The interesting part is not really the existence of a machine identifier. Almost every modern OS has some equivalent. The bigger question is the boundary: which components can access it, and when does a local identifier become a remote tracking identifier? A machine-id sitting on disk is very different from an OS vendor correlating it with network activity.
J-Kuhn [3 hidden]5 mins ago
Systemd (part of many major linux distributions) has for example machine-id[1], readable by anyone on the machine under /etc/machine-id.
Yeah, this is what's glaringly missing from the article.
Exactly how does Microsoft's device identifier get associated with the ngrok session (normally initiated via its closed-source CLI)?
I can't tell from the article whether Microsoft is doing something underhanded to inject its device identifiers into network traffic, or whether the ngrok client software (again, closed-source!) grabbed the device identifier… and might well do the same on any other OS, using /etc/machine-id on Linux for example.
Since ngrok uses a "freemium" model, it wouldn't surprise me at all if its clients send machine IDs to try to catch users trying to get around its free limits.
nickphx [3 hidden]5 mins ago
from the microsoft store. the ngrok app was downloaded via microsoft store...
dlenski [3 hidden]5 mins ago
And then what?
Does the Microsoft store imprint an identifier into the network traffic of all the binaries downloaded from it?
And if so, how?
All of ngrok's traffic is TLS encrypted which means that only the client software and the server/peer should be able to decrypt or modify it.
Bender [3 hidden]5 mins ago
Adding another example of this is the NetworkID in about:networking#networkid in Firefox. There was a point in time that cause some controversy. Every AI has the wrong information about it's origin and use.
llm_nerd [3 hidden]5 mins ago
This is the part that isn't clear and is by far the most interesting. At what stage and what point did the GDID get correlated with a tool/web request. As is it almost sounds like Microsoft "telemetry" gathers everything and they did a bulk search for certain activity, pulling the GDID and correlating it with a user.
nailer [3 hidden]5 mins ago
Good question. My understand is that it was licensing:
Hackers cloaked IP address -> VPN license -> Windows GDID -> Hacker's name.
llm_nerd [3 hidden]5 mins ago
From the reading of the document, I really don't think that's it. The suspects used phishing to get access to one company's servers, then used those servers to push software to other servers.
It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning. Repeatedly the documents cite "Microsoft's records" for the activity - installing ngrok, accessing certain sites, RDP connections, etc.
baranul [3 hidden]5 mins ago
But it has long been known that Microsoft actively collaborates with and provides user data to legal entities. It is more a matter of the general public not being aware of this, the kind of data collected, and to what extent will users continue to tolerate Microsoft's behavior.
mysteria [3 hidden]5 mins ago
From reading the official criminal complaint [1] it looks like Microsoft literally logs all web requests along with the GDID and sends it over as "telemetry". It basically associates the URL, the client's IP, and the GDID together.
Or I suppose it's possible that it only sends the domain and not the full URL, but that's enough for the police to go to the hoster and demand logs containing the full URL for said IP.
Nope. That would be unbelievable but also very well known. It was a Windows software licensing matter, see my post above.
Sophira [3 hidden]5 mins ago
Can you link the specific post you're referring to? It's not "above" at this point in time.
cheschire [3 hidden]5 mins ago
Well they can’t use that to track users of Linux.
I was a big fan of Microsoft ten to fifteen years ago. I’ve since transitioned my whole family off Microsoft products now over to Linux, Apple, and proton. Edit: and Brave.
I really thought their corporate culture would’ve changed after the late 90’s but I guess this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
tremon [3 hidden]5 mins ago
Both systemd and dbus have a similar device id for Linux, which e.g. Chrome reads at startup:
That's good to know, thank you. I'm been considering moving away from systemd, and certainly don't use Chrome.
The number of things you need to try to keep track of merely _improve_ your privacy is maddening. The whole world seems to be against you.
drdexebtjl [3 hidden]5 mins ago
D-Bus is much harder to get rid of than systemd.
