There’s a very easy trick to defeat this: use Linux.
No you don’t understand… I’ve spent the last 30 years investing in increasingly awful software companies to create “industry standards” and leaving these companies behind would require me to change and learn!!!
I talked with the women i’m working with where we print our price lists about changing from adobe to something else and she told me it would be a bad idea since it would make both of our work much more buggy and time consuming with more chances of the end result being worse. So i’ll keep using indesing and the adobe suite for now but i did switch from sketchup to blender for 3D modeling and it’s a bit challenging and more messy then i’m used to but i get better rendering results from what i tried so far.
As long as you can export to the same format, it shouldn’t matter from the print shop’s perspective, no? They just see the same file they would’ve always seen.
The way we work together is by exchanging full fresh indesing pakages that contain the main indd, the idml, a pdf, the links folder and the fonts folder so that we always have everything we need.
Sorry if this is a dumb question, I don’t know anything about graphics design, just about the technology behind it.
Why do you send all these things as separate files? Is just a rasterised or vector export of the project not enough?
Sounds like the design world really needs a standardised container format that can contain all these separate things otherwise.
So many issues with the world boils down to that last part, people refusing to change and learn. I never understood it, I’ve always loved change and learning. I’ve seen so many people go from having that same openness to only caring about keeping everything the same and never learning, it’s really disturbing. Some are like that from a very early age, others fall into it at any other part of their lives and it’s never a good thing IMO.
Even worse!
Admitting that I was not always doing the most sensible thing, at all times! That I was actually doing really stupid things, for a long time!
I … I can’t make mistakes… no … reality is wrong!
Realizing you’re making mistakes and continuing anyway is the problem.
Yes, I’m trying to be hyperbolically facetious, to illustrate that.
At some point you just have to leave the software behind. That time is now!
If your system uses systemd, it has an etc/machine-id, which is used for a lot of different things. And changing it will break a lot of stuff, probably until you reboot. I guess you could write something to randomly shuffle it every time you reboot? But it is the go-to way for lots of programs (including browsers) to identify themselves. Which means (unless you have done the work to scramble your machine ID) you can be tracked on Linux as well.
The difference is that Linux isn’t sending telemetry to some central entity associating that ID to an IP.
Microsoft’s records showed that at that exact same minute, a Windows device carrying GDID g:6755467234350028 had visited the ngrok signup page. Three hours later, the same GDID visited the retailer’s own website, through the same Tzulo proxy address used to set up the ngrok account.
This article is super vague about this as well. How does Microsoft not only have the GDID->IP link, but they have Web history as well? Are they just exposing all this through advertising telemetry?
Fucking gross. And if you know of anything on Linux exposing/transmitting the machine-id, please do let everyone know because nothing should. Anything that does should be considered malware.
It’s not just Windows tracking your web browsing history. GPU drivers do it too. Source: https://www.neowin.net/news/intel-windows-driver-to-now-collect-user-telemetry-data-like-website-categories-by-default/
It’s not just Windows tracking your web browsing history. GPU drivers do it too.
…on Windows. if you explicitly install their malware and agree to data sharing.
I should have clarified, but yes it’s the windows GPU drivers. Though even on Linux, it’s hard to know what the proprietary GPU drivers do, but from what I read they don’t collect telemetry by default. Luckily Nvidia is developing official open source drivers now so we won’t have to worry about these things.
Also note that for the Windows Nvidia drivers, it’s fairly annoying to disable all telemetry. It’s not just an option in the installer. You have to use unofficial third party tools.
That’s wild. Shit like this makes me distrust proprietary drivers
I distrust proprietary anything at this point
i think i remember hearing the dbus machine-id being read by google chrome on linux. it could be used for privacy violation with proprietary software, though i personally consider linux machines with chrome or equivalent software installed compromised.
Another user said they think machine-id is readable by the browser. This is absolutely true, machine-id is working as described when it is read by any web browser.
So Linux isn’t sending your unique id to a central entity that can associate it with your ip, it’s sending your unique id to any entity you browse to that can then associate it with your ip.
If you’re really worried about that, just change it every time you boot or something. There’s a kernel parameter to change it.
There is not a parameter to automatically change it every time the system boots, that solution doesn’t work for machines that don’t reboot often and it breaks stuff in systemd as volunteered by many people talking about it online and as verified by me two weeks ago when I tried that.
