Windows 10 Does Not Spy on You

Status
Not open for further replies.

Ink

Source: When it comes to Windows 10 privacy, don't trust amateur analysts | ZDNet

Forbes is at it again, whipping up a frenzy over Windows 10. This time he claims to have found SHOCKING EVIDENCE that Microsoft's telemetry is collecting STAGGERING amounts of data from Windows 10 users.

Sadly, what Mr. Kelly's post* proves is how very, very little he understands about modern computing or networking. Seriously, his article is pure gibberish.

In short, Windows keeps trying to make a simple connection using its IPv6 capabilities, but the router keeps dropping those connection attempts. So it keeps trying again and again.​

Continue reading for full story.
When it comes to Windows 10 privacy, don't trust amateur analysts

Another day, another sensational report from Forbes. Oh my goodness, is Windows 10 really "phoning home" thousands of times a day? Nope. In fact, anyone who has even a basic understanding of how networks work should cringe at this shoddy report.

Sadly, what Mr. Kelly's post* proves is how very, very little he understands about modern computing or networking. Seriously, his article is pure gibberish, technically. But more than 100,000 people have read it so far, and apparently they believe Mr. Kelly.

I feel sorry for those poor benighted souls.

What makes this whole sorry state of affairs even worse is that Mr. Kelly hasn't even done any of his own research. Instead, he is relying on ... well, I'll let him tell you:

Blowing the lid on it this week is Voat user CheesusCrust whose extensive investigation found Windows 10 contacts Microsoft to report data thousands of times per day.

Voat is a Reddit clone. The user CheesusCrust is ... well, we really have no idea who he is.

Henceforth, I shall refer to him as "Mr. Crust."

There is nothing in Mr. Kelly's article to indicate that he spoke with Mr. Crust to verify his credentials or gather any additional data.

What Mr. Crust did was to install Windows 10 Enterprise edition (apparently an evaluation version) in a virtual machine, using the free VirtualBox running on Linux Mint. Mr. Crust says he performed a custom installation where he "disabled three pages of tracking options."

[A side note here: Actual network administrators configuring Windows 10 Enterprise have hundreds of Group Policy options at their disposal, including fine-grained controls over telemetry and privacy settings. There's even a fourth option, not available to users of retail and OEM Windows 10 editions, that dials telemetry back to an absolute minimum. There is no evidence that Mr. Crust is aware of these options.]

And then, Mr. Crust reports, he "configured the DD-WRT router to drop and log all connection attempts via iptables through the DD-WRT router by Windows 10 Enterprise."

Oh dear.

Mr. Crust says his intent was to "analyse the network traffic of Windows 10 on a clean install." If there are any readers with networking experience in the audience, they might see the flaw in his methodology. If your software needs to connect to an outside resource to perform a specific task, and the connection drops unexpectedly, you will not get any traffic to analyze. Even worse, when the software detects an unsuccessful connection it will try to connect again. And again and again and again.

So what might have been a single, short data exchange could instead turn into multiple connection attempts.

Mr. Kelly is outraged:

The raw numbers come out as follows: in an eight hour period Windows 10 tried to send data back to 51 different Microsoft IP addresses over 5500 times. After 30 hours of use, Windows 10 expanded that data reporting to 113 non-private IP addresses. Being non-private means there is the potential for hackers to intercept this data. I'd argue this is the greatest cost to owning Windows 10.

I might have to pause here for a second to allow those of my readers with networking experience to try to make sense of those last two sentences. Don't even try. It's gibberish.

Helpfully, Mr. Crust supplied the raw data, which I plugged into a spreadsheet so I could perform my own extensive investigation. The results are unintentionally hilarious.

[Update: It appears that Mr. Crust has deleted his post and indeed his entire Voat account. The Forbes post that relied on his data remains unchanged.]

First of all, 602 connection attempts were to 192.168.1.255, using UDP port 137. That's the broadcast address where Windows computers on a local network announce their presence and look for other network computers using the NetBIOS Name Service. It's perfectly normal traffic.

Another 630 of those connection attempts were Domain Name System lookups to the router itself, 192.168.1.1, using UDP port 53. That address is the router itself.

Why is Windows performing those DNS lookups? One big reason is that's how Windows checks whether you have access to the Internet. If there's a problem with your Internet connection, you get a yellow overlay on the network icon down at the right side of the taskbar.

To do that test, Windows first performs a DNS lookup of www.msftncsi.com. It then makes an HTTP request to retrieve the page ncsi.txt from that site. This file is a plain-text file and contains only the text "Microsoft NCSI." (NCSI stands for Network Connection Status Icon.) Finally, it performs a DNS query for dns.msftncsi.com.

The whole procedure is extensively documented.

DNS queries aren't "spying." Neither are NetBIOS name broadcasts on your local network. So far, that's 22.3 percent of the so-called traffic that's easily accounted for as "not spying," unless you think there's something sinister about a two-word text file that has been downloaded trillions of times from that poor Microsoft server.

Next up is a staggering 1,619 connection attempts using UDP port 3544 to the address 94.245.121.253, which Mr. Crust was unable to identify, along with another five attempts using the same port to other servers.

That address does indeed belong to Microsoft. It's a Teredo server, teredo.ipv6.microsoft.com. Teredo is an Internet standard that is used to supply an IPv6 address to a PC that speaks only IPv4, making it easier to perform secure and reliable communication between two endpoints without having to worry about network translation. It's also well documented and doesn't involve any exchange of information other than IP addresses.

In short, Windows keeps trying to make a simple connection using its IPv6 capabilities, but the router keeps dropping those connection attempts. So it keeps trying again and again.

That's another 1,624 entries we can add to the "not spying" list. So far, by my tally, more than 52 percent of the connection attempts are completely harmless and involve no data collection at all.

Another three connection attempts are using port 123. That's the Network Time Protocol, which devices use to retrieve the current time from authoritative servers on the Internet. Setting the clock on your computer is not "spying."

Mr. Crust's list has another 549 connection attempts on port 80, which is plain old HTTP. Windows doesn't have a web server installed by default, so those are all incoming connections, with Windows trying to retrieve data. They're not sending it the other direction.

Many of the addresses on the list belong to content delivery networks (CDNs) like Akamai Technologies and CloudFlare. Some of those downloads are possibly trying to refresh live tiles in the provisioned MSN apps (News, Sports, Weather, Money, and so on). There are perhaps some updates to the Windows Store in there too.

We might know more if Mr. Crust had allowed his machine to complete some of those connections so he could perform some actual traffic analysis. But he didn't, so we can't.

We can, however, safely conclude that none of those connections would involve any "spying."

Which leaves us with 2,100 connection attempts in eight hours over port 443. Those are secure (HTTPS) connections designed to exchange data so that it can't be intercepted in transit.

We have no idea how many secure connections that machine would have made in eight hours had Mr. Crust actually allowed them to complete. The number would almost certainly have been smaller, perhaps by an order of magnitude or even two.

And of course, those connections are not all about telemetry.

The most important one is the Software Licensing Service, which checks the state of Windows activation periodically. By dropping those connections, Mr. Crust is not allowing those activation and validation checks to complete. Windows gets very cranky when that happens, which could explain why there were more than 1,700 connection attempts to a handful of addresses in a single range of IP addresses managed by Microsoft.

Other content that gets delivered securely over port 443 includes Windows updates, Windows Defender updates, and updates from the Windows Store for apps that are provisioned on every Windows 10 machine. Windows 10 attempts to contact OneDrive, also securely, to see if there are any saved settings for the current user. There are lists of known malicious websites that get delivered to the SmartScreen service in a hashed and encrypted format.

And yes, there is certainly some telemetry data in there. We have no idea whether Mr. Crust changed the default Diagnostic and Usage settings to Basic. If he had, there would probably be a single ping to Microsoft's servers when the machine starts up, which would disclose what that setting was, whether Windows Defender was up to date, and whether his installation had experienced any failures in software or driver installation.

If he had kept the Enhanced or Full settings, Windows would periodically deliver a batch of anonymized usage data to Microsoft. (Of course, since he wasn't actually using the machine, there would be no data to exchange.) But we don't know, because Mr. Crust didn't actually do any traffic analysis.

Meanwhile, Mr. Kelly might want to write a little less and study a little more. I know some networking experts who've done some excellent video training courses where he could learn a lot about TCP and UDP and HTTP. I could even recommend some books that might be helpful.

But something tells me he really isn't interested in learning.
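The article's method is a tally of dropped outbound connection attempts by destination and port, sorted into routine housekeeping (NetBIOS broadcasts, DNS to the router, Teredo, NTP) versus connections that might actually carry data (HTTP, HTTPS). The script below does that tally over iptables DROP log lines of the kind a DD-WRT router writes to syslog, and also counts attempts per endpoint to show how retries against a dropping router inflate the raw number. It is an added example for this thread, not code from the ZDNet article or from anyone quoted in it; the log lines are constructed, only 192.168.1.1, 192.168.1.255 and 94.245.121.253 come from the article, the other public addresses are documentation ranges, and the category names are my own.

```python
"""Tally dropped outbound connection attempts by destination and port, the
way the article does, and show how retries inflate the raw count."""
import re
from collections import Counter

# Category keys: my own names for the buckets used in the article.
NETBIOS, DNS, TEREDO, NTP, HTTP, HTTPS, OTHER = (
    "netbios-broadcast", "dns-to-router", "teredo", "ntp", "http", "https", "other")
# Buckets the article treats as routine housekeeping with no data collection.
HOUSEKEEPING = {NETBIOS, DNS, TEREDO, NTP}

# Constructed sample: iptables LOG lines in the shape a DD-WRT router writes to
# syslog for a DROP rule. 192.168.1.1 (router), 192.168.1.255 (broadcast) and
# 94.245.121.253 (Teredo server) are the addresses named in the article; the
# other public addresses are documentation ranges chosen for this example.
SAMPLE_LOG = """\
Feb 10 08:00:01 DD-WRT kernel: DROP IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 10 08:00:01 DD-WRT kernel: DROP IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=63 PROTO=UDP SPT=55002 DPT=53 LEN=43
Feb 10 08:00:02 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=94.245.121.253 LEN=89 PROTO=UDP SPT=3544 DPT=3544 LEN=69
Feb 10 08:00:03 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=94.245.121.253 LEN=89 PROTO=UDP SPT=3544 DPT=3544 LEN=69
Feb 10 08:00:05 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=94.245.121.253 LEN=89 PROTO=UDP SPT=3544 DPT=3544 LEN=69
Feb 10 08:00:06 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=203.0.113.52 LEN=52 PROTO=TCP SPT=49712 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 10 08:00:07 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=203.0.113.250 LEN=52 PROTO=TCP SPT=49713 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 10 08:00:09 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=203.0.113.250 LEN=52 PROTO=TCP SPT=49714 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 10 08:00:10 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=198.51.100.50 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 10 08:00:11 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=49715 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# SRC/DST always precede PROTO in iptables LOG output; SPT/DPT are absent for ICMP.
FIELDS = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_drop_log(text):
    """Return one dict per DROP line: src, dst, proto and dpt (None if no port)."""
    records = []
    for line in text.splitlines():
        if " DROP " not in line:
            continue
        m = FIELDS.search(line)
        if not m:
            continue
        records.append({
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None,
        })
    return records


def classify(rec, router_ip="192.168.1.1"):
    """Map one dropped packet to the article's buckets by destination and port."""
    dst, proto, dpt = rec["dst"], rec["proto"], rec["dpt"]
    if proto == "UDP" and dpt == 137 and dst.endswith(".255"):
        return NETBIOS   # NetBIOS Name Service broadcast, never leaves the LAN
    if dst == router_ip and dpt == 53:
        return DNS       # name lookups, including the NCSI reachability probe
    if proto == "UDP" and dpt == 3544:
        return TEREDO    # IPv6-over-IPv4 tunnel setup, exchanges only addresses
    if proto == "UDP" and dpt == 123:
        return NTP       # clock synchronisation
    if proto == "TCP" and dpt == 80:
        return HTTP      # plain downloads (CDN content, live tiles)
    if proto == "TCP" and dpt == 443:
        return HTTPS     # activation, updates, settings sync, telemetry
    return OTHER


def summarize(records, router_ip="192.168.1.1"):
    """Counts per bucket plus the share that is routine housekeeping."""
    counts = Counter(classify(r, router_ip) for r in records)
    total = len(records)
    housekeeping = sum(n for cat, n in counts.items() if cat in HOUSEKEEPING)
    pct = round(100.0 * housekeeping / total, 1) if total else 0.0
    return {"total": total, "by_category": dict(counts), "housekeeping_pct": pct}


def retry_amplification(records):
    """Attempts per distinct (dst, dpt) endpoint, most-retried first. A dropped
    connection is retried, so one endpoint can show up as hundreds of 'contacts'."""
    return Counter((r["dst"], r["dpt"]) for r in records).most_common()


if __name__ == "__main__":
    recs = parse_drop_log(SAMPLE_LOG)
    report = summarize(recs)
    print(f"{report['total']} attempts, {report['housekeeping_pct']}% routine housekeeping")
    for cat, n in sorted(report["by_category"].items()):
        print(f"  {cat:<18} {n}")
    print("attempts per endpoint (retries against a dropping router pile up here):")
    for (dst, dpt), n in retry_amplification(recs):
        print(f"  {dst}:{dpt}  x{n}")
```

On the constructed sample the ten attempts go to seven distinct endpoints, and the single Teredo server accounts for three of them on its own; the per-endpoint view is the quickest way to see that a "thousands of contacts" headline is a retry count, not a count of distinct conversations. Because the router drops every packet, nothing here says what the HTTPS connections would have carried; that needs the connections to complete and a capture to be inspected.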

DaveM

Well, there is an amount of "spying" in the new system. But as has already been said, this particular individual had no clue what they were doing. Although it seems more likely that they did, and just wanted to rant about spying by purposely setting up a scenario to back up that rant.
 

Lanker

Well... Yes, it makes sense: just like any program that attempts to connect to a server and fails, obviously it will attempt to reconnect until it works.
In this aspect this article might be correct, but not all Windows 10 privacy concerns are based on those connections.
Note: sorry, bad English
 

Atlas147

It seems that the only people who know the extent of the "spying" are Microsoft themselves :p

DaveM

Oh I'm sure more will come out about it as the OS matures and more people play with it. But as I said in another post, so far there doesn't seem to be anything different than what Google and others do. Think of all the games and other apps on tablets and smartphones. They vacuum up everything you do and send it to who knows where. But I seldom hear anyone making much of a fuss over that.
 

upnorth

[Images attached: 57Tyj4ZU.png, 5AHC16rJ.gif]
 

jamescv7

Very vague; sometimes it needs more study to provide information that privacy is something of a problem for users through influential components.
 