yeah, look, I just hook them all up automatically.

是啊，真神奇。

Yeah, magic.

可不是它们在互相通信。

Not like they're talking to each other.

它们正在向母舰发送数据。

They're talking back to the mothership.

家里的办公室，没错。

The home office, yeah.

对，就是这样。

That's right.

在中国深圳。

In Shenzhen, China.

同样重要的是要认识到，任何联网设备都会向设计该设备的实体提供绕过网络路由器、访问该设备所连接的内部住宅网络的完全权限。

It's also important to appreciate that any connected device will be providing the entities that designed the device with full access behind the network's router to the internal residential network to which the device is authenticated.

在他的博客中，玛丽·耶农还指出，该设备默认预装了RTDY软件。

In his blog, Mary Yenon also noted, The device came with RTDY software installed by default.

这段小型软件允许远程获取设备的root权限，使制造商能够在客户不知情的情况下远程运行任何命令或安装任何脚本。

This small piece of software allows remote root access to the device, enabling the manufacturer to run any command or install any script remotely without the customer's knowledge.

当然，再次强调，这是一个你赋予了网络访问权限的滚动Linux平台，它正在向家外发送数据。

Of course, again, it's a rolling Linux platform that you've given access to your network to, and it's phoning home.

因此，任何使用这些设备的人，都相当于无形中邀请了一个功能强大的、联网的、基于Linux的消费级计算设备进入家中，并赋予它对家庭内部网络的完全访问权限。

So anyone using one of these will implicitly have invited a powerful network aware Linux powered consumer computing device into their home and giving it full access to their home's internal network.

我们都熟悉特洛伊木马的故事。

We all know the story of the Trojan horse.

我之所以祈祷与东方朋友的敌对局势永远不会升级，其中一个原因就是，中国政府内部一定有人非常清楚，他们已经对西方所有较富裕家庭的内部住宅网络拥有持久的访问权限。

One of the many reasons I pray that hostilities with our friends in the East never escalate is that there must be people inside the government of the PRC that understand quite well that they already have persistent access into the internal residential networks of all of the more upscale homes in the West.

我确信，这些设备都不是被设计成特洛伊木马的，但任何足够灵活的设备都可能被用作特洛伊木马。

I'm certain that none of these devices were designed to be Trojan horses, but any of them with sufficient flexibility can fill that bill.

消费级路由器中出现的独立访客Wi-Fi功能是一件非常好的事，但仍然必须确保启用访客Wi-Fi网络的隔离功能，而不仅仅是为访客设置一个额外的SSID和密码。

The emergence of isolated guest Wi Fi accounts in capabilities in consumer routers has been a very good thing, but it's still necessary to be certain to enable that guest Wi Fi account network isolation, not to just have an additional SSID and password for your guests.

隔离通常不是默认设置，因为刻意在主网络和访客网络之间设置的屏障，可能会导致主网络上的设备需要访问私有或访客网络设备时产生额外的开销。

Isolation is typically not the default because the barriers it deliberately erects between your main network and the guest network can result in some additional overhead when devices on the primary network need to contact devices on the private or the guest network.

我确信，几乎没有任何普通消费者真正理解将物联网设备引入家中意味着什么。

I'm sure that virtually no regular consumers appreciate what it means to have invited IoT gadgets into their homes.

几乎可以肯定，什么都不会发生。

It's almost certain that nothing would ever come.

可能这一切最终都会不了了之。

Probably this will all amount to nothing.

但愿我们这么做后什么都不会发生。

Let's hope nothing will ever come of having done so.

但至少，所有具备安全意识的用户——比如所有听这个播客的人——都应该在心里时刻保持警惕。

But at the very least, it's something that all security aware users, like everyone listening to this podcast, should just, you know, take up some residence in the back of their mind.

所有这些物联网设备，利奥，正如你所说，都会连回上海、深圳，或者谁知道哪儿，它们都有连接。

That all of these IoT things, Leo, as you said, they phone home to to Shanghai or Shenzhen or who knows where, and they've got connections.

没有任何正当理由让这个在地板上滚动的吸尘器把数据传回总部。

And there's no justifiable reason for this vacuum rolling around the floor to be streaming data back to central headquarters.

我的意思是，对他们来说，存储成本很低。

I mean, the problem is storage is cheap for them there.

现在，我们的带宽 everywhere 都很便宜。

Bandwidth is cheap for us everywhere now.

没有任何东西能阻止这种情况发生，而它确实在发生。

Nothing prevents it from happening, and it is happening.

是的。

Yeah.

你应该假设它确实如此。

You should assume it is.

医生。

Doctor.

是的，我的意思是，是。

Yeah, I mean, is.

我经常想做的一件事，但一直没时间，也许等我把所有其他真正想完成的软件都做完之后，就是去查看一下路由器的实际带宽使用情况，这真让人害怕。

One of the things I've often wanted to do, but I've never had the time, maybe once I get all of the other software that I really want to get done as my primary finished, is it is quite frightening to look at one's actual bandwidth at the router.

我坐在电脑前什么都没做，突然间大量数据从我的网络中流出。

I'm sitting at my computer doing nothing, and suddenly a huge amount of data leaves my network.

为什么？

Why?

我什么都没做，但我亲眼看见它发生了。

Nothing I did, but I could see it happening.

如果能分辨所有这些流量，并创建一个用户界面，向关心的人展示谁在和谁通信，那会非常酷。

It would be really cool to be able to disambiguate all of that traffic and create a user interface that shows users who care who's talking to who?

这些到底都在发生什么？

What is all this going on?

因为我们的网络非常繁忙，而我们对此却毫无可见性。

Because our networks are very, very busy and we have no visibility into that.

嗯，我的意思是，我们以前用Wireshark就能做到，对吧？

Well, I mean, we used to be able to do that with Wireshark, right?

我的意思是，你可以运行类似Wireshark的工具。

I mean, you could run something like Wireshark.

是的，但你得到的只是原始的数据包转储。

Yeah, but all you get is a raw packet dump.

我的意思是，这并没有什么特别的，我希望能有人一看就说，哦，那是apple.com。

I mean, it's not doing any great mean, you I'd like people to say, oh, that's apple.com.

别担心。

Don't worry.

这只是你的苹果设备在做一些工作。

That's just your iThings, you know, doing some work.

但如果你发现有大量的数据流向中国，能知道是哪个设备在进行这种通信就好了。

But, you know, if it's heading off to there's, like, large bandwidths of stuff going off to China, it'd be nice to know which of your devices, you know, is doing that talking.

而且我

And I

你可以用Wireshark记录下来，然后发送给AI，让它进行翻译或分析。

bet you could record with Wireshark and then send it to an AI, have it kind of translate it or analyze it.

我相信你可以做到这一点。

I bet you you could do that.

是的。

Yeah.

步骤很多。

Lot of steps.

只是

Just

你应该为Zapier设置一下。

like You should have have for Zapier.

我希望有一个简洁的用户界面，或者上传到GRC，让GRC上的一个页面显示出来。

I would like to have a, you know, a nice little UI or maybe upload it to GRC and a page at GRC will show you.

好的。

Okay.

史蒂夫，那里谁负责？

Steve, who's in charge there?

结果是个非常忙的人。

Somebody who's very busy, it turns out.

是个手忙脚乱的人，没错。

You're Somebody who's scrambling to Yeah.

我原以为在安迪发布他的网站之前，我就该完成基准测试了，但现在几乎是并驾齐驱了

I expected I would have the benchmark finished before Andy had his website published, but right now it's kind of neck and

并驾齐驱。

neck.

我在

I'm

不确定。

not sure.

这是一场竞赛。

It is, it's a race.

好的。

Okay.

所以我看了一点关于一些新的俄罗斯立法的新闻，挺有趣，但并不是特别有说服力。

So, I was looking at a bit of news about some new Russian legislation that was interesting, but not particularly compelling.

