Windows 10 Data exfiltration

If you don’t know how to control the information Windows 10 sends back about you to Microsoft, the Redmond giant has updated its guide on how to do so.

Snappily titled “Configure telemetry and other settings in your organization”, the page was tweaked on Tuesday, and some corners of the web are rather excited by this development. The guide was first published around the middle of last year. You may not have seen this page before, but if you have: you can safely go back to your coffee.

The document applies to Windows 10 version 1511, the November update. It goes over what Microsoft says Windows 10 collects about you and sends back to Redmond’s servers over encrypted HTTPS connections. This telemetry lets the software giant analyze the kinds of computers running Windows 10, exactly how programs are used by people, and why apps and services crash.

Some will call that spying, others will call it harmless diagnostic data. However you want to label it, it’s possible Windows will send back your files, or fragments of files, from your system to Microsoft engineers investigating programming bugs in their code. That may be a surprise to you, it may not.

The aforementioned configuration guide is quite long and detailed, so here’s our summary of things you ought to know:

  • There are four telemetry settings: “Security”, “Basic”, “Enhanced”, and “Full”.
  • Here’s how Microsoft sums up the four modes:
    • Security: “Information that’s required to help keep Windows secure, including info about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.”
    • Basic: “Basic device info, including: quality-related info, app compat, and info from the Security level.”
    • Enhanced: “Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels.”
    • Full: “All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels.”
  • Windows 10 Enterprise, Windows 10 Education, and IoT Core default to Enhanced. Windows 10 Home and Pro default to Full.
  • Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions can select Security – no other edition can.
  • Security is the most restrictive level and, if required, can be used to stop telemetry leaving the machine altogether. “No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID,” says Redmond.
  • Basic adds details of the hardware and software on your machine, plus quality and app-compatibility data. Enhanced adds how Windows and its apps are used and how they perform, along with advanced reliability data.
  • Full is where things get a little dicey, depending on how much you prize your privacy. If your system reports back strange crashes that Microsoft techies can’t get their heads around, they can request extra data from your machine, which Windows 10 will hand over remotely once Microsoft’s own privacy governance team has approved the request. This extra information can include some of your files, so the engineers can recreate the exact crash in their labs using your data and apps. Microsofties can also run diagnostic tools on your system to gather more evidence. Here’s Microsoft’s explanation of the process:

Before more info is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:

  • Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
  • Ability to get registry keys.
  • Ability to gather user content, such as documents, if they might have been the trigger for the issue.

In short: if you value your privacy, you’ll want to select Basic. If you’re super-paranoid, you can select Security, and if you can’t do that due to your Windows 10 edition, well, Basic will have to do. If you don’t want your documents flung back to Redmond, don’t use the Full setting.

Microsoft urges you not to opt out of this telemetry collection because it has been used to debug nasty errors and catch malware infections early – attempts to exploit vulnerabilities trigger weird new crashes that engineers haven’t seen before.

That’s just Redmond’s opinion: on Windows 10, open the Settings app, go to Privacy, then Feedback & diagnostics, and set the telemetry level to what you want, not what Microsoft wants. The Settings app only offers Basic, Enhanced and Full; Security is set by policy, and only on the editions that support it. Admins can push the same choice to a fleet with the Group Policy setting Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry, or with the registry value AllowTelemetry (0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full) under HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection, both of which the guide describes.

Don’t forget, much of this information is collated into anonymized business reports that are shared within the company. Microsoft is not exactly spying on you individually, but it’s taking a keen interest in what its users are up to.

How often does Windows 10 phone home data? “Real-time events, such as gaming achievements, are always sent immediately,” explains Redmond. “Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.”

The company adds: “Sensitive info is stored in a separate data store that’s locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification.

“Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days.”

Check out the above linked page for individual settings and controls over your operating system – particularly if you’re an IT admin worried about this kind of stuff.

If you’re annoyed by this collection of data – which isn’t terribly well sign-posted by Microsoft – and want to get your own back, set up a virtual machine running Windows 10, enable full telemetry, and then fuzz Redmond’s operating system with the most horrendous or ridiculous image files you can find. Can you imagine how much porn or cat GIFs their engineers already end up receiving in crash data? ®

 

Log Interpretation

IronPort:

The notes below annotate a sample Cisco IronPort (Web Security Appliance) access-log record field by field: the value as it appears in the log, the format specifier that produces it, and the codes that can appear there.

TCP_MISS = %w Transactional result code
NONE – Neither a hit nor a miss; indicates an error in the transaction.
TCP_MEM_HIT – The object was cached in memory.
TCP_DENIED – Access was denied for this request.
TCP_HIT – A valid copy of the requested object was in the cache.
TCP_MISS – The requested object was not in the cache.
TCP_REFRESH_HIT – An expired copy of the requested object was in the cache. Squid made an If-Modified-Since request and the response was “Not Modified.”
TCP_REFRESH_FAIL_HIT – An expired copy of the requested object was in the cache. Squid attempted to make an If-Modified-Since request, but it failed. The old (stale) object was delivered to the client.
TCP_REFRESH_MISS – An expired copy of the requested object was in the cache. Squid made an If-Modified-Since request and received a new, different object.
TCP_CLIENT_REFRESH – The client issued a request with the “no-cache” pragma (“reload”); handled as a MISS.
TCP_IMS_HIT – An If-Modified-Since GET request was received from the client. A valid (fresh) copy of the object was in the cache.
TCP_IMS_MISS – An If-Modified-Since GET request was received from the client. The requested object was not in the cache, or the cached copy was stale.
TCP_SWAPFAIL – The object was believed to be in the cache, but could not be accessed.

200 = %h HTTP response code
200 – OK
204 – No Content
206 – Partial Content
301 – Moved Permanently
302 – Found (over there)
304 – Not Modified
305 – Use Proxy
307 – Temporary Redirect
401 – Unauthorized
403 – Forbidden
404 – Not Found
405 – Method Not Allowed
407 – Proxy Authentication Required
503 – Service Unavailable
504 – Gateway Timeout

14148 = %s Total bytes transferred

GET http://www.cisco.com/ = %r Request method and URI

DIRECT/www.cisco.com = %H Cache hierarchy retrieval (how, and from where, the object was fetched)
NONE – No upstream request was made (the object came from cache, or the request was denied)
DIRECT – Request went directly to the origin server
DEFAULT_PARENT – Single upstream proxy or failover
LEASTBUSY_PARENT – Upstream proxy with the fewest connections
HASHBASED_PARENT – Hash-based load balancing
LEASTRECENT_PARENT – Least recently used upstream proxy
ROUNDROBIN_PARENT – Round-robin load balancing

text/html = %c MIME content type/subtype
text/plain – simple text
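The tables above are easier to use when something applies them to real records, so here is an added example (my own code, not from the original page or from Cisco) that parses access-log lines, expands the %w, %h and %H codes, and sorts each record into a triage bucket (denied, auth challenge, tunnel, cache hit, origin fetch, error). It assumes the appliance’s default access-log layout, whitespace-separated, with the first ten fields being timestamp, elapsed ms, client IP, RESULT/status, bytes, method, URL, user, HIER/server and MIME type; the sample lines are constructed for illustration (the first reuses the values annotated above), and the record, function and bucket names are mine.

```python
"""Parse and triage Cisco IronPort / Web Security Appliance access-log lines.
Added example, not code from the page or from Cisco. Assumes the WSA default
access-log layout: timestamp elapsed_ms client_ip RESULT/status bytes method url user HIER/server mime ...
Code tables are the %w, %h and %H lists above; the sample lines are constructed."""
from collections import namedtuple
from datetime import datetime, timezone
from typing import Dict, List

RESULT_CODES: Dict[str, str] = {  # %w transactional result codes (Squid-derived)
    "NONE": "neither hit nor miss: transaction error",
    "TCP_HIT": "fresh copy served from cache",
    "TCP_MEM_HIT": "fresh copy served from memory cache",
    "TCP_MISS": "not cached; fetched from origin or upstream proxy",
    "TCP_REFRESH_HIT": "stale in cache; If-Modified-Since got 304, cached copy served",
    "TCP_REFRESH_FAIL_HIT": "stale in cache; revalidation failed, stale copy served",
    "TCP_REFRESH_MISS": "stale in cache; revalidation returned a new object",
    "TCP_CLIENT_REFRESH": "client sent no-cache/reload; handled as a miss",
    "TCP_IMS_HIT": "client If-Modified-Since; cached copy still fresh",
    "TCP_IMS_MISS": "client If-Modified-Since; cached copy stale or absent",
    "TCP_SWAPFAIL": "object believed cached but unreadable",
    "TCP_DENIED": "access denied by policy",
}
HTTP_STATUS: Dict[int, str] = {  # %h HTTP response codes
    200: "OK", 204: "No Content", 206: "Partial Content", 301: "Moved Permanently",
    302: "Found", 304: "Not Modified", 305: "Use Proxy", 307: "Temporary Redirect",
    401: "Unauthorized", 403: "Forbidden", 404: "Not Found", 405: "Method Not Allowed",
    407: "Proxy Authentication Required", 503: "Service Unavailable", 504: "Gateway Timeout",
}
HIERARCHY: Dict[str, str] = {  # %H cache-hierarchy retrieval codes
    "NONE": "no upstream request made (cache hit or denied)",
    "DIRECT": "fetched directly from the origin server",
    "DEFAULT_PARENT": "single upstream proxy or failover",
    "LEASTBUSY_PARENT": "upstream chosen by fewest connections",
    "HASHBASED_PARENT": "upstream chosen by hash",
    "LEASTRECENT_PARENT": "upstream chosen least-recently-used",
    "ROUNDROBIN_PARENT": "upstream chosen round-robin",
}

WsaRecord = namedtuple("WsaRecord", "time elapsed_ms client_ip result status size "
                                    "method url user hierarchy server mime")


def parse_line(line: str) -> WsaRecord:
    """Split one access-log line into its first ten fields; raise on malformed input."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        raise ValueError("not a WSA access-log line: %r" % line)
    result, status = f[3].split("/", 1)          # e.g. TCP_MISS/200
    hierarchy, _, server = f[8].partition("/")   # e.g. DIRECT/www.cisco.com
    return WsaRecord(datetime.fromtimestamp(float(f[0]), tz=timezone.utc), int(f[1]), f[2],
                     result, int(status), int(f[4]), f[5], f[6], f[7], hierarchy, server, f[9])


def classify(rec: WsaRecord) -> str:
    """Coarse triage bucket; order matters (a 407 is a challenge, not a block)."""
    if rec.status == 407:
        return "auth-challenge"
    if rec.result == "TCP_DENIED" or rec.status == 403:
        return "denied"
    if rec.result in ("NONE", "TCP_SWAPFAIL"):
        return "error"
    if rec.method == "CONNECT":
        return "tunnel"          # TLS passthrough: URL is host:port, MIME is '-'
    if rec.hierarchy == "NONE":
        return "cache-hit"       # served without contacting any upstream
    return "origin-fetch"


def describe(rec: WsaRecord) -> List[str]:
    """Expand the three coded fields, flagging codes the tables do not know."""
    return ["%s: %s" % (rec.result, RESULT_CODES.get(rec.result, "UNKNOWN result code")),
            "%d: %s" % (rec.status, HTTP_STATUS.get(rec.status, "status not in table")),
            "%s -> %s: %s" % (rec.hierarchy, rec.server or "-",
                              HIERARCHY.get(rec.hierarchy, "UNKNOWN hierarchy code"))]


def summarize(log_text: str) -> Dict[str, int]:
    """Count triage buckets over a whole log; blank lines are skipped."""
    counts: Dict[str, int] = {}
    for line in filter(str.strip, log_text.splitlines()):
        bucket = classify(parse_line(line))
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample lines (not from a real appliance); the first reuses the page's example values.
SAMPLE_LOG = """\
1453289400.123 97 10.1.2.3 TCP_MISS/200 14148 GET http://www.cisco.com/ - DIRECT/www.cisco.com text/html
1453289401.456 5 10.1.2.3 TCP_DENIED/403 1130 GET http://blocked.example.test/setup.exe jdoe NONE/- text/html
1453289402.789 2 10.1.2.4 TCP_DENIED/407 0 GET http://intranet.example.test/ - NONE/- -
1453289403.012 210 10.1.2.5 TCP_MISS/200 5120 CONNECT mail.example.test:443 jdoe DIRECT/mail.example.test -
1453289404.345 1 10.1.2.3 TCP_HIT/200 8190 GET http://www.cisco.com/favicon.ico - NONE/- image/x-icon
"""

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LOG.splitlines()):
        print(rec.time.isoformat(), rec.client_ip, rec.user, classify(rec), rec.method, rec.url)
        print("    " + "; ".join(describe(rec)))
    print(summarize(SAMPLE_LOG))
```

Two things worth noticing when running it: a 407 is logged as TCP_DENIED too, but it is a proxy authentication challenge that the browser normally answers on the next request, so it is bucketed before the real denials; and a CONNECT record carries host:port rather than a URL and a MIME type of “-”, because the appliance only sees the tunnel unless HTTPS decryption is on. Unknown codes are flagged rather than dropped, so a new appliance release that adds a result code shows up instead of disappearing from the counts.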

SIFT smbd not starting

This is most likely because smbd is looking for the ‘sansforensics’ account, which exists in the standard SIFT workstation download but not in an image you have built yourself; smbd refuses to start when the configured guest account does not exist. Go to System > Administration > Samba, open Server Settings > Security, and change the Guest Account to a local user account that does exist.

smbd should now start. If it still doesn’t, run testparm, which will report any other problems in smb.conf.
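The same fix from the command line, as an added example that is not part of the original note: it reads smb.conf, checks whether the configured guest account actually exists in the local password database, and only if it does not rewrites the setting to an account that does. It assumes the Debian/Ubuntu path /etc/samba/smb.conf (SIFT is Ubuntu-based), and the sample configuration used in its checks is constructed; the function names are mine.

```python
"""Check and repair Samba's "guest account" so smbd can start.

Added example, not from the original page. smbd will not start when the guest
account named in smb.conf (e.g. 'sansforensics' on a stock SIFT image) does not
exist locally. This finds the setting, checks it against the password database
and rewrites it to an existing account. Paths and the sample config are
assumptions / constructed input."""
import getpass
import pwd
import re
import sys
from typing import Tuple

CONF_PATH = "/etc/samba/smb.conf"          # assumed Debian/Ubuntu location
GUEST_RE = re.compile(r"^([ \t]*guest account[ \t]*=[ \t]*)(\S+)[ \t]*$", re.IGNORECASE | re.MULTILINE)


def guest_account(conf_text: str) -> str:
    """Return the configured guest account; Samba's compiled-in default is 'nobody'."""
    matches = GUEST_RE.findall(conf_text)
    return matches[-1][1] if matches else "nobody"    # last definition wins


def account_exists(name: str) -> bool:
    """True if `name` resolves in the local password database (what smbd itself checks)."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def first_local_account() -> str:
    """Any account that certainly exists on this host (fallback for the examples)."""
    return pwd.getpwall()[0].pw_name


def set_guest_account(conf_text: str, user: str) -> str:
    """Point every 'guest account' line at `user`, or add one to [global] if none exists."""
    if GUEST_RE.search(conf_text):
        return GUEST_RE.sub(lambda m: m.group(1) + user, conf_text)
    global_hdr = re.compile(r"^\[global\][ \t]*$", re.IGNORECASE | re.MULTILINE)
    if global_hdr.search(conf_text):
        return global_hdr.sub(lambda m: m.group(0) + "\n   guest account = " + user, conf_text, count=1)
    return "[global]\n   guest account = %s\n%s" % (user, conf_text)


def repair(conf_text: str, fallback_user: str) -> Tuple[str, str, bool]:
    """Return (new_text, effective_user, changed); raise if the fallback is missing too."""
    current = guest_account(conf_text)
    if account_exists(current):
        return conf_text, current, False
    if not account_exists(fallback_user):
        raise ValueError("neither %r nor fallback %r exists on this host" % (current, fallback_user))
    return set_guest_account(conf_text, fallback_user), fallback_user, True


if __name__ == "__main__":
    # usage: sudo python3 fix_guest.py [local_user]; then restart smbd and confirm with testparm -s
    fallback = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    with open(CONF_PATH) as fh:
        text = fh.read()
    new_text, user, changed = repair(text, fallback)
    if changed:
        with open(CONF_PATH, "w") as fh:
            fh.write(new_text)
    print("guest account %s -> %s" % ("rewritten" if changed else "already valid", user))
```

The existence check is the important part: the GUI procedure above works because it lets you pick from accounts that exist, and this does the equivalent lookup with pwd.getpwnam before touching the file. Pick a low-privilege local account as the fallback; whatever is named here is the identity anonymous SMB clients run as.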