US Government Checking Up On Vista Users?

Paris The Pirate writes "This article at Whitedust displays some very interesting logs from Vista showing connections to the DoD Information Networking Center, United Nations Development program and the Halliburton Company; for no reason other than the machine was running Vista. From the article 'After running Vista for only a few days — with a complete love for the new platform the first sign of trouble erupted. I began noticing latency on my home network connection — so I booted my port sniffing software and networking tools to see what was happening. What I found was foundation shaking. The two images below show graphical depictions of what has and IS trying to connect to my computer even in an idle state'."

I call bullshit.

[XorNand]

I swear this place is becoming more and more like Digg everyday. I'm no longer renewing my Slashdot subscription while I can get this same quality news for free elsewhere. Where do I start?

1.The screenshots clearly show WinXP, not Vista. In fact, this guy's ultra-leet "port sniffing software and networking tools" is PeerGuardian 2 [phoenixlabs.org]. Straight from the product's home page: Note: PeerGuardian 2 does not support Windows Vista at the moment. This is a top priority, and we hope to have a Vista download soon.

2. Lame screen shots from some Windows app isn't enough to validate a conspiracy theory. Where's the complete traffic dump? And not from some random guy and his "fanboy" friend; how about a creditable network security organization? Hell, I'd even settle for an intern with his CCNA.

3. Hard to tell because all we have are screen shots, but it looks like nothing more than port scans. ::yawn::

(Guess is this is what I get for spending a beautiful Sunday afternoon indoors, on my computer).

Re:I call bullshit.

[igotmybfg]

1.The screenshots clearly show WinXP, not Vista. In fact, this guy's ultra-leet "port sniffing software and networking tools" is PeerGuardian 2. Straight from the product's home page: Note: PeerGuardian 2 does not support Windows Vista at the moment. This is a top priority, and we hope to have a Vista download soon.

The screenshots also clearly show another computer is involved, since he is remoting from his Vista PC to his Windows PC. Perhaps they are both on the same network, and he has reason to believe that these connections are being caused by having Vista on the network.

Re:

[entgod]

I love how you're clearly indicating that vista ist't windows enough to be windows :)

Re:

[Tuoqui]

Well considering all the DRM and crap that Vista has in it. He is doing the right thing by NOT trusting a Vista machine to accurately represent the IP traffic passing through it.

I personally would have done it with a Linux machine myself using Ethereal or something reliable. The fact is you cannot trust Vista to report the packets in an unbiased manner. It could theoretically drop these packets before they make it to your OS.

Either way if you set up a ARP spoofing attack on your own network (or have a manag

I doubt it's due to Vista...

[Anonymous Coward]

With PeerGuardian, you see all kinds of crap. I doubt anyone is checking up on him due to Vista. It's more likely his IP is confused for one running P2P.

I mean, hell, 38.100.26.190 (SafeNet / MediaSentry) has been DoSing me with 10 connections/second bursts for ages now because I once clicked the wrong torrent but you don't see me writing Slashdot stories over it.

Re:I call bullshit.

[uvajed_ekil]

He said the traffic in question related to his home network, not necessarily the machine that was running Peer Guardian 2 for the screenies, right? I don't know how much difference this makes, just playing devil's advocate and trying not to dismiss every concern as BS. It's easy to ignore everyone's alarming claims as over zealous, misunderstood data, but maybe we should take this type of thing more seriously until we have all the facts.

This would make a great scary movie.

[Ohreally_factor]

Imagine that he disconnects his LAN from the internet. . . . and keeps getting the DoD traffic!! OMFG!! The DoD is hiding somewhere in his house! Probably with a big butcher knife or a a hook or one of those chain saws with a silencer that government assassins are now using.

Now what's he doing? No, you FOOL! Don't go into the server closet!!!

No, sir, it is you who is full of shit of a bull.

[SyncNine]

No, sir, I call BS on your post. If you'd ever installed Windows Server 2003, you'd know the following:

1) Firewall defaults to ON out of the box on a default install UNLESS you're installing it into an existing domain with a DC GPO that forces it to off. (read: if so, you set it up that way, stfu)
2) Machine does not allow incoming connections until you close the Manage Your Server dialog. It brings this fact to your attention no less than 3 times during the initial setup. (read: after first boot, OS configuration, server type setup, domain creation, role assignment, windows update -- unless you close the dialog without doing that, in which case, again, your fault, stfu)
3) Machine really does not want to allow incoming connections until you complete a Windows Update and does make you click OK about 3 times to enable incoming connections.
4) Did I yet mention that you have to explicitly close a dialog that says 'No Incoming Connections are allowed until you close this dialog.' before it will allow incoming connections? I wanted to make sure I mentioned that.

So, no. I've never, ever installed Windows 2003 Server and 'accidentally' had a network cable installed, only to find that within 45 seconds it was crippled, and neither have you, because it's not possible unless you personally clicked 'yes, allow incoming connections to my unpatched, non-updated machine, and hey, while you're at it, let me open firewall.cpl (or the firewall control panel applet for you non command-line users) and disable the firewall'. See, because that's what you would have had to have done to create a situation that could exhibit those results, in case you weren't aware. I am, because I've installed Windows Server 2003, and all flavors thereof, no less than 100 times.

