eRe4s3r wrote on Aug 13, 2015, 20:01:
From what I understand, Ars Technica overlooked a huge part of the spying though, which triggers once your PC goes into idle (no user action for X minutes) and does NOT trigger when you have Wireshark capturing data (since that ain't exactly idle anything; Wireshark has a huge footprint). This idle period is when it sends the most "mysterious" data, encrypted, but surely not just cat pictures, to the domain I posted amongst others. A quick whois revealed who owns it. Do you want anything and everything on your PC sent to an Anti-Piracy/DRM outfit?
Proving anything would be nice though; currently, and I freely admit this, it is speculation: one can see the connection, but one cannot prove what exactly is sent. You'd have to crack the encryption first and trick the idle services into triggering even when capturing (so you have to do it outside the box, by running W10 in a VM and Wireshark outside the VM).
Actually one can.
Enterprise NG firewalls with web content filtering require a custom certificate installed on the endpoint so the device can do a man-in-the-middle attack to decrypt HTTPS traffic. These enterprise web filters and firewalls use this technique all the time for their company-owned machines. It's the only way to stop malware that goes over HTTPS. It also stops folks from being able to use a proxy to bypass the content filter. Of course, the Financial and Health categories are set not to be decrypted.
Anyway... one can set a machine up as a proxy, put Wireshark on it, and use the same decryption technique.
I really don't care what the payload is, though. Theoretically... an easier method is to just have an NG firewall / web filter block everything from the Windows 10 IP, and look at all the denied traffic in the logs to see where it's trying to go (better yet, import the logs into Splunk and get the pertinent data out in seconds)... then subsequently block all the domains/IPs except Windows Update.
Get your games from GOG DAMMIT!
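The "block everything and read the deny logs" approach from the reply above, as an added example that is not part of the thread or any vendor's tooling: a small Python script that parses firewall deny lines for one watched source IP, aggregates the destinations it tried to reach (count, port, first/last seen), and flags those not on an expected-hosts list so they can be reviewed and then blocked. The log lines are constructed for the example in a generic key=value syslog style (real NG firewall formats differ, so the regex would need adapting), and the `EXPECTED_HOSTS` allow-list and all hostnames/IPs in it are hypothetical placeholders.

```python
"""Summarise firewall deny logs for one host to see where it tries to connect.

Added example for illustration, not code from the thread or from any product.
The log format below is a constructed, syslog-style key=value line; real NG
firewall exports differ, so LINE_RE is the part to adapt.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample deny-log lines (documentation IPs and placeholder hostnames,
# not real traffic). Includes one allow line and one line from another host to
# show that both are ignored by the summary for the watched source.
SAMPLE_LOG = """\
2015-08-13T20:01:05Z fw1 action=deny src=192.0.2.10 dst=198.51.100.7 dport=443 proto=tcp host=update.example
2015-08-13T20:01:06Z fw1 action=deny src=192.0.2.10 dst=203.0.113.44 dport=443 proto=tcp host=telemetry.example
2015-08-13T20:15:00Z fw1 action=deny src=192.0.2.10 dst=203.0.113.44 dport=443 proto=tcp host=telemetry.example
2015-08-13T20:16:30Z fw1 action=deny src=192.0.2.10 dst=203.0.113.91 dport=443 proto=tcp
2015-08-13T20:17:00Z fw1 action=allow src=192.0.2.10 dst=198.51.100.7 dport=443 proto=tcp host=update.example
2015-08-13T20:18:00Z fw1 action=deny src=192.0.2.20 dst=203.0.113.44 dport=443 proto=tcp host=telemetry.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)(?: host=(?P<host>\S+))?$"
)

# Hypothetical allow-list of destinations the host is expected to reach
# (e.g. update servers); fill this in from your own environment.
EXPECTED_HOSTS: Set[str] = {"update.example"}


@dataclass
class Destination:
    dst: str
    dport: int
    proto: str
    host: Optional[str]
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise_denies(log_text: str, watched_src: str) -> Dict[Tuple[str, int, str], Destination]:
    """Aggregate denied connections from watched_src by (dst, dport, proto)."""
    summary: "OrderedDict[Tuple[str, int, str], Destination]" = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "deny" or rec["src"] != watched_src:
            continue
        key = (rec["dst"], int(rec["dport"]), rec["proto"])
        d = summary.get(key)
        if d is None:
            d = Destination(rec["dst"], int(rec["dport"]), rec["proto"], rec["host"])
            d.first_seen = rec["ts"]
            summary[key] = d
        d.count += 1
        d.last_seen = rec["ts"]  # lines are assumed to be in time order
    return summary


def unexpected(summary: Dict[Tuple[str, int, str], Destination]) -> List[Destination]:
    """Destinations not on the allow-list, busiest first (unnamed IPs included)."""
    flagged = [d for d in summary.values() if d.host not in EXPECTED_HOSTS]
    return sorted(flagged, key=lambda d: (-d.count, d.dst))


def report(summary: Dict[Tuple[str, int, str], Destination]) -> List[str]:
    """Human-readable lines for review before deciding what to block."""
    lines = []
    for d in unexpected(summary):
        name = d.host or "(no hostname)"
        lines.append(f"{d.count:>4}x {d.dst}:{d.dport}/{d.proto} {name} "
                     f"first={d.first_seen} last={d.last_seen}")
    return lines


if __name__ == "__main__":
    for row in report(summarise_denies(SAMPLE_LOG, "192.0.2.10")):
        print(row)
```

Run it against an exported deny log instead of `SAMPLE_LOG` and the review list is the set of destinations to decide on; anything with a hostname you recognise as legitimate goes into `EXPECTED_HOSTS`, and the rest are candidates for a permanent block rule. Destinations logged with no hostname are kept in the list on purpose, since a bare IP is exactly the case a name-based filter would miss.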