SCIENTIFIC-LINUX-USERS Archives

March 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: snooping windows 10 - how to stop it on a linux gateway?
From:
David Sommerseth <[log in to unmask]>
Reply To:
[log in to unmask], [log in to unmask]
Date:
Sat, 5 Mar 2016 13:28:10 +0100
Content-Type:
text/plain
Parts/Attachments:
text/plain (137 lines) 
On 05/03/16 13:23, David Sommerseth wrote:
> On 05/03/16 11:36, jdow wrote:
>> If squid can find usefully unique patterns in encrypted traffic I suppose that
>> might work. But that's one heck of a big "if".
> 
> A quick google search on "transparent https proxy" gave me these:
> 
> <http://docs.mitmproxy.org/en/stable/howmitmproxy.html>
> <http://rahulpahade.com/content/squid-transparent-proxy-over-ssl-https>
> 
> I probably have more "faith" in the mitmproxy approach, as that seems
> generally more designed with https in mind.

Just another idea came to mind.  You only need a transparent proxy to be used
when connecting to IP ranges belonging to Microsoft.  So instead of an
iptables REDIRECT for all http/https connection, you add separate rules with
--destination to the different Microsoft subnets.


--
kind regards,

David Sommerseth


>> On 2016-03-05 02:15, Karel Lang AFD wrote:
>>> Hmm ... yes, yes.
>>> Thanks for bringing this up.
>>> I force all http traffic through the squid proxy on our SL 6 gateway, this
>>> could
>>> be also helpful..
>>>
>>>
>>>
>>> On 03/05/2016 11:00 AM, [log in to unmask] wrote:
>>>> The only way I can think of is to force all internet access through a proxy
>>>> and filter it out in the proxy.
>>>> Then you don't give the machines any internet access just access to the proxy.
>>>> Unfortunately I do not have details for you on how to filter the snoop
>>>> messages because in I haven't looked at them but it should be fairly easy
>>>> using squid and an external Perl regex filter script or other filter
>>>> application, but you will take a latency hit because you will have to inspect
>>>> every transaction.
>>>>
>>>>    Original Message
>>>> From: jdow
>>>> Sent: Friday, March 4, 2016 23:35
>>>> To: [log in to unmask]
>>>> Subject: Re: snooping windows 10 - how to stop it on a linux gateway?
>>>>
>>>> That windows update server is a relay for the "snoop" messages. About the only
>>>> way to totally stop the snoop messages is to totally isolate the network
>>>> containing Windows machines from the network. Any windows machine can serve
>>>> as a
>>>> relay point for any others.
>>>>
>>>> {o.o}
>>>>
>>>> On 2016-03-04 20:16, Karel Lang AFD wrote:
>>>>> Hi guys,
>>>>>
>>>>> firstly, sorry Todd, i don't know how it happened i got attached to your
>>>>> thread.
>>>>>
>>>>> secondly, thank you all for your thoughtful posts.
>>>>>
>>>>> I know it is not easy to block the selected traffic from windows 10 and
>>>>> you are
>>>>> right, it is being backported to windows 7 as well. Horrible and disgusting.
>>>>>
>>>>> I already have windows server in LAN dedicated as a update server (work of my
>>>>> windows colleagues), so the PC don't have to access windows update servers
>>>>> outside LAN - this should simplify things.
>>>>>
>>>>> Also the PCs must have internet access to email, http, https, ftp, sftp -
>>>>> simply
>>>>> the 'usual' stuff.
>>>>> I think, yet, there should be a way. I'll try to consult mikrotik experts
>>>>> (the
>>>>> router brand we use) and guys from our ISP.
>>>>> If i have something, i'll let you know :-)
>>>>>
>>>>> thank you, bb
>>>>>
>>>>> Karel
>>>>>
>>>>> On 03/05/2016 12:40 AM, Steven Haigh wrote:
>>>>>> On 05/03/16 07:24, Karel Lang AFD wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> guys, i think everyone heard already about how windows 10 badly treat
>>>>>>> its users privacy.
>>>>>>
>>>>>> My solution to this was to finally rid Windows 7 off my desktop PC - as
>>>>>> most of the telemetry has also been 'back ported' to Windows 7 also. You
>>>>>> can't stop it.
>>>>>>
>>>>>>> I'm now thinking about a way howto stop a windows 10 sending these data
>>>>>>> mining results to a microsoft telemetry servers and filter it on our SL
>>>>>>> 6 linux gateway.
>>>>>>
>>>>>> Nope. There are no specific servers in use - just general - so whatever
>>>>>> you block will end up killing other services.
>>>>>>
>>>>>>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>>>>>>> similarly filter torrent streams on our gateway - i patched standard SL
>>>>>>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>>>>>>> extremely well.
>>>>>>
>>>>>> I would be interested to see if you could identify telemetry packets in
>>>>>> the flow - but I'm not predicting much success. If you do get it, make
>>>>>> sure you let the world know though!
>>>>>>
>>>>>>> I read (not sure if true) that some DNS resolutions to M$ servers are
>>>>>>> even 'hardwired' via some .dll library, so it makes it even harder.
>>>>>>
>>>>>> Correct.
>>>>>>
>>>>>>> I'm no windows expert, but i'm and unix administrator concerned about
>>>>>>> privacy of windows desktop/laptop users sitting inside my LAN.
>>>>>>>
>>>>>>> What i'd like to come up is some more general iptables rules, than
>>>>>>> blocking specific IP addresses or names, because, apparently they may
>>>>>>> change in any incoming windows update ...
>>>>>>>
>>>>>>> Anyone gave this thought already? Anyone else's concerned the way i am?
>>>>>>
>>>>>> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
>>>>>> a few things that I like - so Fedora is a happy medium for me - as I
>>>>>> still have the fedora-updates-testing repo enabled. My work laptop as
>>>>>> well as my personal laptop - and now my home desktop all run Fedora 23
>>>>>> (KDE Spin if you hate Gnome 3 - like me).
>>>>>>
>>>>>
>>>>
>>>

ATOM RSS1 RSS2