Thanks for playing, game over.

Re:No, sir, it is you who is full of shit of a bul

[bensode]

Actually, Windows Server 2003 SP0 has no firewall -- you get that with SP1 or R2 versions. So tone down your pwnt rant it's obvious you have not installed all flavors thereof and the ink on your MS cert must still be wet. To be perfectly clear here, let's go to the source, Microsoft. I've pasted the important bits after the link. No need to believe me, just google "introduction of firewall Windows server 2003".

http://www.microsoft.com/technet/community/columns /cableguy/cg1204.mspx [microsoft.com]

Differences in Default Behavior for Windows Firewall
Windows Server 2003 SP1 includes Windows Firewall, which works the same way as Windows Firewall in Windows XP SP2. However, because the purpose of a server computer is to accept incoming unsolicited traffic, Windows Firewall for Windows Server 2003 SP1 is disabled by default.

The exception to this behavior is the following: for a new installation of Windows Server 2003 that already includes SP1 (known as a slipstream installation), Windows Firewall is enabled by default for the duration of the Post-Setup Security Updates, a portion of the initial setup of the server computer in which the latest security fixes are downloaded and installed from Windows Update and Automatic Updates are configured. After the Post-Setup Security Updates is complete, Windows Firewall is disabled. If you do not want the Post-Setup Security Updates, you can use the Unattend.txt file or Group Policy to configure Windows Firewall settings. The Post-Setup Security Updates does not occur if there are configured Windows Firewall settings.

You can enable Windows Firewall on a computer running Windows Server 2003 with SP1 manually using the Windows Firewall component of Control Panel, through Group Policy settings as described in Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2, or you can use the new Security Configuration Wizard in Windows Server 2003 SP1. The Security Configuration Wizard is the recommended method to enable and configure Windows Firewall and other security settings on computers running Windows Server 2003 with SP1.

Re:

[ClubStew]

It's nothing more than FUD.

Besides, if he wrote a paper and his professor was shocked, I'm sure it was only because of his horrible grammar (ex: countries instead of country's). Sheesh. If you're going to spread FUD, at least try to sound intelligent.

Re:I call bullshit.

[avaric3]

The machine running the peer guardian is an XP machine. It is sniffing traffic on the local network and filtering out all the results that don't originate from the vista machine. He is running remote desktop from the Vista machine to the XP machine (the one running Peer Guardian). He probably did this because of the issues that software has with Vista, or possible because he feels that Vista would hide this information from programs running locally.

Re:

[mikkelm]

So, what, he has the Vista machine and the XP machine sharing a hub of all things, or does he have a SPAN session up? Why does he feel the need to remote desktop to a local machine that's in all likelihood in the same room as the Vista machine to take a desktop of some rather anonymous looking "port scanner" that's lacking any real verifiable bits of information?

If this guy is doing this internally, why is the remote desktop session showing 192.168.0.1, and the PeerGuardian logs showing a destination of 24.

Re:

[Khazunga]

Surely if these two machines are on the same network with internal addresses, there's a NAT box somewhere stripping any evidence of the global outside destination in the original IP header.

Please go read up on NAT. Of course the destination IP is there. Nat is supposed to be transparent for the computers involved.

Re:

[mikkelm]

Well, I could explain to you how you are misunderstanding either my post or NAT, but since you started out so rudely, I'll just leave this hanging for people to chuckle at.

Re:

[VGPowerlord]

Please go read up on NAT. Of course the destination IP is there. Nat is supposed to be transparent for the computers involved.

You weren't talking to me, but I have read up on NAT.

Since the other reply didn't say it, I will: If the XP machine was behind a NAT, the destination address would have been rewritten by the NAT. In other words, the IP would have been in one of the RFC1918 [faqs.org] address ranges:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255

Re:I call bullshit.

[Anonymous Coward]

I agree, but .. you missed the best part.
PeerGuardian is for blocking *incoming* connections, this has nothing to do with Vista *AT ALL*.
The names that show up against the IP are taken from user submitted rule files(In case you didn't know this is so that IP's from RIAA/MPAA employed companies can be blocked-who log all ip's connected to any torrent as seeds/leeches). There is no validation on the name corresponding to the IP. Complete and utter FUD.
Even the IPs DID correspond to DoD etc.. there is a completely plausible reason for that.
Bit torrent clients cache IP addresses so that they can connect to all the seeds/leeches in case the torrent managing host goes down. All this has proven is that the US Government uses Bit torrent.

Re:think again

[Fallingcow]

Peerguardian2 under WinXP commonly shows DoD and other odd incoming requests. Let's see what's on my log of recent attempts right now...

