Let's assume the information about the Windows 10 key logging is true.
Access to this key logger data is the holy grail in computer hacking.
A dream of every "commercial" hacker. This means you can fully automated generate Fullz each at the moment $35 USD worth.
45 mio. (of 1.5 billion, data from 11-Aug-2015, strong growing) Windows 10 systems at the moment.
The average DNS bit-flip error rate is 1 in 100,000 requests. See Bitsquatting: DNS Hijacking without exploitation
Here is one thought-provoking quote from that dinaburg.org article:
Some machines control considerably more traffic than others. While a bit-error in the memory of a PC or phone will only affect one user, a bit-error in a proxy, recursive DNS server, or a database cache may affect thousands of users. Bit-errors in web application caches, DNS resolvers, and a proxy server were all observed in my experiment. For instance, a bit error changing fbcdn.net to fbbdn.net led to more than a thousand Farmville players to make requests to my server.
P
And this are only 1 bit-flips. As it turned out multiple bit flips are even more common than single bit-flips.
This means at least 450 wrong DNS requests from this 45 mio. Windows 10 users. Per domain.
3 domains (nsatc.net, footprintpredict.com, microsoft.com) Wrong requests every day: (A record TTL):
nsatc.net=3 h, footprintpredict.com=0.5 h, microsoft.com=2 h == (24/3*450)+(24/0.5*450)+(24/3*450)==30,600
Not all DNS Bitquatting domains have equal value. The order of bit flipping probability is 0,6,(1+2),8,(3+13),14,12,15,(4+5),(7+9+11),10
The bit in position #0 is 100 times more likely to be flipped than one in position #10
If someone like to exact calculate what are the most likely single and multi bit-flip bitquatting names are, here: Observations on checksum errors in DNS queries are all the data you need to do this.
What single bit-flip bitquatting names are free and which are taken ?
(the taken and connected ones are listed with the IP and country)
[Editor's note: I am just listing a few of the more concerning Microsoft bit-flips in interest of brevity. Please see original submission for the very large full list..]
oicrosoft.com,52.74.200.167,Singapore
iicrosoft.com
eicrosoft.com,103.31.75.164,Hong Kong
mkcrosoft.com,72.52.4.91,United States
mycrosoft.com,208.91.197.104,Virgin Islands
mibrosoft.com,209.15.13.134,United States
miarosoft.com,52.74.200.167,Singapore
mikrosoft.com,65.55.39.10,United States
misrosoft.com,103.224.182.217,Australia
micsosoft.com,65.55.39.10,United States
mic2osoft.com,52.74.200.167,Singapore
microqoft.com,65.55.39.10,United States
microwoft.com,54.174.31.254,United States
microcoft.com,185.53.177.9,Germany
micro3oft.com,23.21.201.35,United States
microsnft.com,184.187.12.126,United States
microsovt.com,208.91.197.104,Virgin Islands
microsofu.com microsofv.com microsofp.com
I'm totally surprised that not all of them are already taken.
Does Microsoft care ? Of course not.
Related Stories
The administrator of AE News (an online news portal for Czech and Slovak expatriates) writes a very revealing article regarding the Windows 10 collection of user data. Here is the original Czech article. Here is a Bing translation to English. Here is a English condensed version translated by a blogger. And finally a PDF of the original Czech article.
In the post the AE News administrator states:
With the advent of Windows 10, I decided to undergo several tests. The collected knowledge for someone may be alarming. The Windows operating system 10 is essentially the end terminal, more than the operating system, because many of the processes and functions of this system is directly or indirectly dependent on remote servers and databases to Microsoft.
All text typed on the keyboard is stored in temporary files, and sent (once per 30 mins) to:
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com
AE News also references an arstechnica.co.uk article which states it might be impossible to stop this communication:
And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy."
arstechnica.co.uk also "asked Microsoft if there is any way to disable this additional communication or information about what its purpose is". Microsoft did not reply as to a way to disable this chatter but did respond to the 'additional communication' stating Microsoft is now 'delivering Windows 10 as a service'.
