• placebo@lemmy.zip
    link
    fedilink
    English
    arrow-up
    22
    ·
    4 hours ago

    Now for the version in plain English: Sign into Windows with a Microsoft Account, and a server assigns your installation a permanent ID number. Windows stores it locally, several background services read it, and it gets stamped onto activity your PC reports back to Microsoft.

    Wait. I understand that this ID is used for Windows <> Microsoft communications. How did it escalate them to knowing that this ID was used to visit ngrok and the retailer’s website? Does Windows report website visits? Does it append this ID to HTTP requests? Or what’s the connection here?

    • RainbowBlite@piefed.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      51 minutes ago

      The connection is that Windows records everything you do. So the FBI asks for every Windows user who accessed a specific site around a date/time and Microsoft can provide that.

      You accessed a site over VPN? Your ISP has no idea it was you, , and the VPN didn’t keep records, but Windows recorded that and sent it back to the mothership with your unique identifier.

      • angband@lemmy.world
        link
        fedilink
        arrow-up
        5
        ·
        2 hours ago

        Exactly it, and their claim that it is stored with bitlocker level encryption is obviously meaningless if they have the keys.

        • 4am@lemmy.zip
          link
          fedilink
          arrow-up
          7
          ·
          2 hours ago

          Fun fact, windows 11 backs up your bitlocker private key with Microsoft if you sign in with a Microsoft Account.

          There’s a database somewhere with every bitlocker key to almost every Windows 11 device on earth.

          I’m sure they let the NSA and the FBI right in. The CIA probably has sleeper agents working devops at Microsoft so they don’t even need to access it procedurally. $10 says Israel can access it too, because why the fuck not.

  • Artwork@lemmy.world
    link
    fedilink
    English
    arrow-up
    29
    ·
    edit-2
    8 hours ago

    When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to login.live.com and gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it.

    The PUID lands in your own registry hive, in plain text, at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties under a value named LID. From there, the Connected Devices Platform, the same background service (cdp.dll, running as CDPSvc) that powers Phone Link, cloud clipboard, and Nearby Share, reads that PUID and registers it into Microsoft’s Device Directory Service, which is the identity graph behind all of Microsoft’s cross device features. There, the number gets a lowercase g stuck in front and gets written as g:decimal. Delivery Optimization then reports that same value back to Microsoft’s servers as UCDOStatus.GlobalDeviceId every time your PC shares or downloads update data peer to peer.

    Source

    It likely uses the motherboard’s burned-in TPM module API to generate the unique hardware ID on, and associate with the account/license.

    It’s quite interesting to compare the percent these civilian-scoped features are actually helping and not used for tracking and control of masses, since every accountable fraudster/killer/thief/professional knows about these and could not care less about it.

    Yes, it may help for telemetry, and is great to have for an accountable business, which is understandable, but there’s a hope these are not used against the civilian, too, respecting the personal lives and the right of human choice out there…

    Ave Linux, the transparency, indeed…

    The following is a related piece of information, yet I am sorry, but I am not sure about the accountability and accuracy of the paper, since it was written by the sorrowful LLM Claude:
    - https://github.com/SmtimesIWndr/gdid-reversal

    • pulsewidth@lemmy.world
      link
      fedilink
      arrow-up
      11
      ·
      6 hours ago

      When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to login.live.com and gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it.

      It likely uses the motherboard’s burned-in TPM module API to generate the unique hardware ID on, and associate with the account/license.

      Bruv… it literally says exactly on the statement you quoted that the ID is generated by Microsoft, and explicitly that its not generated on the device. Why would you then go on to speculate that its generated on device by the TPM…?

      AFAIK the TPM doesn’t generate anything, its role is for storing cryptographic information - not creating it.

      • 4am@lemmy.zip
        link
        fedilink
        arrow-up
        2
        ·
        2 hours ago

        Motherboard TPM sends a cryptographically verifiable serial number ID to Microsoft -> Microsoft generates a Device PUID (this ensures all DPUIDs are in the same format) -> Microsoft send generated DPUID back to the device which is stored within the TPM and is cryptographically verifiable to applications which wish to access and know it, and ensure it is genuine and authentic.

        TPMs all have a unique identifier burned into them.

      • Artwork@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        3 hours ago

        Please do consider checking out how TPM may be used, and I’ve provided a reference for more context.

  • 0ndead@infosec.pub
    link
    fedilink
    English
    arrow-up
    5
    ·
    5 hours ago

    Switch SYSTEM and RESTRICTED permissions on the registry key to DENY. It might stop even RO access to that LID value.

  • wizardbeard@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    9
    ·
    7 hours ago

    So it’s a unique id “stamped” to your Windows install during setup when you sign into a Microsoft account during the OOB setup experience. It gets stored in the machine’s registry, and is used for uniquely identifying your hardware and tying it to a Microsoft account for licensing purposes.

    It does not persist between reinstalls, and it is in a known registry location so therefore viewable and editable now that we know it’s there. We don’t yet know the exact effects of editing it, or how exactly they correlated it in this case with the person’s network activity.


    I expect we’ll have some mitigation plan in the next few months. Obviously starting with the recommendations in the article.

    Completely pulling this from my ass:

    • There should be some ways for researchers to watch what accesses that registry key and when.
    • Hypothetically, one could just randomize their GDID.
      • Could target specific known ones to flood the data collected (everyone uses all zeros)
      • Forge evidence against specific targets (collect the GDID off a target’s machine, then set a VM to that and go nuts)
      • or just randomly generate 1000 then activate Windows on all of them using MASgrave and rotate through them. Would probably need to randomly space out the activations, use generic hardware, and randomly shuffle the ones you used. Would also help to have multiple in use at once generating fake cover data to hide the real stuff in.

    At this point it’s probably easier to just go off grid than to try and make Windows “private”.

  • RejZoR@lemmy.ml
    link
    fedilink
    English
    arrow-up
    10
    ·
    7 hours ago

    Soooo, what does it stop Google or Meta from using same thing that Windows already offers to track users? Because as we all know, shit like this is NEVER only used by the good guys only.

    • wizardbeard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      14
      ·
      7 hours ago

      More so that they used the same Windows machine where they were signed in with their real personal Microsoft account as the machine they used for their illicit actions.

      VPN only masks your source IP, not any of the other identifiers, of which we now know a new one.