Kuwait Ministry of Communications
AAFES/Barracks
Military Medical Academy

And a host of other weird entries. I know I've seen DoD on there before... let's check my older logs:

Federal Electric and Water Authority (WTF?)
Saudi ARAMCO (oil company)

OK, no DoD now, but the point is that weird crap shows up in Peerguardian all the time. DoD entries appear fairly frequently. If this guy's run any P2P software in the last, oh, week or two, that'll cause this to happen.

Re:

[Fallingcow]

I *think* that what happens is that the Peerguardian folks blacklist whole IP blocks based on their nominal ownership, so three things might cause them to show up:

1) The attempted connection is actually a P2P monitoring or spyware thing coming from a DoD machine, and is legitimately blocked and correctly labeled
2) Someone's running P2P software on a DoD machine (or their own machine on a DoD network).
3) Someone's running P2P software on a NON-government machine that is unlucky enough to be on the same IP bl

Re:I call bullshit.

[SocialEngineer]

Maybe he's got multiple machines hooked up to a hub, with the XP machine sniffing in promiscuous mode. Maybe he's tunneling the connection through the XP machine. Who knows. While I too am inclined to call BS, the XP argument doesn't fly.

Re:I call bullshit.

[ptbarnett]

Hard to tell because all we have are screen shots, but it looks like nothing more than port scans.

Or P2P. But, the important part is that he is showing nothing more than incoming frames, and conveniently obscures the destination port(s).

And to even get to the point where PeerGuardian (or whatever) can see the frame, it has to pass through his firewall -- presuming that he has one. And that means he either is explicitly allowing that port through or he made the connection himself.

I wonder what Task Manager would show running?

Re:I call bullshit.

[Igmuth]

And to even get to the point where PeerGuardian (or whatever) can see the frame, it has to pass through his firewall -- presuming that he has one. And that means he either is explicitly allowing that port through or he made the connection himself.

If you look at the screenshots, you can see he's connecting RDP to 192.168.0.1, which is the typical gateway address on most NATs. I think he might actually be running a WinXP box as a firewall. This would explain how he is seeing all of the packets, with the external destination IP. Therefore I wonder if his XP box has just been rooted.

Re:

[spyowl]

I think he might actually be running a WinXP box as a firewall.

And that is the place to stop reading this discussion thread.

Re:I call bullshit.

[guardiangod]

For the first time in many years, I agree that /. ain't what it used to be.

Blah how does this make the front page? There are million of reasons for these connections.

Maybe he is using a dynamic ip based isp and he just got a new ip? Maybe the last person who used that ip was using bittorrent? Botnets trying to reconnect to this ip?

Aside from those "Remote Desktop" xp screenshots, I noticed there are Hei Long Jiang education committee, UN Development program, China Edu and Research Network, and whatever.

I guess the DoD and the "Chinese intelligence agency" are both attacking his computer.

UN probably sent some people to infiltrate his computer as well.

Wait, Hei Long Jiang is right next to Russia? Maybe the KGB is using China's network to go after him as well!*roll eyes*

Even if they are not bt, they might just as well be port scans.

News for nerds, indeed.

Re:

[Dude McDude]

Blah how does this make the front page?

It gives the anti-Microsoft crew yet another chance to bitch and moan.

Re:

[fredklein]

Botnets trying to reconnect to this ip?

Even if they are not bt, they might just as well be port scans.


Port scans from GOVERNMENT computers? Oh, okay, nothing to see here...

Re:

[Skreems]

You'd be amazed by the number of government employees who run BitTorrent on work machines...

Re:I call bullshit.

[gujo-odori]

Yeah, I looked at the wide-ranging place he's getting connections from and asked myself, "Now, what do IPs in all those places - especially China - tend to have in common?" I've been working in email security for four years and was a postmaster before that, so I had a ready answer to that question; zombies.

P2P and fast-flux networks is the current cutting edge of botnets, and that fits with all the inbound connections he's seeing.

The explanation that fits best with his experience is that his Vista box has already been owned and has become part of a botnet.

While his conspiracy theory that Microsoft is in bed with DoD, DOHS, and Haliburton (gimme a break!) is clearly anti-MS FUD, there is good reason to draw a bad conclusion about Vista from this. One of Vista's big selling points was better security, yet here we have somebody stepping up front and center with an apparently freshly installed and freshly owned Vista box.

The article doesn't speak well of Vista, but not for the tinfoil hat theory advanced by its author.

The other leading theory, which has been advanced by a number of others, is that he's running bit torrent or another P2P app. This is also plausible, and if the zombie theory is wrong, then the P2P app theory still holds. Bhy far the least likely explanation is the conspiracy theory advanced by the author.

Re:

[blowdart]

yet here we have somebody stepping up front and center with an apparently freshly installed and freshly owned Vista box.

