Hello, I'd like to analyze the data that is sent to Microsoft further. Also, before someone says Windows user, I'm not, I'll just make a VM for that. I'll be doing it mostly out of curiosity because I want to see what's in there. Any help, suggestions or ideas would be appreciated. Maybe we could all come together and make something easy to set up for people so that they can analyze their traffic themselves, which might be a big punch in MS's face if something is found that shouldn't be there. So, my idea would be the following:
2. Make a certificate for the domain microsoft.com and add it to the certificates.
3. Use a DNS server that redirects the resolution requests for microsoft.com to something that is under my control (for example an Apache server set up with the private key).
4. Log all the traffic that goes to the server and decrypt it with the private key.
Might that work? Anyone tried something like that?
Even without telemetry, W10 is worse than W7. Also, why even bother with Windows.
Evan Rodriguez
Chances are anything shady is encrypted; you probably wouldn't see anything of value without Microsoft's private key.
Jonathan Bailey
I would assume that telemetry data is encrypted (which you appear to assume, as well), but I would further assume that they would hard-code the public cert info and IP addresses of telemetry servers into their telemetry software precisely so that someone couldn't do:
Is that not the case?
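To make the pinning point above concrete: the check the poster describes compares a hash of the server's public key (the SubjectPublicKeyInfo) against a hard-coded list, so a forged certificate that carries the right hostname but a different key passes the name check and fails the pin check. The program below is an added illustration, not code from the thread or from Microsoft; the hostname `telemetry.example.test` and both key pairs are constructed on the spot, and the pin list is assumed to hold one SHA-256 SPKI hash in base64.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the value a
// pin list stores for a server key. It is independent of the issuer.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches reports whether the certificate's SPKI hash is in the pin set.
func pinMatches(cert *x509.Certificate, pins []string) bool {
	pin := spkiPin(cert)
	for _, p := range pins {
		if p == pin {
			return true
		}
	}
	return false
}

// selfSignedFor builds a self-signed certificate for host with the given key.
// Constructed test data: a real client would see a CA-issued chain instead.
func selfSignedFor(host string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// evaluate runs the two checks a pinning client performs on a presented
// certificate: does the name match, and is the key one we expect?
func evaluate(presented *x509.Certificate, host string, pins []string) (nameOK, pinOK bool) {
	nameOK = presented.VerifyHostname(host) == nil
	pinOK = pinMatches(presented, pins)
	return nameOK, pinOK
}

// demo compares a genuine certificate (its key is pinned) with a forged one
// that carries the same hostname but a freshly generated key.
func demo() (genuineName, genuinePin, forgedName, forgedPin bool, err error) {
	const host = "telemetry.example.test" // constructed placeholder hostname
	genuineKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	forgedKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	genuine, err := selfSignedFor(host, genuineKey)
	if err != nil {
		return
	}
	forged, err := selfSignedFor(host, forgedKey)
	if err != nil {
		return
	}
	pins := []string{spkiPin(genuine)} // the client's hard-coded pin list
	genuineName, genuinePin = evaluate(genuine, host, pins)
	forgedName, forgedPin = evaluate(forged, host, pins)
	return
}

func main() {
	gn, gp, fn, fp, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine cert: name ok=%v pin ok=%v\n", gn, gp)
	fmt.Printf("forged cert:  name ok=%v pin ok=%v\n", fn, fp)
}
```

The forged certificate is accepted by the hostname check and rejected by the pin check, which is exactly why a client that pins keys is unaffected by extra roots in the system store or by DNS pointing at another server. This is also why such analysis normally has to be done on the wire with the client's cooperation rather than by substituting certificates.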
Gavin Jenkins
If you need to use windows for school or work software and there is no available free software alternative just use windows 7 or vista. there is no reason to get windows 10 unless you are a gamer faggot.
Gavin Scott
Yeah, but you could maybe add a new certificate for your "forged Microsoft server."
Even if they hardcoded the IPs, you might be able to modify the raw IP packets and just redirect them to one of your servers (for example, I think this could be done by setting up a Linux router with iptables between them). Also, even if they hardcoded the cert info, wouldn't that mean you could change it? :P There must be a point where it begins to verify the identity of the server, but anything can be modified, so for MS there's no way to truly hide it if someone with enough knowledge tries to force it open.
Look, I'm truly just interested in what is sent and how it is sent. I use Linux on most machines. I'd never connect a Windows machine to the internet, with the possible exception of trying to analyze the telemetry.
Anthony Perry
Could -> Couldn't?
Perhaps, but I assume you'd have to do that with a hex editor, and it probably wouldn't be easy to find. I guess you'd need experience with a disassembler.
Andrew Perez
I'm all for that OP, but without the right (((catalyst))) we won't see Microsoft in the news next to faceberg any time soon.
Jordan Jackson
OP here again, it seems someone had the same idea as me! Here's the article: softscheck.com/en/privacy-analysis-windows-10-enterprise-telemetry-level-0/ It would be nice if we could share all our findings. Maybe someone finds something interesting. Please note that I'm not sure if the person did set all Group Policy settings correctly as the article for configuring connections to Microsoft services is quite long and probably not that well-known. I'll probably set up a VM and try mitmproxy myself.
Enjoy your Windows 7 until January 14, 2020. Only 1.6 years away.
Christopher Miller
Who said Windows can't detect if it's running in a VM? You need to try harder to make it fucking impossible to detect VM. Also, certificates are probably hardcoded deep in the system, and Windows could see that it's connecting to something else and not send suspicious data when it's detected. Unless you can inspect the source to make sure Windows doesn't change behavior based on hypervisor presence and modified certificates, this won't prove the absence of the data which you did not capture. (Well, it can also be hidden in other ways, for example sending some shit only if the user is targeted, or random sampling)
It only applies to Windows 10 Enterprise edition and Windows Server 2016. If you test only them, it won't say shit about the other editions.
Jayden Butler
The traffic redirection itself can be done transparently if you have a sufficiently smart gateway. Doesn't matter if IP addresses or DNS names are hardcoded. But the big problem is to deal with encryption, and not let Windows detect that it is running in an unnatural environment. That, in a worst case, would require heavily patching Windows, without access to the source code that sucks ass I guess.
Mason Harris
And then you would need to also prove that you didn't intentionally add some other shit while patching, and even then results could be deemed illegally obtained in some countries, as reverse engineering Windows is likely prohibited by EULA, etc.
Jeremiah Cook
Hey (you). What are you doing? You're not supposed to fiddle around with that, you know.
Either that, or maybe they don't even give much of a shit at this point. After all, the telemetry thing was finalized post-Snowden, after they saw that the shitstorm was short-lived and everyone either swallowed the "hurr but it's for national security kthxbai" message, or just felt helpless anyway. Maybe even the long-term reaction (or rather the lack thereof) to the Snowden revelations encouraged them to implement the telemetry thing in the first place.
Brody Wright
...
Mason Hughes
Extended support ended back in 2010. Still working, still using it
What's the advantage to using 2k over XP, given that you can turn basically all the bullshit in XP off one way or another and bring it to 2k level of comfiness, while 2k itself is much more limited compatibility-wise?
Daniel King
If MS tried an unprecedented dick move and decided to revoke all 7 licenses January 14, 2020 (thus literally forcing anyone concerned about licensing to abandon the OS), then that short timespan might indeed be worrying.
Evan Taylor
For some reason it is smaller. There's almost no bullshit to remove, you only need to add some bullshit like updated crypto, etc. depending on use cases. Still they both are probably insecure as fuck anyway.
Liam Rodriguez
Nothing really, personal preference - fewer services to disable & no WPA pretty much. And 2k _can_ be made more XP compatible with kernel extensions.
does power user mean "I will find you and kick your ass if you fuck with me"? in that case, maybe you have a point.
Oliver Lee
XP? Maybe, but a configured firewall should keep you safe from the potential remote exploits, and common sense should keep you safe from malware.
7? No, it's still supported. It might or might not have a few vulnerabilities W10 doesn't have (e.g. EternalBlue), but W10 probably has some vulnerabilities W7 doesn't have as well, with all the extra botnet services.
Adam Jenkins
webm source?
Joshua Howard
Wait, I'm retarded, I somehow thought this was between W7 and WXP.
Noob here, can't you just install Wireshark and save it to a file or something?
Jaxon Gutierrez
Wrong, in my country Win7 is twice as expensive.
Andrew Clark
Also I'm retarded, idk how the license system works; judging from reviews the "cheaper" versions (30 EUR) are illegal or something?
Gavin Williams
Any success in OP's endeavor would be ephemeral at best. As we speak, MS is working with Intel to have Windows telemetry work entirely transparently via the ME.
Easton Scott
...
Samuel Ramirez
Pro-tip: Windows, as of version 7 (or Vista maybe), knows when it's run in a VM and adjusts behaviour accordingly. Microsoft most certainly made Windows 10 do less malicious things in a VM to make sure people have a harder time making a telemetry analysis.
Impossible
Nathan Lopez
In a properly set-up VM, I doubt it. That would require red pill techniques[1], and I'm not sure Microsoft implements them, or that strong blue pill techniques can really be defeated.
Which publicly available VM implementation uses something like blue pill?
Jeremiah Ward
I honestly don't know. This presentation[1] by Muli Ben-Yehuda explains a bit more about blue pill techniques, but it's very technical, and I'll admit it's beyond my level of understanding of how hypervisors work. I think it explains how to install such a blue pill rootkit.
If you modify KVM or similar the proper way, you might be able to blue pill Windows 10. I doubt OP can, however. That would be a task for a decently sized team of security professionals working at a lab.
Why not then inspect the traffic after it has already left the machine
Hudson Perry
Stop deluding yourself, don't you think they've thought of all this lmao
Easton Flores
It will be encrypted; to make it readable you need to replace certs in Windoze without triggering it, as I said in >>894286.
Elijah Scott
I mean, if you simply change certificates, Windoze will likely have ways to detect it, so you also need to prove that the behavior you measure is the same as if you hadn't changed them.
Brody Butler
The OS detecting a "vmware virtual xyz adapter" device (or equivalent in other virtualization software) is not enough for it to figure out it's run in a vm?
Nathaniel Campbell
If you want to run a blue pill VM, you obviously don't give it such an adapter name.
Gavin Young
1. Encryption (whether by the OS or by the ME).
2. Big network equipment companies (such as Cisco) being part of the cabal can make such traffic invisible to the user.
Ian Johnson
All virtualization software exposes some virtual devices to the OS which can be trivially recognized as such by any modern OS. Or do you know virtualization software that can either do passthrough of every physical host device (or spoof presence of various physical devices)?
Lincoln Martin
Yes, it's literally called a blue pill. Modern AMD-V or VT-x virtualization is entirely transparent, and you can just use a minimal hypervisor underneath that doesn't perform PCI initialization.
Joshua Baker
By default, because it helps with getting the guest OS to run as decently as possible. That default can be changed. As I said, I don't know how you would go about it with a QEMU/KVM setup, but fully fooling the guest OS has been a possibility since Joanna Rutkowska's work in 2005-2006.
Bentley Collins
What about React OS?
Asher Myers
What about? Go and test and tell us.
Luis Sanders
It's still in alpha. So it's unstable, featureless, doesn't work well with any drivers yet, and doesn't work well with a lot of software.