Solved

Shadow Transport Security


Userlevel 1

Wondering if Shadow might indulge me with a little information on how it handles transport security.

Based on previous threads, which are relatively limited, it seems Shadow uses UDP to stream from the Shadow instance back to the client unless you choose TCP.  My experience with the TCP options was not as good as a typical VDI or RDP session, the basic desktop would artifact, lag, and ghost.

The typical discussion point to choosing UDP centers around reducing latency and higher gaming performance. 

Unless wrapped in a TLS or IPSEC tunnel, UDP isn’t typically encrypted.  Now it’s valid to consider that what is streaming down from the Shadow instance to the client, it’s normally screen data and sound.  Risk here is relatively small for gaming assuming proper password masking for applications on the instance.  But how does the client handle data being sent to the instance?  Primarily keystroke and peripheral (camera and sound/voice)?

Unencrypted keyboard and peripheral (camera, sound/voice) is a much higher risk.  I choose to make up a random new Microsoft Account to activate my Shadow, then created a local account to login.  This reduces the risk, but then there’s the game userid and password.

Much of this is speculation and professional experience.  So this brings me to my original question, how does Shadow manage transport security?

icon

Best answer by Darasin 15 July 2020, 19:36

View original

This topic has been closed for comments

16 replies

Userlevel 6
Badge +6

If your initial answer was answered, please mark it as answered. Thanks) 

Userlevel 5
Badge +4

Thank you @Darasin for the perfectly reasonable details.

I was reading the “terms of service” the other day, and it does specifically mention that business/commercial use is prohibited, which makes sense.

Userlevel 3
Badge +1

Since you mentioned HIPAA and I work with PCI, I will say it will not meet those requirements and there is no reason they should. Shadow hasn’t mentioned a business class product yet, so no reason to pay someone to come into your data centers to grant you HIPAA/PCI certification. This requirement is why some business have issues with AWS and Azure, its a tough requirement that leads most to using compensating control.

I still think the biggest security feature is that your Shadow is not directly on the net and has no open inbound ports. Its likely a little more secure for it then home PC users. 

Userlevel 3
Badge +1

You have a PC with basically no in bound ports to attack. You can download viruses the same way anyone does and they “might” be able to harm your personal info, if you aren’t running standard protection software. 

You use a secure method to authenticate your identity to your Shadow, so you can interact. The stream itself is like a movie, no one is taking your banking password from it. 

In Jaxxys case he cant even accidentally DL a keylogger to his Ghost, for someone to get passwords that way. 

Its not that Shadow is trying to use obscurity to protect the service, its that they are keeping streaming performance high while keeping your Shadow very locked down.

Those are my professional observations. 

Dar

Userlevel 1
Badge +1

@Neyland Are you saying that Shadow is not encrypting our data as they have led us to believe? I’m asking as I have recently switched to using the Shadow Ghost as my only PC. That means I am now doing everything on my VM including banking, insurance, medical televisits, and other data sensitive activities from my Shadow  VM. If my data is not being encrypted and only obfuscated then I am going to have to get a lowend PC to use to do all of that and only use Shadow for gaming. That said I am very concerned as I have been doing my banking and all over Shadow for sometime now. If your speculation is true and Shadow/Blade has misrepresented their security protocols I have put my sensitive data at risk for some time.

Userlevel 5
Badge +4

Good stuff. I could be wrong about them not engaging in these forums (which are fairly new btw); I just know I haven’t really seen much.

And, I retract the word “constructive” referring to my criticism. There wasn’t much constructive about it.

Userlevel 1

LOL nooo.  We use VDI but the infrastructure cost is pretty high when you are looking at maintaining unique storage for a large number of people.

With the pandemic pushing more WFH, we needed more quickly so we began to dynamically scale to Azure allowing Citrix to manage the machine deployment and tear down. 

Well Microsoft has their own virtual desktop service so we had out TAM set up a meeting to take a look and went through their dog and pony.  What we had was working, but it’s always good to know your options. 

At the end of that meeting our Citrix admin, my colleague, an I were “virtually” sitting around talking about the strengths and weaknesses of each platform. I brought up trying Shadow on a personal level. When you get a bunch of geeky guys in a room chewing on these topics you just naturally start to want to get your fingers in there and know more. 

I work in healthcare and I don’t think this would meet the HIPAA sniff test. ;)

I mentioned it again recently to my colleague and he was still skeptical and I didn’t have any more answers so I figured I could dig some.

Now for the brutal honesty. I’m to lazy. We have our home on the market. Trying to WFH, keep the house in “show ready state”, leave at any time with the kids and dogs… I just don’t want to go through the effort to really dig into it.   That’s 100% on me. I just thought they came here and might be able to drop some more info. 
 

As great as this service is and has given me more gaming flexibility, I still only have time once or twice a week. I’m good money for Shadow :)

if they don’t come here then I’ve wasted your time and withdraw my question. For some reason I was under a different impression.  
 


