A user on Voat going by the handle CheesusCrust has done an analysis of Windows 10 telemetry using DD-WRT doing remote logging to a Linux machine, and they have found that even with all of the telemetry options disabled, a clean Windows 10 Enterprise Edition install still appears to be sending substantial amounts of data back to Microsoft. In an eight-hour period, the experiment identified 3967 connection attempts to 51 distinct Microsoft IP addresses. A further update after 30 hours of letting it sit shows a total of 113 different external IPs are accessed. CheesusCrust also performed a further test using the popular anti-Windows 10 telemetry application DisableWinTracking, and found that while it is able to reduce the data being sent back to Microsoft, even the most stringent options cannot completely eliminate it.
Related Stories
Peter Bright at ArsTechnica reports:
Windows 10 uses the Internet a lot to support many of its features. The operating system also sports numerous knobs to twiddle that are supposed to disable most of these features, and the potentially privacy-compromising connections that go with them.
Unfortunately for privacy advocates, these controls don't appear to be sufficient to completely prevent the operating system from going online and communicating with Microsoft's servers.
For example, even with Cortana and searching the Web from the Start menu disabled, opening Start and typing will send a request to www.bing.com to request a file called threshold.appcache which appears to contain some Cortana information, even though Cortana is disabled. The request for this file appears to contain a random machine ID that persists across reboots.
Hairyfeet's contribution adds the following:
A Czech site went one further and did a traffic analysis on a default Windows 10 install, what did he find? Well it looks like the Win 10 Keylogger in the beta is still running with pretty much every keystroke, voice, and webcam data being sent to Microsoft even with Cortana disabled.
[Ed's Comment: The report about the Czech traffic analysis originally came from a newspaper and some comments doubt the veracity of this source.]
(Score: 2) by Absolutely.Geek on Thursday February 11 2016, @02:54AM
Whist I wanted to believe that you could just turn off all the spying; I didn't really believe that you could.
I just setup a Win10 system for someone; upgrading from WinXP. I told him to give Linux a go; but he was pretty keen to stick with windows. I turned off all the phone home "features" but I knew there were a heap in the background that would stay active....
Don't trust the police or the government - Shihad: My mind's sedate.
(Score: 2) by Nerdfest on Thursday February 11 2016, @03:05AM
Apparently some of the external IPs belong to "anti-piracy" groups, and the assumption at this point is they get sent a list of all your software, music, etc. It'll be intersting to see if that's verifiable.
(Score: 2) by Marand on Thursday February 11 2016, @03:36AM
Apparently some of the external IPs belong to "anti-piracy" groups, and the assumption at this point is they get sent a list of all your software, music, etc.
Can you elaborate on that? I'm curious where you saw that claim and which IPs/groups caught someone's attention. I skimmed all three discussions linked in TFS but didn't see anything about the owners of any IPs other than the MS-owned ones.
(Score: 5, Informative) by Nerdfest on Thursday February 11 2016, @03:57AM
I'd actually seen reference to it through HairyFeet, mentioning this [slashdot.org] post on SlashDot. I'm not sure of the accuracy, and the traffic analysis referred to seems to have disappeared. The gist is that the data is sent to MarkMonitor.com. I'm not sure of the veracity of the claims.
(Score: 2, Insightful) by anubi on Thursday February 11 2016, @07:46AM
Informative link there, Nerd... Thanks.
I am also of the strong suspicion that a lot of the traffic streaming from my machine when online has to do with verification that I am obeying EULAs. I have tried to block as much as I can even from an old WIN7 machine, but there is still a lot of unexplained stuff going on. I haven't really made much of a point in tracing it as I had determined long ago that I was not going to keep anything really important to me on a machine exposed to the internet.
I consider an internet-connected machine just about as public as putting my goodies in a cardboard box out behind my building in an alley. Anybody who knows how to ask can get to it. What passes for "security" these days to me is kinda like a privacy lock on a bathroom. Fail to open the door for Dad and see how robust that lock is.
Want security? Make your own lock. Nothing is sacred, but at least I can make them work for it rather than having their machine fetch the correct template for that encryption vendor and walk right in.
One of our fellow Soylenters has a tagline down the line of "Give me six lines written by the most honest of men, and in it I will find something with which to hang him." I can't help but believe that everyone on this planet is being subject to having a dossier on him for blackmail should he offend someone in power. Hitler had the "youth corps" who turned in their parents. I can't help but believe our own machines are being conscripted for the very same use.