我想，好吧，我不会把这篇文章放进播客里，除非它能与四年前中国实施的类似立法的明显结果联系起来。

And I thought, okay, I'm not going to put this in the podcast until that article tied back to the apparent results from the similar legislation that China had put in place four years ago.

当时我谈过这个。

Talked about it at the time.

我们的听众会对此感到熟悉。

It's going to be familiar to our listeners.

但这表明这一切都很重要。

But this suggests that all of this is important.

所以事情是这样的。

So here's what happened.

俄罗斯立法者——这是我从找到的新闻文章中读到的——正在制定一项新法案，要求安全研究人员、安全公司以及其他白帽黑客将他们发现的所有漏洞报告给国家，这项法案的精神与中国自2021年起实施的法律相似。

Russian lawmakers, this is I'm reading from the piece of news that I found, are working on a new bill that would require security researchers, security firms, and other white hat hackers to report all vulnerabilities they find to the state in a law that's similar in spirit to a law already in effect in China since 2021.

还记得我们之前讨论过中国的情况吗？在那里，组织会根据提交给国家的漏洞数量进行排名，提交得越多，声誉等级就越高。

Remember, we talked about this in China where you actually, like organizations were ranked and like got a higher reputation level if they submitted more vulnerabilities to the state.

甚至还有最低报告要求，以维持在‘好人名单’上的资格。

And there was even like a minimum required reporting level in order to like stay on the good guys list.

我的意思是，他们真的把这变成了一件关乎面子的事情，符合中国文化的特点。

I mean, they really made it like a saving face sort of thing for the Chinese culture there.

文章中提到，我们稍后再回过头来谈这一点。

And what the article said, we will circle back to that in a second.

文章称，这项俄罗斯法案目前仍在立法者之间讨论，尚未公布正式草案。

The article says the bill is currently being, the Russia bill is currently being discussed among lawmakers and no official draft is available yet.

这是俄罗斯规范其白帽生态体系的一部分，官员们早在2022年就开始推动这一进程。

It is part of Russia's efforts to regulate its white hat ecosystem, a process officials began working toward three years ago in 2022.

此前的所有努力都失败了，最近一次尝试于今年七月在国家杜马被否决，理由是该提案未考虑到报告政府和关键基础设施网络漏洞的特殊情形与需求。

All previous efforts have failed, with the most recent one being knocked down in the DOMA in July on the grounds that it did not take into account the special circumstances and needs of reporting bugs in government and critical infrastructure networks.

据向俄罗斯商业杂志《RBC》透露的消息来源称，一项新的法案草案正在拟定中。

According to sources who spoke to Russian business magazine RBC, a new draft of the bill is being prepared.

这一即将出台的版本最大的变化是，不仅要求将所有漏洞报告给厂商或网络所有者，还必须同时向俄罗斯当局报告。

The biggest change in this upcoming version is the addition of a requirement to not only report all vulnerabilities to the vendor or network owner, but also to Russian authorities.

三个国家机构将负责这一新的统一系统，该系统将接收漏洞报告，并为研究人员制定新的规则或要求。

Three state agencies will be in control of this new unified system that takes in vulnerability reports and will be making new rules or requirements for researchers going forward.

包括该国主要的内部情报机构——众所周知的联邦安全局（FSB）、国家计算机事件协调中心（自2018年起由FSB创建和运营的类似CERT的组织），以及隶属于俄罗斯军方的联邦技术与出口控制局（FSTEC）。

Include the country's main internal intelligence service, you know, the well known FSB, the National Coordination Center for Computer Incidents, which is sort of a CERT like organization created and operated under the FSB since 2018, and the FSTEC, which is Russia's Cryptography Export Control and Dual Use Technology Agency under the country's military.

因此，根据这项拟议的新法案，未能向这一国家统一系统报告漏洞的安全研究人员，将因非法转让漏洞而面临刑事指控。

So under this proposed new forthcoming legislation, security researchers who fail to report bugs to this state unified system will face criminal charges for unlawful transfer of vulnerabilities.

换句话说，将诞生一种新机制——法律强制要求将漏洞转移给国家。

In other words, a new thing is going to get created, like where you have to transfer vulnerabilities by law to the state.

如果你不报告，就会因非法传输漏洞而面临刑事指控。

And if you don't, then you face criminal charges under unlawful transfer.

该法案还将引入新的注册制度，分别针对运营漏洞赏金计划的公司和研究人员本身。

The bill will also introduce a new concept of registries for companies that run bug bounty programs and for registries for researchers themselves.

你必须注册才能成为研究人员，白帽黑客必须向国家提供真实姓名。

You have to register to be a researcher where white hats will have to provide their real names to the state.

不再允许使用这些黑客绰号。

No more of these hacker monikers.

这一条款在之前的法案版本中一直存在争议，私营部门和安全研究人员因一些正当理由强烈反对。

This last part has been a contention in previous versions of the bill with the private sector and security researchers pushing back hard against it for some legitimate reasons.

正如俄罗斯商业杂志RBC的文章所指出的，研究人员对向政府提供真实姓名感到不安。

As the RBC piece, which is that Russian business magazine, points out, researchers are uncomfortable with providing the government with their real names.

他们认为，如果该系统发生泄露或被黑，将严重威胁他们的安全，可能遭到犯罪团伙绑架，并在暴力威胁下被迫提供漏洞。

They argue that a leak or a hack of this system would pose serious threats to their safety, being at risk of being kidnapped by criminal groups and forced to produce vulnerabilities under the threat of violence.

天哪。

Yikes.

他们还担心自己的数据落入外国政府手中，后者可能冻结他们的账户，或在他们出国参加大会或度假时逮捕他们。

They also fear their data falling into the hands of foreign governments, which may sanction their accounts or arrest them on trips abroad for conferences or vacations.

是的，所有这些都曾发生过。

And yes, all of that's been seen.

因此，那些发现漏洞的人希望保持匿名，他们为此提出了强有力的论据，因为他们的工作被视为精英黑客的成果，不仅对俄罗斯政府有价值，对犯罪分子也同样有价值。

So, yeah, so the guys who are finding the vulnerabilities want to remain anonymous, and they're making a strong case for that because they're seen as elite hackers whose work product has real value, not only to the Russian government, but to the criminal side.

因此，这项法案旨在涵盖白帽生态系统的各个方面，包括商业漏洞赏金计划、企业内部漏洞奖励计划、私营公司的漏洞赏金，以及个人研究者进行的业余工作和渗透测试任务。

So the bill is intended to cover all facets of the white hat ecosystem from commercial bug bounty programs to internal vulnerability rewards programs, you know, bug bounties, at private corporations and from individual researchers doing hobby work to pen testing assignments.

基本上，任何身处俄罗斯境内、有可能发现任何软件漏洞的人。

So basically anybody who is in a position to ever find a bug in any software who's inside of Russia.

所有漏洞，无论在哪里、以何种方式发现，都必须上报。

All bugs, no matter where and how they were found, must be reported.

如果研究人员遵守规定，他们将获得法律责任保护。

And researchers will receive legal liability protection if they follow the rules.

因此，他们不会因为报告某商业软件中的漏洞而被商业公司起诉。

So they cannot be, you know, sued by a commercial company for reporting a bug in that commercial software.

所以这一点很重要。

So that's important.

只要他们遵守这些规定，就能获得法律责任豁免。

Legal liability protection, so long as they abide by these rules.

然而，这种责任豁免在过去不足以让俄罗斯信息安全界站在政府一边，现在可能仍然不足以说服他们：为了自身利益而公开真实姓名，并免费向政府提交所有研究成果——而这正是这项法案的实质要求。

The liability protection, however, was not enough to get the Russian InfoSec community on the government's side last time and may still not be enough to convince them this time around that it's in their best interests to reveal their real names and give the government a copy of all their research for free, which is what this also amounts to.

因此，俄罗斯正在推动一项立法，要求所有安全研究人员向俄罗斯政府注册，提供真实姓名和身份信息，并强制报告任何发现的软件缺陷。

So Russia is working toward legislation which would require all security researchers to register with the Russian government, giving them their real name and identity information and mandatory reporting of anything they might discover in software that doesn't work as it should.