Although the original source for this story is skeptical, Smart nerds on soylentnews can easily fire up Wireshark and reveal the communication for themselves. It appears that MS has fully embraced the cloud where your OS is now a terminal. And regarding privacy? Well, according to arstechnica.co.uk: Windows 10 privacy policy is the new normal
(Score: 4, Insightful) by Nollij on Sunday August 23 2015, @11:26PM
The article seems to assume that this data can be passed, in a usable form, to a different host, based on hardware errors alone.
Obviously, Microsoft would encrypt such data. Not only to prevent this from getting into the wrong hands (e.g. traditional DNS hijacks, etc), but to (hopefully) keep it from being easily discovered.
Unless, of course, the first 3 lines were nothing but clickbait, and unrelated to the actual story here.
(Score: 1, Interesting) by Anonymous Coward on Monday August 24 2015, @12:04AM
What is so obvious about that?
It isn't their data. They are sucking up the data of millions of others. That makes it obvious that there is no risk to Microsoft in not encrypting the data and there would be a significant expense to them in decryption the data. Any beancounter or MBA would veto encryption right quick and any logical, or employment, minded programmer would shrug and be glad to go home a couple hours early.
(Score: 1) by tftp on Monday August 24 2015, @12:05AM
Obviously, Microsoft would encrypt such data. Not only to prevent this from getting into the wrong hands (e.g. traditional DNS hijacks, etc), but to (hopefully) keep it from being easily discovered
And, most importantly, to prevent the government from stealing the stolen data without paying Microsoft. I would certainly presume that the data is not only signed by the reporting host's private key, but is also encrypted to the keypair that only Microsoft has access to. No amount of redirection of traffic will help because the reporting host will simply fail to negotiate the SSL connection.
(Score: 4, Insightful) by Runaway1956 on Monday August 24 2015, @04:29AM
Perhaps you've heard of CISPA. The major corporations join a club with the government as equal members. All the members share all of their data. Perfect setup for everyone to exploit the c̶a̶t̶t̶l̶e̶ masses.
Before you counter that CISPA has been defeated - I'll point out that unofficial agreements work fine for private clubs if the general public can't be party to the agreements.
Abortion is the number one killed of children in the United States.
(Score: 1) by tftp on Monday August 24 2015, @04:41AM
There is no honor among thieves. Each will be protecting his own, at least so that they can exchange their haul for someone else's. This information costs real money to collect, and these companies are not in it just because they are curious.
(Score: 2) by Runaway1956 on Monday August 24 2015, @04:52AM
Yes, quid pro quo. And, the outsiders have no bargaining chips. So, the club members are offering each other snippets of data, and asking what they are offered for more data of a similar nature. The other players have their own snippets at hand, so they start making offers. Eventually, of course, once all the players understand how valuable the system is to them, they'll just set up a clearing house for the data flow.
All of the significan players are already collecting the data, CISPA just formalizes a manner in which they can profit from data that they aren't using directly.
Abortion is the number one killed of children in the United States.
(Score: 3, Insightful) by PinkyGigglebrain on Monday August 24 2015, @12:22AM
Easy way to find out.
look at the packets being sent. Are they encrypted, compressed or plain text.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 2) by Nerdfest on Monday August 24 2015, @01:32AM
This is what's bothering me. If the packets can't be read, how do people know that they're gathering and batching all keystrokes. I'm sure the connections are at least through SSL. Can anybody provide details on this ... I was curious after the previous article as well.
(Score: 4, Interesting) by tibman on Monday August 24 2015, @02:21AM
I looked a bit during the last article and there is some pre-talk before the ssl connection. After resolving the domain it looks like it receives cert details (unencrypted) before initiating a TLS 1.2 connection back to the motherland. I could speculate a man-in-the-middle scenario but it would be mostly bs i could never backup. I'm certainly open to hearing other people's speculation though! : )
SN won't survive on lurkers alone. Write comments.
(Score: 2) by mojo chan on Monday August 24 2015, @12:16PM
The data being transmitted is not keylogger data. Windows 10 can, with the user's permission, transmit fragments of handwriting or speech input that the user went back and corrected. The idea is to learn from mistakes. So what gets sent is the fragment of input (as vectors for handwriting or compressed and filtered audio for speech), the original guess character and the corrected character. The whole lot is packaged up and encrypted.
