@kalimov
2015-01-02T21:34:02.000000Z
Downloading Data Through The Display
by: Brian Benchoff
(Translator's note: you can guard by day and guard by night, but a hidden arrow is hard to guard against. Even when a company bans employees from using unapproved USB drives, stacks up gateways and data filters, and fills the office with surveillance cameras, it still worries whether its trade secrets are being stolen. This report will probably make such companies even more uneasy: the principle is like a bootleg "cam" recording of a film. The moment you open a file and show it on a screen, be prepared for it to be lost the instant it is seen.)
Original source: http://hackaday.com/2014/12/14/downloading-data-through-the-display/
Original author: Brian Benchoff
Translator: Kalimov
HIPAA – the US standard for electronic health care documentation – spends a lot of verbiage and bureaucratese on the security of electronic records, making a clear distinction between the use of records by health care workers and the disclosure of records by health care workers. Likewise, the Federal Information Security Management Act of 2002 makes the same distinction; records that should never be disclosed or transmitted should be used on systems that are disconnected from networks.
This distinction between use and disclosure or transmission is of course a farce; if you can display something on a screen, it can be transmitted. [Ian Latter] just gave a talk at Kiwicon that provides the tools to do just that. He calls it ThruGlassXfer (TGXf), and it does exactly what it says on the tin: anything that can be displayed on a screen can be transmitted. All you need are the right tools.
How is [Ian] doing this? With QR codes, strangely enough. [Ian] has designed a protocol and application that allows people to download files through a screen. By using TGXf, anyone can load a file stored locally on a computer, have the binary data displayed through QR codes, and record that data with a smartphone or tiny video camera. This video is then analyzed, the data is recovered, and the file is transmitted, defeating all security measures a sysadmin has in mind.
ThruKeyboardXfer (TKXf) keyboard stuffer
Displaying binary data as a QR code presents another problem. How do you put an application that will convert raw data to QR codes on a locked-down system? That’s another trick up [Ian]’s sleeve called ThruKeyboardXfer (TKXf). This requires a hardware device to emulate a USB HID keyboard, pushing data up to a computer simply by emulating a keyboard.
TKXf encodes binary data that are sent out the serial port of one computer (or smartphone) and enters them via the keyboard of another. Either a single file (i.e. an app that encodes data as a QR code) or a continuous stream of data can be sent into a computer through a USB HID keyboard interface.
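A keyboard stuffer like TKXf only works if the receiving host accepts keystrokes from an unauthorised HID device, and its traffic has a signature a defender can look for: a long run of keystrokes arriving at a short, machine-steady interval, unlike the jittery, slower cadence of a human typist. The Python below is an added example written for this page (it is not Ian Latter's code or part of any TGXf/TKXf tool); it assumes an endpoint agent supplies per-keystroke timestamps for one keyboard device, runs over a constructed session, and its thresholds (32-key windows, 40 ms mean gap, 0.2 coefficient of variation) are assumptions to tune per environment.

```python
import random
from statistics import mean, pstdev


def find_injected_bursts(timestamps, window=32, max_mean_ms=40.0, max_cv=0.2):
    """Scan non-overlapping windows of `window` keystroke timestamps (seconds).

    A window is flagged when the mean gap between keys is at most
    `max_mean_ms` AND the gaps are machine-steady (stdev/mean <= `max_cv`).
    Returns [(first_index, mean_gap_ms, cv), ...] for flagged windows.
    """
    bursts = []
    for start in range(0, len(timestamps) - window + 1, window):
        keys = timestamps[start:start + window]
        gaps_ms = [(b - a) * 1000.0 for a, b in zip(keys, keys[1:])]
        m = mean(gaps_ms)
        cv = pstdev(gaps_ms) / m if m > 0 else 0.0
        if m <= max_mean_ms and cv <= max_cv:
            bursts.append((start, round(m, 2), round(cv, 3)))
    return bursts


def constructed_session(seed=1):
    """Constructed sample session: 60 human keystrokes, 200 stuffed, 40 human.

    Human gaps are drawn from 80-300 ms with jitter; the stuffer types at
    8 ms +/- 0.5 ms. Returns (timestamps, (first_stuffed, end_stuffed)).
    """
    rng = random.Random(seed)
    gaps = ([rng.uniform(0.080, 0.300) for _ in range(60)]
            + [rng.uniform(0.0075, 0.0085) for _ in range(200)]
            + [rng.uniform(0.080, 0.300) for _ in range(40)])
    t, timestamps = 0.0, []
    for g in gaps:
        t += g
        timestamps.append(t)
    return timestamps, (60, 260)


if __name__ == "__main__":
    ts, _ = constructed_session()
    for start, m, cv in find_injected_bursts(ts):
        print(f"keys {start}-{start + 31}: mean gap {m} ms, cv {cv}: stuffer-like")
```

Windows straddling the boundary between human and stuffed input are deliberately not flagged, so the detector reports the steady core of the burst rather than its exact edges; pairing a flag with the USB device-enumeration event for the keyboard gives the analyst the device to remove.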
For a demonstration of his system, [Ian] put up a video of a smartphone downloading a PDF from YouTube through a laptop screen. The only requirement for this file transfer is pointing the phone directly at the screen; no WiFi or cellular network is necessary to send data from a computer to a smartphone.
If this sounds like something torn from the pages of a yet-to-be-written [Cory Doctorow] YA novel, you’re probably not far off: nearly all official recommendations for security and privacy controls, including publications from NIST, place a distinction between use of a file and distribution or disclosure of a file. There is a marked difference between displaying information on a screen and sending it over a network. By transmitting binary data through a display, [Ian] has kicked that door down, turning every monitor and every employee into a security risk.
TGXf device website: http://thruglassxfer.com/
(Translator's postscript: A man in black of unknown identity knocks on the victim's door, points a gun at him and says, "You know something you shouldn't know." Victim: "But I didn't copy anything." Man in black: "But you saw it.")