SCIENTIFIC-LINUX-USERS Archives

March 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: snooping windows 10 - how to stop it on a linux gateway?
From:
Karel Lang AFD <[log in to unmask]>
Reply To:
Karel Lang AFD <[log in to unmask]>
Date:
Sat, 5 Mar 2016 11:15:49 +0100
Content-Type:
text/plain
Parts/Attachments:
text/plain (105 lines) 
Hmm ... yes, yes.
Thanks for bringing this up.
I force all http traffic through the squid proxy on our SL 6 gateway, 
this could be also helpful..



On 03/05/2016 11:00 AM, [log in to unmask] wrote:
> The only way I can think of is to force all internet access through a proxy and filter it out in the proxy.
> Then you don't give the machines any internet access just access to the proxy.
> Unfortunately I do not have details for you on how to filter the snoop messages because in I haven't looked at them but it should be fairly easy using squid and an external Perl regex filter script or other filter application, but you will take a latency hit because you will have to inspect every transaction.
>
>    Original Message
> From: jdow
> Sent: Friday, March 4, 2016 23:35
> To: [log in to unmask]
> Subject: Re: snooping windows 10 - how to stop it on a linux gateway?
>
> That windows update server is a relay for the "snoop" messages. About the only
> way to totally stop the snoop messages is to totally isolate the network
> containing Windows machines from the network. Any windows machine can serve as a
> relay point for any others.
>
> {o.o}
>
> On 2016-03-04 20:16, Karel Lang AFD wrote:
>> Hi guys,
>>
>> firstly, sorry Todd, i don't know how it happened i got attached to your thread.
>>
>> secondly, thank you all for your thoughtful posts.
>>
>> I know it is not easy to block the selected traffic from windows 10 and you are
>> right, it is being backported to windows 7 as well. Horrible and disgusting.
>>
>> I already have windows server in LAN dedicated as a update server (work of my
>> windows colleagues), so the PC don't have to access windows update servers
>> outside LAN - this should simplify things.
>>
>> Also the PCs must have internet access to email, http, https, ftp, sftp - simply
>> the 'usual' stuff.
>> I think, yet, there should be a way. I'll try to consult mikrotik experts (the
>> router brand we use) and guys from our ISP.
>> If i have something, i'll let you know :-)
>>
>> thank you, bb
>>
>> Karel
>>
>> On 03/05/2016 12:40 AM, Steven Haigh wrote:
>>> On 05/03/16 07:24, Karel Lang AFD wrote:
>>>> Hi all,
>>>>
>>>> guys, i think everyone heard already about how windows 10 badly treat
>>>> its users privacy.
>>>
>>> My solution to this was to finally rid Windows 7 off my desktop PC - as
>>> most of the telemetry has also been 'back ported' to Windows 7 also. You
>>> can't stop it.
>>>
>>>> I'm now thinking about a way howto stop a windows 10 sending these data
>>>> mining results to a microsoft telemetry servers and filter it on our SL
>>>> 6 linux gateway.
>>>
>>> Nope. There are no specific servers in use - just general - so whatever
>>> you block will end up killing other services.
>>>
>>>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>>>> similarly filter torrent streams on our gateway - i patched standard SL
>>>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>>>> extremely well.
>>>
>>> I would be interested to see if you could identify telemetry packets in
>>> the flow - but I'm not predicting much success. If you do get it, make
>>> sure you let the world know though!
>>>
>>>> I read (not sure if true) that some DNS resolutions to M$ servers are
>>>> even 'hardwired' via some .dll library, so it makes it even harder.
>>>
>>> Correct.
>>>
>>>> I'm no windows expert, but i'm and unix administrator concerned about
>>>> privacy of windows desktop/laptop users sitting inside my LAN.
>>>>
>>>> What i'd like to come up is some more general iptables rules, than
>>>> blocking specific IP addresses or names, because, apparently they may
>>>> change in any incoming windows update ...
>>>>
>>>> Anyone gave this thought already? Anyone else's concerned the way i am?
>>>
>>> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
>>> a few things that I like - so Fedora is a happy medium for me - as I
>>> still have the fedora-updates-testing repo enabled. My work laptop as
>>> well as my personal laptop - and now my home desktop all run Fedora 23
>>> (KDE Spin if you hate Gnome 3 - like me).
>>>
>>
>

-- 
*Karel Lang*
*Unix/Linux Administration*
[log in to unmask] | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

ATOM RSS1 RSS2