upvote
Yeah, this is what's glaringly missing from the article.

Exactly how does Microsoft's device identifier get associated with the ngrok session (normally initiated via its closed-source CLI)?

I can't tell from the article whether Microsoft is doing something underhanded to inject its device identifiers into network traffic, or whether the ngrok client software (again, closed-source!) grabbed the device identifier… and might well do the same on any other OS, using /etc/machine-id on Linux for example.

Since ngrok uses a "freemium" model, it wouldn't surprise me at all if its clients send machine IDs to try to catch users trying to get around its free limits.

reply
> Exactly how does Microsoft's device identifier get associated with the ngrok session

The article has a link to "39-page criminal complaint" PDF, and I'd summarize the prosecution's claims (from sections 21.e, 22, 26) as:

1. The ngrok client was downloaded onto hardware owned by the victims and used by the attacker.

2. The client was later discovered along with an ngrok auth token. (2x0b1363KPV35LCUuZCkJag0G84_2btDjSM5oY82TQuiLZvaz)

3. The ngrok auth data was linked to an ngrok account. (ac_2x0b16MSTJk4PvjLZMoqt4vOvZM)

4. Although a VPN was used by whomever created the ngrok account, the creation-time of the account correlates to Microsoft's telemetry, which indicates that the accused's computer was visiting ngrok sign-up pages.

reply
Thanks. (4) is the critical piece here.
reply
I work at ngrok, and this is not how our freemium plan works. Free plans limit based on usage alone, not on machine IDs.
reply
> I work at ngrok, and this is not how our freemium plan works. Free plans limit based on usage alone, not on machine IDs.

Thank you! This is not only good to know as an ngrok user myself, but it's also more informative than what's in the article.

Sounds like we can rule that out as the avenue of detection.

reply
For what its worth, this has been swiriling around on socials and i saw someone noted that the guy had been busted for something at age 17, maybe he was on some list?
reply
Sure but you still know which connection belongs to which licensed customer which seems to be how this person was identified.
reply
I think the defendant might want to see this. Looks like an expert witness lied in court.
reply
I'm not even clear if it requires Windows. Say if one had a Surface running Arch, would that still be traceable?

Asking for a friend.

reply
from the microsoft store. the ngrok app was downloaded via microsoft store...
reply
And then what?

Does the Microsoft store imprint an identifier into the network traffic of all the binaries downloaded from it?

And if so, how?

All of ngrok's traffic is TLS encrypted which means that only the client software and the server/peer should be able to decrypt or modify it.

reply
They don't need the encrypted payload just domain is the basis here as far as I can tell.
reply
Systemd (part of many major linux distributions) has for example machine-id[1], readable by anyone on the machine under /etc/machine-id.

[1]: https://www.freedesktop.org/software/systemd/man/latest/mach...

reply
Unlike the Microsoft equivalent (?), nothing prevents you from scrambling it or outright chmodding to 700 to protect it from prying eyes.

I go further and bubblewrap software that I don't fully trust like Steam on my gaming machine. I simply don't expose /etc at all in most cases. The Linux security model is actually quite weak against potentially invasive software running in a main user account. For example /home is also completely exposed to programs such as games and anti-cheat software.

reply
Yep, and firefox ships it to it's servers.
reply
Adding another example of this is the NetworkID in about:networking#networkid in Firefox. There was a point in time that cause some controversy. Every AI has the wrong information about it's origin and use.
reply
This is the part that isn't clear and is by far the most interesting. At what stage and what point did the GDID get correlated with a tool/web request. As is it almost sounds like Microsoft "telemetry" gathers everything and they did a bulk search for certain activity, pulling the GDID and correlating it with a user.
reply
From reading the official criminal complaint [1] it looks like Microsoft literally logs all web requests along with the GDID and sends it over as "telemetry". It basically associates the URL, the client's IP, and the GDID together.

Or I suppose it's possible that it only sends the domain and not the full URL, but that's enough for the police to go to the hoster and demand logs containing the full URL for said IP.

1. https://www.justice.gov/usao-ndil/media/1450651/dl?inline

reply
Clearly a bunch of defensive Microsoft employees are hitting these threads. The official complaint directly cites Microsoft as the source of these logs. They refer to Microsoft as the source of the records for web requests, app usage, and so on.
reply
> Microsoft literally logs all web requests

Nope. That would be unbelievable but also very well known. It was a Windows software licensing matter, see my post above.

reply
It's not unbelievable at all, and it is well-known. It's been publicized that Microsoft sends every URL you visit in Edge back to Microsoft servers, tied with all the IDs on the device:

https://www.itpro.com/security/privacy/355029/microsoft-edge...

reply
> Microsoft literally logs all web requests

> Microsoft sends every URL you visit in Edge back to Microsoft servers,

Not the same thing.

reply
Explain how they differ, in a practical way that's relevant to this discussion?
reply
Are you talking about this post [1]? I don't see anything in the complaint alluding to a VPN license (for all we know he could have used an open source OpenVPN or Wireguard client to connect to the VPN), and the police seem to have gotten everything directly from Microsoft rather than from the VPN provider.

While this is Google and not Microsoft it's worth noting that Chrome literally has a telemetry option which sends URLs to Google [2].

1. https://news.ycombinator.com/item?id=48818984

2. https://ibb.co/k61WKSSB

reply
Can you link the specific post you're referring to? It's not "above" at this point in time.
reply
Good question. My understand is that it was licensing:

Hackers cloaked IP address -> VPN license -> Windows GDID -> Hacker's name.

reply
From the reading of the document, I really don't think that's it. The suspects used phishing to get access to one company's servers, then used those servers to push software to other servers.

It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning. Repeatedly the documents cite "Microsoft's records" for the activity - installing ngrok, accessing certain sites, RDP connections, etc.

reply
But it has long been known that Microsoft actively collaborates with and provides user data to legal entities. It is more a matter of the general public not being aware of this, the kind of data collected, and to what extent will users continue to tolerate Microsoft's behavior.
reply
Ngrok license not VPN license but yes, it’s correct as other posters have mentioned
reply