security implications of /var/lib/dbus/machine-id. Thoughts?
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Yet since the location of the file is well known, nothing stops other software from using the file as a fingerprint. Regenerating at each boot probably throws some sand into data mining and tracking gears, but even Slackware uses and needs the file.
Man, permit me to tell you again: there are lots of ways at disposition of the rogue software to fingerprint you. It is plain and simple: the single way to not be fingerprinted is to not use that rogue software. Or, even better, to disconnect your computer from internet.
And anyways, I seriously doubt that Google uses that machine-id or ever used it for fingerprinting. Or by any other reasonable smart rogue program, because there are many other better ways to fingerprint people. Not that I claim that Google or any other companies do those things.
Just to say that, that Chrome (and Chromium) stores somewhere a value named "gaia_id" and I leave to the reader exercise to find where it is put, for what it is used and how it is obtained.
Last edited by ZhaoLin1457; 12-01-2019 at 08:05 PM.
If you already know where/how it's being used, why aren't you sharing that knowledge?
Yes, there are lots of ways programs could put a fingerprint on your activity, but their man pages state when it does happen. You're stating that Chrome/Chromium are doing it, without being explicit in the matter. If you're going to make that allegation, it's up to you to prove it.
The output of this alone is likely enough to uniquely identify you: stat -c %W /
I don't want you to think I missed your point, but as an aside this returns 0 for me. I tried a few other things, like including the comma (since / is a filepath, that obviously didnt work) and running it as root. But it returns 0. I use stat, I guess my filesystem doesn't know when / was born.
You didn't make the allegation, upnort. ZhaoLin1457 made it.
Excuse me, but anyone of you brave Americans bothered to look into "~/.config/chromium" ?
Because there's a file named "Local State" which contains that mentioned "gaia_id" with value a big number. Also there's "gaia_name" and "gaia_given_name" with values my name from my own Google Account. There's even "gaia_picture_file_name" with value "Google Profile Picture.png"
So, I think this "gaia_id" is somehow connected to my Google Account and represents probably my unique id on Google. True, I am logged in on Chromium.
Certainly, it get a special treatment and it is stored right on Chromium's main configuration file absolutely only to improve my web browsing experience...
Last edited by LuckyCyborg; 12-02-2019 at 11:38 PM.
I don't want you to think I missed your point, but as an aside this returns 0 for me. I tried a few other things, like including the comma (since / is a filepath, that obviously didnt work) and running it as root. But it returns 0. I use stat, I guess my filesystem doesn't know when / was born.
Yes the filesystem does indeed have to include birth date metadata for that specific example to work, and not all do. However, it will work on ext4, so that's going to cover the majority of users.
Distribution: Slackware 64 -current multilib from AlienBob's LiveSlak MATE
Posts: 1,073
Rep:
Quote:
Originally Posted by GazL
... the game is already lost.
The output of this alone is likely enough to uniquely identify you: stat -c %W /, and it's not as if you can prevent programs from calling stat().
Works for me.
Personally, I'm not that worried of what Google and other corporation might do with my identity (which they have, since I use an Android smartphone). I imagine that I can handle them. I reserve my tin foil hat for intrusions from various national security services. In the near future, getting a new smartphone or PC might mean hosting preinstalled spyware unbeknownst to me. And without pop-up ads.
It doesn't work for me and I'm using ext4. If I use stat on / without arguments, I get:
Birth: -
Now what the heck does that mean? That my root directory was never created but goes back to the Big Bang?
PS just tried it on a freshly created file and a freshly created directory. Still get nothing. If this field exists, stat isn't able to read it.
It means that the file system you use on the / mount doesn't store the "created" or "Birth" date/time, which is true for all ext* ones (the date/time stamps stored are only last access, last change and last modified).
Out of my head I do not know which fs'es do store the creation date/time.
Personally, I'm not that worried of what Google and other corporation might do with my identity (which they have, since I use an Android smartphone). I imagine that I can handle them. I reserve my tin foil hat for intrusions from various national security services.
What if the former hands over the information they gather to the latter?
This makes machine-id unique to each running instance of the OS on the machine.
I'm not convinced...
This is more of a mitigation, where deleting a file and rebooting (or manually deleting a file and restarting the daemon) is being touted as a benefit to using that distribution.
If the issue is with chromium, then every startup, newly visited website, newly opened tab - would need a unique ID, to be of any use whatsoever...
chromium uses dbus for IPC and I thought it may check /etc/machine-id, as crude means of checking for a valid the dbus installation.
It could equally use other methods to ID the host system, but it could also use various methods, to gain a better fingerprint.
Without checking the chromium source or understanding the code, it's hard to say:
// The client ID is derived from /etc/machine-id
// (https://www.freedesktop.org/software/systemd/man/machine-id.html). As per
// guidelines, this ID must not be transmitted outside of the machine, which
// is why we hash it first and then encode it in base64 before transmitting
// it.
This is certainly /etc/machine-id being utilised to generate a "client ID" - i.e. it is not being used for any kind of IPC purpose but is being hashed and "transmitted outside of the machine"...
While I believe there are some concerns it is being misused here, it's google after all and entirely unsurprising.
Would be interesting to know examples of other software using the machine-id for such purposes...?
The Devuan project's concerns do seem valid, but I remain unconvinced that rebooting is any kind of "solution" to tracking - because that seems to be in effect what they're proposing...?
The Devuan project don't seem to frequent this site, but I wonder if they would like to comment?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.