Re: Windows XP RC2

From: Christopher McCrory (chrismccat_private)
Date: Tue Aug 21 2001 - 16:50:57 PDT


    Hello...
    
    Dino wrote:
    
    > Well, I am not sure if you would consider this a bug, incident, monitoring or
    > a feature, but in Windows XP RC2, which we loaded this weekend,
    > I noticed that M$ has a Network Time Client built in to keep correct time.
    > 
    > This is good so that we do not have to grab a 3rd-party app and install it,
    > but what is disturbing is this: take a guess as to what the "default" Time Server
    > is that gets used???
    > 
    > time.windows.com  !!!
    > 
    > 
    > Well, for every install, M$ can monitor/track who is running XP and has a Net
    > connection.
    
    
    
    Microsoft already does this with their Windows Update.  About the time 
    the "this is done without sending any information to Microsoft" message 
    is displayed, the update server sends a DNS query for the reverse 
    in-addr.arpa address.  I have a NAT setup: Linux for the desktop, which 
    also acts as an internal DNS server.  I also have a machine for playing 
    Counter-Strike that dual boots with MS Windows 98.  I recently ran 
    Windows Update and got this in my logs (I had bind in querylog mode 
    while I was testing some configs):
    
    (wednesday is my machine name)
    
    messages:Aug 19 11:00:00 wednesday named[590]: client 207.46.106.84#8535: query: 101.138.8.24.in-addr.arpa IN PTR
    messages:Aug 19 11:00:00 wednesday named[589]: client 207.46.106.84#8535: query: 101.138.8.24.in-addr.arpa IN PTR
    messages:Aug 19 11:00:00 wednesday named[590]: client 207.46.106.84#8535: query: 101.138.8.24.in-addr.arpa IN PTR
    messages:Aug 19 11:00:57 wednesday named[590]: client 207.46.106.84#8699: query: 101.138.8.24.in-addr.arpa IN PTR
    messages:Aug 19 11:00:57 wednesday named[589]: client 207.46.106.84#8699: query: 101.138.8.24.in-addr.arpa IN PTR
    messages:Aug 19 11:00:57 wednesday named[590]: client 207.46.106.84#8699: query: 101.138.8.24.in-addr.arpa IN PTR
    
    
    
    [chrismcc@wednesday log]$ host 207.46.106.84
    84.106.46.207.in-addr.arpa. domain name pointer sjwu3dns1.windowsupdate.com.
    
    
    I guess requesting information is not the same as sending it...
    
    
    I just tried again:
    
    messages:Aug 21 16:35:22 wednesday named[2987]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR
    messages:Aug 21 16:35:22 wednesday named[2986]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR
    messages:Aug 21 16:35:22 wednesday named[2987]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR
    
    PIX log:
    
    Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:31: %PIX-6-302005: Built UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
    Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302006: Teardown UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
    Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302005: Built UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
    Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302006: Teardown UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
    Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302005: Built UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
    Aug 21 16:35:27 192.168.9.254 Aug 21 2001 16:35:36: %PIX-6-302006: Teardown UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
    
    
    > Yes, you can simply pick another, like my favorite
    > "time-a.timefreq.bldrdoc.gov", and all is well, but the average user won't
    > know this and may not even care, but they should ;)
    > 
    > If you're really paranoid, one can think: well, if NTP is using
    > time.windows.com, what is stopping M$ from having some hidden app that can be
    > communicated with once they grab the IP that queries their time server?!
    > 
    > Thanks for listening
    > 
    > Dino
    
    
    
    -- 
    Christopher McCrory
    "The guy that keeps the servers running"
    chrismccat_private
    http://www.pricegrabber.com
    
    I don't make jokes in base 13. Anyone who does should get help. 
    --Douglas Adams
    
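    The correlation Christopher does by hand above (a PTR query for his own public
    address arriving at his internal bind from an outside host, matched against the
    PIX connection records for UDP/53) can be scripted. The following is an added
    example, not code from the post, from ISC bind or from Microsoft: it parses
    bind querylog lines and PIX 302005 "Built UDP connection" lines in the shape
    shown in the post, reverses the in-addr.arpa name back to a dotted address,
    keeps only PTR queries about our own public IP (24.8.138.101, taken from the
    post) that come from a non-RFC1918 client, and marks each finding as confirmed
    when the firewall saw the same foreign address and source port hit our port 53.
    The sample logs are the post's Aug 21 lines, unwrapped, plus two constructed
    benign queries so the filter has something to reject. The regexes assume this
    one log format; other bind versions word querylog differently.

```python
"""Flag outside hosts asking our own DNS server who owns *our* public IP,
cross-checked against PIX connection-built records for UDP/53."""
import ipaddress
import re
from collections import OrderedDict

# bind querylog line as printed in the post (grep "messages:" prefix is fine; we use search).
BIND_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
# PIX "Built UDP connection" record; teardown (302006) lines are ignored on purpose.
PIX_BUILT_RE = re.compile(
    r"%PIX-6-302005: Built UDP connection for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) laddr (?P<laddr>\S+)/(?P<lport>\d+)"
)

# Constructed sample: the post's Aug 21 bind lines, plus one internal A query and one
# outside A query that must NOT be flagged (both invented for this example).
BIND_LOG = """\
Aug 21 16:35:22 wednesday named[2987]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR
Aug 21 16:35:22 wednesday named[2986]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR
Aug 21 16:35:22 wednesday named[2987]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR
Aug 21 16:35:40 wednesday named[2987]: client 192.168.9.20#1025: query: www.example.com IN A
Aug 21 16:36:01 wednesday named[2987]: client 198.51.100.7#2048: query: www.example.net IN A
"""

# Constructed sample: the post's PIX lines, unwrapped (laddr placeholder kept as written).
PIX_LOG = """\
Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:31: %PIX-6-302005: Built UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302006: Teardown UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302005: Built UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
"""


def ptr_to_ip(qname):
    """'101.138.8.24.in-addr.arpa' -> IPv4Address('24.8.138.101'); None if not a v4 PTR name."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def parse_bind_queries(text):
    """Return one dict per bind querylog line that matches BIND_RE."""
    return [m.groupdict() for m in (BIND_RE.search(l) for l in text.splitlines()) if m]


def parse_pix_built(text):
    """Return one dict per PIX 302005 line that matches PIX_BUILT_RE."""
    return [m.groupdict() for m in (PIX_BUILT_RE.search(l) for l in text.splitlines()) if m]


def external_ptr_lookups_of_us(bind_text, pix_text, our_public_ips):
    """PTR queries about one of our_public_ips from a non-private client, grouped by
    (client, source port, target) and marked confirmed when PIX logged that flow to :53."""
    ours = {ipaddress.IPv4Address(a) for a in our_public_ips}
    pix_flows = {(c["faddr"], c["fport"], c["gaddr"])
                 for c in parse_pix_built(pix_text) if c["gport"] == "53"}
    findings = OrderedDict()
    for q in parse_bind_queries(bind_text):
        if q["qtype"] != "PTR":
            continue
        target = ptr_to_ip(q["qname"])
        if target is None or target not in ours:
            continue
        if ipaddress.IPv4Address(q["ip"]).is_private:
            continue  # an inside resolver asking about our own address is normal
        key = (q["ip"], q["port"], str(target))
        f = findings.setdefault(key, {"client": q["ip"], "port": q["port"], "target": str(target),
                                      "bind_lines": 0, "confirmed_by_pix": key in pix_flows})
        f["bind_lines"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for f in external_ptr_lookups_of_us(BIND_LOG, PIX_LOG, ["24.8.138.101"]):
        print(f)
```

    Run against a real querylog, the PIX match is what separates "some recursive
    resolver somewhere asked about us" from "this specific host opened a socket to
    our server and asked about us": only the latter gives you the pair of
    addresses Christopher then fed to host(1).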



    This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 21:55:04 PDT