There is no evidence that Windows 10 includes a keylogger for keyboards, or that it even captures all input data routinely (it would need to be stored somewhere).
const int one = 65536; (Silvermoon, Texture.cs)
(Score: 5, Insightful) by Anonymous Coward on Sunday August 23 2015, @11:48PM
This means you can fully automated generate Fullz each at the moment $35 USD worth.
45 mio. (of 1.5 billion, data from 11-Aug-2015, strong growing) Windows 10 systems at the moment.
What the heck is this suppose to mean?
(Score: 0) by Anonymous Coward on Sunday August 23 2015, @11:51PM
It means the author does not understand supply and demand
(Score: 5, Insightful) by Gaaark on Sunday August 23 2015, @11:54PM
Worst.
evER.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Funny) by Anonymous Coward on Monday August 24 2015, @04:40AM
This isn't news for nerds, it's news for cannibals. You forgot which site you were on.
(Score: 5, Informative) by coolgopher on Monday August 24 2015, @01:31AM
I'll take a stab at deciphering that for you:
By registering domains likely to be hit due to bit-flipping (as per other linked post) stemming from faulty RAM, it is [probably] possible to automate the capture of the full keyboard logging Microsoft posts. This data is bound to at times include full name/address/credit-card details ("Fullz"), which can currently be sold on the black market for USD $35 each. Considering there are currently about 45 million Win10 installations (and growing), and the full Windows install base being 1.5 billion, this could become lucrative.
Whether those numbers actually hold up when you calculate bit flip probabilities vs domain registration costs vs probability of capturing sufficient personal information, I have no idea. If someone feels so inclined to fill in on that, be my guest :)
(Score: 0) by Anonymous Coward on Monday August 24 2015, @10:03PM
Yes, but why do you have to decipher that for us. The editors here are as useless as the dipshits at Slashdot? FFS, editors, do your job or let someone else who is qualified do it.
(Score: 0) by Anonymous Coward on Monday August 24 2015, @01:16AM
Besides ditching Windows for Linux, which I won't do on one PC because it's a gaming rig, the rest are Linux. A router blocking solution?
(Score: 2) by tibman on Monday August 24 2015, @02:28AM
Router blocking looks difficult. The range of IPs is wide and the domains aren't all microsoft.com. I also saw akamai being used. Probably best to put some tape over the camera and pretend everything is fine.
SN won't survive on lurkers alone. Write comments.
(Score: 0) by Anonymous Coward on Monday August 24 2015, @04:49AM
If the computer is only being used for games, dropping all traffic except that to and from the game servers would seem to be the way to go. Apart from not having Windows 10, that is.
(Score: 0) by Anonymous Coward on Monday August 31 2015, @05:25PM
How's Wine doing with its Win 10 implementation?
(Score: 0) by Anonymous Coward on Monday August 24 2015, @03:12AM
There is MShost.txt file available over at the other site. It blocks about 5900 MS sites.
I am creating this list in a host table as you read this.
I am adding to my IPCop firewall, with MVPS "ad" blocking list - it also include statics sites to help stop tracking.
YES, it does not stop it all, say hard coded IP in the code or MS is running their own DNS, that is hardcoded in the code. Those will have to blocked by a rule in iptables. Nice to have firewall that is not part of my wireless routers or cable modem, so I can block any thing, once I know about it. I have Win10 in VM, with another VM being a firewall too. This way I can see extactly what is crossing the network.
Now, in the end, I will have the local hosts file for some blocking, but mainly for site overrides so local server is used in place of foreign or simulating ooma's need to between modem and router/firewall and built in site: setup.ooma.com is mapped to internal address on ooma. Three extra host files will be added to the dnsmasq.conf for AD blocking, MShost blockings, & MSBitFlipHost blocking.
The change for AD blocking has really helped improve web performance, but the costs has been some click throughs, like google's sponsored items in the list, or slickdeals.net click throughs.
