Remix.run Logo
lorislab 4 hours ago

The interesting part is not really the existence of a machine identifier. Almost every modern OS has some equivalent. The bigger question is the boundary: which components can access it, and when does a local identifier become a remote tracking identifier? A machine-id sitting on disk is very different from an OS vendor correlating it with network activity.

J-Kuhn an hour ago | parent | next [-]

Systemd (part of many major linux distributions) has for example machine-id[1], readable by anyone on the machine under /etc/machine-id.

[1]: https://www.freedesktop.org/software/systemd/man/latest/mach...

dlenski 37 minutes ago | parent | prev | next [-]

Yeah, this is what's glaringly missing from the article.

Exactly how does Microsoft's device identifier get associated with the ngrok session (normally initiated via its closed-source CLI)?

I can't tell from the article whether Microsoft is doing something underhanded to inject its device identifiers into network traffic, or whether the ngrok client software (again, closed-source!) grabbed the device identifier… and might well do the same on any other OS, using /etc/machine-id on Linux for example.

Since ngrok uses a "freemium" model, it wouldn't surprise me at all if its clients send machine IDs to try to catch users trying to get around its free limits.

Bender 23 minutes ago | parent | prev | next [-]

Adding another example of this is the NetworkID in about:networking#networkid in Firefox. There was a point in time that cause some controversy. Every AI has the wrong information about it's origin and use.

llm_nerd 2 hours ago | parent | prev [-]

This is the part that isn't clear and is by far the most interesting. At what stage and what point did the GDID get correlated with a tool/web request. As is it almost sounds like Microsoft "telemetry" gathers everything and they did a bulk search for certain activity, pulling the GDID and correlating it with a user.

mysteria 2 hours ago | parent | next [-]

From reading the official criminal complaint [1] it looks like Microsoft literally logs all web requests along with the GDID and sends it over as "telemetry". It basically associates the URL, the client's IP, and the GDID together.

Or I suppose it's possible that it only sends the domain and not the full URL, but that's enough for the police to go to the hoster and demand logs containing the full URL for said IP.

1. https://www.justice.gov/usao-ndil/media/1450651/dl?inline

nailer an hour ago | parent [-]

> Microsoft literally logs all web requests

Nope. That would be unbelievable but also very well known. It was a Windows software licensing matter, see my post above.

nailer an hour ago | parent | prev [-]

Good question. My understand is that it was licensing:

Hackers cloaked IP address -> VPN license -> Windows GDID -> Hacker's name.

llm_nerd an hour ago | parent [-]

From the reading of the document, I really don't think that's it. The suspects used phishing to get access to one company's servers, then used those servers to push software to other servers.

It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning. Repeatedly the documents cite "Microsoft's records" for the activity - installing ngrok, accessing certain sites, RDP connections, etc.

baranul 23 minutes ago | parent [-]

But it has long been known that Microsoft actively collaborates with and provides user data to legal entities. It is more a matter of the general public not being aware of this, the kind of data collected, and to what extent will users continue to tolerate Microsoft's behavior.