Exactly how does Microsoft's device identifier get associated with the ngrok session (normally initiated via its closed-source CLI)?
I can't tell from the article whether Microsoft is doing something underhanded to inject its device identifiers into network traffic, or whether the ngrok client software (again, closed-source!) grabbed the device identifier… and might well do the same on any other OS, using /etc/machine-id on Linux for example.
Since ngrok uses a "freemium" model, it wouldn't surprise me at all if its clients send machine IDs to try to catch users trying to get around its free limits.
The article has a link to "39-page criminal complaint" PDF, and I'd summarize the prosecution's claims (from sections 21.e, 22, 26) as:
1. The ngrok client was downloaded onto hardware owned by the victims and used by the attacker.
2. The client was later discovered along with an ngrok auth token. (2x0b1363KPV35LCUuZCkJag0G84_2btDjSM5oY82TQuiLZvaz)
3. The ngrok auth data was linked to an ngrok account. (ac_2x0b16MSTJk4PvjLZMoqt4vOvZM)
4. Although a VPN was used by whomever created the ngrok account, the creation-time of the account correlates to Microsoft's telemetry, which indicates that the accused's computer was visiting ngrok sign-up pages.
Thank you! This is not only good to know as an ngrok user myself, but it's also more informative than what's in the article.
Sounds like we can rule that out as the avenue of detection.
Asking for a friend.
Does the Microsoft store imprint an identifier into the network traffic of all the binaries downloaded from it?
And if so, how?
All of ngrok's traffic is TLS encrypted which means that only the client software and the server/peer should be able to decrypt or modify it.
[1]: https://www.freedesktop.org/software/systemd/man/latest/mach...
I go further and bubblewrap software that I don't fully trust like Steam on my gaming machine. I simply don't expose /etc at all in most cases. The Linux security model is actually quite weak against potentially invasive software running in a main user account. For example /home is also completely exposed to programs such as games and anti-cheat software.
Or I suppose it's possible that it only sends the domain and not the full URL, but that's enough for the police to go to the hoster and demand logs containing the full URL for said IP.
1. https://www.justice.gov/usao-ndil/media/1450651/dl?inline
Nope. That would be unbelievable but also very well known. It was a Windows software licensing matter, see my post above.
https://www.itpro.com/security/privacy/355029/microsoft-edge...
> Microsoft sends every URL you visit in Edge back to Microsoft servers,
Not the same thing.
While this is Google and not Microsoft it's worth noting that Chrome literally has a telemetry option which sends URLs to Google [2].
Hackers cloaked IP address -> VPN license -> Windows GDID -> Hacker's name.
It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning. Repeatedly the documents cite "Microsoft's records" for the activity - installing ngrok, accessing certain sites, RDP connections, etc.