I cannot trust any machine ( that I did not personally design ) which connects to the net anymore than I can trust a wife who still has allegiance to her previous boyfriends, and insists on regular conversations with them in a language I do not understand. I do not know if I am being set up for a patsy or what.
Businessmen may trust it, but I do not. I believe what it boils down to is in the event of a problem, in my case, I end up *personally* having to deal with it, whereas the businessman can delegate the problem onto someone else.
I believe that a businessman had to take *personal* responsibility for his selections, he would choose more secure alternatives.
If I need a file for the "secured" isolated machine, I transfer it old-school. Sneakernet. At least I know what file made it across.
My trust in big systems is so soured I had just as soon rig up a bunch of Arduinos and Propellers to do process control work.
I guess my big fear is having anything out there where someone else can arbitrarily pull the rug out from under me. I have unwittingly trusted the wrong people in the past who have caused me a lot of pain by denying me something I needed. I try to make things where I do not have so many achilles tendons exposed.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Friday February 12 2016, @01:00AM
Depends on who you trust with your identity details.
Corporate america, your government, microsoft, & your cell phone, cannot be trusted with anything.
Your FreeBSD box with properly configured pf conf file can be trusted to do all your web surfing, online banking, as well as your personal and/or business financial accounting, and pretty much anything else regarding your life and identity. You do have options, you just have to use the proper tools for the job. If Microsoft is on the label, well, you should know better than to trust them with anything.
(Score: 5, Interesting) by mojo chan on Thursday February 11 2016, @08:32AM
It's been debunked already. The guy who did the test is an idiot and cocked it up.
1. He didn't disable everything. After install a bunch of stuff is enabled, like it is on every OS. Live tiles, web search, Windows Store apps etc.
2. He made is firewall drop packets. This confuses Windows - it has an IP address, but it can't contact things like Windows Update, so it keeps retrying with different IP addresses from its pool. It was probably resolving DNS from the router.
const int one = 65536; (Silvermoon, Texture.cs)
(Score: 1, Insightful) by Anonymous Coward on Thursday February 11 2016, @10:13AM
enough of this making sense already, you troll!
(Score: 3, Interesting) by Nerdfest on Thursday February 11 2016, @11:03AM
Wonder what was hitting MarkMonitor.com ....
(Score: 2) by mojo chan on Thursday February 11 2016, @11:25AM
Probably some random live tile, or Windows Store app.
const int one = 65536; (Silvermoon, Texture.cs)
(Score: 3, Insightful) by frojack on Thursday February 11 2016, @06:35AM
More of them go to akamaitechnologies.com, which has more bandwidth than God, and more IPs that can be swapped into use at a moments notice.
The thing is, it seems unlikely any of this telemetry can be used in any way, not via private action, or legal action, or government action, because of all the lies Microsoft used to get this spyware on your machine.
In fact instead of blocking the telemetry, they should be finding what is being sent, because if private content is being sent there would be a cause for legal action.
No, you are mistaken. I've always had this sig.
(Score: 3, Informative) by Anonymous Coward on Thursday February 11 2016, @08:27AM
Yes, it can. Parallel construction. [wikipedia.org]
They just have to claim they got an anonymous tip and search you on that basis.
(Score: 5, Interesting) by jasassin on Thursday February 11 2016, @03:23AM
If you MUST use Windows10 it has to be behind a router that blocks all packets all network traffic, and white lists the sites you visit. Wow.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @05:06AM
heh, but does it also covertly communicate via some type of packet/mesh network if it can't get out? good luck blocking all of that.
(Score: 1, Interesting) by Anonymous Coward on Thursday February 11 2016, @02:53PM
I've heard it can send info that doesn't show up in programs like Wireshark.
(Score: 3, Informative) by jasassin on Thursday February 11 2016, @07:38PM
Well there is tunneling https://en.m.wikipedia.org/wiki/Tunneling_protocol [wikipedia.org] but that could be filtered by dropping all packets and white listing. The only other way I can come up with would be tunneling data through a DNS https://zeltser.com/c2-dns-tunneling/ [zeltser.com] but that wouldn't work because only your trusted DNS would be white listed. Can anyone elaborate on this?
