Crypto-Funded Chinese Peptide Labs Are Booming

Source: https://www.wired.com/story/security-news-this-week-crypto-funded-chinese-peptide-labs-are-booming/
Summary:
This week in tech and security: Meta's smart glasses app hides facial recognition code; xAI demands that victims litigate under their real names
According to WIRED this week, Meta has quietly hidden dormant facial recognition code on more than 50 million phones, embedded in the companion app for its Ray-Ban and Oakley smart glasses. The feature, known internally as "NameTag", would, once activated, let wearers identify the person in front of them by matching captured faces against a biometric gallery on the user's device. Meta had claimed to abandon this technology in 2021, after paying billions of dollars to settle biometric privacy lawsuits in Illinois and Texas.
Meanwhile, Musk's xAI is asking a federal judge to force four users who sued over Grok-generated deepfake nudes to drop their pseudonyms and litigate under their real names; one of the plaintiffs alleges the chatbot was used to fabricate sexual images of her as a minor. The plaintiffs say they would rather drop the suit than face harassment and doxing from Musk's online supporters. xAI's lawyers claim that because the deepfakes will be kept under seal, there is "nothing inherently stigmatizing" about naming the parties.
Google this week rolled out a new Android feature aimed at impersonation scams that use AI to spoof numbers and clone voices. Built into Google Dialer and shipping to phones running Android 12 or later, it sends a silent cryptographic handshake to the other party's device during a call. If the call is detected as fake, Android flags it and removes the contact photo from the screen, but both parties must be using Google Dialer, so iPhones are not covered.
WIRED also reported this week that the Manhattan Institute, the right-wing think tank that engineered 1990s "broken windows" policing and the Trump administration's anti-DEI campaign, is promoting model legislation that would make minor protest-related offenses felonies under its new theory of "civil terrorism".
Researchers have disclosed a new browser side-channel attack called FROST that fingerprints other browser tabs, and even apps on the device, by timing reads from a sandboxed file on the SSD. The attack runs entirely in JavaScript and analyzes the timing traces with a neural network trained on the I/O signatures of common software. There is no sign so far that the technique has been used in the wild.
Other notable news in brief:
- Chinese crypto-funded fentanyl labs switch to selling peptides: Blockchain analytics firm Chainalysis published a report this week tracing cryptocurrency flows to peptide sellers and found that this gray market now exceeds $100 million a year and is growing. Some Chinese labs that previously sold fentanyl precursors have switched to manufacturing and selling peptides, aiming to profit from the social media "looksmaxxing" craze while avoiding law enforcement crackdowns on opioid manufacturers.
- Meta's AI support system exploited by hackers: Since Meta announced that account support would increasingly be automated with AI (including password updates), hackers found they could use the tool to reset passwords and take over the accounts of celebrities, including President Obama and the chief master sergeant of the US Space Force. Meta says the issue is fixed, but this wave of account hijackings exposes the risk of outsourcing security functions to AI.
- Anthropic helps the NSA with offensive hacking: AI firm Anthropic gave its powerful Mythos tool to the US National Security Agency (NSA) for testing. The tool can discover previously hidden exploitable vulnerabilities in software with alarming speed. Although the NSA also has a defensive mission, the Financial Times reports that Anthropic is sending engineers to help the NSA learn to use the tool for offensive hacking operations. Whether Mythos has been used in actual attacks cannot yet be confirmed.
- Bill Pulte named acting Director of National Intelligence: US President Trump has picked Bill Pulte to serve temporarily as director of national intelligence, replacing Tulsi Gabbard, who resigned citing her husband's health. Pulte will also remain director of the Federal Housing Finance Agency, where he has already issued multiple criminal referrals to the Justice Department accusing Trump's political opponents of mortgage fraud, including New York Attorney General Letitia James and Federal Reserve Governor Lisa Cook. Lawmakers from both parties have voiced concern about the appointment.
- Mystery of the US military's GPS data solved: University College London professor Steven Murdoch published evidence that the random-looking mystery messages in GPS satellite signals, a puzzle for nearly two decades, are most likely part of a system the US military uses to distribute cryptographic keys to military GPS receivers worldwide. Using signals intelligence techniques to analyze tens of millions of historical records, he found that in May 2011 nearly all GPS satellites simultaneously switched to broadcasting the same placeholder message, coinciding with the rollout of the military's Over-the-Air Distribution (OTAD) key system. Murdoch stresses that he did not break any military encryption, but the work shows the value of analyzing a system's behavior.
English source:
Meta has been quietly stashing dormant face recognition code on more than 50 million phones, WIRED reported this week, tucked inside the companion app that pairs with its Ray-Ban and Oakley smart glasses. If activated, the feature—known internally as NameTag—would let wearers identify people in front of them by matching captured faces against a biometric gallery sitting on the user’s device. It’s the same kind of technology Meta said it walked away from in 2021, after paying out billions of dollars to settle biometric privacy lawsuits in Texas and Illinois.
Meanwhile, xAI is asking a federal judge to force four people suing the company over Grok-generated deepfake nudes to drop their pseudonyms and litigate under their real names—including one plaintiff who alleges the chatbot was used to fabricate sexual images of her as a child. The plaintiffs say they’d sooner drop the suit than submit to harassment and doxing from Musk’s online supporters. xAI’s lawyers, however, claim that since the deepfakes will remain under seal, there’s “nothing inherently stigmatizing” about naming the people in them.
Google rolled out a new Android feature this week aimed at the wave of AI-powered impersonation scams that help fraudsters spoof a familiar number and clone a person’s voice. Packaged with Google Dialer and shipping to phones running Android 12 or later, it pings the caller’s device for a silent cryptographic handshake. If the call is fake, Android will flag it and strip the contact photo from the screen, but only if both ends are on Google Dialer, which leaves iPhones out of the picture.
