Hackable Robot Lawn Mower Unlocks a New Nightmare
Cramming for finals is bad enough without the platform you use to do your schoolwork suddenly shutting down. Unfortunately for countless students across the US, that’s exactly what they faced on Thursday after Canvas went into “maintenance mode” following a ransomware attack on education tech firm Instructure. Hackers using the name ShinyHunters claimed responsibility for the breach, and experts say the chaos they caused shows how far these actors will go to extort their victims.
Did you know that Google Chrome includes an automatic download of the Gemini Nano AI model? If not, you wouldn’t be alone. People who use Google’s wildly popular browser realized this week that Gemini Nano has been taking up 4 GB of space on their desktops since 2024, sparking annoyance and concerns over privacy. Fortunately, you can disable the AI model—but not without losing some helpful security features. Obviously, you can also just download a different browser for free.
Researchers this week revealed that thousands of vibe-coded apps were left exposed on the open internet, leaking sensitive corporate and personal data. The security failings are a reminder: Just because you can vibe code something doesn't necessarily mean you should.
The Department of Homeland Security subpoenaed Google in an attempt to obtain the location data and account activity of a Canadian man who criticized US immigration enforcement tactics following the killings of Renee Good and Alex Pretti in Minneapolis early this year. The American Civil Liberties Union this week filed a complaint against DHS on behalf of the man, who has not visited the US in more than 10 years.
Scammers, low-level hackers, and other cybercriminals have joined the ranks of humanity yearning to be free of AI slop, according to new research. Meta, meanwhile, is sprucing up its age-verification tech after a study found that kids are tricking online age checks using simple techniques—including one child hero who circumvented online age verification by drawing on a fake mustache. Finally, we detailed Russia’s effort to create a local competitor to Starlink satellite internet service—with all the privacy and security concerns that entails.
And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Robot Lawn Mower Is a Security Nightmare
Most people hope that the 200-pound robot with blades in their backyard cannot be easily hacked. Unfortunately for the owners of Yarbo, a $5,000 lawn mower robot that can also work as a leaf blower, snowblower, and edger, that was not the case. The Verge reports that a security researcher found numerous vulnerabilities in the lawn bots that could allow hackers to remotely take over the machines (including their camera feeds), as well as extract owners' email addresses, Wi-Fi passwords, and home locations.
After a Yarbo spokesperson told The Verge that the robots' "diagnostic environment is not publicly accessible," the reporter and researcher demonstrated the security flaws and their potential consequences by nearly running over the reporter with a hijacked robot. The company has since said it is developing a fix for at least one of the flaws the researcher identified.
Meta Strips Encryption From Instagram DMs
Mark Zuckerberg's Meta has pulled support for end-to-end encrypted messages on Instagram, backtracking on its plans to protect people's privacy by providing messaging the company could not snoop on. The company stopped offering encryption on Instagram on May 8, meaning the firm is once again technically able to access users' DMs.
After spending years building out the encryption systems needed to secure its chat apps, Meta said in 2023 that it had rolled out default encryption for Messenger. It also said it was introducing an opt-in version for Instagram, which it had planned would eventually become the default setting. However, that day never arrived: in March this year Meta decided that not enough people had opted in and that it would remove the option to encrypt Instagram chats. The U-turn has infuriated privacy and security experts who fear the rollback could damage end-to-end encryption efforts around the world.
Trump’s New Counterterrorism Strategy Targets “Antifa,” “Radically Pro-Transgender” Ideology
The Trump administration unveiled a new counterterrorism strategy, which President Donald Trump describes as a "return to common sense and Peace through Strength" in a foreword included in the document. The three biggest types of terror groups, according to the document, are cartels, Islamist terror groups, and "violent left wing extremists," a category the memo says includes anarchists and anti-fascists and whose ideologies it describes as "anti-American" and "radically pro-transgender."
The memo promises, “We will use all the tools constitutionally available to us to map them at home, identify their membership, map their ties to international organizations like Antifa, and use law enforcement tools to cripple them operationally before they can maim or kill the innocent.”
Notably, during a congressional hearing last year, the operations director of the FBI’s National Security Branch was unable to answer questions about how many people were in “Antifa,” where it was located, or other specifics.
Elite Russian Hacking School Unmasked by Leaked Documents
Russia’s GRU military intelligence agency has launched some of the most brazen and destructive cyberattacks in history. While some of its operatives have been publicly named and hit with international sanctions, a consortium of journalists revealed this week how a special unit inside Bauman Moscow State Technical University, named Department 4, allegedly provides training and a suspected pipeline into GRU units, including those involved in hacking and disinformation. Documents obtained by the consortium—which includes Le Monde, the Guardian, Der Spiegel…