Rendered at 13:26:10 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
webgambit 34 minutes ago [-]
Couple questions:
1) Do we think this is actually how the FBI found this kid or is this simply what they're saying in order to keep some other tool hidden?
2) Is there a way to block or manually change the GDID from being revealed. If it's the browser leaking it, do all browsers leak it?
hyperrail 14 hours ago [-]
How a Windows device's global ID is generated may be new info in the public sphere, but the fact that the global ID exists is not a secret. This format of device ID has been in Windows since the initial release of Windows 10 in 2015, when it was introduced as part of Windows' current telemetry subsystem. To see your device's global ID, open Windows Feedback Hub, then go to Feedback Hub Settings and look under Device Information.
ranger_danger 13 hours ago [-]
What I'm more interested in is how/where the GDID is used. Imagine if e.g. Edge started sending your GDID as a header in every single web request.
hyperrail 12 hours ago [-]
In a sense it doesn't matter how the global ID is used now. The fact that it exists allows it to be used in ways like what you describe, either by a malicious (?) Microsoft itself or by a malicious third-party attacker.
I'm familiar with these global IDs because I routinely used the Windows telemetry system as part of my work on the Windows core at Microsoft. We had strong policies on how and when we could access or use data for a single device as identified by global ID.
But ultimately, these policies will have a "government or court order" exception in reality even if not in theory, just like in most other consumer software observability systems. The Windows difference is simply the breadth of data that is intentionally collected by Microsoft or can be identified by any Microsoft-controlled IDs. That difference is huge in potential impact but very small conceptually.
m463 11 hours ago [-]
When IE did this at the very beginning of the internet it was a real scandal.
then verizon did it for (to?) mobile phones.
I guess these things get normalized, people might say "those jerks" and then put it out of their mind.
naturalmovement 13 hours ago [-]
I always assumed Chrome and Edge already did this — but sent the data to their respective masters.
Isn't every Chrome download unique?
It used to be even though the package contained an Authenticode signature, each installer stub download had a unique hash, because Windows' digital signatures allow a non-executable data area in the trailer which is not computed as part of the signed data.
There is zero technical reason to do this (generating unique binaries) aside from tracking purposes.
photios 8 hours ago [-]
[dead]
maxo133 7 hours ago [-]
AI-generated "research" once more. How can anyone call it full writeup?
As someone pointed out in the X argument comments, this is unconfirmed and most likely NOT how the actual GDID being sent to microsofts servers looks like.
1. The GDID that most closely resembles the one mentioned in the DOJ indictment of Stokes is found inside the registry key Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\IrisService\IrisActionCreatives, which starts with the "g:" prefix and is explicitly called GLOBALDEVICEID. This keys holds cached json response from microsoft servers and this is clear as night and day what value microsoft servers consider a "GDID"
2. According to the research, a Microsoft account is required. No, it's not necessary. Whether or whether you are not logged into your Microsoft device, GDID is being filled in. Did AI forget to check that?
3. How can author claim this is full writeup of GDID, when you did not verify whether the value your AI found, is the one being sent along with telemetry network requests? Author did not even verify whether he found the right thing
I also verified the value computed as suggested by the repository's creator and it is different from the value discovered inside the Iris registry key that begins with "g:".
Summary: The value author of repo claims is a GDID, is not the same value as saved on microsoft servers.
3 hours ago [-]
fuzzfactor 3 hours ago [-]
Very interesting.
Some users have been deleting the entire IrisService in the registry, it appears to also be related to the systray icons on the taskbar.
The first link is a couple years old but the second one is from a couple months ago. Apparently triggered now by the latest update kb5094126, so there may be some questionable new changes going on in this particular monkey-business department:
"Fix 3" is the one where the IrisService reg key is nuked.
