Analyzing Windows 10 Telemetry Deeper

Hello, I'd like to analyze the data that is sent to Microsoft further. Also, before someone says "Windows user," I'm not; I'll just make a VM for that. I'll be doing it mostly out of curiosity because I want to see what's in there. Any help, suggestions or ideas would be appreciated. Maybe we could all come together and make something easy to set up for people so that they can analyze their traffic themselves, which might be a big punch in MS's face if something is found that shouldn't be there. So, my idea would be the following:

1. Make a Windows 10 LTSB VM
(Optional) Configure everything according to the article: docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services
and try to find out what is sent on the minimal level, which I would have great interest in. Please note that for the telemetry level "Security" MS uses the word "includes," so in the end they could still potentially send anything, which is a big concern.

2. Make a certificate for the domain microsoft.com and add it to the certificates.
3. Use a DNS server that redirects the resolution-requests for microsoft.com to something that is under my control (for example an Apache server set up with the private key).
4. Log all the traffic that goes to the server and decrypt it with the private key.

Might that work? Anyone tried something like that?

Attached: Kaenbyou.Rin.full.1671810.jpg (1920x1080, 1.13M)


Even without telemetry, W10 is worse than W7.
Also, why even bother with Windows.

chances are anything shady is encrypted, you probably wouldn't see anything of value without microsoft's private key

I would assume that telemetry data is encrypted (which you appear to assume, as well), but I would further assume that they would hard-code the public cert info and IP addresses of telemetry servers into their telemetry software precisely so that someone couldn't do:


Is that not the case?

If you need to use windows for school or work software and there is no available free software alternative just use windows 7 or vista. there is no reason to get windows 10 unless you are a gamer faggot.

Yeah, but you could maybe add a new certificate for your "forged Microsoft server."

Even if they hardcoded the IPs, you might be able to modify the raw IP packets and just redirect them to one of your servers (for example, I think this could be done by setting up a Linux router with iptables between them). Also, even if they hardcoded the cert info, wouldn't that mean you could change it? :P There must be a beginning where it starts to verify the identity of the server, but anything can be modified, so for MS there's no way to truly hide it if someone with enough knowledge tries to force it open.

Look, I'm truly just interested on what it is sent and how it is sent. I use Linux on most machines. I'd never connect a Windows machine to the internet, besides for the exception of maybe trying to analyze the telemetry.

Could -> Couldn't?

Perhaps, but I assume you'd have to do that with a hex editor, and it probably wouldn't be easy to find. I guess you'd need experience with a disassembler.

I'm all for that OP, but without the right (((catalyst))) we won't see Microsoft in the news next to faceberg any time soon.

OP here again, it seems someone had the same idea as me! Here's the article: softscheck.com/en/privacy-analysis-windows-10-enterprise-telemetry-level-0/ It would be nice if we could share all our findings. Maybe someone finds something interesting. Please note that I'm not sure if the person did set all Group Policy settings correctly as the article for configuring connections to Microsoft services is quite long and probably not that well-known. I'll probably set up a VM and try mitmproxy myself.

Attached: blog-win10-fig1.jpg (679x732 46.79 KB, 63.87K)

Enjoy your Windows 7 until January 14, 2020. Only 1.6 years away.

Who said Windows can't detect if it's running in a VM?
You need to try harder to make it fucking impossible to detect VM.
Also, certificates are probably hardcoded deep in the system, and Windows could see that it's connecting to something else and not send suspicious data when it's detected.
Unless you can inspect the source to make sure Windows doesn't change behavior based on hypervisor presence and modified certificates, this won't prove the absence of the data which you did not capture.
(Well, it can also be hidden in other ways, for example sending some shit only if the user is targeted, or random sampling)


it only applies to

Windows 10 Enterprise edition
Windows Server 2016

if you test only them, it won't say shit about the other editions.

The traffic redirection itself can be done transparently if you have a sufficiently smart gateway. Doesn't matter if IP addresses or DNS names are hardcoded.
But the big problem is to deal with encryption, and not let Windows detect that it is running in an unnatural environment. That, in a worst case, would require heavily patching Windows, without access to the source code that sucks ass I guess.

And then you would need to also prove that you didn't intentionally add some other shit while patching, and even then results could be deemed illegally obtained in some countries, as reverse engineering Windows is likely prohibited by EULA, etc.

Hey (you). What are you doing? You're not supposed to fiddle around with that, you know.

Attached: index.jpeg (225x225, 4.17K)

Either that, or maybe they don't even give much of a shit at this point. After all, the telemetry thing was finalized post-Snowden, after they saw that the shitstorm was short-lived and everyone either swallowed the "hurr but it's for national security kthxbai" message, or just felt helpless anyway. Maybe even the long-term reaction (or rather a lack thereof) to the Snowden revelations encouraged them to implement the telemetry thing in the first place.