Incoming P2P connections are proof of ownage? Really? How exactly is showing Peer Guardian *snicker* as a "packet sniffer" on his gateway, which apparently is XP (err, uber 3l1t3 points there) showing incoming traffic from a range of IPs to a Vista machine running P2P software ownage? Heck you can't even tell if it's Vista making the connections, or if they are inbound as normal P2P traf

Re:

[KDR_11k]

there is good reason to draw a bad conclusion about Vista from this. One of Vista's big selling points was better security, yet here we have somebody stepping up front and center with an apparently freshly installed and freshly owned Vista box.

However, we don't know how much user error was involved.There's always the chance that he was running admin and clicked yes when it asked him whether vista_activation_keygen.exe should be allowed to run with full admin rights...

Re:I call bullshit.

[Ravnen]

For the first time in many years, I agree that /. ain't what it used to be.

I'm afraid I have to agree. The misleading article summaries are bad enough, ranging from being irrelevant to actually implying the opposite of what the articles in question say, but I find it hard to believe the Slashdot editors would really believe the sort of claptrap written in this article. I think the sad reality is that they know it's drivel, but also that it will generate traffic, especially from the nutter contingent, and this, in my view, reflects poorly on their integrity.

Re:I call bullshit.

[smilindog2000]

I found the responses to this article very informative. The article itself was just some college kid, probably not the world's greatest network analyst. However, the responses include some very insightful comments. I think it's wise of /. to pick articles that invoke interesting dialog, and if you take that measure into account, this article isn't half bad. In particular, if I similar connections to my home network in the future, my first thought will be "zombie or P&P", rather than "world governments are spying on me".

Actually, my first reaction to this article was "What! The US doesn't need to make connections to spy on me!" With AT&T's big fat pipe to the NSA, the government get's all the data it wants about me, even though I run Ubuntu.

I'm confused

[raftpeople]

Isn't this inbound stuff? Isn't this the same crap that ZoneAlarm blocks for me constantly?

Re:

[JimDaGeek]

1. It shows an RDP from Vista to XP.

2. There is a version that is working on Vista [winmatrix.com]. However it is command line only right now, the GUI is not done.

3. I am sure a lot of people will be monitoring now. This guy just noticed increased traffic from suspicious organizations AFTER he installed Vista. Did you see all of the Vista code? Do you know what info Vista sends and to whom?

It sounds like you are trying to apologize for MS. This sounds just like the crap MS would do. All these connection att

Re:

[arth1]

One thing worth noting is that Vista-running boxes don't have telepathic connections to the US DoD, Halliburton and all the others. They won't know that his machine runs Vista and to contact him unless they're told about it -- normally by an outgoing request.
If there's no outgoing requests, but just incoming, this is more likely to be cached P2P entries, where the outside hosts are trying to reach a (now gone) peer, be it bittorrent, edonkey, kademlia or whatever.
It would have been very interesting to see

Re:

[JimDaGeek]

The last time I checked, Microsoft has more of a liberal / left-wing / Democrat bent than a conservative / right-wing / Republican leaning direction.

Nah, MS is a typical corporate whore that gives bribe money where ever they can to maximize profits. If you look at their SOFT MONEY DONATIONS [opensecrets.org] from 1998, 81% went to the Republicans.

With the current Democrat control, MS will obviously send more bribe money their way.

I was going to mod you down...

[msimm]

Just as over-rated. But I realized leaving your post modded higher makes more sense anyway (since you obviously weren't ust trying to be a prick and this why the whole conversations is easy to read).

As you'll see in one of the follow-up posts to this parent the software is being run on a second systems (since as you point out Vista isn't supported the listener is XP).

As to the credibility of the rest of the story I suppose that's up for grabs. Or rather reproducibility. Sniffing software is easy enough to install/use. Maybe the poster of the original story is being watched via a government trojan. Maybe there is a backdoor for the government to use to monitor potential criminal. I imagine if ALL Vista systems phoned home like this they'd be drown in data so it's either addition software, activated existing feature or hoax/fluke.

Re:I call bullshit. - About Lame Screen Shots

[Nom du Keyboard]

Lame screen shots from some Windows app isn't enough to validate a conspiracy theory.

They're certainly enough to get you sued, and thereafter spending upwards of $100K in legal defense against the RIAA.

Re:I call bullshit. - About Lame Screen Shots

[monoqlith]

Don't be sillly. The RIAA will sue you with much less evidence than a screenshot.

Re:I call bullshit.

[phayes]

Given that the firehose seems to be broken, there's no way to get this unsubstantiated bullshit off slashdot...

Re:

[spyrochaete]

The XP machine is on 192.168.0.1. Maybe he's using it as a router.

Re:

[Oldsmobile]

Ha, ran in to this on Digg myself and immediately got a red warning light flashing in my head.

I do think it's worth posting about on Slashdot since it'll get a better quality debunking here than on Digg.

Re:

[Ash Vince]

I call you a moron.

I can show you screenshots of a windows XP PC that is made to look like windows NT. Many people I knew when XP came out installed it but chose to make it look like the interface they were used to. I have an XP installation on my PC that looks like Unix.