It’s best to focus your efforts into rotating these IDs.
mochapwns [3 hidden]5 mins ago
Would OpenBSD solve both of these issues or is there a device ID in there that I’m not aware of.
I’ve seen that it uses a different init system and doesn’t rely on either dbus or systemd
LtWorf [3 hidden]5 mins ago
firejail has a setting to generate a random machine id at every run.
And you should be running the browser inside firejail at all times.
heikkilevanto [3 hidden]5 mins ago
I don't like the idea of a persistent id for my machine. Would there be any harm in rewriting the machine-id at every boot? Or just deleting it as part of the shutdown sequence?
xeyownt [3 hidden]5 mins ago
Whatever you do there will always be uniquely identifiable information (if not an id, a fingerprint) on your machine.
If you want to escape that, you have to use dedicated privacy-enhancing tools / browsers, but even then, it's very likely that you can still be identified by motivated adversaries.
It doesn't mean you have to give up, but, if such id is necessary for technical reasons in systemd (I guess it is), I wouldn't worry too much.
Eddy_Viscosity2 [3 hidden]5 mins ago
> motivated adversaries.
This sounds like you're referring to state actors and intelligence agencies, but really this applies to the entire advertising/surveillance industry of people trying to sell you a new flavor of soda.
xeyownt [3 hidden]5 mins ago
Sure, but the problem then is not systemd machineid, but rather the browser reading it and making it available for such identification (don't know if there is a browser out there doing that though).
Unless anonymization is provided by your browser, there is nothing you can do to prevent such identification technology run by these advertisers to build your profile, and send you targeted ads.
close04 [3 hidden]5 mins ago
> Unless anonymization is provided by your browser, there is nothing you can do to prevent such identification technology
The OS could treat certain apps as untrusted and spoof or limit the access to these unique identifiers.
ygjb [3 hidden]5 mins ago
That puts the OS in the position of attempting to profile or determine if an application is accessing OS, hardware, and user details to build a fingerprint, vs using those capabilities to do something the user intends, which puts the OS developer into a performance sucking, soul sucking arms race against big and little brother surveillance/advertising platforms. I absolutely support the intention, just know that it's a brutal battle :(
type0 [3 hidden]5 mins ago
And petty criminals that set up fake fake websites to steal your money, ad-networks are also commonly used to spread malware so limiting the number of attack surfaces is the only sane thing to do.
mmooss [3 hidden]5 mins ago
No security is perfect; there is always a way to bypass it. But security can be highly valuable.
vel0city [3 hidden]5 mins ago
When you go really hard with the privacy-enhancing tools, you can potentially just make yourself even more visible. When you're so far outside the normal way a user looks you're making yourself even more unique than if you had normal-ish looking identifiers.
It can take a lot of effort to make yourself truly just blend in and disappear.
gcr [3 hidden]5 mins ago
The supported method to get a new one each boot is to truncate the file to 0 bytes and disable systemd-machine-id-commit.service
Double-check that this method actually works though.
Machine ID is used for things like dhcp leases, log rotation, etc. IPV6 addresses or transient MAC addresses are derived from it
inigyou [3 hidden]5 mins ago
I thought the kernel generated SLAAC addresses based on MAC and privacy addresses based on random numbers.
The DUID is designed to be unique across all DHCP clients and servers, and stable for any specific client or server. That is, the DUID used by a client or server SHOULD NOT change over time if at all possible; for example, a device's DUID should not change as a result of a change in the device's network hardware or changes to virtual interfaces
layla5alive [3 hidden]5 mins ago
dhcp uses it by default nowadays.. but you can tell dhcp to use your mac address instead (like it used to)..
I went to check if Flatpak would protect against this but it seems although it's a wanted feature it's not so straightforward to implement: https://github.com/flatpak/flatpak/issues/4311
LtWorf [3 hidden]5 mins ago
firejail has a setting to protect against it.
CoastalCoder [3 hidden]5 mins ago
Thanks, I wasn't aware of that.
