discord china_内部Discord的安全大修

discord china

In an April 2020 report on the security and privacy of 15 video calling apps, the Mozilla Foundation gave failing grades to three apps: Doxy, Houseparty, and Discord. I was one of the journalists who worked with the foundation to break the story.

在 2020年4月的一份关于15个视频通话应用程序的安全性和隐私性的报告中 ，Mozilla基金会对以下三个应用程序的评分不及格：Doxy，Houseparty和Discord。 我是与基金会合作打破故事的记者之一。

It’s been months since the report came out, and both Doxy and Houseparty are still on the foundation’s fail list. But Discord, a voice, video, and text communication tool that’s popular with gamers and on the rise among other groups, is different. Within one day of the Mozilla report’s release, Mozilla announced that Discord had fixed its most glaring security hole, which allowed accounts to be created with passwords as simple as “111111.” The foundation applauded the rapid change, saying, “We’re pleased to see Discord prioritize consumers’ security, and thank them for their quick action.”

报告发布已经有几个月了，两个Doxy 和Houseparty仍在基金会的失败名单上。 但是Discord是一种受游戏玩家欢迎并且在其他人群中越来越多的语音，视频和文本交流工具，它与众不同。 在Mozilla报告发布的一天之内，Mozilla宣布Discord 解决了其最明显的安全漏洞 ，该漏洞允许使用“ 111111”这样的简单密码创建帐户。 该基金会对Swift的变化表示赞赏，并表示：“我们很高兴看到Discord优先考虑消费者的安全，并感谢他们的Swift行动。”

After the Mozilla report, Discord reached out to me with information about the privacy of its app. The spokesperson said, “We do not make any money via advertising or share [user] data with any third-parties that look to profit off of the information from our users. Our business model is entirely based on subscriptions (Nitro).”

在Mozilla报告之后，Discord向我提供了有关其应用程序隐私的信息。 发言人说：“我们不会通过广告或与希望从用户信息中获利的任何第三方共享[用户]数据来赚钱。 我们的业务模式完全基于订阅( Nitro )。”

Fixing password procedures seems like it should be straightforward, but in reality, it requires changing verification systems across multiple websites, apps, and other digital endpoints.

修复密码程序似乎应该很简单，但实际上，它要求跨多个网站，应用程序和其他数字端点更改验证系统。

Zero monetized data sharing is a pretty bold claim for a technology company to make. So I started to dig deeply into Discord’s privacy and security — from a legal, technical, and business standpoint. I expected to find all kinds of lurking demons. But instead, I walked away pleasantly surprised. Discord still faces challenges, but the company seems genuinely committed to improving privacy and security for its users.

零货币化数据共享对于技术公司来说是一个相当大胆的主张。 因此，我开始从法律，技术和业务角度深入研究Discord的隐私和安全性。 我期望找到各种潜伏的恶魔。 但是，相反，我惊喜地走开了。 Discord仍面临挑战，但该公司似乎确实致力于改善其用户的隐私和安全性。

For my investigation, I started by using a browser-based data logger to capture and view all the data Discord sent as I used the service. I also used Lumen — an app developed by UC Berkeley’s Haystack Project — to monitor the data sent out by Discord’s Android app as I logged in, joined chats, and performed other actions. I also grabbed a dump of all my user data directly from Discord and combed through it. And I spoke at length with Jen Caltrider, the lead researcher on the Mozilla Foundation’s report.

为了进行调查，我首先使用了基于浏览器的数据记录器来捕获和查看在使用服务时Discord发送的所有数据。 我还使用了Lumen(由UC Berkeley的Haystack Project开发的应用程序)来监视Discord的Android应用程序在我登录，加入聊天和执行其他操作时发送的数据。 我还直接从Discord中抓取了所有用户数据的转储，并进行了梳理。 我与Mozilla基金会报告的首席研究员Jen Caltrider进行了详尽的交谈 。

Caltrider confirmed that upon starting her own research on Discord, she was skeptical about the app’s privacy and security. This was primarily due to her knowledge of Discord’s original user base, which included neo-Nazis, Gamergate promoters, and the like. (Mozilla still warns that “Discord has had problems with toxic content, harassment, human trafficking, and other online crimes.”)