Also, if I wanted to see what traffic an OS was sending to and from the internet, I would not use an app running under that OS. I would telnet to my router and run a traffic monitor on that PC. In my case that would be an old version of Liu

Re:

[Squirmy McPhee]

The screenshots clearly show WinXP, not Vista.

You can identify his OS from a screenshot? If you saw a screenshot of my system you'd swear I run Win2k. I don't.

Re:

[Maniac-X]

Well PeerGuardian doesn't run on Vista, so that's probably why he RDP'd to it.

Though what I can't figure out is why he didn't use actual port sniffing software like WireShark. I call bullshit on this lame post.

Re:

[twistedcubic]

Are you kidding? I bet if subscriptions declined significantly, the situation would improve. Nevertheless, it's not the stories that make Slahdot great, but the posts from experts in so many diverse areas that make it awesome to read, everyday, over and over again.

PeerGurdian is not a legitimate investigative tool

[Anonymous Coward]

The DOD NIC runs one of the DNS root servers. Yes, that's right... his DNS requests are sometimes going to the Department of Defense! Burn the government down.

Re:PeerGurdian is not a legitimate investigative t

[CastrTroy]

Which when you think of it, makes complete sense, because the Internet was invented for and by the military.

Re:

[arth1]

Indeed. That's why one of the other DNS TLD root servers sits in Al Gore's basement...

Re:PeerGurdian is not a legitimate investigative t

[nEoN nOoDlE]

indeed. When I was running Peer Gaurdian, I got DOD requests all the time in XP. This is a non-story

Re:PeerGurdian is not a legitimate investigative t

[Jherico]

That's as may be, but a default OS installation should have no reason to talk to any of the root servers. Only a machine RUNNING a DNS server should have any reason to communicate with root servers.

Re:PeerGurdian is not a legitimate investigative t

[Sycraft-fu]

Specifically, they run G. Because of the development of the Internet as on originally military project, and then subsequently adding US research institutions, it turns out there's a reasonable chance your query will go to some entity that's a part of, or beholden to, the US government. H is run by the Army Research Lab, and E is run by NASA (which is a government agency). The only roots not run by a US company, university of the US government are I, K, and M.

If this guy wants to actually prove anything ro s

Re:

[Jeremiah Cornelius]

Not since Superman died.

Ba-dump!

Um...

[Perseid]

PeerGuardian does NOT qualify as port-sniffing software. I was expecting to see Ethereal logs or something. I ran PG for about 10 minutes, decided it was insane and uninstalled it.

Highly Suspicious to me...

[tgatliff]

Either M$ is the dumbest company on earth, or this is a scam article. I would assume that if M$ was in fact monitoring users, which I think is quite possible, then all of the information would go back to Redmond and then distributed to the appropriate groups. At least this way they have plausible deniability....

Also, "Halliburton"? Give me a break.... First, what type of tool is going to return a text output so blunt... Not is not "HA-39214", but instead is just "Haliburton" the evil company.... Also, I am certainly not a fan of the company and its former involvement with the vice president which just smells bad to begin with, but what in the world would a military contracting company that fufills soft drinks, food, oil, and other supplies to military groups want to monitor computers... This is just unrealistic...

Re:

[Anonymous Coward]

whois 34.60.236.180
[Querying whois.arin.net]
[whois.arin.net]

OrgName: Halliburton Company
OrgID: HALLIB-1
Address: 10200 Bellaire Blvd
City: Houston
StateProv: TX
PostalCode: 77072-5299
Country: US

NetRange: 34.0.0.0 - 34.255.255.255
CIDR: 34.0.0.0/8
NetName: HALLIBURTON
NetHandle: NET-34-0-0-0-1

and so on. So, yes, it's in Halliburton's IP range. That still does not mean anything, though. PG as a traffic analysis tool is a joke, as others pointed out already. At least he could have dis

Simple solution

[Enderandrew]

This looks suspect, as it has been noted before. And it may very well be FUD. However, given that the instructions appear to be laid out, why doesn't someone see if they can replicate this to verify or debunk this with some authority?

I'd do it myself, but I don't have Vista.

Re:Simple solution

[MillionthMonkey]

Great plan genius- now we have to find someone who bought Vista! :)

Re:Never trust a compromised box.

[Technician]

Great plan genius- now we have to find someone who bought Vista! :)

Never trust a compromised box to tell the truth. Wake me when he has router logs instead of Vista logs or worse XP logs of a Vista monitor. Many routers will send connection logs to a 3rd machine. This way you don't have to trust the machine under test. Simply log it's traffic as it passes an external router. Now you have evidence of real traffic.

I was skeptical of the original setup. Was it Vista. The author claimed "idle" while runn

FUD

[gregholt]

Yawn. 1/10 for FUD. Slashdot FUD: "...showing connections to..." Source: "...trying to connect to..." Nice faulty translation there. Tons of system try to connect to every other system on the Internet; bad guys, good guys and just curious guys. Also from the source: "...my computer even in an idle state..." The processes active on a target system is not indicative of what other systems are trying to do in most cases. Plz may I'z haves moore FUD. K thx.

nothing to see here.. move along now

[sonictheboom]

this is just normal scans that everyone gets all the time. nothing to do with having vista installed.