I have the urge to grab a pitchfork, but I know better than to make assumptions about why that functionality was added. Time to do some homework I guess.
ux266478 [3 hidden]5 mins ago
Wow, three pieces of software I don't use for other reasons, just gained a new reason to evangelize against them!
heresie-dabord [3 hidden]5 mins ago
The utility of and presence of unique identifiers in software should be no surprise.
But if you are using TelemetryOS (i.e. you cannot fully switch off the chatter) and your daily Web browser doesn't offer privacy extensions, you are the product.
MisterTea [3 hidden]5 mins ago
Sounds like chrome is the problem.
jcarrano [3 hidden]5 mins ago
In dbus, it seems the feature is intended for two processes to know they can access the same shmem and other system resources. I'm struggling to understand in which circumstances would that be useful.
salawat [3 hidden]5 mins ago
Creating an excuse for creating a machine-id to associate with network traffic. Sometimes, it is enough to have a plausible enough sounding reason to write down on paper, but you have to look at what something actually is. Any red blooded hacker knows there's what a tool is meant to be used for, and then there's what it can be used for. Less is more.
teaearlgraycold [3 hidden]5 mins ago
Trying to imagine a world where I use Chrome unironically.
ezoe [3 hidden]5 mins ago
But does browser send these id?
xeyownt [3 hidden]5 mins ago
No.
anthk [3 hidden]5 mins ago
As an Hyperbola user both systemd and dbus are a no-no there.
Nope, but Debian does use systemd by default so it's there.
I'm running Arch Linux and /etc/machine-id is present.
There's also an optional /etc/machine-info file that could exist. It's not a part of systemd and won't be created by default. It's more of an informal way to have details about the system in 1 spot. It was more popular when provisioning bare metal servers but still has value in the cloud. You can have key / value pairs on who to contact, where it's located, what type of machine it is, etc..
cryo32 [3 hidden]5 mins ago
FreeBSD has it as well.
noisy_boy [3 hidden]5 mins ago
> this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
Good founders already know this. Bad ones don't care.
reactordev [3 hidden]5 mins ago
Aww you missed the Ballmer Years. Chalked full of "me too!"'s and broken promises. But he was right about one thing. Developers, developers, developers...
gigel82 [3 hidden]5 mins ago
Tangentially related to Device ID: Apple is significantly worse when it comes to machine identifiers; even with Autopilot enabled you can still install Linux on a Microsoft Surface device (or even Windows if you don't use a Microsoft Account). With MDM locks, Apple devices are literally bricks (especially since all ram and storage is soldered down and locked/paired to the secure enclave chip).
merb [3 hidden]5 mins ago
Well Enterprises can also enroll Linux machines in intune
mc32 [3 hidden]5 mins ago
I remember a long time ago intel tried introducing unique IDs for their processors. People got up in arms made a big stink and intel put its tail between its legs. Many years later, the industry through a thousand little cuts has that and more with merely a whimper because it’s not a single big boogey entity but it’s diluted across hundreds of thousands of developers who deployed a myriad ways to fingerprint their users…
midtake [3 hidden]5 mins ago
To me this indicates that Microsoft has some sort of traffic analysis performed on endpoints, then linked to GDID. I'd guess this is part of Defender's real time protection or MAPS.
Fun fact, Microsoft Defender MAPS was previously named SpyNet.
The GDID identifier seems software in nature though. They could be more aggressive and tie it to the baseboard's serial number the way some games do. Then the hardware is tracked throughout its entire lifecycle, not just per instance of Windows install.
reactordev [3 hidden]5 mins ago
that's the idea behind SecureBoot and the TPM chip is to provide the GDID based on hardware fingerprint. Some games already do this as "anti-cheat" measurements (tracking you) and Microsoft has been doing it since Windows 7 days. It's just that the TPM now gives you that hardware authority.
gruez [3 hidden]5 mins ago
>that's the idea behind SecureBoot and the TPM chip is to provide the GDID based on hardware fingerprint
hard drive and motherboard serials have been around far longer than TPMs. Not to mention TPMs are far cheaper to replace than hard drives.
midtake [3 hidden]5 mins ago
Poster might mean that the TPM gives you some degree of non-repudiation since the TPM can cryptographically sign stuff.
