Your Period Tracker Is (Probably) Spying on You
Your Period Tracker Is (Probably) Spying on You
你的经期追踪器(很可能)正在监视你
Hours of San Francisco Police Department drone video footage exposed on the open web illustrates a new era of incredibly granular—and consequential—urban surveillance. Meanwhile, the San Francisco City Attorney’s Office sent cease-and-desist letters to Apple and Google this week demanding that the tech giants delete 13 AI nudifying “face-swap” apps from their app stores that are almost exclusively used to target women and girls. 旧金山警察局数小时的无人机视频片段在开放网络上泄露,揭示了一个极其细致且影响深远的城市监控新时代。与此同时,旧金山市检察官办公室本周向苹果和谷歌发出停止侵权函,要求这两家科技巨头从其应用商店中删除 13 款人工智能“换脸”应用,这些应用几乎专门用于针对女性和女孩。
Since WIRED first reported in June about Meta’s NameTag face-recognition system, company executives have made opaque and conflicting comments about whether the feature even exists. We took a step back to lay out both the claims and the facts about the very real system. 自《连线》(WIRED)杂志六月份首次报道 Meta 的 NameTag 面部识别系统以来,该公司高管对于该功能是否存在发表了模糊且相互矛盾的评论。我们退后一步,梳理了关于这一真实系统的各种说法与事实。
In a speech on Thursday, President Donald Trump continued to push unsubstantiated and thoroughly debunked claims about interference in the 2020 US election. He even promised massive revelations in a trove of documents posted to the White House website, but the files did not prove his assertions—and in some cases actually contradicted Trump’s claims. 在周四的一次演讲中,唐纳德·特朗普总统继续兜售关于 2020 年美国大选受到干预的未经证实且已被彻底驳斥的说法。他甚至承诺在白宫网站发布的一批文件中会有重大披露,但这些文件并未证明他的主张,在某些情况下甚至与特朗普的说法相矛盾。
As adoption of AI tools rapidly expands and their capabilities increase, the tech giant Anthropic continued a push to get US states to regulate AI. Speaking about AI transparency requirements in California and New York from last year, Anthropic’s head of US state and local government relations, Cesar Fernandez, told WIRED this week, “The transparency-focused safety bills of 2025 were a really important start, but as the capabilities of AI systems continue to advance quickly—the policy responses need to match.” 随着人工智能工具的普及和能力的提升,科技巨头 Anthropic 继续推动美国各州对人工智能进行监管。在谈到去年加利福尼亚州和纽约州的人工智能透明度要求时,Anthropic 美国州和地方政府关系负责人塞萨尔·费尔南德斯(Cesar Fernandez)本周告诉《连线》:“2025 年以透明度为重点的安全法案是一个非常重要的开端,但随着人工智能系统能力的快速进步,政策响应也需要跟上步伐。”
And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there. 还有更多内容。每周,我们都会汇总那些我们未进行深度报道的安全与隐私新闻。点击标题即可阅读全文。祝大家保持安全。
Mozilla Graded Period Trackers on Privacy. Only One Aced It
Mozilla 对经期追踪器的隐私性进行了评级,仅有一款表现优异
The astrology-themed period tracker Stardust sends users’ reproductive health details—birth control type, pregnancy status, moods, and symptoms as specific as tender breasts and stomach cramps—to a data firm not named in its privacy policy, according to the BBC, which first reported a Mozilla Foundation audit of six popular trackers produced in partnership with Harvard’s Berkman Klein Center. 据英国广播公司(BBC)报道,占星主题的经期追踪器 Stardust 会将用户的生殖健康细节(如避孕方式、怀孕状况、情绪,以及乳房胀痛和胃痉挛等具体症状)发送给一家在其隐私政策中未提及的数据公司。BBC 率先报道了 Mozilla 基金会与哈佛大学伯克曼·克莱恩中心合作对六款热门追踪器进行的审计。
Stardust scored 2 out of 10, the worst of the group. Mozilla researcher Shoshana Wodinsky found the app pings third-party trackers from the moment it opens, before a user enters anything; the instant she logged a symptom, the details went to analytics firm RudderStack alongside a persistent user ID, with no in-app way to shut the sharing off. RudderStack is built to route data onward to destinations Mozilla couldn’t observe. Stardust also hands Facebook an ad identifier that ties in-app behavior to the platform’s existing profiles. The company told TechCrunch it has never received a legal demand for user data. Stardust 的得分为 2 分(满分 10 分),是该组中最差的。Mozilla 研究员肖莎娜·沃丁斯基(Shoshana Wodinsky)发现,该应用在打开的那一刻起,在用户输入任何信息之前,就会向第三方追踪器发送信号;当她记录症状时,这些细节会立即与一个持久的用户 ID 一起发送给分析公司 RudderStack,且应用内没有关闭共享的途径。RudderStack 的设计初衷是将数据转发到 Mozilla 无法监测的目的地。Stardust 还向 Facebook 提供了一个广告标识符,将应用内行为与该平台现有的个人资料关联起来。该公司告诉 TechCrunch,它从未收到过关于用户数据的法律要求。
