US Government Checking Up On Vista Users?
Paris The Pirate writes "This article at Whitedust displays some very interesting logs from Vista showing connections to the DoD Information Networking Center, United Nations Development program and the Halliburton Company; for no reason other than the machine was running Vista. From the article 'After running Vista for only a few days — with a complete love for the new platform the first sign of trouble erupted. I began noticing latency on my home network connection — so I booted my port sniffing software and networking tools to see what was happening. What I found was foundation shaking. The two images below show graphical depictions of what has and IS trying to connect to my computer even in an idle state'."
PeerGuardian is not a legitimate investigative tool (Score:5, Informative)
Re:I call bullshit. (Score:5, Informative)
Re:I call bullshit. (Score:5, Informative)
Or P2P. But, the important part is that he is showing nothing more than incoming frames, and conveniently obscures the destination port(s).
And to even get to the point where PeerGuardian (or whatever) can see the frame, it has to pass through his firewall -- presuming that he has one. And that means he either is explicitly allowing that port through or he made the connection himself.
I wonder what Task Manager would show running?
nothing to see here.. move along now (Score:2, Informative)
I'm confused (Score:4, Informative)
Re:I call bullshit. (Score:2, Informative)
2. There is a version that is working on Vista [winmatrix.com]. However, it is command-line only right now; the GUI is not done.
3. I am sure a lot of people will be monitoring now. This guy just noticed increased traffic from suspicious organizations AFTER he installed Vista. Did you see all of the Vista code? Do you know what info Vista sends and to whom?
It sounds like you are trying to apologize for MS. This sounds just like the crap MS would do. All these connection attempts weren't there in XP. "Upgrade" to Vista and now all kinds of "terrorist" scans are taking place? What the hell is Halliburton doing scans for? This seems more than a coincidence to me.
Re:PeerGuardian is not a legitimate investigative t (Score:5, Informative)
Re:I call bullshit. (Score:1, Informative)
No info on his network setup or for that matter what other boxes on the network might be running.
Re:I call bullshit. (Score:2, Informative)
Though what I can't figure out is why he didn't use actual port sniffing software like WireShark. I call bullshit on this lame post.
Laughable. (Score:3, Informative)
So I ran its networking through a separate machine that ran ethereal, and studied the logs in great detail. I also watched for any 'privacy issues'. Basically, anytime Vista 'phones home' it's required to be by the user Opt-In, and never as a default. If you didn't read the EULA/Privacy Policy, etc. and just kept hitting 'I Agree', 'Accept' and 'Next' every dialog... you might get some things you didn't expect.
Say you visit an HTTPS url... aside from what actually appears on the page (content + ads) you may need: the digital certificates for the signing authority, revocation lists, accurate time, to check for expiration, DNS, Style Sheets, DTDs... a lot of that can be cached, but at some point they may be automatically downloaded.
Playing a (non-DRM) song? You may get the album information automatically.
Plus all the non-MS software 'phoning home', Adobe Acrobat reader, Quicktime Updater, HP printer drivers, anti-virus updates, *Peer Guardian blocklist updates*
As for the incoming connections mentioned in the article, it seems well within Homeland Security's domain to scan for botnet and such infected machines, in order to defend against DoS attacks on critical infrastructure (like root DNS servers).
I once did a Google search for 'attrs' using Firefox on a Linux box. What popped up was a box asking me to accept a Department of Defense digital signature, served from a DOD server.
Why? Google had suggested I was looking for 'atrrs' which was a DOD term, and Firefox tried to pre-load the first result, which was a DOD run website, which popped up the certificate from a site I did not intend to visit! If there is a conspiracy, then Google, Mozilla, and Slackware are in on it.
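The two comments above make the same check in words: a bare "incoming frame" says nothing until you know who sent the SYN (did a local process call out, or did someone knock?) and whether anything answered (a listening service the firewall let through). The script below, an added example that is not code from the thread, the article, or any commenter, classifies TCP flows from a packet log on exactly that basis. The packet records, the local address and the remote IPs are all constructed sample data (documentation and private ranges), not hosts from the article.

```python
"""
Classify TCP flows by initiator and by whether they were answered.
Added example; all packets below are constructed, not captured data.
"""
from collections import defaultdict
from dataclasses import dataclass

LOCAL_HOST = "192.168.1.10"   # assumed address of the monitored machine (constructed)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


# Constructed capture: one HTTPS fetch the local host started, one unsolicited
# probe that got no answer, and one unsolicited probe that a local listener
# accepted (the case that deserves a look at the process list).
SAMPLE_PACKETS = [
    Packet("192.168.1.10", 49152, "203.0.113.5", 443, "S"),
    Packet("203.0.113.5", 443, "192.168.1.10", 49152, "SA"),
    Packet("192.168.1.10", 49152, "203.0.113.5", 443, "A"),
    Packet("198.51.100.7", 40000, "192.168.1.10", 135, "S"),    # probe, unanswered
    Packet("198.51.100.9", 41000, "192.168.1.10", 6881, "S"),   # probe, answered
    Packet("192.168.1.10", 6881, "198.51.100.9", 41000, "SA"),
    Packet("198.51.100.9", 41000, "192.168.1.10", 6881, "A"),
]


def flow_key(p, local):
    """Canonical key (local port, remote ip, remote port), same for both directions."""
    if p.src == local:
        return (p.sport, p.dst, p.dport)
    return (p.dport, p.src, p.sport)


def classify_flows(packets, local=LOCAL_HOST):
    """
    Return {flow_key: verdict} where verdict is one of:
      'outbound'           local host sent the SYN: a local process called out
      'inbound-accepted'   remote sent the SYN and the local host replied SYN-ACK:
                           a listening service reachable through the firewall
      'inbound-unanswered' remote sent the SYN and nothing came back:
                           port closed or the firewall dropped it
    """
    initiator = {}
    answered = set()
    for p in packets:
        key = flow_key(p, local)
        is_syn = "S" in p.flags and "A" not in p.flags
        is_synack = "S" in p.flags and "A" in p.flags
        if is_syn and key not in initiator:
            initiator[key] = "local" if p.src == local else "remote"
        elif is_synack and key in initiator:
            answered.add(key)

    verdicts = {}
    for key, who in initiator.items():
        if who == "local":
            verdicts[key] = "outbound"
        elif key in answered:
            verdicts[key] = "inbound-accepted"
        else:
            verdicts[key] = "inbound-unanswered"
    return verdicts


def summarize(packets, local=LOCAL_HOST):
    """Count verdicts; 'inbound-accepted' flows are the ones to match against
    the local process list (what Task Manager or netstat with owning PIDs shows)."""
    counts = defaultdict(int)
    for verdict in classify_flows(packets, local).values():
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for (lport, rip, rport), verdict in classify_flows(SAMPLE_PACKETS).items():
        print(f"local:{lport} <-> {rip}:{rport}  {verdict}")
    print(summarize(SAMPLE_PACKETS))
```

On real data the records would come from a capture taken on a separate box, as the commenter describes, with the flags field filled from the TCP header; a flow whose SYN came from outside and was answered is the only kind that needs explaining by a local listener or an explicit firewall allow rule, while everything marked outbound was started by software on the machine itself.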
Re:I call bullshit. (Score:2, Informative)
1) You are running P2P stuff knowingly and are too lacking in knowledge to figure out that that's what your packet sniffer is showing you; I did note in my post that this may be regular P2P stuff
2) You have an owned box. Anybody involved even slightly with botnet research can tell you this. As I already stated, P2P is the state of the art in botnets. If a person is not running BT or any other P2P apps, and yet we see a lot of connections on his network that can only be reasonably explained by P2P activity, then they can also be reasonably explained only by one or more owned hosts on the network.
As to why the original post is gone, it could be b/c it was BS and they pulled it, it could be because it was
No, sir, it is you who is full of shit of a bull. (Score:5, Informative)
1) Firewall defaults to ON out of the box on a default install UNLESS you're installing it into an existing domain with a DC GPO that forces it to off. (read: if so, you set it up that way, stfu)
2) Machine does not allow incoming connections until you close the Manage Your Server dialog. It brings this fact to your attention no less than 3 times during the initial setup. (read: after first boot, OS configuration, server type setup, domain creation, role assignment, windows update -- unless you close the dialog without doing that, in which case, again, your fault, stfu)
3) Machine really does not want to allow incoming connections until you complete a Windows Update and does make you click OK about 3 times to enable incoming connections.
4) Did I yet mention that you have to explicitly close a dialog that says 'No Incoming Connections are allowed until you close this dialog.' before it will allow incoming connections? I wanted to make sure I mentioned that.
So, no. I've never, ever installed Windows 2003 Server and 'accidentally' had a network cable installed, only to find that within 45 seconds it was crippled, and neither have you, because it's not possible unless you personally clicked 'yes, allow incoming connections to my unpatched, non-updated machine, and hey, while you're at it, let me open firewall.cpl (or the firewall control panel applet for you non command-line users) and disable the firewall'. See, because that's what you would have had to have done to create a situation that could exhibit those results, in case you weren't aware. I am, because I've installed Windows Server 2003, and all flavors thereof, no less than 100 times.
Thanks for playing, game over.
Re:No, sir, it is you who is full of shit of a bul (Score:5, Informative)
http://www.microsoft.com/technet/community/column