Someone [3 hidden]5 mins ago
I guess we’ll see a Windows tool that sets your identifier to this suspect’s “g:6755467234350028” very soon (weird ID, by the way. 16-digits makes sense, but I would have expected it to be hexadecimal)
Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?
If it’s the browser sending that info to Microsoft, wouldn’t somebody have noticed that their PC contacts Microsoft for every web page they open? Or do they batch that data and send it at some later time?
Also, would that mean this ‘only’ affects those using Microsoft’s browser (or does Chrome do the same, sending data to Google?)
Alternatively, is this happening lower in the stack? I can think of a place where a system component has access to the domain name, but not of one where it has the full URL.
Kipters [3 hidden]5 mins ago
> (weird ID, by the way. 16-digits makes sense, but I would have expected it to be hexadecimal)
it's the decimal representation of a 64 bit integer
boopig [3 hidden]5 mins ago
It was Microsoft Defender SmartScreen in Edge I believe. The visited domain is submitted to Microsoft to check it against known malware and phishing sites. And, as we're learning here, it is associated with the GDID (and Microsoft Account) which can be accessed via law enforcement requests.
ndiddy [3 hidden]5 mins ago
A non-Edge browser would give the OS the domain name from the HTTPS connection and the page title because that's what it sets the window title to. I think that would be enough to identify the URL in a lot of cases (i.e. the sign-up URL sets the title to "ngrok Sign Up".
embedding-shape [3 hidden]5 mins ago
> Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?
That URL shows 16 blocked requests, it tries to load (at the very least) datadog and googletagmanager, I'm guessing the police simply reached out to all the analytics companies Ngrok ends up indirectly/directly sending data to, which ends up saving everything they get their hands on.
What surprises me the most is that the guy was using a Windows installation to do all of this. But then again, you only hear about the dumbest criminals who get caught, so I guess it does make sense after all.
advisedwang [3 hidden]5 mins ago
> I'm guessing the police simply reached out to all the analytics companies Ngrok ends up indirectly/directly sending data to, which ends up saving everything they get their hands on.
But those companies would have no way of knowing the GDID. It's not sent in a header, I assume.
ralferoo [3 hidden]5 mins ago
Converting that ID to hex gives 18,000F,C8CB,93CC which rather looks like 32 bits of random data plus the prefix 0x18000f or possibly 40-48 bits of time in ms granularity from some epoch.
materialpoint [3 hidden]5 mins ago
This goes a long way to prove that Microsoft does NOT care about your privacy, even if the header of their cookie consent claims so. They absolutely do not care, and this should be said about every big-tech vendor, not matter how lame it seems to say so. It is long overdue that we all say what needs to be said: they do not care about your privacy, your independence, or your well being. They DO NOT CARE.
istoleabread [3 hidden]5 mins ago
Big news: Fork found in kitchen
failbuffer [3 hidden]5 mins ago
Yeah, but it's galling we accept these big obvious lies in our society. A legitimate government would impose appropriately stern consequences for misleading and false advertising.
materialpoint [3 hidden]5 mins ago
Since you did not understand the point at all: There are regulations in place to force sites to "ask" for permissions to use cookies and track you. The point is that the regulations completely fail to force the sites to not blatantly lie, and wrap the "consent" with "we care".
kevin_thibedeau [3 hidden]5 mins ago
No site is forced to implement cookie consent. They all have the option to only use strictly necessary cookies without notification.
materialpoint [3 hidden]5 mins ago
That's just pedantic, because you know it is not the reality they choose. Most sites don't want to not track you. So they pretend they care about your privacy, and then proceed to collect and share data on you anyways.
nashashmi [3 hidden]5 mins ago
So this kid uses his home computer at his home, and they trace him down with the IP address, and the IP address also makes a request for Windows Updates. And that narrows down the Device ID. The device id is now traced to this kid.
