Hmm, good idea.
At least I've got some more things to study... OK, gonna start with a 'man man' :-))

I'll have to find some guy with a deeper Windows networking understanding to get a really clear picture of how this whole communication works, because I need to understand the principle of the thing.

Thanks again guys for all ideas.

On 03/05/2016 01:28 PM, David Sommerseth wrote:
On 05/03/16 13:23, David Sommerseth wrote:
On 05/03/16 11:36, jdow wrote:
If squid can find usefully unique patterns in encrypted traffic I suppose that
might work. But that's one heck of a big "if".

A quick Google search on "transparent https proxy" gave me these:

<http://docs.mitmproxy.org/en/stable/howmitmproxy.html>
<http://rahulpahade.com/content/squid-transparent-proxy-over-ssl-https>

I probably have more "faith" in the mitmproxy approach, as that seems
generally more designed with https in mind.

Just another idea that came to mind.  You only need a transparent proxy to be used
when connecting to IP ranges belonging to Microsoft.  So instead of an
iptables REDIRECT for all http/https connections, you add separate rules with
--destination to the different Microsoft subnets.


--
kind regards,

David Sommerseth


On 2016-03-05 02:15, Karel Lang AFD wrote:
Hmm ... yes, yes.
Thanks for bringing this up.
I force all http traffic through the squid proxy on our SL 6 gateway; this could
also be helpful.

On 03/05/2016 11:00 AM, prmari...@gmail.com wrote:
The only way I can think of is to force all internet access through a proxy
and filter it out in the proxy.
Then you don't give the machines any internet access just access to the proxy.
Unfortunately I do not have details for you on how to filter the snoop
messages because I haven't looked at them, but it should be fairly easy
using squid and an external Perl regex filter script or other filter
application, but you will take a latency hit because you will have to inspect
every transaction.

    Original Message
From: jdow
Sent: Friday, March 4, 2016 23:35
To: scientific-linux-us...@fnal.gov
Subject: Re: snooping windows 10 - how to stop it on a linux gateway?

That Windows update server is a relay for the "snoop" messages. About the only
way to totally stop the snoop messages is to totally isolate the network
containing Windows machines from the network. Any Windows machine can serve as a
relay point for any others.

{o.o}

On 2016-03-04 20:16, Karel Lang AFD wrote:
Hi guys,

Firstly, sorry Todd, I don't know how it happened that I got attached to your
thread.

Secondly, thank you all for your thoughtful posts.

I know it is not easy to block the selected traffic from Windows 10, and you are
right, it is being backported to Windows 7 as well. Horrible and disgusting.

I already have a Windows server in the LAN dedicated as an update server (work of my
Windows colleagues), so the PCs don't have to access Windows update servers
outside the LAN - this should simplify things.

Also the PCs must have internet access to email, http, https, ftp, sftp - simply
the 'usual' stuff.
I think there should still be a way. I'll try to consult Mikrotik experts (the
router brand we use) and guys from our ISP.
If I have something, I'll let you know :-)

thank you, bb

Karel

On 03/05/2016 12:40 AM, Steven Haigh wrote:
On 05/03/16 07:24, Karel Lang AFD wrote:
Hi all,

Guys, I think everyone has already heard about how badly Windows 10 treats
its users' privacy.

My solution to this was to finally get rid of Windows 7 on my desktop PC, as
most of the telemetry has also been 'back ported' to Windows 7. You
can't stop it.

I'm now thinking about a way to stop Windows 10 sending these data
mining results to Microsoft telemetry servers and filter it on our SL
6 Linux gateway.

Nope. There are no specific servers in use - just general - so whatever
you block will end up killing other services.

I think it could be (maybe?) done via DPI (deep packet inspection). I
similarly filter torrent streams on our gateway - I patched the standard SL
6 kernel with 'xtables' (an iptables enhancement) and it is working
extremely well.

I would be interested to see if you could identify telemetry packets in
the flow - but I'm not predicting much success. If you do get it, make
sure you let the world know though!

I read (not sure if true) that some DNS resolutions to M$ servers are
even 'hardwired' via some .dll library, which makes it even harder.

Correct.

I'm no Windows expert, but I'm a Unix administrator concerned about the
privacy of Windows desktop/laptop users sitting inside my LAN.

What I'd like to come up with is some more general iptables rules, rather than
blocking specific IP addresses or names, because apparently they may
change with any incoming Windows update ...

Has anyone given this thought already? Is anyone else concerned the way I am?

Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
a few things that I like - so Fedora is a happy medium for me - as I
still have the fedora-updates-testing repo enabled). My work laptop as
well as my personal laptop - and now my home desktop - all run Fedora 23
(KDE Spin if you hate Gnome 3 - like me).

--
*Karel Lang*
*Unix/Linux Administration*
l...@afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
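The destination-scoped REDIRECT that David suggests in the thread, as an added example that is not part of the thread or of any project: a small POSIX shell script that prints (and only on request applies) the nat rules sending traffic for chosen subnets into a local transparent proxy, leaving every other http/https connection untouched. The interface name, proxy ports and subnets are assumptions; the subnets are RFC 5737 documentation ranges used as placeholders, not real Microsoft ranges.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables NAT rules that send
# only traffic to chosen destination subnets into a local transparent proxy,
# instead of REDIRECTing every http/https connection.
# The subnets below are CONSTRUCTED placeholders (RFC 5737 documentation
# ranges), not real Microsoft ranges; replace them with ranges you verified.

LAN_IF="${LAN_IF:-eth1}"                     # interface facing the Windows clients (assumed name)
HTTP_PROXY_PORT="${HTTP_PROXY_PORT:-3128}"   # squid intercept port (assumed)
HTTPS_PROXY_PORT="${HTTPS_PROXY_PORT:-8443}" # mitmproxy / squid ssl-bump port (assumed)

# Placeholder destination subnets, one per line.
TARGET_SUBNETS="192.0.2.0/24
198.51.100.0/24"

# redirect_rules <subnet-list>: print one iptables command per subnet and port.
# Nothing is executed here, so the output can be reviewed before applying it.
# Only packets whose destination (-d) is inside a listed subnet are redirected.
redirect_rules() {
    subnets="$1"
    for net in $subnets; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport 80 -j REDIRECT --to-ports %s\n' \
            "$LAN_IF" "$net" "$HTTP_PROXY_PORT"
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport 443 -j REDIRECT --to-ports %s\n' \
            "$LAN_IF" "$net" "$HTTPS_PROXY_PORT"
    done
}

# rule_count <subnet-list>: number of rules that would be installed (two per subnet).
rule_count() {
    redirect_rules "$1" | wc -l | tr -d ' '
}

# Print the rules for review; run with APPLY=1 to actually install them (needs root).
redirect_rules "$TARGET_SUBNETS"
if [ "${APPLY:-0}" = "1" ]; then
    redirect_rules "$TARGET_SUBNETS" | sh -e
fi
```

Redirecting port 443 only helps if the proxy terminates TLS and the clients trust its CA (the mitmproxy approach); without that, the redirected HTTPS connections simply fail, which is itself a way to confirm the rules match what you expect.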
