logoalt Hacker News

Someonetoday at 11:29 AM5 repliesview on HN

I guess we’ll see a Windows tool that sets your identifier to this suspect’s “g:6755467234350028” very soon (weird ID, by the way. 16-digits makes sense, but I would have expected it to be hexadecimal)

Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?

If it’s the browser sending that info to Microsoft, wouldn’t somebody have noticed that their PC contacts Microsoft for every web page they open? Or do they batch that data and send it at some later time?

Also, would that mean this ‘only’ affects those using Microsoft’s browser (or does Chrome do the same, sending data to Google?)

Alternatively, is this happening lower in the stack? I can think of a place where a system component has access to the domain name, but not of one where it has the full URL.


Replies

Kipterstoday at 12:15 PM

> (weird ID, by the way. 16-digits makes sense, but I would have expected it to be hexadecimal)

it's the decimal representation of a 64 bit integer

boopigtoday at 3:39 PM

It was Microsoft Defender SmartScreen in Edge I believe. The visited domain is submitted to Microsoft to check it against known malware and phishing sites. And, as we're learning here, it is associated with the GDID (and Microsoft Account) which can be accessed via law enforcement requests.

ndiddytoday at 1:02 PM

A non-Edge browser would give the OS the domain name from the HTTPS connection and the page title because that's what it sets the window title to. I think that would be enough to identify the URL in a lot of cases (i.e. the sign-up URL sets the title to "ngrok Sign Up".

embedding-shapetoday at 12:18 PM

> Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?

That URL shows 16 blocked requests, it tries to load (at the very least) datadog and googletagmanager, I'm guessing the police simply reached out to all the analytics companies Ngrok ends up indirectly/directly sending data to, which ends up saving everything they get their hands on.

What surprises me the most is that the guy was using a Windows installation to do all of this. But then again, you only hear about the dumbest criminals who get caught, so I guess it does make sense after all.

show 1 reply
ralferootoday at 1:20 PM

Converting that ID to hex gives 18,000F,C8CB,93CC which rather looks like 32 bits of random data plus the prefix 0x18000f or possibly 40-48 bits of time in ms granularity from some epoch.