 

 

Userlevel 5
Badge +4

We both use VDI and had been through a preliminary discussion with Microsoft over their offering. Our Citrix admin had been telling us all about how the VDI platform was better.  I explained about trying Shadow out.

Out of curiosity, does that mean you’re looking at using Shadow as a potential “workplace” VDI? I hadn’t really considered that use case, but would see why that would prompt more security questions vs. using it just for video games. :yum:

Userlevel 5
Badge +4

@Neyland fair enough...that you didn’t react negatively to my constructive criticism shows you’re a person of good character, and you have my respect.

I don’t believe the Shadow technical personnel frequent these forums, at least from what I’ve seen here. It’s more of a user-to-user community, with some expert moderation from time-to-time.

I think you might get some traction by opening a support incident, and craft it in a way that you’d like more information from their professional staff about your specific questions.

Also, in looking at the CurrPorts (it’s basically a GUI for netstat) filtered output on the Shadow client processes, it doesn’t look like it’d take too much work to interrogate those flows. Doing that might invoke some specific questions to ask them about...

Userlevel 1

What was behind the question was me trying to get a colleague to sign up. I was telling him about how well it was running and worked on my Surface tablet. 
 

We both use VDI and had been through a preliminary discussion with Microsoft over their offering. Our Citrix admin had been telling us all about how the VDI platform was better.  I explained about trying Shadow out.
 

We talked about their TCP option and what it was using instead. And speculated on the security of the platform. 
 

I have a different risk appetite than he does and felt I could use it in the manner I was ok. He felt like more information was warranted. I told him I would ask a few questions and see if there was any more out there. 

Userlevel 1

Jim,

I assumed Shadow frequented these forums and answered questions. I am seeking a little more information than is provided in their KB article. I, and many other professionals, routinely engage other vendors in this same manner when seeking further information. It is one of the reasons companies maintain a presence in forums they sponsor about their products. Look at the Cisco, Microsoft, Red Hat, RSA, etc company forums. 
 

I’m honestly not trying to stoke my own ego. Shadow hints at a tunnel “like a VPN”. They claimed that the proprietary protocol protects the data. It takes a good amount of grey matter to write your own protocol that performs as well as theirs does. I believe they can provide a little more clarity. 
 

As I’ve said. I use the service. Like the service. Will continue to use the service. But if I had a little more information I could better tailor how I use it. I don’t want to limit my use because I have unfounded fears due to a misunderstanding or incorrect assumptions.
 

Userlevel 5
Badge +4

@Neyland I’m not trying to shut you down...just being pragmatic. @Lily was gracious enough to point you to Blade’s “public stance” on the matter, which will satisfy the curiosity of most people. If you (as a security professional) find gaps in that information, you’re more likely to find better engagement with them directly, vs. narcissistic* public community forum posts.

Indeed it isn’t the 1990s and security is expected; however, all IT security is a “trust and verify” system. We “trust” that we are being provided accurate/complete information in good faith, but it’s on us to “verify” that information to be accurate and complete. The work falls on security professionals to do just that.

*I’m not trying to say that you’re a narcissist, just that your posts in this thread seem to be more of an illustration of your level of expertise, vs. a genuine quest for answers. Most professionals tend not to act that way in public forums. Of course, this is just my opinion of what I perceive, and might be completely off base from the reality.

Userlevel 1

Yes Jim you’re absolutely correct. I could spin up an instance of Security Onion and packet capture away. I could spend a few days plugging away at it… or I could just look at the company I’m doing business with and ask that they be a little more forthcoming on the real security around their data transport and give us at least a quarter estimation of deploying encryption. 
 

It isn’t the 1990s and sending sensitive information over the internet with some level encryption is almost expected. A company providing IAAS should be able to answer these questions with a measure of detail and not require their customers to “do the work”. 
 

I feel you’re response is really more aimed at trying to shut down my question. 
 

I like the service greatly. But I feel we need to understand these elements of it to properly gauge the risk and act accordingly. It’s not really going to change how I use the service. But if you do your banking on a Shadow, you might want to reconsider. 

Userlevel 5
Badge +4

<snip> ...would love for Shadow to explain this in greater detail

 

You can answer all of your own questions with packet captures, and using other tools (CurrPorts comes to mind) to monitor the traffic. This activity should be trivial for a professional like yourself.

Userlevel 1

Thank you Lily.  I saw that KB article. 

This ‘proprietary’ tunnel they reference hints at being encrypted, but doesn’t say they use encryption.  It sounds like they are just relying on obfuscation to protect confidentiality.  This isn’t a strategy that has historically worked for anyone in computing. 

They state that they will eventually go to a “single key” system using an SSL certificate.  I hope this is TLS due to the deprecated state of SSL.  Until this occurs, we should consider our communications to have weak confidentiality with a higher risk of exposure.

I would be ecstatic to be wrong, and would love for Shadow to explain this in greater detail

 

Userlevel 6
Badge +6

Please see this link. 
https://help.shadow.tech/hc/en-gb/articles/360015328933-Shadow-and-Security-FAQ

That is any and all information anyone can give you.