
Windows 10 Enterprise telemetry network traffic analysis, part 1 - walterbell
https://voat.co/v/technology/comments/835741
======
HappyTypist
What I'm concerned about is the following:

> However, before more info is gathered, Microsoft’s privacy governance team,
> including privacy and other subject matter experts, must approve the
> diagnostics request made by a Microsoft engineer. If the request is
> approved, Microsoft engineers can use the following capabilities to get the
> information:

> Ability to gather user content, such as documents, if they might have been
> the trigger for the issue.

This means that Telemetry in Windows 10 is a built-in backdoor that allows
Microsoft to access your local files. That is disturbing. At minimum, explicit
user consent should be required, i.e. a popup asking if you'd like to share a
specific file with Microsoft.

Source: [https://technet.microsoft.com/en-us/library/mt577208.aspx?f=...](https://technet.microsoft.com/en-us/library/mt577208.aspx?f=255&MSPPError=-2147217396)

~~~
MatthiasP
That is only the case if you set the telemetry settings to "Full".

~~~
HappyTypist
Full is the default setting. For all intents and purposes, 99 in 100 Win10 PCs
are on Full.

~~~
spdionis
We're talking about Windows 10 Enterprise here, not regular consumers.

~~~
ionised
Enterprise is the only version that allows you to disable most of this stuff.

It's on by default on all other versions.

~~~
daveguy
And if you look in the comments even for enterprise he chose a "customized
install" to be presented with 15 pages of telemetry options (all default on
even in enterprise). He selected "No" for all telemetry data (in the
customized install that even most admins would trust is not necessary from MS
rhetoric) and is still getting this activity.

~~~
imron
The article said _3_ pages, with a total of around 15 options.

~~~
daveguy
Thanks for catching that. It is still worrisome that there is activity after
disabling the 15 options (3 pages) and maybe more worrisome that you don't get
that option in enterprise edition without a custom install. Working in
biotech, pharma companies do not take well to external network connections.
Although most will have whitelist firewalls, I would have expected the default
in enterprise would be to not phone home.

~~~
imron
I agree that it's far too many, and far too much effort to completely disable.

------
biot

> I have configured the DD-WRT router to drop and log all
> connection attempts via iptables...

I'd be more interested in seeing the result of letting the connections succeed
while timing how long they stay open and how many bytes are sent/received. The
fact that thousands of connections are opened is likely a result of retry
mechanisms after the connections are dropped at the router. Perhaps the first
thing Windows 10 does is let Microsoft know "this system has opted out of the
following tracking: ..." so that connections to Windows Update, etc. don't end
up logging additional information.

I'd also like to see a similar comparison for an average desktop Linux
installation, OS X installation, and so on.
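Taking biot's point about retry mechanisms one step further, here is an added example (not from the original post or anyone in this thread) that parses the router's iptables LOG lines and separates repeats on one socket (the kernel retransmitting a SYN with backoff) from fresh connection attempts on a new source port, so that a count of dropped packets is not mistaken for a count of connections. The log lines and addresses are constructed, and the syslog year is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format an iptables LOG rule writes to syslog on
# DD-WRT; addresses are documentation-range placeholders, not real endpoints.
# First destination: one socket (SPT=49152) retransmits its SYN with backoff,
# then the application opens a new socket (SPT=49153) and tries again.
SAMPLE_LOG = """\
Feb  7 10:00:01 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=443 SYN
Feb  7 10:00:04 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=443 SYN
Feb  7 10:00:10 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=443 SYN
Feb  7 10:00:11 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=49153 DPT=443 SYN
Feb  7 10:00:14 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=49153 DPT=443 SYN
Feb  7 10:00:15 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123 LEN=56
Feb  7 10:02:15 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123 LEN=56
"""

# Fields of interest from the LOG output; other fields (LEN=, TTL=, ...) are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2016):
    """Return the fields of one iptables LOG line, or None if it is not one.
    syslog omits the year, so it is assumed (2016 here, matching the thread)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["ts"] = datetime.strptime(f"{year} {f['ts']}", "%Y %b %d %H:%M:%S")
    return f


def summarize(log_text):
    """Group dropped packets per destination and split the line count into
    distinct sockets (fresh source port = a new connect() call) and repeats on
    an existing socket (kernel SYN retransmission for TCP, the application
    resending for UDP). 'gaps' lists the seconds between repeats per socket."""
    per_dst = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        f = parse_line(line)
        if f:
            per_dst[(f["dst"], int(f["dpt"]), f["proto"])][(f["src"], f["spt"])].append(f["ts"])
    summary = {}
    for dest, sockets in per_dst.items():
        lines = sum(len(stamps) for stamps in sockets.values())
        gaps = [int((stamps[i + 1] - stamps[i]).total_seconds())
                for stamps in sockets.values() for i in range(len(stamps) - 1)]
        summary[dest] = {"lines": lines, "attempts": len(sockets),
                         "repeats": lines - len(sockets), "gaps": gaps}
    return summary


if __name__ == "__main__":
    for (dst, dpt, proto), s in summarize(SAMPLE_LOG).items():
        print(f"{dst}:{dpt}/{proto}: {s['lines']} lines = {s['attempts']} attempts "
              f"+ {s['repeats']} repeats, gaps {s['gaps']} s")
```

On the constructed sample the five TCP lines collapse to two connection attempts, which is the kind of correction biot is asking for before reading "thousands of connections" literally.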

~~~
chestnut-tree
_"I'd also like to see a similar comparison for an average desktop Linux
installation, OS X installation"_

I agree. I'd really like to see an analysis of Android and ChromeOS. I'm glad
to see Microsoft in the spotlight over tracking and analytics as this is a
subject that gets far too little scrutiny from the tech community.

Tracking practices are widespread in the industry. Take Chromebooks for
example, they are now used in many US schools. The kids have no choice in
using these laptops, it's the adults who make the decision to deploy them (and
Google that heavily promotes their use). The privacy implications of an OS
that requires sign-in and then tracks every app and website you use are
horrendous. Yet there's barely any scrutiny from the tech community.

We really need to apply this analysis of Windows 10 to other operating
systems, especially ones that we know track you by default.

~~~
mikegioia
Which operating systems other than Win10 do we know track you by default?

~~~
dingo_bat
OP gave an example: ChromeOS

~~~
mikegioia
Yeah, I know he mentions Android and ChromeOS, but I'm mostly asking where the
info is to support his claim that "we know they're tracked by default". I've
never come across anything yet related to ChromeOS that even comes close to
the Win10 tracking by default, but it seems presumed for some reason.

~~~
dingo_bat
I'm not very familiar with ChromeOS but I can cite an example in Android:

When you turn on Location in your Android phone, every time there is a
disclaimer (unless you turn the notice off). It says that Google will collect
your location data. If you decline, your phone's GPS is useless. So, in order
to utilize the hardware you bought, you are forced to give up your privacy.

This is the definition of "tracked by default". Is there any hardware feature
that Windows does not allow users to access if you turn off all the tracking?

~~~
chungy
I'm pretty familiar with Android and this isn't quite true. It prompts to ask
if your phone can report nearby WiFi hotspots to Google and use that
information to try to get a more accurate location than GPS provides.

But GPS still works. GPS even works with the WiFi and mobile radios turned
off. GPS works without the Google Apps installed, and without the WiFi
location being enabled.

~~~
dingo_bat
All the Android phones I've used do not let you turn on GPS (even the non-
assisted GPS option) without making you agree to data collection. It does work
without a data connection but I assume they store the data till the next time
you get Internet.

Edit: I read a bit about this. There is something called Google location
history. It's on by default and tracks and reports your location to Google.
You can turn it off (it's a bit non-obvious but not very much so). The wording
is "Places you go with your devices will stop being added to your Location
History map". So there, "tracked by default".

~~~
vetinari
Not true.

The data collection is active only in 'High accuracy' and 'Battery saving'
modes. Both these modes are services: the phone asks Google servers "I see
wifi with SSID ABC and MAC 0:1:2:3:4:5, where am I?" or "I see a cell tower of
provider 0123, with id 456, where am I?".

In 'Device only' mode, your location is determined purely by the device
hardware. If anyone, it's Qualcomm who knows about you, due to AGPS request.

Then there is a separate service, Location History, that can be turned off.

~~~
dingo_bat
> Then there is a separate service, Location History, that can be turned off.

Yes, exactly as I mentioned. And it is on by default.

~~~
vetinari
It's turned on or off based on your choice in OOBE wizard. At least on Nexus
and Sony devices, other vendors may do something else.

------
huhtenberg
From
[https://www.reddit.com/r/sysadmin/comments/44i7xk/windows_10...](https://www.reddit.com/r/sysadmin/comments/44i7xk/windows_10_enterprise_still_talks_constantly_to/)

> _The_ only _way to turn Telemetry data full off is to use Local or Group
> Policy (and an Enterprise SKU, to be fair), as documented by Microsoft
> publicly. You cannot disable telemetry using the UI in Windows._

It's a very good read in general, have a look.

------
Renaud
Strangely, I decided to lock down my Win10 Pro machines earlier today after
seeing telemetry traffic reported by GlassWire.

I ended up using O&O ShutUp10, a free app with a simple on/off interface for a
bunch of Windows privacy-related settings, including telemetry.

There are other apps, and ways to block specific domains and IPs to prevent
Windows from calling home. It's staggering to see just how many parts of the OS
actually report information.

Some references:

[http://answers.microsoft.com/en-us/insider/forum/insider_win...](http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_security/how-to-block-spying-telemetry-services/0f104191-c329-4bd4-83d7-60390f2aa5eb?auth=1)

[http://superuser.com/questions/972501/how-to-stop-microsoft-...](http://superuser.com/questions/972501/how-to-stop-microsoft-from-gathering-telemetry-data-from-windows-7-8-and-8-1)

[http://www.majorgeeks.com/files/details/destroy_windows_10_s...](http://www.majorgeeks.com/files/details/destroy_windows_10_spying.html)

[https://www.oo-software.com/en/shutup10](https://www.oo-software.com/en/shutup10)

------
yread
Would be interesting to see which process tried to open the connection as
well. Does he have Skype installed? Is MSN Live tile enabled?

Some of these could be Windows checking if it is connected to the internet,
NTP, malware filters, certificate revocations, windows update, ...

You can't really expect to install a computer, switch off one setting, and
expect it to not connect to anything in 2016.

~~~
rasz_pl
You can do this in Windows firewall by enabling logging for all allowed
connections.

~~~
morganvachon
Yes, but isn't that basically letting the fox guard the hen house? If you
already don't trust Microsoft based on articles like this, depending on
Microsoft's firewall is not really a logical choice.

For what it's worth, I have Windows 10 Home and Pro as well as Windows 7 on
several machines, and according to my router Windows 10 is only slightly more
talkative than 7. I think that is mostly the Windows Store and Cortana stuff.
The dreaded telemetry from 10 has already been backported to 7 and 8/8.1, so
it's better to say "Windows tracks you" rather than "Windows 10 tracks you".

~~~
vetinari
With Windows 7/8 you can opt to not install telemetry updates.

With Windows 10, you cannot avoid that.

It even highlights a separate issue: that automatic forced updates are a bad
thing.

~~~
morganvachon
> _With Windows 7/8 you can opt to not install telemetry updates._

For now, yes. In the future that may change, just as it did when the Windows
10 update changed from "optional" to "recommended" and the installation began
without user interaction.

When you combine that with Microsoft's truncated support life cycle for 7 and
8.1, you end up feeling forced to move to 10 one way or another. I'm not
saying that Windows 10 is a bad OS (indeed, I enjoy it on my gaming PC and my
Stream 7 tablet, and it has been a huge performance boost to my wife's PC and
laptop). I'm just saying that any pretense of "Microsoft would never say one
thing and do another" is null and void at this point.

~~~
vetinari
That's the danger of automatic updates.

I used to have strictly manual updates set up. Yes, past time. One day I had
to hide KB3035583 one time too many, so now I'm getting used to El Capitan.

------
greenyoda
As a comparison, it would be interesting to see what kind of traffic a clean
install of Windows 7 or Windows 8 generates.

~~~
Cyykratahk
Data from OSX and some popular Linux distros would be good to see as well.

~~~
LinuxBender
I block all outbound traffic on several of my CentOS 7 boxes and have logging
rules just before the reject rules. I get zero hits.

This includes 2 workstations. In fairness, my /etc/resolv.conf points to
recursive cache servers on my vpn, but I do log all my DNS queries. The only
log entries are for things I ask for and Firefox trying to dial home.

------
ksk
This is pretty weaksauce. You can get all the open sockets in like 10 seconds.
Besides, all of these IPs have been out there ever since W10 came out. How
about an actual analysis of what data is being gathered, what data is sent,
and what settings affect it?

------
kardos
It would be overwhelmingly more interesting to see the contents of these
'telemetry' packets. Has anyone sorted out how to do that yet?

A side-effect of being able to view the 'telemetry' packets is that one could
also modify the packets on the way out.

~~~
userbinator
I'd bet a lot of it is encrypted. The flip-side of having security. Remember
the "smart" TV spying a few years ago that was discovered only because it was
doing it in plaintext?

[http://arstechnica.com/security/2013/11/smart-tv-from-lg-pho...](http://arstechnica.com/security/2013/11/smart-tv-from-lg-phones-home-with-users-viewing-habits-usb-file-names/)

With encrypted connections, you won't know what data it's sending, and if MS's
treatment of security in other areas in previous versions of Windows is any
indicator, the certificates will also be hardcoded so it's very difficult to
MITM. Good for stopping everyone else from spying on you, but really bad when
it stops you from knowing what data your own machine is sending.

~~~
nisa
Did anyone try to MITM a Windows 10 install, e.g. by adding their own cert to
the cert store?

Edit: Found this: [https://systemoverlord.com/blog/so-is-windows-10-spying-on-y...](https://systemoverlord.com/blog/so-is-windows-10-spying-on-you/)

------
pjc50
I can't see an _analysis_ of this, just a huge list of IP addresses? We need
to know what the actual content is and from what Windows components it's being
sent.

------
rasz_pl
AFAIK setting Windows firewall to deny all outgoing and then manually
whitelisting apps you use cuts all(') logging. Microsoft would be crazy to
punch backdoor holes in its own firewall; it would probably kill the enterprise
market.

' maybe almost all, you need DNS. I don't know any way of letting applications
use DNS selectively, it's all or nothing :(. This forces you to let svchost.exe
talk outgoing 53 udp.

~~~
woodman
That is putting a lot of faith in both Microsoft and the Windows firewall,
which has historically been very weak. Microsoft has also indicated that
they're not averse to bypassing users' obvious attempts to protect themselves
from spying, for example: bypassing hosts file entries for telemetric data
exfiltration. So while the firewall might work today, there is absolutely
nothing preventing a future update from silently changing the rules of the
game.

~~~
maxerickson
I think if that is your level of concern, you have to not use Windows, not try
to patch over their control of the firewall.

~~~
Silhouette
Presumably Microsoft are worrying by now that corporate customers with
knowledgeable IT departments will reach exactly that conclusion.

~~~
maxerickson
Wouldn't those users tend to have a hardware perimeter that they could use to
verify the behavior of Windows?

Also, I think if Microsoft is actually worried about losing those users, it
would choose not to subvert the firewall.

~~~
Silhouette
I suspect the problem will be if they have independent security tools near
their network edge that MITM their own traffic, as discussed elsewhere on HN
recently. If Microsoft are hard-coding addresses and certificate details for
its online services within Windows itself, the security tools won't be able to
inspect that traffic, and will probably be set to block it by default.

I suspect the kinds of organisations operating these tools would consider that
"working as intended" in most cases, but if it interferes with the
enterprise-grade configuration and update management tools then that could be
an issue for them.

~~~
maxerickson
My point was that they will be able to detect if Microsoft is subverting the
Windows Firewall, trivially. So it would be incompetent for Microsoft to
subvert the firewall and expect those users not to notice and incredibly
foolish for Microsoft to do it if they think those users will object by moving
away from Windows.

------
userbinator
It might not be so difficult to just patch this stuff out, but the biggest
problem is the automatic updates which could replace your changes. If someone
eventually finds a way to allow updates and automatically merge them in with
the local changes, that would be very highly appreciated for all those who are
forced to use Win10 for other reasons but do not want this behaviour.

~~~
vocatus_gate
The Tron project (reddit.com/r/TronScript) has integrated Telemetry removal
and disabling, seems to work pretty well.

~~~
Someone1234
Uhh, that script is horrifying. It is from the same cargo-cult technical
support personnel that run stuff like CCleaner, BleachBit, and memory
cleaners. Just go look at the script itself and the supporting scripts; if
nothing else they make a lot of assumptions about what the end user does or
does not want, and it reconfigures the machine in such a way as to disable
legitimately useful functionality.

~~~
userbinator
_if nothing else they make a lot of assumptions about what the end user does
or does not want_

If anything, _Windows 10_ makes "a lot of assumptions about what the end user
does or does not want"... and that script is just a _different_ set of
assumptions, perhaps ones that users would agree more with.

You could argue that _anything_ is "legitimately useful functionality", while
someone else would say it's privacy-invading spyware.

~~~
rashkov
Which one would you rather debug, as an end-user or support technician? The
options set by Microsoft, or the options set by an opaque tool from some third
party? There will be a lot more community support for fixing those issues
caused by Microsoft. The issues caused by the third-party tool are way more
likely to be harder to find discussion on and solutions for.

~~~
vocatus_gate
Definitely not an opaque 3rd-party tool. Tron's not opaque at all though; it's
open-source on GitHub under the MIT license.

------
socceroos
Very interesting. I too have been struggling to find decent analysis on W10's
telemetry features. While not everything on his list is specifically
telemetry, it certainly shows you the shift from "give the user full control"
to "be convenient at the cost of privacy" (to put it nicely).

------
johnchristopher
Would results differ much between a local and an MS account?

------
konschubert
Slightly off topic: How is voat.co able to copy Reddit's design almost 1:1
without being buried under a mountain of expensive lawsuits?

~~~
heinrich5991
Wow, I didn't notice I wasn't on Reddit. The only thing I noticed was that it
loaded more posts after scrolling to the end.

~~~
TrevorJ
Interestingly, on mobile it's about 10x better than viewing Reddit on the
same device.

------
RegW
> For this analysis, I wanted to simply analyse the network traffic of Windows
> 10 on a clean install, and just let it sit and run without using it.

Ha. So if Windows 10 was designed by a VW engineer you could expect it to
behave perfectly reasonably.