Caltrider确认在对Discord进行自己的研究后，她对该应用程序的隐私和安全性表示怀疑。 这主要是由于她了解Discord的原始用户群，其中包括neo-Nazis ，Gamergate推广者等。 (Mozilla仍警告说 ：“ Discord在毒物，骚扰，人口贩运和其他在线犯罪方面存在问题。”)

But Caltrider, too, ultimately walked away feeling that the company was genuinely trying to do right by its users.

但是，Caltrider也最终走开了，感觉到该公司确实在试图由其用户来做。

After Mozilla’s report went live, Caltrider said that Discord co-founder Stanislav Vishnevskiy immediately reached out to her with a detailed message. She called the email a “feat of computer engineering” and said the message went into Discord’s privacy policies and security measures in intense (sometimes overwhelming) detail. Caltrider said that while everything wasn’t perfect about the company’s plans, Discord was “addressing all the right things.”

在Mozilla的报告发布后，Caltrider说，Discord联合创始人Stanislav Vishnevskiy立即向她伸出了详尽的信息。 她称这封电子邮件为“计算机工程的壮举”，并说这封信深入详尽地(有时是压倒性的)纳入了Discord的隐私政策和安全措施。 Caltrider表示，尽管对于公司的计划而言，并不是所有事情都完美无缺，但Discord却在“解决所有正确的问题”。

Caltrider was also impressed by the speed with which Discord fixed its password issues. Fixing password procedures seems like it should be straightforward, but in reality, it requires changing verification systems across multiple websites, apps, and other digital endpoints. It also means potentially invalidating passwords that are too weak and dealing with a surge of users updating their credentials all at once.

Calordder也对Discord修复其密码问题的速度印象深刻。 修复密码程序似乎应该很简单，但实际上，它要求跨多个网站，应用程序和其他数字端点更改验证系统。 这也意味着可能使太弱的密码无效，并导致大量用户一次更新其凭据。

Mozilla says that Discord also moved to disallow passwords that had been compromised through other websites’ data breaches, enable two-factor authentication for major users of the platform (other users can opt in to two-factor authentication using Google Authenticator or Authy), and integrate a third-party authentication service rather than relying on less secure SMS messages. These are all positive steps toward better privacy and security. Caltrider found it surprising that Discord made them so quickly.

Mozilla表示，Discord还采取行动以禁止因其他网站的数据泄露而泄露的密码，为平台的主要用户启用两因素身份验证(其他用户可以使用Google Authenticator或Authy 选择两因素身份验证)，以及集成第三方身份验证服务，而不是依赖不太安全的SMS消息。 这些都是迈向更好的隐私和安全性的积极步骤。 Caltrider感到惊讶，Discord如此Swift地将它们制成。

My own investigation of Discord was mostly notable for what I didn’t find. Firstly, I saw no evidence that Discord was sharing customer data with third-party advertising platforms, at least in the browser. Even companies that publicly boycott platforms like Facebook still often share data with them, and Zoom got into hot water for its own data sharing earlier this year. Discord sends data to Google Analytics, but I didn’t see evidence of data going to other third-party websites.

我对Discord的调查主要是因为我没有发现。 首先，我看不到任何证据表明Discord至少在浏览器中与第三方广告平台共享了客户数据。 即使是像Facebook这样的公开抵制平台的公司，仍然经常与他们共享数据 ，而Zoom 在今年早些时候因其自身的数据共享而陷入困境 。 Discord将数据发送到Google Analytics(分析)，但是我没有看到数据进入其他第三方网站的证据。

Likewise, my analysis of Discord’s Android app didn’t reveal much concerning activity. The company does appear to send data to two external services — Adjust and Google’s Crashlytics. This data could potentially be used to target ads. But it’s more likely that Discord is using these services for its own internal analytics or to spot and fix stability issues with its app.

同样，我对Discord的Android应用程序的分析也没有太多涉及活动。 该公司确实出现将数据发送到两个外部服务- 调整和谷歌的Crashlytics 。 此数据可能会用于定位广告。 但是，Discord更有可能将这些服务用于自己的内部分析，或者发现并修复其应用程序的稳定性问题。

The large dump of my Discord data (which any Discord user can access for their own account) revealed the same pervasive internal tracking of user activity that I expect to see with any modern app. Every interaction, message sent, or channel joined is logged.

