Sylence Posted February 13, 2016

Windows 10 Sends Huge Amount Of Data To Microsoft IP Addresses

With the release of the Windows 10 operating system, Microsoft has changed its policy and decided to offer a free update to all Windows 7, 8 and 8.1 users. There are various reasons for that, but one thing is sure - the company wants to have more control over user's data.

According to Voat user CheesusCrust, who has done some extensive testing on Windows 10, the operating system sends a huge amount of data to Microsoft IP addresses. During an 8-hour period, his PC tried to send data to over 51 different IP addresses owned by Microsoft, a staggering 5,500 times, and after 30 hours, it reached a huge 113 non-private IP addresses.

Another problem is the non-private IP addresses, which can be intercepted by hackers, making the OS very vulnerable. Even if you disable all the tracking features, and use some third-party tools such as DisableWinTracking, the PC will still send data to Microsoft. In that case, his PC pushed data to Microsoft 2,758 times, across 30 different IP addresses.

Spoiler

BobBelcher 34 points (+35|-1) 9 days ago (edited 1 day ago)
So, just to quickly summarize, that's 3967 connection attempts to 51 different Microsoft IPs. Obviously port 80 is standard web traffic for http, port 443 being for https. According to this, that first one with the most attempts on port 3544 is likely to be their Consumer Experience Program. So, telemetry data. OP, can you confirm if you opted out of that program during the install? If you did, and it's still trying to connect that many times.....
That IP also apparently traces back to the UK.
EDIT - Archive link since OP nuked his posts: https://archive.is/QFL8e

[deleted] 9 days ago (edited 9 days ago)
[deleted by user]

alexei954 6 points (+6|-0) 4 days ago
> That IP also apparently traces back to the UK.
This is significant.
By routing traffic to an overseas connection, traffic is automatically susceptible to warrant-less data collection. Additionally, once it is in Britain, it becomes susceptible to collection by the GCHQ (the British version of the NSA) and whatever rules the British may or may not follow for data collection. Once they have it, it can be shared back with the US, providing another legalistic end-run to deal with.

[deleted] 10 days ago
[deleted by author at 2/12/2016 1:11:37 AM]

crustyjuggler 40 points (+42|-2) 10 days ago
I think the best thing to do after a few more days of collection is to gather the same information again after running spybot anti-beacon. I'm EXTREMELY curious to see what you find. You're right, no one seems to be talking about this. Everything I have found on the net is either "oh, this is what they are spying on" and "here are a few tools like spybot anti-beacon". Zero fucking reviews on whether they work or not, and it's bothering me. I've been meaning to run a Windows 10 VM and inspect the traffic coming from the virtual adapter, but I haven't had the time. Thanks in advance.
BTW. Lol, we have similar usernames. Stay crusty!

[deleted] 10 days ago
[deleted by user]

crustyjuggler 15 points (+16|-1) 10 days ago (edited 9 days ago)
Anti-beacon basically modifies the registry, local group policy, and disables a ton of the telemetry. I think it adds a bunch to the hosts file also. Though, I have heard that low level components of Windows 10 can get around the hosts file instead of blocking traffic. Barnacules Nerdgasm did a semi-review on it. https://www.youtube.com/watch?v=u1kGMCfb2xw (YouTube)
Thanks for doing this!

simagule 4 points (+5|-1) 9 days ago
Can you also do an install where you don't uncheck all the tracking options for a comparison?

ginx2666 -1 points (+1|-2) 8 days ago
> Zero fucking reviews on whether they work or not, and it's bothering me.
Whether they do or not, the best way to completely cut off M$ is to block those addresses in an external, hardware firewall. There. Nothing M$ can do about that.

crustyjuggler 0 points (+1|-1) 8 days ago
I have been recently tempted to build a pfsense router. Maybe now's the time to really consider it since I run win10 on my gaming rig and laptop.

Troll 30 points (+31|-1) 10 days ago
Thank you for posting this. These tables basically spell out FUCK YOU WE'RE MICROSOFT WE CAN DO WHATEVER WE WANT YOU FAGGOTS.

european 4 points (+7|-3) 9 days ago
Well yes. They did write it. EULA probably does not promise to not totally and utterly destroy your privacy.

arrggg 21 points (+22|-1) 9 days ago
Excellent writeup and documentation. I did the same test on Windows 10 Enterprise and was unable to stop the connections out, even after disabling most of the services.
While you are at it, here are a few more things to try that will produce interesting\creepy results:
- Block all the dns requests from local hosts file, and see how many retry with hard coded ips.
- Block all the IP's collected from the first 2 tests with null routes or on the router, and see how many alternates it tries.
- Disable the services that enable telemetry, ceip, onedrive, windows store, windows defender, windows update, and then document the new connections out.
Can't wait to see your results. Documenting this unbelievable spyware is the first step to doing something about it.

[deleted] 9 days ago
[deleted by user]

chubbysumo 0 points (+0|-0) 2 days ago
> Block all the dns requests from local hosts file, and see how many retry with hard coded ips
It has already been proven that you cannot block or disable MS IPs through the host file, the windows firewall, or the group policy editor. It's hard coded into windows 10 to allow those IPs 100% of the time. You need to add IPtable rules to block/drop them.

[deleted] 10 days ago
[deleted by user]

FuttsMcButts 6 points (+7|-1) 9 days ago
Thanks for taking the time to do this for people that don't know how or don't have the time for!

[deleted] 10 days ago (edited 10 days ago)
[deleted by author at 2/12/2016 1:11:41 AM]

[deleted] 10 days ago
[deleted by user]

LibNE 0 points (+0|-0) 2 days ago
This would mean a lot to the world of security observationists.

SuperConductiveRabbi 10 points (+11|-1) 9 days ago
Are these limited to outbound connection attempts? Can you repeat this analysis for Windows 7 and then for a flavor of Linux? What type of traffic is being transmitted to the top hosts? Is it encrypted? Do you have experience installing your own root CA on the target machine and creating a MITM SSL proxy to decrypt any SSL-protected information from the top hosts?

onegin 8 points (+9|-1) 10 days ago
Great to see some real data on this. So since you dropped all connections at the router, that means all these ips are hard coded into the OS? It'd be interesting to see what happens if you don't drop the connections. You never know when they might pull down more ips with one of their requests. It would also help filter out any "first boot" connections and give an idea of the ongoing telemetry activity.

european 2 points (+4|-2) 9 days ago (edited 9 days ago)
Can you explain this?
> So since you dropped all connections at the router, that means all these ips are hard coded into the OS?

Aradiel 3 points (+4|-1) 9 days ago (edited 9 days ago)
I think he means that since the traffic isn't going outside of the router, it can't be hitting a DNS server, so it has the IPs specified rather than the more human-readable names.

RedSocks157 8 points (+9|-1) 9 days ago
Holy shit. What could possibly be the purpose of all those connection attempts? This is ridiculous! Could I configure my router to block connections in such a way that Win10 can't do this? I have it on my HTPC only, but I still don't want it sharing data with M$...there has to be a way.

tomlinas 0 points (+0|-0) 9 days ago
> What could possibly be the purpose of all those connection attempts?
Well, all of the ones with "deploy.static.akamaitechnologies.com" in them are attempts to download windows updates, which Windows does from a huge block of IPs concurrently. I presume this is to spread load on MS' side but I'm not really sure -- I do know setting up squid to cache these is getting incrementally harder :/
The *.search.msn.com ones are very interesting to me. I have been able to get my box to generate queries to Bing with all of the privacy options turned off by searching in the start menu, but not the MSN ones. OP - do you have the MSN live tile installed? I haven't done a vanilla Enterprise install, so not sure if that's on the Enterprise image...I wouldn't think so but you never know.
I am mostly interested in what the static IPs that don't backwards resolve end up being...

jagerhayles 7 points (+8|-1) 10 days ago
Can I get a layman's summary? This is a lot of information to process and I can't really get the full picture with my limited tech knowledge, but I value knowing what my property is doing.

[deleted] 10 days ago (edited 10 days ago)
[deleted by user]

NedTaggart 14 points (+15|-1) 10 days ago
To be clear, this is only win10 with no other apps installed and just left to idle, correct?

european 5 points (+7|-2) 9 days ago
Are any addresses, ports or protocols particularly worrying? Are there likely innocent explanations for any of the connections? Do you worry 'someone' or 'something' can identify you based on this post and prevent the install carrying out other nefarious actions such as uploading once you actually use the computer?

jagerhayles 4 points (+6|-2) 10 days ago
That's a little bit too basic of a summary.

Ywis 1 points (+1|-0) 9 days ago
Setting all the Windows 10 privacy options so you are most secure doesn't work. They're getting lots of data from you and you can't stop it if you use Windows.

UsernameShoesername 0 points (+0|-0) 2 days ago
Unfortunately, it's not your property. You have a limited usage license which you agree to by installing and using the software. This is Microsoft's whole attitude: it's their property, and they can do with it as they like. They even sell this as them improving their product by seeing how it works on peoples' computers (which they don't own.)
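
Added example, not part of the thread or of CheesusCrust's test: one way to run the check arrggg and Aradiel describe, tallying dropped outbound attempts per non-private destination and port and flagging destinations contacted without a preceding DNS answer. It assumes a router syslog that holds dnsmasq query logging and an iptables LOG rule with the prefix DROP; the log lines, addresses and names below are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed router syslog in time order (documentation-range IPs, placeholder names).
LOG = """\
10:00:01 dnsmasq[412]: reply telemetry.example.net is 203.0.113.10
10:00:02 kernel: DROP SRC=192.168.1.50 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=49712 DPT=443
10:00:03 kernel: DROP SRC=192.168.1.50 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=49713 DPT=443
10:00:04 kernel: DROP SRC=192.168.1.50 DST=198.51.100.7 LEN=89 PROTO=UDP SPT=50000 DPT=3544
10:00:05 kernel: DROP SRC=192.168.1.50 DST=198.51.100.7 LEN=89 PROTO=UDP SPT=50000 DPT=3544
10:00:06 kernel: DROP SRC=192.168.1.50 DST=198.51.100.7 LEN=89 PROTO=UDP SPT=50000 DPT=3544
10:00:07 kernel: DROP SRC=192.168.1.50 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=137 DPT=137
10:00:08 kernel: DROP SRC=192.168.1.77 DST=203.0.113.99 LEN=52 PROTO=TCP SPT=40000 DPT=443
10:00:09 kernel: DROP SRC=192.168.1.50 DST=203.0.113.20 LEN=52 PROTO=TCP SPT=49714 DPT=80
10:00:10 dnsmasq[412]: reply updates.example.net is 203.0.113.20
10:00:11 kernel: DROP SRC=192.168.1.50 DST=203.0.113.20 LEN=52 PROTO=TCP SPT=49715 DPT=80
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_RE = re.compile(r"reply (\S+) is (\d+(?:\.\d+){3})")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def summarize(log, host):
    """Count drops from `host` per (dst, proto, port, name); name is None if no DNS answer came first."""
    resolved, attempts = {}, Counter()
    for line in log.splitlines():
        dns = DNS_RE.search(line)
        if dns:
            resolved[dns.group(2)] = dns.group(1)   # remember which name produced this IP
            continue
        fw = FW_RE.search(line)
        if fw and fw.group(1) == host and not is_rfc1918(fw.group(2)):
            dst, proto, port = fw.group(2), fw.group(3), int(fw.group(4))
            attempts[(dst, proto, port, resolved.get(dst))] += 1
    return attempts

def no_dns_destinations(attempts):
    """Destinations contacted at least once without a preceding DNS answer."""
    return sorted({dst for (dst, _, _, name) in attempts if name is None})

if __name__ == "__main__":
    counts = summarize(LOG, "192.168.1.50")
    for (dst, proto, port, name), n in counts.most_common():
        print(f"{n:>3}  {dst}:{port}/{proto}  {name or 'no prior DNS answer'}")
```

A destination with no prior DNS answer is only a candidate for a hard-coded address; it may also have been resolved before logging started or through a different resolver.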

Sylence Posted February 13, 2016 (Author)
I like to see the results after using DWS.exe (Destroy Windows Spying tool)

steven36 Posted February 13, 2016
> 15 minutes ago, saeed_dc said:
> I like to see the results after using DWS.exe (Destroy Windows Spying tool)
Old news already posted
CheesusCrust deleted all his posts, or either Voat did, seems his account no longer exists. He's not going to do any more tests it seems unless he does them elsewhere.

Sylence Posted February 13, 2016 (Author)
> 2 minutes ago, steven36 said:
> Old news already posted
> CheesusCrust deleted all his post or either Voat did seems his account no longer exists. He's not be going no more test it seems unless he does them elsewhere.
Couldn't find it in search so new in here. He could've posted his findings in a lot of better places but seems like he isn't motivated enough for this job.

vibranium Posted February 13, 2016
The plot thickens. Maybe he decided that it was best to disappear?

steven36 Posted February 13, 2016
> 1 minute ago, saeed_dc said:
> Couldn't find it in search so new in here. He could've posted his findings in a lot of better places but seems like he isn't motivated enough for this job.

Sylence Posted February 13, 2016 (Author)
> 3 minutes ago, steven36 said:
oh cool, my source was here though

steven36 Posted February 13, 2016
> Just now, saeed_dc said:
> oh cool, my source was here though
My source was the real source site, not the bloggers trying to make news out of someone trying to help someone. It's a wonder nsane has not made the news yet for trying to help people block windows 10 telemetry. If we posted our ip sniffer results they most likely would.

Sylence Posted February 13, 2016 (Author)
> 3 minutes ago, steven36 said:
> My source was the real source site, not the bloggers trying to make news out of someone trying to help someone. It's a wonder nsane has not made the news yet for trying to help people block windows 10 telemetry. If we posted our ip sniffer results they most likely would.
Which IP sniffer do you use?

steven36 Posted February 13, 2016
> 5 minutes ago, saeed_dc said:
> Which IP sniffer do you use?
In Windows, Windows 10 FWC has a built in sniffer, https and http. Also I use Wireshark in Windows and Linux and I have messed around with others.

Sylence Posted February 13, 2016 (Author)
> 7 minutes ago, steven36 said:
> In Windows, Windows 10 FWC has a built in sniffer, https and http. Also I use Wireshark in Windows and Linux and I have messed around others.
Microsoft Network Capture and parser is a good alternative to Wireshark, it adds the functionality to only focus on a specific .exe file.

steven36 Posted February 13, 2016
> Just now, saeed_dc said:
> Microsoft Network Capture and parser is a good alternative to Wireshark, it adds the functionality to only focus on a specific .exe file.
Windows 10 fwc does the same thing and lets you block the exe or the ips, either one.

Sylence Posted February 13, 2016 (Author)
> Just now, steven36 said:
> Windows 10 fwc does the same thing and lets you block the exe or the ips, either one.
but not many people can use it as it causes interference with the main anti-virus/internet security software (Kaspersky, Bitdefender etc.)

Reefa Posted February 13, 2016
Topic Locked
Nothing New Here.. It's all been Posted Before....
> 29 minutes ago, steven36 said:

Archived
This topic is now archived and is closed to further replies.