现在，这部分内容虽然并不令人意外，却最为令人担忧。

Now here's the part, while not surprising, is most worrisome.

但你可能想不到，我们甚至还没说到重点。

And believe it or not, we didn't even get there yet.

2021年7月，当时我们就讨论过，中国政府通过了一项类似法律，要求所有中国研究人员和安全公司必须在发现漏洞后48小时内向政府报告。

In July 2021, which we talked about at the time, the Chinese government passed a similar law that required all Chinese researchers and security firms to report bugs to the government no more than forty eight hours after its discovery.

人们担心中国政府会滥用这些未修复漏洞报告的初衷，将其用于自身的进攻性行动，而时间已经证明这种情况确实在发生。

People were worried that the Chinese government would abuse the intent behind these reports of unpatched bugs, unpatched and unknown bugs, to benefit its own offensive operations, and time has proven that to be happening.

自四年前中国法律生效以来，中国高级持续性威胁（APT）组织对零日漏洞的使用大幅增加。

The use of zero days by Chinese APTs, Advanced Persistent Threat Groups, has increased dramatically since the Chinese law went into effect four years ago.

俄罗斯新版白帽研究法的草案预计将在今年年底前提交国家杜马，但尚不清楚是否能通过，因为这一议题三年来已引发大量争议，俄罗斯信息安全界对此提出了有力反对，至少对公共注册部分如此。

A draft for Russia's new white hat research law is expected to reach the Duma by the end of the year, although it's unclear if it will pass since this whole thing has had three years worth of controversy attached to it already with the Russian InfoSec community making a good argument against it, or at least the public registry part of it.

好吧。

Okay.

因此，这一更新促使我进一步深入调查。

So this update caused me to go digging a bit further.

我找到了一份关于中国这一项目现状的智库研究报告。

And I found a piece of think tank research about the status of this Chinese program.

该智库写道：中国国家互联网信息办公室（CAC）、公安部（MPS）和工业和信息化部（MIIT）于2021年7月发布了《网络产品安全漏洞管理规定》，简称RMSV。

The think tank wrote, The Cyberspace Administration of China, CAC, the Ministry of Public Security, the MPS, and the Ministry of Industry and Information Technology, the MIIT, published the Regulations on the Management of Network Product Security Vulnerabilities, known as the RMSV, in July 2021.

也就是四年前。

So four years ago.

甚至在法规于九月实施之前，分析人士就已对新法规的潜在影响发出警告。

Even before the regulations were implemented in September, analysts had issued warnings about the new regulation's potential impact.

争议点在于该法规要求软件漏洞——即攻击者可利用的代码缺陷——由行业在发现后48小时内向工业和信息化部报告。

At issue is the regulation's requirement that software vulnerabilities, you know, flaws in code that attackers can exploit, will note that they would be reported to the MIIT within forty eight hours of their discovery by industry.

这些规定禁止研究人员在补丁发布前公开漏洞信息，除非他们与产品所有者和工业和信息化部协调；不得发布用于演示漏洞利用方式的概念验证代码，也不得夸大漏洞的严重性。

The rules prohibit researchers from publishing information about vulnerabilities before a patch is available, unless they coordinate with the product owner and the MIIT, publishing proof of concept code used to show how to exploit a vulnerability, and they're not allowed to exaggerate the severity of the vulnerability.

实际上，该智囊团指出，这些法规将所有软件漏洞报告都导向了工业和信息化部，直至补丁发布。

In effect, the regulations the think tank wrote push all software vulnerability reports to the MIIT before a patch is available.

哦，这才是关键。

Oh, that's the key.

在补丁发布之前。

Before the patch is available.

是的。

Yes.

相反，美国目前的系统依赖于自愿向公司报告漏洞，这些漏洞来自追求金钱和声望的研究人员，或来自观察到野外实际利用行为的网络安全公司。

Conversely, the system currently in place in The US relies on voluntary reporting to companies with vulnerabilities sourced from researchers chasing money and prestige or from cybersecurity companies that observe exploitation in the wild.

他们写道，软件漏洞并非科技生态系统中平凡无奇的一部分。

They wrote software vulnerabilities are not some mundane part of the tech ecosystem.

黑客经常利用这些漏洞来攻击目标。

Hackers often rely on these flaws to compromise their targets.

对于负责进攻行动的组织，如军方或情报机构而言，拥有更多的漏洞更有利。

For an organization tasked with offensive operations, such as a military or intelligence service, it is better to have more vulnerabilities.

批评者认为这类似于囤积武器库。

Critics consider this akin to stockpiling an arsenal.

当攻击者确定目标后，他们可以查阅一个包含可利用漏洞的数据库来实施行动。

When an attacker identifies a target, they can consult a repository of vulnerabilities that enable their operation.

收集更多漏洞可以提高行动的速度、成功率和范围。

Collecting more vulnerabilities can increase operational tempo, success, and scope.

拥有丰富工具库的操作人员效率更高，但公司会定期修补和更新软件，导致旧漏洞失效。

Operators with a deep bench of tools work more efficiently, but companies patch and update their software regularly causing old vulnerabilities to expire.

在不断变化的作战环境中，持续获得新的漏洞尤为宝贵，他们写道。

In a changing operational environment, a pipeline of fresh vulnerabilities is particularly valuable, they wrote.

再次强调，我将跳过这份冗长而详尽的报告的大部分内容，直接总结其结论。

Again, I'm going to wrap this up by jumping way down to some of this very long and detailed report's conclusions.

以下是真正支撑这一论点的四段内容。

Here are the four paragraphs that really make the case.

报告最后写道：三份早期报告描绘了中国软件漏洞生态系统的图景。

The report finishes writing, Three earlier reports contour China's software vulnerability ecosystem.

综合来看，这些报告表明，向外国公司报告的软件漏洞数量正在减少，且这些漏洞有可能被用于进攻性行动。

Combined, they demonstrate a decrease in software vulnerabilities being reported to foreign firms and the potential for these vulnerabilities to feed into offensive operations.

所以，它们就在这里。

So here they are.

第三。

Three.

首先，大西洋理事会的《龙尾》报告表明，中国的软件漏洞研究产业是全球漏洞披露的重要来源，而中国披露要求出台前的美国立法，显著减少了被列入美国实体清单的特定外国公司报告漏洞的数量，从而从生态系统中移除了一个重要的安全研究来源。

First, the Atlantic Council's Dragon Tails report demonstrates that China's software vulnerability research industry is a significant source of global vulnerability disclosures and that US legislation prior to China's disclosure requirements significantly decreased the reporting of vulnerabilities from specific foreign firms adding to The US entities list, removing an important source of security research from the ecosystem.

其次，微软《2022年数字防御报告》——该报告发布于中国新法案实施仅一年后——显示，基于中国的黑客组织所部署的零日漏洞数量相应增加。

Second, Microsoft's Digital Defense Report 2022, so that was only one year after the new legislation went into effect in China, showed a corresponding uptick in the number of zero days deployed by PRC based hacking groups.

微软明确将这一增长归因于RMSV，即这项新的报告要求。

Microsoft explicitly attributes the increase as a likely result of the RMSV, which is this new reporting requirement.

尽管不到一年的数据不足以构成趋势，但这两份报告都以符合中国过去将软件漏洞披露渠道武器化行为的方式，暗示了这项法规的影响。

Although less than a year's worth of data do not make a trend, Both reports gesture at the impact of the regulation in expected ways based on China's past behavior of weaponizing the software vulnerability disclosure pipeline.

最后，Recorded Future 在2017年发布了一系列报告，提供证据表明，向中国国家信息安全漏洞数据库（即由国家安全部运营的CNNVD）报告的关键漏洞，被有意延迟公开，用于进攻性行动。

And finally, Recorded Future published a series of reports in 2017 with evidence indicating that critical vulnerabilities reported to China's National Information Security Vulnerability Database, that's that CNNVD, which is run by the MSS, were being withheld from publication for use in offensive operations.