I never said there was. There is however a kernel parameter to change the machine id, which I did say.
What you said was that if a person was actually worried about it there is a kernel parameter to change it.
My reply was not intended to refute what you said but instead to illustrate how that approach doesn’t solve the problem of tracking and is not a workable solution for many systems and users.
I made that reply to help you and any reader understand the depth and breadth of the problem, not to start a fight.
It’s intended to be read by applications on the system. That’s like its whole purpose. If you know of any browsers sending it or otherwise making it available without hashing it with an application key first, that would be a problem.
Yes as I said it’s working as intended. The point of machine id is to id a machine.
A better solution would be to not rely on the various programs to hash the unique id and instead have the host read it, hash it and provide the hash to the program that asked.
Yes as I said it’s working as intended. The point of machine id is to id a machine.
Your claim was that Linux was “sending your unique id to any entity you browse” which is misleading at best.
machine-idshould never be transmitted and if it is, that software should be considered spyware.A better solution would be to not rely on the various programs to hash the unique id and instead have the host read it, hash it and provide the hash to the program that asked.
That doesn’t solve anything, really. There’s plenty of ways to fingerprint a machine that doesn’t involve the
machine-id.Machine-id is read as plaintext by programs and transmitted as plaintext by programs.
Hashing the unique id from the host side as opposed to trusting programs to read it and act in a way the user understands and deems appropriate is a much better method of handling calls to identify the equipment than just letting programs read your standardized unique id.
And the above would literally solve something, it would keep programs from just walking directly across the mat tee posing to get a unique id and force them to do some kind of jetpack backflip routine that, when presented to a court, is much more tenuous.
This article is super vague about this as well. How does Microsoft not only have the GDID->IP link, but they have Web history as well? Are they just exposing all this through advertising telemetry?
My interpretation was that they had an IP that they suspected was the perp’s home network, and subpoena’d some major platforms to confirm beyond a shadow of a doubt. Given the perp’s sloppiness in using the same machine for both personal and illicit computing activities, they could even have some network traffic in the capture to indicate which platforms they should subpoena
Or if we want to be more conspiracy-minded, maybe they installed a trojan on his computer and this is the parallel evidence trail that law enforcement created so they don’t have to admit to hacking the hackers
Or he used Edge, so Microsoft just has all his browsing data.
also there’s the TPM chip.
Upvoting both comments for awareness, since Linux is the first of a multi-step process, not a privacy panacea.
But we must be clear that in both theory and practice there’s little comparison between systemd and modern Windows machine-user association.
Someone using Windows regularly has a gaping wound, is actively bleeding out. Switching to Linux is just a tourniquet, but every other treatment is at best no-effect until that tourniquet is applied.
E: transpose
systemd/Windows for clarityAlso as a life long programmer, I have this feeling it is possible to just go in and make some changes so I can have the system just make shit up about the TPM while indeed also doing the equivalent of having system-d decide to respond with random bullshit.
Don’t even need to be a programmer, just find a community of them that you trust that distribute their own “fixes”.
Definitely not doing that with anything else because its both hidden in compilation and buried like herpes across multiple components. Probably/hopefully not directly related but I really want to know what they changed to break the clipboard service.
And you’d be technically correct, the best kind of correct.
To the inquisitor:
any distro that’s fully OSS can be fully compiled from scratch with any modifications you choose).
Though yes, if you’re still using Windows, the learning curve may look like a wall.
I really want to know what they changed to break the clipboard service
Guessing the X11 [X]Wayland migration KDE Plasma bug report? Should be fixed in 6.5.2.
Adjacent comment. I’ve found working in a true posix environment is drastically better than the oddities I dealt with Win32. One annoyance is Microsoft has never been able to implement
fork().Though i never messed with x11 as I was never motivated to see what it was like under the figurative hood.
It really is a hell of a lot more sane, instantly missed once you don’t have it. And yeah Fork’s a blessing when used with care lol
Sorry, switched contexts there. Microsoft broke their clipboard service recently which makes me think they added “telemetry” collecting logic somewhere in there.
Oh right, I misread. And yeah not sure (my win32 repro targets have all been locked for a while) but with all the facepalm regressions I’ve read about lately it really could be anything.