我的Discord数据的大量转储( 任何Discord用户都可以使用其自己的帐户访问 )显示了我希望在任何现代应用程序中看到的相同的用户活动内部跟踪信息。 记录每次交互，发送的消息或加入的频道。

But unlike with my Facebook data dump, which revealed third-party connections to more than 1,000 companies, I saw no evidence that Discord was sharing my user data with others. Discord also has a surprisingly comprehensive tutorial explaining the specifics of its data dump—a rare move that should be applauded. And it allows users to opt out of much of its internal logging.

但是，与我的Facebook数据转储不同，后者揭示了与1000多家公司的第三方连接，而我却看不到任何证据表明Discord正在与他人共享我的用户数据。 Discord还提供了令人惊讶的综合教程，解释了其数据转储的细节，这一罕见的举动值得称赞。 而且，它使用户可以选择不使用其内部日志记录。

All these steps only allow me to see the data that Discord is gathering or sharing through my browser or app, as well as the personal data it has chosen to disclose to me. It’s possible that the company could still be sharing data with advertising partners through its backend. That kind of sharing wouldn’t be visible unless I had access to Discord’s servers.

所有这些步骤仅允许我查看Discord正在通过我的浏览器或应用程序收集或共享的数据，以及它选择向我透露的个人数据。 该公司仍有可能仍通过后端与广告合作伙伴共享数据。 除非我可以访问Discord的服务器，否则这种共享是不可见的。

But in my experience, most companies that share data privately also use public tracking and sharing methods, like the Facebook integrations I’ve found on hundreds of other websites. Discord’s services appear refreshingly free of these obvious interconnections.

但是以我的经验，大多数私下共享数据的公司也使用公共跟踪和共享方法，例如我在其他数百个网站上发现的Facebook集成。 Discord的服务似乎没有这些明显的相互联系。

That’s strange, because according to Caltrider, Discord’s privacy policy makes it “sound like the company is sharing data with third parties.” Notably, the policy does state clearly: “We do not sell the personal information of our users.” But in online advertising, “sell” and “share” are often slippery concepts.

这很奇怪，因为根据Caltrider的说法，Discord的隐私权政策使其“听起来像公司正在与第三方共享数据”。 值得注意的是，该政策确实明确规定：“我们不会出售用户的个人信息。” 但是，在在线广告中，“出售”和“共享”通常是比较光滑的概念。

A company may “share” data with a third party to target ads to its users. Even if the company then makes money through those ads, the data transfer may be considered “sharing” instead of “selling,” since the company made profits through the ads, not the transfer of the data itself.

公司可以与第三方“共享”数据，以将广告定位到其用户。 即使公司随后通过这些广告赚钱，也可以将数据传输视为“共享”，而不是“出售”，因为公司是通过广告而不是数据本身来获利的。

Discord’s policy does allow for sharing “your information with our Related Companies,” which include Discord’s “affiliates.” And the policy says that Discord integrates with Facebook’s SDK and “may collect information for optimizing advertising campaigns outside of the Service” (though, again, I saw no evidence that this was happening).

Discord的政策确实允许共享“与我们的关联公司的信息”，其中包括Discord的“关联公司”。 该政策规定Discord与Facebook的SDK集成在一起，并且“可能会收集信息以优化Service外部的广告活动”(不过，我再也没有证据表明这种情况正在发生)。

Challenges still lie ahead, and improvements are still possible — especially as Discord scales.

挑战依然存在，并且改进仍有可能-尤其是随着Discord规模的扩大。

Discord might have left that language in its privacy policy so it could keep the option to transfer data to third parties (or to target ads on Facebook) down the road. But if the company is actually abstaining from transferring customer data to third parties right now, it should consider updating its privacy policy to reflect this. That might give users peace of mind and would be a bold step toward privacy in a world where corporate data sharing has become ubiquitous.

Discord可能已将该语言保留在其隐私政策中，因此它可以保留将数据传输到第三方(或在Facebook上定位广告)的选项。 但是，如果该公司现在实际上正在放弃将客户数据传输给第三方的行为，则应考虑更新其隐私政策以反映这一点。 在企业数据共享变得无处不在的世界中，这可以使用户放心，并且是迈向隐私的大胆一步。

Overall, both Caltrider and I walked away from our research on Discord with the impression that the company is genuinely trying to improve privacy and security. Part of that may be tied to its overall business goals. In late June, Discord announced that it had raised more than $100 million in a new funding round. The company was probably finalizing the round right as Mozilla’s report came out — this alone may have accounted for its remarkable speed in fixing its password issue. The new round values Discord at $3.5 billion.

