On 2/20/2016 2:20 PM, firstname.lastname@example.org wrote:
Enable logging in the firewall. It will log either (or both or neither)
successful connections *or* unsuccessful (dropped) connections.
Of course, a rootkit (i.e. MS!) could choose to hide data that it
doesn't want you to see! For this machine, I monitor the log
of the firewall in my router to see what's going on (outside
| What utility did he use to determine there were 5000 "callouts" in 8
| What (not spamware laded) utility can I run to see what is happening
| on mine???
I was going to refer you to the article, but when
I went to look I saw it had been deleted! Sorry about
that. I didn't know I was sending you to a stripped
link. When I looked up the user link it claimed that
user had never made any submissions. I then went
to archive.org for a copy. They had one, but said
the machine that serves it is down:
Weird. I always save such things, because URLs are
often altered or moved. But I also found an archive
linked from the comments on that page. It explains
how the whole thing was done:
He has some sort of customized router and installed
Win10 on VirtualBox, on Linux Mint, so that he could
track all activity. The problem with tracking it from
Win10 itself is that Windows can no longer be trusted.
Some IP addresses are now hard-coded, so that a
DNS lookup is not even needed. (That actually started
many years ago with Windows Media Player.)
To the extent that it might be possible to catch
some of the traffic, you could try TCPView from
sysinternals. You might also try a firewall. But that's
tricky. The firewall would depend on Windows networking
functionality, and most are not detailed enough to
tell you what's going out, much less what the data is.
I think there are other utilities to record the actual
data going in and out, but I've never tried anything
| Until I can see exactly what the guy supposedly used to log the
| activity, I put very little stock in what he said.
It's at the link. Did you read it? In any case,
it's up to you what you want to think about
Win10. But if you think it's not spyware you're
fooling yourself. Microsoft even says in their
terms that some data sent back to them is not
On 2/20/2016 7:23 PM, email@example.com wrote:
Put a cheap router between you and your network connection.
Mine will log all incoming/outgoing accepted/rejected
connections, SYN flood attempts, PoD attempts, etc.
Attempts are logged in the form:
<protocol> <sourceIP>.<port> -> <destinationIP>.<port> on <interface>
and tagged "Connection accepted" or "Connection refused"
For outbound connections, <sourceIP> is one of the IPs served by
the router while <destinationIP> is something foreign. The roles
reverse for incoming connections.
Unless you are good at remembering the common ports/protocols,
you'll tend to need a log interpreter to explain what each
attempt is likely trying to do.
E.g., my ISP runs some network discovery tools that periodically
(i.e., once a minute) probe specific ports on my connection (these
are blocked by my router so the PC never sees them).
On 2/21/2016 2:31 PM, firstname.lastname@example.org wrote:
There are 1600 attempted connections to port 3544 which is
allegedly used in the "customer experience program" (spyware
that you possibly can opt out of -- one has to wonder why
MS would choose to enable this, by default?)
There are ~1200 attempted connections to port 443 (HTTPS)
and ~400 to port 80 (HTTP).
Another 600 attempts to port 53 (DNS) and another 600 to
137 (NetBIOS). These can be simple network discovery probes.
Or, "calls out" prior to initiating further connection attempts
to other "named hosts".
The fact that so many were (apparently) hard-coded (port 53 is
blocked so where could those IP addr's have come from if not
encoded in the binary?) is interesting/suspicious. Of course,
there may be some uncertainty as to when the ports were blocked;
any name resolution that occurred early in the installation
may have been cached before the firewall was erected
(MS may *require* a live connection for the install to work?)
[This is why having DETAILED logs of the installation process
are important: when did you do *each* action. So, you can later
audit YOUR actions to see where discrepancies may have crept in.]
By my count, we're at 4000 connection attempts (all blocked) on
a machine that has "not used the Windows 10 installation at all"
(the author was asleep during the test). After having "disabled
three pages of tracking options"
The IP addresses involved resolve to msn.com and akamaitechnologies.com
(akamaitechnologies is one of those mechanisms that allows you to
be tracked across HTTP domains)
The use of these well known ports (80/53/443/137) may be innocent.
Or, it may be a surreptitious attempt to probe *through* external
firewalls (cuz those ports tend to be NEEDED to be open for their
NORMAL, intended traffic so one can exploit them to route specific
data to external hosts tunneling through them!)
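The router log format described earlier in the thread (`<protocol> <sourceIP>.<port> -> <destinationIP>.<port> on <interface>` tagged "Connection accepted" or "Connection refused") and the per-port tally above are easy to automate. The following is an added example, not code from anyone in this thread: a small log interpreter that parses lines in that format, classifies each as outbound, inbound or LAN-local by comparing the source and destination against an assumed LAN prefix, counts attempts per destination port with a short well-known-port table, and applies the thread's own check: if no DNS query through this router was ever accepted, any outbound peers on other ports must have been addressed without a DNS lookup through it. The sample log lines, the LAN prefix and the port-name table are constructed here for illustration (documentation-range addresses, not real captures).

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the thread's log format (not real captures).
SAMPLE_LOG = """\
TCP 192.168.1.20.49152 -> 198.51.100.10.443 on ppp0 Connection refused
TCP 192.168.1.20.49153 -> 198.51.100.10.443 on ppp0 Connection refused
TCP 192.168.1.20.49154 -> 198.51.100.22.80 on ppp0 Connection refused
UDP 192.168.1.20.55001 -> 198.51.100.1.53 on ppp0 Connection refused
UDP 192.168.1.20.3544 -> 203.0.113.40.3544 on ppp0 Connection refused
UDP 192.168.1.20.137 -> 192.168.1.255.137 on eth0 Connection accepted
TCP 203.0.113.9.40000 -> 192.168.1.20.445 on ppp0 Connection refused
this line is deliberately malformed and should be counted as unparsed
"""

# <protocol> <srcIP>.<port> -> <dstIP>.<port> on <iface> Connection accepted|refused
LOG_RE = re.compile(
    r"^(?P<proto>\w+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d{1,5})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d{1,5})\s+"
    r"on\s+(?P<iface>\S+)\s+Connection\s+(?P<verdict>accepted|refused)\s*$"
)

# Minimal well-known-port table (assumed; extend to taste).
PORT_NAMES = {
    53: "DNS",
    80: "HTTP",
    137: "NetBIOS name service",
    443: "HTTPS",
    445: "SMB",
    3544: "Teredo (IANA registration; the thread ties it to the CEIP)",
}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec, net):
    """outbound: LAN -> foreign; inbound: foreign -> LAN; local: both sides on the LAN."""
    src_in = ip_address(rec["src"]) in net
    dst_in = ip_address(rec["dst"]) in net
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "local"


def summarize(lines, lan="192.168.1.0/24"):
    """Tally attempts per direction and destination port, plus verdicts and DNS use."""
    net = ip_network(lan)
    s = {
        "outbound": Counter(), "inbound": Counter(), "local": Counter(),
        "verdicts": Counter(), "unparsed": 0,
        "dns_accepted": 0,                 # outbound port-53 attempts the router let through
        "outbound_peers": defaultdict(set),  # dport -> set of foreign destination IPs
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                s["unparsed"] += 1
            continue
        direction = classify(rec, net)
        s[direction][rec["dport"]] += 1
        s["verdicts"][rec["verdict"]] += 1
        if direction == "outbound":
            s["outbound_peers"][rec["dport"]].add(rec["dst"])
            if rec["dport"] == 53 and rec["verdict"] == "accepted":
                s["dns_accepted"] += 1
    return s


def peers_reached_without_dns(summary):
    """Foreign IPs contacted on non-DNS ports while no DNS query was ever accepted.
    If this set is non-empty, those addresses were not resolved via this router
    (cached earlier, or carried in the software itself), which is the thread's point."""
    if summary["dns_accepted"] > 0:
        return set()
    peers = set()
    for port, ips in summary["outbound_peers"].items():
        if port != 53:
            peers |= ips
    return peers


def describe(summary):
    """Human-readable lines, one per (direction, port), most frequent first."""
    out = []
    for direction in ("outbound", "inbound", "local"):
        for port, n in summary[direction].most_common():
            out.append(f"{direction:8} port {port:5} ({PORT_NAMES.get(port, 'unknown')}): {n}")
    out.append(f"verdicts: {dict(summary['verdicts'])}, unparsed lines: {summary['unparsed']}")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print("\n".join(describe(summary)))
    print("peers reached with DNS blocked:", sorted(peers_reached_without_dns(summary)))
```

Feed it the router's log with the LAN prefix set to the range the router actually serves; the direction split matters because the same port number means different things in each direction, and the "reached without DNS" set is only meaningful if the log covers the whole period from the machine's first boot, which is exactly the caveat raised above about when the ports were blocked.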
| The use of these well known ports (80/53/443/137) may be innocent.
That's really not a relevant question. The man
testing had chosen all possible privacy options. It's
his computer. Microsoft had no business rigging
the system to call out.
How did we get to a point
where we presume someone breaking into a house
had innocent reasons and has done nothing wrong,
unless we actually catch them running off with a
A box sending a request on port 53 can be doing so as
part of network discovery. Or, are you claiming "call(ing)
out" should also include being able to detect the
immediate environment? Locate network shares on the
local intranet? etc.
You also don't know what the software was *trying* to do at the
time. E.g., Windows machines have long tried to "validate"
their licenses. If I build a new 7even box and DON'T let
it phone home, it will complain that the product has not been
"activated". Should MS require the user to explicitly
perform the activation step? ("Please connect me to an
active internet connection and let me contact my activation
server as part of the terms of the license agreement
that you accepted when you installed this software. I
will not allow you to use this software until you do so")
First loads of IE always want to run off to some startup page
at microsoft. Is this convenience? (so the user sees
SOMETHING when he invokes the browser without explicitly
specifying a URL in the invocation) Or, a surreptitious
attempt by Microsoft to notice yet another instance of
its product coming on-line?
The adage "innocent until proven guilty". No one has
shown the content of these connection attempts. How
do we know it isn't just a "helpful attempt" to provide
information (even advertising services: sign up for
your free hotmail/mslive account, today!) to a CUSTOMER?
It's too easy to get caught up in paranoia/conspiracy
theories. I like seeing conclusive *data* before
forming an opinion.
I build "appliances". You typically can't sit down at a console
(nor telnet into my devices). How do I provide information
to the user regarding the proper operation of the device
when I may only have a tri-color LED with which to convey
that information? He can't examine my network status "on
command". He can't force me to ping some remote host so
he can see if the ICMP packets are being sourced from my
network interface and passing through *his* firewall.
He can't see if I am "seeing" his incoming connection
So, I intentionally perform some specific, observable
actions on startup to provide myself with information
about my environment AND let him observe how I am
integrating with that environment. And, use information
from those actions to decide whether my LED should glow
GREEN, YELLOW, or RED -- or blink some obscure "error
code" (that will send him running for a cheat sheet
that explains its meaning, likely causes and potential
When a BofH starts beating his chest about my device's
"misbehavior" (it's spying on us; it's trying to probe the
firewall; it's trying to access our web server; etc.)
I ask his boss how they would like me to redesign the
device -- and how much they would like to add to its
cost (to provide for those features).
The clincher is reminding the boss that this will be
yet another device that *his* IT department will then
have to maintain (instead of a turnkey appliance).
"Leave it the way it is. Bob, go back to work..."
The author of the article could have designed an
experiment where he captured some of the traffic
(to a masquerading host as well as to the actual
GENUINE hosts -- does the content differ?). Instead,
he just captured the low hanging fruit.
And, of course, there's no guarantee that the nature
of the traffic won't change when he "wakes up" and
actually starts USING the box!
Or, that the box isn't simply "being coy" -- biding
its time until it thinks no one is watching it before
sending out its data ("Hey, I've got this big disk
that I can use to REMEMBER all the stuff I want to send
home... why should I do it *now*??")
The software end user agreement calls for either "call home"
authentication or manual authentication over the phone. It only needs
to be done once - and after that it doesn't attempt to "call home"
unless MAJOR modifications are made to the system.
There are places where non-profits (verified 501(c)3's)
can get licenses for very *little* money (single digits).
But, those places operate at the whim of the folks who
*donate* the licenses (e.g., MS). So, you're stuck with
Stick with Dells and licensing isn't usually a problem.
OTOH, you're always at the mercy of drivers. And, the
manufacturers AND MS have skin in that game -- wanting
to move you along to the latest and greatest at all costs!
Of course! MS is late to the game. Billy Goates thought
software was the product; but, in fact, the *users* are!
I'd seen notes that there were more tweaks required.
And, as everything between the user and the network connection
is controlled by MS, there's nothing to say they can't simply
*ignore* that setting -- now or after you've installed something
I.e., I can install updates "offline" and KNOW that my machines
will never "phone home" -- there's no way they can do that
(no connection to outside networks). As I'm using them as
"computers" and not "entertainment devices" or "media access
points", I lose nothing by operating in this manner.
However, the students will almost assuredly WANT to be
And, *I* would want them to get any "required" updates automatically
without having to deal with seeing *all* of these machines again,
every Patch Tuesday, etc.
FOSS options are simply impractical. Who do they call for
help when something doesn't work? Can they turn to the
student seated at the next desk and ask for assistance?
Or, the teacher/assistant in the classroom?
What happens when they want to download a file-sharing
application? Or, <whatever>?
| And, *I* would want them to get any "required" updates automatically
| without having to deal with seeing *all* of these machines again,
| every Patch Tuesday, etc.
I wonder why you posted your question. You seem
to already have formed opinions and gathered as
much info as you want.
I would add, though, that I don't enable updates on
any machines I handle. I install service packs. Beyond
that very few updates are important and some will
do damage. Unless you use MS Office, there's not
much to update. If you don't use IE, even better.
MS doesn't generally offer functionality updates. Just
bug and security patches. If you don't use MS
software online then you don't need security patches.
You'd get those from Mozilla or whatever other
company makes the software you use online.
If you're going to enable Windows Update then
you're probably leaving your students to be tricked
I've not used Windows 10. I was hoping folks had first-hand
experiences with it and could indicate why a student *would*
want to run it instead of W7, etc. And, at the same time,
identify issues that I (with no experience using it)
*or* a student (with little interest in the details) wouldn't
Exactly. The last batch of machines I built were
XP boxes. As ALL the updates were already released,
I could safely install ALL of them and then remove
the update mechanism (nothing new to be gained with it).
But, moving to a more current OS -- especially one that
WANTS to go poking around in your box -- means you have
little practical choice in the matter.
I can remove the executables so the updates never happen.
But, that means any hardware that is received as a donation
must have driver support for the older OS's.
This is a losing proposition; over time, the machines that
are available as donations will NOT have support for
older OS's thereby forcing newer OS's to be deployed.
I.e., the machines being manufactured today will be available
as donations in 2-3 years. Look at today's offerings and see how
far back OS support goes.
By the same token, machines seen as donations today were
manufactured 2-3 years ago. The "Windows Option" becomes
increasingly difficult to be presented as a *choice*
("use THIS version of Windows, or nothing")
| Exactly. The last batch of machines I built were
| XP boxes. As ALL the updates were already released,
| I could safely install ALL of them and then remove
| the update mechanism (nothing new to be gained with it).
| But, moving to a more current OS -- especially one that
| WANTS to go poking around in your box -- means you have
| little practical choice in the matter.
?? I have two Win7 computers. I don't enable
Windows Update on either one of them. I use
XP for getting things done. My main Win7 box is
I put AV on that one, for good measure, but disable
most services, including Windows update. It's
simply not needed.
| > If you're going to enable Windows Update then
| > you're probably leaving your students to be tricked
| > into Win10.
| I can remove the executables so the updates never happen.
| But, that means any hardware that is received as a donation
| must have driver support for the older OS's.
What's that got to do with enabling Windows Update?
If you get a computer that you want to put Win7 on,
you go online and get drivers for the hardware. If there
are no drivers then so be it. Enabling Windows Update
won't help with that.
And you are relying on Windows to honor your wish NOT to
Do you likewise rely on windows 10 NOT to track your
activities -- simply because you *told* it not to?
Which activities constitute tracking in YOUR mind?
Are you sure MS doesn't have a rationale for those *particular*
activities "to provide better service", "to assist in
troubleshooting problems", "to..."?
"If you're going to enable Windows Update then
you're probably leaving your students to be tricked
"I can remove the executables so the updates never happen."
I.e., so windows can't even *choose* to IGNORE the "disable updates"
setting (cuz you are relying on windows to do what you've
told it to do). As such, there (should be) no way for updates
to be offered -- unless a user visits a MS service (web page, etc.)
that tries to explicitly offer that option.
But, the effect of disallowing Windows 10 (via update or any
other means) forces:
"any hardware that is received as a donation must have driver
support for the older OS's."
As donations get NEWER (simply a consequence of the passing of time),
finding drivers for that NEWER hardware for OLDER OS's becomes
problematic -- they probably NEVER write an XP driver for hardware
on a machine released in 2016!
[You can verify this by trying to purchase a "current" machine
and seeing for which OS's it offers support. Of course, you
*may* be able to get older drivers for SOME of the hardware
(with some effort and some risk of uncertainty). Or, you
may be completely SoL.]
(By extension, which drivers are simply not available for machines
designed in 2013 -- which are now being donated for these uses?)
You're conflating two different issues. Please reread my comments
The XP machines were relatively easy, by comparison, to "control".
As all the updates -- that would ever exist -- were already released
(by MS), it was safe to install them and disable the update service
entirely (there's nothing more to update, why even try??)
[Yeah, maybe root certificates, eventually]
Students who were too-smart-by-half and tried to update using
a copy of a Win7 CD that a friend happened to have were
essentially "on their own". If I received a call about a "broken
computer", I simply repeated the instructions that I provided with
each machine: "reboot, press this, click on that, wait 4 minutes"
and they'd soon "discover" that I'd undone all of their changes
and restored the machine to the state it was in when they
received it (from me).
It doesn't take long for them to realize that there's no support
for the upgrade that they think they want -- at least, not from
the freebie computer guy! :>
[At the same time, there was nothing that prevented them from
trying this! Or any *other* use/OS/etc. *I* just don't want to
be taxed with supporting their adventures!]
I had to turn off several privacy settings that were either intrusive or
collected data taking an extra minute to shut down.
My only disappointment with Win 10 was their taking off several time
wasting games and making you go to their app store to get them for free.
Not super intrusive but you will get a pop up ad at the end of the game
and they tell you you can make it ad free by paying $1.49 a month.
I think Apple and Android are in the upsell business and MS has joined
them. Future software upgrades will be free but won't be free of them
trying to upsell you apps.
Otherwise I'm happy with Win 10 and have not had any serious issues
since starting to use it.