midtake 7 minutes ago

To me this indicates that Microsoft has some sort of traffic analysis performed on endpoints, then linked to GDID. I'd guess this is part of Defender's real time protection or MAPS.

Fun fact, Microsoft Defender MAPS was previously named SpyNet.

https://en.wikipedia.org/wiki/Microsoft_Active_Protection_Se...

The GDID identifier seems software in nature though. They could be more aggressive and tie it to the baseboard's serial number the way some games do. Then the hardware is tracked throughout its entire lifecycle, not just per instance of Windows install.

protocolture 11 minutes ago

Probably a capability demanded through a TCN or TAN as part of a mechanism like Australias Access and Assistance bill.

Terr_ 42 minutes ago

TLDR: Microsoft can (at least) correlate your Windows installation to all website domains you visit while using Windows.

It's unclear what the mechanism is, but I'd wager their "telemetry" is constantly revealing your installation ID, your current IP, and domains that were recently resolved.

  • pogue 27 minutes ago

    The article links to this page, which was shared on HN yesterday. [1]

    I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.

    [1] https://github.com/SmtimesIWndr/gdid-reversal

    • Terr_ 21 minutes ago

      I would be shocked if Microsoft was not using their own layer of certificate-pinning to stop people from doing that, and/or using another layer of encryption separate from the networking layer.

      • cromka 13 minutes ago

        But you'd still see some encrypted traffic and it wouldn't fly under a radar

      • pogue 5 minutes ago

        Only way to see what's going on is testing to see what's going on. Hopefully, someone who knows more about it than me can take a look at the packets and see what they contain.

  • echelon_musk 18 minutes ago

    Worse than just domains as TFA shows full URLs are recorded.

    Reminds me of Google Safebrowsing.