Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Government Checking Up On Vista Users?

Posted by ryuzaki0 on from the security-theatre-in-your-home dept.

Paris The Pirate writes "This article at Whitedust displays some very interesting logs from Vista showing connections to the DoD Information Networking Center, United Nations Development program and the Halliburton Company; for no reason other than the machine was running Vista. From the article 'After running Vista for only a few days — with a complete love for the new platform the first sign of trouble erupted. I began noticing latency on my home network connection — so I booted my port sniffing software and networking tools to see what was happening. What I found was foundation shaking. The two images below show graphical depictions of what has and IS trying to connect to my computer even in an idle state'."

34 of 291 comments (clear)

  1. I call bullshit. by XorNand · · Score: 5, Insightful

    I swear this place is becoming more and more like Digg everyday. I'm no longer renewing my Slashdot subscription while I can get this same quality news for free elsewhere. Where do I start?

    1.The screenshots clearly show WinXP, not Vista. In fact, this guy's ultra-leet "port sniffing software and networking tools" is PeerGuardian 2. Straight from the product's home page: Note: PeerGuardian 2 does not support Windows Vista at the moment. This is a top priority, and we hope to have a Vista download soon.

    2. Lame screen shots from some Windows app isn't enough to validate a conspiracy theory. Where's the complete traffic dump? And not from some random guy and his "fanboy" friend; how about a creditable network security organization? Hell, I'd even settle for an intern with his CCNA.

    3. Hard to tell because all we have are screen shots, but it looks like nothing more than port scans. ::yawn::

    (Guess is this is what I get for spending a beautiful Sunday afternoon indoors, on my computer).

    --
    Entrepreneur : (noun), French for "unemployed"
    1. Re:I call bullshit. by igotmybfg · · Score: 5, Insightful

      1.The screenshots clearly show WinXP, not Vista. In fact, this guy's ultra-leet "port sniffing software and networking tools" is PeerGuardian 2. Straight from the product's home page: Note: PeerGuardian 2 does not support Windows Vista at the moment. This is a top priority, and we hope to have a Vista download soon.

      The screenshots also clearly show another computer is involved, since he is remoting from his Vista PC to his Windows PC. Perhaps they are both on the same network, and he has reason to believe that these connections are being caused by having Vista on the network.

    2. Re:I call bullshit. by Anonymous Coward · · Score: 5, Insightful

      I agree, but .. you missed the best part.
      PeerGuardian is for blocking *incoming* connections, this has nothing to do with Vista *AT ALL*.
      The names that show up against the IP are taken from user submitted rule files(In case you didn't know this is so that IP's from RIAA/MPAA employed companies can be blocked-who log all ip's connected to any torrent as seeds/leeches). There is no validation on the name corresponding to the IP. Complete and utter FUD.
      Even the IPs DID correspond to DoD etc.. there is a completely plausible reason for that.
      Bit torrent clients cache IP addresses so that they can connect to all the seeds/leeches in case the torrent managing host goes down. All this has proven is that the US Government uses Bit torrent.

    3. Re:I call bullshit. by SocialEngineer · · Score: 4, Insightful

      Maybe he's got multiple machines hooked up to a hub, with the XP machine sniffing in promiscuous mode. Maybe he's tunneling the connection through the XP machine. Who knows. While I too am inclined to call BS, the XP argument doesn't fly.

      --
      "Better to be vulgar than non-existent" -Bev Henson
    4. Re:I call bullshit. by guardiangod · · Score: 5, Insightful

      For the first time in many years, I agree that /. ain't what it used to be.

      Blah how does this make the front page? There are million of reasons for these connections.

      Maybe he is using a dynamic ip based isp and he just got a new ip? Maybe the last person who used that ip was using bittorrent? Botnets trying to reconnect to this ip?

      Aside from those "Remote Desktop" xp screenshots, I noticed there are Hei Long Jiang education committee, UN Development program, China Edu and Research Network, and whatever.

      I guess the DoD and the "Chinese intelligence agency" are both attacking his computer.

      UN probably sent some people to infiltrate his computer as well.

      Wait, Hei Long Jiang is right next to Russia? Maybe the KGB is using China's network to go after him as well!*roll eyes*

      Even if they are not bt, they might just as well be port scans.

      News for nerds, indeed.