This is the kind of stuff privacy advocates have been raising the alarms about. This is the kind of capability that de facto erased all privacy assertions. And further led companies like Google to take advantage of this and erase assumptions of privacy all together.
contubernio [3 hidden]5 mins ago
Does this not violate European privacy laws?
tosti [3 hidden]5 mins ago
Probably yes it does. Not that it matters when you hack a website to have some expensive jewelry sent to your home address.
weberer [3 hidden]5 mins ago
So what if it does? They'll get hit with a fine that will be the equivalent of 6 hours of revenue as they continue to be bastards.
Kipters [3 hidden]5 mins ago
GDPR only covers PII, this is a randomly generated ID that changes on every install on the OS.
You can mix it with other info to track a user, but it's not enough to de-anonymize someone on its own.
tjoff [3 hidden]5 mins ago
If they associate it with a Microsoft account (or anything that is identifiable) then it becomes PII.
And of course they are.
totaa [3 hidden]5 mins ago
unfortunately under GDPR, anonymous IDs are personal data as they are used to single out a data subject.
account42 [3 hidden]5 mins ago
unfortunately???
bigbuppo [3 hidden]5 mins ago
And remember, most of this telemetry is just marketing/ad tech, so anyone that works in the martech/adtech space, you're also part of this.
materialpoint [3 hidden]5 mins ago
The (not so) interesting part is how inefficient it is. Marketing by ads on the internet has less than 0.5% hit or click rate, and even then it is mostly accidental clicks due to the over-saturation of ads. It's not a real economy. It is just simply not actually worth it.
xnx [3 hidden]5 mins ago
Vague article. No evidence that Microsoft can see what web pages you are visiting in Chrome or Firefox (for example).
x______________ [3 hidden]5 mins ago
From the reply you're replying to:
> 27. Microsoft records also indicate: <...> a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
crtasm [3 hidden]5 mins ago
Or even Edge with these options turned off:
>Send optional diagnostic data to improve Microsoft products [Includes how you use the browser, websites you visit, and enhanced error reporting. Determined by your Windows diagnostic data setting]
>Allow Microsoft to save your browsing activity including history, usage, favourites, web content, and other browsing data to personalise and improve Microsoft Edge and Microsoft services like ads, search, shopping, news, and Copilot [Includes your history, usage, favourites, web content and other browsing data]
Alien1Being [3 hidden]5 mins ago
The most surprising part of this is a "hacker" using Windows ...
pluc [3 hidden]5 mins ago
US Tech is fast becoming like Russia's and China's.
d5lt5 [3 hidden]5 mins ago
Have you heard of a website called facebook?
pluc [3 hidden]5 mins ago
There was a time where the default assumption was functionality created tracking opportunities. Nowadays, it's more the opposite. Social media have always been on the forefront of monetizing data, but the same data in the hands of governments is used differently. My point is that the way you/we feel towards Facebook, the entire world is increasingly feeling about most, if not all, US tech.
I know people who won't use Israeli or Chinese-made tech for fears of sabotage. US tech is quickly making its brand in that market.
herbst [3 hidden]5 mins ago
I know people who avoid US tech and happily use Chinese or Russian tech here in central Europe. Not trusting US tech isn't new, it just gets a lot worse
BiteCode_dev [3 hidden]5 mins ago
I actually opened a yandex mail account 15 years ago because, since I was going to be tracked, at least it would be from people who have no friendly contact with most gov entities and companies in my society.
Sad.
herbst [3 hidden]5 mins ago
I heard same argument with telegram (however I wouldnt consider it to be Russian tech these days) but yes. Choose your poison, basically. And some entities definitely seem(ed) less evil to our society than others.
NordStreamYacht [3 hidden]5 mins ago
Israeli pagers are a blast.
inigyou [3 hidden]5 mins ago
It was originally called LifeLog and sponsored by the military as a data collection system to help them identify terrorists.
pessimizer [3 hidden]5 mins ago
Why when Americans do something do we feel like we have to mention the Russians and the Chinese?
Maybe I'm just bad at PR, though. If we call this "Chinese" behavior, maybe it will appeal a particular demographic who would normally support it in order to protect them from "Black Crime."