Euki, a nonprofit-run tracker, earned a perfect 10: no account required, health data never leaves the phone, and users can set a PIN, schedule automatic deletion, or pull up a decoy screen if someone forces the phone open. Its one soft spot is an in-app browser for educational pages that loads the usual web trackers, but it also resets identifiers between visits. 由非营利组织运营的追踪器 Euki 获得了满分 10 分:无需账户,健康数据从不离开手机,用户可以设置 PIN 码、安排自动删除,或者在有人强行打开手机时调出伪装屏幕。它唯一的弱点是用于教育页面的应用内浏览器会加载常见的网络追踪器,但它在每次访问之间会重置标识符。
Russia’s FSB Sanctioned for Cyberattack on Polish Infrastructure
俄罗斯联邦安全局(FSB)因对波兰基础设施发动网络攻击而受到制裁
Russia’s FSB has long had a reputation for highly sophisticated cyberespionage, leaving disruptive cyberattacks to its fellow hackers in the country’s GRU military intelligence agency. But sanctions from the EU and UK this week, along with an advisory from the US Cybersecurity and Infrastructure Security Agency, the FBI, and the NSA, pinned a cyberattack against the Polish electric grid on Center 16 of the FSB, a rare example of the Kremlin agency carrying out a cyberattack that nearly caused outages in the country’s electric and water utilities. 长期以来,俄罗斯联邦安全局(FSB)以极其复杂的网络间谍活动而闻名,通常将破坏性网络攻击留给其同行——俄罗斯军事情报机构(GRU)的黑客。但本周欧盟和英国的制裁,以及美国网络安全与基础设施安全局(CISA)、联邦调查局(FBI)和国家安全局(NSA)发布的咨询报告,将针对波兰电网的网络攻击归咎于 FSB 的第 16 中心。这是克里姆林宫机构发动网络攻击并差点导致该国电力和水利设施中断的罕见案例。
The attack, which the Polish government has said came “very close” to causing a blackout, was initially attributed by cybersecurity firms Dragos and ESET to Sandworm, also known as Unit 74455 of the GRU, a more usual suspect in infrastructure hacking given its active role in its long-running cyberwar against Ukraine. But the Polish computer emergency response team at the time disputed that finding and tied the attack to the FSB, a conclusion now supported by a wide consensus of Western governments. The incident suggests that the FSB may be taking on some of the reckless, highly aggressive tendencies—and targeting—of its GRU coworkers. 波兰政府表示,此次攻击“非常接近”导致大面积停电。网络安全公司 Dragos 和 ESET 最初将其归咎于 Sandworm(即 GRU 的 74455 部队),鉴于其在针对乌克兰的长期网络战中的活跃角色,它是基础设施黑客攻击中更常见的嫌疑对象。但波兰计算机应急响应小组当时对这一结论提出异议,并将攻击归咎于 FSB,这一结论现在得到了西方各国政府的广泛共识支持。这一事件表明,FSB 可能正在采取其 GRU 同行的一些鲁莽、极具侵略性的倾向和目标选择。
An Alleged Russian State-Sponsored Hacker Worked for Kaspersky
一名涉嫌受俄罗斯政府支持的黑客曾在卡巴斯基工作
For years, the Russian cybersecurity firm Kaspersky has been alleged to have ties to the Russian government, including by US officials who banned use of the company’s products within the US government and eventually by all American customers. Yet overt evidence of those connections has been scarce. Now Reuters reports that Denis Obrezko, a Russian man facing hacking charges in Boston and an alleged member of a hacker group known as Void Blizzard or Laundry Bear, spent two years working at Kaspersky. His stint at the company took place just before he joined another cybersecurity company, Yutek-NN, where he allegedly took part in the group’s hacking campaign that stole data and communications from numerous NATO governments and at least 11 US companies, according to US prosecutors. Prior to Kaspersky, Obrevko also allegedly worked at the FSB, neatly bookending his time at the company with apparent work for Russia’s intelligence services. 多年来,俄罗斯网络安全公司卡巴斯基一直被指控与俄罗斯政府有联系,包括美国官员在内的人士曾禁止在美国政府内部使用该公司产品,并最终禁止了所有美国客户使用。然而,这些联系的公开证据一直很少。路透社现在报道称,在波士顿面临黑客指控的俄罗斯人丹尼斯·奥布雷兹科(Denis Obrezko)——据称是名为 Void Blizzard 或 Laundry Bear 黑客组织的成员——曾在卡巴斯基工作了两年。据美国检察官称,他在该公司的工作经历发生在他加入另一家网络安全公司 Yutek-NN 之前,在那里他涉嫌参与了该组织的黑客行动,窃取了多个北约政府和至少 11 家美国公司的数据和通信信息。在加入卡巴斯基之前,奥布雷兹科还涉嫌在 FSB 工作过,这使得他在卡巴斯基的工作经历前后都伴随着为俄罗斯情报部门工作的明显迹象。
Obrevko has pleaded not guilty to the hacking charges. Kaspersky responded in a statement to Reuters that “the offenses charged cannot be related to the individual’s role or responsibilities during the employment at Kaspersky.” 奥布雷兹科对黑客指控表示不认罪。卡巴斯基在给路透社的一份声明中回应称:“所指控的罪行与该个人在卡巴斯基任职期间的角色或职责无关。”
A Real DHS Breach Was Twice Ruled a False Positive
一次真实的国土安全部(DHS)入侵事件被两次判定为误报
In an incident that will induce anxiety in anyone responsible for assessing suspicious network activity, DHS officials ruled—twice—that signs of a hacker breach in its data-sharing Homeland Security Information Network platform were false. 在一件会让任何负责评估可疑网络活动的人感到焦虑的事件中,国土安全部官员两次判定其数据共享平台“国土安全信息网络”(HSIN)中出现的黑客入侵迹象为误报。