Rendered at 21:53:29 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
hughw 1 days ago [-]
User nashashmi [1]:
So this kid uses his home computer at his home, and they trace him down with
the IP address, and the IP address also makes a request for Windows Updates.
And that narrows down the Device ID. The device id is now traced to this kid.
That seems more likely, I hope, than Edge/Windows secretly telemetering your GDID and every URL you visit to Redmond. It's a huge privacy hole still, but they can plausibly deny they set out to track you across the web using their OS.
That could be how they initially associated the hacker with his GDID, but the criminal filing explicitly mentions that they were able to use Microsoft records to determine that his computer visited specific webpages:
> According to Microsoft records, on or about May 12, 2025, at 19:21
UTC—when, according to ngrok records, the ngrok account was created—the device
with the GDID accessed, among other ngrok pages,
“https://dashboard.ngrok.com/signup,” the ngrok page to set up an ngrok account.
> Microsoft records also indicate: (1) the user of the device assigned the
GDID accessed multiple sites from Tzulo servers in May 2025, including the .168
server (the IP address used to create the ngrok account) on May 12, 2025; and (2) the user of the device assigned the GDID, on May 12, 2025 at 22:47 UTC, a little more
than three hours after the ngrok account was created, the user visited “[Company
F].com” from the .168 proxy server.
dormento 8 hours ago [-]
> they can plausibly deny they set out to track you across the web using their OS
Only the first time this happens, before it becomes clear to everyone that such mechanism can be used for tracking. After that... well I have this bridge I've been meaning to sell.
14u2c 1 days ago [-]
> The ID is generated when Windows is set up with a Microsoft Account
So not only was this “hacker” using Windows and Edge, they singed in to windows with a Microsoft account. And then used that same computer for their social media. Nice.
crtasm 1 days ago [-]
The ID is generated even if you only create a local user account. I don't know to what extent that affects tracking/telemetry though.
steve1977 1 days ago [-]
It's fascinating, right?
I'm not a "hacker" by any means, but I would probably use a Qubes based system with a dedicated "hacking" VM, only use anonymous VPNs connected from public WiFi access points (having left my mobile at home) while wearing a fake beard and STILL be paranoid that I somehow somewhere make a mistake.
ffaccount2 1 days ago [-]
That's what hackers do in popular stories, right? In reality, most cybercriminsls just don't care that much (they usually use Tor browser, though). I mean they mostly use discord and telegram (both unencrypted).
Serious "hackers" are usually state sponsored now, or members of mature groups.
Cider9986 1 days ago [-]
They don't care, I would say they don't know.
I saw an article where they analyzed the leaked IP addresses from a breach forum, and some of the top ten were Surfshark and iCloud Private relay.
gruez 1 days ago [-]
>and some of the top ten were Surfshark and iCloud Private relay.
what's wrong with icloud private relay? It uses a 2-hop architecture so it's probably more private than any single-hop VPN.
Cider9986 1 days ago [-]
It's good, but it's funny to think about cybercriminals running Safari and an iCloud+ Apple account.
Cider9986 1 days ago [-]
Qubes is probably the best option but, the last time I checked, it didn't have certain deniability features that someone with the feds in their threat model might prefer.
Personally I'd say use Qubes because it might be better at preventing you from getting raided in the first place.
Decisions decisions.
1970-01-01 1 days ago [-]
>The Global Device Identifier (GDID) is a permanent ID assigned when Windows provisions against a Microsoft Account.
So again, the "make an account" is the part you ALWAYS skip. Local accounts or it technically isn't even a PC anymore.
ranger_danger 1 days ago [-]
The article is misleading... the GDID is created even if you don't use a Microsoft account.
1970-01-01 1 days ago [-]
Sources state the opposite. It is driven my the MS account.
>A Global Device ID (GDID) is a permanent, unique digital fingerprint that Microsoft automatically assigns to your computer when you install Windows or sign into a Microsoft account.
Note the "or"
I own a Windows 10 machine which has never signed into a Microsoft account. It still has a GDID in the registry.
1970-01-01 8 hours ago [-]
What's your point? There are thousands of GUIDs in the registry.
londons_explore 1 days ago [-]
How exactly does Microsoft link their gdid to a hotel booking?
Hotels last I saw don't collect an obscure gdid...