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 5, Informative) by Tork on Thursday February 11 2016, @03:29AM
🏳️🌈 Proud Ally 🏳️🌈
(Score: 2) by Absolutely.Geek on Thursday February 11 2016, @03:36AM
I completely agree; how can people (big corps) be ok with "just trust us"? I mean it makes no sense.
Don't trust the police or the government - Shihad: My mind's sedate.
(Score: 4, Insightful) by Anonymous Coward on Thursday February 11 2016, @03:45AM
Some people have to get kicked in the nuts before they learn to wear a guard.
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @01:50PM
Yeah, but how often...?
(Score: 5, Insightful) by Nerdfest on Thursday February 11 2016, @03:47AM
Most corporations are not interested in actual security, but more "butt covering checklists" that makes it look like they've done "due diligence". I quit using Windows back in teh vista days when I caught it sending data to Microsoft that it shouldn't have. This is really nothing new, just a couple of orders of magnitude more data.
(Score: 5, Interesting) by anubi on Thursday February 11 2016, @04:45AM
When I saw what was going on, I fought it tooth and nail.
I got fired.
So, instead of anything I could highlight for them, they can now settle it in courtrooms. They have already set themselves up so only the laws of man, not the laws of physics, will protect them.
Damn near anybody can break Man's law - the only trick is to not get caught. Man's law isn't really law at all... its either someone's wish list or a protocol. Run a stop sign? You violated a protocol. Exceed the speed of light? You broke the Law!
I fail to understand what makes businessmen think "support" from another business is so damned important. If there is one thing I have learned, its the old saying "if you want it done right, do it yourself" rings true.
Value the words of a tradesman, and take any word of a salesman with a lot of salt.
There are few things that can initiate one into the World of the Tinfoil Hat as much as an understanding of how to use WireShark.
Use that tool with great caution. Its your OWN sanity that is at stake.
You will soon experience the frustration of being a seeing man in the land of the blind... where the Corporate Boss values the leadership of men who listen to salesmen over the skills of the men who use the tools.
They do not seem to show people of a Business education the value of information. By observation, that seems to be the case. Or else, businessmen would be selecting their tools with the same care a mechanic selects a professional wrench. The mechanic knows good and well a badly implemented wrench *will* result in a very painful smash on the knuckles - which cannot be alleviated by delegating said pain to a legal staff.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Insightful) by Whoever on Thursday February 11 2016, @05:36AM
Quite simply: CYA. When the project turns into a clusterfuck, the manager can say "but we bought support from XYZ: it's their fault". The execs say the same thing and no-one gets fired, because they all followed the "best practices" that the MBA-toting consultants told them that they had to follow. The process then repeats itself, because they all learned that the way to be incompetent and keep their jobs is to have some else to blame.
(Score: 2) by frojack on Thursday February 11 2016, @06:42AM
Why isn't Microsoft being investigated to verify that Windows 10 in environments like the one I'm in isn't sending confidential data off to who-knows-where?
No company would sneak that much spyware into a commercial product without the full backing and protection of the US Government.
Even the richest and most powerful company couldn't withstand the barrage of lawsuits and federal investigations that would result when (not if) the project becomes know.
So protection FROM the government and BY the government seems likely.
No, you are mistaken. I've always had this sig.
(Score: 1, Informative) by Anonymous Coward on Thursday February 11 2016, @09:07AM
So you're saying that microsoft is in bed with the NSA?
I am shocked sir. Simply shocked!
http://techrights.org/wiki/index.php/Microsoft_and_the_NSA [techrights.org]
(Score: 3, Funny) by Anonymous Coward on Thursday February 11 2016, @03:37AM
Dumbass: Doctor, when I do this, it hurts.
Doctor: Don't do it.
Dumbass: But doctor, it hurts when I do this.
Doctor: Fucking dumbass.
(Score: 3, Funny) by Tork on Thursday February 11 2016, @03:42AM
🏳️🌈 Proud Ally 🏳️🌈
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @03:47AM
Yeah, that's the joke, dumbass.
(Score: 2) by Tork on Thursday February 11 2016, @04:47AM
In the Star Trek episode you're poorly quoting, Doctor Crusher couldn't actually help the child because he was in quarantine. It made sense (sort of...) for her to say that. Without that context the joke doesn't work.
🏳️🌈 Proud Ally 🏳️🌈
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @08:58AM
I don't know which Star Trek episode you are talking about, that joke is older than Star Trek itself.