Yeah, motherboard-level tracking is scary because even the OS won’t be able to detect it. The truly paranoid people (and security researchers) go as far as desoldering chips to ensure nothing phones home.
Where in the source does Firefox expose machine-id to websites?
With a quick grep I’m only seeing it around audio?
I wouldn’t call overhauling your entire operating system, including finding alternatives to software you use daily, making sure your hardware is compatible and relearning your entire work method as an “easy trick”.
In any other context I’d agree with you, but hacking is the one context where you really do want to do things the hard way. Use ephemeral VMs with passwords only saved in your head, have a dedicated machine for your illegal activities to help isolate your real identity from your hacking.
Honestly even if you’re just doing HackTheBox and similar best practice is to spin up a Kali VM and only use that VM for the activity since you’re literally connecting to a network with a bunch of hackers, even though what you’re doing is entirely above the board
I think you might actually be surprised…
If that hacker only knew about tracking by Windows…
I switched to Linux Mint a long ass time ago. Micropenis can go fuck themselves.
So they’re saying that all these “secret” societies online, like the Peter Thiel psychopathy, are relatively easily identified and rounded up and prosecuted to the fullest extent of the law, and they’re just choosing not to do it? I’m shocked.
I mean Epstein was actively talking about his crimes over plaintext Gmail
Why would they catch pedophiles? Their founder is one
I can’t believe Microslop would do something like this to its loyal customers!
What idiot hacker uses Windows?
A genz hacker. In a world where “hacking” is writing prompts and calling IT help desks.
and calling IT help desks.
It always amazes me how much people shit talk social engineering, when it’s been a power house for hackers since the beginning.
The human (or I guess AI now) element is always the weakest link
Wait, calling IT Help Desks isn’t social engineering now?
It always is. Even if you’re actually calling for help, you need to basically trick them into helping you these days.
Tbf, some of the best hackers were social engineering their way into the backend just by calling up certain support numbers in the 80s
I refuse to call social engineers hackers, conmen is more fitting.
Hacking is making something work in an unconventional or unexpected way. Social engineers hack people in that way.
Defcon would disagree. I’ve watched so many presenters talk about all forms of penetration testing, many of which used social engineering and lockpicking as a way to create exploitable vulnerabilities in networks. Whether or not you care to call them hackers… It doesn’t really matter, won’t stop them from hacking.
The weakest link in cybersecurity are usually the users after all.
You can refuse to call them hackers, everyone is entitled to be wrong about something.
Kevin Mitnick was a prolific hacker who used social engineering regularly to infiltrate, and hackers still do today. Humans are a massive weak point in any org, that’s why we have to take quarterly training not to be a moron and let someone into our network through doing something stupid.
Mitnick was also a hacker, but I never considered his social engineering feats as hacking themselves. They were definitely what let him accomplish his goals though and I consider those skills adjacent, just like lock picking. If you see someone picking a lock, I doubt your brain says “OMG a hacker!”.
Real hackers social-engineered their way into high security systems decades before the first blue haired femboy nerd proudly announced “Btw i am usin Arch!”
Sounds like the tagline for a really crap movie. How far we’ve fallen from two people on one keyboard.
Don’t forget breaking out a second keyboard, but both people use one hand on each keyboard instead of one keyboard each!
I know, right. . . Now that’s real hacking!
Gen Z knows how to use Windows?
A script kiddie
None of the articles I’ve read about this explains how the GDID gets mapped onto the user’s activity.
“Windows device carrying GDID g:6755467234350028 had visited the ngrok signup page”
So does it mean that Windows monitors your activity outwith just Microsoft services and sends all data to their servers? Is it maybe MS Edge history sync?
I was gonna comment something about Linux distro also having a machine ID, but then I remembered that it’s not in a big database, and it’s so well enforced I routinely have multiple machines with the same ID pop up :D
Linux users will probably tell you their id if you ask them nicely and seem interested in their distro of choice.
I’ve been using Linux for more than 10 years and I had no idea this was a thing lol.
But yeah after reading up on it I don’t see the issue with giving someone this id (though I also don’t see any reason why someone would need it). It’s just a file on disk that can be changed at will with a kernel parameter.
The level of naivete to think it’s a good idea using a microsoft account on a microsoft product for your illegal activity is astounding. Especially when you consider the amount of technical knowledge required to do such a thing.