所以，在这项规定成为法律之前，这种情况就已经存在了。

So way before this became a law, it was already happening.

现在这项规定已成为法律，这种情况变得更加普遍。

Now with it being a law, it is happening more.

因此，这一切几乎毫无疑问地表明，中国作为一个冷静而积极的网络战参与者，正在竭尽全力整合并武器化不断被发现的已部署软件中的漏洞。

So this all leaves very little doubt that China, as a sober and aggressive cyberwar participant, is doing everything it can to marshal and weaponize the vulnerabilities that are continually being discovered in deployed software.

现在看来，俄罗斯也将很快正式推行类似的策略。

And now it appears that Russia will soon be formalizing a similar strategy.

如果他们能获得现有信息安全生态系统的支持，也许不得不稍微放宽注册要求，但显然，他们希望与中国采取的策略保持一致，而这一策略正使中国受益，却让其他人付出代价。

If they can get a buy in from the existing InfoSec ecosystem, Maybe they'll have to, you know, soften the registration requirements a bit, but clearly, they want to be at parity with the strategy that China has taken, which is benefiting China at everybody else's expense.

结果证明，利奥，软件并不完美。

It turns out, Leo, software is not perfect.

从来不会。

Ever.

谁能想到呢？

Who would have thought?

谁能料到呢？

Who would have thunk it?

你知道有一样东西是完美的吗？

You know one thing that is perfect, though?

我们的广告商。

Our advertisers.

我就知道你会猜对。

I knew you were going to guess correctly.

我们休息一下。

Let's take a little break.

我们马上回来。

We will come back.

实际上，当你在谈论我如何用Zapier自动化一个网络流以便使用Wireshark时，我正在想这件事。嗯，Zapier是我们的赞助商，所以我应该解释一下。

Actually, was thinking as you were talking about how I could use Zapier to automate a wire so I could have Wireshark Well, Zapier's our sponsor, so I should probably explain that.

我可以让Wireshark捕获所有流出网络的数据包，然后让Zapier用AI处理这些数据，并给我生成一份完整的报告。

I could have Wireshark get all the packets going outside the network and then have Zapier use AI to process that and deliver to me a finished report.

这看起来应该相当容易实现。

Seems like it'd be fairly easy to do.

事实上，我可能应该在想到的时候就去做了。

In fact, I probably should have done it while I was thinking about it.

本集《Security Now》由Zapier赞助播出。

This episode of Security Now brought to you by Zapier.

我确实经常在想，如何用Zapier让我的生活更轻松。

I I actually am always thinking about ways I can use Zapier to make my life easier.

Zapier可以连接你使用的所有不同工具，它支持成千上万种工具，几乎涵盖了所有主流应用。

Zapier lets you connect all the different tools you use and it supports thousands of them, pretty much everybody.

它能将这些工具连接起来，形成自动化工作流，帮你节省时间。

It lets you connect those tools in ways that save you time into workflows.

但现在Zapier有了令人兴奋的新变化。

But now things have changed with Zapier in a way that's very exciting.

多年来我一直用Zapier做各种事情，比如家庭自动化。

I've been using Zapier for years for all sorts of stuff, home automation.

我用它来处理工作。

I use it for work.

每次我收藏一篇文章，它都会自动被发布到我的Mastodon实例，同时也会被格式化后发送到Google表格中的一行，制作团队会用这些数据来制作节目笔记。

Every time I bookmark a story, it's automatically tooted, sent to my Masternode instance, but it's also sent formatted and sent to a Google spreadsheet as a line on the spreadsheet, which the producers then use to create the show notes.

我的意思是，这真是一个非常有用的工具。

I mean, it's really a very useful tool.

但现在Zapier新增了一个功能，让我更加兴奋。

But now Zapier has added a new feature that makes me even more excited.

我们在这档节目中总是谈论AI。

We're always talking about AI on the show.

我的意思是，过去几个月里每个人都在谈论AI。

I mean, everybody has been talking about AI for the last few months.

但谈论趋势并不能帮助你在工作中更高效。

But talking about trends doesn't help you be more efficient at work.

为此，你需要合适的工具。

For that, you need the right tools.

你需要Zapier。

You need Zapier.

Zapier是你打破炒作周期、将AI应用于公司各处的方式。

Zapier is how you break the hype cycle and put AI to work across your company.

Zapier是什么？

What is Zapier?

Zapier是你真正落实AI战略、而不仅仅是空谈的方式。

Well, Zapier is how you actually deliver on your AI strategy, not just talk about it.

把Zapier想象成一个AI编排平台，你可以将AI的强大功能融入任何工作流程，从而专注于更重要的事情。

Think of Zapier as an AI orchestration platform where you can bring the power of AI to any workflow so you can do more of what matters.

让Zapier运行Wireshark，获取Wireshark信息，通过Claude处理，你可以为Claude编写所有脚本，包括提示词等内容，让其解读并生成易于使用的报告，从而弄清你的设备正在与什么通信。

Have Zapier run Wireshark, get the Wireshark information, process it through Claude, have Claude, and you can have all the scripting for Claude, what the prompt is and everything, interpret it and generate an easy to use report so that you can figure out what your devices are talking to.

你可以让报告以电子表格形式呈现，包含设备名称、其连接的网址、发送的数据包样本等信息。

You could have the report be a spreadsheet with the device name, the URL that it's contacting, a sample of the packets it's sending, that kind of thing.

用 Zapier 做起来非常简单。

Very easy to do with Zapier.

它让你能够将 AI 带入任何工作流程，从而更专注于真正重要的事情。

It lets you bring AI to any workflow so you can do more of what matters.

我可以把它用在我的书签工作流中，自动总结我为某个节目收藏的所有文章，从而生成一份简报手册。

I could have it with my bookmark workflow automatically do a summary of all the stories I've bookmarked for a show so I can have a briefing book.

用途无穷无尽。

The uses are endless.

将顶级 AI 模型——所有主流模型，如 ChatGPT、Claude 等——与你的团队已使用的工具连接起来。

Connect top AI models, all of the big ones, ChatGPT, Claude, whatever, to the tools your team already uses.

这才是关键。

And this is the key.

如果你使用 Zapier，我敢肯定你有很多经常使用的流程，它们被称为 Zaps。

If you use Zapier, I'm sure you have many workflows, but they call them Zaps that you use all the time.

我知道我有。

I know I do.

我有一整套这样的流程。

I have a whole library of them.

现在我要重新检查它们，看看哪里可以加入AI， wherever需要就直接接入。

Well, now I'm going to go back through them and look and see where I could add AI, just plug it in wherever I need it.

无论是AI驱动的流程、自主代理、客户聊天机器人，还是仅用AI来解读通过Zapier流程流动的数据。

Whether that's an AI powered workflow or an autonomous agent, a customer chatbot, or just using AI to interpret the data that's flowing through the Zapier workflow.

我的意思是，潜力无限。

I mean, the sky's the limit.

只要你能想到，就能用Zapier来协调实现。

If you could think of it, you can orchestrate it with Zapier.

顺便说一句，你不需要会编程。

And by the way, you don't have to be a coder.

Zapier是为每个人设计的。

This is Zapier is for everyone.

你不需要是技术专家。

You don't have to be a tech expert.

团队已经使用Zapier自动化了超过3亿个AI任务。

Teams have already automated over 300,000,000 AI tasks using Zapier.

加入数百万正在用Zapier和AI改变工作方式的企业。

Join the millions of businesses transforming how they work with Zapier and AI.

免费开始使用。

Get started for free.

立即访问 zapier.com/security。

Visit zapier.com/security now.

就是 zapier.com/security，现在就去。

That's zapier.com/security now.

真有趣。

It's funny.

我们聊天室里的Quippy刚刚在Discord上发了消息。

Quippy in our chat room has just posted in the Discord.

这是一项非常酷的技术。

This is a really cool technology.

确实如此。

It is.

我的意思是，AI的问题之一就是，好吧，我坐在提示框前。

I mean, of the problems with AI is, you know, okay, I'm sitting at the prompt.

