By Virgil Vaduva
About a week ago a Windows 10 user going by the name of CheesusCrust published a post in the technology subverse on Voat about his research into how Microsoft violates users' Windows 10 telemetry choices, even when the user has disabled those options and features. Since then, CheesusCrust has deleted his post without explanation or indication as to why he did so. (I have included his original post at the end of this article.)
A few days later, Forbes contributor Gordon Kelly also published an article titled “Windows 10 Worst Secret Spinning Out Of Control”. In his piece, Kelly refers to CheesusCrust’s Voat post and to older articles from late 2015 confirming the same thing, namely that Windows 10 spying cannot be stopped. Kelly also did not pull any punches and pointed out how Microsoft’s refusal to address the issue of what appears to be outright “spyware” built into the Windows 10 platform is only feeding the fire of distrust that users already have towards the software giant.
Microsoft’s history of violating users’ privacy goes way back to 1999 and Windows NT 4, with the discovery of the _NSAKEY variable in the source code. This key was one of the two used in Windows NT to create valid signatures. At the time, Microsoft vociferously denied that this was a key used by the National Security Agency to undermine users’ privacy and security, stating that this key “is maintained and safeguarded by Microsoft, and we have not shared this key with the NSA or any other party.”
Somehow this explanation did not fly with privacy-conscious users. To make matters worse, Dr. Nicko van Someren discovered a third key used in the Windows 2000 Crypto API, which he called even “more fishy” and which did not appear to have any legitimate purpose. Some of the original research and demonstration on how the Windows 2000 Crypto API key can be subverted and used for malicious purposes is still available here.
If the historical evidence is not bad enough, Edward Snowden’s leaks also demonstrated in no uncertain terms that Microsoft has been a close collaborator of the NSA. Snowden’s documents showed how Microsoft gave the FBI and the NSA persistent back-end access to users’ Skype calls in real time, streamlining access to what most users consider private and confidential data. Microsoft also provided access to users’ SkyDrive and Outlook.com accounts, failing to notify users that government actors were accessing their data.
So, with all the empirical data showing that Microsoft has a long and solid history of violating users’ privacy and ignoring users’ desire to keep information close to home, why does the general public continue to be surprised by the revelations that Microsoft is using the latest iteration of its Windows operating system as a tool to collect metrics, usage information, browsing habits and a myriad of other personal information about its users? Why is the public surprised that even the Enterprise edition of Windows 10 appears to be calling back home to Microsoft, subverting an organization’s threat boundaries and the barriers put in place to prevent exfiltration of potentially sensitive data?
And the better question yet is, why is some of the research regarding the Windows 10 telemetry data and “spying” disappearing from online forums and web sites? Is Microsoft threatening journalists and users with lawsuits? What is happening behind the scenes? Why did Gordon Kelly change his tune shortly after his piece and start justifying the need for Microsoft’s extended telemetry? Who is reaching out to journalists and researchers trying to silence them or pacify them, and why?
In the spirit of full disclosure I reached out to a Microsoft technical contact almost a week ago with questions about the telemetry issues and the individual failed to even respond to my message.
Virgil Vaduva is a Libertarian security professional, journalist, photographer and overall liberty freak. He spent most of his life in Communist Romania and participated in the 1989 street protests which led to the collapse of the Ceausescu regime. He can be reached at vvaduva at truthvoice.com.
———————–
Attached below is the original Voat post from CheesusCrust
Like many of you, I am concerned about the telemetry, spying and other surveillance features, known or unknown, of Windows 10. It has concerned me enough to push me to Linux Mint as my main operating system. Even so, I wanted to better understand Windows 10, but internet search results for a decent Windows 10 traffic analysis leave a lot to be desired. As such, I decided to do my own investigating on what, exactly, Windows 10 is doing traffic-wise, and post the results. For this analysis, I wanted to simply analyse the network traffic of Windows 10 on a clean install, and just let it sit and run without using it.
What I have done for this analysis:
1. I have installed DD-WRT on a router connected to the internet and configured remote logging to the Linux Mint laptop in #2.
2. I have installed Linux Mint on a laptop, and set up rsyslog to accept remote logging from the DD-WRT router.
3. I have installed VirtualBox on the Linux Mint laptop, and installed Windows 10 Enterprise on VirtualBox. I have chosen the customized installation option where I disabled three pages of tracking options.
4. I have configured the DD-WRT router to drop and log all connection attempts via iptables through the DD-WRT router by Windows 10 Enterprise.
5. Aside from installing Windows 10 Enterprise, and verifying the internet connection through ipconfig and ping yahoo.com, I have not used the Windows 10 installation at all (the basis for the first part of this analysis).
6. Let Windows 10 Enterprise run overnight for about 8 hours (while I slept).
7. I use Perl to parse the data out of syslog files and insert said data into a MySQL database.
8. I use Perl to obtain route data from whois.radb.net, as well as nslookup PTR data, and insert that into the MySQL database.
9. Lastly, I query and format the data for analyzing.
Here is the roughly 8-hour network traffic analysis of 5508 connection attempts of an unused, base install of Windows 10 Enterprise (NOTE: I did not remove any 192.168.1.x home network IP addresses from the analysis):
Individual connection attempts by IP address, port, and protocol:

```sql
select distinct(ip_address), port, protocol, count(ip_address) as attempts
from rejected_connections
group by ip_address
order by attempts desc;
```

ip_address | port | protocol | attempts |
---|---|---|---|
94.245.121.253 | 3544 | UDP | 1619 |
65.55.44.108 | 443 | TCP | 764 |
192.168.1.1 | 53 | UDP | 630 |
192.168.1.255 | 137 | UDP | 602 |
65.52.108.92 | 443 | TCP | 271 |
64.4.54.254 | 443 | TCP | 242 |
65.55.252.43 | 443 | TCP | 189 |
65.52.108.29 | 443 | TCP | 158 |
207.46.101.29 | 80 | TCP | 107 |
207.46.7.252 | 80 | TCP | 96 |
64.4.54.253 | 443 | TCP | 83 |
204.79.197.200 | 443 | TCP | 63 |
23.74.8.99 | 80 | TCP | 45 |
23.74.8.80 | 80 | TCP | 45 |
65.52.108.103 | 443 | TCP | 29 |
134.170.165.251 | 443 | TCP | 27 |
23.67.60.73 | 80 | TCP | 21 |
65.52.108.27 | 80 | TCP | 21 |
157.56.96.58 | 443 | TCP | 19 |
134.170.51.247 | 443 | TCP | 18 |
23.67.60.97 | 80 | TCP | 18 |
134.170.165.253 | 443 | TCP | 18 |
65.55.138.126 | 443 | TCP | 18 |
131.253.40.53 | 443 | TCP | 16 |
134.170.58.118 | 443 | TCP | 15 |
131.253.61.100 | 80 | TCP | 14 |
104.73.92.149 | 80 | TCP | 14 |
157.56.96.123 | 443 | TCP | 14 |
157.56.77.139 | 443 | TCP | 13 |
65.55.138.111 | 443 | TCP | 12 |
40.117.145.132 | 443 | TCP | 12 |
131.253.40.59 | 80 | TCP | 12 |
23.210.63.75 | 80 | TCP | 12 |
65.55.113.13 | 80 | TCP | 11 |
134.170.51.246 | 443 | TCP | 9 |
134.170.58.190 | 443 | TCP | 9 |
191.232.80.58 | 443 | TCP | 9 |
207.46.114.58 | 443 | TCP | 9 |
23.193.225.197 | 80 | TCP | 9 |
134.170.115.62 | 443 | TCP | 9 |
104.73.160.51 | 80 | TCP | 9 |
104.73.160.16 | 80 | TCP | 9 |
23.210.5.16 | 80 | TCP | 8 |
157.56.77.138 | 443 | TCP | 8 |
131.253.61.84 | 80 | TCP | 8 |
23.217.138.11 | 80 | TCP | 8 |
23.193.230.88 | 443 | TCP | 7 |
198.41.214.183 | 80 | TCP | 6 |
13.107.3.128 | 443 | TCP | 6 |
198.41.215.186 | 80 | TCP | 6 |
198.41.214.186 | 80 | TCP | 6 |
198.41.214.184 | 80 | TCP | 6 |
104.73.143.160 | 443 | TCP | 6 |
157.55.240.220 | 443 | TCP | 6 |
198.41.215.185 | 80 | TCP | 6 |
72.21.81.200 | 80 | TCP | 6 |
23.193.251.132 | 80 | TCP | 6 |
23.193.236.70 | 443 | TCP | 5 |
72.21.91.8 | 80 | TCP | 5 |
23.217.138.25 | 80 | TCP | 4 |
131.253.61.96 | 443 | TCP | 4 |
131.253.61.82 | 443 | TCP | 3 |
23.102.17.214 | 443 | TCP | 3 |
23.101.156.198 | 443 | TCP | 3 |
23.74.9.198 | 80 | TCP | 3 |
104.73.153.9 | 443 | TCP | 3 |
23.74.9.217 | 80 | TCP | 3 |
23.9.123.27 | 80 | TCP | 3 |
94.245.121.254 | 3544 | UDP | 3 |
23.101.187.68 | 123 | UDP | 3 |
104.91.188.21 | 80 | TCP | 3 |
131.253.61.66 | 443 | TCP | 3 |
23.217.138.122 | 80 | TCP | 3 |
23.101.115.193 | 443 | TCP | 3 |
198.41.215.182 | 80 | TCP | 3 |
198.41.214.187 | 80 | TCP | 3 |
23.210.48.42 | 443 | TCP | 3 |
104.208.28.54 | 443 | TCP | 3 |
23.217.138.18 | 80 | TCP | 2 |
23.193.238.90 | 443 | TCP | 2 |
23.217.138.90 | 80 | TCP | 2 |
23.217.138.43 | 80 | TCP | 1 |
23.67.60.65 | 80 | TCP | 1 |
65.52.236.160 | 443 | TCP | 1 |
157.56.144.215 | 3544 | UDP | 1 |
23.96.212.225 | 443 | TCP | 1 |
157.56.144.216 | 3544 | UDP | 1 |
65.52.108.252 | 443 | TCP | 1 |
65.52.108.94 | 443 | TCP | 1 |
134.170.179.87 | 443 | TCP | 1 |
104.73.138.217 | 443 | TCP | 1 |
104.91.166.82 | 80 | TCP | 1 |
104.73.160.58 | 80 | TCP | 1 |
137.116.74.190 | 80 | TCP | 1 |
23.217.138.97 | 80 | TCP | 1 |
Extended data for each distinct connection attempt:

```sql
select distinct(t1.ip_address), nslookup, port, protocol, connection_attempts, route, origin, description
from (
    select distinct(ip_address) as ip_address, port, protocol, count(ip_address) as connection_attempts
    from rejected_connections
    group by ip_address
    order by connection_attempts desc
) as t1
join (
    select distinct(ip_address) as ip_address, nslookup, route, origin, description
    from routing_data
    group by ip_address
) as t2
where t1.ip_address = t2.ip_address
order by connection_attempts desc;
```

ip_address | nslookup | port | protocol | connection_attempts | route | origin | description |
---|---|---|---|---|---|---|---|
94.245.121.253 | | 3544 | UDP | 1619 | 94.245.64.0/18 | AS8075 | MICROSOFT |
65.55.44.108 | | 443 | TCP | 764 | 65.52.0.0/14 | AS8075 | MICROSOFT |
65.52.108.92 | msnbot-65-52-108-92.search.msn.com | 443 | TCP | 271 | 65.52.0.0/14 | AS8075 | MICROSOFT |
64.4.54.254 | | 443 | TCP | 242 | 64.4.0.0/18 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
65.55.252.43 | msnbot-65-55-252-43.search.msn.com | 443 | TCP | 189 | 65.52.0.0/14 | AS8075 | MICROSOFT |
65.52.108.29 | msnbot-65-52-108-29.search.msn.com | 443 | TCP | 158 | 65.52.0.0/14 | AS8075 | MICROSOFT |
207.46.101.29 | | 80 | TCP | 107 | 207.46.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
207.46.7.252 | | 80 | TCP | 96 | 207.46.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
64.4.54.253 | | 443 | TCP | 83 | 64.4.0.0/18 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
204.79.197.200 | a-0001.a-msedge.net | 443 | TCP | 63 | 204.79.197.0/24 | AS8151 | Microsoft Corporation |
23.74.8.99 | a23-74-8-99.deploy.static.akamaitechnologies.com | 80 | TCP | 45 | 23.74.8.0/23 | AS20940 | Akamai Technologies |
23.74.8.80 | a23-74-8-80.deploy.static.akamaitechnologies.com | 80 | TCP | 45 | 23.74.8.0/23 | AS20940 | Akamai Technologies |
65.52.108.103 | | 443 | TCP | 29 | 65.52.0.0/14 | AS8075 | MICROSOFT |
134.170.165.251 | | 443 | TCP | 27 | 134.170.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
23.67.60.73 | a23-67-60-73.deploy.static.akamaitechnologies.com | 80 | TCP | 21 | 23.67.60.0/24 | AS7922 | Comcast Cable Communications, Inc. |
65.52.108.27 | msnbot-65-52-108-27.search.msn.com | 80 | TCP | 21 | 65.52.0.0/14 | AS8075 | MICROSOFT |
157.56.96.58 | | 443 | TCP | 19 | 157.56.0.0/16 | AS8075 | MICROSOFT |
134.170.51.247 | | 443 | TCP | 18 | 134.170.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
23.67.60.97 | a23-67-60-97.deploy.static.akamaitechnologies.com | 80 | TCP | 18 | 23.67.60.0/24 | AS7922 | Comcast Cable Communications, Inc. |
134.170.165.253 | | 443 | TCP | 18 | 134.170.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
65.55.138.126 | | 443 | TCP | 18 | 65.52.0.0/14 | AS8075 | MICROSOFT |
131.253.40.53 | | 443 | TCP | 16 | 131.253.32.0/20 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
134.170.58.118 | | 443 | TCP | 15 | 134.170.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
131.253.61.100 | | 80 | TCP | 14 | 131.253.61.0/24 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
104.73.92.149 | a104-73-92-149.deploy.static.akamaitechnologies.com | 80 | TCP | 14 | 104.64.0.0/10 | AS31377 | Akamai Technologies |
157.56.96.123 | | 443 | TCP | 14 | 157.56.0.0/16 | AS8075 | MICROSOFT |
157.56.77.139 | | 443 | TCP | 13 | 157.56.0.0/16 | AS8075 | MICROSOFT |
65.55.138.111 | | 443 | TCP | 12 | 65.52.0.0/14 | AS8075 | MICROSOFT |
40.117.145.132 | | 443 | TCP | 12 | 40.64.0.0/10 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
131.253.40.59 | | 80 | TCP | 12 | 131.253.32.0/20 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
23.210.63.75 | a23-210-63-75.deploy.static.akamaitechnologies.com | 80 | TCP | 12 | 23.210.48.0/20 | AS16625 | Akamai Technologies |
65.55.113.13 | | 80 | TCP | 11 | 65.52.0.0/14 | AS8075 | MICROSOFT |
134.170.51.246 | | 443 | TCP | 9 | 134.170.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
134.170.58.190 | | 443 | TCP | 9 | 134.170.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
191.232.80.58 | | 443 | TCP | 9 | 191.232.0.0/13 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
207.46.114.58 | | 443 | TCP | 9 | 207.46.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
23.193.225.197 | a23-193-225-197.deploy.static.akamaitechnologies.com | 80 | TCP | 9 | 23.193.224.0/20 | AS20940 | Akamai Technologies |
134.170.115.62 | | 443 | TCP | 9 | 134.170.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
104.73.160.51 | a104-73-160-51.deploy.static.akamaitechnologies.com | 80 | TCP | 9 | 104.64.0.0/10 | AS31377 | Akamai Technologies |
104.73.160.16 | a104-73-160-16.deploy.static.akamaitechnologies.com | 80 | TCP | 9 | 104.64.0.0/10 | AS31377 | Akamai Technologies |
23.210.5.16 | a23-210-5-16.deploy.static.akamaitechnologies.com | 80 | TCP | 8 | 23.208.0.0/14 | AS31377 | Akamai Technologies |
157.56.77.138 | | 443 | TCP | 8 | 157.56.0.0/16 | AS8075 | MICROSOFT |
131.253.61.84 | | 80 | TCP | 8 | 131.253.61.0/24 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
23.217.138.11 | a23-217-138-11.deploy.static.akamaitechnologies.com | 80 | TCP | 8 | 23.217.138.0/24 | AS7922 | Akamai Technologies |
23.193.230.88 | a23-193-230-88.deploy.static.akamaitechnologies.com | 443 | TCP | 7 | 23.193.224.0/20 | AS20940 | Akamai Technologies |
198.41.214.183 | | 80 | TCP | 6 | 198.41.214.0/24 | AS13335 | CloudFlare, Inc. 665 3rd Street Suite 200 San Francisco, California 94107 US |
13.107.3.128 | | 443 | TCP | 6 | 13.104.0.0/14 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
198.41.215.186 | | 80 | TCP | 6 | 198.41.215.0/24 | AS13335 | CloudFlare, Inc. 665 3rd Street Suite 200 San Francisco, California 94107 US |
198.41.214.186 | | 80 | TCP | 6 | 198.41.214.0/24 | AS13335 | CloudFlare, Inc. 665 3rd Street Suite 200 San Francisco, California 94107 US |
198.41.214.184 | | 80 | TCP | 6 | 198.41.214.0/24 | AS13335 | CloudFlare, Inc. 665 3rd Street Suite 200 San Francisco, California 94107 US |
104.73.143.160 | a104-73-143-160.deploy.static.akamaitechnologies.com | 443 | TCP | 6 | 104.64.0.0/10 | AS31377 | Akamai Technologies |
157.55.240.220 | | 443 | TCP | 6 | 157.55.0.0/16 | AS8075 | MICROSOFT |
198.41.215.185 | | 80 | TCP | 6 | 198.41.215.0/24 | AS13335 | CloudFlare, Inc. 665 3rd Street Suite 200 San Francisco, California 94107 US |
72.21.81.200 | | 80 | TCP | 6 | 72.21.81.0/24 | AS15133 | EdgeCast Networks, Inc. |
23.193.236.70 | a23-193-236-70.deploy.static.akamaitechnologies.com | 443 | TCP | 5 | 23.193.224.0/20 | AS20940 | Akamai Technologies |
72.21.91.8 | | 80 | TCP | 5 | 72.21.91.0/24 | AS15133 | EdgeCast Networks, Inc. |
23.217.138.25 | a23-217-138-25.deploy.static.akamaitechnologies.com | 80 | TCP | 4 | 23.217.138.0/24 | AS7922 | Akamai Technologies |
131.253.61.96 | | 443 | TCP | 4 | 131.253.61.0/24 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
131.253.61.82 | | 443 | TCP | 3 | 131.253.61.0/24 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
23.101.156.198 | | 443 | TCP | 3 | 23.100.0.0/15 | AS8075 | MICROSOFT |
104.73.153.9 | a104-73-153-9.deploy.static.akamaitechnologies.com | 443 | TCP | 3 | 104.64.0.0/10 | AS31377 | Akamai Technologies |
23.9.123.27 | a23-9-123-27.deploy.static.akamaitechnologies.com | 80 | TCP | 3 | 23.9.112.0/20 | AS16625 | Akamai Technologies |
94.245.121.254 | | 3544 | UDP | 3 | 94.245.64.0/18 | AS8075 | MICROSOFT |
23.101.187.68 | | 123 | UDP | 3 | 23.100.0.0/15 | AS8075 | MICROSOFT |
104.91.188.21 | a104-91-188-21.deploy.static.akamaitechnologies.com | 80 | TCP | 3 | 104.91.176.0/20 | AS20940 | Akamai Technologies |
131.253.61.66 | | 443 | TCP | 3 | 131.253.61.0/24 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
23.217.138.122 | a23-217-138-122.deploy.static.akamaitechnologies.com | 80 | TCP | 3 | 23.217.138.0/24 | AS7922 | Akamai Technologies |
23.101.115.193 | | 443 | TCP | 3 | 23.100.0.0/15 | AS8075 | MICROSOFT |
198.41.215.182 | | 80 | TCP | 3 | 198.41.215.0/24 | AS13335 | CloudFlare, Inc. 665 3rd Street Suite 200 San Francisco, California 94107 US |
198.41.214.187 | | 80 | TCP | 3 | 198.41.214.0/24 | AS13335 | CloudFlare, Inc. 665 3rd Street Suite 200 San Francisco, California 94107 US |
23.210.48.42 | a23-210-48-42.deploy.static.akamaitechnologies.com | 443 | TCP | 3 | 23.210.48.0/20 | AS16625 | Akamai Technologies |
104.208.28.54 | | 443 | TCP | 3 | 104.208.0.0/13 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
23.217.138.18 | a23-217-138-18.deploy.static.akamaitechnologies.com | 80 | TCP | 2 | 23.217.138.0/24 | AS7922 | Akamai Technologies |
23.193.238.90 | a23-193-238-90.deploy.static.akamaitechnologies.com | 443 | TCP | 2 | 23.193.224.0/20 | AS20940 | Akamai Technologies |
23.217.138.90 | a23-217-138-90.deploy.static.akamaitechnologies.com | 80 | TCP | 2 | 23.217.138.0/24 | AS7922 | Akamai Technologies |
23.217.138.43 | a23-217-138-43.deploy.static.akamaitechnologies.com | 80 | TCP | 1 | 23.217.138.0/24 | AS7922 | Akamai Technologies |
23.67.60.65 | a23-67-60-65.deploy.static.akamaitechnologies.com | 80 | TCP | 1 | 23.67.60.0/24 | AS7922 | Comcast Cable Communications, Inc. |
65.52.236.160 | | 443 | TCP | 1 | 65.52.0.0/14 | AS8075 | MICROSOFT |
157.56.144.215 | | 3544 | UDP | 1 | 157.56.0.0/16 | AS8075 | MICROSOFT |
23.96.212.225 | | 443 | TCP | 1 | 23.96.0.0/14 | AS8075 | MICROSOFT |
157.56.144.216 | | 3544 | UDP | 1 | 157.56.0.0/16 | AS8075 | MICROSOFT |
65.52.108.252 | | 443 | TCP | 1 | 65.52.0.0/14 | AS8075 | MICROSOFT |
65.52.108.94 | msnbot-65-52-108-94.search.msn.com | 443 | TCP | 1 | 65.52.0.0/14 | AS8075 | MICROSOFT |
134.170.179.87 | | 443 | TCP | 1 | 134.170.0.0/16 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
104.73.138.217 | a104-73-138-217.deploy.static.akamaitechnologies.com | 443 | TCP | 1 | 104.64.0.0/10 | AS31377 | Akamai Technologies |
104.91.166.82 | a104-91-166-82.deploy.static.akamaitechnologies.com | 80 | TCP | 1 | 104.91.166.0/23 | AS20940 | Akamai Technologies |
104.73.160.58 | a104-73-160-58.deploy.static.akamaitechnologies.com | 80 | TCP | 1 | 104.64.0.0/10 | AS31377 | Akamai Technologies |
137.116.74.190 | | 80 | TCP | 1 | 137.116.0.0/15 | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK |
23.217.138.97 | a23-217-138-97.deploy.static.akamaitechnologies.com | 80 | TCP | 1 | 23.217.138.0/24 | AS7922 | Akamai Technologies |
I plan on letting this setup run as is for a while longer (hours? days? weeks?) to get a more complete snapshot of connection attempts before I move on to further analysis of Windows 10.
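
The parse-and-count step described in the post, as an added Python example (not CheesusCrust's Perl/MySQL code): it reads iptables drop records from relayed syslog and counts attempts per destination. The log prefix `WIN10-DROP: `, the guest address and the sample lines are constructed assumptions. It also shows that counting per IP alone, as the post's `group by ip_address` does, merges a destination contacted on several ports into one row.

```python
import re
from collections import Counter

# Constructed sample: iptables LOG lines as relayed by rsyslog. The
# "WIN10-DROP: " prefix and guest address 192.168.1.50 are assumptions;
# 203.0.113.7 is a documentation address, not one from the post.
SAMPLE_SYSLOG = """\
Feb  9 01:00:01 ddwrt kernel: WIN10-DROP: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=94.245.121.253 LEN=89 TTL=127 PROTO=UDP SPT=51234 DPT=3544 LEN=69
Feb  9 01:00:31 ddwrt kernel: WIN10-DROP: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=94.245.121.253 LEN=89 TTL=127 PROTO=UDP SPT=51234 DPT=3544 LEN=69
Feb  9 01:01:01 ddwrt kernel: WIN10-DROP: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=94.245.121.253 LEN=89 TTL=127 PROTO=UDP SPT=51234 DPT=3544 LEN=69
Feb  9 01:01:07 ddwrt kernel: WIN10-DROP: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=65.55.44.108 LEN=52 TTL=127 PROTO=TCP SPT=49811 DPT=443 WINDOW=8192 SYN URGP=0
Feb  9 01:01:10 ddwrt kernel: WIN10-DROP: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=65.55.44.108 LEN=52 TTL=127 PROTO=TCP SPT=49811 DPT=443 WINDOW=8192 SYN URGP=0
Feb  9 01:02:00 ddwrt kernel: WIN10-DROP: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.7 LEN=52 TTL=127 PROTO=TCP SPT=49900 DPT=80 WINDOW=8192 SYN URGP=0
Feb  9 01:02:05 ddwrt kernel: WIN10-DROP: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.7 LEN=52 TTL=127 PROTO=TCP SPT=49901 DPT=443 WINDOW=8192 SYN URGP=0
Feb  9 01:02:09 ddwrt kernel: WIN10-DROP: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TTL=127 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb  9 01:02:30 ddwrt dnsmasq[412]: query[A] example.com from 192.168.1.50
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line, prefix="WIN10-DROP: "):
    """Return (dst_ip, dst_port, proto) for a drop record, else None."""
    _, found, rest = line.partition(prefix)
    if not found:
        return None  # unrelated syslog traffic (dnsmasq, cron, ...)
    fields = dict(FIELD.findall(rest))
    if "DST" not in fields or "PROTO" not in fields:
        return None
    # ICMP records carry no DPT; keep them with port None instead of dropping.
    port = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return fields["DST"], port, fields["PROTO"]


def count_attempts(text, by_ip_only=False):
    """Count drop records per (ip, port, proto), or per ip when by_ip_only."""
    counts = Counter()
    for line in text.splitlines():
        record = parse_line(line)
        if record is not None:
            counts[record[0] if by_ip_only else record] += 1
    return counts


def ranked(counts):
    """Rows sorted by attempts, descending (ties broken by key text)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))


if __name__ == "__main__":
    for key, attempts in ranked(count_attempts(SAMPLE_SYSLOG)):
        print(key, attempts)
    print("per-IP view:", ranked(count_attempts(SAMPLE_SYSLOG, by_ip_only=True)))
```

In the per-IP view the constructed 203.0.113.7 destination appears once with 3 attempts, while the per-flow view keeps its port 80, port 443 and ICMP records apart.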