Rendered at 12:08:55 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
Someone 40 minutes ago [-]
I guess we’ll see a Windows tool that sets your identifier to this suspect’s “g:6755467234350028” very soon (weird ID, by the way. 16-digits makes sense, but I would have expected it to be hexadecimal)
Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?
If it’s the browser sending that info to Microsoft, wouldn’t somebody have noticed that their PC contacts Microsoft for every web page they open? Or do they batch that data and send it at some later time?
Also, would that mean this ‘only’ affects those using Microsoft’s browser (or does Chrome do the same, sending data to Google?)
Alternatively, is this happening lower in the stack? I can think of a place where a system component has access to the domain name, but not of one where it has the full URL.
cheschire 2 hours ago [-]
Well they can’t use that to track users of Linux.
I was a big fan of Microsoft ten to fifteen years ago. I’ve since transitioned my whole family off Microsoft products now over to Linux, Apple, and proton. Edit: and Brave.
I really thought their corporate culture would’ve changed after the late 90’s but I guess this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
tremon 2 hours ago [-]
Both systemd and dbus have a similar device id for Linux, which e.g. Chrome reads at startup:
The utility of and presence of unique identifiers in software should be no surprise.
But if you are using TelemetryOS (i.e. you cannot fully switch off the chatter) and your daily Web browser doesn't offer privacy extensions, you are the product.
alimbada 46 minutes ago [-]
I went to check if Flatpak would protect against this but it seems although it's a wanted feature it's not so straightforward to implement: https://github.com/flatpak/flatpak/issues/4311
heikkilevanto 2 hours ago [-]
I don't like the idea of a persistent id for my machine. Would there be any harm in rewriting the machine-id at every boot? Or just deleting it as part of the shutdown sequence?
xeyownt 1 hours ago [-]
Whatever you do there will always be uniquely identifiable information (if not an id, a fingerprint) on your machine.
If you want to escape that, you have to use dedicated privacy-enhancing tools / browsers, but even then, it's very likely that you can still be identified by motivated adversaries.
It doesn't mean you have to give up, but, if such id is necessary for technical reasons in systemd (I guess it is), I wouldn't worry too much.
Eddy_Viscosity2 52 minutes ago [-]
> motivated adversaries.
This sounds like you're referring to state actors and intelligence agencies, but really this applies to the entire advertising/surveillance industry of people trying to sell you a new flavor of soda.
xeyownt 17 minutes ago [-]
Sure, but the problem then is not systemd machineid, but rather the browser reading it and making it available for such identification (don't know if there is a browser out there doing that though).
Unless anonymization is provided by your browser, there is nothing you can do to prevent such identification technology run by these advertisers to build your profile, and send you targeted ads.
type0 12 minutes ago [-]
And petty criminals that set up fake fake websites to steal your money, ad-networks are also commonly used to spread malware so limiting the number of attack surfaces is the only sane thing to do.
gcr 1 hours ago [-]
The supported method to get a new one each boot is to truncate the file to 0 bytes and disable systemd-machine-id-commit.service
Double-check that this method actually works though.
Machine ID is used for things like dhcp leases, log rotation, etc. IPV6 addresses or transient MAC addresses are derived from it
inigyou 56 minutes ago [-]
I thought the kernel generated SLAAC addresses based on MAC and privacy addresses based on random numbers.
layla5alive 59 minutes ago [-]
dhcp uses it by default nowadays.. but you can tell dhcp to use your mac address instead (like it used to)..
I have the urge to grab a pitchfork, but I know better than to make assumptions about why that functionality was added. Time to do some homework I guess.
ux266478 28 minutes ago [-]
Wow, three pieces of software I don't use for other reasons, just gained a new reason to evangelize against them!
anthk 8 minutes ago [-]
As an Hyperbola user both systemd and dbus are a no-no there.
ezoe 39 minutes ago [-]
But does browser send these id?
xeyownt 13 minutes ago [-]
No.
givinguflac 2 hours ago [-]
Is this specific to Debian?
nickjj 16 minutes ago [-]
Nope, but Debian does use systemd by default so it's there.
I'm running Arch Linux and /etc/machine-id is present.
There's also an optional /etc/machine-info file that could exist. It's not a part of systemd and won't be created by default. It's more of an informal way to have details about the system in 1 spot. It was more popular when provisioning bare metal servers but still has value in the cloud. You can have key / value pairs on who to contact, where it's located, what type of machine it is, etc..
> this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
Good founders already know this. Bad ones don't care.
reactordev 1 hours ago [-]
Aww you missed the Ballmer Years. Chalked full of "me too!"'s and broken promises. But he was right about one thing. Developers, developers, developers...
merb 2 hours ago [-]
Well Enterprises can also enroll Linux machines in intune
contubernio 47 minutes ago [-]
Does this not violate European privacy laws?
tosti 23 minutes ago [-]
Probably yes it does. Not that it matters when you hack a website to have some expensive jewelry sent to your home address.