Just Vista?

[orkysoft]

So he installed Vista, plus his warez, and now he's seeing suspicious network connections? Get a grip.

I'd like to see a bare install of Vista (legit), with no other programs running, and connection monitoring being done on a router in between the Vista box and the internet, before I will believe this. And I say this as a die-hard Linux user who has barely touched XP.

Connection to or from?

[Britz]

I guess all those computers are botnets (check out the other connections, DoD is only one among a whole bunch of seemingly random international sites including a couple universities from Brazil and China) trying to get more bots using security holes and trying if they have yet been patched on random IPs.

Because those are trying to connect TO his computer from the outside, not the other way around.

What a load of bullcrap. Where does /. pick up its editors?

Statistics

[tsa]

Those are some very strong allegations. I can't understand why /. soiled its pages with this. The guy didn't even try other machines and other operating systems. No statistics at all. This is the worst 'article' I've seen so far on /., and I have seen some really bad stuff here already. Indeed, as one poster said, /. is becoming more and more like Digg. And that is NOT a compliment, Taco at al.!

Re:Statistics

[TopSpin]

I can't understand why /. soiled its pages with this.

As I see it, there are two possibilities:

The first is that the story actually had credibility with Zonk and he was more than happy to put it up. Put Halliburton in a story and the truthers soil themselves. The second; Zonk saw through it like any other technically savy grownup and knew it would be ridiculed. In that case it is a sort of April Fools joke.

Anyhow, there are plenty of reasonable explanations already posted for the 'evidence' provided. Here is one I didn't notice; why would 'they' use easily identified domains to spy on people? 'They' run the world so clearly 'they' could arrange for something less obvious, no?

Finally, is there any recourse for a business that has had it's products publicly slandered? I'd hate to see Microsoft get a piece of /. in court, but it wouldn't surprise me if they tried [slashdot.org].

Ceiling Cat Is Watching You Masturbate

[bmo]

It's goddamn Windows. Even if this was something to get excited about, Windows users get what they deserve, especially if they're p2p'ing warez like the source of this dodgy "article" was doing.

Set up a pristine Vista machine. Put a box inline with it and run Snort. Post the logs in some sort of reasonable format. Then we might have something to talk about. But this? What can I say, besides "bullshit"? The origin of this may as well be ranting about Ceiling Cat.

--
BMO

Re:

[bmo]

Did you RTFA?

Maybe what I said was a bit over the top, but he got exactly what he deserved. He was p2p'ing warez on Windows. That's the _only_ reason to run PeerGuardian, and you _don't_ need PeerGuardian if you're doing something legal like torrenting Linux distros. I don't know about you, but running p2p on Windows and bitching about weird connections is like, oh I dunno, deliberately peeing on an electric fence and then complaining that it hurts.

I'm sorry if my lack of empathy strikes you as callous, b

Halliburton?

[Jeian]

Halliburton?

He's really grasping, isn't he.

LOL Cat!

[Jeremiah Cornelius]

We'rE In uR Ip'S, SteaLiN' Ur GovAminTS!

I might've read the article

[RichPowers]

Until I saw the bit about the "Halliburton Company" in the summary. Are these nutjubs now required to mention it in every one of their hackneyed theories?

The worst part about stories like these is that it obscures what the government is really doing to invade our privacy.

How about some editorial control, Slashdot?

Digg story down.

[Aaron England]

Article buried for lack of journalistic standards.

Re:

[tsa]

Digg is that way --->

You call that a conspiracy?

[Nate Eldredge]

Okay, so maybe the US government and Halliburton are checking up on Vista users, but that's benign compared to the folks after us FreeBSD users. I whois'ed some of my port scan logs and found McGraw Hill, The Washington Post, the BBC, and Ikea. Now that is one terrifying conspiracy. Eisenhower was right when he warned us of the dangers of the media-Swedish furniture complex.

Seriously, though. Worms and botnets are endemic and every organization has boxes probing the internet without their knowledge. Doesn't mean they're out to get you.

I always hated people who would whine about Slashdot story selection, but come on, editors, use a little discretion. You're just helping spread paranoid stupidity.

Highly plausible...

[Ub3rT3Rr0R1St]

With the fairly recent uproar that occurred with the numerous accounts of illegal wire tapping by part of the Bush administration, why, oh why, would anyone discard this as some sort of sham?

Now, I'm not agreeing that the proof is 100% credible, and I'm not completely disregarding the fact that this might really be a sham, but the previous experiences the US has had with any sort of monitoring on the peoples should be enough to regard this with high suspicion.

Monitoring through the internet isn't diff

Re:

[Dachannien]

We have nothing to lose by assuming this is legitimate

Except, perhaps, your credibility?

Never attribute to malice what you can attribute to zombies.

Mods on crack again.

[HornWumpus]

Who modded this dweeb insightful.

Metamoderators please spank these mods.

