Hacker News new | past | comments | ask | show | jobs | submit login

> And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy.

Does this mean a Win10 machine setup to use something like Tor will leak the user's actual IP back to Microsoft? If you're VPN'd, is some traffic still leaking outside of the VPN?

From an engineering perspective, how is this happening? Does Microsoft have a second network interface hidden away using hardcoded settings for DNS, etc?

On a somewhat related note, if a Win10 app is cert pinning, is there a way to force it to use your cert so you can MITM it?




I've been on Windows 10 for a couple of days now.

VPN traffic doesn't leak if the default route is the VPN interface. I tried it and my firewall went silent apart from the tunnel.

I have absolutely no fucking idea what it is sending out though. It's always talking to something. I've turned everything off that is documented and use a local account and remove-appxpackage'd everything. Sorry but this release is a write off. My host/vm relation is being inverted to Ubuntu as a host this week rather than a guest.

If I don't know what it's doing, how can I trust it?


I've been trying to use a software firewall and here's what I've blocked so far...

https://up1.ca/#JQqL3y0xqLZnxaOlYQ0s6A

And this is on a machine running Enterprise with privacy settings cranked, and most stuff disabled via group policy.

I'm trying to avoid blocking updates, but svchost is still out there talking to random microsoft servers. The worst part is that I can't differentiate between the servers used for tracking and the ones used for updates. I might have already blocked necessary stuff for updates.

At this point I'm really tempted to just wipe the machine and go back to 7, I've never felt so little trust in a machine I own. Even when I've run malware, at least I knew or could easily find out what was happening. This is just a big unknown to me. I'm seeing claims that it sends idle mic data even with Cortana disabled too, which is making me very paranoid even though the claims look sketchy at best.


Here’s an image link to your image that actually fucking works: http://i.imgur.com/i4ydV1a.png


Thank you.

Javascript is required to view and upload files.

No, it is definitely not.


Up1 uses client-side crypto, so in this instance it is. No real point here though, but I use ShareX with it, and it's nice to be able to deliver screenshots and stuff like this privately.


What's the point of client-side crypto in a browser? Can't you be served backdoored JavaScript that no longer does proper encryption, and you'd be none the wiser?


Yeah, you have to trust the site and their providers of course. But how do you know your OS provider doesn't serve you backdoored updates? Until it was abused by malware, Windows Update used to accept stuff signed by a 512-bit RSA key. Do you personally reverse engineer every binary you accept?

This will change soon though, they're working on browser extensions which will keep all content client side too.

EDIT: Clarified some points, added a little more detail.


Which is all nice, but doesn’t make it better that the site is almost unusable.

A better solution would be decrypting the image and then loading the image into an image tag with a data: uri in base64 encoding.

I could zoom normally with the browsers own zoom tools, I could right-click save normally, etc.


> that the site is almost unusable.

The site is perfectly usable. More than usable, even, because I get RES-style zooming for free, amongst other things.

You can right-click save normally already - just right-click and save. If you want the browser zoom tools, hit the "View in Browser" button or right-click and open in new tab


Both of which do not work. I can not right-click "view in new tab" or right-click "save as".


Works fine for me. Make sure your browser is functioning properly.

This website works in every browser I've used, and I've never heard of any problem even remotely close to what you say you're running into.


Browser works fine, it only is an issue with his site. Firefox 40.


Nobody else has been able to reproduce it, and you haven't given enough information on what you're doing or what you've tried. Have you tried different machines? Different browsers? Have you tried pressing the various buttons in the UI? What kind of machine do you have? Do you have a very small amount of RAM? Et cetera.

You might say your browser works fine, but I'd put my money on something there being the issue.


I tried 2 different machines, running two different versions of linux, tried Firefox, Firefox Aurora and Firefox nightly, all with clean profiles.

Neither "Save as" nor "View in new tab" work.

I said so on the github issue, too


I saw you tried different versions on 2 different machines -- it certainly suggests something related to your setup: I can zoom, open in new tab, save as, etc on Firefox 41 on Ubuntu 14.04.

Do you have running app for mouse gestures? That's the only thing I can think of that makes sense in your scenario. Try holding the right click for a few seconds, see if the context menu appears.