7 minutes ago [-]
midtake 2 hours ago [-]
To me this indicates that Microsoft has some sort of traffic analysis performed on endpoints, then linked to GDID. I'd guess this is part of Defender's real time protection or MAPS.
Fun fact, Microsoft Defender MAPS was previously named SpyNet.
The GDID identifier seems software in nature though. They could be more aggressive and tie it to the baseboard's serial number the way some games do. Then the hardware is tracked throughout its entire lifecycle, not just per instance of Windows install.
reactordev 1 hours ago [-]
that's the idea behind SecureBoot and the TPM chip is to provide the GDID based on hardware fingerprint. Some games already do this as "anti-cheat" measurements (tracking you) and Microsoft has been doing it since Windows 7 days. It's just that the TPM now gives you that hardware authority.
Alien1Being 29 minutes ago [-]
The most surprising part of this is a "hacker" using Windows ...
pluc 1 hours ago [-]
US Tech is fast becoming like Russia's and China's.
d5lt5 50 minutes ago [-]
Have you heard of a website called facebook?
pluc 26 minutes ago [-]
There was a time where the default assumption was functionality created tracking opportunities. Nowadays, it's more the opposite. Social media have always been on the forefront of monetizing data, but the same data in the hands of governments is used differently. My point is that the way you/we feel towards Facebook, the entire world is increasingly feeling about most, if not all, US tech.
I know people who won't use Israeli or Chinese-made tech for fears of sabotage. US tech is quickly making its brand in that market.
NordStreamYacht 3 minutes ago [-]
Israeli pagers are a blast.
herbst 23 minutes ago [-]
I know people who avoid US tech and happily use Chinese or Russian tech here in central Europe. Not trusting US tech isn't new, it just gets a lot worse
inigyou 28 minutes ago [-]
It was originally called LifeLog and sponsored by the military as a data collection system to help them identify terrorists.
xnx 2 hours ago [-]
Vague article. No evidence that Microsoft can see what web pages you are visiting in Chrome or Firefox (for example).
x______________ 34 minutes ago [-]
From the reply you're replying to:
> 27. Microsoft records also indicate: <...> a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
crtasm 1 hours ago [-]
Or even Edge with these options turned off:
>Send optional diagnostic data to improve Microsoft products [Includes how you use the browser, websites you visit, and enhanced error reporting. Determined by your Windows diagnostic data setting]
>Allow Microsoft to save your browsing activity including history, usage, favourites, web content, and other browsing data to personalise and improve Microsoft Edge and Microsoft services like ads, search, shopping, news, and Copilot [Includes your history, usage, favourites, web content and other browsing data]
My surprise level is at approximately... zero.
Next we will see some news, that MS was compelled to share that info with some three letters. - Oh wait, that is exactly what has already happened, according to the article.
MS is just like that person, who drives a dagger into your back.
protocolture 2 hours ago [-]
Probably a capability demanded through a TCN or TAN as part of a mechanism like Australias Access and Assistance bill.
Terr_ 3 hours ago [-]
TLDR: Microsoft can (at least) correlate your Windows installation to all website domains you visit while using Windows.
It's unclear what the mechanism is, but I'd wager their "telemetry" is constantly revealing your installation ID, your current IP, and domains that were recently resolved.
pogue 3 hours ago [-]
The article links to this page, which was shared on HN yesterday. [1]
I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.
I would be shocked if Microsoft was not using their own layer of certificate-pinning to stop people from doing that, and/or using another layer of encryption separate from the networking layer.
pogue 2 hours ago [-]
Only way to see what's going on is testing to see what's going on. Hopefully, someone who knows more about it than me can take a look at the packets and see what they contain.
cromka 2 hours ago [-]
But you'd still see some encrypted traffic and it wouldn't fly under a radar
8cvor6j844qw_d6 2 hours ago [-]
I was under the impression Windows is unreliable for these kind of activities as they are "leakish".
I imagine it's not too difficult to narrow down the potential suspects with how much data points you'd get from ISP, Windows telemetry, and whatever.
red_admiral 2 hours ago [-]
"all" would be troubling indeed. I hope that someone can discover the mechanism, and whether it's depending on any settings like "Share browsing data with other Windows features" or any other settings.
echelon_musk 3 hours ago [-]
Worse than just domains as TFA shows full URLs are recorded.
Reminds me of Google Safebrowsing.
ale42 1 hours ago [-]
Possibly the same but done by Edge?
surcap526 2 hours ago [-]
[dead]
egamirorrim 2 hours ago [-]
Truly terrifying. But also shocking that a 'hacker' is using windows
efilife 2 hours ago [-]
Some hackers want to spend their time doing cool stuff rather than constantly fixing their system
drw85 58 minutes ago [-]
I switched to linux a year ago and in that year had less problems than on Windows.
I had some minor problems after updates once or twice. On Windows i had to boot into restore mode multiple times due to Windows Update screwing something up.
The MS Store also constantly had trouble updating apps and games and i had to manage packages manually and uninstall and reinstall them so it would work again until the next update.