Your partisan nature colors your experiance!

[HornWumpus]

You ever hear of echelon? It started under FDR or Truman depending on who you believe.

The only difference is that Bush thought he could get away with admitting to doing what the last 10 or so presidents have been up to (tapping overseas calls without warrant).

The fact that this whole story has been shown to be the hyperbole up thread didn't stop you from posting a 'Blame Bush' screed. Which the moderators, being on crack, called insightful. Dweeb!

Not plausible at all

[teg]

Are there hidden things which the US government or others can use in Vista? Not impossible.

Should you trust Vista crypto totally, if you really have something to hide? Probably not.

Would they be as stupid as to let every computer send traffic to DOD computers? Obviously not. Even if most don't know how to monitor traffic, enough do that there would be an immediate uproar.

Possible "hidden features" would either need the system in question (secret keys....) or would be dormant. If turned on by some events, I'

Re:

[smack.addict]

You must be one of the idiots who believes in the Bush/9-11 conspiracy.

You see, your logic suggests that because the Bush administration is capable of nefarious deeds, any nefarious deed is by default plausibly a result of their actions.

Your tires are slashed? Must be the Bush administration! After all, they are capable of it!

You need more than the belief they are capable of the act; you need a) a reason and b) an explanation of the action that shows the action is the most logical path to justify the reason

Hacker took over the box perhaps?

[Adammil2000]

Is it possible that this box was taken over by a hacker and is trying to attack DoD addresses? As opposed to some alleged "phone home" behavior that Vista is showing?

No Destination Ports

[tiny69]

The screenshots conveniently leave out the destination ports. With out that information and without knowing what programs the user had installed or running, the entire article is a waste of time. We have no idea if the traffic is associated with a program he's running or if it's something else. He's concerned about connections that appear to originate from the U.S. Government, but isn't phased by the connections appearing to come from China. Oh noes!?! China has a backdoor in Vista!!

My guess is that he's running some P2P software. Guess what? The U.S. Government does get 0w3nD and does have problems with viruses, trojans, and P2P software.

Nothing to see here. Move along....

Worst /. Story Ever?

[nuintari]

Okay, this has got to one of the most pointless slashdot stories ever.

One, he is sniffing with a crappy piece of software that is barely a sniffer. Secondly, unless he has that XP system he claims is a Vista system, monitoring a HUB, not a switch, that the Vista machine's traffic has to go thru, he isn't sniffing anything relevant. Last, this is pointless paranoia.

You want to see more of your "government conspiracy traffic?" Find someone at an ISP to help you, as you will need a piece of public IP address space. Route it to someplace where you can monitor all the traffic destined to it, and plug nothing into that segment of your network. It just has to exist, and be publicly accessible. It goes nowhere, has no devices in it, it just exists. Then turn your sniffer on, and watch the botnet traffic fly by. Yeah, you will see attacks coming from everywhere, nowhere to go, and still they scan like crazy. And yes, you will see it come from DoD address space too, heaven for-fucking-bid.

Oh, and when do your sniffing, use a real sniffing tool. Then you can tell us what kind attacks the scary US government is mounting against its most paranoid citizens.

Linux and Amiga users can be safe...

[3seas]

http://zapatopi.net/mindguard/ [zapatopi.net]

A better question is

[brennz]

Why does Zonk continually post such uninformed articles?

gotta be careful about rev. lookups on port scans

[bl8n8r]

It's pretty trivial to spoof a source ip. Just ask the folks at DenyHosts [regdeveloper.co.uk]. If the attacker could care less about return packets and simply wants to create a lot of traffic (DoS) count on it. You really have to be careful with the data that's returned from tools like this. A lot of times it's useless. He should have scrubbed his IP from the screenshots too, poor bastard. This article would be perfect Diggchow except he never mentioned Apple in the article. Oh well.

Compromised machine

[ubrgeek]

His machine has been compromised and is being used to more on to other locations on the network. Wipe, reinstall, patch and hope to avoid zero-days. Nothing to see here.

In Soviet Russia ...

[PPH]

... computers keep YOU in an idle state.

First thing I thought when I saw this...

[cswiii]

..."Hrm, sure seems like the whole Prodigy STAGE.DAT [skepticfiles.org] dust-up".

As it turns out, I was wrong - it's even more innocuous than that.

As I've Said Repeatedly in the last couple weeks

[Master of Transhuman]

Yes, NSA has a way to break into Windows Vista (and probably any other version of Windows) since they were allowed by Microsoft to try (and supposedly report their results to Microsoft - which of course they didn't entirely.)

However, this story makes little sense as it stands. Until somebody sets up a proper test, there's nothing to see here.

And if people like the NSA, Halliburton and DOHS were scanning everybody's PC, they damn sure wouldn't be allowing a traceback to their own IP addresses assigned to the

Yawn!

[no-body]

What else is new? That M$oft is in kahuz with all kinds of 3 letter agencies is not new.