The context menu appears, but if I click on "Save as" or "View Image", nothing happens. "Image Info" does work, though.


Which browser are you using that you can't use right click-> save on a blob URL'd image? It's using the standard HTML image and appears to be working in Chrome, Firefox and Edge.


Doesn’t work in Firefox 40 on Linux. Tried Firefox, Dev channel and Nightly channel on 2 systems with clean profile. Just does not work.


The service provider isn't able to decode the info because the key is part of the URL that isn't sent to them. This decreases liability (and if nobody visits them, they can't be forced to decrypt it).


This protects you from nothing. It actually makes it LESS secure. Because you now have to enable JavaScript.

The service provider can still decode the info by MitM'ing.

If you are using Google Fiber, for example, your service provider can do whatever they want anyway – they control your browser, they are a CA and they are your ISP.

If not: As we’ve seen with CINNIC, MitM'ing is trivial because CAs give out root certificates far too often, far too easily


This is not to protect you, it's to protect the website.

>The service provider can still decode the info by MitM'ing.

Yes, but as I explicitly mentioned, only if you visit the website. If NSA goes to the website and demands the data, they can't do anything with it until I visit, whereas if it was decrypted, they could. This is a non-trivial difference.

>If you are using Google Fiber, for example, your service provider can do whatever they want anyway – they control your browser, they are a CA and they are your ISP.

Google is not going to risk their entire reputation by abusing their CA. Notice how CNNIC was removed from trusted stores and basically lost their business. Mitm by compromising a CA is far from trivial. Also, certificate pinning can mitigate the CA risk almost completely.


As you’ve probably seen with MEGA, this does not protect the site at all.

Take Megaupload (not MEGA), they had unencrypted data, but complied fully with DMCA and operated fully legally.

Take MEGA, they have to comply with DMCA, too, even though everything is encrypted and they never can decrypt the data, either (MEGA does literally the same as up1.ca)

Additionally, Certificate pinning only works if I visited the site before the MitM started. And some carriers like T-Mobile just strip every Certificate Pinning header anyway, as they use proxies to compress data. (Chrome’s Turbo mode does the same).

Essentially, the site uses JavaScript for showing images without providing any advantage to either the user or the site.


It actually works quite well for MEGA.

MEGA is only able to comply with the DMCA when the link is provided with the full hash.

MEGA is technically unable to remove similar or matching files based on content.

> And some carriers like T-Mobile just strip every Certificate Pinning header anyway, as they use proxies to compress data.

I question the t-mobile thing, unless they're installing certificates on end-user's phones that should not be possible. This is SSL traffic, remember, all those headers are also sent over SSL so unless T-Mobile is performing MITM, this shouldn't be a problem.

As for the Chrome Turbo mode thing, it is disabled for SSL traffic, as are most of these other things.

https://developer.chrome.com/multidevice/data-compression


> Essentially, the site uses JavaScript for showing images without providing any advantage to either the user or the site.

That is a very baseless and false conclusion.


Well, admittedly, in the context of a link on Hacker News, it's pretty true. The link containing the seed is trivial to obtain and could easily be reported to the providers who would have to take it down if deemed legally necessary.


Yep, exactly. Also it's nice to have the extra privacy, especially when linking to images privately amongst friends


> Up1 uses client-side crypto, so in this instance it is.

What crypto? I didn't provide any key, so both the content AND the key came from the same place. Looks like completely useless crypto.


You did in fact provide a key. See that bit after the # in the URL? This is the beauty of Up1. It makes the crypto as transparent to the user as possible.

That part is not sent to the server by your browser. That's a seed, it's run through sha512 then split into parts, including a key, iv and filename to fetch from the server.

Now, as I said, in this instance, since I distributed the link on a public website, it's pretty pointless. But when I link my friends and colleagues on a private XMPP server or via textsecure, it's a pretty nice feature to have, as I can very easily share private screenshots.


"Private", well, it’s not private. Seriously.

There is a reason you do actual crypto differently. Encrypt the image with the public key of your friends and send it to them, that is privately.

Giving a foreign entity control over your data and key is not "privately".

And, worse, I have to activate JavaScript, which decreases security by a lot.


> Giving a foreign entity control over your data and key is not "privately".

