Slashdot Mirror
US Government Checking Up On Vista Users?
Paris The Pirate writes "This article at Whitedust displays some very interesting logs from Vista showing connections to the DoD Information Networking Center, United Nations Development program and the Halliburton Company; for no reason other than the machine was running Vista. From the article 'After running Vista for only a few days — with a complete love for the new platform the first sign of trouble erupted. I began noticing latency on my home network connection — so I booted my port sniffing software and networking tools to see what was happening. What I found was foundation shaking. The two images below show graphical depictions of what has and IS trying to connect to my computer even in an idle state'."
I swear this place is becoming more and more like Digg everyday. I'm no longer renewing my Slashdot subscription while I can get this same quality news for free elsewhere. Where do I start?
::yawn::
1.The screenshots clearly show WinXP, not Vista. In fact, this guy's ultra-leet "port sniffing software and networking tools" is PeerGuardian 2. Straight from the product's home page: Note: PeerGuardian 2 does not support Windows Vista at the moment. This is a top priority, and we hope to have a Vista download soon.
2. Lame screen shots from some Windows app isn't enough to validate a conspiracy theory. Where's the complete traffic dump? And not from some random guy and his "fanboy" friend; how about a creditable network security organization? Hell, I'd even settle for an intern with his CCNA.
3. Hard to tell because all we have are screen shots, but it looks like nothing more than port scans.
(Guess is this is what I get for spending a beautiful Sunday afternoon indoors, on my computer).
Entrepreneur : (noun), French for "unemployed"
The DOD NIC runs one of the DNS root servers. Yes, that's right... his DNS requests are sometimes going to the Department of Defense! Burn the government down.
It's not even a Vista screen
That's because the FBI installed XP in the middle of the night.
Table-ized A.I.
Either M$ is the dumbest company on earth, or this is a scam article. I would assume that if M$ was in fact monitoring users, which I think is quite possible, then all of the information would go back to Redmond and then distributed to the appropriate groups. At least this way they have plausible deniability....
Also, "Halliburton"? Give me a break.... First, what type of tool is going to return a text output so blunt... Not is not "HA-39214", but instead is just "Haliburton" the evil company.... Also, I am certainly not a fan of the company and its former involvement with the vice president which just smells bad to begin with, but what in the world would a military contracting company that fufills soft drinks, food, oil, and other supplies to military groups want to monitor computers... This is just unrealistic...
Yawn. 1/10 for FUD. Slashdot FUD: "...showing connections to..." Source: "...trying to connect to..." Nice faulty translation there. Tons of system try to connect to every other system on the Internet; bad guys, good guys and just curious guys. Also from the source: "...my computer even in an idle state..." The processes active on a target system is not indicative of what other systems are trying to do in most cases. Plz may I'z haves moore FUD. K thx.
this is just normal scans that everyone gets all the time. nothing to do with having vista installed.
Which when you think of it, makes complete sense, because the Internet was invented for and by the military.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Great plan genius- now we have to find someone who bought Vista! :)
Posting anonymously for obvious reasons...
I work in one of the extraterrestial government agencies not in question, and I can confirm that we have been doing this. To be fair to United States government, they had no choice to let us in. It's been going on for years now. Right here, directly out of our own network, so that any retard with a freeware tcpdump/traceroute frontend can see exactly what they're up to.
PS: this isn't real.
Isn't this inbound stuff? Isn't this the same crap that ZoneAlarm blocks for me constantly?
So he installed Vista, plus his warez, and now he's seeing suspicious network connections? Get a grip.
I'd like to see a bare install of Vista (legit), with no other programs running, and connection monitoring being done on a router in between the Vista box and the internet, before I will believe this. And I say this as a die-hard Linux user who has barely touched XP.
I suffer from attention surplus disorder.
Just as over-rated. But I realized leaving your post modded higher makes more sense anyway (since you obviously weren't ust trying to be a prick and this why the whole conversations is easy to read).
As you'll see in one of the follow-up posts to this parent the software is being run on a second systems (since as you point out Vista isn't supported the listener is XP).
