×

We use cookies to help make LingQ better. By visiting the site, you agree to our cookie policy.


image

TED Talks, Mikko Hypponen: Three types of online attack

Mikko Hypponen: Three types of online attack

In the 1980s in the communist Eastern Germany, if you owned a typewriter, you had to register it with the government.

You had to register a sample sheet of text out of the typewriter. And this was done so the government could track where text was coming from. If they found a paper which had the wrong kind of thought, they could track down who created that thought. And we in the West couldn't understand how anybody could do this, how much this would restrict freedom of speech. We would never do that in our own countries.

But today in 2011, if you go and buy a color laser printer from any major laser printer manufacturer and print a page, that page will end up having slight yellow dots printed on every single page in a pattern which makes the page unique to you and to your printer. This is happening to us today. And nobody seems to be making a fuss about it. And this is an example of the ways that our own governments are using technology against us, the citizens. And this is one of the main three sources of online problems today.

If we take a look at what's really happening in the online world, we can group the attacks based on the attackers. We have three main groups. We have online criminals. Like here, we have Mr. Dimitry Golubov from the city of Kiev in Ukraine. And the motives of online criminals are very easy to understand. These guys make money. They use online attacks to make lots of money, and lots and lots of it. We actually have several cases of millionaires online, multimillionaires, who made money with their attacks. Here's Vladimir Tsastsin form Tartu in Estonia. This is Alfred Gonzalez. This is Stephen Watt. This is Bjorn Sundin. This is Matthew Anderson, Tariq Al-Daour and so on and so on.

These guys make their fortunes online, but they make it through the illegal means of using things like banking trojans to steal money from our bank accounts while we do online banking, or with keyloggers to collect our credit card information while we are doing online shopping from an infected computer. The U.S. Secret Service, two months ago, froze the Swiss bank account of Mr. Sam Jain right here, and that bank account had 14.9 million U.S. dollars on it when it was frozen. Mr. Jain himself is on the loose; nobody knows where he is. And I claim it's already today that it's more likely for any of us to become the victim of a crime online than here in the real world. And it's very obvious that this is only going to get worse. In the future, the majority of crime will be happening online.

The second major group of attackers that we are watching today are not motivated by money. They're motivated by something else -- motivated by protests, motivated by an opinion, motivated by the laughs. Groups like Anonymous have risen up over the last 12 months and have become a major player in the field of online attacks.

So those are the three main attackers: criminals who do it for the money, hacktivists like Anonymous doing it for the protest, but then the last group are nation states, governments doing the attacks. And then we look at cases like what happened in DigiNotar. This is a prime example of what happens when governments attack against their own citizens. DigiNotar is a Certificate Authority from The Netherlands -- or actually, it was. It was running into bankruptcy last fall because they were hacked into. Somebody broke in and they hacked it thoroughly. And I asked last week in a meeting with Dutch government representatives, I asked one of the leaders of the team whether he found plausible that people died because of the DigiNotar hack. And his answer was yes.

So how do people die as the result of a hack like this? Well DigiNotar is a C.A. They sell certificates. What do you do with certificates? Well you need a certificate if you have a website that has https, SSL encrypted services, services like Gmail. Now we all, or a big part of us, use Gmail or one of their competitors, but these services are especially popular in totalitarian states like Iran, where dissidents use foreign services like Gmail because they know they are more trustworthy than the local services and they are encrypted over SSL connections, so the local government can't snoop on their discussions. Except they can if they hack into a foreign C.A. and issue rogue certificates. And this is exactly what happened with the case of DigiNotar.

What about Arab Spring and things that have been happening, for example, in Egypt? Well in Egypt, the rioters looted the headquarters of the Egyptian secret police in April 2011, and when they were looting the building they found lots of papers. Among those papers, was this binder entitled "FINFISHER." And within that binder were notes from a company based in Germany which had sold the Egyptian government a set of tools for intercepting -- and in very large scale -- all the communication of the citizens of the country. They had sold this tool for 280,000 Euros to the Egyptian government. The company headquarters are right here.

So Western governments are providing totalitarian governments with tools to do this against their own citizens. But Western governments are doing it to themselves as well. For example, in Germany, just a couple of weeks ago the so-called State Trojan was found, which was a trojan used by German government officials to investigate their own citizens. If you are a suspect in a criminal case, well it's pretty obvious, your phone will be tapped. But today, it goes beyond that. They will tap your Internet connection. They will even use tools like State Trojan to infect your computer with a trojan, which enables them to watch all your communication, to listen to your online discussions, to collect your passwords.

Now when we think deeper about things like these, the obvious response from people should be that, "Okay, that sounds bad, but that doesn't really affect me because I'm a legal citizen. Why should I worry? Because I have nothing to hide." And this is an argument, which doesn't make sense. Privacy is implied. Privacy is not up for discussion. This is not a question between privacy against security. It's a question of freedom against control. And while we might trust our governments right now, right here in 2011, any right we give away will be given away for good. And do we trust, do we blindly trust, any future government, a government we might have 50 years from now? And these are the questions that we have to worry about for the next 50 years.