Yeah, if you have this concern strongly, well, we're working on browser extensions which will prevent any potential risk here. However, like I said to someone else, unless you reverse engineer every update to your OS, you really shouldn't be commenting. This is just as much "giving a foreign entity control over your data" as using an OS provided in binary form is giving a foreign entity control over your CPU, which would be far, far worse really. Unless you're manually validating the code in all cryptography products you use, there's really no argument to be made here.

> Encrypt the image with the public key of your friends and send it to them, that is privately.

When you do this, say using PGP, PGP generates a static key, encrypts that key to their public key and encrypts the message using the static key.

This is essentially the same thing, the only difference being that the Up1 does only the static key portion and does not provide the public key portion, which you can do out of band using whatever method you prefer, be it PGP, SSL to a private server, OTR, TextSecure, etc.

And it allows the transfer of images and small files in this secure form to be incredibly simple and fast. Pipe into a command line tool or use ShareX, paste that link over a secured protocol and you've securely shared a file.

Of course, if you don't trust the public Up1 instance, feel free to run your own, it's all open source, server included.

> And, worse, I have to activate JavaScript, which decreases security by a lot.

It's a trade-off, privacy for a slightly increased risk of security, these days you're more likely to get exploited by a fucking web font than by a script though.

Worst case, like I said, don't trust the public instance if you don't want to (well, if you're the type who doesn't trust their OS provider at least). You can always run it yourself or wait for the browser extensions.


I’m the type that only runs arch because I can’t be bothered to run Gentoo ;)

Anyway, for posting on a public forum it’s pretty useless, as it provides no benefit and requires the users to have JS enabled, which is, especially on Hacker News, not really a given.

Even the mods complained when an up1.ca link was used as submission link recently.

Using a standard protocol would be an advantage here most definitely.


His link worked for me.


His link requires javascript and decrypts on device. Additionally, it overrides the browsers zoom behaviour and makes it impossible to view the image in a new tab seperately.

The link of the comment I replied to was just as bad as the sites that block right-clicking.


> impossible to view the image in a new tab seperately

But it's entirely possible, and there's even a dedicated button to view just the image. ("View in Browser").

Make sure your browser is functioning properly - this isn't an issue with the website.


Still, the result might now work in /some/ browsers, but it won’t magically make it work on most people’s phones.

Hacker News is a site I browse on my phone because it works without eating up RAM or anything.


Works fine for me


Glasswire huh? Good stuff.


Yeah, I'm not the biggest fan actually. Decided to try it out this run, but I used to run Outpost, which I liked a lot more as it could do per-host blocking and stuff.

This feels more like a pretty network monitor than a real firewall.


Agreed. It is useful for monitoring things like system changes, but I wouldn’t depend on just GlassWire alone for a software firewall. In my case, I use a combination of GlassWire and NetLimiter (as mentioned here):

https://news.ycombinator.com/item?id=10039125


> If I don't know what it's doing, how can I trust it?

It's not enough to examine software: if you don't trust the company, then anything they say or promise is worthless. Automatic updates can change anything, including the TOS! This is the same company that sells a 1984-Telescreen (XBox) with an always-on camera and microphone. _NSA shouldn't be forgotten.

Oracle likes to tout Java as GPL, but what does that matter when we know the company can't be trusted? Who controls a software project is the key, not the licenses or corporate promises. There's no point in trusting iOS because we've examined it, we also have to trust Apple.


The source-code in OpenJDK can be inspected and OpenJDK itself can be forked if Oracle's stewardship goes awry, which is the whole freaking point of open-source, so I don't see how that can compare with Windows or iOS.


> OpenJDK itself can be forked

Tell that to Google.


Android wasn't fork of OpenJDK


but Dalvik was.


No, Dalvik is not a fork of OpenJDK, but a clean room implementation. If it would have been a fork, then Google would be protected by the GPL license.


No. Dalvik was a new implementation and for the android standard library was used a fork of Harmony.


What shouldn't we forget about _NSA?


I think he meant _NSAKEY [0].

0. https://en.wikipedia.org/wiki/NSAKEY


Yes we should forget it.

They worked out it's easier to get at our data out and on home territory (cloud, telemetry) than actually have to break into your kit.


Or as I like to put it, at the end of the day you have to trust someone, somewhere in the chain.