总体而言，我和Caltrider都放弃了对Discord的研究，给人的印象是该公司确实在努力改善隐私和安全性。 其中一部分可能与其总体业务目标有关。 6月下旬，Discord宣布已在新一轮融资中筹集了超过1亿美元 。 Mozilla的报告出炉后，该公司可能正在最终确定该回合权利-仅此一项就可能说明了其解决密码问题的惊人速度。 新一轮对Discord的估值为35亿美元。

A big part of this valuation is based on a major pivot in Discord’s business model. According to TechCrunch, “Discord wants to be more than just a place for gamers.” Fueled by a surge of online activity during Covid-19 lockdowns, the platform has fast become “a Slack for users’ social lives.” Catering to the needs of everyday users is a much better business prospect for Discord than tailoring its services to a niche audience of sometimes combative gamers.

估值的很大一部分是基于Discord业务模式的主要重点。 根据TechCrunch的说法 ，“ Discord不仅想成为游戏玩家的地方 。” 在Covid-19锁定期间在线活动激增的推动下，该平台Swift成为“用户社交生活的懈怠”。 满足日常用户的需求，Discord的业务前景要比针对有时好斗的游戏玩家的小众市场量身定制的服务要好得多。

To this end, Forbes reports that Discord has been cracking down on hate speech, alt-right groups, and white supremacists on its platform. While parts of Discord are “still a place rife with gaming’s school-yard culture,” Forbes says that the app also now attracts Black Lives Matter protesters, as well as people interested in casual chats with friends or family members.

为此， 《福布斯》报道说，Discord在其平台上一直在打击仇恨言论，另类右翼组织和白人至上主义者。 尽管Discord的某些部分“仍然充斥着游戏的校园文化，” 福布斯说，该应用程序现在还吸引了Black Lives Matter抗议者，以及对与朋友或家人休闲聊天感兴趣的人。

Caltrider largely agreed with this. In her words, Discord “seems keen on getting kids, book clubs, and overall a broader user base.” While the service “isn’t designed for sensitive, encrypted communication,” it’s probably a reasonably safe and private space to gather with friends and discuss Little Fires Everywhere.

Caltrider在很大程度上同意了这一点。 用她的话说，Discord“似乎热衷于吸引孩子，读书俱乐部以及整体上更广泛的用户群。” 尽管该服务“并非为敏感的加密通信而设计”，但它可能是与朋友聚会并讨论Little Fires Everywhere的合理安全和私人空间。

If Discord’s new direction means the company is leaning into privacy and security, that’s an excellent thing. While I don’t have a window into the company’s internal operations, all my investigations suggest that it’s moving in this direction.

如果Discord的新方向意味着该公司正致力于隐私和安全性，那将是一件很棒的事情。 虽然我没有了解公司内部运营的窗口，但我的所有调查都表明它正在朝这个方向发展。

Challenges still lie ahead, and improvements are still possible — especially as Discord scales. Venture investors might put pressure on the company to monetize user data down the line, a siren song it should continue to resist. And there are security updates it could make right now. According to Caltrider, “The best thing Discord could do at the moment is roll out two-factor authentication to all users,” making it a requirement to use the service.

挑战依然存在，并且改进仍有可能-尤其是随着Discord规模的扩大。 风险投资人可能会向公司施加压力，要求他们通过路线将用户数据货币化，这是它应该继续抵制的警笛。 并且它可以立即进行安全更新。 根据Caltrider的说法，“ Discord目前最好的做法是向所有用户推出两因素身份验证，”这是使用该服务的要求。

But overall, Discord appears to be actively engaged in protecting the privacy and security of its users and moving in the right direction. In an era where user privacy is often casually traded away, Discord’s new direction is refreshing to see.

但总体而言，Discord似乎积极致力于保护其用户的隐私和安全并朝着正确的方向发展。 在用户隐私经常被随意交易的时代，Discord的新方向令人耳目一新。

翻译自: https://onezero.medium.com/inside-discords-security-overhaul-bf2e7de23ba5

discord china