Did this victim use edge and sync their browser history or something perhaps?
ndiddy 1 days ago [-]
Edge has a feature where it will periodically pull the bookmarks and browsing history from any other browsers you have installed, so they'll then get sent to Microsoft and associated with your Microsoft account. This was initially enabled by default without the user's consent, although I believe now you may have to opt into it if you do a fresh Windows install. I only realized this was a thing because one time my work PC rebooted to install an update, then Edge came up instead of Firefox, but with all my Firefox tabs. I guess this was part of some effort to try to trick old people who wouldn't notice the difference into switching to Edge. Here's a news article about someone else running into this when it started happening: https://www.theverge.com/24054329/microsoft-edge-automatic-c...
VerifiedReports 1 days ago [-]
"Old" people? How about the vast majority of the public, which is not represented on HN?
Not to mention that one of the many major UI regressions in Windows is the removal of title bars from application windows, which is fundamental to this "trick." Try opening a PDF in Edge and also in Acrobat. Neither window has a title bar, and they are otherwise almost identical. You have to scrutinize the very few controls around the window to determine which app you're looking at.
Microsoft and its software are trash now.
buccal 1 days ago [-]
Adobe provides PDF viewer that is embedded in Edge...
VCFundedGenYer 1 days ago [-]
Edge has less browser market share than Firefox right now, it's not the "vast majority."
simulator5g 1 days ago [-]
I don’t believe that, there’s probably some missing data. Outside the techno echo chamber that HNers live in, most people use the defaults. I see people using adware browsers that were installed without their knowledge. Computers are just too complex for most people to notice details like what web browser they use.
robotnikman 1 days ago [-]
Until they inevitable use Google, and it shows a big popup saying something like "Hey there you should use Chrome its way better and faster, click this button to get it" and then they end up with Chrome. Its basically how Chrome got such a large share of the market despite default browsers like Safari and IE/Edge.
cesarb 1 days ago [-]
Didn't Chrome also come bundled with other software like torrent clients? That is, unless you unchecked a checkbox in the installer for these software, you ended up with Chrome installed? Unless people were careful to pay attention to every checkbox on every installer, Chrome could end up installed without their knowledge.
smileybarry 1 days ago [-]
> so they'll then get sent to Microsoft and associated with your Microsoft account.
The import is entirely local, the "sent to Microsoft" bit is if you have Edge sync enabled. This is identical to Chrome importing your Firefox data and then syncing it back to Google. Except the Edge import was, by reports at the time, accidentally auto-enabled. But you'd still have to sign into Edge and enable sync.
ndiddy 1 days ago [-]
It's been a while since I last used Windows 11, but as far as I'm aware using a Microsoft account will automatically sign you into Edge and Edge sync is enabled by default unless you go into the settings and disable it.
smileybarry 1 days ago [-]
I think it defaults to showing the account in Edge but enabling sync still requires a button click. I'll see if I can verify this with a spare PC somewhere.
1 days ago [-]
onetokeoverthe 1 days ago [-]
[dead]
CommieBobDole 1 days ago [-]
There's a blurb in the article:
>"Massgrave, the group behind Microsoft Activation Scripts, has noted that Windows setup sends hardware info to Microsoft and receives identifiers back that are later used for Store access and licensing. Blocking GDID assignment breaks both activation and UWP apps."
I think probably it sends the gdid back to Microsoft as part of telemetry/updates/MS account periodic re-auth, which lets them know the current IP address, and then once the government has Microsoft's logs and the various target websites' logs, they can correlate based on IP address. I don't think it's actually sending the gdid to the web sites. Maybe.
This serves to further illustrate that nobody should be using Windows for anything that involves the need for privacy. And doubly, triply, and morefold so, nobody should ever sign a Windows machine into a MS account for any reason.
crtasm 1 days ago [-]
Edge seems likely. Its settings include:
>Send optional diagnostic data to improve Microsoft products [Includes how you use the browser, websites you visit, and enhanced error reporting. Determined by your Windows diagnostic data setting]
>Allow Microsoft to save your browsing activity including history, usage, favourites, web content, and other browsing data to personalise and improve Microsoft Edge and Microsoft services like ads, search, shopping, news, and Copilot [Includes your history, usage, favourites, web content and other browsing data]
mixdup 1 days ago [-]
Probably had his laptop with him and they simply traced the gdid to a specific IP address that they determined belonged to the hotel
WalterGR 1 days ago [-]
How does the GDID compare to the UDID (Unique Device Identifier) and serial number in iOS; and the Apple Hardware UUID and serial number of Macs?