3 hours ago [-]
jcarrano 2 hours ago [-]
Aside from the writeup, how stupid must one be to commit cybercrimes from a Windows 11 computer full of spyware?
nullbio 12 hours ago [-]
Can promise you a re-install does nothing for your privacy. Plenty of IDs are embedded in the hardware.
rrix2 15 hours ago [-]
one thing this doesn't touch on that I am curious about is how was browsing history, etc, correlated to the GDID?
murderfs 14 hours ago [-]
Edge history syncing, presumably.
typeofhuman 12 hours ago [-]
Ya. The FBI report to the court said that Microsoft showed the GDID visited the ngrok.com/signip page while using a VPN. I would have figured at that level the OS would not know domains but likely IP addresses. So it must be browser telemetry right?
stackghost 14 hours ago [-]
For those like me who were not abreast of this issue: the FBI was able to arrest some kid who hacked/is alleged to have hacked a jewellery retailer through a VPN. They were able to track the hacker via the user's GDID, which is a stable identifier unaffected by VPN usage.
This surveillance is certainly going to expand in scope as age verification comes into widespread usage. Personally I see little legitimate use case for this telemetry. It seems only useful for the purposes of tracking users for law enforcement or targeted advertising purposes.
Joker_vD 13 hours ago [-]
Well, it's a darn good thing there is nothing like that over here on the Linux side. I'm pretty sure that if e.g. systemd attempted to generate a unique, persistent machine identifier during the installation process, it'd be shot down and patched off extremely quickly.
This isn't "tracking", this is attribution in a court. The defence can't stand there and say "That's not him/this device" when the forensics point exactly at it.
skinfaxi 4 hours ago [-]
It's still tracking. Just like tracking your car movements to attribute them to you is still tracking.
krick 31 minutes ago [-]
To be fair, the courts in USA apparently have a different definition of tracking than all normal people do. Speaking of car movements, Flock claims this isn't tracking people based on some legalese mumbojumbo. Obviously, this and GPs claims are absolutely ridiculous if you speak English, but are apparently true in american legalese doublespeak.
7 hours ago [-]
jimbob45 9 hours ago [-]
How did they query his GDID/PUID to make the arrest though? Does the browser have access to it during some requests? Also, if it’s stored as plaintext, what’s stopping anyone from randomizing it on machine startup?
davikr 9 hours ago [-]
I'm guessing Ngrok gets subpoena'd, hands over the IP who created the account, page access timestamp, etc - FBI hands over to Microsoft, finds which Windows PCs were active with a certain IP on that time period, tries to correlate other characteristics such as OS version or anything to get a single hit, and then return other IPs used by that machine and everything else they have, like SmartDefender / Edge telemetry.
pjc50 5 hours ago [-]
> finds which Windows PCs were active with a certain IP on that time period
.. and how do they do that?
While we're on the subject of telemetry, has anyone got a GDPR orientated writeup of what's known?
pogue 10 hours ago [-]
So can you change/spoof your GDID easily?
ggerules 15 hours ago [-]
Wasn't this the GUID (Globally Unique Identifier) of early 00s Windows?
When did it change to GDID?
Are they the same?
wrs 15 hours ago [-]
No relation. GUID is just a format for a 128-bit unique number, used throughout the software industry. This is a specific 64-bit number assigned to your Windows device.
marysol5 3 hours ago [-]
So another GUID, gotcha
miffy900 15 hours ago [-]
Maybe try reading the writeup? GDID's are 64 bit for one thing, not 128 like GUIDs.
marysol5 3 hours ago [-]
Maybe understanding nuance
15 hours ago [-]
gigel82 13 hours ago [-]
> The court record itself says a reinstall produces a new GDID
That's a half truth if I ever saw one. Telemetry also includes the hardware hash (which does use SMBIOS serial number, CPUID, TPM identifiers, etc.) and that one survives OS reinstalls and even hardware swaps. It is the underlying id used for things like Autopilot (the equivalent to Apple's remote MDM lock).
rks404 9 hours ago [-]
is there a mac equivalent to the windows GDID?
x______________ 2 hours ago [-]
Gonna have to /s this one and say firstname.lastname @ icloud.com
denkmoon 9 hours ago [-]
Every little bit of hardware off an apple line is serialised out the wazoo, and the device's serial number is associated with every apple ID ever used to sign in to the device. I doubt it ever gets deleted. So yeah.
