SCIENTIFIC-LINUX-USERS Archives
March 2016
SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Sat, 5 Mar 2016 02:36:49 -0800
If squid can find usefully unique patterns in encrypted traffic I suppose that 
might work. But that's one heck of a big "if".

{o.o}   Joanne

On 2016-03-05 02:15, Karel Lang AFD wrote:
> Hmm ... yes, yes.
> Thanks for bringing this up.
> I force all http traffic through the squid proxy on our SL 6 gateway; this could
> also be helpful.
>
>
>
> On 03/05/2016 11:00 AM, [log in to unmask] wrote:
>> The only way I can think of is to force all internet access through a proxy
>> and filter it out in the proxy.
>> Then you don't give the machines any internet access just access to the proxy.
>> Unfortunately I do not have details for you on how to filter the snoop
>> messages because I haven't looked at them, but it should be fairly easy
>> using squid and an external Perl regex filter script or other filter
>> application, but you will take a latency hit because you will have to inspect
>> every transaction.
>>
>>    Original Message
>> From: jdow
>> Sent: Friday, March 4, 2016 23:35
>> To: [log in to unmask]
>> Subject: Re: snooping windows 10 - how to stop it on a linux gateway?
>>
>> That windows update server is a relay for the "snoop" messages. About the only
>> way to totally stop the snoop messages is to totally isolate the network
>> containing Windows machines from the network. Any windows machine can serve as a
>> relay point for any others.
>>
>> {o.o}
>>
>> On 2016-03-04 20:16, Karel Lang AFD wrote:
>>> Hi guys,
>>>
>>> firstly, sorry Todd, I don't know how it happened that I got attached to your thread.
>>>
>>> secondly, thank you all for your thoughtful posts.
>>>
>>> I know it is not easy to block the selected traffic from windows 10 and you are
>>> right, it is being backported to windows 7 as well. Horrible and disgusting.
>>>
>>> I already have windows server in LAN dedicated as a update server (work of my
>>> windows colleagues), so the PC don't have to access windows update servers
>>> outside LAN - this should simplify things.
>>>
>>> Also the PCs must have internet access to email, http, https, ftp, sftp - simply
>>> the 'usual' stuff.
>>> I think, yet, there should be a way. I'll try to consult mikrotik experts (the
>>> router brand we use) and guys from our ISP.
>>> If I have something, I'll let you know :-)
>>>
>>> thank you, bb
>>>
>>> Karel
>>>
>>> On 03/05/2016 12:40 AM, Steven Haigh wrote:
>>>> On 05/03/16 07:24, Karel Lang AFD wrote:
>>>>> Hi all,
>>>>>
>>>>> guys, I think everyone has already heard about how badly Windows 10 treats
>>>>> its users' privacy.
>>>>
>>>> My solution to this was to finally rid Windows 7 off my desktop PC - as
>>>> most of the telemetry has also been 'back ported' to Windows 7 also. You
>>>> can't stop it.
>>>>
>>>>> I'm now thinking about a way to stop Windows 10 from sending these data
>>>>> mining results to Microsoft telemetry servers and filter it on our SL
>>>>> 6 linux gateway.
>>>>
>>>> Nope. There are no specific servers in use - just general - so whatever
>>>> you block will end up killing other services.
>>>>
>>>>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>>>>> similarly filter torrent streams on our gateway - I patched the standard SL
>>>>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>>>>> extremely well.
>>>>
>>>> I would be interested to see if you could identify telemetry packets in
>>>> the flow - but I'm not predicting much success. If you do get it, make
>>>> sure you let the world know though!
>>>>
>>>>> I read (not sure if true) that some DNS resolutions to M$ servers are
>>>>> even 'hardwired' via some .dll library, so it makes it even harder.
>>>>
>>>> Correct.
>>>>
>>>>> I'm no windows expert, but I'm a Unix administrator concerned about the
>>>>> privacy of windows desktop/laptop users sitting inside my LAN.
>>>>>
>>>>> What I'd like to come up with is some more general iptables rules, rather than
>>>>> blocking specific IP addresses or names, because apparently they may
>>>>> change in any incoming windows update ...
>>>>>
>>>>> Has anyone given this thought already? Is anyone else concerned the way I am?
>>>>
>>>> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
>>>> a few things that I like, so Fedora is a happy medium for me, as I
>>>> still have the fedora-updates-testing repo enabled). My work laptop as
>>>> well as my personal laptop - and now my home desktop - all run Fedora 23
>>>> (KDE Spin if you hate Gnome 3, like me).
>>>>
>>>
>>
>
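The proxy-side approach sketched in the quoted thread (force all web access through squid and let an external script decide per request) as an added example; this is not code from any of the posters, and it is Python rather than the Perl mentioned above. The squid.conf wiring (squid 3.x external_acl_type syntax), the helper path /usr/local/bin/telemetry_acl.py, and both pattern lists are assumptions; the hostnames are constructed placeholders under the reserved .invalid TLD, not real endpoints. The helper also makes Joanne's caveat concrete: for HTTPS squid only ever sees the CONNECT host:port, so the URL-path patterns can fire only on plaintext HTTP.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that flags requests matching operator-supplied patterns.

Added example, not code from the mailing-list thread. Assumed squid.conf wiring
(squid 3.x syntax):

  external_acl_type telemetry_check ttl=60 negative_ttl=60 %DST %URI /usr/local/bin/telemetry_acl.py
  acl is_telemetry external telemetry_check
  http_access deny is_telemetry

Squid writes one line per request ("<dst-host> <uri>") to the helper's stdin and
reads back "OK" (ACL matched, so the deny rule applies) or "ERR" (not matched).
"""
import re
import sys
from urllib.parse import urlsplit

# Constructed placeholder patterns (assumption): hostnames under the reserved
# .invalid TLD stand in for whatever endpoints an operator observes on their own LAN.
HOST_PATTERNS = [
    r"(^|\.)telemetry\.example\.invalid$",
    r"(^|\.)metrics-upload\.example\.invalid$",
]

# URL-path patterns (also constructed). These only help for plaintext HTTP,
# where squid actually sees the path; an HTTPS tunnel exposes only host:port.
PATH_PATTERNS = [
    r"/telemetry/upload\b",
]


def compile_patterns(patterns):
    """Compile regex strings case-insensitively (hostnames are case-insensitive)."""
    return [re.compile(p, re.IGNORECASE) for p in patterns]


HOST_RES = compile_patterns(HOST_PATTERNS)
PATH_RES = compile_patterns(PATH_PATTERNS)


def parse_request(line):
    """Split a '%DST %URI' helper line into (host, path).

    For a CONNECT tunnel squid hands over 'host:port' as the URI, so the path is
    unknown and returned as '': only the destination host is filterable there.
    Returns None on malformed input.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        return None
    host = parts[0].lower().rstrip(".")
    uri = parts[1]
    if uri.lower().startswith("http://"):
        split = urlsplit(uri)
        path = split.path or "/"
        if split.query:
            path += "?" + split.query
        return host, path
    return host, ""


def decide(line, host_res=HOST_RES, path_res=PATH_RES):
    """Return the squid verdict for one input line: 'OK' to match (deny), 'ERR' otherwise."""
    parsed = parse_request(line)
    if parsed is None:
        # Malformed line: answer "no match" so a helper bug does not cut off all browsing.
        return "ERR"
    host, path = parsed
    if any(r.search(host) for r in host_res):
        return "OK"
    if path and any(r.search(path) for r in path_res):
        return "OK"
    return "ERR"


def main():
    # Squid keeps the helper running for its lifetime; answer each line and flush
    # immediately, otherwise squid waits on a verdict that sits in the stdout buffer.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

It can be exercised without squid by piping sample lines into it (for example `printf 'sub.telemetry.example.invalid sub.telemetry.example.invalid:443\n' | ./telemetry_acl.py` prints `OK`). The ttl/negative_ttl values let squid cache verdicts so that the per-request latency hit the thread mentions is paid once per distinct host and URL rather than on every transaction; and because a matching hostname is all that is visible for HTTPS, the filter is only as good as the host patterns an operator is able to collect.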