I legitimately cannot make that connection, Microsoft has never been shy about tracking you or their tight relationship with 3 letter agencies. It doesn’t take a genius to know they are going to snitch, I figured that was a foregone conclusion.
Kids need to learn about OPSEC.
Agreed, using the same device for illegal and personal activity is dumb.
Then why haven’t we heard about all the criminals (pedophiles, terrorists,…) being caught by Microsoft surveillance? Because they don’t care about the crimes you do. Their tracking is for money making only.
If I were a criminal I would not bank on it - they might use it for blackmail, too - but for the most part they are not in danger.
The current federal government is pedophiles, they aren’t going to arrest themselves.
Because you aren’t looking they take down people and groups all the time, it’s not their job to prosecute
Yeah. What a moron.
Cant wait for someone to make or reveal they already have a GDID spoofer and can now make grandma look like the worlds number 1 hacker.
My laptop came with Win11, I’ve removed that drive a few months ago and replaced it with Mint.
Does this mean MS has my motherboard, WiFi, other hardware identifiers that would still tie that laptop to their database?
Yup!
Motherboard, CPU, GPU models and serial numbers. Ram size and speed. Those were used during Windows activation as old as windows 95. But likely yes, a full list of every component connected.
Your Android phone collects every WiFi network it has ever seen and sends it to Google, so we should assume Microsoft does the same (Android can locate you without GPS by using your neighbors’ WiFi signals as position identifiers, and can triangulate you to a few feet using the relative networks’ signal strengths)
GrapheneOS babyyyyy
Cannot wait for the Motorola/GrapheneOS collab phones.
And if you dont have Pixel, try /e/os, SailfishOS, Mobian, PostmarketOS or anything other than vendor Android.
Um… You’re aware that your pixel was known to google before you graphened it?
Never knew a google account, so it was known to Google but not to me. … but while on the topic, know of a better option?
Jolla Phone is just starting to ship
Promising…
so it was known to Google but not to me
Right, but you can assume google knows the imei and other hardware details, so they can probably link you to your identity on other platforms.
There is also the baseband issue. It is currently assumed that manufacturers could have access to snoop your LTE/5g and WiFi traffic, because the software running most phone baseband units is closed and not audited.
So you are probably private, but if you really want a phone with no Big Brother, you should get one from Pine64 or Jolla.
I’d love to. I bought an early pinephone and after about a day of trying to make it do basic functions I gave up. I’d LOVE to have a real Linux option but in my experiences so far we’re not there yet. I don’t see a better option than Graphene at the moment- it’s that solid.
Yes, I agree. We might not have rock-solid solutions, but less google is better.
I keep a oneplus 6t just to test Linux phone options.
Wait, what is the solution then? Genz are not going to settle on 10 yo laptop. They are going to buy new expensive AI-ready windows machine, replacing with Linux will do nothing privacywise? The only viable alt is to buy some obscure Linux laptop or old device? How old should it be anyway?
Oh, so to clear up confusion - switching to Linux destroys the local storage of the GDID, and Linux has generally much better privacy (to the degree the OS is involved - browser privacy is a related subject). However, it doesn’t undo the past - if you previously signed in with your MS account on that system, Microsoft will have that record in perpetuity.
Best solution would be to wipe any system you acquire without ever signing in to Microsoft. While switching to Linux will not change any of the components serial numbers that Microsoft has, you will at least not be actively associating most of your web activity with your M$ account.
Tangent - if you’re gonna do shady stuff, use VMs or TailsOS.
Android phone collects every WiFi network it has ever seen and sends it to Google
Possibly, but how often do you use WiFi on a phone?
Possibly, but how often do you use WiFi on a phone?
Basically whenever I’m at home or a relative’s house?
But why? Mobile networks are very fast nowadays. And how many homes still have routers?
…are you joking?
I would have used WiFi on my phone perhaps two or three times in the last year. My home does have a router, because we’re dinos, but most new houses don’t since everyone has a smartphone anyway.
fast ≠ widespread or consistent. mobile data tends to have excruciatingly low upload speeds (at least in my region)
Ah, then it makes sense.
