GDID is the persistent Windows ID that helped FBI trace a Scattered Spider hacker despite VPNs. Here’s how it works and how to limit it.

  • Windex007@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    10 hours ago

    I was asking the same question, quoting that exact excerpt in a different thread… and getting pretty hairbrained responses.

    After a little bit of digging, I can see ngrok has a sign in option where you can sign in with a GITHUB account.

    I suspect that’s how Microsoft has a record of someone interacting with that specific website.

    Still am unclear how the browser has access to this id, which sounds like it’s a registry setting. If browsers are able and willing to just fork over arbitrary registry values when asked, that’s a major issue.

    And if it’s not arbitrary… just THAT value, it seems to suggest complicity on the browsers themselves.

    Can I see this id egressing my system if I’m snooping with wireshark? I really really want to understand how and when this value is going over the wire.

    • nibbler@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 hours ago

      if the hacker signed in with his github… I would assume it’s something hidden behind “telemetry” or such - but either way it’s horrible. And the article is bad for just mentioning this without going into detail.