WIRED also reported this week that the Manhattan Institute—the same right-wing think tank that engineered the 1990s broken-windows policing and the Trump administration’s anti-DEI push—is now shopping model legislation to turn minor protest-related offenses into felonies under a novel theory it calls “civil terrorism.”
Researchers have detailed a clever new browser side-channel attack called FROST that fingerprints other tabs—and sometimes the apps on your device—by measuring how long it takes to read from a sandboxed file on your SSD. The attack runs entirely in JavaScript and feeds the timing traces through a neural network trained on the I/O signatures of common software. No evidence so far anyone is using it in the wild.
And that’s not all. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.
Chinese Crypto-Funded Fentanyl Labs Are Switching to Selling Peptides
The supplements known as peptides—chains of amino acids that promise to help those who smear, ingest, or inject them achieve everything from weight loss to skin rejuvenation—have become their own largely unregulated pharmaceutical subindustry. So it figures that their growth is being fueled by cryptocurrency, often sent directly to the Chinese labs that sell these mysterious panaceas.
Crypto-tracing firm Chainalysis this week published an analysis of crypto flows to peptide sellers, a gray market that the company now measures at more than $100 million a year and growing. Chainalysis specifically found that some of the same Chinese labs that were previously selling fentanyl precursors have now switched to manufacturing and selling peptides. The transition, Chainalysis believes, is designed to cash in on the wave of “looksmaxing” hype across social media that has pushed peptide sales—and to avoid the risk of a law enforcement crackdown on opioid manufacturers.
Meta’s AI Support Hacked Its Own Users’ Accounts
AI can do all kinds of things if you just ask it: Code an app, touch up your photos, or even hack President Barack Obama’s Instagram account. Since Meta announced in March that its account support will be increasingly automated with AI, including for functions like updating your password, hackers found that they could exploit the tool to reset the password and take over accounts of even high-profile users and celebrities. Among the victims, as reported by 404 Media, are Obama, the chief master sergeant of the US Space Force, and makeup chain Sephora. Meta says the issue is now fixed and affected accounts have been secured. But the wave of takeovers illustrates the risks of off-loading security functions to AI—particularly at companies like Meta, which has very publicly touted its all-in approach to adopting AI across the company.
Anthropic Is Now Helping the NSA With Offensive Hacking
When AI firm Anthropic rolled out its powerful Mythos tool to a select group of organizations for testing, it raised eyebrows by including the US National Security Agency on that initial access list. Mythos, after all, is reportedly capable of finding previously hidden, hackable vulnerabilities in software with alarming speed, raising fears that it could be used for automated mass surveillance and cyberattacks. But the NSA also has a defensive mission, and initial reporting suggested the agency might just be using Anthropic’s tool to find bugs in popular software used by Americans—such as Microsoft’s—with the goal of better securing it. Yet the Financial Times now reports that Anthropic is helping the NSA take its use of Mythos a step further, deploying Anthropic’s own engineers to the agency to help it learn to use the AI tool—including for offensive hacking. The FT couldn’t confirm that Mythos is being used in active hacking operations. But given the growing use of AI for state-sponsored hacking, it would be a surprise if the US is not joining the field of modern-day automated cyberintrusions.
Bill Pulte Tapped as Acting Director of National Intelligence
US president Donald Trump has picked Bill Pulte to temporarily act as director of national intelligence. Pulte replaces Tulsi Gabbard, who recently stepped down from the role citing her husband's health issues. Trump has said he is considering other people for the permanent job, but that confirmation process can take months.
As acting director, Pulte would be responsible for the entire US intelligence community, coordinating 18 different agencies including the Central Intelligence Agency and NSA.
Pulte would simultaneously remain in his position as director of the Federal Housing Finance Agency, where he's been busy. Typically, the agency's work involves regulating Fannie Mae and Freddie Mac, but Pulte has spent his time issuing multiple criminal referrals to the Justice Department accusing Trump's political enemies of mortgage fraud, including New York attorney general Letitia James, Federal Reserve governor Lisa Cook, and US senator Adam Schiff.
Both Republican and Democratic senators have expressed concerns about Pulte’s pick, which was made as Congress is still debating whether to renew a sweeping surveillance program known as Section 702.
Weird GPS Data Mystery Linked to US Military
For years, GPS satellites have been broadcasting mysterious data in a little-used portion of their public signal. The messages appear random. No one seemed to know exactly what they were for—until now. This week, University College London professor Steven Murdoch published evidence that may solve the mystery. After analyzing millions of archived GPS transmissions spanning nearly two decades, Murdoch concluded that the messages are likely part of the system the US military uses to distribute cryptographic keys to military GPS receivers around the world.
Murdoch borrowed techniques from the world of signals intelligence. He studied how often the messages changed, when satellites synchronized their behavior, and how those patterns evolved over time. One event stood out: In May 2011, nearly every operational GPS satellite abruptly switched to broadcasting the same placeholder message before transitioning to a new pattern. The change coincided with the rollout of a military system known as Over-the-Air Distribution, or OTAD, which allows military GPS receivers to receive updated cryptographic keys remotely rather than requiring them to be physically reprogrammed.
In an interview with WIRED, Murdoch stressed that he didn't crack any military encryption and cannot read the contents of the messages. Instead, his work shows how much can be learned by studying the behavior of a system rather than its secrets. The signals themselves are publicly broadcast and can be received by anyone with the right equipment. By examining years of those transmissions, Murdoch argues, he has uncovered a previously undocumented piece of GPS infrastructure that has been hiding in plain sight.