Android has one too. If you don't link your google account to an app, they can use your device id as your profile.
haussman [3 hidden]5 mins ago
Could this identification be through some alternate Windows service like Windows Update, Windows Time ntp server or Windows Defender?
zelphirkalt [3 hidden]5 mins ago
My surprise level is at approximately... zero.
Next we will see some news, that MS was compelled to share that info with some three letters. - Oh wait, that is exactly what has already happened, according to the article.
MS is just like that person, who drives a dagger into your back.
thewebguyd [3 hidden]5 mins ago
My thoughts exactly. Weren't they just caught recently handing over bitlocker keys (that get uploaded to MS by default when you sign in with a microsoft account) to the feds?[1]
Truly terrifying. But also shocking that a 'hacker' is using windows
efilife [3 hidden]5 mins ago
Some hackers want to spend their time doing cool stuff rather than constantly fixing their system
drw85 [3 hidden]5 mins ago
I switched to linux a year ago and in that year had less problems than on Windows.
I had some minor problems after updates once or twice. On Windows i had to boot into restore mode multiple times due to Windows Update screwing something up.
The MS Store also constantly had trouble updating apps and games and i had to manage packages manually and uninstall and reinstall them so it would work again until the next update.
The times were Windows is easy to use and fire and forget are long gone. The decline in quality is noticeable.
nehal3m [3 hidden]5 mins ago
Yeah, that’s why they install Linux
gcr [3 hidden]5 mins ago
when it comes to video gaming I’ve found Bazzite to be generally far less fiddly than windows 11, surprisingly
dizhn [3 hidden]5 mins ago
This is basically FUD and has been for at least 20 years. Please refrain from it. I am not fixing nothing daily.
anthk [3 hidden]5 mins ago
Actual hackers don't need to run debloating tools each boot getting tired of all the adware and bundled crap eating GB's of storage.
Actual hackers would use Guix System and actually hack really cool stuff and, yes, Guix (the package manager) would be eating GB's because of reproducibility... but at least you could restore your system from Grub anytime.
Probably a capability demanded through a TCN or TAN as part of a mechanism like Australias Access and Assistance bill.
diogenescynic [3 hidden]5 mins ago
I assume this likely true for nearly all device manufactures. I assume all devices have some kind of unique ID that they use for tracking, whether they said so or not.
blaqq2 [3 hidden]5 mins ago
I'm more surprised that this already isn't a known fact. I wonder exactly how far into each device activity is being tracked.
Terr_ [3 hidden]5 mins ago
TLDR: Microsoft can (at least) correlate your Windows installation to all website domains you visit while using Windows.
It's unclear what the mechanism is, but I'd wager their "telemetry" is constantly revealing your installation ID, your current IP, and domains that were recently resolved.
pogue [3 hidden]5 mins ago
The article links to this page, which was shared on HN yesterday. [1]
I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.
I would be shocked if Microsoft was not using their own layer of certificate-pinning to stop people from doing that, and/or using another layer of encryption separate from the networking layer.
pogue [3 hidden]5 mins ago
Only way to see what's going on is testing to see what's going on. Hopefully, someone who knows more about it than me can take a look at the packets and see what they contain.
cromka [3 hidden]5 mins ago
But you'd still see some encrypted traffic and it wouldn't fly under a radar
boopig [3 hidden]5 mins ago
It's Microsoft Defender SmartScreen in Edge.
You can also use the Windows Diagnostic Viewer to check the telemetry data being shipped to Microsoft. I'd be willing to bet that you could use Edge (with defaults) and see the URLs being sent to Microsoft but nothing would come from Brave, Firefox, Chrome etc.
8cvor6j844qw_d6 [3 hidden]5 mins ago
I was under the impression Windows is unreliable for these kind of activities as they are "leakish".
I imagine it's not too difficult to narrow down the potential suspects with how much data points you'd get from ISP, Windows telemetry, and whatever.
red_admiral [3 hidden]5 mins ago
"all" would be troubling indeed. I hope that someone can discover the mechanism, and whether it's depending on any settings like "Share browsing data with other Windows features" or any other settings.
echelon_musk [3 hidden]5 mins ago
Worse than just domains as TFA shows full URLs are recorded.
