Could be using Edge (Account syncing), or using Bing while signed in (Considering they were signing into private accounts while on the VPN, seems possible)
This seems the most likely… but still I want clarity on the mechanism. An identifying token defined in the registry is being sent over the wire. That mechanic is pretty substantial, and I’m surprised a bigger fuss hasn’t been made about that. This is pretty far beyond conventional header fingerprinting.
From other articles I’ve seen (Here’s an example) it was telemetry and cross referencing the IPs used.
VPNs might help hide from passive identification, but they don’t help when you connect to the same service on your normal and private connections alternatively. The computer equivalent of using both your real name and an alias with the same person, they’ll know who you are.
It mentions this GDID is sent in telemetry. So this guy kept using a hosted proxy, meaning his egress IP was always changing accessing different services, but everytime his Windows 11 machine was sending back telemetry (which included his GDID) they were logging the IP address he was appearing from (the proxy) - so they were able to track and identify him.
If you use your Microsoft account to login, they have to be able to identify you somehow when you try to authenticate. It is basic usage. Not Telemetry. That is what caught him.
Any authentication is to establish an identity. At what point does that involve getting a unique id associated with an OS installation instance?
My original question is how the hardware id and ngrok get associated at all.
So, after getting frustrated and just going to sign up for an account myself, it looks like ngrok has options to sign is as a Google account, or sign in as a github account.
I’m guessing they picked github, and that’s why Microsoft had any visibility at all on the fact that they accessed a site that isn’t owned by Microsoft.
It still doesn’t answer the question of how the browser knows this id which is set at the os level. It still begs the question of what github authentication looks like differently between operating systems. Obviously a osx or Linux machine wouldn’t have that id at all. Is it part of the initial authentication request? Is there some kind of challenge and response?
Identifier. Not tracker. They’re not phoning home, thank god.
Ugh… How do you think they correlated the GDID to his social media?
His social was logged into with that identifier
From the article:
Why does Microsoft have a record that includes both the GDID and a web addresses? I am confused by this mechanism.
Because everything you do is tracked
Could be using Edge (Account syncing), or using Bing while signed in (Considering they were signing into private accounts while on the VPN, seems possible)
This seems the most likely… but still I want clarity on the mechanism. An identifying token defined in the registry is being sent over the wire. That mechanic is pretty substantial, and I’m surprised a bigger fuss hasn’t been made about that. This is pretty far beyond conventional header fingerprinting.
From other articles I’ve seen (Here’s an example) it was telemetry and cross referencing the IPs used.
VPNs might help hide from passive identification, but they don’t help when you connect to the same service on your normal and private connections alternatively. The computer equivalent of using both your real name and an alias with the same person, they’ll know who you are.
Yep. Assume the worst, imo
and how do you think the social account was linked with said identifier?
Because that identifier is logged by the website when he logged in.
deleted by creator
It mentions this GDID is sent in telemetry. So this guy kept using a hosted proxy, meaning his egress IP was always changing accessing different services, but everytime his Windows 11 machine was sending back telemetry (which included his GDID) they were logging the IP address he was appearing from (the proxy) - so they were able to track and identify him.
If you use your Microsoft account to login, they have to be able to identify you somehow when you try to authenticate. It is basic usage. Not Telemetry. That is what caught him.
This is where I’m really fuzzy on the mechanics.
Any authentication is to establish an identity. At what point does that involve getting a unique id associated with an OS installation instance?
My original question is how the hardware id and ngrok get associated at all.
So, after getting frustrated and just going to sign up for an account myself, it looks like ngrok has options to sign is as a Google account, or sign in as a github account.
I’m guessing they picked github, and that’s why Microsoft had any visibility at all on the fact that they accessed a site that isn’t owned by Microsoft.
It still doesn’t answer the question of how the browser knows this id which is set at the os level. It still begs the question of what github authentication looks like differently between operating systems. Obviously a osx or Linux machine wouldn’t have that id at all. Is it part of the initial authentication request? Is there some kind of challenge and response?