What you and the dumbass in the joke both fail to realize is that not everything is a treatable condition. Sticking fingers in your eyes hurt. bending your wrists 90 degress hurts. Dropping a safe on your foot hurts. And each of those fall under "don't do that, then".
(Score: 3, Informative) by Daiv on Thursday February 11 2016, @06:42PM
The joke, as I was told at 6 years old-ish, started:
Patient: Doctor, it hurts when I do this! (Patient jams finger into eye socket - hard)
The joke, as told above, makes no reference to the patient doing something that *should* cause pain and leaves it up to readers to already know the joke.
(Score: 2) by Tork on Thursday February 11 2016, @08:36PM
🏳️🌈 Proud Ally 🏳️🌈
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @11:10PM
When I was told this joke as a small child it was just bending an arm... some minor thing that shouldn't hurt.
I think it's from a Groucho Marx film.
(Score: 2) by MostCynical on Thursday February 11 2016, @03:53AM
Real doctor would have said "take these tablets and come and see me every week for a year"
User: my compute told me to upgrade
government agency: everyone else has win10, and we need to ensure compatibility
Corp CIO: the government and our competitors have installed it, so it can't be too bad, and the MS rep took me out for a really nice dinner...
It isn't hard to believe people believe in UFO abductions whenthey upgrade *because everyone else did*
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by goodie on Thursday February 11 2016, @04:10AM
It's nice to learn about this for me right now. I'm running win7 and looking to get a new box. I was thinking of a Linux distro but without systemd. I will need a VM to run windows on a frequent basis simply because I cannot do without Office (not that I wouldn't like to but the people I work with cannot work with anything else). I figured at first why not give win10 a try for that VM? Looks like it's not happening. Everytime I read stuff like this I shake my head wondering "why? why do they have to do that? Do they actually get anything out of this? Marketing people buying that crap or they just sit on it until they can use it somehow?"
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @04:36AM
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @02:57PM
Since Win95SP1, that's when backdoor three letter telemetry started.
(Score: 2, Interesting) by Anonymous Coward on Thursday February 11 2016, @08:22AM
Have you tried antiX?
(Score: 1, Insightful) by Anonymous Coward on Thursday February 11 2016, @11:06AM
Vote with your wallet, friend! It's almost the only leverage we have in this world.
(Score: 0, Flamebait) by Anonymous Coward on Thursday February 11 2016, @05:05PM
Look, Linux with systemd is better than Windows 10. Systemd is - well not as terrible as people seem to make it. If it were, it wouldn't be going in all the mainstream distros.
(Score: 3, Insightful) by Demose on Thursday February 11 2016, @04:23AM
Loving more and more each update.
(Score: -1, Flamebait) by Anonymous Coward on Thursday February 11 2016, @05:32PM
Apparently you didn't get the memo. The cool hipsters have moved to the BSDs because linux is too mainstream. The systemd thing was the perfect catalyst for them to jump ship ahead of the masses, and it has the added benefit of being able to feel like you're "fighting the Man".
(Score: 3, Interesting) by Ramze on Thursday February 11 2016, @04:37AM
Just curious what type of data this might be as some connected to Akamai IP addresses. Windows 10 comes with the ability to push updates from one Win10 installation to others -- either on the same network or to the internet as a whole. So, how much of this might have been update files being distributed to other Win10 installs bittorrent-style? Win10 also sends crash and error data in the background as well as update requests. I don't doubt that some of this is telemetry data or other search data... but... I find it odd that everyone jumps to telemetry as the reason -- especially when they don't mention OTHER reasons MS phones home or pushes data to MS or other parties. One can turn OFF the update sharing completely or leave it on to just share on one's own network, but I believe it's set to global internet by default. That means if there was a recent MS update, all of the connections detected could be MS coordinating patch downloads from that machine to thousands of others on the internet -- saving MS's own bandwidth.
Can we get confirmation that feedback, detailed crash data, and update pushes were also disabled? There's more reasons than telemetry to call home or to Akamai.
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @03:02PM
The LAN share updates, or whatever it's called, I've had to slide that setting over to "no" at least 3 times. It keeps getting reset to "yes" after updates.
(Score: 2) by Hyperturtle on Thursday February 11 2016, @06:03PM
I would love for Microsoft to actually explain what the OS connects to and where.
If I paid for something, I'd hope that is explained.
