SCIENTIFIC-LINUX-USERS Archives

March 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Karel Lang AFD <[log in to unmask]>
Reply To: Karel Lang AFD <[log in to unmask]>
Date: Sat, 5 Mar 2016 05:16:37 +0100
Hi guys,

Firstly, sorry Todd, I don't know how it happened that I got attached to your
thread.

Secondly, thank you all for your thoughtful posts.

I know it is not easy to block the selected traffic from Windows 10 and
you are right, it is being backported to Windows 7 as well. Horrible and
disgusting.

I already have a Windows server in the LAN dedicated as an update server (work
of my Windows colleagues), so the PCs don't have to access Windows update
servers outside the LAN - this should simplify things.

Also the PCs must have internet access to email, http, https, ftp, sftp
- simply the 'usual' stuff.
I think, yet, there should be a way. I'll try to consult MikroTik
experts (the router brand we use) and guys from our ISP.
If I have something, I'll let you know :-)

thank you, bb

Karel

On 03/05/2016 12:40 AM, Steven Haigh wrote:
> On 05/03/16 07:24, Karel Lang AFD wrote:
>> Hi all,
>>
>> guys, I think everyone has heard already about how badly Windows 10 treats
>> its users' privacy.
>
> My solution to this was to finally rid Windows 7 off my desktop PC - as
> most of the telemetry has also been 'back ported' to Windows 7 also. You
> can't stop it.
>
>> I'm now thinking about a way how to stop Windows 10 sending these data
>> mining results to Microsoft telemetry servers and filter it on our SL
>> 6 linux gateway.
>
> Nope. There are no specific servers in use - just general - so whatever
> you block will end up killing other services.
>
>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>> similarly filter torrent streams on our gateway - I patched the standard SL
>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>> extremely well.
>
> I would be interested to see if you could identify telemetry packets in
> the flow - but I'm not predicting much success. If you do get it, make
> sure you let the world know though!
>
>> I read (not sure if true) that some DNS resolutions to M$ servers are
>> even 'hardwired' via some .dll library, so it makes it even harder.
>
> Correct.
>
>> I'm no Windows expert, but I'm a unix administrator concerned about the
>> privacy of Windows desktop/laptop users sitting inside my LAN.
>>
>> What i'd like to come up is some more general iptables rules, than
>> blocking specific IP addresses or names, because, apparently they may
>> change in any incoming windows update ...
>>
>> Has anyone given this thought already? Anyone else concerned the way I am?
>
> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
> a few things that I like - so Fedora is a happy medium for me - as I
> still have the fedora-updates-testing repo enabled. My work laptop as
> well as my personal laptop - and now my home desktop all run Fedora 23
> (KDE Spin if you hate Gnome 3 - like me).
>