    5. Re:I call bullshit. by Dude+McDude · · Score: 2, Insightful

      Blah how does this make the front page? It gives the anti-Microsoft crew yet another chance to bitch and moan.
    6. Re:I call bullshit. by Tuoqui · · Score: 2, Insightful

      Well considering all the DRM and crap that Vista has in it. He is doing the right thing by NOT trusting a Vista machine to accurately represent the IP traffic passing through it.

      I personally would have done it with a Linux machine myself using Ethereal or something reliable. The fact is you cannot trust Vista to report the packets in an unbiased manner. It could theoretically drop these packets before they make it to your OS.

      Either way if you set up a ARP spoofing attack on your own network (or have a managed switch) it would be better means of packet sniffing the network so that you dont even have to remote into Vista to get this going.

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
    7. Re:I call bullshit. by gujo-odori · · Score: 5, Insightful

      Yeah, I looked at the wide-ranging place he's getting connections from and asked myself, "Now, what do IPs in all those places - especially China - tend to have in common?" I've been working in email security for four years and was a postmaster before that, so I had a ready answer to that question; zombies.

      P2P and fast-flux networks is the current cutting edge of botnets, and that fits with all the inbound connections he's seeing.

      The explanation that fits best with his experience is that his Vista box has already been owned and has become part of a botnet.

      While his conspiracy theory that Microsoft is in bed with DoD, DOHS, and Haliburton (gimme a break!) is clearly anti-MS FUD, there is good reason to draw a bad conclusion about Vista from this. One of Vista's big selling points was better security, yet here we have somebody stepping up front and center with an apparently freshly installed and freshly owned Vista box.

      The article doesn't speak well of Vista, but not for the tinfoil hat theory advanced by its author.

      The other leading theory, which has been advanced by a number of others, is that he's running bit torrent or another P2P app. This is also plausible, and if the zombie theory is wrong, then the P2P app theory still holds. Bhy far the least likely explanation is the conspiracy theory advanced by the author.

    8. Re:I call bullshit. by arth1 · · Score: 2, Insightful

      One thing worth noting is that Vista-running boxes don't have telepathic connections to the US DoD, Halliburton and all the others. They won't know that his machine runs Vista and to contact him unless they're told about it -- normally by an outgoing request.
      If there's no outgoing requests, but just incoming, this is more likely to be cached P2P entries, where the outside hosts are trying to reach a (now gone) peer, be it bittorrent, edonkey, kademlia or whatever.
      It would have been very interesting to see the incoming port numbers that the outside clients are trying to connect to. My bet would be on these being p2p software ports -- quite possibly known because this very same guy was leeching pr0n the night before.

    9. Re:I call bullshit. by Anonymous Coward · · Score: 1, Insightful

      More likely he was running P2P software on one of the machines on the network and Peerguardian was picking up the network scans.

    10. Re:I call bullshit. by mikkelm · · Score: 2, Insightful

      So, what, he has the Vista machine and the XP machine sharing a hub of all things, or does he have a SPAN session up? Why does he feel the need to remote desktop to a local machine that's in all likelihood in the same room as the Vista machine to take a desktop of some rather anonymous looking "port scanner" that's lacking any real verifiable bits of information?

      If this guy is doing this internally, why is the remote desktop session showing 192.168.0.1, and the PeerGuardian logs showing a destination of 24.247.148.173? Surely if these two machines are on the same network with internal addresses, there's a NAT box somewhere stripping any evidence of the global outside destination in the original IP header. Even if the XP box is sitting at the end of a SPAN port monitoring traffic, why is he delegating global IP addresses to his equipment behind his router?

      If the XP box is in a DMZ, is it really any wonder that it's receiving random traffic from large bot infested networks, and even then, why is the traffic so infrequent, and why are there no regular ISP ranges like you'd normally find in a promiscuous scan of incoming traffic?

      This just does not look credible at all.

    11. Re:I call bullshit. by Ravnen · · Score: 3, Insightful

      For the first time in many years, I agree that /. ain't what it used to be.

      I'm afraid I have to agree. The misleading article summaries are bad enough, ranging from being irrelevant to actually implying the opposite of what the articles in question say, but I find it hard to believe the Slashdot editors would really believe the sort of claptrap written in this article. I think the sad reality is that they know it's drivel, but also that it will generate traffic, especially from the nutter contingent, and this, in my view, reflects poorly on their integrity.

    12. Re:I call bullshit. by KDR_11k · · Score: 3, Insightful

      there is good reason to draw a bad conclusion about Vista from this. One of Vista's big selling points was better security, yet here we have somebody stepping up front and center with an apparently freshly installed and freshly owned Vista box.

