this post was submitted on 11 Jul 2026
286 points (99.7% liked)

Privacy

4803 readers
452 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] placebo@lemmy.zip 39 points 2 days ago (3 children)

Now for the version in plain English: Sign into Windows with a Microsoft Account, and a server assigns your installation a permanent ID number. Windows stores it locally, several background services read it, and it gets stamped onto activity your PC reports back to Microsoft.

Wait. I understand that this ID is used for Windows <> Microsoft communications. How did it escalate them to knowing that this ID was used to visit ngrok and the retailer's website? Does Windows report website visits? Does it append this ID to HTTP requests? Or what's the connection here?

[–] RainbowBlite@piefed.ca 30 points 2 days ago (2 children)

The connection is that Windows records everything you do. So the FBI asks for every Windows user who accessed a specific site around a date/time and Microsoft can provide that.

You accessed a site over VPN? Your ISP has no idea it was you, , and the VPN didn't keep records, but Windows recorded that and sent it back to the mothership with your unique identifier.

[–] Honytawk@discuss.tchncs.de 2 points 1 day ago (1 children)

Where did you read that?

Windows does not record everything you do, and especially does not link everything to an ID. Only the MS authentication and MS store stuff uses this GDID.

The GDID isn't even linked to your name if you don't use a Microsoft Account. The FBI had to jump through hoops to get the information they wanted and only managed to do so after 4 separate instances where they tracked every social media the guy owned and compared it with logins that happened.

The FBI can use any form of ID to track, and if Linux had a store it could use that ID as well.

[–] RainbowBlite@piefed.ca 4 points 1 day ago

From the article:

Microsoft’s records showed that at that exact same minute, a Windows device carrying GDID g:6755467234350028 had visited the ngrok signup page.

Seems pretty clear to me. Microsoft tracked acces to an independent sign up page using the GDID.

[–] MasterBlaster@lemmy.world 7 points 1 day ago

glad i ditched window for home use around 1995

[–] ExLisper@lemmy.curiana.net 5 points 2 days ago

My guess is oauth. He basically used fake Microsoft account to access services during the hack and them used his actual microsoft account to access something else. He used VPN for the hack but he connected from his actual IP to the second service. The only thing linking those was the GID. So they figured out his actual IP address and checked other logins from this IP around the same time and found out his other accounts.

[–] serenissi@lemmy.world 10 points 2 days ago (1 children)

my guess is it's either of two things: edge history synced to ms account

[–] angband@lemmy.world 10 points 2 days ago (1 children)

Exactly it, and their claim that it is stored with bitlocker level encryption is obviously meaningless if they have the keys.

[–] 4am@lemmy.zip 27 points 2 days ago

Fun fact, windows 11 backs up your bitlocker private key with Microsoft if you sign in with a Microsoft Account.

There’s a database somewhere with every bitlocker key to almost every Windows 11 device on earth.

I’m sure they let the NSA and the FBI right in. The CIA probably has sleeper agents working devops at Microsoft so they don’t even need to access it procedurally. $10 says Israel can access it too, because why the fuck not.