US Government Checking Up On Vista Users?
Paris The Pirate writes "This article at Whitedust displays some very interesting logs from Vista showing connections to the DoD Information Networking Center, United Nations Development program and the Halliburton Company; for no reason other than the machine was running Vista. From the article 'After running Vista for only a few days — with a complete love for the new platform the first sign of trouble erupted. I began noticing latency on my home network connection — so I booted my port sniffing software and networking tools to see what was happening. What I found was foundation shaking. The two images below show graphical depictions of what has and IS trying to connect to my computer even in an idle state'."
The DOD NIC runs one of the DNS root servers. Yes, that's right... his DNS requests are sometimes going to the Department of Defense! Burn the government down.
The machine running the peer guardian is an XP machine. It is sniffing traffic on the local network and filtering out all the results that don't originate from the Vista machine. He is running remote desktop from the Vista machine to the XP machine (the one running Peer Guardian). He probably did this because of the issues that software has with Vista, or possibly because he feels that Vista would hide this information from programs running locally.
Or P2P. But, the important part is that he is showing nothing more than incoming frames, and conveniently obscures the destination port(s).
And to even get to the point where PeerGuardian (or whatever) can see the frame, it has to pass through his firewall -- presuming that he has one. And that means he either is explicitly allowing that port through or he made the connection himself.
I wonder what Task Manager would show running?
This is just normal scans that everyone gets all the time. Nothing to do with having Vista installed.
Isn't this inbound stuff? Isn't this the same crap that ZoneAlarm blocks for me constantly?
1. It shows an RDP from Vista to XP.
2. There is a version that is working on Vista. However it is command line only right now, the GUI is not done.
3. I am sure a lot of people will be monitoring now. This guy just noticed increased traffic from suspicious organizations AFTER he installed Vista. Did you see all of the Vista code? Do you know what info Vista sends and to whom?
It sounds like you are trying to apologize for MS. This sounds just like the crap MS would do. All these connection attempts weren't there in XP. "Upgrade" to Vista and now all kinds of "terrorist" scans are taking place? What the hell is Halliburton doing scans for? This seems more than a coincidence to me.
General, you are listening to a machine! Do the world a favor and don't act like one.
Indeed. When I was running Peer Guardian, I got DOD requests all the time in XP. This is a non-story.
Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
Bah! You get that with any computer on an open network. Spambots, torrent clients and what not... Halliburton has botnet-infected PCs too. Oh my!
No info on his network setup or for that matter what other boxes on the network might be running.
Well PeerGuardian doesn't run on Vista, so that's probably why he RDP'd to it.
Though what I can't figure out is why he didn't use actual port sniffing software like Wireshark. I call bullshit on this lame post.
(A)bort, (R)etry, (I)gnore?_
I actually did contract test work at Microsoft, testing a Vista component that used the network.
So I ran its networking through a separate machine that ran Ethereal, and studied the logs in great detail. I also watched for any 'privacy issues'. Basically, anytime Vista 'phones home' it's required to be by the user Opt-In, and never as a default. If you didn't read the EULA/Privacy Policy, etc. and just kept hitting 'I Agree', 'Accept' and 'Next' every dialog... you might get some things you didn't expect.
Say you visit an HTTPS URL... aside from what actually appears on the page (content + ads) you may need: the digital certificates for the signing authority, revocation lists, accurate time to check for expiration, DNS, style sheets, DTDs... a lot of that can be cached, but at some point they may be automatically downloaded.
Playing a (non-DRM) song?, you may get the album information automatically.
Plus all the non-MS software 'phoning home', Adobe Acrobat reader, Quicktime Updater, HP printer drivers, anti-virus updates, *Peer Guardian blocklist updates*
As for the incoming connections mentioned in the article, it seems well within Homeland Security's domain to scan for botnet and such infected machines, in order to defend against DoS attacks on critical infrastructure (like root DNS servers).
I once did a Google search for 'attrs' using Firefox on a Linux box. What popped up was a box asking me to accept a Department of Defense digital signature, served from a DOD server.
Why? Google had suggested I was looking for 'atrrs', which was a DOD term, and Firefox tried to pre-load the first result, which was a DOD-run website, which popped up the certificate from a site I did not intend to visit! If there is a conspiracy, then Google, Mozilla, and Slackware are in on it.
Actually, yes, a lot of inbound connections like the ones he showed are a smoking gun for ownage. There are only two explanations that cover it on a network like his:
1) You are running P2P stuff knowingly and are too lacking in knowledge to figure out that that's what your packet sniffer is showing you; I did note in my post that this may be regular P2P stuff.
2) You have an owned box. Anybody involved even slightly with botnet research can tell you this. As I already stated, P2P is the state of the art in botnets. If a person is not running BT or any other P2P apps, and yet we see a lot of connections on his network that can only be reasonably explained by P2P activity, then they can also be reasonably explained only by one or more owned hosts on the network.
As to why the original post is gone, it could be b/c it was BS and they pulled it, it could be because it was /.ed and they pulled it, it could be that he took so much shit for it that he decided he'd be better off retreating from the field. Whatever the cause, that does not undermine the basic concept that if his claims were true and not just something he made up, then the two most reasonable explanations for what he saw both involve P2P; the only question between them is whether it was voluntary P2P or involuntary P2P (ownage).
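The distinction the post above draws (a swarm of distinct remote hosts converging on one local port, as P2P or a P2P-style bot would produce, versus the ordinary background scanning another commenter mentions) can be checked mechanically. This is an added example, not code from any poster; the log format and all addresses are constructed for illustration and do not assume PeerGuardian's real log layout.

```python
"""Triage inbound connection attempts captured by a sniffer on the LAN.
Added example; log format (timestamp, remote ip, remote port, local port,
protocol) and addresses are constructed, not PeerGuardian's real format."""
from collections import defaultdict

# Constructed sample: four distinct remotes hitting local port 6881 (swarm),
# one remote walking three local ports (scan), one DNS reply (neither).
SAMPLE_LOG = """\
2007-02-01T10:00:01 198.51.100.7 51200 6881 TCP
2007-02-01T10:00:02 198.51.100.9 40123 6881 TCP
2007-02-01T10:00:02 203.0.113.44 6881 6881 TCP
2007-02-01T10:00:03 192.0.2.18 33000 6881 TCP
2007-02-01T10:00:05 192.0.2.99 1024 22 TCP
2007-02-01T10:00:05 192.0.2.99 1025 23 TCP
2007-02-01T10:00:06 192.0.2.99 1026 3389 TCP
2007-02-01T10:00:07 192.0.2.53 53 61511 UDP
"""

def parse(log):
    """Split each line into (ts, remote_ip, remote_port, local_port, proto)."""
    rows = []
    for line in log.splitlines():
        ts, rip, rport, lport, proto = line.split()
        rows.append((ts, rip, int(rport), int(lport), proto))
    return rows

def triage(rows, swarm_min=4, scan_min=3):
    """Return verdicts keyed by (kind, subject).
    swarm: at least swarm_min distinct remote IPs target one local port,
           the pattern the post attributes to voluntary or involuntary P2P.
    scan:  one remote IP touches at least scan_min distinct local ports,
           the background noise every Internet-facing host sees."""
    remotes_by_lport = defaultdict(set)
    lports_by_remote = defaultdict(set)
    for _, rip, _, lport, _ in rows:
        remotes_by_lport[lport].add(rip)
        lports_by_remote[rip].add(lport)
    verdicts = {}
    for lport, rips in remotes_by_lport.items():
        if len(rips) >= swarm_min:
            verdicts[("swarm", lport)] = sorted(rips)
    for rip, lports in lports_by_remote.items():
        if len(lports) >= scan_min:
            verdicts[("scan", rip)] = sorted(lports)
    return verdicts

if __name__ == "__main__":
    for key, detail in triage(parse(SAMPLE_LOG)).items():
        print(key, detail)
```

A swarm verdict on a port no local application is known to listen on is the case the post says warrants checking for an owned host; a lone DNS reply or a single scanner produces no verdict.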
No, sir, I call BS on your post. If you'd ever installed Windows Server 2003, you'd know the following:
1) Firewall defaults to ON out of the box on a default install UNLESS you're installing it into an existing domain with a DC GPO that forces it to off. (read: if so, you set it up that way, stfu)
2) Machine does not allow incoming connections until you close the Manage Your Server dialog. It brings this fact to your attention no less than 3 times during the initial setup. (read: after first boot, OS configuration, server type setup, domain creation, role assignment, windows update -- unless you close the dialog without doing that, in which case, again, your fault, stfu)
3) Machine really does not want to allow incoming connections until you complete a Windows Update and does make you click OK about 3 times to enable incoming connections.
4) Did I yet mention that you have to explicitly close a dialog that says 'No Incoming Connections are allowed until you close this dialog.' before it will allow incoming connections? I wanted to make sure I mentioned that.
So, no. I've never, ever installed Windows 2003 Server and 'accidentally' had a network cable installed, only to find that within 45 seconds it was crippled, and neither have you, because it's not possible unless you personally clicked 'yes, allow incoming connections to my unpatched, non-updated machine, and hey, while you're at it, let me open firewall.cpl (or the firewall control panel applet for you non command-line users) and disable the firewall'. See, because that's what you would have had to have done to create a situation that could exhibit those results, in case you weren't aware. I am, because I've installed Windows Server 2003, and all flavors thereof, no less than 100 times.
Thanks for playing, game over.
To the darkened skies once more, and ever onward.
http://www.microsoft.com/technet/community/column
"Keep at least 3-6 full bottles of hard alcohol on hand, a 2 week resignation notice,..." - Poetmatt