Perhaps when the free offer expires, there will be more disclosures regarding this.
I know that I cringe whenever I see a generic content distribution system as a DNS name when trying to trace something backwards into the internet--usually something that is acting badly, and sometimes the same IP hosts dozens of DNS names and dozens of different services and web pages.
You can't easily block CDNs and not also break various client applications, or even generic website access like CNN and others that stopped hosting themsleves.
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @04:41AM
"Windows Ten just won't stop. I has only one mission. You can't stop the signal, Mal, you can't stop the signal."
(Score: 4, Interesting) by Anonymous Coward on Thursday February 11 2016, @04:42AM
This is a non-story. The guy even admits he doesn't take into account things like NTP (time synchronization) and Windows updates. It is very misleading research as he isn't going far enough. What matters is why the connections are being made and he hasn't looked into any of that. He also didn't connect Windows to a domain, which is supposed to reduce a lot of the traffic. That's the more important part. Is Microsoft still sending lots of telemetry from properly configured business machines? I would expect a non-domain connected Enterprise Edition to connect to more things as it's running more services than a Home edition and it's still using Microsoft as it's corporate master.
What should any good software do when it tries to connect to a server and can't, yet has an active network connection? Why try the next server in your list of alternatives of course! Even all the Linux package managers do this. Blocking connections like he's doing will greatly increase the amount of connection attempts and the amount of addresses.
Every modern OS makes multiple connections to servers for NTP, update checks, etc... He's not doing anything on the machine. I don't think Microsoft is stupid enough to constantly report that there's nothing to report. Heartbeat signals aren't this intense.
(Score: 1, Funny) by Anonymous Coward on Thursday February 11 2016, @05:04AM
"This is a non-story."
Hahahah piss off. I love watching M$ circle the drain!
(Score: 2) by tangomargarine on Thursday February 11 2016, @03:05PM
piss
circle the drain
Pun intended?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @05:27AM
To quote more from the movie, "Serenity", with appropriate edits"
Kaylee: "Been going on a year now that I ain't had nothin' between my nethers that weren't running on Windows Ten!"
Mal: "My god, I did not need to hear that!!"
Jane: "I could stand to hear a little more."
I'm with Jane, the hero of Mudtown, I could stand to hear a little more of this bullshit.
(Score: 2) by Whoever on Thursday February 11 2016, @06:12AM
You and your "facts". We have a lynch party ready here and we don't want to hear any "facts" that might make the lynch party redundant.
(Score: 2) by frojack on Thursday February 11 2016, @06:59AM
He also didn't connect Windows to a domain, which is supposed to reduce a lot of the traffic.
Only because big companies running big domains would notice their fat pipes saturated with hundreds of thousands of connections to Microsoft all sending data. And big companies have lots of lawyers.
Being part of a big domain makes Microsoft wary, because the promised not to spy on large corporate interests. Had they not, no company would allow windows 10 on their network.
No, you are mistaken. I've always had this sig.
(Score: 4, Informative) by choose another one on Thursday February 11 2016, @12:56PM
Wrong reasons. Running windows enterprise (which the test vm is) on a properly setup and managed domain, Windows will use local domain services for (a) product activation (KMS, which happens shortly after install, and will keep trying if it fails to connect) and (b) windows update (WSUS), which happens at regular intervals and will keep trying if it fails to connect.
Entirely predictable traffic which is not telemetry, and is not identified or eliminated in this testing, and will be kept within the domain, if it's there.
(Score: 3, Informative) by tibman on Thursday February 11 2016, @03:54PM
I wouldn't call it "very" misleading. Start up your network monitoring tool and look for yourself. I have. These aren't a bunch of NTP connections because those would be on the standard udp port (http://wiki.tcl.tk/3391). These are encrypted connections using a bunch of different certificates and sending something back to the microsoft mothership. It does it when i open my start menu (not talking about all the little embedded widgets making ajax calls either). It does it randomly every 5-15 minutes. It does it when i start some applications.
I do completely agree with you that he hasn't taken the research far enough yet. Stripping the encryption should be the next step.
SN won't survive on lurkers alone. Write comments.
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @07:34AM
Try doing the same on Mac OS X. The conclusion, when measured by a similar yardstick, will be the same.
(Score: 1, Insightful) by Anonymous Coward on Thursday February 11 2016, @10:40AM
And you love it.