#
# mods to IPCop
# change: /etc/dnsmasq.conf
# added line in global: addn-hosts=/etc/hosts.ext
#
# Download file from MVPS and place HOSTS on desktop.
#
http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
#
# run to copy HOSTS to IPCop.
#
scp -P 8022 HOSTS root@ipcop:/etc/hosts.ext
#
# gain access to IPCop
#
ssh root@ipcop -p 8022
#
# run on IPCop to reactive dnamasq
#
/etc/rc.d/rc.dnsmasq restart
#
# then to leave type
#
exit
(Score: 1) by blackhawk on Monday August 24 2015, @05:14AM
If your router doesn't let you change the hosts file and you don't trust the windows handling of hosts then you can just do what I did a while back. I set up a raspberry pi on my network and installed dnsmasq. It's configured to provide both DHCP and DNS services and makes use of the hosts blocking file in the parent as an additional DNS source. Upstream it defaults to running queries on 8.8.8.8 (googles DNS). I think switched off my router's DHCP and let the new raspberry pi take over. You can do the whole thing in an hour or so including reading the docs / configuring DNS Masq.
Once that's done, you can block what you like and add in what you like e.g. aliases for DNS entries your ISP / country is blocking.
(Score: 0) by Anonymous Coward on Monday August 24 2015, @12:51PM
Yes, you can. IPFire (a branch off of IPCop) is great and the work is done. Since IPFire is based on IPCop, the same instructions and methods will work.
I use RPi/IPFire as network backup device paired with my cell phone (rest of the time, it is print server). So it main network is down, unplug from main network modem and plug in IPFire, nothing else changes. I do like the software and would like to use the lower power setup for main firewall, but with only 1 ethernet port (via USB) it is lacking for me through-put.
(Score: 2) by Kromagv0 on Monday August 24 2015, @03:03PM
If you have a router that is that bad to begin with I might suggest one of these first [google.com] then go and get a router that has good firmware from the factory or can have OpenWRT or DDWRT put on it.
T-Shirts and bumper stickers [zazzle.com] to offend someone
(Score: 1) by blackhawk on Wednesday August 26 2015, @05:03PM
That's definitely easier to do in the US than in say Australia. I've looked quite a few times at the list of routers that support Tomato, OpenWRT or DDWRT and never seen a match with one that I can actually buy here. A lot of Aus is on ADSL, and since most of those don't even support ADSL / routers - it's a no show.
(Score: 2) by captain normal on Monday August 24 2015, @05:22AM
APK! where have you been? And why AC?
"It is easier to fool someone than it is to convince them that they have been fooled" Mark Twain
(Score: 0) by Anonymous Coward on Monday August 24 2015, @04:26AM
[quote]Besides ditching Windows for Linux, which I won't do on one PC because it's a gaming rig, the rest are Linux. A router blocking solution?[/quote]
It's more or less what I've done for a couple of decades now, and what I would do if I got back into gaming seriously and was forced to use winblows. What I'm not sure I could do any longer, in light of the SMM/EFI/BIOS vulnerability, is run my gaming (or most powerful) machine as dual-boot. In light of this, you may have to run one machine at a time--Linux on-winblows off or vice-versa--and make damn sure your firewall is not running some closed-source garbage that has more holes than a colander. At work, our firewall is an old PC running SmallWall, a fork of M0n0Wall, which has been discontinued by its author. OpenWRT is another good choice, and maybe better since (almost?) everything in the early boot process is open, unlike the BIOS in even that old PC and the SMM that is also present even back then.
(Score: 2, Insightful) by Anonymous Coward on Monday August 24 2015, @06:32AM
the filtering solution is painful, and bypassed by windows after next patch?
i think, the solution is:
Isolate the pc from the rest of network, at least by a vlan with separate routing
Monitor the traffic from it when its unused/idle, to build a list of destinations
Randomize content of the encrypted packets, meaning all packets from connections i don't initiate get added to blacklist
all packets in the blacklist get every packets payload converted to decimal, divided by 13 (or something), converted back to binary and sent like that?