Terr_ 21 hours ago [-]
On the subject of serial numbers, the ones for your hardware and peripherals are also being transmitted as "telemetry", which gives them even more options to spying on you, ex:
1. If your printer has tracking dots [0] then a printed flyer can be tracked back to your computer, IP, and MS/Apple account.
2. If a device is reported on two computers, MS/Apple know there is some kind of connection between the computers.
well, mostly the name. And the fact MS gave away GDID - IP mapping to the govt.
autoexec 1 days ago [-]
Is there any reason to think that the government couldn't force Apple to hand over the same data? They may or may not have taken over entire rooms at Apple (https://en.wikipedia.org/wiki/Room_641A) but you can bet they've at least got devices sitting on their network collecting data.
orev 22 hours ago [-]
They say this is also sent with Windows Update checks, which happen frequently per day, and I think also when you initially connect to a network, so that’s a clear way they could tie the ID back to any IP address you’re using.
AlienRobot 1 days ago [-]
They caught a 19 year old hacker that uses Edge, and all it took was the privacy of 1.4 billion Windows users.
page 18 answers many of the questions in this thread.
drnick1 1 days ago [-]
One more proof that Windows is malware.
ranger_danger 1 days ago [-]
Linux has the same kind of identifier at /etc/machine-id... readable by default by basically any application on the system.
drnick1 1 days ago [-]
This is a systemd identifier, not strictly speaking a "Linux" identifier.
In any case, an executable allowed to run on a host can trivially fingerprint the machine it is running on using a combination of hardware identifiers. Removing or rotating machine-id does not buy you any privacy against a malicious app.
What I find most surprising in this story is how careless these "hackers" were. You would think that people engaged in this type of activities would use throwaway devices running free operating systems and VMs, not personal devices logged into Snapchat and Facebook.
wolvoleo 19 hours ago [-]
You'd still need to have your system compromised by a malicious app to be tracked using that.
On windows, it does that all by itself, Microsoft tracks you with it. Because windows is the malicious app just like the GP said.
aftbit 1 days ago [-]
Which is also well documented and trivially rotatable by anyone with root on the machine. How do you rotate the MS identifier?
sounds like you can rotate it, but it doesn't really matter because the registration/rotation process sends a bunch of static information to microsoft, which means they can re-correlate the the old id back to the new id.
rpdillon 1 days ago [-]
...and that can be changed at-will.
ranger_danger 1 days ago [-]
same for the windows GDID
aniwalunj 1 days ago [-]
At it again!
ChrisArchitect 1 days ago [-]
Discussions:
Microsoft admits Windows 11 has a GDID tracker with no off switch
Yet another reason for Windows 10 users to not upgrade.
crtasm 23 hours ago [-]
Windows 10 also features the GDID, telemetry and Edge history syncing.
globalnode 1 days ago [-]
i wont even dual boot windows on my linux machine, dont trust them not to vacuum up my linux drive data when i boot into windows. also just recently discovered their attempt to hijack the entire pc industry with secure boot, they are consistent gotta give them that. why do i have microsoft keys installed on my motherboard when im not even using windows.
ThePowerOfFuet 1 days ago [-]
> dont trust them not to vacuum up my linux drive data when i boot into windows.
LUKS
yodon 1 days ago [-]
How is this not a the mother of all GDPR violations?
[1] https://news.ycombinator.com/item?id=48815196#48818368
> According to Microsoft records, on or about May 12, 2025, at 19:21 UTC—when, according to ngrok records, the ngrok account was created—the device with the GDID accessed, among other ngrok pages, “https://dashboard.ngrok.com/signup,” the ngrok page to set up an ngrok account.
> Microsoft records also indicate: (1) the user of the device assigned the GDID accessed multiple sites from Tzulo servers in May 2025, including the .168 server (the IP address used to create the ngrok account) on May 12, 2025; and (2) the user of the device assigned the GDID, on May 12, 2025 at 22:47 UTC, a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
Only the first time this happens, before it becomes clear to everyone that such mechanism can be used for tracking. After that... well I have this bridge I've been meaning to sell.
