Take from the article: do these 20 steps to avoid

My take; use linux.

This is enough to never use Windows as your primary device.

SOAP in 2026? I need a REST.

When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to login.live.com and gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it.

The PUID lands in your own registry hive, in plain text, at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties under a value named LID. From there, the Connected Devices Platform, the same background service (cdp.dll, running as CDPSvc) that powers Phone Link, cloud clipboard, and Nearby Share, reads that PUID and registers it into Microsoft’s Device Directory Service, which is the identity graph behind all of Microsoft’s cross device features. There, the number gets a lowercase g stuck in front and gets written as g:decimal. Delivery Optimization then reports that same value back to Microsoft’s servers as UCDOStatus.GlobalDeviceId every time your PC shares or downloads update data peer to peer.

Source

It likely uses the motherboard's burned-in TPM module API to generate the unique hardware ID on, and associate with the account/license.

It's quite interesting to compare the percent these civilian-scoped features are actually helping and not used for tracking and control of masses, since every accountable fraudster/killer/thief/professional knows about these and could not care less about it.

Yes, it may help for telemetry, and is great to have for an accountable business, which is understandable, but there's a hope these are not used against the civilian, too, respecting the personal lives and the right of human choice out there...

Ave Linux, the transparency, indeed...

The following is a related piece of information, yet I am sorry, but I am not sure about the accountability and accuracy of the paper, since it was written by the sorrowful LLM Claude:
- https://github.com/SmtimesIWndr/gdid-reversal

Soooo, what does it stop Google or Meta from using same thing that Windows already offers to track users? Because as we all know, shit like this is NEVER only used by the good guys only.

So it's a unique id "stamped" to your Windows install during setup when you sign into a Microsoft account during the OOB setup experience. It gets stored in the machine's registry, and is used for uniquely identifying your hardware and tying it to a Microsoft account for licensing purposes.

It does not persist between reinstalls, and it is in a known registry location so therefore viewable and editable now that we know it's there. We don't yet know the exact effects of editing it, or how exactly they correlated it in this case with the person's network activity.


I expect we'll have some mitigation plan in the next few months. Obviously starting with the recommendations in the article.

Completely pulling this from my ass:

  • There should be some ways for researchers to watch what accesses that registry key and when.
  • Hypothetically, one could just randomize their GDID.
    • Could target specific known ones to flood the data collected (everyone uses all zeros)
    • Forge evidence against specific targets (collect the GDID off a target's machine, then set a VM to that and go nuts)
    • or just randomly generate 1000 then activate Windows on all of them using MASgrave and rotate through them. Would probably need to randomly space out the activations, use generic hardware, and randomly shuffle the ones you used. Would also help to have multiple in use at once generating fake cover data to hide the real stuff in.

At this point it's probably easier to just go off grid than to try and make Windows "private".

If you're a hacker and use Windows, you deserve to get caught tbh

More so that they used the same Windows machine where they were signed in with their real personal Microsoft account as the machine they used for their illicit actions.

VPN only masks your source IP, not any of the other identifiers, of which we now know a new one.

midwest.social

Rules

  1. No porn.
  2. No bigotry, hate speech.
  3. No ads / spamming.
  4. No conspiracies / QAnon / antivaxx sentiment
  5. No zionists
  6. No fascists

Chat Room

Matrix chat room: https://matrix.to/#/#midwestsociallemmy:matrix.org

Communities

Communities from our friends:

Donations

LiberaPay link: https://liberapay.com/seahorse