Mikko Hypponen: Three types of online attack Mikko Hypponen: Tres tipos de ataque en línea Mikko Hypponen: Trzy rodzaje ataków online Mikko Hypponen: Três tipos de ataques em linha Микко Хиппонен: Три типа онлайн-атак

In the 1980s in the communist Eastern Germany, if you owned a typewriter, you had to register it with the government. Nos anos 80, na Alemanha Oriental comunista, se você possuía uma máquina de escrever, tinha que registrá-la no governo.

You had to register a sample sheet of text out of the typewriter. Você teve que registrar uma folha de amostra de texto na máquina de escrever. And this was done so the government could track where text was coming from. E isso foi feito para que o governo pudesse rastrear a origem do texto. If they found a paper which had the wrong kind of thought, they could track down who created that thought. Se eles encontrassem um trabalho que tivesse o tipo errado de pensamento, poderiam rastrear quem o criou. And we in the West couldn't understand how anybody could do this, how much this would restrict freedom of speech. E nós no Ocidente não conseguíamos entender como alguém poderia fazer isso, o quanto isso restringiria a liberdade de expressão. We would never do that in our own countries. Nós nunca faríamos isso em nossos próprios países.

But today in 2011, if you go and buy a color laser printer from any major laser printer manufacturer and print a page, that page will end up having slight yellow dots printed on every single page in a pattern which makes the page unique to you and to your printer. Hoje, porém, em 2011, se você comprar uma impressora a laser colorida de qualquer fabricante importante de impressoras a laser e imprimir uma página, essa página acabará tendo pequenos pontos amarelos impressos em cada página em um padrão que torna a página exclusiva para você e à sua impressora. This is happening to us today. And nobody seems to be making a fuss about it. E ninguém parece estar se incomodando com isso. And this is an example of the ways that our own governments are using technology against us, the citizens. E este é um exemplo das maneiras como nossos próprios governos estão usando a tecnologia contra nós, os cidadãos. And this is one of the main three sources of online problems today. E esta é uma das três principais fontes de problemas online hoje.

If we take a look at what's really happening in the online world, we can group the attacks based on the attackers. Se dermos uma olhada no que realmente está acontecendo no mundo on-line, podemos agrupar os ataques com base nos invasores. We have three main groups. Temos três grupos principais. We have online criminals. Like here, we have Mr. Dimitry Golubov from the city of Kiev in Ukraine. And the motives of online criminals are very easy to understand. These guys make money. They use online attacks to make lots of money, and lots and lots of it. Eles usam ataques online para ganhar muito dinheiro, e muito e muito. We actually have several cases of millionaires online, multimillionaires, who made money with their attacks. Here's Vladimir Tsastsin form Tartu in Estonia. This is Alfred Gonzalez. This is Stephen Watt. This is Bjorn Sundin. This is Matthew Anderson, Tariq Al-Daour and so on and so on. Este é Matthew Anderson, Tariq Al-Daour e assim por diante.

These guys make their fortunes online, but they make it through the illegal means of using things like banking trojans to steal money from our bank accounts while we do online banking, or with keyloggers to collect our credit card information while we are doing online shopping from an infected computer. Esses caras fazem suas fortunas online, mas eles usam meios ilegais de usar trojans bancários para roubar dinheiro de nossas contas bancárias enquanto fazemos serviços bancários on-line ou com keyloggers para coletar nossas informações de cartão de crédito enquanto fazemos compras on-line de um computador infectado. The U.S. Secret Service, two months ago, froze the Swiss bank account of Mr. Sam Jain right here, and that bank account had 14.9 million U.S. dollars on it when it was frozen. dólares quando estava congelado. Mr. Jain himself is on the loose; nobody knows where he is. O próprio Sr. Jain está à solta; ninguém sabe onde ele está. And I claim it's already today that it's more likely for any of us to become the victim of a crime online than here in the real world. And it's very obvious that this is only going to get worse. In the future, the majority of crime will be happening online.

The second major group of attackers that we are watching today are not motivated by money. They're motivated by something else -- motivated by protests, motivated by an opinion, motivated by the laughs. Groups like Anonymous have risen up over the last 12 months and have become a major player in the field of online attacks.

