← Back to context

Comment by llm_nerd

1 day ago

This is the part that isn't clear and is by far the most interesting. At what stage and what point did the GDID get correlated with a tool/web request. As is it almost sounds like Microsoft "telemetry" gathers everything and they did a bulk search for certain activity, pulling the GDID and correlating it with a user.

From reading the official criminal complaint [1] it looks like Microsoft literally logs all web requests along with the GDID and sends it over as "telemetry". It basically associates the URL, the client's IP, and the GDID together.

Or I suppose it's possible that it only sends the domain and not the full URL, but that's enough for the police to go to the hoster and demand logs containing the full URL for said IP.

1. https://www.justice.gov/usao-ndil/media/1450651/dl?inline

  • Clearly a bunch of defensive Microsoft employees are hitting these threads. The official complaint directly cites Microsoft as the source of these logs. They refer to Microsoft as the source of the records for web requests, app usage, and so on.

  • > Microsoft literally logs all web requests

    Nope. That would be unbelievable but also very well known. It was a Windows software licensing matter, see my post above.

    • Are you talking about this post [1]? I don't see anything in the complaint alluding to a VPN license (for all we know he could have used an open source OpenVPN or Wireguard client to connect to the VPN), and the police seem to have gotten everything directly from Microsoft rather than from the VPN provider.

      While this is Google and not Microsoft it's worth noting that Chrome literally has a telemetry option which sends URLs to Google [2].

      1. https://ibb.co/k61WKSSB

    • Can you link the specific post you're referring to? It's not "above" at this point in time.

Good question. My understand is that it was licensing:

Hackers cloaked IP address -> VPN license -> Windows GDID -> Hacker's name.

  • From the reading of the document, I really don't think that's it. The suspects used phishing to get access to one company's servers, then used those servers to push software to other servers.

    It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning. Repeatedly the documents cite "Microsoft's records" for the activity - installing ngrok, accessing certain sites, RDP connections, etc.

    • But it has long been known that Microsoft actively collaborates with and provides user data to legal entities. It is more a matter of the general public not being aware of this, the kind of data collected, and to what extent will users continue to tolerate Microsoft's behavior.

    • Ngrok license not VPN license but yes, it’s correct as other posters have mentioned