现在我该做什么？

Now what do I do?

Zapier 让这一切变得简单。

Zapier makes it easy.

你不需要考虑这些。

You don't have to think about that.

你说，这是数据。

You say, here's the data.

这是我需要的。

Here's what I need.

生成它。

Produce it.

很简单。

It's easy.

Zapier.com/security。

Zapier.com/security.

现在免费试用。

Now try it for free.

我想你会喜欢的。

I think you'll like it.

我得提醒你，你会上瘾的。

I gotta warn you, you'll be hooked.

继续，我们来谈谈分散的蜘蛛，但别害怕。

On we go, let's talk about scattered spiders, but don't be scared.

这里没有昆虫。

There's no insects involved here.

只是一些坏人。

Just some evil people.

三个，这真让人难过。

Three Well, it's sad.

三天，是的。

Three days Yeah.

所有黑客在青少年时期都是这样，对吧？

Were all hackers as teenagers, right?

我知道你也是。

I know you were.

我多次说过，如果我今天还在上高中，我会有着强烈的道德感，

I've said many times, if I were in high school today, well, I have a strong sense of ethics,

所以，是的。

so Yeah.

你不会去勒索公司或做类似的事情。

You wouldn't be ransom wearing companies or anything like that.

不。

No.

正如我之前提到过的，至少有一次，我拥有整个学区的万能钥匙，可以打开高中里任何一扇门。

Had a as I mentioned once before, maybe at least once, I had a master key to the district, the entire school district opened any door in the high school and any high school.

天哪。

Oh my God.

但你没有用它来做坏事。

But you didn't use it for evil.

没有。

No.

而校长最终把我叫到办公室说：你们这些孩子，因为当时有一小群人，本来会惹上大麻烦，但我们知道当校工丢掉他的万能钥匙串时的情况。

And the principal who had me in his office finally said, you know, you kids, because there was a small group of us, would be in real trouble, except we know when the janitor lost his master key ring.

所以我们知道你们持有这些钥匙有多久了。

So we know how long you've had these keys.

根本没有人报告任何盗窃或问题。

No one has reported any theft or problem at all.

我们说：‘是啊，我们只是觉得拥有它很酷。’

And we said, Yeah, we just thought it was cool to have.

如果是我校长，他会说：‘看吧，我一直说你是个表现不佳的学生，拉波特。’

If it had been my principal, he would have said, See, I've always said you were an underachiever, Laporte.

一点野心都没有。

No ambition at all.

你从来都没用过那把钥匙。

Never used that key once.

所以，三天前，BBC报道了一则新闻，关于两名青少年被捕的事，他们是分散蜘蛛黑客组织的成员，这个组织我们最近讨论得很多，但别忘了，黑客确实正在被抓获并承担责任。

So, okay, three days ago, the BBC carried some news about the arrest of a pair of teens who were members of the scattered spider hacking collective, which, you know, we've been talking about so much recently, since it's not worth losing sight of the fact, or I should say it's worth not losing sight of the fact that hackers are being caught and held responsible.

你知道，我很少这么说。

You know, I don't say that often enough.

我看到这些新闻一晃而过。

I see the stories go by.

这些就是那些被抓到的人，你知道的，他们被逮住了，但这种情况很少上我们的播客。

These are those people, you know, they got nabbed and everything, but it doesn't often make the podcast.

所以我想，让我们暂停一下，确保大家明白这些孩子、黑客们并不会永远逍遥法外。

So I thought, let's just pause here for a second to make sure people understand that these kids, hackers, are not getting away with this like forever.

不过，这种时间延迟确实有点奇怪。

Although it is weird what time delay there is.

我来解释一下。

I'll explain this.

因此，BBC三天前报道了这一事件。

So the BBC reported on this incident three days ago.

报道称，两名青少年出庭受审，被指控与去年针对伦敦交通局（TFL）的网络攻击有关。

They wrote two teenagers having appeared in court facing computer hacking charges in connection with last year's cyber attack on Transport for London, TFL.

这两名18岁和19岁的青年被控合谋违反《计算机滥用法案》，实施未经授权的行为。

The 18 and 19 year olds were charged with conspiring to commit unauthorized acts under the Computer Misuse Act.

他们于周五在南华克皇家法院出庭，仅确认了自己的姓名。

They appeared at a hearing at Southwark Crown Court on Friday and spoke only to confirm their names.

法官托尼·鲍姆加特纳将下一次听证会定于11月21日，审判日期定为2026年8月6日。

Judge Tony Baumgartner scheduled a further hearing for the November 21 with a trial date set for 06/08/2026.

去年的这次网络攻击导致伦敦交通系统中断了三个月，影响了地铁实时信息、在线行程记录以及Oyster应用的支付功能。

The cyber attack caused three months of disruption to transport for London last year and affected live tube information, online journey history, and payments on the Oyster app.

我不清楚这些是什么，但我猜如果你在伦敦，你就懂。

Don't know what any of that is, but I guess if you're in London, you do.

这两名青少年最近被英国国家犯罪署逮捕。

The teenagers were recently arrested by the National Crime Agency.

最近才被逮捕，意味着在很长一段时间里，他们以为自己已经逍遥法外了。

So recently arrested, meaning a lot of time went by during which they thought they'd gotten away with this.

他们于9月16日被英国国家犯罪署和伦敦市警察局逮捕，几周前的事，两天后被正式起诉。

Recently arrested by the National Crime Agency and City of London Police on the September 16, so a few weeks ago, and were charged two days later.

国家犯罪署表示，他们相信这次黑客攻击始于八月，由网络犯罪组织Scattered Spider的成员实施。

The NCA said it believed that the hack, began on August, was carried out by members of cybercriminal group Scattered Spider.

伦敦交通局表示，这次黑客攻击造成了3900万英镑的损失和运营中断。

TFL said the hack cost it £39,000,000 in damage and disruption.

黑客事件发生后，伦敦交通局向约5000名客户发信，称其个人信息如银行账户号码、电子邮件和家庭地址可能遭到未经授权的访问。

Following the hack, TFL wrote to around 5,000 customers to say there may have been unauthorized access to their personal information such as bank account numbers, emails, and home addresses.

所以，他们只有18岁和19岁，现在却一辈子都背上了成年计算机罪犯的犯罪记录。

So again, 18 and 19 years old, and now they'll have an adult computer criminal crime record for the rest of their lives.

他们 presumably 拥有一定的软件技能，也喜欢计算技术，但在软件技能并不稀缺的环境中，谁会正常地雇佣他们来做任何与计算机相关的工作呢？

They presumably have some software skills and enjoy computing technology, but in, you know, an environment where software skills are not scarce, who in their right mind would hire either of them to do anything that was computer related?

你知道的，去炸汉堡没问题，但别碰我们的销售终端，因为你们是计算机罪犯，而且永远都是。

You know, flip burgers, fine, but stay away from our point of sale terminals because you guys are computer criminals, and they always will be.

真遗憾，他们因为这么做而毁了自己的前程。

So, boy, sad that they messed up by doing that.

上周四，也就是前一天，欧盟认定Facebook、Instagram和TikTok应用程序违反了欧盟《数字服务法》（DSA）的相关条款。

Last Thursday, the day before, the European Union found that Facebook, Instagram, and TikTok apps were and are in violation of terms of the EU's DSA, which is the Digital Services Act.

这项法律对此类违规行为有严厉处罚，Meta和TikTok可能被处以高达全球总收入6%的巨额罚款，这可是真金白银。

The act has some teeth in it for this breach, since Meta and TikTok could be fined an attention grabbing 6%, up to 6% of their total global revenue, which is cash.

欧盟的新闻稿解释了事情的来龙去脉。

The EU's press release explained what's going on.

今天，欧盟委员会初步认定TikTok和Meta未能履行《数字服务法》（DSA）规定的义务，即向研究人员提供充分的公共数据访问权限。

Today, the European Commission preliminarily found both TikTok and Meta in breach of their obligation to grant researchers adequate access to public data under the Digital Services Act, the DSA.

