
  • I don't have the rights to use any actual images of Pokémon in this video.

  • But just me talking to the camera for a few minutes isn't particularly interesting,

  • so I asked my illustrator friend Simon to create some plausible,

  • but utterly fake, Pokémon for me to catch.

  • Yeah, that'll do.

  • This week, there was a bit of a privacy scare about Pokémon Go.

  • Someone said that the company behind it could read all your email;

  • someone else said no, they couldn't,

  • and that was after doing a lot of research into how the app worked;

  • and then the consensus became that,

  • while it was technically possible,

  • it would require a lot of hassle on their part and it was the result of a mistake,

  • not some devious attempt to steal your data.

  • The problem was permissions.

  • When you see one of those buttons that says sign in with Google,

  • or sign in with Facebook, or -- excuse me --

  • Mm. Or sign in with Twitter, you are using something called OAuth.

  • It works like this:

  • you tell the app “I'd like to sign in with Google”.

  • The app then sends you to Google.

  • Google checks who you are with your username and password,

  • or by doing some magic with your Android phone, and if they're happy,

  • they send you back to the app with a new thing called a token.

  • The app takes the token, and until you say otherwise,

  • it can use that token as a way to access your account

  • without ever knowing your password and without you needing to be there.

  • It is, of course, a little bit more complicated than that,

  • as anyone who's ever tried to write code for it knows,

  • but that's a reasonable summary of what's going on.

  • Here's the clever part: that token, yes,

  • it could have access to your full account,

  • but it can also be set up so it only allows access

  • to a very limited and specific set of permissions.

  • Maybe it can only read your calendar appointments.

  • Or maybe it can only add comments to YouTube videos that you watch.

  • For Pokémon Go, that token was meant to only grant access to see your email address,

  • not to read anything, just to prove who you were.

  • The problem was, it didn't.

  • Pokémon Go is made by a company called Niantic (Nyan-tic?)

  • They were originally a spin-off of Google,

  • and it looks like they've got some contacts on the inside.

  • They weren't using the permissions system that everyone else had to use:

  • they were using an old one.

  • Through some fancy, manual trickery,

  • it was possible to convert the token they'd been given

  • into an "uber-token" that would give an attacker full access

  • to everything in your Google account,

  • including your email.

  • They weren't doing this, but they could have. And for that reason,

  • when you checked what permissions Pokémon Go had,

  • Google correctly reported that it had full access to your account.

  • I want to credit Ari Rubinstein at this point:

  • he was the developer who did all the digging

  • and put a really good post together about what's going on.

  • If you want the in-depth, technical details,

  • I've put a link in the description.

  • The latest update to Pokémon Go,

  • which has none of these weird things,

  • fixes the problem, of course, and all is well. Or is it?

  • Because there's a deeper problem here that can't be fixed by patching some code.

  • Don't get me wrong, the current OAuth solution with its tokens is much better than the old days.

  • I remember when you had to give your actual Twitter password to third-party apps,

  • who would then send it in plain text over the internet.

  • The current solution is better, but it's not perfect.

  • And there are two big things wrong with it.

  • First of all, you have to trust the app.

  • You have to trust that the "sign in with Google" button is actually doing what it claims

  • and when the box pops up asking for your Google password,

  • it actually is a box from Google and not the app just faking it.

  • That's less of a problem for big apps,

  • or if you're downloading from the well moderated Apple App Store,

  • but because Pokémon Go was incredibly popular and not available everywhere in the world,

  • lots of people on Android were sideloading it:

  • downloading it from somewhere unofficial,

  • and copying it over manually to their phone.

  • There were plenty of alternate versions filled with malware

  • that would happily have stolen your password, or, well,

  • anything else that was on your phone.

  • Second, people's priorities for security often don't reflect reality.

  • We all emphasise easy to understand scare stories over complicated, subtle, boring attacks.

  • That's the reason I'm doing a video about Pokémon Go, for crying out loud.

  • A scare story about an innocent game,

  • one that millions of people are playing and have an emotional attachment to?

  • Oh, if that's actually being evil and reading your email? That'll get the clicks.

  • But that same game having live tracking on millions of people's locations and social networks,

  • being run by a small company that is now an enormous target for private hackers, and blackmailers,

  • and governments that would really like to know that information? That's boring.

  • That's abstract. We know that,

  • but it'll never happen to you, right?

  • I'm a great believer in the old saying cock-up before conspiracy:

  • never attribute to malice what can be explained by incompetence. No,

  • of course this wasn't a dastardly scheme to read all your email,

  • it was just a couple of developers making a mistake while rushed.

  • Let's just hope there aren't any more headlines caused by any other mistakes

  • while you're catching your... whatever the heck that is.

  • I'm going to be away for three weeks on an expedition to the Arctic.

  • But rather than abandon my channel for a while, I thought:

  • why not get some guests involved? So,

  • if you have a YouTube channel,

  • and you've got an idea for an Amazing Places or a Things You Might Not Know video

  • that you could make and get to me before 6th August,

  • follow the link on screen or in the description.

  • I am particularly looking for people, styles,

  • and videos a little different from what normally appears here.

  • So if you just heard that and thought

  • "oh, I'd like to do that, but I'm not sure I'd fit":

  • I definitely want you to get in touch.
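As an added example (not code from the video, and not Google's or Niantic's implementation), the following Python models the token-and-scope idea the video describes: a stand-in authorisation server issues tokens bound to the scopes the user consented to, a stand-in API refuses any operation the token's scopes do not cover, revocation is the user "saying otherwise", and the permissions report shows why a token carrying a full-access scope is listed as full access. All class, scope and client names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
@dataclass(frozen=True)
class Token:
    value: str
    client: str
    scopes: frozenset  # permissions the user consented to at sign-in

class AuthorizationServer:
    """Stand-in for Google: issues, reports and revokes scoped tokens."""
    def __init__(self):
        self.issued = {}  # token value -> Token
    def issue(self, client, scopes):
        tok = Token(secrets.token_urlsafe(16), client, frozenset(scopes))
        self.issued[tok.value] = tok
        return tok
    def revoke(self, value):  # the user "says otherwise"
        self.issued.pop(value, None)
    def permissions_report(self, client):
        """What the user's 'apps with account access' page would list."""
        scopes = [t.scopes for t in self.issued.values() if t.client == client]
        return sorted(set().union(*scopes))

class ResourceServer:
    """Stand-in for the API: every operation requires one named scope."""
    REQUIRED = {"get_email_address": "email", "read_mail": "mail.read"}
    def __init__(self, auth):
        self.auth = auth
    def call(self, operation, token_value):
        tok = self.auth.issued.get(token_value)
        if tok is None:
            return 403, "invalid or revoked token"
        needed = self.REQUIRED[operation]
        # a full_access scope covers everything, which is exactly the problem
        if needed in tok.scopes or "full_access" in tok.scopes:
            return 200, f"{operation} allowed for {tok.client}"
        return 403, f"token lacks scope {needed!r}"

def demo():
    google = AuthorizationServer()
    api = ResourceServer(google)
    narrow = google.issue("pokemon-go", ["email"])  # the intended grant
    broad = google.issue("pokemon-go-legacy", ["full_access"])  # legacy flow
    out = {"narrow_email": api.call("get_email_address", narrow.value)[0],
           "narrow_mail": api.call("read_mail", narrow.value)[0],
           "broad_mail": api.call("read_mail", broad.value)[0],
           "broad_report": google.permissions_report("pokemon-go-legacy")}
    google.revoke(broad.value)
    out["revoked_mail"] = api.call("read_mail", broad.value)[0]
    return out
```

The email-only token can prove who you are but cannot read mail, while the legacy full-access token can do both until it is revoked, which is exactly the difference the permissions page was reporting.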


Pokémon GO can't read your email (No, Pokémon Go Can't Read Your Email)

Published by 林宜悉 on 14 January 2021