[1]: https://www.freedesktop.org/software/systemd/man/latest/mach...
Exactly how does Microsoft's device identifier get associated with the ngrok session (normally initiated via its closed-source CLI)?
I can't tell from the article whether Microsoft is doing something underhanded to inject its device identifiers into network traffic, or whether the ngrok client software (again, closed-source!) grabbed the device identifier… and might well do the same on any other OS, using /etc/machine-id on Linux for example.
Since ngrok uses a "freemium" model, it wouldn't surprise me at all if its clients send machine IDs to try to catch users trying to get around its free limits.
Does the Microsoft store imprint an identifier into the network traffic of all the binaries downloaded from it?
And if so, how?
All of ngrok's traffic is TLS encrypted which means that only the client software and the server/peer should be able to decrypt or modify it.
Hackers cloaked IP address -> VPN license -> Windows GDID -> Hacker's name.
It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning. Repeatedly the documents cite "Microsoft's records" for the activity - installing ngrok, accessing certain sites, RDP connections, etc.
Or I suppose it's possible that it only sends the domain and not the full URL, but that's enough for the police to go to the hoster and demand logs containing the full URL for said IP.
1. https://www.justice.gov/usao-ndil/media/1450651/dl?inline
Nope. That would be unbelievable but also very well known. It was a Windows software licensing matter, see my post above.
I was a big fan of Microsoft ten to fifteen years ago. I’ve since transitioned my whole family off Microsoft products now over to Linux, Apple, and proton. Edit: and Brave.
I really thought their corporate culture would’ve changed after the late 90’s but I guess this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
https://manpages.debian.org/trixie/systemd/machine-id.5.en.h...
https://manpages.debian.org/trixie/dbus-bin/dbus-uuidgen.1.e...
The number of things you need to try to keep track of merely _improve_ your privacy is maddening. The whole world seems to be against you.
It’s best to focus your efforts into rotating these IDs.
I’ve seen that it uses a different init system and doesn’t rely on either dbus or systemd
And you should be running the browser inside firejail at all times.
If you want to escape that, you have to use dedicated privacy-enhancing tools / browsers, but even then, it's very likely that you can still be identified by motivated adversaries.
It doesn't mean you have to give up, but, if such id is necessary for technical reasons in systemd (I guess it is), I wouldn't worry too much.
This sounds like you're referring to state actors and intelligence agencies, but really this applies to the entire advertising/surveillance industry of people trying to sell you a new flavor of soda.
Unless anonymization is provided by your browser, there is nothing you can do to prevent such identification technology run by these advertisers to build your profile, and send you targeted ads.
The OS could treat certain apps as untrusted and spoof or limit the access to these unique identifiers.
It can take a lot of effort to make yourself truly just blend in and disappear.
Double-check that this method actually works though.
Machine ID is used for things like dhcp leases, log rotation, etc. IPV6 addresses or transient MAC addresses are derived from it
The DUID is designed to be unique across all DHCP clients and servers, and stable for any specific client or server. That is, the DUID used by a client or server SHOULD NOT change over time if at all possible; for example, a device's DUID should not change as a result of a change in the device's network hardware or changes to virtual interfaces
https://askubuntu.com/questions/1498611/ubuntu-dhcp-client-u... (linked because depending on version, there are several different ways to make this change..)
I have the urge to grab a pitchfork, but I know better than to make assumptions about why that functionality was added. Time to do some homework I guess.
But if you are using TelemetryOS (i.e. you cannot fully switch off the chatter) and your daily Web browser doesn't offer privacy extensions, you are the product.
https://dbus.freedesktop.org/doc/dbus-uuidgen.1.html
I'm running Arch Linux and /etc/machine-id is present.