ChrisArchitect 12 hours ago [-]
Related background:
Windows telemetry used to track web activity, link VPN activity to source IP
1) Do we think this is actually how the FBI found this kid or is this simply what they're saying in order to keep some other tool hidden?
2) Is there a way to block or manually change the GDID from being revealed. If it's the browser leaking it, do all browsers leak it?
I'm familiar with these global IDs because I routinely used the Windows telemetry system as part of my work on the Windows core at Microsoft. We had strong policies on how and when we could access or use data for a single device as identified by global ID.
But ultimately, these policies will have a "government or court order" exception in reality even if not in theory, just like in most other consumer software observability systems. The Windows difference is simply the breadth of data that is intentionally collected by Microsoft or can be identified by any Microsoft-controlled IDs. That difference is huge in potential impact but very small conceptually.
then verizon did it for (to?) mobile phones.
I guess these things get normalized, people might say "those jerks" and then put it out of their mind.
Isn't every Chrome download unique?
It used to be even though the package contained an Authenticode signature, each installer stub download had a unique hash, because Windows' digital signatures allow a non-executable data area in the trailer which is not computed as part of the signed data.
There is zero technical reason to do this (generating unique binaries) aside from tracking purposes.
As someone pointed out in the X argument comments, this is unconfirmed and most likely NOT how the actual GDID being sent to microsofts servers looks like.
1. The GDID that most closely resembles the one mentioned in the DOJ indictment of Stokes is found inside the registry key Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\IrisService\IrisActionCreatives, which starts with the "g:" prefix and is explicitly called GLOBALDEVICEID. This keys holds cached json response from microsoft servers and this is clear as night and day what value microsoft servers consider a "GDID"
2. According to the research, a Microsoft account is required. No, it's not necessary. Whether or whether you are not logged into your Microsoft device, GDID is being filled in. Did AI forget to check that?
3. How can author claim this is full writeup of GDID, when you did not verify whether the value your AI found, is the one being sent along with telemetry network requests? Author did not even verify whether he found the right thing
I also verified the value computed as suggested by the repository's creator and it is different from the value discovered inside the Iris registry key that begins with "g:".
Summary: The value author of repo claims is a GDID, is not the same value as saved on microsoft servers.
Some users have been deleting the entire IrisService in the registry, it appears to also be related to the systray icons on the taskbar.
The first link is a couple years old but the second one is from a couple months ago. Apparently triggered now by the latest update kb5094126, so there may be some questionable new changes going on in this particular monkey-business department:
https://gist.github.com/JMMBA/d56923502a74b6b7196dd800fad0a8...
https://thegeekpage.com/taskbar-missing-after-sign-in-6-fixe...
"Fix 3" is the one where the IrisService reg key is nuked.
This surveillance is certainly going to expand in scope as age verification comes into widespread usage. Personally I see little legitimate use case for this telemetry. It seems only useful for the purposes of tracking users for law enforcement or targeted advertising purposes.
.. and how do they do that?
While we're on the subject of telemetry, has anyone got a GDPR orientated writeup of what's known?
That's a half truth if I ever saw one. Telemetry also includes the hardware hash (which does use SMBIOS serial number, CPUID, TPM identifiers, etc.) and that one survives OS reinstalls and even hardware swaps. It is the underlying id used for things like Autopilot (the equivalent to Apple's remote MDM lock).
Windows telemetry used to track web activity, link VPN activity to source IP
https://news.ycombinator.com/item?id=48807767
U.S. v. Stokes https://www.justice.gov/usao-ndil/media/1450651/dl