Remix.run Logo
stackghost a day ago

For those like me who were not abreast of this issue: the FBI was able to arrest some kid who hacked/is alleged to have hacked a jewellery retailer through a VPN. They were able to track the hacker via the user's GDID, which is a stable identifier unaffected by VPN usage.

This surveillance is certainly going to expand in scope as age verification comes into widespread usage. Personally I see little legitimate use case for this telemetry. It seems only useful for the purposes of tracking users for law enforcement or targeted advertising purposes.

marysol5 20 hours ago | parent | next [-]

This isn't "tracking", this is attribution in a court. The defence can't stand there and say "That's not him/this device" when the forensics point exactly at it.

skinfaxi 19 hours ago | parent [-]

It's still tracking. Just like tracking your car movements to attribute them to you is still tracking.

krick 16 hours ago | parent [-]

To be fair, the courts in USA apparently have a different definition of tracking than all normal people do. Speaking of car movements, Flock claims this isn't tracking people based on some legalese mumbojumbo. Obviously, this and GPs claims are absolutely ridiculous if you speak English, but are apparently true in american legalese doublespeak.

Joker_vD a day ago | parent | prev | next [-]

Well, it's a darn good thing there is nothing like that over here on the Linux side. I'm pretty sure that if e.g. systemd attempted to generate a unique, persistent machine identifier during the installation process, it'd be shot down and patched off extremely quickly.

chocolatkey a day ago | parent | next [-]

Linux does though?

  cat /etc/machine-id
ranger_danger a day ago | parent | prev | next [-]

https://www.linux.org/docs/man1/systemd-machine-id-setup.htm...

nullpoint420 a day ago | parent [-]

cool. we definitely needed this

naturalmovement a day ago | parent [-]

Not wanting to be left out, FreeBSD has it too.

typeofhuman a day ago | parent | prev [-]

Is this sarcasm?

a day ago | parent | prev | next [-]
[deleted]
jimbob45 a day ago | parent | prev [-]

How did they query his GDID/PUID to make the arrest though? Does the browser have access to it during some requests? Also, if it’s stored as plaintext, what’s stopping anyone from randomizing it on machine startup?

davikr a day ago | parent [-]

I'm guessing Ngrok gets subpoena'd, hands over the IP who created the account, page access timestamp, etc - FBI hands over to Microsoft, finds which Windows PCs were active with a certain IP on that time period, tries to correlate other characteristics such as OS version or anything to get a single hit, and then return other IPs used by that machine and everything else they have, like SmartDefender / Edge telemetry.

pjc50 21 hours ago | parent [-]

> finds which Windows PCs were active with a certain IP on that time period

.. and how do they do that?

While we're on the subject of telemetry, has anyone got a GDPR orientated writeup of what's known?