There's also an optional /etc/machine-info file that could exist. It's not a part of systemd and won't be created by default. It's more of an informal way to have details about the system in 1 spot. It was more popular when provisioning bare metal servers but still has value in the cloud. You can have key / value pairs on who to contact, where it's located, what type of machine it is, etc..
Good founders already know this. Bad ones don't care.
Fun fact, Microsoft Defender MAPS was previously named SpyNet.
https://en.wikipedia.org/wiki/Microsoft_Active_Protection_Se...
The GDID identifier seems software in nature though. They could be more aggressive and tie it to the baseboard's serial number the way some games do. Then the hardware is tracked throughout its entire lifecycle, not just per instance of Windows install.
hard drive and motherboard serials have been around far longer than TPMs. Not to mention TPMs are far cheaper to replace than hard drives.
Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?
If it’s the browser sending that info to Microsoft, wouldn’t somebody have noticed that their PC contacts Microsoft for every web page they open? Or do they batch that data and send it at some later time?
Also, would that mean this ‘only’ affects those using Microsoft’s browser (or does Chrome do the same, sending data to Google?)
Alternatively, is this happening lower in the stack? I can think of a place where a system component has access to the domain name, but not of one where it has the full URL.
it's the decimal representation of a 64 bit integer
That URL shows 16 blocked requests, it tries to load (at the very least) datadog and googletagmanager, I'm guessing the police simply reached out to all the analytics companies Ngrok ends up indirectly/directly sending data to, which ends up saving everything they get their hands on.
What surprises me the most is that the guy was using a Windows installation to do all of this. But then again, you only hear about the dumbest criminals who get caught, so I guess it does make sense after all.
But those companies would have no way of knowing the GDID. It's not sent in a header, I assume.
This is the kind of stuff privacy advocates have been raising the alarms about. This is the kind of capability that de facto erased all privacy assertions. And further led companies like Google to take advantage of this and erase assumptions of privacy all together.
You can mix it with other info to track a user, but it's not enough to de-anonymize someone on its own.
And of course they are.
> 27. Microsoft records also indicate: <...> a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
>Send optional diagnostic data to improve Microsoft products [Includes how you use the browser, websites you visit, and enhanced error reporting. Determined by your Windows diagnostic data setting]
>Allow Microsoft to save your browsing activity including history, usage, favourites, web content, and other browsing data to personalise and improve Microsoft Edge and Microsoft services like ads, search, shopping, news, and Copilot [Includes your history, usage, favourites, web content and other browsing data]
I know people who won't use Israeli or Chinese-made tech for fears of sabotage. US tech is quickly making its brand in that market.
Sad.
Maybe I'm just bad at PR, though. If we call this "Chinese" behavior, maybe it will appeal a particular demographic who would normally support it in order to protect them from "Black Crime."
MS is just like that person, who drives a dagger into your back.
Windows is malware.
[1] https://www.forbes.com/sites/thomasbrewster/2026/01/22/micro...
I had some minor problems after updates once or twice. On Windows i had to boot into restore mode multiple times due to Windows Update screwing something up.
The MS Store also constantly had trouble updating apps and games and i had to manage packages manually and uninstall and reinstall them so it would work again until the next update.
The times were Windows is easy to use and fire and forget are long gone. The decline in quality is noticeable.
Actual hackers would use Guix System and actually hack really cool stuff and, yes, Guix (the package manager) would be eating GB's because of reproducibility... but at least you could restore your system from Grub anytime.
https://news.ycombinator.com/item?id=48811081
It's unclear what the mechanism is, but I'd wager their "telemetry" is constantly revealing your installation ID, your current IP, and domains that were recently resolved.
I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.
[1] https://github.com/SmtimesIWndr/gdid-reversal
You can also use the Windows Diagnostic Viewer to check the telemetry data being shipped to Microsoft. I'd be willing to bet that you could use Edge (with defaults) and see the URLs being sent to Microsoft but nothing would come from Brave, Firefox, Chrome etc.
I imagine it's not too difficult to narrow down the potential suspects with how much data points you'd get from ISP, Windows telemetry, and whatever.
Reminds me of Google Safebrowsing.