      However, we don't know how much user error was involved.There's always the chance that he was running admin and clicked yes when it asked him whether vista_activation_keygen.exe should be allowed to run with full admin rights...

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    13. Re:I call bullshit. by Skreems · · Score: 2, Insightful

      You'd be amazed by the number of government employees who run BitTorrent on work machines...

      --
      Slashdot needs a "-1, Wrong" moderation option.
      The Urban Hippie
    14. Re:I call bullshit. by uvajed_ekil · · Score: 3, Insightful

      He said the traffic in question related to his home network, not necessarily the machine that was running Peer Guardian 2 for the screenies, right? I don't know how much difference this makes, just playing devil's advocate and trying not to dismiss every concern as BS. It's easy to ignore everyone's alarming claims as over zealous, misunderstood data, but maybe we should take this type of thing more seriously until we have all the facts.

      --
      This is a hacked account, for which the owner can not be held responsible.
    15. Re:I call bullshit. by smilindog2000 · · Score: 4, Insightful

      I found the responses to this article very informative. The article itself was just some college kid, probably not the world's greatest network analyst. However, the responses include some very insightful comments. I think it's wise of /. to pick articles that invoke interesting dialog, and if you take that measure into account, this article isn't half bad. In particular, if I similar connections to my home network in the future, my first thought will be "zombie or P&P", rather than "world governments are spying on me".

      Actually, my first reaction to this article was "What! The US doesn't need to make connections to spy on me!" With AT&T's big fat pipe to the NSA, the government get's all the data it wants about me, even though I run Ubuntu.

      --
      Beer is proof that God loves us, and wants us to be happy.
  2. Highly Suspicious to me... by tgatliff · · Score: 5, Insightful

    Either M$ is the dumbest company on earth, or this is a scam article. I would assume that if M$ was in fact monitoring users, which I think is quite possible, then all of the information would go back to Redmond and then distributed to the appropriate groups. At least this way they have plausible deniability....

    Also, "Halliburton"? Give me a break.... First, what type of tool is going to return a text output so blunt... Not is not "HA-39214", but instead is just "Haliburton" the evil company.... Also, I am certainly not a fan of the company and its former involvement with the vice president which just smells bad to begin with, but what in the world would a military contracting company that fufills soft drinks, food, oil, and other supplies to military groups want to monitor computers... This is just unrealistic...

    1. Re:Highly Suspicious to me... by Anonymous Coward · · Score: 3, Insightful

      whois 34.60.236.180
      [Querying whois.arin.net]
      [whois.arin.net]

      OrgName: Halliburton Company
      OrgID: HALLIB-1
      Address: 10200 Bellaire Blvd
      City: Houston
      StateProv: TX
      PostalCode: 77072-5299
      Country: US

      NetRange: 34.0.0.0 - 34.255.255.255
      CIDR: 34.0.0.0/8
      NetName: HALLIBURTON
      NetHandle: NET-34-0-0-0-1

      and so on. So, yes, it's in Halliburton's IP range. That still does not mean anything, though. PG as a traffic analysis tool is a joke, as others pointed out already. At least he could have displayed the destination port and check what service is supposed to listen to it, if any. This way it might very well be just a bunch of zombies portscanning away[*] - there are a bunch of University addresses (Purdue, Athens, Rio) and a couple of Chinese IPs. Wow, MS must have really sold out to the barbarian invaders, right?

      [*] I'm giving the guy the benefit of the doubt about these not being attempts to connect to his previously-running p2p application, although with the carefully-trimmed destination ports from his screen-captures maybe I shouldn't. After all, he was clever enough to tune this blog entry to the net-herd paranoia and get hits from at least /.

  3. FUD by gregholt · · Score: 2, Insightful

    Yawn. 1/10 for FUD. Slashdot FUD: "...showing connections to..." Source: "...trying to connect to..." Nice faulty translation there. Tons of system try to connect to every other system on the Internet; bad guys, good guys and just curious guys. Also from the source: "...my computer even in an idle state..." The processes active on a target system is not indicative of what other systems are trying to do in most cases. Plz may I'z haves moore FUD. K thx.