委员会还初步认定，Meta旗下的Instagram和Facebook未能履行其义务，即为用户提供简便的机制以举报非法内容，并允许他们有效挑战内容审核决定。

The commission also preliminarily found Meta for both Instagram and Facebook in breach of its obligations to provide their users simple mechanisms to notify of illegal content, as well as to allow them to effectively challenge content moderation decisions.

作为平台用户，应该有一种简便的方式向Meta举报并挑战Meta所作的决定。

There should be an easy way to do that as a user of the platform, both to notify Meta and challenge a decision that Meta has made.

委员会的初步调查结果显示，Facebook、Instagram和TikTok可能为研究人员申请访问公共数据设置了繁琐的程序和工具。

The Commission's preliminary findings show that Facebook, Instagram, and TikTok may have put in place burdensome procedures and tools for researchers to request access to public data.

没错，我们可不希望这样，因为研究人员可能会开展一些研究。

Right, we wouldn't want that because researchers might get up to some research.

这常常导致他们只能获得部分或不可靠的数据，从而影响其研究能力，例如用户（包括未成年人）是否接触到非法或有害内容。

This often leaves them with partial or unreliable data impacting their ability to conduct research, such as whether users, including minors, are exposed to illegal or harmful content.

允许研究人员访问平台数据是《数字服务法》规定的必要透明度义务，因为它使公众能够监督平台对我们身心健康可能产生的影响。

Allowing researchers access to platforms' data is an essential transparency obligation under the DSA as it provides public scrutiny into the potential impact of platforms on our physical and mental health.

就Meta而言，Facebook和Instagram似乎都没有提供——这仍是欧洲委员会在发言。

When it comes to Meta, neither Facebook nor Instagram appear to provide a this is still the European Commission speaking.

无论是Facebook还是Instagram，根据欧洲委员会经过大量研究后得出的结论，似乎都没有为用户提供友好且易于访问的通知与处理机制，以便用户举报非法内容，例如儿童性虐待材料和恐怖主义内容。

Neither Facebook nor Instagram, this is the European Commission's opinion on this after lots of research into this, appear to provide a user friendly and easily accessible notice and action mechanism for users to flag illegal content such as child sexual abuse material and terrorism content.

Meta当前采用的机制似乎给用户增加了若干不必要的步骤和额外要求。

The mechanisms that Meta currently applies seems to impose several unnecessary steps and additional demands on users.

此外，Facebook和Instagram在通知和处理机制方面似乎使用了所谓的黑暗模式或误导性界面设计。

In addition, both Facebook and Instagram appear to use so called dark patterns or deceptive interface designs when it comes to the notice and action mechanisms.

当然，几年前试图抵制从Windows 7升级到Windows 10的人们都深有体会，知道什么是黑暗模式。

And of course, anybody who was trying to resist the upgrade from Windows seven to Windows 10 a few years ago knows all about dark patterns.

您现在要更新吗，还是稍后再更新？

Would you like to update now or later?

这些做法，他们写道，可能会让人感到困惑并产生抵触情绪。

Such practices, they wrote, can be confusing and dissuading.

因此，Meta用于举报和删除非法内容的机制可能无效。

Meta's mechanisms to flag and remove illegal content may therefore be ineffective.

根据《数字服务法案》，通知与处理机制对于使欧盟用户和可信赖的举报者告知在线平台某些内容不符合欧盟或国家法律至关重要。

Under the DSA, notice and action mechanisms are key to allowing EU users and trusted flaggers to inform online platforms that certain content does not comply with EU or national laws.

如果在线平台在获知其服务上存在非法内容后未迅速采取行动，则不得享受《数字服务法案》规定的责任豁免。

Online platforms do not benefit from the DSA's liability exemption in cases where they have not acted expeditiously after being made aware of the presence of illegal content on their services.

好吧，一方面，你可以理解平台为什么想设置一些阻力，施加一点压力，就像保险公司那样，先拒绝你的第一次索赔，然后你得跟他们争一争，最后他们才说：好吧，行吧。

Okay, so on one hand, you can kind of see where the platform would like to put up some resistance, a little bit of back pressure, like the same way insurance companies do of denying your first claim, and then you've got to fight them a little bit and then they go, Okay, fine.

嗯，是的，我们会认可这个请求的。

Well, yeah, we'll honor that.

因为这样可以减少涌入和泛滥。

Because that reduces the influx and the flood.

同时，如果能证明他们没有及时做出回应，就会触发《数字服务法案》下的追责，从而丧失其责任豁免权。

At the same time, if they could be shown not to be responding in a timely fashion, that opens them to action under the DSA and they lose their liability protection.

所以他们现在是在走钢丝。

So they're walking a thin line here.

欧盟制定的《数字服务法案》还赋予欧盟用户权利，当平台删除其内容或暂停其账户时，用户可以对内容审核决定提出异议。

The EU wrote the DSA also gives users in the EU the right to challenge content moderation decisions when platforms remove their content or suspend their accounts.

目前，Facebook 和 Instagram 的申诉机制似乎不允许用户提供解释或支持性证据来佐证其申诉。

At this stage, the decision appeal mechanisms of both Facebook and Instagram do not appear to allow users to provide explanations or supporting evidence to substantiate their appeals.

这使得欧盟用户难以进一步说明为何不同意 Meta 的内容决定，也难以主张恢复内容，从而削弱了申诉机制的有效性。

This makes it difficult for users in the EU to further explain why they disagree with Meta's content decision, arguing for its restoration, limiting the effectiveness of the appeals mechanism.

本质上，Facebook 和 Instagram 不想为履行《数字服务法》要求而建立一个庞大的机制。

Essentially, Facebook and Instagram don't want to spin up a big mechanism for doing what the DSA requires them to do.

要做到这一点并不容易。

It's not going to be easy to do this.

他们更愿意直接大力抵制。

They'd rather just kind of push back a lot.

委员会写道，关于 Meta 的报告工具、黑暗模式和投诉机制的立场，是基于一项深入调查。

The Commission writes, The Commission's views related to Meta's reporting tool, dark patterns, and complaint mechanism are based on an in-depth investigation.

这些是初步调查结果，不会预判调查的最终结果。

These are preliminary findings which do not prejudge the outcome of the investigation.

Facebook、Instagram 和 TikTok 现在可以查阅委员会调查文件中的材料，并以书面形式回应委员会的初步发现。

Facebook, Instagram, and TikTok now have the possibility to examine the documents in the Commission's investigation files and reply in writing to the Commission's preliminary findings.

这些平台可以采取措施纠正违规行为。

The platforms can take measures to remedy the breaches.

与此同时，将咨询欧洲数字服务委员会。

In parallel, the European Board for Digital Services will be consulted.

如果委员会的观点最终得到确认，委员会可能会作出不合规决定，这可能导致对提供商处以高达其全球年营业额6%的罚款。

If the Commission's views are ultimately confirmed, the Commission may issue a non compliance decision which can trigger a fine of up to 6% of the total worldwide annual revenue of the provider.

委员会还可以处以定期罚款，以迫使平台遵守规定。

The Commission can also impose periodic penalty payments to compel a platform to comply.

新的研究者访问权限将于2025年10月29日，也就是明天，随着数据访问的授权法案生效而开启。

New possibilities for researchers will open up on October 29, tomorrow of 2025, as the delegated action on data access comes into force.

这是《数字服务法》的下一个部分。

That's the next part of the DSA.

该法案将授予研究人员访问超大型在线平台和搜索引擎非公开数据的权限，以增强其问责性并识别其活动可能带来的风险。

This act will grant access to non public data from very large online platforms and search engines aiming to enhance their accountability and identify potential risks arising from their activities.

好的。

Okay.

所以我的理解是，撇开细节不谈，这一切归根结底都表明整个在线科技行业正在经历一场重大转变。

So my takeaway from this is that details aside, what all of this amounts to is more evidence of a significant changing tide for the entire online tech industry.