As to the credibility of the rest of the story I suppose that's up for grabs. Or rather reproducibility. Sniffing software is easy enough to install/use. Maybe the poster of the original story is being watched via a government trojan. Maybe there is a backdoor for the government to use to monitor potential criminal. I imagine if ALL Vista systems phoned home like this they'd be drown in data so it's either addition software, activated existing feature or hoax/fluke.
Quack, quack.
indeed. When I was running Peer Gaurdian, I got DOD requests all the time in XP. This is a non-story
Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
I guess all those computers are botnets (check out the other connections, DoD is only one among a whole bunch of seemingly random international sites including a couple universities from Brazil and China) trying to get more bots using security holes and trying if they have yet been patched on random IPs.
/. pick up its editors?
Because those are trying to connect TO his computer from the outside, not the other way around.
What a load of bullcrap. Where does
Those are some very strong allegations. I can't understand why /. soiled its pages with this. The guy didn't even try other machines and other operating systems. No statistics at all. This is the worst 'article' I've seen so far on /., and I have seen some really bad stuff here already. Indeed, as one poster said, /. is becoming more and more like Digg. And that is NOT a compliment, Taco at al.!
-- Cheers!
Halliburton?
He's really grasping, isn't he.
Okay, so maybe the US government and Halliburton are checking up on Vista users, but that's benign compared to the folks after us FreeBSD users. I whois'ed some of my port scan logs and found McGraw Hill, The Washington Post, the BBC, and Ikea. Now that is one terrifying conspiracy. Eisenhower was right when he warned us of the dangers of the media-Swedish furniture complex.
Seriously, though. Worms and botnets are endemic and every organization has boxes probing the internet without their knowledge. Doesn't mean they're out to get you.
I always hated people who would whine about Slashdot story selection, but come on, editors, use a little discretion. You're just helping spread paranoid stupidity.
Don't be sillly. The RIAA will sue you with much less evidence than a screenshot.
With the fairly recent uproar that occurred with the numerous accounts of illegal wire tapping by part of the Bush administration, why, oh why, would anyone discard this as some sort of sham?
Now, I'm not agreeing that the proof is 100% credible, and I'm not completely disregarding the fact that this might really be a sham, but the previous experiences the US has had with any sort of monitoring on the peoples should be enough to regard this with high suspicion.
Monitoring through the internet isn't difficult. You don't need to be a Government agency with vast resources at your disposal. All you need is a terminal, and knowledge. I think the Government has plenty of both. Most people with internet connections don't know how to check the connections going into their computer. They don't know how to "port sniff". This makes for millions upon millions of victims to such an invasion of privacy.
I strongly believe this should be taken more seriously than it is at the moment. If wire tapping is illegal, and is treated with such priority, then I think this should be handled the same way. We have nothing to lose by assuming this is legitimate, and we have so much more to gain by going directly to the facts, by means of thorough investigation. This shouldn't be taken lightly.
That's as may be, but a default OS installation should have no reason to talk to any of the root servers. Only a machine RUNNING a DNS server should have any reason to communicate with root servers.
Jherico
What can the average user can do to ensure his security? "Nothing, you're screwed"
Is it possible that this box was taken over by a hacker and is trying to attack DoD addresses? As opposed to some alleged "phone home" behavior that Vista is showing?
The screenshots conveniently leave out the destination ports. With out that information and without knowing what programs the user had installed or running, the entire article is a waste of time. We have no idea if the traffic is associated with a program he's running or if it's something else. He's concerned about connections that appear to originate from the U.S. Government, but isn't phased by the connections appearing to come from China. Oh noes!?! China has a backdoor in Vista!!
My guess is that he's running some P2P software. Guess what? The U.S. Government does get 0w3nD and does have problems with viruses, trojans, and P2P software.
Nothing to see here. Move along....
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
Okay, this has got to one of the most pointless slashdot stories ever.
One, he is sniffing with a crappy piece of software that is barely a sniffer. Secondly, unless he has that XP system he claims is a Vista system, monitoring a HUB, not a switch, that the Vista machine's traffic has to go thru, he isn't sniffing anything relevant. Last, this is pointless paranoia.