  4. Re:PeerGurdian is not a legitimate investigative t by CastrTroy · · Score: 4, Insightful

    Which when you think of it, makes complete sense, because the Internet was invented for and by the military.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  5. I was going to mod you down... by msimm · · Score: 4, Insightful

    Just as over-rated. But I realized leaving your post modded higher makes more sense anyway (since you obviously weren't ust trying to be a prick and this why the whole conversations is easy to read).

    As you'll see in one of the follow-up posts to this parent the software is being run on a second systems (since as you point out Vista isn't supported the listener is XP).

    As to the credibility of the rest of the story I suppose that's up for grabs. Or rather reproducibility. Sniffing software is easy enough to install/use. Maybe the poster of the original story is being watched via a government trojan. Maybe there is a backdoor for the government to use to monitor potential criminal. I imagine if ALL Vista systems phoned home like this they'd be drown in data so it's either addition software, activated existing feature or hoax/fluke.

    --
    Quack, quack.
  6. Connection to or from? by Britz · · Score: 4, Insightful

    I guess all those computers are botnets (check out the other connections, DoD is only one among a whole bunch of seemingly random international sites including a couple universities from Brazil and China) trying to get more bots using security holes and trying if they have yet been patched on random IPs.

    Because those are trying to connect TO his computer from the outside, not the other way around.

    What a load of bullcrap. Where does /. pick up its editors?

  7. Statistics by tsa · · Score: 4, Insightful

    Those are some very strong allegations. I can't understand why /. soiled its pages with this. The guy didn't even try other machines and other operating systems. No statistics at all. This is the worst 'article' I've seen so far on /., and I have seen some really bad stuff here already. Indeed, as one poster said, /. is becoming more and more like Digg. And that is NOT a compliment, Taco at al.!

    --

    -- Cheers!

    1. Re:Statistics by TopSpin · · Score: 4, Insightful

      I can't understand why /. soiled its pages with this.

      As I see it, there are two possibilities:

      The first is that the story actually had credibility with Zonk and he was more than happy to put it up. Put Halliburton in a story and the truthers soil themselves. The second; Zonk saw through it like any other technically savy grownup and knew it would be ridiculed. In that case it is a sort of April Fools joke.

      Anyhow, there are plenty of reasonable explanations already posted for the 'evidence' provided. Here is one I didn't notice; why would 'they' use easily identified domains to spy on people? 'They' run the world so clearly 'they' could arrange for something less obvious, no?

      Finally, is there any recourse for a business that has had it's products publicly slandered? I'd hate to see Microsoft get a piece of /. in court, but it wouldn't surprise me if they tried.

      --
      Lurking at the bottom of the gravity well, getting old
  8. Halliburton? by Jeian · · Score: 3, Insightful

    Halliburton?

    He's really grasping, isn't he.

  9. I might've read the article by RichPowers · · Score: 1, Insightful

    Until I saw the bit about the "Halliburton Company" in the summary. Are these nutjubs now required to mention it in every one of their hackneyed theories?

    The worst part about stories like these is that it obscures what the government is really doing to invade our privacy.

    How about some editorial control, Slashdot?

  10. Highly plausible... by Ub3rT3Rr0R1St · · Score: 2, Insightful

    With the fairly recent uproar that occurred with the numerous accounts of illegal wire tapping by part of the Bush administration, why, oh why, would anyone discard this as some sort of sham?

    Now, I'm not agreeing that the proof is 100% credible, and I'm not completely disregarding the fact that this might really be a sham, but the previous experiences the US has had with any sort of monitoring on the peoples should be enough to regard this with high suspicion.

    Monitoring through the internet isn't difficult. You don't need to be a Government agency with vast resources at your disposal. All you need is a terminal, and knowledge. I think the Government has plenty of both. Most people with internet connections don't know how to check the connections going into their computer. They don't know how to "port sniff". This makes for millions upon millions of victims to such an invasion of privacy.

    I strongly believe this should be taken more seriously than it is at the moment. If wire tapping is illegal, and is treated with such priority, then I think this should be handled the same way. We have nothing to lose by assuming this is legitimate, and we have so much more to gain by going directly to the facts, by means of thorough investigation. This shouldn't be taken lightly.

  11. No Destination Ports by tiny69 · · Score: 5, Insightful

    The screenshots conveniently leave out the destination ports. With out that information and without knowing what programs the user had installed or running, the entire article is a waste of time. We have no idea if the traffic is associated with a program he's running or if it's something else. He's concerned about connections that appear to originate from the U.S. Government, but isn't phased by the connections appearing to come from China. Oh noes!?! China has a backdoor in Vista!!