Since Windows XP, info from your XP computer is sent out to Microsoft.com - I don't have it, so I can't report much about it, but with a decent firewall installed, many software packages "call home", repeatedly and totally without justification. One does not need to check daily for updates! Adobe on my top list.

And - with the recent court approved installing of a sniffer on a potential suspect's computer - doing non-approved sniffer installs is probably more frequent, not even considering botnets.

It furthers an atmosphere of fear, is not empowering and in short - sucks!

Paranoids

[nurb432]

Sure, they may be out to get us, but this is just plain garbage.

Everyone has infected PCs

[Proudrooster]

If VISTA were connecting to the DoD and uploading data, I would be concerned, however these connections are from infected Zombie PCs running malware and trying to infect/control other PCs. It has NOTHING to do with VISTA, but EVERYTHING to do with Microsoft and their pathetic security in Windows. A large percentage of Internet traffic after bittorrent, streaming content, and spam is zombie PCs looking for more PCs.

Re:

[cdrguru]

The only way to have a computer that is truely secure is to have it locked in a closet.

If the user can authorize the installation of WeatherBug any other form of security is pointless. The first step is to disable the installation of unauthorized software.

In a company the IT department may be able to decide what is authorized and what is not. For a home computer the only security can come from disallowing anything - it is all unauthorized. Nothing that can be executed can be added to the computer and not

Great response in his site's comment section

[6350']

I noticed this in one of the comments on his site:

"So the gov't and Haliburton have bot infected computers just like everyone else. What else is new?"

Hah! Awesome.

Laughable.

[Kaenneth]

I actually did contract test work at Microsoft, testing a Vista component that used the network.

So I ran its networking through a seperate machine that ran ethereal, and studied the logs in great detail. I also watched for any 'privacy issues'. Basically, anytime Vista 'phones home' it's required to be by the user Opt-In, and never as a default. If you didn't read the EULA/Privacy Policy, etc. and just kept hitting 'I Agree', 'Accept' and 'Next' every dialog... you might get some things you didn't expect

say you visit a HTTPS url... aside from what actually appears on the page (content + ads) you may need: the digital certificates for the signing authority, revocation lists, accurate time, to check for expiration, DNS, Sytle Sheets, DTDs... a lot of that can be cached, but at some point they may be automatically downloaded.

Playing a (non-DRM) song?, you may get the album information automatically.

Plus all the non-MS software 'phoning home', Adobe Acrobat reader, Quicktime Updater, HP printer drivers, anti-virus updates, *Peer Guardian blocklist updates*

As for the incoming connections mentioned in the article, it seems well within Homeland Securities domain to scan for botnet and such infected machines, in order to defend against DOS attacks on critical infrastructure (like root DNS servers).

I once did a Google search for 'attrs' using Firefox on a Linux box. What popped up was a box asking me to accept a Department of Defense digital signature, served from a DOD server.

why? Google had suggested I was looking for 'atrrs' which was a DOD term, and Firefox tried to pre-load the first result, which was a DOD run website, which popped up the certificate from a site I did not intend to visit! If there is a conspiracy, then Google, Mozilla, and Slackware are in on it.

Re:

[alodien]

ATRRS? LOL...it is a conspiracy - the DOD wants you to sign up in ATRRS to take Defense Acqusition University courses. Heaven help you - don't do it - they will literally bore you to DEATH!

Quality research...

[Shemmie]

I'd like to applaud the commitment and bravery of the researchers in bringing this information into the public domain.

I'm from a similar underground organization, and have been monitoring Vista for some time. Notable connections we have so far made are:

Dinosauroid-like Alien Reptiles using Vista UMPCs are dominating the World
Apollo 11 Moon Landings were faked by Vista
September 11 was orchestrated by the U. S. government using Vista and Workflow Foundation
etc.

It's pretty conclusive stuff, people.
(Conspiracies kindly provided by http://www.2spare.com/item_43133.aspx [2spare.com] - note it's on an IIS server - don't trust it. The truth is out there!)

Re:

[Tablizer]

It's not even a Vista screen

That's because the FBI installed XP in the middle of the night.
       

Re:

[arashi no garou]

I would normally just tell you to see the above thread where as many as six people tell the first dumbass that it's a remote desktop connection (Vista being the OS on the machine the screenshot came from) showing PG2 running on XP, but at this point I seriously doubt your reading comprehension. The point of the article is that the guy started noticing odd connections after he introduced Vista to his network. That doesn't mean he's right or wrong (I wouldn't bet the farm without trying it myself first), but

Re:I can confirm this

[Anonymous Coward]

Posting anonymously for obvious reasons...

I work in one of the extraterrestial government agencies not in question, and I can confirm that we have been doing this. To be fair to United States government, they had no choice to let us in. It's been going on for years now. Right here, directly out of our own network, so that any retard with a freeware tcpdump/traceroute frontend can see exactly what they're up to.

PS: this isn't real.

Re:

[ScrewMaster]

Yes, well ... at least Fox Mulder was usually right, even if he could rarely prove it.