You want to see more of your "government conspiracy traffic?" Find someone at an ISP to help you, as you will need a piece of public IP address space. Route it to someplace where you can monitor all the traffic destined to it, and plug nothing into that segment of your network. It just has to exist, and be publicly accessible. It goes nowhere, has no devices in it, it just exists. Then turn your sniffer on, and watch the botnet traffic fly by. Yeah, you will see attacks coming from everywhere, nowhere to go, and still they scan like crazy. And yes, you will see it come from DoD address space too, heaven for-fucking-bid.
Oh, and when do your sniffing, use a real sniffing tool. Then you can tell us what kind attacks the scary US government is mounting against its most paranoid citizens.
--Nuintari
slashdot : where an opinion can be wrong.
http://zapatopi.net/mindguard/
Peerguardian2 under WinXP commonly shows DoD and other odd incoming requests. Let's see what's on my log of recent attempts right now...
Kuwait Ministry of Communications
AAFES/Barracks
Military Medical Academy
And a host of other weird entries. I know I've seen DoD on there before... let's check my older logs:
Federal Electric and Water Authority (WTF?)
Saudi ARAMCO (oil company)
OK, no DoD now, but the point is that weird crap shows up in Peerguardian all the time. DoD entries appear fairly frequently. If this guy's run any P2P software in the last, oh, week or two, that'll cause this to happen.
Who modded this dweeb insightful.
Metamoderators please spank these mods.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Since Windows XP, info from your XP computer is sent out to Microsoft.com - I don't have it, so I can't report much about it, but with a decent firewall installed, many software packages "call home", repeatedly and totally without justification. One does not need to check daily for updates! Adobe on my top list.
And - with the recent court approved installing of a sniffer on a potential suspect's computer - doing non-approved sniffer installs is probably more frequent, not even considering botnets.
It furthers an atmosphere of fear, is not empowering and in short - sucks!
With PeerGuardian, you see all kinds of crap. I doubt anyone is checking up on him due to Vista. It's more likely his IP is confused for one running P2P.
I mean, hell, 38.100.26.190 (SafeNet / MediaSentry) has been DoSing me with 10 connections/second bursts for ages now because I once clicked the wrong torrent but you don't see me writing Slashdot stories over it.
I actually did contract test work at Microsoft, testing a Vista component that used the network.
So I ran its networking through a seperate machine that ran ethereal, and studied the logs in great detail. I also watched for any 'privacy issues'. Basically, anytime Vista 'phones home' it's required to be by the user Opt-In, and never as a default. If you didn't read the EULA/Privacy Policy, etc. and just kept hitting 'I Agree', 'Accept' and 'Next' every dialog... you might get some things you didn't expect
say you visit a HTTPS url... aside from what actually appears on the page (content + ads) you may need: the digital certificates for the signing authority, revocation lists, accurate time, to check for expiration, DNS, Sytle Sheets, DTDs... a lot of that can be cached, but at some point they may be automatically downloaded.
Playing a (non-DRM) song?, you may get the album information automatically.
Plus all the non-MS software 'phoning home', Adobe Acrobat reader, Quicktime Updater, HP printer drivers, anti-virus updates, *Peer Guardian blocklist updates*
As for the incoming connections mentioned in the article, it seems well within Homeland Securities domain to scan for botnet and such infected machines, in order to defend against DOS attacks on critical infrastructure (like root DNS servers).
I once did a Google search for 'attrs' using Firefox on a Linux box. What popped up was a box asking me to accept a Department of Defense digital signature, served from a DOD server.
why? Google had suggested I was looking for 'atrrs' which was a DOD term, and Firefox tried to pre-load the first result, which was a DOD run website, which popped up the certificate from a site I did not intend to visit! If there is a conspiracy, then Google, Mozilla, and Slackware are in on it.
Are there hidden things which the US government or others can use in Vista? Not impossible.
Should you trust Vista crypto totally, if you really have something to hide? Probably not.
Would they be as stupid as to let every computer send traffic to DOD computers? Obviously not. Even if most don't know how to monitor traffic, enough do that there would be an immediate uproar.
Possible "hidden features" would either need the system in question (secret keys....) or would be dormant. If turned on by some events, I'm sure their effects would be non-obvious too. Sending network packages to a DOD address isn't.
This story is BS.
I'd like to applaud the commitment and bravery of the researchers in bringing this information into the public domain.
