Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?
If it’s the browser sending that info to Microsoft, wouldn’t somebody have noticed that their PC contacts Microsoft for every web page they open? Or do they batch that data and send it at some later time?
Also, would that mean this ‘only’ affects those using Microsoft’s browser (or does Chrome do the same, sending data to Google?)
Alternatively, is this happening lower in the stack? I can think of a place where a system component has access to the domain name, but not of one where it has the full URL.
I was a big fan of Microsoft ten to fifteen years ago. I’ve since transitioned my whole family off Microsoft products now over to Linux, Apple, and proton. Edit: and Brave.
I really thought their corporate culture would’ve changed after the late 90’s but I guess this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
https://manpages.debian.org/trixie/systemd/machine-id.5.en.h...
https://manpages.debian.org/trixie/dbus-bin/dbus-uuidgen.1.e...
I have the urge to grab a pitchfork, but I know better than to make assumptions about why that functionality was added. Time to do some homework I guess.
Fun fact, Microsoft Defender MAPS was previously named SpyNet.
https://en.wikipedia.org/wiki/Microsoft_Active_Protection_Se...
The GDID identifier seems software in nature though. They could be more aggressive and tie it to the baseboard's serial number the way some games do. Then the hardware is tracked throughout its entire lifecycle, not just per instance of Windows install.
I know people who won't use Israeli or Chinese-made tech for fears of sabotage. US tech is quickly making its brand in that market.
> 27. Microsoft records also indicate: <...> a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
>Send optional diagnostic data to improve Microsoft products [Includes how you use the browser, websites you visit, and enhanced error reporting. Determined by your Windows diagnostic data setting]
>Allow Microsoft to save your browsing activity including history, usage, favourites, web content, and other browsing data to personalise and improve Microsoft Edge and Microsoft services like ads, search, shopping, news, and Copilot [Includes your history, usage, favourites, web content and other browsing data]
MS is just like that person, who drives a dagger into your back.
I had some minor problems after updates once or twice. On Windows i had to boot into restore mode multiple times due to Windows Update screwing something up.
The MS Store also constantly had trouble updating apps and games and i had to manage packages manually and uninstall and reinstall them so it would work again until the next update.
The times were Windows is easy to use and fire and forget are long gone. The decline in quality is noticeable.
It's unclear what the mechanism is, but I'd wager their "telemetry" is constantly revealing your installation ID, your current IP, and domains that were recently resolved.
I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.
I imagine it's not too difficult to narrow down the potential suspects with how much data points you'd get from ISP, Windows telemetry, and whatever.
Reminds me of Google Safebrowsing.
If you want to escape that, you have to use dedicated privacy-enhancing tools / browsers, but even then, it's very likely that you can still be identified by motivated adversaries.
It doesn't mean you have to give up, but, if such id is necessary for technical reasons in systemd (I guess it is), I wouldn't worry too much.
This sounds like you're referring to state actors and intelligence agencies, but really this applies to the entire advertising/surveillance industry of people trying to sell you a new flavor of soda.
Double-check that this method actually works though.
Machine ID is used for things like dhcp leases, log rotation, etc. IPV6 addresses or transient MAC addresses are derived from it
https://askubuntu.com/questions/1498611/ubuntu-dhcp-client-u... (linked because depending on version, there are several different ways to make this change..)