Aggregator
What's New for Developers: January 2022
Holiday Plan: masscan Modification Plan (Part 1)
Happy New Year
ChengYingTeam wishes all of our friends a Happy New Year!
Observations and Reflections on Technical Management, Volume 1
Prelude to Java Deserialization Vulnerability Research: Transformer, Dynamic Proxies and Annotations
ssh client Code Reading (unfinished)
How We Handle Privacy at F5 Labs
Universal Plug and Play (UPnP): What You Need to Know
UPnProxy: Eternal Silence
Discord? Discard!
Image by K4YT3X, adapted from Alexander Shatov; Unsplash License
Online multiplayer games often feature in-game voice chat so players can talk to each other during a match. For example, Rainbow Six Siege, a popular online FPS (first-person shooter), integrates TeamSpeak, a third-party VoIP (voice over IP) solution, as its in-game voice chat system. These in-game voice chat solutions usually offer very few features, which led to the birth of Discord.
Figure 1: A gamer using Discord for voice chat (ELLA DON; Unsplash License)
Discord's name should be familiar to any video gamer. It is one of the most popular voice chat platforms. Discord lets players join servers and voice/text channels to communicate with each other during game sessions. It also provides features like noise cancellation with Krisp and automation with Discord bots. Its polished user interface made it popular beyond gamers. Although gamers remain a large share of Discord's user base (31.3% as of 2021, according to a user survey), many non-gamers and organizations also use Discord as their preferred communication platform, and many people use it as an instant messaging (IM) app in place of traditional IMs like WhatsApp and Signal. However, you'll see why this might not be a good idea after digging into Discord's privacy policy and terms of service.
Discord, a Data Hoarder
Many people have heard of privacy-respecting apps like Signal and Telegram, especially after WhatsApp's terms of service change in March 2021. However, not everyone knows exactly how these apps are more private.
One of the most commonly evaluated criteria is how much data an app collects. Thanks to Apple's privacy label policy, all apps published on the App Store must now declare the categories of data they collect. A simple comparison between Discord and Signal shows the difference. Discord's App Store page shows that its mobile app collects the following categories of data:
Figure 2: AppStore showing the data which Discord collects (source)
Discord collects seven categories of data, much of which could be private and sensitive. For instance, it collects the photos, videos, and all other content you send over the platform. Discord does not end-to-end encrypt messages, so the service itself can read everything you send, and none of your conversations on Discord are truly private.
Figure 3: AppStore showing the detailed information about the information Discord collects (source)
In fact, Discord's privacy policy reserves the right to collect almost everything generated by your use of the platform or sent over it. Discord could be silently collecting more categories of data than those listed on its App Store page, and the desktop app might collect more types of data than its iOS counterpart. For this reason, you should treat everything you do and share on Discord as public. I would personally also consider Discord semi-spyware.
Figure 4: Discord’s privacy policy reserving them the right to collect any data generated or transferred over their platform (source)
In contrast, Signal's iOS app collects almost nothing. The only piece of information Signal collects is your phone number, which is required for the app to function since your phone number is your account ID. From this comparison it is not difficult to see how little respect Discord has for its users' privacy: it collects far too much private information about you.
Figure 5: AppStore showing the data which Signal collects (source)
Discord claims that it doesn't sell users' data, but it legally could: nothing in its privacy policy or terms of service prevents it from doing so. Even if Discord strictly keeps the data to itself, data breaches can still happen; Equifax's massive breach didn't happen that long ago.
Discord may also share your data with law enforcement. In 2018, the FBI obtained the Discord chat history of the organizer of the 2017 "Unite the Right" rally in Charlottesville, and the logs were found admissible as evidence in court. Some of the chat logs were also published online by news media. Discord's transparency report also shows that it complies with most of the requests it receives from law enforcement:
Figure 6: Discord’s compliance history with law enforcement requests in H1 2021 (source)
The horror story doesn't end there; there are more caveats in Discord's privacy policy and terms of service. In 2018, Discord modified its terms of service and revoked users' rights to sue the company or join a class-action lawsuit. The new dispute resolution provision forces users into arbitration with the company and prevents them from going to trial, which means no jury is involved in the process, potentially a huge disadvantage for the user.
Figure 7: A section of Discord's dispute resolution provision (source)
Furthermore, a class waiver clause prevents users from joining any class-action lawsuit. Combined with the dispute resolution provision, this leaves a user who has a dispute with Discord able only to enter arbitration alone against the company, a very weak position from which to hold the company accountable for anything it does.
Figure 8: The class waiver in Discord’s terms of service (source)
There are many more caveats in Discord's privacy policy and terms of service. It is time-consuming and difficult for an average user with an untrained eye to pick out all of the legal tricks Discord has pulled in these documents. Luckily, an open-source, volunteer-powered project called ToS;DR (Terms of Service; Didn't Read) can help. Volunteers, including professional lawyers, translate and summarize the complicated legal language in different platforms' terms of service into plain English so that ordinary users can understand what they are up against. You can view ToS;DR's page for Discord to see exactly what else Discord is hiding in its documents:
Figure 9: Caveats in Discord’s privacy policy and terms of service listed by ToS;DR
If the reasons above still aren't enough for you to quit Discord, here are some more. Richard Matthew Stallman has also written a post discouraging people from using Discord, and a more technical analysis of why Discord is very close to being spyware is available here.
What if I Have to Use It?
While Discord might not be the ideal platform for anything private or sensitive, it may still be a compelling, or the only, option for communication in many scenarios: a conference might be organized entirely on Discord, or the party you game with might use nothing else. If you absolutely have to keep using Discord, here are some tips to minimize its privacy impact on you:
1. Don't Send Private/Sensitive Messages
As the previous sections discussed, Discord isn't the place for private or sensitive messages: Discord can see all your messages and has both the power and the willingness to share them with law enforcement. Minimize your conversations and activities on Discord to minimize its impact on your privacy.
2. Mark Your Channels NSFW
By default, Discord's explicit media content filter scans the images and video posted in a server's channels to flag explicit material. If you don't want this automated scanner to process everything posted in your channel, a server administrator can mark the channel as age-restricted (NSFW); the explicit content filter does not scan messages sent in age-restricted channels. Note the trade-off: age-restricted channels are only accessible to users who have confirmed they are 18 or older.
3. Use the Web App
Use the web version of Discord in your browser instead of the desktop app. A native desktop application can access a lot of information on your computer, such as which other apps you're running and how long your computer has been on. Even if Discord isn't collecting some piece of information now, it can easily update its app to silently start collecting it later. In contrast, modern browsers like Chrome run web pages in a sandbox that confines them to a narrow set of browser APIs, so a web page gets nothing like the file, process and hardware access a native application has. Discord's web app can therefore see far less of your information than its desktop counterpart. Run Discord in your browser unless you truly need a desktop-only feature.
Figure 10: Login into Discord on your browser (source)
4. Sandbox the Desktop App
If you have to use Discord's desktop app, perhaps because you need a feature that is only available in the desktop version, consider running it in a sandbox like Sandboxie (Windows) or Firejail (Linux). These sandboxes limit Discord's access to your computer and minimize its footprint on the system.
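As an added example (not from the original post, and not Firejail's or Discord's own code), the script below launches the Linux Discord client under Firejail with restrictions tighter than Firejail's bundled discord.profile: a throwaway home directory, no view of mounted drives, a spoofed hostname and machine-id, and no D-Bus access. It assumes Firejail is installed, that the client is on PATH as discord, and uses ~/.discord-sandbox (an arbitrary choice) as the sandbox home. Run it with launch to start Discord, or with check to see what a process under the same restrictions can actually observe.

```bash
#!/usr/bin/env bash
# Added example: run the Discord desktop client inside a Firejail sandbox.
# Assumptions (not from the original post): firejail is installed, the client
# is on PATH as "discord", and ~/.discord-sandbox is acceptable as its home.
set -euo pipefail

SANDBOX_HOME="${SANDBOX_HOME:-${HOME:-/tmp}/.discord-sandbox}"

# One Firejail option per line. Firejail also applies its own discord.profile
# automatically because the program name matches; these flags only tighten it.
discord_sandbox_args() {
    local args=(
        "--private=$SANDBOX_HOME"   # Discord sees only this directory as its home
        --private-dev               # minimal /dev (sound devices stay available)
        --private-tmp               # fresh, empty /tmp
        --disable-mnt               # hide /mnt, /media, /run/mount, /run/media
        --noroot                    # no root user inside the sandbox
        --nonewprivs                # block setuid/capability escalation
        --caps.drop=all             # drop every Linux capability
        --seccomp                   # Firejail's default syscall blacklist
        --protocol=unix,inet,inet6  # no netlink or raw packet sockets
        --netfilter                 # default client firewall (outbound only)
        --machine-id                # random /etc/machine-id instead of the host's
        --hostname=sandbox          # do not leak the real hostname
        --dbus-user=none            # no session bus: no enumerating other apps
        --dbus-system=none          # no system bus either
        --no3d                      # no direct GPU access; drop if screen sharing breaks
    )
    printf '%s\n' "${args[@]}"
}

# Start Discord inside the sandbox, passing any extra arguments through.
launch_discord() {
    mkdir -p "$SANDBOX_HOME"        # --private requires an existing directory
    local -a args
    mapfile -t args < <(discord_sandbox_args)
    exec firejail "${args[@]}" discord "$@"
}

# Run a plain shell under the same restrictions and print what it can see:
# an (almost) empty home, the spoofed hostname and machine-id, no mounts.
check_sandbox() {
    mkdir -p "$SANDBOX_HOME"
    local -a args
    mapfile -t args < <(discord_sandbox_args)
    firejail --quiet "${args[@]}" sh -c '
        echo "home:       $HOME ($(ls -A "$HOME" | wc -l) entries)"
        echo "hostname:   $(uname -n)"
        echo "machine-id: $(cat /etc/machine-id)"
        echo "mounts:     $(ls /mnt /media 2>/dev/null | wc -l) entries visible"
    '
}

# Only act when invoked directly with a mode; sourcing the file just defines the functions.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    case "${1:-}" in
        launch) shift; launch_discord "$@" ;;
        check)  check_sandbox ;;
        *)      : ;;   # no mode given: define functions only
    esac
fi
```

The check mode is the useful part: before trusting a sandbox, confirm from inside it that your real home directory, hostname and mounted drives are not visible. Voice chat keeps working because /dev/snd remains available; if video or screen sharing stops working, --no3d is the flag to remove.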
5. Tweak Discord's Privacy Settings
There are several settings under Discord's privacy settings you can adjust to protect your privacy. By default, Discord's Safe Direct Messaging option scans the media in your direct messages for explicit content, which means an automated scanner processes what you send and receive. You can turn it off so your direct messages are not scanned:
Figure 11: Discord’s safe direct messaging setting
You can also limit what Discord may use your data for in the same settings. It is also a good idea to periodically request a copy of your data from Discord to see how much Discord knows about you.
Figure 12: Discord’s data usage settings
Another thing to be mindful of is how using Discord affects your digital identity. Discord is a strongly gamer-flavored platform, and preferring it as your default method of communication might leave others with the impression that you are somewhat "unprofessional." By default, Discord also shows other users the game you're playing or the app you're using, and the games you play or apps you use can tell other users things about you.
Figure 13: Discord’s status panel showing what other users are doing
In both Signal and Telegram you can set self-destruct timers for messages, and you can even delete both your own and the other person's messages in a private chat for both parties. In Discord, by contrast, deleting your past messages and conversations is much harder. Something you said long ago can easily be dug up, so you need to be extra careful about what you say on Discord; it might be used against you someday and damage your image.
Why Privacy Matters
Almost this entire article explains how Discord undermines your privacy, but a response I often get is, "so what?" For readers wondering the same thing, below are some great resources explaining exactly why privacy is important:
- Privacy Is a Human Right: With this article, the Tor Project, the organization behind the Tor Browser, launched a campaign explaining why privacy matters: because it is a human right. The Tor Project's argument is simple: privacy is declared a human right in the 1948 Universal Declaration of Human Rights, and that alone is reason enough for people to respect and protect their own and other people's privacy.
- The terrifying now of big data and surveillance: A conversation with Jennifer Granick: One of Discord's problems is its willingness to aid law enforcement. In this interview with TED, Jennifer Granick, an American attorney, says "if you care about any political issue – whether it's tax reform or Black Lives Matter – we need to ensure these people can operate freely in the political world." When platforms like Discord strip people of their privacy and readily hand their data to the authorities, the effect goes far beyond an individual's comfort: a society without privacy is a society whose freedom is under threat.
Aside from the resources listed above, a slightly older talk from 2014 by Glenn Greenwald, Why Privacy Matters, also does a fantastic job of explaining the importance of privacy.
- https://k4yt3x.com/discord-discard/ - 2019-2024 K4YT3X. All rights reserved.
Final Version of the "U.S. Federal Government Zero Trust Strategy" Released
CodeQL Data Flow Analysis / Taint Analysis Notes (Part 1)
Ransomware as a Service Innovation Curve
Domain Persistence - Machine Account - zha0gongz1
[Reproduction] CVE-2021-4034 Ubuntu Privilege Escalation
[Closed] DEVCORE 2022 Internship Program
Since its founding in 2012, DEVCORE is entering its tenth year. We care deeply about Taiwan's cybersecurity and focus on finding the most severe weaknesses to protect the world. Although the company has not grown quickly, as we gradually find our footing we have not forgotten our original purpose: starting in 2020 we established security scholarships at Fu Jen Catholic University and National Taiwan University of Science and Technology; at the end of 2021 we expanded hiring to find talent who share the same ideals; and now we are trying our hand at an internship program, hoping to cultivate talent and strengthen the security skills of the next generation. If you are interested in this program, please apply by email!
Internship Content
This internship is split into two tracks, Binary and Web, with the following main content:
- Binary
Research-oriented: after settling on a research target with your mentor, analyze the target's architecture and perform reverse engineering or code review. Use this process to train your thinking and find possible attack surfaces and potential weaknesses. You will also try writing exploits for past vulnerabilities to experience how real-world vulnerabilities are actually exploited.
- Vulnerability discovery and research: 70%
- 1-day development (exploitation): 30%
- Web
Under a mentor's guidance, research past vulnerabilities and the new types of vulnerabilities and attack techniques common in recent years; produce slides presenting the results and build a simulated test environment (lab) that lets others reproduce the weakness; you may also need to write or modify exploit code to verify weaknesses.
- Vulnerability and attack technique research: 70%
- Lab construction: 30%
Location: 13F, No. 32, Section 3, Bade Road, Songshan District, Taipei (台北市松山區八德路三段 32 號 13 樓)
Internship Period
- April 2022 through the end of July 2022, 4 months in total.
- Two working days per week, 10:00 – 18:00
- One fixed afternoon per week (14:00 - 18:00) must be spent at the office to discuss progress
- All other time is remote work
Eligibility: Students in their third year (inclusive) or above at a college or university, with some security background
Planned Openings
- Binary track: 2
- Web track: 2-3
Stipend: NT$16,000 per month
Requirements and Selection Process
Internship Requirements
Binary
- Basic reverse engineering and debugging skills
- Able to read assembly and know basic debugger usage
- Basic exploitation skills
- Must know exploitation techniques such as ROP and heap exploitation
- Basic scripting-language development skills
- Python, Ruby
- Able to analyze large open-source projects
- Mainly C/C++
- Basic operating system knowledge
- For example, understanding the concepts of virtual and physical addresses
- Code auditing
- Know what kinds of code have problems
- Buffer overflow
- Use after free
- Race condition
- …
- Passion for research and a habit of understanding the essence of a technology
- Bonus, not required
- CTF competition experience
- pwnable.tw ranking
- A public technical blog/slides or write-ups
- Proficiency with IDA Pro or Ghidra
- Having written 1-day exploits
- Experience with any of the following
- Kernel exploits
- Windows exploits
- Browser exploits
- Bug bounty
Web
- Familiar with the OWASP Web Top 10.
- Understand all security topics in the PortSwigger Web Security Academy or have completed all of its labs.
- Reference: https://portswigger.net/web-security/all-materials
- Understand basic computer networking concepts.
- Comfortable on the command line, including common or built-in system tools on Unix-like and Windows operating systems.
- Familiar with at least one web programming language (e.g. PHP, ASP.NET, JSP) and able to build a complete web service.
- Familiar with at least one scripting language (e.g. shell script, Python, Ruby) and able to use scripts to support research.
- Debugging ability: can use a debugger to trace program flow and can reproduce and narrow down problems.
- Able to build and configure common web servers (e.g. Nginx, Apache) and operating systems (e.g. Linux).
- An inquisitive, get-to-the-root-of-it mindset.
- Bonus, not required
- Have independently discovered a 0-day vulnerability.
- Have independently analyzed a known vulnerability and written a 1-day exploit.
- Have authored and built challenges for a CTF competition.
- Hold the OSCP certification or an equivalent.
The selection consists of three stages:
Stage 1: Document Review
The first stage is a document review covering the following two items
- Résumé review
- Short-answer questions (2 questions; see How to Apply below)
We will decide whether you pass the first stage based on your résumé and your short-answer responses. We will reply within seven working days on whether you have passed the first stage and, where applicable, attach the second-stage problems.
Stage 2: Skills Assessment
- Binary
- The second stage uses your résumé or any other material demonstrating binary exploitation skills to decide whether additional problems are needed. If the bar is not met, we will prepare binary exploitation problems; in principle you will have about two weeks to solve them. After solving them, be sure to write down your solution process (a write-up). Once we receive the write-up, we will decide based on your situation whether you proceed to the third stage.
- Web
- None
Stage 3: Interview
This stage is a 1-2 hour interview with 2-3 senior team members to evaluate whether you have the technical skills and personal qualities this internship requires.
How to Apply
- Please send your résumé and short-answer responses as a single PDF to [email protected]
- Subject line format: [應徵] <position> <your name> (example: [應徵] Web 組實習生 王小美, i.e. "[Application] Web track intern Wang Xiaomei")
- Keep your résumé to two pages at most; it must include at least the following:
- Basic information
- Education
- Internship experience
- Community activities
- Notable achievements
- Past security-related research
- Your expectations for this internship
- MBTI personality test result (test page)
- The short-answer questions are listed below; answer those for the track you are applying to. There is no page limit, so feel free to elaborate
- Binary
- Suppose you are analyzing a web server written in C/C++. During execution, where do you think problems could arise that lead to control-flow hijacking, and why?
- On a Linux machine, when analyzing a CGI program, the CGI is invoked by Apache, which passes it its input, and it exits immediately after running. How would you debug such a program?
- Web
- When you type a URL into the browser's address bar (for example http://site.fake.devco.re/index.php?foo=bar) and press Enter, what happens between that moment and the page appearing on screen? Explain in as much detail as your knowledge allows.
- Based on your answer to the previous question, imagine any scenario you like and describe, in text and as fully as possible, the security issues, attack targets, or attack surfaces that could arise at each step of that scenario.
If you have any questions about applying, please contact us by email only; we apologize for any inconvenience. Thank you for your message, and we look forward to your joining us!