The times were Windows is easy to use and fire and forget are long gone. The decline in quality is noticeable.
nehal3m 1 hours ago [-]
Yeah, that’s why they install Linux
anthk 6 minutes ago [-]
Actual hackers don't need to run debloating tools each boot getting tired of all the adware and bundled crap eating GB's of storage.
Actual hackers would use Guix System and actually hack really cool stuff and, yes, Guix (the package manager) would be eating GB's because of reproducibility... but at least you could restore your system from Grub anytime.
dizhn 9 minutes ago [-]
This is basically FUD and has been for at least 20 years. Please refrain from it. I am not fixing nothing daily.
gcr 1 hours ago [-]
when it comes to video gaming I’ve found Bazzite to be generally far less fiddly than windows 11, surprisingly
Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?
If it’s the browser sending that info to Microsoft, wouldn’t somebody have noticed that their PC contacts Microsoft for every web page they open? Or do they batch that data and send it at some later time?
Also, would that mean this ‘only’ affects those using Microsoft’s browser (or does Chrome do the same, sending data to Google?)
Alternatively, is this happening lower in the stack? I can think of a place where a system component has access to the domain name, but not of one where it has the full URL.
I was a big fan of Microsoft ten to fifteen years ago. I’ve since transitioned my whole family off Microsoft products now over to Linux, Apple, and proton. Edit: and Brave.
I really thought their corporate culture would’ve changed after the late 90’s but I guess this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
https://manpages.debian.org/trixie/systemd/machine-id.5.en.h...
https://manpages.debian.org/trixie/dbus-bin/dbus-uuidgen.1.e...
But if you are using TelemetryOS (i.e. you cannot fully switch off the chatter) and your daily Web browser doesn't offer privacy extensions, you are the product.
If you want to escape that, you have to use dedicated privacy-enhancing tools / browsers, but even then, it's very likely that you can still be identified by motivated adversaries.
It doesn't mean you have to give up, but, if such id is necessary for technical reasons in systemd (I guess it is), I wouldn't worry too much.
This sounds like you're referring to state actors and intelligence agencies, but really this applies to the entire advertising/surveillance industry of people trying to sell you a new flavor of soda.
Unless anonymization is provided by your browser, there is nothing you can do to prevent such identification technology run by these advertisers to build your profile, and send you targeted ads.
Double-check that this method actually works though.
Machine ID is used for things like dhcp leases, log rotation, etc. IPV6 addresses or transient MAC addresses are derived from it
https://askubuntu.com/questions/1498611/ubuntu-dhcp-client-u... (linked because depending on version, there are several different ways to make this change..)
I have the urge to grab a pitchfork, but I know better than to make assumptions about why that functionality was added. Time to do some homework I guess.
I'm running Arch Linux and /etc/machine-id is present.
There's also an optional /etc/machine-info file that could exist. It's not a part of systemd and won't be created by default. It's more of an informal way to have details about the system in 1 spot. It was more popular when provisioning bare metal servers but still has value in the cloud. You can have key / value pairs on who to contact, where it's located, what type of machine it is, etc..
https://dbus.freedesktop.org/doc/dbus-uuidgen.1.html
Good founders already know this. Bad ones don't care.
Fun fact, Microsoft Defender MAPS was previously named SpyNet.
https://en.wikipedia.org/wiki/Microsoft_Active_Protection_Se...
The GDID identifier seems software in nature though. They could be more aggressive and tie it to the baseboard's serial number the way some games do. Then the hardware is tracked throughout its entire lifecycle, not just per instance of Windows install.
I know people who won't use Israeli or Chinese-made tech for fears of sabotage. US tech is quickly making its brand in that market.
> 27. Microsoft records also indicate: <...> a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
>Send optional diagnostic data to improve Microsoft products [Includes how you use the browser, websites you visit, and enhanced error reporting. Determined by your Windows diagnostic data setting]
>Allow Microsoft to save your browsing activity including history, usage, favourites, web content, and other browsing data to personalise and improve Microsoft Edge and Microsoft services like ads, search, shopping, news, and Copilot [Includes your history, usage, favourites, web content and other browsing data]
MS is just like that person, who drives a dagger into your back.
It's unclear what the mechanism is, but I'd wager their "telemetry" is constantly revealing your installation ID, your current IP, and domains that were recently resolved.
I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.
[1] https://github.com/SmtimesIWndr/gdid-reversal
I imagine it's not too difficult to narrow down the potential suspects with how much data points you'd get from ISP, Windows telemetry, and whatever.
Reminds me of Google Safebrowsing.
I had some minor problems after updates once or twice. On Windows i had to boot into restore mode multiple times due to Windows Update screwing something up.
The MS Store also constantly had trouble updating apps and games and i had to manage packages manually and uninstall and reinstall them so it would work again until the next update.
The times were Windows is easy to use and fire and forget are long gone. The decline in quality is noticeable.
Actual hackers would use Guix System and actually hack really cool stuff and, yes, Guix (the package manager) would be eating GB's because of reproducibility... but at least you could restore your system from Grub anytime.