未来十年将与过去十年大不相同。

The next ten years are not going to look like the last ten years.

到目前为止，网络世界一直是一个无法无天的自由地带。

Up to this point, the online world has been an anything goes free for all.

这种状况自世界开始发现用电话调制解调器拨号连接AOL的替代方式以来就一直存在。

This state of affairs has existed since the world began to discover an alternative to using their telephone modems to dial into AOL.

它被称为互联网。

It's called the Internet.

回过头看，这花的时间出人意料地长，对吧？

In retrospect, it has taken a surprisingly long time, right?

我的意思是，几十年来，政界人士一直没能意识到，他们有能力制定并执行针对这些全球性网络巨头行为的法规。

Mean, we've had decades of this for the political class to recognize that it's able to create and then enforce regulations on the behavior of these global online behemoths.

这可能要归咎于科技公司长期以来对政府礼貌提出的网络应用行为整改要求置之不理。

And it's probably the fault of the tech companies who have for so long thumbed their noses at polite governmental requests for online app behavioral changes.

我们在这档播客的整个生命周期中一直在报道这一点。

We've been covering that throughout the life of this podcast.

立法者终于厌倦了请求自愿整改，决定出台一些有强制力的法律。

The legislators finally grew tired of asking for voluntary change and decided to enact some laws with teeth.

我预计，这些大公司的政府合规部门将会变得庞大得多。

I expect we're going to be seeing the government compliance departments of these large companies becoming much larger.

而且需要一种文化上的转变，改变我们对在线科技公司能做什么的看法。

And there's going to be a need for a culture change, a change in thinking about what we get to do with tech companies online.

在通往成功和全球主导地位的道路上，当某个应用的影响力变得足够强大时，这项服务就会越来越像公共事业，其影响力行为将受到监管。

Somewhere along the road to success and world domination, when an app's reach becomes sufficiently influential, that service begins to more closely resemble a public utility, and its influential behavior is going to be regulated.

现在，我们每周都会报道这场斗争的各个方面，因为它们上了新闻，正在发生，并且正在塑造我们的未来。

Now, every week, we cover various aspects of this struggle because they're in the news, they're what's happening, and they are determining the shape of our future.

到目前为止，大型科技公司一直享有在无法律约束的游乐场中为所欲为的完全自由。

Until now, big tech has had total freedom to do as it pleases in a lawless and unregulated playground.

我认为，到目前为止，每个人都应该清楚，这种现状正在改变。

I think it should be clear to everyone by now that this status quo is changing.

利奥？

Leo?

嗯。

Yeah.

我同意。

I agree.

这很有趣。

It's interesting.

唯一的问题是，政府究竟代表谁在行动。

The only issue is whether the government is acting who the government is acting in the on behalf of.

所以，如果他们代表我们来保护我们，那就太好了。

So if they're acting on behalf of us to protect us, great.

我完全支持。

I'm all for it.

但如果他们像欧盟经常做的那样，代表欧洲公司行事，很多人认为欧盟这是保护主义。

If they're acting as I think often the EU is on behalf of European companies, a lot of the people think that the EU's Protectionism.

对吧？

Right?

是的。

Yeah.

欧盟对苹果的打压是受Spotify的唆使。

That the EU's attack on Apple is at the behest of Spotify.

确实如此。

Well, it is.

Spotify提出了投诉。

Spotify complained.

当然，如果他们出于政治原因针对这些公司，那就是第三个可能并不那么好的理由。

And and of course, if they're acting against these companies for political reasons, that's a third reason that maybe isn't so good either.

只要他们代表我们的利益行事，那就没问题。

So as long as they're acting on our behalf, that's fine.

另一个例子是我们之前看到并讨论过的，当谷歌试图让欧洲同意其反跟踪技术时，这项技术其实很不错，但欧洲广告商却表示：我们不喜欢这个。

Another example is what we saw, and we covered this, when Google was trying to get Europe to agree to its anti tracking technology, which was really good, it was European advertisers who said, We don't like this.

顺便说一下，这个问题又出现了。

That's come up again, by the way.

欧盟现在又在抱怨苹果的广告追踪功能，那个叫什么来着？

The EU is is now complaining about Apple's ad track what what do call it?

应用跟踪。

App tracking.

你知道那个弹出的开关吗？就是问你是否允许该应用跨应用跟踪你的那个。

You know that switch that pops up where you said you wanna allow this app to track you across the

对。

Right.

欧盟正在抱怨苹果考虑为欧盟用户禁用这个功能，但这对用户来说是好事。

And the EU is complaining about Apple's actually thinking of of disabling it for EU customers, but it's a good thing for customers.

对吧？

Right?

是的。

Yes.

它会通知你。

It it notifies you.

没错。

Yeah.

所以这是一个例子。

So that's an example.

我敢肯定广告商已经对此抱怨了。

I'm sure that that's advertisers have complained.

所以这是保护主义的。

And so it's protectionist.

是的。

Yes.

人们说：不。

People are saying, no.

我不希望被追踪。

I don't want to be tracked.

我之前没意识到我在被追踪，但既然你问我，谢谢，我不希望被追踪。

I didn't realize I was, but now that you ask me, thank you, no, I don't want to

对，没错。

No, right.

像有90%看到这个的人会说：不，别追踪我。

Like 90% of people who see that say, No, don't track me.

所以，利奥，我完全理解你所说的受益者是谁，但其实这也不重要，对吧？

So I understand exactly what you mean, Leo, about who is to benefit, but it also doesn't matter, right?

我的意思是，这是欧盟法律，我们的大型科技公司必须遵守所在司法管辖区的法律，这种情况就会发生。

I mean, it's EU law and our big tech has to operate within the laws of the prevailing jurisdiction, then this is going to happen.

再者，想想我们过去那种西部荒野的态度，那些极具颠覆性的技术就这样横冲直撞，却没人说什么。

And again, think that, you know, we've had this like Wild West attitude where, you know, where really disruptive technologies have just come barreling in and no one said anything.

不知为何，今年2025年，空气中似乎弥漫着一种新的氛围：好吧，世界各地的政府都说，我们受够了这种状况。

It's that like suddenly, I don't know what it is in the air, but this year in 2025, it's like, okay, the governments everywhere are saying we've had enough of this.

我们要在这里制定一些法律。

We're going to put some laws down here.

而且没人说这不会造成混乱。

And I mean, and it's no one's saying it's not creating a mess.

我们一直在谈论年龄验证的灾难，对吧？这简直是一团糟。

We keep talking about it like the age verification disaster, you know, it's a mess.

但他们终于说：好吧，我们要实行年龄验证。

But they finally said, okay, you know, we're going to have age verification.

你们这些极客去想办法解决吧。

You geeks figure out how to do that.

嗯。

Yep.

这不是我们的问题。

Not our problem.

说到极客，如果以上这些还不够让你却步的话，那来看看这个消息：从今年12月起，也就是一个半月后，微软团队将添加可强制应用于用户的Wi-Fi追踪功能。

Speaking of geeks, if all of that wasn't enough to put a chill in your step, how about the news that starting this December, month and a half, Microsoft Teams will be adding Wi Fi tracking that can be forced upon its users.

也就是说，适用于团队客户端的用户。

That is, the users of Teams clients.

我最初看到一则简短报道，写道：微软团队将新增Wi-Fi追踪功能。

I first saw a little blurb about this, which read Microsoft Teams to get Wi Fi tracking feature.

报道称，微软团队的新功能将允许组织根据附近的Wi-Fi网络追踪员工。

It said a new Microsoft Teams feature will let organizations track employees based on nearby Wi Fi networks.

该功能旨在让雇主根据附近的网络了解员工的工作地点。

The feature is designed to let employers know what building an employee is working from based on nearby networks.

根据隐私专家的说法，这一新功能将使公司能够追踪那些逃避返岗要求的员工。

According to privacy experts, the new feature will allow companies to track down on workers who dodge their return to office mandates.