So those are the three main attackers: criminals who do it for the money, hacktivists like Anonymous doing it for the protest, but then the last group are nation states, governments doing the attacks. Então esses são os três principais atacantes: criminosos que fazem isso por dinheiro, hacktivistas como o Anonymous fazendo isso para o protesto, mas depois o último grupo são estados-nação, governos fazendo os ataques. And then we look at cases like what happened in DigiNotar. E então analisamos casos como o que aconteceu no DigiNotar. This is a prime example of what happens when governments attack against their own citizens. DigiNotar is a Certificate Authority from The Netherlands -- or actually, it was. It was running into bankruptcy last fall because they were hacked into. Somebody broke in and they hacked it thoroughly. And I asked last week in a meeting with Dutch government representatives, I asked one of the leaders of the team whether he found plausible that people died because of the DigiNotar hack. E perguntei na semana passada, em uma reunião com representantes do governo holandês, perguntei a um dos líderes da equipe se ele achava plausível que as pessoas tivessem morrido por causa do hack do DigiNotar. And his answer was yes.

So how do people die as the result of a hack like this? では、このようなハッキングの結果、人々はどのようにして死ぬのでしょうか? Então, como as pessoas morrem como resultado de um hack como esse? Well DigiNotar is a C.A. Bem DigiNotar é uma CA They sell certificates. What do you do with certificates? Well you need a certificate if you have a website that has https, SSL encrypted services, services like Gmail. Now we all, or a big part of us, use Gmail or one of their competitors, but these services are especially popular in totalitarian states like Iran, where dissidents use foreign services like Gmail because they know they are more trustworthy than the local services and they are encrypted over SSL connections, so the local government can't snoop on their discussions. Except they can if they hack into a foreign C.A. and issue rogue certificates. e emitir certificados não autorizados. And this is exactly what happened with the case of DigiNotar.

What about Arab Spring and things that have been happening, for example, in Egypt? Well in Egypt, the rioters looted the headquarters of the Egyptian secret police in April 2011, and when they were looting the building they found lots of papers. エジプトではまあ、2011年4月に暴動団がエジプトの秘密警察の本部を略奪し、彼らが建物を略奪したとき、彼らはたくさんの書類を見つけました。 Bem no Egito, os manifestantes saquearam a sede da polícia secreta egípcia em abril de 2011 e, quando saqueavam o prédio, encontraram muitos papéis. Among those papers, was this binder entitled "FINFISHER." それらの論文の中で、このバインダーは「FINFISHER」と題されていました。 Entre esses documentos, havia esse fichário intitulado "FINFISHER". And within that binder were notes from a company based in Germany which had sold the Egyptian government a set of tools for intercepting -- and in very large scale -- all the communication of the citizens of the country. そしてそのバインダーの中には、エジプト政府が国の市民のすべてのコミュニケーションを傍受するための一連のツールを、そして非常に大規模に販売したドイツに本拠を置く会社からのメモがありました。 E dentro dessa pasta havia anotações de uma empresa sediada na Alemanha, que havia vendido ao governo egípcio um conjunto de ferramentas para interceptar - e em larga escala - toda a comunicação dos cidadãos do país. They had sold this tool for 280,000 Euros to the Egyptian government. The company headquarters are right here.

So Western governments are providing totalitarian governments with tools to do this against their own citizens. But Western governments are doing it to themselves as well. For example, in Germany, just a couple of weeks ago the so-called State Trojan was found, which was a trojan used by German government officials to investigate their own citizens. If you are a suspect in a criminal case, well it's pretty obvious, your phone will be tapped. あなたが刑事事件の容疑者である場合、まあそれはかなり明白です、あなたの電話は盗聴されます。 But today, it goes beyond that. They will tap your Internet connection. Eles tocarão na sua conexão com a Internet. They will even use tools like State Trojan to infect your computer with a trojan, which enables them to watch all your communication, to listen to your online discussions, to collect your passwords. Eles até usam ferramentas como o Trojan do Estado para infectar seu computador com um cavalo de Troia, o que lhes permite assistir toda a sua comunicação, ouvir suas discussões on-line e coletar suas senhas.

Now when we think deeper about things like these, the obvious response from people should be that, "Okay, that sounds bad, but that doesn't really affect me because I'm a legal citizen. Agora, quando pensamos mais sobre coisas como essas, a resposta óbvia das pessoas deve ser a seguinte: "Ok, isso soa mal, mas isso não me afeta realmente porque sou um cidadão legal. Why should I worry? Por que eu deveria me preocupar? Because I have nothing to hide." And this is an argument, which doesn't make sense. E este é um argumento que não faz sentido. Privacy is implied. Privacidade está implícita. Privacy is not up for discussion. A privacidade não está em discussão. This is not a question between privacy against security. Esta não é uma questão entre privacidade e segurança. It's a question of freedom against control. É uma questão de liberdade contra o controle. And while we might trust our governments right now, right here in 2011, any right we give away will be given away for good. E embora possamos confiar em nossos governos agora, aqui em 2011, qualquer direito que dermos será dado para sempre. And do we trust, do we blindly trust, any future government, a government we might have 50 years from now? And these are the questions that we have to worry about for the next 50 years. E essas são as perguntas com as quais devemos nos preocupar pelos próximos 50 anos.