What I've never understood here is how the Windows GDID is used to correlate with non-Microsoft services. Is the device sending those services the GDID, or is Microsoft storing all of their users' browser activity? If the latter - only on Edge, or through some other means?
Looking at the filing (because tech journalist often mess up reporting) I see that the GDID was associated with the ".168" VPN IP address via Microsoft logs and that same VPN IP address created the ngrok account used in the hack around the same time.
I think it's possible that multiple people were using that VPN IP address at the time, so it's probably not definitive proof. That's like being in the neighborhood when a murder happens, it doesn't make you the murderer, but it could make you a suspect.
Other things, like displaying unexplained wealth and discussing convicted hackers, probably strengthened that suspicion. Of course the search warrant finding exfiltrated data tells a more compelling story.
I don't think the GDID is doing anything special here. Its relevant because Microsoft referred the info to the FBI and likely used the GDID in their analysis. Other companies that collect IP logs associated with account information could have made the same referral.
I would guess Windows sends it to microsoft who log IP and time. This can then be mapped to eg vpn sessions or web server access (anything that can log ip and time plus some interesting action), to connect things the user is doing over time.
That would imply Windows is sending a comprehensive IP access log of every device to Microsoft. That's a million times more concerning than the existence of this GDID, which seems to be the only thing they're focusing on.
The FBI can bring the relevant access logs, they only need MS to get a list of which GDID was using a specific IP at a specific time, with a list of all IP plus time items in MS’s logs that have the same GDID, then match those against other logs they have.
Should be possible to use it that way, and to connect that identity to all actions taken through IPs used by that GDID.
Having the key provided by the OS would be very useful as compared to e.g. from the user being logged in on some website or running an application that's pinging a server - the OS is still pinging even if the user isn't logged in to some site or running some application. But I suppose with many applications auto-starting and remaining active all the time it's maybe not a big difference. Steam sessions could be used instead, for example.
But I'm just speculating, I don't know what they're actually doing.
I think the key here is the person was signed in to their Microsoft account. While just a theory, I wouldn't be surprised if that ping was a periodic check to see if the account was disabled or the password was reset.
gcupc | a day ago
What I've never understood here is how the Windows GDID is used to correlate with non-Microsoft services. Is the device sending those services the GDID, or is Microsoft storing all of their users' browser activity? If the latter - only on Edge, or through some other means?
robalex | 22 hours ago
Looking at the filing (because tech journalist often mess up reporting) I see that the GDID was associated with the ".168" VPN IP address via Microsoft logs and that same VPN IP address created the ngrok account used in the hack around the same time.
I think it's possible that multiple people were using that VPN IP address at the time, so it's probably not definitive proof. That's like being in the neighborhood when a murder happens, it doesn't make you the murderer, but it could make you a suspect.
Other things, like displaying unexplained wealth and discussing convicted hackers, probably strengthened that suspicion. Of course the search warrant finding exfiltrated data tells a more compelling story.
I don't think the GDID is doing anything special here. Its relevant because Microsoft referred the info to the FBI and likely used the GDID in their analysis. Other companies that collect IP logs associated with account information could have made the same referral.
m_eiman | a day ago
I would guess Windows sends it to microsoft who log IP and time. This can then be mapped to eg vpn sessions or web server access (anything that can log ip and time plus some interesting action), to connect things the user is doing over time.
lobstersinabucket | 23 hours ago
That would imply Windows is sending a comprehensive IP access log of every device to Microsoft. That's a million times more concerning than the existence of this GDID, which seems to be the only thing they're focusing on.
m_eiman | 23 hours ago
The FBI can bring the relevant access logs, they only need MS to get a list of which GDID was using a specific IP at a specific time, with a list of all IP plus time items in MS’s logs that have the same GDID, then match those against other logs they have.
mtset | 22 hours ago
So in other words the GDID is basically just a key by which to pivot from IP address to identity?
m_eiman | 11 hours ago
Should be possible to use it that way, and to connect that identity to all actions taken through IPs used by that GDID.
Having the key provided by the OS would be very useful as compared to e.g. from the user being logged in on some website or running an application that's pinging a server - the OS is still pinging even if the user isn't logged in to some site or running some application. But I suppose with many applications auto-starting and remaining active all the time it's maybe not a big difference. Steam sessions could be used instead, for example.
But I'm just speculating, I don't know what they're actually doing.
BD103 | 23 hours ago
I think the key here is the person was signed in to their Microsoft account. While just a theory, I wouldn't be surprised if that ping was a periodic check to see if the account was disabled or the password was reset.
robalex | 23 hours ago
The filing is here: https://www.justice.gov/usao-ndil/media/1450651/dl?inline
BenjaminRi | 22 hours ago
Microsoft confirming it is irrelevant. It was proven to exist without any such statements.
Don't make me laugh. "Windows is spyware" started with the release of Windows 10 at the very latest.
ecksdee | 8 hours ago
This is why default route vpns are kind of a meme tbh