In the case of software vendors, you have to trust the vendor.

You cannot independently verify everything. You do not have the expertise nor the bandwidth.

Edit: and if you have the software audited, are you not then trusting the auditor?


I don't like this argument. It's not necessarily you who has to audit your software. You can pay other people to do it. Big companies can pay for it. Your government's institutions can pay for it. If on the other hand the software is closed-source, then that's not an option. And especially for governments and for big companies Windows is a security liability.


True, but there's no logical fallacy in writing off companies and products if they're consistently untrustworthy.


I'm just about to untangle myself from my last client where I work with MS stuff. And I'm never touching it again.


I think I'll end up putting Win 10 as my host. It's just too annoying worrying about drivers and batteries on Linux.

But I can just disable networking on the host (which shouldn't be running anything anyways), or at worse, route it though a VM.

I'm more concerned about how to run it in a VM, since I need day to day Win dev tools with Internet access.


How can you trust any cloud service then?


You shouldn't. The cloud is just someone else's computer. You can mitigate things by encrypting a lot but there's no way you can't know they don't peek at your data.

So if you can't trust the company offering the service, you shouldn't do business with them. It's the same with food and food supplies: if they can't be trusted to serve/sell you stuff that doesn't make you ill, don't do business with them. Very simple.


Of course, I completely agree. But it is like you say, you either trust the provider or you don't (ceteris paribus encryption issues).


I don't and never have done for personal use.

I literally have an IMAP box and nothing else.


I assume from your answer, that you do use it for professional purposes?


Yes but not on recommendation. In fact the majority of what I do these days is legislative compliance and bringing teams and applications back onshore that the companies have fucked up.

Currently digging a financial company out of a royal mess of 20 years of bad technical leadership leading to sprawling infrastructure and cloud dependencies.


Oh wow. This is a tough task.

In your experience, what are the "worst" cloud dependencies? I'd imagine SalesForce and AWS would have very different impact?


Money is good though so that's some consolation :)

Salesforce is the root of all evil. Once you're in the ecosystem, you're stuffed. You know it's bad when the entire business team start running round clucking when the EMEA salesforce instance goes down hard...

AWS is fine. Most of the platform's concepts have real world parallels for example.


Can't you just redirect all that stuff it sends to 127.0.0.1 by editing your hosts file?


I've read somewhere that it ignores the hosts file for its microsoft communication.


I've read somewhere it respects the hosts file for its microsoft communication.


You can, but we have 450 workstations and about 600 servers.

That somewhat multiplies the problems.


1000+ machines and no way to update a file with a few commands/clicks/whatever-your-configuration-management-system-uses? (Ok, at worst, making a batch file and scheduling its launch.)

If so, I suppose you have big issues with your system administration team.


Yes they're factory pressed Windows administrators who are to be honest fucking useless unless it comes to pointing at someone else but that's another story...they're being replaced piecemeal by bits of Ansible and Linux machines.

Realistically we don't want to deploy a host file and AFAIK it doesn't work anyway; we want to control the network itself which we do via firewalls and DNS but it's a compromise between flexibility (our users still need to use the internet) and security.


If they're using DNS to resolve the name of the "mothership" just put a bogus record (or zone) in your DNS. If they're not using any name resolution protocol and you can isolate the IP addresses they're talking to just blackhole them at your border.


We're already doing that but it's hard work keeping up with it all.


And then Microsoft will fix that, ...


Default deny is the only viable strategy. (It's also completely impractical...)


> somewhat

Yes I can see how that would complicate things a little :)


What do you do about getting updates? You have to connect to hq sometime, and when you do, it will upload its intel.


Change the gateway on the Windows 10 install computer (or "default route" as another commenter calls it) to a computer _you_ control, i.e., a UNIX install, that can do IP forwarding. Turn on IP forwarding. Connect the UNIX install to the internet.

Also change your default DNS servers on the Windows 10 install to point to the UNIX install. If you know how, set up DNS on this computer. I recommend using your own cache listening on 127.0.0.x, not a public one.

Then monitor traffic being forwarded by the UNIX install.

This is not difficult for anyone familiar with UNIX. Plenty of good and bad software to help you.