The method of randomization would probably mark you uniquely, but who cares, the automated tracking is fucked.
oh and make sure you use a removable usb sound card, its very handy to unplug it when done gaming :)
Incidentally, the russian word for plague is "чума"
(Score: 2) by Runaway1956 on Monday August 24 2015, @04:34AM
Among the articles I've read (several now), there have been suggestions that router blocking won't work either. If Windows is managing your network connections, then Windows knows how you are communicating with the outside world. Windows manages proxies, VPN's, encryption, and everything else that you or I use to "hide" our sensitive data. It's a pretty safe bet that if you have a working internet connection, then Windows can and will communicate with Microsoft assigned servers.
Abortion is the number one killed of children in the United States.
(Score: 0) by Anonymous Coward on Monday August 24 2015, @08:49AM
Besides ditching Windows for Linux, which I won't do on one PC because it's a gaming rig,
You are so hosed, dude! Won't do it? Can't do it? What do you want, another cig, or another hit of heroin?
(Score: 0) by Anonymous Coward on Monday August 24 2015, @02:25PM
Until Linux gaming catches up, won't do it. That's the only reason Windows exists in this house. My Linux PCs are used for important stuff... banking, browsing, email, etc. Now when Linux does catch up, and it looks like it will... then M$ can go back to the "rotting smelling diarrhea depths of hell" where it came from.
(Score: 4, Insightful) by goodie on Monday August 24 2015, @01:35AM
The first part of the summary made some sort of sense. The it got very confusing to me. I'm no expert in all this. But man this is beyond cryptic. Reads like my "cool ideas I write on the corner of a napkin but cannot explain to anybody else in clear terms" ;).
I'm sure this is of interest. But I can't really understand any of it because it seems like it jumps from one thing to the next. Maybe it's just me and it's been a long day after all...
(Score: 2) by hemocyanin on Monday August 24 2015, @02:43AM
mio to.
(Score: 5, Informative) by Runaway1956 on Monday August 24 2015, @04:42AM
TFS is rather poorly written. Summary follows:
Win10 is a keylogger. Win10 phones home pretty regularly. It has been demonstrated that bit-flipping makes the phoning home rather insecure. People can do bit-squatting, and intercept the phone call. There are logs demonstrating that the intercepts are trivially easy, and frequent enough to be valuable.
What has not been demonstrated, is that the bitsquatters can decrypt and use the information contained in the keylogger's communications.
In short, there is no reason to expect that your use of Win10 will remain private - and the criminal element is actively researching how to exploit this new back door into your computer.
Abortion is the number one killed of children in the United States.
(Score: 2) by mojo chan on Monday August 24 2015, @12:37PM
Actually the bit about WIndows 10 being a keylogger hasn't been demonstrated either. There is some stuff in the EULA about them sending voice and handwriting data back for analysis, just like Apple and Google and everyone else does, but no actual evidence that your keystrokes are being systematically recorded.
const int one = 65536; (Silvermoon, Texture.cs)
(Score: 3, Insightful) by Runaway1956 on Monday August 24 2015, @02:01PM
The EULA and the privacy policy make it prety plain that they WERE recording keystrokes. The apparent claim is, they've shut it off. I guess it boils down to whether you trust Microsoft or not.
"just like Apple and Google and everyone else does"
Who, exactly, do you refer to with "everyone else"? I'm not aware of any Linux distro that incorporates keyloggers, other than those Android surveillance devices manufactured for the telcos.
https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_security/how-to-turn-off-windows-10-key-logging/d7da1704-258f-4c08-9f75-50b26e8928f7?auth=1 [microsoft.com]
From the second link:
For example, when you:
...
enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spellcheck features.
How can i disable collecting typed characters ?
Abortion is the number one killed of children in the United States.
(Score: 2) by Joe Desertrat on Monday August 24 2015, @06:37PM
How can i disable collecting typed characters ?
Perhaps typing characters can be simulated, a program that types nonsense non-stop and floods MS with junk data, if it can be loaded on enough PC's perhaps even at the level of a DDOS effect, all initiated by MS on themselves.
(Score: 2) by cafebabe on Tuesday August 25 2015, @02:41PM
While I find your proposal amusing, I would like to note that Windows10 is so far removed from general purpose computing that it would be trivial for Microsoft to remove widespread implementations of such software by name and/or checksum on the basis that user intention is "malware".
1702845791×2