Comment by heikkilevanto
1 day ago
I don't like the idea of a persistent id for my machine. Would there be any harm in rewriting the machine-id at every boot? Or just deleting it as part of the shutdown sequence?
1 day ago
I don't like the idea of a persistent id for my machine. Would there be any harm in rewriting the machine-id at every boot? Or just deleting it as part of the shutdown sequence?
Whatever you do there will always be uniquely identifiable information (if not an id, a fingerprint) on your machine.
If you want to escape that, you have to use dedicated privacy-enhancing tools / browsers, but even then, it's very likely that you can still be identified by motivated adversaries.
It doesn't mean you have to give up, but, if such id is necessary for technical reasons in systemd (I guess it is), I wouldn't worry too much.
> motivated adversaries.
This sounds like you're referring to state actors and intelligence agencies, but really this applies to the entire advertising/surveillance industry of people trying to sell you a new flavor of soda.
Sure, but the problem then is not systemd machineid, but rather the browser reading it and making it available for such identification (don't know if there is a browser out there doing that though).
Unless anonymization is provided by your browser, there is nothing you can do to prevent such identification technology run by these advertisers to build your profile, and send you targeted ads.
3 replies →
And petty criminals that set up fake fake websites to steal your money, ad-networks are also commonly used to spread malware so limiting the number of attack surfaces is the only sane thing to do.
When you go really hard with the privacy-enhancing tools, you can potentially just make yourself even more visible. When you're so far outside the normal way a user looks you're making yourself even more unique than if you had normal-ish looking identifiers.
It can take a lot of effort to make yourself truly just blend in and disappear.
No security is perfect; there is always a way to bypass it. But security can be highly valuable.
The supported method to get a new one each boot is to truncate the file to 0 bytes and disable systemd-machine-id-commit.service
Double-check that this method actually works though.
Machine ID is used for things like dhcp leases, log rotation, etc. IPV6 addresses or transient MAC addresses are derived from it
I thought the kernel generated SLAAC addresses based on MAC and privacy addresses based on random numbers.
It does, but DHCPv6 prescribes a persistent device identifier (DUID): https://www.rfc-editor.org/info/rfc9915/#RFC3315-9
The DUID is designed to be unique across all DHCP clients and servers, and stable for any specific client or server. That is, the DUID used by a client or server SHOULD NOT change over time if at all possible; for example, a device's DUID should not change as a result of a change in the device's network hardware or changes to virtual interfaces
You can replace it with a generic one to hopefully blend in https://madaidans-insecurities.github.io/guides/linux-harden...
dhcp uses it by default nowadays.. but you can tell dhcp to use your mac address instead (like it used to)..
https://askubuntu.com/questions/1498611/ubuntu-dhcp-client-u... (linked because depending on version, there are several different ways to make this change..)
Only side effect I ran into is that journalctl couldn't find the logs of a previous boot.
I do it with an hourly cronjob and haven't noticed any ill effects.