Do people need instructions? If there is interest in blocking this nonsense I for one would be willing to help.

There are a lot more Windows users than Apple users so this is fun to watch how the Windows users react to the incessant connections to the mothership, which is par for the course with Apple products. Would love to see the stats on how much cumulative user-purchased bandwidth Apple and Microsoft are usurping in order to track the people who have to pay for it.

If you want to block this nonsense, then the easiest way to do it is from another computer acting as a gateway.

Trying to block these connections from the computer on which Windows 10 has been installed will probably be an exercise in frustration for most users and they will give up. (Most Apple users do not know or care so they do not try to block.) I am sure that Microsoft is counting on their users acting like Apple users.


If one can master all this, wouldn't it be easier to use a non-Windows box in the first place?


Of course not. Setting up OpenWRT to do this is a lot less work than migrating your entire workflow to a new operating system.


Right when I have finished porting all of my Autodesk products....


The problem is that it is not an user friendly solution. It will only help those people who do have several OS running or are capable of understanding.

The privacy settings that do not work were pretty good hidden already and many are scared away already. This second level is even worse.

What we need is a simple tool where you set check boxes to fix it all. That would be a solution for the target audience.


Well in the case of the Tor or VPN users, I suspect most of them are probably not the typical user you're implying, and at least have some IT skill.

In the case of other users, I'm not sure because I do not fully understand it, but it seems like this would not be necessary?


I'm sure if they could easily decide whats necessary, many would secure themselves.


Look. Seriously.

I don't want to be a brat, but what is the possible overlap between people caring to use Tor (for whatever reason) and people using Windows 10 as the host OS ?

You're at the absolute cutting edge of spyware-in-the-home, defective by design, obscured infrastructure that was designed from the ground up to be user hostile in every conceivable dimension. And you're going to run Tor on that.

There's a phrase for this and that phrase is "clown college".


> I don't want to be a brat, but what is the possible overlap between people caring to use Tor (for whatever reason) and people using Windows 10 as the host OS ?

Journalists.

There are many journalists who need to cover sensitive topics, who are not particularly technically literate. They need to be able to buy a system off the shelf, do some minimal and easy amount of installation of privacy protection, and be reasonably confident that it will work and they will not be outing their sources to whatever particular despot is listing in.

Of course, Tails is a better solution for that. But in terms of being able to allow them to do their job as easily as possible, it would be preferable for them to be able to install the Tor browser bundle on their existing OS rather than having to learn an entirely new one (and possibly dual boot in order to run some Windows-only software, and not keep it isolated well enough and thus leak information accidentally).

It apparently took a while to teach Glen Greenwald enough of how to use Tor and GPG in order for Snowden to be able to communicate with him. We need to make this process easier, not harder.


The next Snowden will be caught because the next Greenwald was using Windows 10. and we'll probably never know it happened.


Which is why he had to contact Laura in the first place.


Well, looks like they need to get their systems from some seller that is interested on satisfying their needs.


Look. Seriously. Like, totally.

Not everyone interested in Tor is educated enough to reinstall an OS. Or they need Windows for something else they do. Or 50 other things. Or maybe we're concerned about VPN leakage, or any other thing than tor that we might use to obfuscate traffic.


The fact that you run Windows as the OS on your computer means you are not very interested in anonymity or security. Other things are more important. like playing Fallout 4.

Those people make Tor worse for everyone.


Indeed, Microsoft phoning home is on the lower end of your concerns here.


What they are describing isn't necessarily cert pinning, although it's possible there is also cert pinning. It just means there are hard-coded IP addresses somewhere; either a hard-coded DNS server, or the endpoint itself.

Notably, it's still possible to MITM the traffic, just not as easy as if the system respected the proxy settings. You need to spoof the destination IP and try to terminate the TLS with your own trusted cert. If the connection still fails, only then would you know there is a cert pin. I haven't heard if anyone has tried this with the "CDN"-bound traffic, or the persistent bing.com/live.com traffic.

If a VPN was being used, I would expect traffic would still be routed through the VPN interface. The HTTP(S) proxy code is higher up the stack than a VPN interface.

It does raise a huge red flag though, if you are not fully in control of your own network routing using standard tooling, IMO it's not an appropriate OS for any enterprise environment.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: