Comment by cheschire
1 day ago
Well they can’t use that to track users of Linux.
I was a big fan of Microsoft ten to fifteen years ago. I’ve since transitioned my whole family off Microsoft products now over to Linux, Apple, and proton. Edit: and Brave.
I really thought their corporate culture would’ve changed after the late 90’s but I guess this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
Both systemd and dbus have a similar device id for Linux, which e.g. Chrome reads at startup:
https://manpages.debian.org/trixie/systemd/machine-id.5.en.h...
https://manpages.debian.org/trixie/dbus-bin/dbus-uuidgen.1.e...
I don't like the idea of a persistent id for my machine. Would there be any harm in rewriting the machine-id at every boot? Or just deleting it as part of the shutdown sequence?
Whatever you do there will always be uniquely identifiable information (if not an id, a fingerprint) on your machine.
If you want to escape that, you have to use dedicated privacy-enhancing tools / browsers, but even then, it's very likely that you can still be identified by motivated adversaries.
It doesn't mean you have to give up, but, if such id is necessary for technical reasons in systemd (I guess it is), I wouldn't worry too much.
8 replies →
The supported method to get a new one each boot is to truncate the file to 0 bytes and disable systemd-machine-id-commit.service
Double-check that this method actually works though.
Machine ID is used for things like dhcp leases, log rotation, etc. IPV6 addresses or transient MAC addresses are derived from it
2 replies →
You can replace it with a generic one to hopefully blend in https://madaidans-insecurities.github.io/guides/linux-harden...
dhcp uses it by default nowadays.. but you can tell dhcp to use your mac address instead (like it used to)..
https://askubuntu.com/questions/1498611/ubuntu-dhcp-client-u... (linked because depending on version, there are several different ways to make this change..)
Only side effect I ran into is that journalctl couldn't find the logs of a previous boot.
I do it with an hourly cronjob and haven't noticed any ill effects.
That's good to know, thank you. I'm been considering moving away from systemd, and certainly don't use Chrome.
The number of things you need to try to keep track of merely _improve_ your privacy is maddening. The whole world seems to be against you.
D-Bus is much harder to get rid of than systemd.
It’s best to focus your efforts into rotating these IDs.
1 reply →
As a sysadmin and a former enemy of systemd it's actually pretty good overall, simplifies a lot of things.
If the privacy reasons are driving you, see if you can find fixes to these issues without getting rid of systemd.
Would OpenBSD solve both of these issues or is there a device ID in there that I’m not aware of.
I’ve seen that it uses a different init system and doesn’t rely on either dbus or systemd
1 reply →
firejail has a setting to generate a random machine id at every run.
And you should be running the browser inside firejail at all times.
I went to check if Flatpak would protect against this but it seems although it's a wanted feature it's not so straightforward to implement: https://github.com/flatpak/flatpak/issues/4311
firejail has a setting to protect against it.
Thanks, I wasn't aware of that.
I have the urge to grab a pitchfork, but I know better than to make assumptions about why that functionality was added. Time to do some homework I guess.
Wow, three pieces of software I don't use for other reasons, just gained a new reason to evangelize against them!
The utility of and presence of unique identifiers in software should be no surprise.
But if you are using TelemetryOS (i.e. you cannot fully switch off the chatter) and your daily Web browser doesn't offer privacy extensions, you are the product.
Sounds like chrome is the problem.
In dbus, it seems the feature is intended for two processes to know they can access the same shmem and other system resources. I'm struggling to understand in which circumstances would that be useful.
Creating an excuse for creating a machine-id to associate with network traffic. Sometimes, it is enough to have a plausible enough sounding reason to write down on paper, but you have to look at what something actually is. Any red blooded hacker knows there's what a tool is meant to be used for, and then there's what it can be used for. Less is more.
But does browser send these id?
No.
Trying to imagine a world where I use Chrome unironically.
As an Hyperbola user both systemd and dbus are a no-no there.
Is this specific to Debian?
https://www.freedesktop.org/software/systemd/man/latest/mach...
https://dbus.freedesktop.org/doc/dbus-uuidgen.1.html
Nope, but Debian does use systemd by default so it's there.
I'm running Arch Linux and /etc/machine-id is present.
There's also an optional /etc/machine-info file that could exist. It's not a part of systemd and won't be created by default. It's more of an informal way to have details about the system in 1 spot. It was more popular when provisioning bare metal servers but still has value in the cloud. You can have key / value pairs on who to contact, where it's located, what type of machine it is, etc..
FreeBSD has it as well.
> this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
Good founders already know this. Bad ones don't care.
> Edit: and Brave.
I would suggest staying away from Brave. I recently compiled the debloated Brave edition from source and was rather disappointed. Brave was slower on my machine than Firefox and Chromium according to Speedometer 3.1. The built-in adblocker does a worse job at cosmetic filtering than uBlock Origin on Firefox. On top of that, I had to build the browser from source because the only binaries I could find are Brave's own. Their builds aren't reproducible, and no Linux distro packages their own.
If you think I am being paranoid, you may also want to take a look at this:
https://www.pcmag.com/news/brave-browser-caught-redirecting-...
Aww you missed the Ballmer Years. Chalked full of "me too!"'s and broken promises. But he was right about one thing. Developers, developers, developers...
Well Enterprises can also enroll Linux machines in intune
I remember a long time ago intel tried introducing unique IDs for their processors. People got up in arms made a big stink and intel put its tail between its legs. Many years later, the industry through a thousand little cuts has that and more with merely a whimper because it’s not a single big boogey entity but it’s diluted across hundreds of thousands of developers who deployed a myriad ways to fingerprint their users…
Tangentially related to Device ID: Apple is significantly worse when it comes to machine identifiers; even with Autopilot enabled you can still install Linux on a Microsoft Surface device (or even Windows if you don't use a Microsoft Account). With MDM locks, Apple devices are literally bricks (especially since all ram and storage is soldered down and locked/paired to the secure enclave chip).