So not only was this “hacker” using Windows and Edge, they singed in to windows with a Microsoft account. And then used that same computer for their social media. Nice.
I'm not a "hacker" by any means, but I would probably use a Qubes based system with a dedicated "hacking" VM, only use anonymous VPNs connected from public WiFi access points (having left my mobile at home) while wearing a fake beard and STILL be paranoid that I somehow somewhere make a mistake.
Serious "hackers" are usually state sponsored now, or members of mature groups.
I saw an article where they analyzed the leaked IP addresses from a breach forum, and some of the top ten were Surfshark and iCloud Private relay.
what's wrong with icloud private relay? It uses a 2-hop architecture so it's probably more private than any single-hop VPN.
Personally I'd say use Qubes because it might be better at preventing you from getting raided in the first place.
Decisions decisions.
So again, the "make an account" is the part you ALWAYS skip. Local accounts or it technically isn't even a PC anymore.
https://www.windowslatest.com/2026/07/10/you-cant-fully-disa...
Note the "or"
I own a Windows 10 machine which has never signed into a Microsoft account. It still has a GDID in the registry.
Hotels last I saw don't collect an obscure gdid...
Did this victim use edge and sync their browser history or something perhaps?
Not to mention that one of the many major UI regressions in Windows is the removal of title bars from application windows, which is fundamental to this "trick." Try opening a PDF in Edge and also in Acrobat. Neither window has a title bar, and they are otherwise almost identical. You have to scrutinize the very few controls around the window to determine which app you're looking at.
Microsoft and its software are trash now.
The import is entirely local, the "sent to Microsoft" bit is if you have Edge sync enabled. This is identical to Chrome importing your Firefox data and then syncing it back to Google. Except the Edge import was, by reports at the time, accidentally auto-enabled. But you'd still have to sign into Edge and enable sync.
>"Massgrave, the group behind Microsoft Activation Scripts, has noted that Windows setup sends hardware info to Microsoft and receives identifiers back that are later used for Store access and licensing. Blocking GDID assignment breaks both activation and UWP apps."
I think probably it sends the gdid back to Microsoft as part of telemetry/updates/MS account periodic re-auth, which lets them know the current IP address, and then once the government has Microsoft's logs and the various target websites' logs, they can correlate based on IP address. I don't think it's actually sending the gdid to the web sites. Maybe.
This serves to further illustrate that nobody should be using Windows for anything that involves the need for privacy. And doubly, triply, and morefold so, nobody should ever sign a Windows machine into a MS account for any reason.
>Send optional diagnostic data to improve Microsoft products [Includes how you use the browser, websites you visit, and enhanced error reporting. Determined by your Windows diagnostic data setting]
>Allow Microsoft to save your browsing activity including history, usage, favourites, web content, and other browsing data to personalise and improve Microsoft Edge and Microsoft services like ads, search, shopping, news, and Copilot [Includes your history, usage, favourites, web content and other browsing data]
1. If your printer has tracking dots [0] then a printed flyer can be tracked back to your computer, IP, and MS/Apple account.
2. If a device is reported on two computers, MS/Apple know there is some kind of connection between the computers.
[0] https://www.eff.org/pages/list-printers-which-do-or-do-not-d...
page 18 answers many of the questions in this thread.
In any case, an executable allowed to run on a host can trivially fingerprint the machine it is running on using a combination of hardware identifiers. Removing or rotating machine-id does not buy you any privacy against a malicious app.
What I find most surprising in this story is how careless these "hackers" were. You would think that people engaged in this type of activities would use throwaway devices running free operating systems and VMs, not personal devices logged into Snapchat and Facebook.
On windows, it does that all by itself, Microsoft tracks you with it. Because windows is the malicious app just like the GP said.
> well documented and trivially rotatable
Yes, but almost nobody does that or complains about it at all, even though applications may have been silently phoning it home for many years now.
sounds like you can rotate it, but it doesn't really matter because the registration/rotation process sends a bunch of static information to microsoft, which means they can re-correlate the the old id back to the new id.
Microsoft admits Windows 11 has a GDID tracker with no off switch
https://news.ycombinator.com/item?id=48872561
Full Writeup of the Windows GDID
https://news.ycombinator.com/item?id=48811081
Microsoft Can Track Users via a Windows Device ID
https://news.ycombinator.com/item?id=48815196
LUKS