Does this mean a Win10 machine setup to use something like Tor will leak the user's actual IP back to Microsoft? If you're VPN'd, is some traffic still leaking outside of the VPN?
From an engineering perspective, how is this happening? Does Microsoft have a second network interface hidden away using hardcoded settings for DNS, etc?
On a somewhat related note, if a Win10 app is cert pinning, is there a way to force it to use your cert so you can MITM it?
VPN traffic doesn't leak if the default route is the VPN interface. I tried it and my firewall went silent apart from the tunnel.
I have absolutely no fucking idea what it is sending out though. It's always talking to something. I've turned everything off that is documented and use a local account and Remove-AppxPackage'd everything. Sorry but this release is a write-off. My host/VM relation is being inverted to Ubuntu as a host this week rather than a guest.
If I don't know what it's doing, how can I trust it?
And this is on a machine running Enterprise with privacy settings cranked, and most stuff disabled via group policy.
I'm trying to avoid blocking updates, but svchost is still out there talking to random microsoft servers. The worst part is that I can't differentiate between the servers used for tracking and the ones used for updates. I might have already blocked necessary stuff for updates.
At this point I'm really tempted to just wipe the machine and go back to 7, I've never felt so little trust in a machine I own. Even when I've run malware, at least I knew or could easily find out what was happening. This is just a big unknown to me. I'm seeing claims that it sends idle mic data even with Cortana disabled too, which is making me very paranoid even though the claims look sketchy at best.
No, it is definitely not.
This will change soon though, they're working on browser extensions which will keep all content client side too.
EDIT: Clarified some points, added a little more detail.
A better solution would be decrypting the image and then loading the image into an image tag with a data: uri in base64 encoding.
I could zoom normally with the browsers own zoom tools, I could right-click save normally, etc.
The site is perfectly usable. More than usable, even, because I get RES-style zooming for free, amongst other things.
You can right-click save normally already - just right-click and save. If you want the browser zoom tools, hit the "View in Browser" button or right-click and open in a new tab.
This website works in every browser I've used, and I've never heard of any problem even remotely close to what you say you're running into.
You might say your browser works fine, but I'd put my money on something there being the issue.
Neither "Save as" nor "View in new tab" work.
I said so on the GitHub issue, too.
Do you have a running app for mouse gestures? That's the only thing I can think of that makes sense in your scenario. Try holding the right click for a few seconds and see if the context menu appears.
The service provider can still decode the info by MitM'ing.
If you are using Google Fiber, for example, your service provider can do whatever they want anyway – they control your browser, they are a CA and they are your ISP.
If not: as we’ve seen with CNNIC, MitM'ing is trivial because CAs give out root certificates far too often, far too easily.
>The service provider can still decode the info by MitM'ing.
Yes, but as I explicitly mentioned, only if you visit the website. If NSA goes to the website and demands the data, they can't do anything with it until I visit, whereas if it was decrypted, they could. This is a non-trivial difference.
>If you are using Google Fiber, for example, your service provider can do whatever they want anyway – they control your browser, they are a CA and they are your ISP.
Google is not going to risk their entire reputation by abusing their CA. Notice how CNNIC was removed from trusted stores and basically lost their business. MitM by compromising a CA is far from trivial. Also, certificate pinning can mitigate the CA risk almost completely.
Take Megaupload (not MEGA), they had unencrypted data, but complied fully with DMCA and operated fully legally.
Take MEGA, they have to comply with DMCA, too, even though everything is encrypted and they never can decrypt the data, either (MEGA does literally the same as up1.ca)
Additionally, certificate pinning only works if I visited the site before the MitM started. And some carriers like T-Mobile just strip every certificate pinning header anyway, as they use proxies to compress data. (Chrome’s Turbo mode does the same.)
MEGA is only able to comply with the DMCA when the link is provided with the full hash.
MEGA is technically unable to remove similar or matching files based on content.
> And some carriers like T-Mobile just strip every Certificate Pinning header anyway, as they use proxies to compress data.
I question the T-Mobile thing; unless they're installing certificates on end users' phones, that should not be possible. This is SSL traffic, remember: all those headers are also sent over SSL, so unless T-Mobile is performing a MITM, this shouldn't be a problem.
As for the Chrome Turbo mode thing, it is disabled for SSL traffic, as are most of these other things.
That is a very baseless and false conclusion.
What crypto? I didn't provide any key, so both the content AND the key came from the same place. Looks like completely useless crypto.
That part is not sent to the server by your browser. That's a seed; it's run through SHA-512 and then split into parts, including a key, an IV and a filename to fetch from the server.
Now, as I said, in this instance, since I distributed the link on a public website, it's pretty pointless. But when I link my friends and colleagues on a private XMPP server or via textsecure, it's a pretty nice feature to have, as I can very easily share private screenshots.
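The derivation described above (a URL-fragment seed hashed once with SHA-512 and carved into key, IV and server-side identifier), as an added illustration that is not Up1's own code. The 32/16/16-byte split, the hypothetical `example.invalid` URL and the HMAC-based counter-mode keystream (standing in for whatever AES mode a real client uses) are assumptions made for this example; what it demonstrates is the point made earlier in the thread: the server stores only an identifier and ciphertext, and has no path from the identifier back to the key.

```python
import hashlib
import hmac

# Assumed layout of the 64-byte SHA-512 digest: 32-byte key, 16-byte IV,
# 16-byte identifier. This split is an assumption for illustration, not
# Up1's documented format.
KEY_LEN, IV_LEN = 32, 16


def derive_parts(seed: str) -> dict:
    """Hash the URL-fragment seed once and carve key, IV and ident out of it."""
    digest = hashlib.sha512(seed.encode("utf-8")).digest()
    return {
        "key": digest[:KEY_LEN],
        "iv": digest[KEY_LEN:KEY_LEN + IV_LEN],
        "ident": digest[KEY_LEN + IV_LEN:],
    }


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA512; a stand-in for a real AES mode.

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha512).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class UploadServer:
    """Everything the server ever sees: an identifier and an opaque blob."""

    def __init__(self):
        self.store = {}

    def put(self, ident_hex: str, blob: bytes) -> None:
        self.store[ident_hex] = blob

    def get(self, ident_hex: str) -> bytes:
        return self.store[ident_hex]

    def view(self) -> dict:
        # What a subpoena of the server yields: idents and ciphertext sizes only.
        return {ident: len(blob) for ident, blob in self.store.items()}


def client_upload(server: UploadServer, seed: str, plaintext: bytes) -> str:
    """Encrypt client-side, upload under the ident, return the share link."""
    p = derive_parts(seed)
    server.put(p["ident"].hex(), keystream_xor(p["key"], p["iv"], plaintext))
    # Hypothetical URL; the fragment after '#' is never sent in the HTTP request.
    return "https://example.invalid/#" + seed


def client_download(server: UploadServer, url: str) -> bytes:
    """Re-derive everything from the fragment and decrypt what the server returns."""
    seed = url.split("#", 1)[1]
    p = derive_parts(seed)
    return keystream_xor(p["key"], p["iv"], server.get(p["ident"].hex()))


if __name__ == "__main__":
    srv = UploadServer()
    link = client_upload(srv, "constructed-seed", b"constructed screenshot bytes")
    print("server view:", srv.view())
    print("client sees:", client_download(srv, link))
```

Whoever holds the link can decrypt, which is why the thread agrees this is pointless on a public forum and useful over a private channel: the seed travels with the link, not with the upload.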
There is a reason you do actual crypto differently. Encrypt the image with the public key of your friends and send it to them, that is privately.
Giving a foreign entity control over your data and key is not "privately".
Yeah, if you have this concern strongly, well, we're working on browser extensions which will prevent any potential risk here. However, like I said to someone else, unless you reverse engineer every update to your OS, you really shouldn't be commenting. This is just as much "giving a foreign entity control over your data" as using an OS provided in binary form is giving a foreign entity control over your CPU, which would be far, far worse really. Unless you're manually validating the code in all cryptography products you use, there's really no argument to be made here.
> Encrypt the image with the public key of your friends and send it to them, that is privately.
When you do this, say using PGP, PGP generates a static key, encrypts that key to their public key and encrypts the message using the static key.
This is essentially the same thing, the only difference being that Up1 does only the static key portion and does not provide the public key portion, which you can do out of band using whatever method you prefer, be it PGP, SSL to a private server, OTR, TextSecure, etc.
And it allows the transfer of images and small files in this secure form to be incredibly simple and fast. Pipe into a command line tool or use ShareX, paste that link over a secured protocol and you've securely shared a file.
Of course, if you don't trust the public Up1 instance, feel free to run your own, it's all open source, server included.
It's a trade-off, privacy for a slightly increased risk of security, these days you're more likely to get exploited by a fucking web font than by a script though.
Worst case, like I said, don't trust the public instance if you don't want to (well, if you're the type who doesn't trust their OS provider at least). You can always run it yourself or wait for the browser extensions.
Anyway, for posting on a public forum it’s pretty useless, as it provides no benefit and requires the users to have JS enabled, which is, especially on Hacker News, not really a given.
Even the mods complained when an up1.ca link was used as submission link recently.
Using a standard protocol would be an advantage here most definitely.
The link of the comment I replied to was just as bad as the sites that block right-clicking.
But it's entirely possible, and there's even a dedicated button to view just the image. ("View in Browser").
Make sure your browser is functioning properly - this isn't an issue with the website.
Hacker News is a site I browse on my phone because it works without eating up RAM or anything.
This feels more like a pretty network monitor than a real firewall.
It's not enough to examine software: if you don't trust the company, then anything they say or promise is worthless. Automatic updates can change anything, including the TOS! This is the same company that sells a 1984-Telescreen (XBox) with an always-on camera and microphone. _NSA shouldn't be forgotten.
Oracle likes to tout Java as GPL, but what does that matter when we know the company can't be trusted? Who controls a software project is the key, not the licenses or corporate promises. There's no point in trusting iOS because we've examined it, we also have to trust Apple.
Tell that to Google.
They worked out it's easier to get at our data out and on home territory (cloud, telemetry) than actually have to break into your kit.
In the case of software vendors, you have to trust the vendor.
You cannot independently verify everything. You do not have the expertise nor the bandwidth.
Edit: and if you have the software audited, are you not then trusting the auditor?
But I can just disable networking on the host (which shouldn't be running anything anyway), or at worst, route it through a VM.
I'm more concerned about how to run it in a VM, since I need day to day Win dev tools with Internet access.
So if you can't trust the company offering the service, you shouldn't do business with them. It's the same with food and food supplies: if they can't be trusted to serve/sell you stuff that doesn't make you ill, don't do business with them. Very simple.
I literally have an IMAP box and nothing else.
Currently digging a financial company out of a royal mess of 20 years of bad technical leadership leading to sprawling infrastructure and cloud dependencies.
In your experience, what are the "worst" cloud dependencies? I'd imagine SalesForce and AWS would have very different impact?
Salesforce is the root of all evil. Once you're in the ecosystem, you're stuffed. You know it's bad when the entire business team start running round clucking when the EMEA salesforce instance goes down hard...
AWS is fine. Most of the platform's concepts have real world parallels for example.
That somewhat multiplies the problems.
If so, I suppose you have big issues with your system administration team.
Realistically we don't want to deploy a hosts file, and AFAIK it doesn't work anyway; we want to control the network itself, which we do via firewalls and DNS, but it's a compromise between flexibility (our users still need to use the internet) and security.
Yes I can see how that would complicate things a little :)
Also change your default DNS servers on the Windows 10 install to point to the UNIX install. If you know how, set up DNS on this computer. I recommend using your own cache listening on 127.0.0.x, not a public one.
Then monitor traffic being forwarded by the UNIX install.
This is not difficult for anyone familiar with UNIX. Plenty of good and bad software to help you.
Do people need instructions? If there is interest in blocking this nonsense I for one would be willing to help.
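The monitoring step above (point the Windows 10 install at a resolver you run, then watch what it forwards) as an added example, not the commenter's own tooling. It assumes the resolver is dnsmasq with query logging enabled, whose log lines take the form `query[A] name from client`; the log lines below are constructed, with 192.168.1.50 standing in for the Windows machine and the `example.invalid` names standing in for whatever the "CDN"-bound traffic mentioned later in the thread resolves to.

```python
import re
from collections import Counter, defaultdict

# Constructed dnsmasq query-log excerpt (syslog prefix, then the query record).
SAMPLE_LOG = """\
Aug  1 10:00:01 gw dnsmasq[412]: query[A] www.bing.com from 192.168.1.50
Aug  1 10:00:01 gw dnsmasq[412]: forwarded www.bing.com to 9.9.9.9
Aug  1 10:00:02 gw dnsmasq[412]: query[A] cdn-0042.example.invalid from 192.168.1.50
Aug  1 10:00:05 gw dnsmasq[412]: query[AAAA] news.ycombinator.com from 192.168.1.20
Aug  1 10:00:07 gw dnsmasq[412]: query[A] www.bing.com from 192.168.1.50
Aug  1 10:00:09 gw dnsmasq[412]: query[A] login.live.com from 192.168.1.50
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")


def parse_queries(log_text: str):
    """Yield (client, qtype, name) for every query record; skip other lines."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qtype"), m.group("name").rstrip(".").lower()


def names_by_client(log_text: str) -> dict:
    """Map each client IP to a Counter of the names it asked for."""
    tally = defaultdict(Counter)
    for client, _qtype, name in parse_queries(log_text):
        tally[client][name] += 1
    return dict(tally)


def registered_suffix(name: str, labels: int = 2) -> str:
    """Crude grouping by the last N labels (no public-suffix list here)."""
    return ".".join(name.split(".")[-labels:])


def report(log_text: str, client: str) -> list:
    """Names the given client resolved, most frequent first, with their suffix group."""
    counts = names_by_client(log_text).get(client, Counter())
    return [(name, n, registered_suffix(name)) for name, n in counts.most_common()]


if __name__ == "__main__":
    for name, n, group in report(SAMPLE_LOG, "192.168.1.50"):
        print(f"{n:4d}  {name:40s}  [{group}]")
```

Grouping by suffix is what turns a wall of hostnames into a handful of decisions: a block rule (or an allow rule, if you are worried about breaking updates) goes on the group, and the per-name counts show which groups are chatty enough to matter.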
There are a lot more Windows users than Apple users so this is fun to watch how the Windows users react to the incessant connections to the mothership, which is par for the course with Apple products. Would love to see the stats on how much cumulative user-purchased bandwidth Apple and Microsoft are usurping in order to track the people who have to pay for it.
If you want to block this nonsense, then the easiest way to do it is from another computer acting as a gateway.
Trying to block these connections from the computer on which Windows 10 has been installed will probably be an exercise in frustration for most users and they will give up. (Most Apple users do not know or care so they do not try to block.) I am sure that Microsoft is counting on their users acting like Apple users.
The privacy settings that do not work were pretty well hidden already, and many are scared away already. This second level is even worse.
What we need is a simple tool where you set check boxes to fix it all. That would be a solution for the target audience.
In the case of other users, I'm not sure because I do not fully understand it, but it seems like this would not be necessary?
I don't want to be a brat, but what is the possible overlap between people caring to use Tor (for whatever reason) and people using Windows 10 as the host OS ?
You're at the absolute cutting edge of spyware-in-the-home, defective by design, obscured infrastructure that was designed from the ground up to be user hostile in every conceivable dimension. And you're going to run Tor on that.
There's a phrase for this and that phrase is "clown college".
There are many journalists who need to cover sensitive topics and who are not particularly technically literate. They need to be able to buy a system off the shelf, do some minimal and easy amount of installation of privacy protection, and be reasonably confident that it will work and they will not be outing their sources to whatever particular despot is listening in.
Of course, Tails is a better solution for that. But in terms of being able to allow them to do their job as easily as possible, it would be preferable for them to be able to install the Tor browser bundle on their existing OS rather than having to learn an entirely new one (and possibly dual boot in order to run some Windows-only software, and not keep it isolated well enough and thus leak information accidentally).
It apparently took a while to teach Glenn Greenwald enough of how to use Tor and GPG for Snowden to be able to communicate with him. We need to make this process easier, not harder.
Not everyone interested in Tor is educated enough to reinstall an OS. Or they need Windows for something else they do. Or 50 other things. Or maybe we're concerned about VPN leakage, or any other thing than tor that we might use to obfuscate traffic.
Those people make Tor worse for everyone.
Notably, it's still possible to MITM the traffic, just not as easy as if the system respected the proxy settings. You need to spoof the destination IP and try to terminate the TLS with your own trusted cert. If the connection still fails, only then would you know there is a cert pin. I haven't heard if anyone has tried this with the "CDN"-bound traffic, or the persistent bing.com/live.com traffic.
If a VPN was being used, I would expect traffic would still be routed through the VPN interface. The HTTP(S) proxy code is higher up the stack than a VPN interface.
It does raise a huge red flag though, if you are not fully in control of your own network routing using standard tooling, IMO it's not an appropriate OS for any enterprise environment.