Please note: I didn’t say you had to connect to these networks. This happens as a background process unless you do a ritual to shut off location services and actively work to keep it off. Most people do not know/care to do this. And even if it’s off in settings, some apps have the permission to temporarily override this (and will ask you once to grant it such permission and then have that permission for the lifetime of the app). And regardless of which app overrides said setting, Google gets a copy of whatever the background scan finds (for all Android phones that have the Play store installed, which is most of them).
Am I the only person who switches off the WiFi after use? I thought that was common advice to save battery.
I use WiFi at home and friends. I use cellular for work and travel (usually between home and friends). I’m glad you have a simple enough arrangement that it’s worthwhile to manage it by hand.
Further, in recent versions of Android, factory settings are set to automatically turn WiFi back on if turned off - plus there’s several methods to indirectly turn WiFi back on (https://thedroidguy.com/stop-android-turning-wifi-on-automatically-1261625). This is that dark patterns thing. Getting people to do what you want by being frictionless with your preferred options and ‘polite’ but obstinate about options you wish to steer people away from.
I use WiFi at home and friends.
This is the part I don’t understand. Mobile data would work in your houses too, right?
Further, in recent versions of Android, factory settings are set to automatically turn WiFi back on if turned off
I haven’t seen this happen, but I use MIUI (Xiaomi’s Android ROM) which tends to be aggressive in limiting battery use. It will actually cut hotspot if unused for a few minutes.
This is the part I don’t understand. Mobile data would work in your houses too, right?
Actually, first - ironically mobile coverage is terrible right at my new home since I moved. Great about 200 yards from home and most everywhere I go, but there’s a weird blind spot at my address specifically.
Second, Most mobile data plans are 30-80 Mbps†, most home WiFi plans are 300 Mbps-1Gbps†. WiFi isn’t just faster, it’s a lot faster. † your milage may vary, these are based on my experience
Finally, again this is another case of maybe I’m weird, but my friends and I are into retro gaming, and self-hosting and both of those have LAN-specific options that only work within the WiFi and home network.
If it was registered, probably. They use a mixture of that to allow re-enabling the same license on the same hardware.
OEM systems come with the license key stored in the firmware (ACPI tables specifically), you can read them from *nix easily enough.
sudo strings /sys/firmware/acpi/tables/MSDMIf you boot the system and login an account then yeah they’ll be able to link that, but the install itself can “self activate”.
Its doesn’t have a off switch but you can generate a new one.
Elaborate, Please…
I don’t remember the command but it was easy to find. There are a couple of ways to do it. I used a scheduled power shell script for the persons computer I did it for. They used it to avoid a annoying set of trackers that kept her from getting the lowest price on some equipment website. That was in 2020 or 2021.
Edit: I was mistaken about what generated ID I was talking about. You can however change GDID but it will force microsoft to reregister the installation so I don’t know how many times you could do it before microsoft refuses to do it again
By design.

Ctrl-f NSAKEY (sees nothing) — it seems the internet has forgotten the NSAKEY debacle https://en.wikipedia.org/wiki/NSAKEY
Identifier. Not tracker. They’re not phoning home, thank god.
Ugh… How do you think they correlated the GDID to his social media?
It mentions this GDID is sent in telemetry. So this guy kept using a hosted proxy, meaning his egress IP was always changing accessing different services, but everytime his Windows 11 machine was sending back telemetry (which included his GDID) they were logging the IP address he was appearing from (the proxy) - so they were able to track and identify him.
If you use your Microsoft account to login, they have to be able to identify you somehow when you try to authenticate. It is basic usage. Not Telemetry. That is what caught him.
This is where I’m really fuzzy on the mechanics.
Any authentication is to establish an identity. At what point does that involve getting a unique id associated with an OS installation instance?
My original question is how the hardware id and ngrok get associated at all.
So, after getting frustrated and just going to sign up for an account myself, it looks like ngrok has options to sign is as a Google account, or sign in as a github account.
I’m guessing they picked github, and that’s why Microsoft had any visibility at all on the fact that they accessed a site that isn’t owned by Microsoft.
It still doesn’t answer the question of how the browser knows this id which is set at the os level. It still begs the question of what github authentication looks like differently between operating systems. Obviously a osx or Linux machine wouldn’t have that id at all. Is it part of the initial authentication request? Is there some kind of challenge and response?






