    My guess is that he's running some P2P software. Guess what? The U.S. Government does get 0w3nD and does have problems with viruses, trojans, and P2P software.

    Nothing to see here. Move along....

    --
    Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  12. Worst /. Story Ever? by nuintari · · Score: 2, Insightful

    Okay, this has got to one of the most pointless slashdot stories ever.

    One, he is sniffing with a crappy piece of software that is barely a sniffer. Secondly, unless he has that XP system he claims is a Vista system, monitoring a HUB, not a switch, that the Vista machine's traffic has to go thru, he isn't sniffing anything relevant. Last, this is pointless paranoia.

    You want to see more of your "government conspiracy traffic?" Find someone at an ISP to help you, as you will need a piece of public IP address space. Route it to someplace where you can monitor all the traffic destined to it, and plug nothing into that segment of your network. It just has to exist, and be publicly accessible. It goes nowhere, has no devices in it, it just exists. Then turn your sniffer on, and watch the botnet traffic fly by. Yeah, you will see attacks coming from everywhere, nowhere to go, and still they scan like crazy. And yes, you will see it come from DoD address space too, heaven for-fucking-bid.

    Oh, and when do your sniffing, use a real sniffing tool. Then you can tell us what kind attacks the scary US government is mounting against its most paranoid citizens.

    --

    --Nuintari

    slashdot : where an opinion can be wrong.

  13. Re:think again by Fallingcow · · Score: 4, Insightful

    Peerguardian2 under WinXP commonly shows DoD and other odd incoming requests. Let's see what's on my log of recent attempts right now...

    Kuwait Ministry of Communications
    AAFES/Barracks
    Military Medical Academy

    And a host of other weird entries. I know I've seen DoD on there before... let's check my older logs:

    Federal Electric and Water Authority (WTF?)
    Saudi ARAMCO (oil company)

    OK, no DoD now, but the point is that weird crap shows up in Peerguardian all the time. DoD entries appear fairly frequently. If this guy's run any P2P software in the last, oh, week or two, that'll cause this to happen.

  14. Mods on crack again. by HornWumpus · · Score: 2, Insightful

    Who modded this dweeb insightful.

    Metamoderators please spank these mods.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  15. Yawn! by no-body · · Score: 2, Insightful
    What else is new? That M$oft is in kahuz with all kinds of 3 letter agencies is not new.

    Since Windows XP, info from your XP computer is sent out to Microsoft.com - I don't have it, so I can't report much about it, but with a decent firewall installed, many software packages "call home", repeatedly and totally without justification. One does not need to check daily for updates! Adobe on my top list.

    And - with the recent court approved installing of a sniffer on a potential suspect's computer - doing non-approved sniffer installs is probably more frequent, not even considering botnets.

    It furthers an atmosphere of fear, is not empowering and in short - sucks!

  16. Not plausible at all by teg · · Score: 2, Insightful

    Are there hidden things which the US government or others can use in Vista? Not impossible.

    Should you trust Vista crypto totally, if you really have something to hide? Probably not.

    Would they be as stupid as to let every computer send traffic to DOD computers? Obviously not. Even if most don't know how to monitor traffic, enough do that there would be an immediate uproar.

    Possible "hidden features" would either need the system in question (secret keys....) or would be dormant. If turned on by some events, I'm sure their effects would be non-obvious too. Sending network packages to a DOD address isn't.

    This story is BS.

  17. Re:PeerGurdian is not a legitimate investigative t by Sycraft-fu · · Score: 2, Insightful

    Specifically, they run G. Because of the development of the Internet as on originally military project, and then subsequently adding US research institutions, it turns out there's a reasonable chance your query will go to some entity that's a part of, or beholden to, the US government. H is run by the Army Research Lab, and E is run by NASA (which is a government agency). The only roots not run by a US company, university of the US government are I, K, and M.

    If this guy wants to actually prove anything ro see what is going on, he needs to first find out what the address is for, and then toss a software firewall or other sniffer on the Vista box to see what process is interacting with it.

    I do love the conspiracy theorists that think that someone like MS is smart and sneaky enough to build monitoring like this in, and assume it won't be found (please remember there are a lot of places with the Windows source code http://www.microsoft.com/resources/sharedsource/de fault.mspx) but stupid enough that the address it talks to is tagged as DoD. You know because the DoD couldn't quietly get a block of addresses from Cox that would show up to the world as just any other cable modem IPs.