[–] [deleted] 1 points 58 points (+59|-1) ago 

[Deleted]


[–] BobBelcher 1 points 34 points (+35|-1) ago  (edited ago)

So, just to quickly summarize, that's 3967 connection attempts to 51 different Microsoft IPs.

Obviously port 80 is standard web traffic for http, port 443 being for https.

According to this, that first one with the most attempts on port 3544 is likely to be their Consumer Experience Program. So, telemetry data. OP, can you confirm if you opted out of that program during the install? If you did, and it's still trying to connect that many times... That IP also apparently traces back to the UK.

EDIT - Archive link since OP nuked his posts: https://archive.is/QFL8e

[–] [deleted] 0 points 30 points (+30|-0) ago  (edited ago)

[Deleted]


[–] alexei954 0 points 6 points (+6|-0) ago 

That IP also apparently traces back to the UK.

This is significant. By routing traffic to an overseas connection, traffic is automatically susceptible to warrantless data collection. Additionally, once it is in Britain, it becomes susceptible to collection by the GCHQ (the British version of the NSA) and whatever rules the British may or may not follow for data collection. Once they have it, it can be shared back with the US, providing another legalistic end-run to deal with.


[–] atom0s 0 points 1 points (+1|-0) ago 

I wouldn't brush off the standard web traffic attempts as nothing because the ports are well-known to something. Simply because your browser uses port 80/443 by standard does not mean another application can't make use of them (i.e. TeamViewer uses port 80), along with applications being able to make internal web requests themselves making use of those ports.


[–] BobOki 1 points 1 points (+2|-1) ago 

If anyone else wants to do this traffic monitoring and you have DD-WRT, just do an rflow on the port you plugged your Win10 box into to a collector, and analyse the data from that. There are a ton of collectors out there to choose from, and it will return pretty great data.


[–] hunterkll 0 points 1 points (+1|-0) ago 

Did you remove all of the live tiles? Disable Windows Update? Modify the group policy settings for the different levels of data transmission, as specified in the DISA STIG?

Honestly, this looks kind of expected, especially since Microsoft is a heavy Akamai user. But until you do this test with all the correct group policy settings configured, it's more FUDy than anything else - as Microsoft has been clear that any "potentially invasive" telemetry can be easily turned off but some metrics may still be collected without further configuration.


[–] New_years_day 1 points 1 points (+2|-1) ago 

Nice work, man. I love seeing this type of data. I may set something like this up as well.


[–] 7bTlP1GAElId 1 points 0 points (+1|-1) ago 

So is it safe to just outright block all incoming and outgoing connections on those IPs at the router, and non-essentials will be fine? I'm planning to put that on permanent block if ever I have to use Windows 10. Thanks in advance.


[–] crustyjuggler 2 points 40 points (+42|-2) ago 

I think the best thing to do after a few more days of collection is to gather the same information again after running Spybot Anti-Beacon. I'm EXTREMELY curious to see what you find. You're right, no one seems to be talking about this. Everything I have found on the net is either "oh, this is what they are spying on" and "here are a few tools like Spybot Anti-Beacon". Zero fucking reviews on whether they work or not, and it's bothering me. I've been meaning to run a Windows 10 VM and inspect the traffic coming from the virtual adapter, but I haven't had the time. Thanks in advance. BTW, lol, we have similar usernames. Stay crusty!

[–] [deleted] 1 points 12 points (+13|-1) ago 

[Deleted]


[–] crustyjuggler 1 points 15 points (+16|-1) ago  (edited ago)

Anti-beacon basically modifies the registry, local group policy, and disables a ton of the telemetry. I think it adds a bunch to the hosts file also. Though, I have heard that low level components of Windows 10 can get around the hosts file instead of blocking traffic.

Barnacules Nerdgasm did a semi-review on it. https://www.youtube.com/watch?v=u1kGMCfb2xw

Thanks for doing this!


[–] simagule 1 points 4 points (+5|-1) ago 

Can you also do an install where you don't uncheck all the tracking options, for a comparison?


[–] binglederry 0 points 1 points (+1|-0) ago 

If you do test Spybot and other tools, make sure you test over a decent period of time. When I tested, W10 still phoned home, but only did it once a day or so. Easy to miss!


[–] ginx2666 2 points -1 points (+1|-2) ago 

Zero fucking reviews on whether they work or not, and it's bothering me.

Whether they do or not, the best way to completely cut off M$ is to block those addresses in an external hardware firewall. There. Nothing M$ can do about that.


[–] crustyjuggler 1 points 0 points (+1|-1) ago 

I have been recently tempted to build a pfSense router. Maybe now's the time to really consider it, since I run Win10 on my gaming rig and laptop.


[–] Troll 1 points 30 points (+31|-1) ago 

Thank you for posting this. These tables basically spell out FUCK YOU WE'RE MICROSOFT WE CAN DO WHATEVER WE WANT YOU FAGGOTS.


[–] european 3 points 4 points (+7|-3) ago 

Well yes. They did write it. The EULA probably does not promise to not totally and utterly destroy your privacy.


[–] arrggg 1 points 21 points (+22|-1) ago 

Excellent writeup and documentation. I did the same test on Windows 10 Enterprise and was unable to stop the connections out, even after disabling most of the services.

While you are at it, here are a few more things to try that will produce interesting/creepy results:

Block all the DNS requests from the local hosts file, and see how many retry with hard-coded IPs. Block all the IPs collected from the first 2 tests with null routes or on the router, and see how many alternates it tries. Disable the services that enable telemetry, CEIP, OneDrive, Windows Store, Windows Defender, Windows Update, and then document the new connections out.

Can't wait to see your results. Documenting this unbelievable spyware is the first step to doing something about it.
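A small analyser for flow records exported the way BobOki describes (rflow to a collector) and for the retry and once-a-day checks arrggg and binglederry mention, added here as an example; it is not the thread's own code, and the simplified flow line format and the addresses in the sample are constructed.

```python
# Added example: summarise outbound connection attempts from exported flow records.
# Assumed, constructed format, one flow per line: "<epoch> <src_ip> <dst_ip> <dst_port> <proto> <bytes_in>".
from collections import defaultdict
from statistics import median

# Constructed sample from one LAN host; destinations are documentation-range placeholders.
SAMPLE_FLOWS = """\
1440000000 192.0.2.10 198.51.100.5 443 tcp 0
1440000005 192.0.2.10 198.51.100.5 443 tcp 0
1440000010 192.0.2.10 198.51.100.5 443 tcp 0
1440000020 192.0.2.10 198.51.100.7 3544 udp 0
1440086420 192.0.2.10 198.51.100.7 3544 udp 0
1440172820 192.0.2.10 198.51.100.7 3544 udp 0
1440000030 192.0.2.10 198.51.100.9 80 tcp 5120
"""

def parse_flows(text):
    """Return a list of (epoch, src, dst, port, proto, bytes_in) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, proto, bytes_in = line.split()
            flows.append((int(ts), src, dst, int(port), proto, int(bytes_in)))
    return flows

def attempts_by_destination(flows):
    """Count attempts and bytes received per (dst_ip, dst_port): the per-IP table the thread discusses."""
    summary = defaultdict(lambda: {"attempts": 0, "bytes_in": 0})
    for _, _, dst, port, _, bytes_in in flows:
        summary[(dst, port)]["attempts"] += 1
        summary[(dst, port)]["bytes_in"] += bytes_in
    return dict(summary)

def retrying_destinations(summary, min_attempts=3):
    """Destinations contacted repeatedly that never returned data: endpoints still being retried after a block."""
    return sorted(k for k, v in summary.items()
                  if v["attempts"] >= min_attempts and v["bytes_in"] == 0)

def periodic_destinations(flows, min_attempts=3, tolerance=0.1):
    """Map (dst, port) -> median gap in seconds for destinations contacted at a near-constant rate."""
    times = defaultdict(list)
    for ts, _, dst, port, _, _ in flows:
        times[(dst, port)].append(ts)
    periodic = {}
    for key, ts_list in times.items():
        ts_sorted = sorted(ts_list)
        gaps = [b - a for a, b in zip(ts_sorted, ts_sorted[1:])]
        med = median(gaps) if len(gaps) >= min_attempts - 1 else 0
        if med > 0 and all(abs(g - med) <= tolerance * med for g in gaps):
            periodic[key] = med
    return periodic
```

Run it over several days of records, as binglederry suggests, or a once-a-day destination never accumulates enough attempts to show up.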


[–] chubbysumo 0 points 0 points (+0|-0) ago 

Block all the dns requests from local hosts file, and see how many retry with hard coded ips

It has already been proven that you cannot block or disable MS IPs through the hosts file, the Windows firewall, or the group policy editor. It's hard-coded into Windows 10 to allow those IPs 100% of the time. You need to add iptables rules to block/drop them.

[–] [deleted] 1 points 15 points (+16|-1) ago 

[Deleted]


[–] FuttsMcButts 1 points 6 points (+7|-1) ago 

Thanks for taking the time to do this for people who don't know how or don't have the time to!

[–] [deleted] 1 points 13 points (+14|-1) ago  (edited ago)

[Deleted]

[–] [deleted] 1 points 9 points (+10|-1) ago 

[Deleted]


[–] LibNE 0 points 0 points (+0|-0) ago 

This would mean a lot to the world of security observationists.


[–] SuperConductiveRabbi 1 points 10 points (+11|-1) ago 

Are these limited to outbound connection attempts? Can you repeat this analysis for Windows 7 and then for a flavor of Linux?

What type of traffic is being transmitted to the top hosts? Is it encrypted? Do you have experience installing your own root CA on the target machine and creating a MITM SSL proxy to decrypt any SSL-protected information from the top hosts?


[–] RedSocks157 1 points 8 points (+9|-1) ago 

Holy shit. What could possibly be the purpose of all those connection attempts? This is ridiculous! Could I configure my router to block connections in such a way that Win10 can't do this? I have it on my HTPC only, but I still don't want it sharing data with M$...there has to be a way.


[–] tomlinas 0 points 0 points (+0|-0) ago 

What could possibly be the purpose of all those connection attempts?

Well, all of the ones with "deploy.static.akamaitechnologies.com" in them are attempts to download windows updates, which Windows does from a huge block of IPs concurrently. I presume this is to spread load on MS' side but I'm not really sure -- I do know setting up squid to cache these is getting incrementally harder :/

The *.search.msn.com ones are very interesting to me. I have been able to get my box to generate queries to Bing with all of the privacy options turned off by searching in the start menu, but not the MSN ones. OP - do you have the MSN live tile installed? I haven't done a vanilla Enterprise install, so not sure if that's on the Enterprise image...I wouldn't think so but you never know :P

I am mostly interested in what the static IPs that don't backwards resolve end up being...