新的Wi-Fi追踪功能预计将于12月在Teams的Mac和Windows桌面客户端上线。

The new Wi Fi tracking is expected to roll out in December for the Teams Mac and Windows desktop clients.

这就是那则小新闻的全部内容。

So that's all the little blurb said.

这让我感到好奇。

That made me curious.

于是我找到了微软365路线图的通知。

So I tracked down Microsoft three sixty five Roadmaps notice.

微软对这一功能的标题是：Microsoft Teams：通过您组织的Wi-Fi自动更新您的工作地点。

Microsoft's title for this is, Microsoft Teams colon automatically update your work location via your organization's Wi Fi.

听起来不错，对吧？

Well, that sounds nice, right?

够无害吧？

Innocuous enough?

谁会想要开启这个功能？

Who would want to have that turned on?

微软对这一功能的简要说明是：当用户连接到组织的Wi-Fi时，Teams将能够自动更新其工作地点，以反映他们正在工作的建筑物。

Microsoft's short summary of that reads, When users connect to their organization's Wi Fi, Teams will soon be able to automatically update their work location to reflect the building they're working from.

此功能默认关闭。

This feature will be off by default.

租户管理员将决定是否启用该功能，并要求最终用户选择加入。

Tenant admins will decide whether to enable it and require end users to opt in.

换句话说，通过策略，它可以被强制开启。

In other words, by policy, it can be forced on.

因此，从这段表述中并不清楚，如果你连接到本地星巴克的Wi-Fi会发生什么，但它至少暗示公司会知道你不在公司内。

So it's not clear from that wording what happens if you were to connect from your local Starbucks Wi Fi, but it at least suggests that corporate would know you were not on campus.

我预计在今年年底该功能开始推出后，我们会听到一些团队成员的反馈。

I imagine we'll hear from some of our teams using listeners once this starts rolling out at the end of the year.

我很想知道，这种定位的精确度到底有多高。

I'll be interested to find out, you know, like what sort of granularity this provides.

如果你在星巴克登录，它只是显示‘不在校园’，还是我们根本无从得知？

If you're logging in from Starbucks, does it just say off campus or we don't know?

或者它可能会直接说：你正在星巴克。

Or maybe it'll say, oh, you're at Starbucks.

在一篇关于当前全球勒索软件威胁态势的长文中，有一条新闻引起了我的注意。

One bit of news stood out for me amid a long article about the current global ransomware threat landscape.

这篇深入调查的文章引用了这样一句话：95%的受访者对自己的勒索软件恢复能力充满信心。

The quote from the deeply researched article read, 95% of survey respondents are confident in their ability to recover from a ransomware attack.

好吧。

Okay.

对吧？

Right?

剩下的5%。

5%.

95%。

95%.

没错。

Yep.

几乎每个人。

Almost everybody.

我们没问题。

We're good.

我们没问题。

We're good.

来吧，宝贝。

Bring it on, baby.

我们能恢复。

We can recover.

我们准备好了。

We're ready.

结果发现，那些自信能达95%的人中，只有15%真正能做到

Turns out only 15% of those confident 95 were actually able

是的。

Yeah.

只能勉强应付一下。

To cover their So so only okay.

这解释了很多事情，史蒂夫，因为我一直想知道为什么人们会受苦？

This explains a lot, Steve, because I keep wondering why are people suffering?

你知道，为什么捷豹会因为一次勒索攻击而停摆一个月？

You know, why did Jaguar why were they down for a month with Yes.

勒索软件

Ransomware

他们的所有供应商都破产了，是的。

And all their suppliers went bankrupt and Yeah.

代价很高。

It costed.

英国的经济就像像

And The UK's economy were like like

20亿美元。

$2,000,000,000.

现在我明白了，捷豹的高管、IT人员和安全人员都很自信。

That's because now I understand the executives, the IT guys, the security guys at Jaguar were confident.

自信我们能从任何事情中恢复过来。

Confident we could recover from anything.

但他们没能做到。

And they couldn't.

他们按了备份按钮，结果就没了。

They pushed the backup button and it went.

我们

We

有一个赞助商，但我们稍后再谈。

have a sponsor for that, but we'll save that for a little later.

Coveware 是领先的勒索软件谈判公司。

Well, Coveware is the leading ransomware negotiation company.

这些家伙正身处事件的核心。

So these guys are right in the thick of things.

一个令人惊讶且令人欣慰的消息吸引了我关注他们上周五发布的2025年报告，那就是勒索软件付款率首次降至25%以下。

A bit of surprising and welcome news, which drew me to their 2025 report, which they published last Friday, was that for the first time ever, ransomware payment rates had seen a drop below 25%.

低于25%，现在已降至23%，意味着不到四分之一的受害者现在支付赎金。

Below 25%, they are down to 23%, meaning fewer than one in four are now paying ransom.

我把这个图表放在了节目笔记中第10页的顶部，因为这张图表非常直观好看。

I put the chart for this in the show notes at the top of page 10 here because it's a beautiful looking chart.

它在下降。

It's dropping.

这很有趣。

That's interesting.

是的。

Yes.

是的。

Yes.

它展示了从2019年到刚刚结束的2025年过去六年中勒索软件付款的百分比。

It shows the percentage of ransoms paid across the past six years from the 2019 through this just ended 2025.

当Coveware六年前开始绘制这一数据时，勒索付款率高达85%，即85%的勒索要求都得到了支付。

Ransom payout rates started at 85% when CoveWare began charting this six years ago, 85% of ransoms were being paid.

因此，当时几乎可以说是稳赚不赔。

So they were nearly a sure thing.

正如图表所示，自那以来，勒索付款的概率一直稳步下降。

As the chart shows, the probability of a ransom being paid has been dropping more or less steadily ever since.

正如我所说，直到今天，收到勒索付款的可能性已降至四分之一以下。

Until today, the chance of being paid a ransom has fallen to less than one in four, as I said.

不，我们总是关注被攻击的公司，并评论说做得还不够。

No, we're always looking at companies being attacked and commenting that enough is not being done.

但这张图表表明，过去六年中实际上已经发生了巨大变化。

But this chart suggests that in fact a great deal has changed over the past six years.

部分原因是越来越多的公司选择说不并拒绝支付，这是未付款的部分原因；但这也很可能意味着，由于IT部门向他们保证能够不依赖罪犯的帮助而恢复数据，因此更多公司有能力说不并拒绝支付。

Partly this might be more companies just saying no and refusing, so that's part of the non payment reason, but it also likely means that more companies are able to say no and refuse to pay because their IT departments have assured them that they'll be able to recover without paying for the criminal's help.

希望这些公司不属于那85%最终无法从备份中恢复的案例，因为显然只有15%能做到。

And hopefully, those are not part of those 85% that turn out not to be able to restore from backup because only 15% apparently can.

但正如我所说，这个有趣的细节正是最初吸引我关注这份报告的原因。

But as I said, that interesting tidbit was what first drew me to this report.

CoveWare对网络攻击的见解非常有趣、清晰且富有洞察力。

Cove Ware's perspective on attacks is very interesting, illuminating and insightful.

他们是真正了解情况的人，因为他们亲身参与其中。

And they're the people who know because they're involved.

他们在谈判中处于最前沿。

They're like the tip of the spear in negotiating.

莱奥，在我们下一个广告时段后，我们将在After

And Leo, after our next break, we're here at After

八，进入，

Eight, in,

我们将查看Coveware发布的一份非常有趣的报告。

we're gonna look at a very interesting report from Coveware.

好的。

Okay.

但我确实认为Coveware在这一统计数据上可能有一点自身利益。

I do think though that Coveware might have a little bit of a vested interest in this statistic.

你看，我们可以帮助你不要支付赎金，因为我们能与那些坏人谈判。

Like, see, we can help you not pay the ransomware because we'll negotiate with the bad guys.

对吧？

Right?

有可能。

Could be.

不过，我关注的是他们关于攻击行为的信息，这真的很有意思。

Although although what I'm focusing on is the the information they have about attacks, which is really interesting.

这将具有极大的价值。

That would be of great value.