What’s the REAL deal with Windows 10 and privacy?

Windows 10, following the trend of pretty much everything in the technology world, represented another incremental step towards losing more privacy.


Of course, the reason why we are all OK with “slowly boiling to death”, is because it doesn’t “feel” like a big invasion. Well, sometimes these leaps forward are significant. I wrote about the new “Wi-Fi Sense” feature in Windows 10 and the possible problems that could cause. More on the big picture in a minute; first I wanted to research and address something I found on the internet.

The Problem:
Yesterday, I ran across this article:

A Traffic Analysis of Windows 10
http://localghost.org/posts/a-traffic-analysis-of-windows-10

this article summarized, and referenced the source article, which is here:

Analýza Windows 10: Ve svém principu jde o pouhý terminál na sběr informací o uživateli, jeho prstech, očích a hlasu!
http://aeronet.cz/news/analyza-windows-10-ve-svem-principu-jde-o-pouhy-terminal-na-sber-informaci-o-uzivateli-jeho-prstech-ocich-a-hlasu/

oh wait, if you don’t speak Czech (like me), here is the translated version:

Analysis of Windows 10: In its principle, it is only a terminal to collect information about the user’s fingers, eyes and voice!
https://translate.google.com/translate?hl=en&sl=cs&tl=en&u=http%3A%2F%2Faeronet.cz%2Fnews%2Fanalyza-windows-10-ve-svem-principu-jde-o-pouhy-terminal-na-sber-informaci-o-uzivateli-jeho-prstech-ocich-a-hlasu%2F

Let me sum up why this is so significant, and what I did to attempt to verify or disprove the claims.

The Original Analysis:
The gist of all of this, is that the original author made some shocking claims (with specific details). Some of the claims include:

  1. Windows 10 has a keylogger and uploads all your keystrokes every 5 minutes.
  2. Everything you type in Edge or Cortana is sent to Microsoft, along with any media files it finds.
  3. When webcam is enabled, 35MB of data goes to Microsoft
  4. Even with Cortana disabled/uninstalled, Windows 10 sends all microphone audio to Microsoft, when the computer is idle.

I mean, WOW, right? If any of this is true, that’d be pretty bad. Now, on the localghost post, the author notes that in the comments, people question the credibility of the source. For me, if any of this is true, this is significant to my line of work as an information security professional.

So, I sought out to see if I could confirm OR disprove any or all of the above! Either way, the result is significant.

The Test Rig:
I first started off with what I had on-hand, Windows 10 Enterprise, my main workstation. To fully test this though, I then went up to MSDN to pull down Windows 10 Home and Windows 10 Professional too.

For all 3, here’s how I approached it:

  • Installed the operating system with privacy settings off.
  • Installed Wireshark.
  • Set up a filter to specifically look for traffic to/from the named servers from the original Czech blog post.
  • Set it to capture for 2 hours.

Then, after that:

  • Disable all privacy settings, camera, microphone, and location services.
  • Capture for another 2 hours.

Then finally, open it up:

  • All privacy settings enabled.
  • No capture filter except to capture any traffic going to/from the local machine.

The idea here is that with a fresh install and no software installed – what kind of traffic do we have coming and going?

Testing (the nitty gritty):
If you want to try this on your own, here is the finite, distinct list of ALL of the servers the original Czech post published:

cs1.wpc.v0cdn.net
df.telemetry.microsoft.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
statsfe1.ws.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.urs.microsoft.com
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
vortex.data.microsoft.com

So, when I set up Wireshark, I specifically look for traffic to/from these names. So, my Wireshark capture filter is:

host cs1.wpc.v0cdn.net or host df.telemetry.microsoft.com or host i1.services.social.microsoft.com or host oca.telemetry.microsoft.com or host oca.telemetry.microsoft.com.nsatc.net or host pre.footprintpredict.com or host reports.wes.df.telemetry.microsoft.com or host sqm.telemetry.microsoft.com or host sqm.telemetry.microsoft.com.nsatc.net or host statsfe1.ws.microsoft.com or host telecommand.telemetry.microsoft.com or host telecommand.telemetry.microsoft.com.nsatc.net or host telemetry.appex.bing.net or host telemetry.urs.microsoft.com or host vortex-sandbox.data.microsoft.com or host vortex-win.data.microsoft.com or host vortex.data.microsoft.com

You might notice that i1.services.social.microsoft.com.nsatc.net is missing from the capture filter – good eye!! That’s because that name doesn’t resolve, so I left it out. So, I start with something like this:

(screenshot: Wireshark capture options with the server-list capture filter above)

and for testing all local traffic:

(screenshot: Wireshark capture options with a capture filter on the local machine name)

where “testwin10pro” is the name of the Windows 10 Professional, test workstation for example.
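To make the filter-building step reproducible, here is an added Python example (my code, not the post’s own tooling) that takes the server list above and assembles the same BPF capture filter, dropping any name that does not resolve. A capture filter is compiled once when the capture starts, and libpcap refuses to compile a `host` term for a name it cannot resolve, which is exactly why i1.services.social.microsoft.com.nsatc.net is absent from the filter above. The `resolve` parameter (defaulting to `socket.gethostbyname`) and the `build_display_filter` helper are my additions; the host list itself is copied from the post.

```python
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Server list exactly as published in the post (originally from the Czech article).
TELEMETRY_HOSTS: List[str] = [
    "cs1.wpc.v0cdn.net",
    "df.telemetry.microsoft.com",
    "i1.services.social.microsoft.com",
    "i1.services.social.microsoft.com.nsatc.net",
    "oca.telemetry.microsoft.com",
    "oca.telemetry.microsoft.com.nsatc.net",
    "pre.footprintpredict.com",
    "reports.wes.df.telemetry.microsoft.com",
    "sqm.telemetry.microsoft.com",
    "sqm.telemetry.microsoft.com.nsatc.net",
    "statsfe1.ws.microsoft.com",
    "telecommand.telemetry.microsoft.com",
    "telecommand.telemetry.microsoft.com.nsatc.net",
    "telemetry.appex.bing.net",
    "telemetry.urs.microsoft.com",
    "vortex-sandbox.data.microsoft.com",
    "vortex-win.data.microsoft.com",
    "vortex.data.microsoft.com",
]


def build_capture_filter(
    hosts: Iterable[str],
    resolve: Callable[[str], str] = socket.gethostbyname,  # injectable so it can run offline
) -> Tuple[str, Dict[str, str], List[str]]:
    """Assemble 'host A or host B ...' for Wireshark/tcpdump.

    Every 'host <name>' term is resolved when the filter is compiled, and one
    unresolvable name makes the whole filter fail to compile, so such names
    are skipped and reported rather than included.
    Returns (filter_expression, {name: address resolved now}, [skipped names]).
    """
    resolved: Dict[str, str] = {}
    skipped: List[str] = []
    for name in hosts:
        try:
            resolved[name] = resolve(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            skipped.append(name)
    expression = " or ".join(f"host {name}" for name in resolved)
    return expression, resolved, skipped


def build_display_filter(resolved: Dict[str, str]) -> str:
    """Matching Wireshark *display* filter on the addresses resolved at capture
    time, useful when reviewing a pcap afterwards. Caveat: CDN names can return
    different addresses later in the capture, which this filter will not match."""
    return " or ".join(f"ip.addr == {ip}" for ip in sorted(set(resolved.values())))


if __name__ == "__main__":
    expr, ips, missing = build_capture_filter(TELEMETRY_HOSTS)
    print("capture filter:\n ", expr)
    print("display filter:\n ", build_display_filter(ips))
    print("skipped (did not resolve):", missing)
```

Running it with a live resolver reproduces the post’s filter as long as the same name still fails to resolve; the returned address map is worth saving alongside the capture, since it records which addresses the names actually mapped to on the day of the test.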

The Findings:
Considering that I half-way know my way around Wireshark, but I am by no means an expert – I can draw some basic conclusions. I should also disclaim that I am not decrypting any TLS traffic – so this analysis is really just on the metadata.

Disclaimer: 1) I’m not an expert with Wireshark! 2) I didn’t decrypt any data, so this is based on clear-text traffic I can read, or otherwise just metadata-only. 3) I only ran the monitor for 2 hours each. I can’t account for things which might happen on bigger time scales (e.g. some event that happens every 24 hours).

However, for the purposes of this post, that should be enough to draw a conclusion. So, with that said, here are some things I observed:

  • Network traffic was about the same between Home, Professional, and Enterprise although there was more traffic for the consumer levels: 797kb, 676kb, and 523kb respectively.
  • When monitoring JUST the known server list, there was very little traffic – like 80-400 packets per hour with a total of less than 1MB of traffic.
  • When monitoring ALL traffic on a fresh install with all privacy settings enabled (allowing everything), there was not a lot of traffic. Almost all of it was on the internal network with “Network Discovery” turned on. All 3 SKUs had a couple thousand packets equaling less than 1MB over the 2 hour test period.

So in short, there wasn’t much network traffic to/from Microsoft, even with all privacy settings enabled. The traffic I could decipher was all for Cortana and the Edge browser.

What about those original claims?
Specifically, here are the claims, and what I could confirm:

  1. Windows 10 has a keylogger and uploads all your keystrokes every 5 minutes.
    This DOES exist in some Microsoft pre-production software, but I could not find any files or network traffic which support this. Also, when you use the Edge browser or Cortana, every keystroke IS sent to Microsoft, but just for searches. It’s not a “keylogger” in the sense that it captures other things like usernames and passwords.
  2. Everything you type in Edge or Cortana is sent to Microsoft, along with any media files it finds.
    Well, not “everything” – according to the Microsoft privacy statement, all URLs and searches are retained by Microsoft/Bing. I could not confirm/deny if it sends media file information – I didn’t see anything in the Wireshark session, but then again, I could not read the TLS traffic to/from Microsoft/Bing.
  3. When webcam is enabled, 35MB of data goes to Microsoft
    I couldn’t confirm this. There was no particular network activity when I enabled the webcam or microphone on any edition of Windows 10.
  4. Even with Cortana disabled/uninstalled, Windows 10 sends all microphone audio to Microsoft, when the computer is idle.
    Again, I couldn’t confirm this – but according to the Microsoft privacy statement, they are well within their rights to do this, so it is probable.

So, the Microsoft Privacy Statement does confirm some of this – but I could not confirm any keylogger though, in the RTM versions of any edition of Windows 10 – with my limited testing.

Bottom line:
So what does this mean? How privacy-aware is Windows 10? And what’s up with that other blog post – was that guy trolling everyone?

As far as the original post – I don’t know. I will say that it is likely he did that analysis with the tech preview. Part of the agreement for using pre-production versions of Windows DOES INCLUDE a provision for them running a keylogger, and sending your keystrokes to Microsoft, amongst all sorts of other telemetry data. In fact, check out this “tech preview” privacy statement (this is for PRE-production Windows 10, not the RTM version):

“Examples of data we may collect include your name, email address, preferences and interests; location, browsing, search and file history; phone call and SMS data; device configuration and sensor data; voice, text and writing input; and application usage.” –Microsoft Privacy Statement (pre-release versions of Windows)

Yikes. So, that is my best guess, that the analysis was done on a pre-production version of Windows.

Does that mean Windows 10 is “safe”? Well, that depends on what your threshold is. In present day, if you take a step back, it is simply amazing the privacy we give up. Take Google for example: you are their product. In exchange for using their great products and services, they unapologetically have the right to comb over every keystroke, every byte, and every sound recording they can enumerate from you. This data, they use for profiling you and for selling to advertisers. Many people are OK with that.

Microsoft is in a similar boat. Now that Windows 10 is free, YOU are now their product. Cortana – the cornerstone of Windows and Windows Phone runs pretty much the same way as Google is described above. Even if you disable Cortana, it’s still sort of turned-on, so all of this still applies. Take a look at the Privacy Policy.

“Microsoft collects data to operate effectively and provide you the best experiences with our services. You provide some of this data directly, such as when you create a Microsoft account, submit a search query to Bing, speak a voice command to Cortana, upload a document to OneDrive, or contact us for support. We get some of it by recording how you interact with our services by, for example, using technologies like cookies, and receiving error reports or usage data from software running on your device. We also obtain data from third parties (including other companies).” –Microsoft Privacy Statement

On that page, you can go service by service – they have the right to collect just about all data to which they technically have access. They, like Google, use that to profile you and to sell information to advertisers. So, if you are OK with that – then yes – Windows 10 is “safe”, especially regarding the accusation of having a keylogger.

What are my options?
Well, most people are completely OK with this and don’t find it to be a violation. What harm is there in having a peeping tom, if you don’t ever see him and if he doesn’t disrupt your day – right?!

For the people who might not be OK with this, I would argue that: Microsoft, Google, Amazon, and Apple are all in the same boat. The “model” has now been well-defined: they give you free stuff, and you let them stalk you, legally. It’s not “if” they will analyze you, it’s an agreement – they WILL.

So, the only other options for operating systems is Linux. “Ugh, Linux? Where everything is cryptic and overly-complexticated?” you grumble. Well, while yes that is the general gist of that technology – there are several distributions that have skyrocketed to success because they are much more refined, capable, and easy to use. Gone are the days of the cryptic Linux console prompt and clunky versions of Windows of yestermonth; Linux has come a long way!

I would always recommend Ubuntu for a desktop, but an even nicer option is LinuxMint.

http://www.linuxmint.com/

This is a free operating system that you can install on any Intel or AMD-based computer. It’s based on Ubuntu, which is based on Debian – which are all famous for being easier-to-use. So, how do you decide if you’d want to make a big leap like this?

(screenshot: example desktop of Linux Mint with a browser, file explorer, and command-line window open)

I recommend two things:

  1. Make a list of all of the applications you use, and see if there is something comparable for Linux. For example, check out www.libreoffice.org for a replacement for MS Office, or Thunderbird Mail as a replacement for Outlook.
  2. Actually try it, without messing up your current system! Download the installation media and make a bootable DVD or USB drive – you can boot up into a working install and play with it, without touching your C: drive. See if you like it!? When you’re done, pop the DVD out and reboot and you are back to Windows.

I didn’t mean to thread-jack my own post about Windows 10 – but this is a legitimate point to me. In the olden days, there were huge sacrifices and changes if you wanted to switch between Windows, MacOS, and Linux. Now, ALL of these operating systems have matured – and all of them are completely capable. So, while you are considering if you are OK with this new world of privacy – I thought a brief discussion of Linux could be in the mix!

15 comments on “What’s the REAL deal with Windows 10 and privacy?”
  1. bbb says:

    Hi there,

    Do you mind setting up Wireshark on another computer which actually only relays the traffic to your router, and maybe taking into consideration not only names but IPs that are directly contacted?
    Just an idea to rule some stuff out

    Regards


    • Robert Seder says:

      Let me clarify. I could go into much more detail, but for the point of the post, I wanted to just give the summary – since that’s what most people would want.

      As far as more detail:

      These are VM’s setup in Hyper-V. The host machine is plugged into a switch, which then goes to the internet. So, I can only capture traffic to/from the local machine because the switch isolates my connection. In fact, if I were to try to capture this network traffic from a different machine I’d either need to poison the ARP cache or plug both machines into a hub (do I still have a hub laying around here, somewhere?!). My point being that capturing on THE machine on which I want to capture packets, is a valid way to do it.

      Next, I started from the capture results in Wireshark and systematically did right-click “Apply as filter->…and not selected” to exclude known traffic, one by one. For example: DNS requests and responses, SMB/NBT communication with the domain, etc. Eventually, I was left with pretty much just the Microsoft traffic (and/or unknown traffic). Not all of it is obvious, and because I can’t peek into the TLS transaction, I can only infer so much. Here’s how I approached it…

      For example, an HTTP connection is established with 207.46.101.29, which doesn’t resolve in DNS. But if I do a tracert, I see it ends up in *.ntwk.msn.net network. In this case it does an HTTP POST of 1,176 bytes to /UploadData.aspx, and it sets the host-header to “ssw.live.com”. The data is mostly unreadable except for some GUID’s (UUID’s) and the words “(null)” a few times.

      Another example, an HTTPS connection is established with 64.4.54.254 and a Microsoft CA cert is returned. In that connection, 91KB of data is sent. Similarly, that IP address doesn’t resolve to a name, but if I run a tracert, that too ends up in the *.ntwk.msn.net, then *.network.microsoft.com network. I don’t know what’s being sent, but it’s not 35MB of webcam data for example.

      Lastly, to speak directly to the keylogger issue: every reference I could find says that the keyboard cache is stored in: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\*.etl – in fact, I did a “dir C:\ProgramData\*.etl /s /b” and found many files under USOShared – but looking at those files, they aren’t big enough, and with being semi-readable, none appear to have anything interesting in them.

      So the bottom line for me, I couldn’t confirm some pieces of this – but just finding those Privacy Statements cleared up a lot for me. Microsoft TELLS you it’s absolutely going to take every search you make, correlate it with you personally, and store it. So those things are confirmed. The keylogger part, I was already dubious. That would mean that Microsoft would capture people’s usernames/passwords, and worse, when you connect into work and type intellectual property for your employer, Microsoft would be gathering those keystrokes – which would be akin to breaking into your company, indirectly. That would be a legal nightmare. I can’t imagine a scenario where the value of those keystrokes would be worth the class-action lawsuit! Plus, I couldn’t find any sign of the cached files, nor the network traffic to prove it.

      Anyhow – I hope I helped answer some of your questions, thanks!

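As an added example of the triage the reply above describes (my code, not the commenter’s), here is a small Python pass over conversation summaries of the kind Wireshark’s Statistics > Conversations view exports: it drops the protocols you already understand (DNS and NetBIOS/SMB as named in the reply, plus LLMNR and SSDP, which I am assuming were in the “known” pile), totals what is left per remote address, and checks whether any single conversation reaches the 35MB that the webcam claim implies. The flow records are constructed for this example; two of them reuse the endpoints and sizes quoted in the comment.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (protocol, destination port) pairs for the local chatter excluded first:
# DNS, NetBIOS/SMB with the domain, plus LLMNR and SSDP discovery noise (assumed).
KNOWN_LOCAL_SERVICES = {
    ("udp", 53), ("tcp", 53),      # DNS
    ("udp", 137), ("udp", 138),    # NetBIOS name / datagram service
    ("tcp", 139), ("tcp", 445),    # SMB over NetBIOS / direct SMB
    ("udp", 5355),                 # LLMNR
    ("udp", 1900),                 # SSDP (Network Discovery)
}

# CONSTRUCTED conversation records, one per flow. "http_host" holds the Host
# header when the conversation was clear-text HTTP, otherwise None.
SAMPLE_FLOWS: List[Dict] = [
    {"proto": "udp", "dst": "192.168.1.1",     "dport": 53,   "bytes": 2_300,  "http_host": None},
    {"proto": "tcp", "dst": "192.168.1.5",     "dport": 445,  "bytes": 48_000, "http_host": None},
    {"proto": "udp", "dst": "239.255.255.250", "dport": 1900, "bytes": 6_100,  "http_host": None},
    # Endpoints and sizes as quoted in the comment above:
    {"proto": "tcp", "dst": "207.46.101.29",   "dport": 80,   "bytes": 1_176,  "http_host": "ssw.live.com"},
    {"proto": "tcp", "dst": "64.4.54.254",     "dport": 443,  "bytes": 91_000, "http_host": None},
]


def strip_known_traffic(flows: Iterable[Dict], known=KNOWN_LOCAL_SERVICES) -> List[Dict]:
    """Script equivalent of repeatedly applying 'and not selected' in Wireshark."""
    return [f for f in flows if (f["proto"], f["dport"]) not in known]


def bytes_per_remote(flows: Iterable[Dict]) -> List[Tuple[str, int]]:
    """Total bytes per remaining remote endpoint, largest first."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f["dst"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def conversations_at_least(flows: Iterable[Dict], threshold_bytes: int) -> List[Dict]:
    """Conversations large enough to match a volume claim such as '35MB goes to
    Microsoft when the webcam is enabled'. An empty list means nothing in the
    capture was big enough to be that transfer."""
    return [f for f in flows if f["bytes"] >= threshold_bytes]


def triage(flows: Iterable[Dict], claim_bytes: int = 35 * 1024 * 1024) -> Dict:
    remaining = strip_known_traffic(flows)
    return {
        "remaining": remaining,
        "per_remote": bytes_per_remote(remaining),
        "total_bytes": sum(f["bytes"] for f in remaining),
        "matches_claim": conversations_at_least(remaining, claim_bytes),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for dst, n in result["per_remote"]:
        print(f"{dst:>16}  {n:>8} bytes")
    print("unexplained total:", result["total_bytes"], "bytes;",
          "conversations >= 35MB:", len(result["matches_claim"]))
```

The point of keeping the “known” set explicit is that it becomes the audit trail for the analysis: anyone repeating the test can see exactly which protocols were waved through before the residual Microsoft traffic was examined, and the threshold check turns a vague “not much traffic” into a number that can be compared against a specific claim.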

  2. […] why, even when you actively avoid using those services that you're still using them, obliviously more analysis needs to be done as every article that I've read seems to indicate that short of unplugging the […]


  3. Olli says:

    If you disable Telemetry, what does Wireshark see?

    To disable telemetry open Command Prompt as administrator by clicking right mouse button on Start button or by pressing Win+X shortcut, and enter the following:

    sc delete DiagTrack
    sc delete dmwappushservice
    echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f


    • Robert Seder says:

      Olli,

      Thanks very much for this! Can you cite anything for this, or where could one go for more information? And sorry, I don’t have this test rig setup anymore. Thanks again!

      -Rob


  4. sasds says:

    I’m a gamer, so Linux is out of the question for most of games I play. Oh well…


  5. IGcall says:

    Hi. I am pretty sure I agree, but do you mind explaining your 3rd paragraph for me?


  6. 697695 says:

    The bottom line is that Microsoft could use Windows Update to enable any form of telemetry and change the servers at any time, making this a perpetual cat and mouse game. After all of those stealth upgrades to Windows 10 that have been forced on users, and the constant attempts to obfuscate the purpose of updates, people are just stupid to trust them.


    • Robert Seder says:

      Yeah, totally true. The only “safeguard” there is, is that Microsoft is a big company and probably doesn’t want to do anything too shady, because the whole world will turn on them. But then again, if they are in cahoots with the gov’t, who can protect them, then all bets are off, right?! It’s not a great situation, no matter how you slice it.


  7. Bill P says:

    I have disabled as much of the tracking and Cortana as possible. I have looked with Wireshark and Fiddler4 and find more traffic to/from Google than I can find of Microsoft.

    I have tried to move to Linux using; LinuxMint, Suse Linux, Ubuntu and I have found it impossible. Reasons being, the hobby development mentality of applications/programs for all distros, the lack of compatibility between distros and the lack of substitute and compatible software to replace what I use on Windows.

    Apple is a better match for switching to, but they are so expensive and proprietary. I could build 4-5 of the system I have, for the price of one Apple system. And being such a closed, proprietary system there is little room for upgrading and expanding as with Windows systems.


    • Robert Seder says:

      Hey Bill, agreed! However, what I’ve found is that if you want to go the Linux route, there is exactly one answer, and it’s Ubuntu. If a vendor makes ANY effort to make something work on Linux, they choose Ubuntu – so it has the widest support. Even things like fingerprint readers are (relatively) easy to install and set up. I don’t know if you saw, but I ran (still continue to run) Windows, macOS, and Linux – and in present day, Ubuntu is “almost” as good as Windows or macOS. The showstoppers for me were really just MS Office, and a decent e-mail client. If they ever released MS Office (specifically OneNote and Outlook) on Ubuntu, I could pretty much convert no problem. With that said, and as I concluded in that post, there is no “perfect” OS, there is just “which is good for most of the things I care about”! haha 🙂 See: https://blog.robseder.com/2016/08/20/the-dilution-of-the-operating-system/


      • Vasile says:

        The way I see it is that Canonical kind of joined hands with Microsoft. Also don’t forget that Canonical used to (don’t know if it still works the same way) send your keystrokes to online services (Amazon was it?) when you open the “start” menu. Not to mention the online suggestions….
        So yeah…you could say that Canonical is not doing so well on the privacy part. Or that’s how it used to be a few years ago when they added that ugly interface.
        I use LinuxMint from time to time (built on/derived from Ubuntu).
        The big problem with Linux OS is the lack of drivers. The next problem is the lack of stability. There are too many applications that crash on Linux. Also too many times I crash the Linux OS (at least I couldn’t fix it with my limited knowledge) by trying to install some software. Also too many problems with library incompatibilities.
        So yeah…Linux has way too many problems.
        You can use it for internet browsing, mail, and with a bit of luck also watching movies. Now Steam is trying to fill it with games too.
        I also feel like Bill P: “Reasons being, the hobby development mentality of applications/programs for all distros, the lack of compatibility between distros and the lack of substitute and compatible software to replace what I use on Windows.”
        There is lots of software that pretends to do nice things, but most of it crashes too many times.
        Right now the only use I have for Linux is to delete Windows folders before I reinstall Windows…every few months.

        Well, probably Windows 10 will start to look more and more like Linux since it keeps upgrading its kernel and stuff, resulting in software and drivers crashing or being disabled completely.


      • Robert Seder says:

        Yeah, I think I agree with all of that! I wish there was an OS that had good features, was stable, and also cared about privacy and security. Until then, there is no “great” choice!


  8. Steve C says:

    “When monitoring JUST the known server list, there was very little traffic – like 80-400 packets per hour with a total of less than 1MB of traffic.”

    Sounds small in today’s terms of terabytes, but let’s remember that 1MB is equivalent to a four drawer file cabinet filled with 8.5″x11″ letter sized paper with single spaced type!

    I was hosed by Microsoft’s upgrade (really forced on us) to Win10, that I tried to reverse from Win 7 (code maliciously read-writes to HD, causes failure). Google just how many people should have a class action suit against MS. This is why I was looking into HOSTS files and blocking MS through a firewall, just to find out the Win 7 (reinstalled) firewall is basic and can use IP addresses only? Developed that way on purpose so the cat n mouse can continue. MS had its best financial month ever Dec 2016, forcing the Win10 upgrade.

    I came close to hanging up MS forever… One last chance with win 7 (locking it down). Thanks for having this discussion.