...

Extended support ended back in 2010. Still working, still using it

Attached: win2k.jpg (1024x768, 37.85K)

What's the advantage to using 2k over XP, given that you can turn basically all the bullshit in XP off one way or another and bring it to 2k level of comfiness, while 2k itself is much more limited compatibility-wise?

If MS tried an unprecedented dick move and decided to revoke all 7 licenses January 14, 2020 (thus literally forcing anyone concerned about licensing to abandon the OS), then that short timespan might indeed be worrying.

For some reason it is smaller. There's almost no bullshit to remove, you only need to add some bullshit like updated crypto, etc. depending on use cases.
Still they both are probably insecure as fuck anyway.

Nothing really, personal preference - fewer services to disable & no WPA pretty much. And 2k _can_ be made more XP compatible with kernel extensions.

Attached: wpa.png (640x530, 26.64K)

...

Like that is a bad thing for power users.

Attached: creampie.webm (640x272, 697.47K)

does power user mean "I will find you and kick your ass if you fuck with me"? in that case, maybe you have a point.

XP?, maybe, but a configured firewall should keep you safe from the potential remote exploits, and common sense should keep you safe from malware.

7?, no, it's still supported, it might or might not have a few vulnerabilities W10 doesn't have (e.g. eternalblue), but W10 probably has some vulnerabilities W7 doesn't have as well, with all the extra botnet services.

webm source?

Wait I'm retarded, I somehow thought this was between W7 and WXP.

imdb.com/title/tt1723811/

noob here, can't you just install Wireshark and save it to a file or something?

wrong, in my country win7 is twice as expensive

also I'm retarded, idk how the license system works; judging from reviews the "cheaper" versions (30EU) are illegal or something?

Any success in OP's endeavor would be ephemeral at best. As we speak, MS is working with Intel to have Windows telemetry work entirely transparently via the ME.

...

Pro-tip: Windows, as of version 7 (or Vista maybe), knows when it's run in a VM and adjusts behaviour accordingly. Microsoft most certainly made Windows 10 do less malicious things in a VM to make sure people have a harder time making a telemetry analysis.


Impossible

In a properly set-up VM, I doubt it. That would require red pill techniques[1], and I'm not sure Microsoft implements them, or that strong blue pill techniques can really be defeated.

[1] Read more on blue pill and red pill techniques there: en.wikipedia.org/wiki/Blue_Pill_(software)

how do?

Which publicly available VM implementation uses something like blue pill?

I honestly don't know. This presentation[1] by Muli Ben Yehuda explains a bit more about blue pill techniques, but it's very technical, and I'll admit it's beyond my level of understanding of how hypervisors work. I think it explains how to install such a blue-pill rootkit.

If you modify KVM or similar the proper way, you might be able to blue pill Windows 10. I doubt OP can, however. That would be a task for a decently sized team of security professionals working at a lab.

[1] mulix.org/lectures/vmsecurity/vmsec-cyberday13.pdf

Why not then inspect the traffic after it has already left the machine

Stop deluding yourself, don't you think they've thought of all this lmao

it will be encrypted
to make it readable you need to replace certs in Windoze without triggering it
as I said in >>894286

I mean if you simply change certificates Windoze will likely have ways to detect it, so you need to also prove that the behavior you measure is the same as if you didn't change them

The OS detecting a "VMware virtual xyz adapter" device (or equivalent in other virtualization software) is not enough for it to figure out it's run in a VM?

If you want to run a blue pill VM, you obviously don't give it such an adapter name.

1. encryption (whether by the OS or by the ME)
2. big network equipment companies (such as Cisco) being part of the cabal can make such traffic invisible to the user

All virtualization software exposes some virtual devices to the OS which can be trivially recognized as such by any modern OS. Or do you know virtualization software that can either do passthrough of every physical host device (or spoof presence of various physical devices)?

Yes, it's literally called a blue pill. Modern AMD-V or VT-x virtualization is entirely transparent, and you can just use a minimal hypervisor underneath that doesn't perform PCI initialization.

By default, because it helps with getting the guest OS to run as decently as possible. That default can be changed. As I said, I don't know how you would go about it with a QEMU/KVM setting, but fully fooling the guest OS has been a possibility since Joanna Rutkowska's work in 2005-2006.

What about React OS?

What about? Go and test and tell us.

It's still in alpha. So it's unstable, featureless, doesn't work fine with any drivers yet and doesn't work well with a lot of software.

bump