I'm from a similar underground organization, and have been monitoring Vista for some time. Notable connections we have so far made are:
Dinosauroid-like Alien Reptiles using Vista UMPCs are dominating the World
Apollo 11 Moon Landings were faked by Vista
September 11 was orchestrated by the U. S. government using Vista and Workflow Foundation
etc.
It's pretty conclusive stuff, people.
(Conspiracies kindly provided by http://www.2spare.com/item_43133.aspx - note it's on an IIS server - don't trust it. The truth is out there!)
Specifically, they run G. Because of the development of the Internet as on originally military project, and then subsequently adding US research institutions, it turns out there's a reasonable chance your query will go to some entity that's a part of, or beholden to, the US government. H is run by the Army Research Lab, and E is run by NASA (which is a government agency). The only roots not run by a US company, university of the US government are I, K, and M.
e fault.mspx) but stupid enough that the address it talks to is tagged as DoD. You know because the DoD couldn't quietly get a block of addresses from Cox that would show up to the world as just any other cable modem IPs.
If this guy wants to actually prove anything ro see what is going on, he needs to first find out what the address is for, and then toss a software firewall or other sniffer on the Vista box to see what process is interacting with it.
I do love the conspiracy theorists that think that someone like MS is smart and sneaky enough to build monitoring like this in, and assume it won't be found (please remember there are a lot of places with the Windows source code http://www.microsoft.com/resources/sharedsource/d
I *think* that what happens is that the Peerguardian folks blacklist whole IP blocks based on their nominal ownership, so three things might cause them to show up:
1) The attempted connection is actually a P2P monitoring or spyware thing coming from a DoD machine, and is legitimately blocked and correctly labeled
2) Someone's running P2P software on a DoD machine (or their own machine on a DoD network).
3) Someone's running P2P software on a NON-government machine that is unlucky enough to be on the same IP block, for whatever reason, so the label's actually wrong.
I'd imagine that's how a lot of the weirder ones show up, like "CHINANET henan province network" and "Zhuji Municipal People's Government" (those are real entries from my log right now) and crap like that; Peerguardian just blocks chunks of IP space that are owned by any governmental agencies in any country.
I don't KNOW this to be the case, but it seems to be what's going on.
Imagine that he disconnects his LAN from the internet. . . . and keeps getting the DoD traffic!! OMFG!! The DoD is hiding somewhere in his house! Probably with a big butcher knife or a a hook or one of those chain saws with a silencer that government assassins are now using.
Now what's he doing? No, you FOOL! Don't go into the server closet!!!
It's not offtopic, dumbass. It's orthogonal.
No, sir, I call BS on your post. If you'd ever installed Windows Server 2003, you'd know the following:
1) Firewall defaults to ON out of the box on a default install UNLESS you're installing it into an existing domain with a DC GPO that forces it to off. (read: if so, you set it up that way, stfu)
2) Machine does not allow incoming connections until you close the Manage Your Server dialog. It brings this fact to your attention no less than 3 times during the initial setup. (read: after first boot, OS configuration, server type setup, domain creation, role assignment, windows update -- unless you close the dialog without doing that, in which case, again, your fault, stfu)
3) Machine really does not want to allow incoming connections until you complete a Windows Update and does make you click OK about 3 times to enable incoming connections.
4) Did I yet mention that you have to explicitly close a dialog that says 'No Incoming Connections are allowed until you close this dialog.' before it will allow incoming connections? I wanted to make sure I mentioned that.
So, no. I've never, ever installed Windows 2003 Server and 'accidentally' had a network cable installed, only to find that within 45 seconds it was crippled, and neither have you, because it's not possible unless you personally clicked 'yes, allow incoming connections to my unpatched, non-updated machine, and hey, while you're at it, let me open firewall.cpl (or the firewall control panel applet for you non command-line users) and disable the firewall'. See, because that's what you would have had to have done to create a situation that could exhibit those results, in case you weren't aware. I am, because I've installed Windows Server 2003, and all flavors thereof, no less than 100 times.
Thanks for playing, game over.
To the darkened skies once more, and ever onward.
http://www.microsoft.com/technet/community/column
"Keep at least 3-6 full bottles of hard alcohol on hand, a 2 week resignation notice,..." - Poetmatt