A Traffic Analysis of Windows 10

All text typed on the keyboard is stored in temporary files, and sent (once per 30 mins) to:

oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com

Telemetry is sent once per 5 minutes, to:

vortex.data.microsoft.com
vortex-win.data.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net

Typing the name of any popular movie into your local file search starts a telemetry process that indexes all media files on your computer and transmits them to:

df.telemetry.microsoft.com
reports.wes.df.telemetry.microsoft.com
cs1.wpc.v0cdn.net
vortex-sandbox.data.microsoft.com
pre.footprintpredict.com


When a webcam is first enabled, ~35 MB of data gets immediately transmitted to:

oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
vortex-sandbox.data.microsoft.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net


Everything that is said into an enabled microphone is immediately transmitted to:

oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
vortex-sandbox.data.microsoft.com
pre.footprintpredict.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.urs.microsoft.com
cs1.wpc.v0cdn.net
statsfe1.ws.microsoft.com

If this weren’t bad enough, this behaviour still occurs after Cortana is fully disabled/uninstalled. It’s speculated that the purpose of this function is to build up a massive voice database, then tie those voices to identities, and eventually be able to identify anyone simply by picking up their voice, whether it be a microphone in a public place or a wiretap on a payphone.

Interestingly, if Cortana is enabled, the voice is first transcribed to text, then the transcription is sent to:

pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com
df.telemetry.microsoft.com

While the initial reflex may be to block all of the above servers via HOSTS, it turns out this won’t work: Microsoft has taken care to hardcode certain IPs, meaning that there is no DNS lookup and no HOSTS consultation. However, if the above servers are blocked via HOSTS, Windows will pretend to be crippled by continuously throwing errors, while still maintaining data collection in the background. Other than an increase in errors, HOSTS blocking did not affect the volume, frequency, or rate of data being transmitted.
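The two observations above, connections to hardcoded IPs that never touch DNS (so a HOSTS file cannot intercept them) and destinations contacted on a fixed timer, are both things a defender can check for in their own logs rather than take on faith. The script below is an added example, not code from the original post: it correlates a DNS answer log with an outbound connection log, labels each connection with the name that was resolved for it shortly before (or `no-lookup` if none was), and measures the interval between repeated connections to each destination. All log lines are constructed, and the `203.0.113.x` / `198.51.100.x` addresses are documentation ranges, not real telemetry endpoints.

```python
"""Detection sketch: connections made without a preceding DNS lookup, and
destinations contacted on a fixed timer. Added example for this page, not
from the original post; every log line below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed DNS answer log: "<timestamp> <queried name> <answer ip>"
DNS_LOG = """\
2015-08-10T10:00:01 vortex.data.microsoft.com 203.0.113.10
2015-08-10T10:00:02 sqm.telemetry.microsoft.com 203.0.113.11
2015-08-10T10:04:59 vortex.data.microsoft.com 203.0.113.10
"""

# Constructed outbound connection log: "<timestamp> <destination ip> <port>"
# 198.51.100.7 is never resolved, i.e. the "hardcoded IP" case.
CONN_LOG = """\
2015-08-10T10:00:01 203.0.113.10 443
2015-08-10T10:00:03 203.0.113.11 443
2015-08-10T10:02:30 198.51.100.7 443
2015-08-10T10:05:00 203.0.113.10 443
2015-08-10T10:07:30 198.51.100.7 443
2015-08-10T10:12:30 198.51.100.7 443
"""


@dataclass(frozen=True)
class Conn:
    ts: datetime
    ip: str
    port: int


def parse_dns(text):
    """Parse the DNS log into (timestamp, name, ip) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, ip = line.split()
        records.append((datetime.fromisoformat(ts), name, ip))
    return sorted(records)


def parse_conns(text):
    """Parse the connection log into Conn objects, oldest first."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), ip, int(port)))
    return sorted(conns, key=lambda c: c.ts)


def classify(dns_records, conns, window=timedelta(minutes=5)):
    """Label each connection with the name that resolved to its IP within
    `window` before it, or 'no-lookup' if no DNS answer precedes it.
    A 'no-lookup' destination is exactly what a HOSTS-file block cannot touch."""
    verdicts = []
    for c in conns:
        name = "no-lookup"
        for ts, n, ip in dns_records:
            if ip == c.ip and ts <= c.ts and c.ts - ts <= window:
                name = n  # records are sorted, so the latest qualifying answer wins
        verdicts.append((c, name))
    return verdicts


def beacon_intervals(conns):
    """Seconds between successive connections to each destination; a destination
    whose intervals are all (nearly) equal is being contacted by a timer."""
    by_ip = defaultdict(list)
    for c in conns:
        by_ip[c.ip].append(c.ts)
    return {ip: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for ip, ts in by_ip.items() if len(ts) > 1}


def unblockable_by_hosts(verdicts):
    """Destinations that were reached with no name lookup at all."""
    return sorted({c.ip for c, name in verdicts if name == "no-lookup"})


if __name__ == "__main__":
    verdicts = classify(parse_dns(DNS_LOG), parse_conns(CONN_LOG))
    for c, name in verdicts:
        print(c.ts.time(), c.ip, c.port, name)
    print("beacon intervals:", beacon_intervals(parse_conns(CONN_LOG)))
    print("HOSTS cannot block:", unblockable_by_hosts(verdicts))
```

On a real machine the two inputs would come from a DNS log (a resolver or DNS-client event log) and a connection log (firewall or netflow), which is also why the post's own conclusion points at the router: a block applied there sees the IP packet regardless of whether a name was ever looked up.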

http://localghost.org/

Windows 10 analysis: in principle it is merely a terminal for collecting information about the user, their fingers, eyes and voice!

AC

  • http://akazip.com/ unclezip

    Linux. Windows is dead; they jumped the shark on Wintendo 8 deliberately, so people would welcome something “better”. If better is emulating the cowards, thieves, and traitors at Facebook, then you get what you deserve for upgrading.

    • Chief Presiding Judge

      Microsoft is terrible for this, but you’re just as bad for that avatar so don’t try to talk from some type of high ground. Racist traitor rag deserves to be burned.

      • http://akazip.com/ unclezip

        You call me racist without knowing anything about me. The flag is not about racism, you moral coward. People like you, who try to steer the conversation with vituperation and ignorance, are the real problem in this country.

      • mgbjay

        To CPJ, re: uncleszip’s avatar:

        Your intolerance and wrist-wringing progressive mentality are the very tools being employed to send this country to the bottom of the heap.
        If you don’t want to see the flag, don’t look at it.

        If you don’t like the flag, don’t buy one.

        But do not tell me that if I do, I cannot.

        At that point, you have then crossed boundaries into the “totalitarianism-rules and I must insist your rights are to be infringed upon & demand you agree with me” never-never land.
        Believe whatever you want, like or dislike whatever you will, and I shall respect that, but please, please, allow me the same courtesy.

        Beware: The coming backlash is going to snap your stiff, intolerant neck.

  • Flem

    You had to know there was some reason they were giving free upgrades. And you also had to know that the reason was a criminal one.

    • sandamhernandez

      ????????????????????????????????????? my amigo’s sister makes 83$$/hour on the web……..on saturday I got a top of the degree audi since getting a check for 4216$$ this most recent 4 weeks in addition, ten thousand last-munth . irrefutably about it, this really is the most enamoring occupation Ive had . I really began six months/earlier and on an extremely fundamental level straight away was making more than 87$$ p/h . endeavor this site……..

      ????? tinyurl.com/Work2nReportOnlineao1 ???????????????????????????????? GO TO THIS AND CLICK NEXT LINK INSIDE IT FOR WORK DETAILS AND HLP

    • Shizuppy

      If you’re not paying for the product, you ARE the product.

  • Tark McCoy

    Would a personal firewall like PeerBlock stop this, I wonder?

    • Andrei

      So you firs buy it, and then fix it :))) Why buy it broken in the first place?

  • btb

    Thanks for this… VERY informative..

  • Ash

    Hi IWB, I just have a few questions on the methodology you used here, because this is some scary stuff.

    I was under the impression that Win 10 encrypts all the stuff it “sends home”, so can you let us know how you discovered the actual content being sent?

    If it’s actually sending everything you type (including passwords?) as plain text — yikes!

    If it was encrypted, how did you decrypt it? MITM your machine on the local network or something?

    Thanks.

    • Kage

      I forget how it was done, but there is a trick you can use to get all data that any program would send to drop what’s being transmitted via HTTPS in pre-encrypted form. The data is then stored in a file you can peruse at your leisure. This is using tools that are all readily available in Windows, so you wouldn’t even need any special software to break the encryption. Just some specific technical knowledge that not many people possess.

      • Ash

        Thanks Kage.

        Can you (or anyone else?) expand on how to do this “preview the data that will be sent” trick? I’ve been looking around but can’t find any mention of it on the web.

        Cheers.

        • Kage

          It was in a comments section for another article, turns out you do need one program that doesn’t come with Windows, it’s called Wireshark. The comment was left anonymously, so can’t really credit anyone for it. The trick used is below.

          Create an environment variable called SSLKEYLOGFILE. Point it to a text
          file for SSL keys. Reboot the Windows computer. Open up Wireshark. Set
          Protocol -> SSL -> (Pre)-Master-Secret log file to the text doc.
          Filter on the IP to decode ;)
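The text file named in the comment above uses the NSS key log format, which is what Wireshark reads from the (Pre)-Master-Secret log file setting. The parser below is an added example, not code from the original post or from Wireshark: it validates each line (label, 32-byte client random, hex secret of the right length), groups the secrets by client random, and reports which of the sessions observed in a capture could actually be decrypted. The log contents are constructed and contain no real secrets. A practical caveat: the `SSLKEYLOGFILE` variable is honored by clients built on NSS, OpenSSL or BoringSSL (Firefox, Chrome, curl), not by the Windows TLS stack itself, so a session whose client random never appears in the file stays opaque.

```python
"""Parser and sanity checker for the NSS key log format that Wireshark
consumes. Added example for this page, not from the original post or from
Wireshark; the key log below is constructed and holds no real secrets."""
import re
from collections import defaultdict

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Expected secret length in bytes per label; None means any even-length hex.
# CLIENT_RANDOM carries the TLS 1.2 master secret (48 bytes). The TLS 1.3
# labels carry secrets whose length depends on the cipher suite's hash.
LABELS = {
    "CLIENT_RANDOM": 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
    "EXPORTER_SECRET": None,
}
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}

# Constructed key log: one good TLS 1.2 session, one malformed line,
# one complete TLS 1.3 session, and one unknown label.
KEYLOG = "\n".join([
    "# constructed sample; not real secrets",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_RANDOM " + "33" * 32 + " " + "44" * 47,   # secret one byte short
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "55" * 32 + " " + "66" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "55" * 32 + " " + "77" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "55" * 32 + " " + "88" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "55" * 32 + " " + "99" * 32,
    "BOGUS_LABEL " + "aa" * 32 + " " + "bb" * 32,
    "",
])


def parse_keylog(text):
    """Return ({client_random_hex: {label: secret_bytes}}, [(lineno, reason)])."""
    sessions = defaultdict(dict)
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label not in LABELS:
            errors.append((lineno, f"unknown label {label}"))
            continue
        if not HEX.match(client_random) or len(client_random) != 64:
            errors.append((lineno, "client random must be 32 bytes of hex"))
            continue
        if not HEX.match(secret) or len(secret) % 2:
            errors.append((lineno, "secret is not valid hex"))
            continue
        want = LABELS[label]
        if want is not None and len(secret) != 2 * want:
            errors.append((lineno, f"{label} secret must be {want} bytes"))
            continue
        sessions[client_random.lower()][label] = bytes.fromhex(secret)
    return dict(sessions), errors


def decryptable(sessions):
    """Client randoms with enough material for Wireshark: a TLS 1.2 master
    secret, or the full set of TLS 1.3 handshake and traffic secrets."""
    return {cr for cr, labels in sessions.items()
            if "CLIENT_RANDOM" in labels or TLS13_REQUIRED.issubset(labels)}


def match_capture(sessions, observed_client_randoms):
    """Split client randoms seen in a capture's ClientHello messages into
    those the key log can decrypt and those it cannot."""
    have = decryptable(sessions)
    seen = {cr.lower() for cr in observed_client_randoms}
    return sorted(seen & have), sorted(seen - have)


if __name__ == "__main__":
    sessions, errors = parse_keylog(KEYLOG)
    print("sessions with secrets:", len(sessions), "bad lines:", errors)
    # Constructed list of client randoms "seen" in a capture.
    print(match_capture(sessions, ["11" * 32, "cc" * 32]))
```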

          • Ash

            Thanks again Kage. :)

  • http://jigsy1.blogspot.com/ Jigsy

    The way to stop it would be blocking it via router level.