Posted by spc50 | in brave (edited )

SOURCE: https://github.com/brave/brave-core/blob/612896e4b30cca7352dfe2aa1247e2995f97b580/patches/components-metrics-machine_id_provider_win.cc.patch

======================================

diff --git a/components/metrics/machine_id_provider_win.cc b/components/metrics/machine_id_provider_win.cc index 31fe9b46f1fd26db5fbc04b18fb7ae60abf22b66..3df68e8de74d1fd94e73df322bb232e3f45e036b 100644 --- a/components/metrics/machine_id_provider_win.cc +++ b/components/metrics/machine_id_provider_win.cc @@ -18,7 +18,7 @@ namespace metrics {

// static bool MachineIdProvider::HasId() {

  • return true;
  • return !IsMachineIdDisabled(); }

// On windows, the machine id is based on the serial number of the drive Chrome

=========================

Although they hash it - which is better than nothing.. they know the key to the hash and storing value of the SERIAL NUMBER OF THE DRIVE CHROME (assumed to be is installed on).

A browser has ZERO FUCKING LEGITIMATE reason to be looking at such values and none exporting them. Even if the company were entirely legitimately privacy focused, they can unhash the value and expose the actual serial and compare it to other data from third parties or their own silos of data.

This is irresponsible. In face of reversal of the hash by force or by law, people can and will be exposed.

8

Comments

You must log in or register to comment.

Rambler said () (edited )

Womp Womp.

I wonder, do they publish a transparency report or whats their role with assisting governments or law enforcement? On mobile so don't feel like digging through stuff right now.

They knowingly, with the TOR DNS leak, put countless at risk.

3

alltimelow said ()

I would never use Brave to access Tor, that's just asking for trouble. The Tor Browser has actual features to keep you safe.

3

spc50 OP said ()

I wonder if they have a person with responsibility of caring about privacy matters.

Needs to be senior role in such a company to keep developers and direction sane. Otherwise end up with this patchwork of code nerds doing facepalm causing things.

Tired of their apologists casually pushing stuff like this aside as no big deal. People get put on naughty list, people end up imprisoned, people get disappeared, etc. because of leaky software that doesn't protect users.

Stop pretending to be privacy focused or prove me wrong and start cleaning up the messes and 'we've always done this -- industry standards from the 1990's'.

3

dontvisitmyintentions said () (edited )

That patch appears to be part of a set which adds a flag to disable the machine-id feature: https://github.com/brave/brave-core/pull/795

This exchange is informative:

What is the reason for disabling the machine id? We disable the sending of metrics so I'm not sure what the purpose would be. Also, why do you want to disable

I believe they want a portable version where all extensions and passwords are saved between different computers

My impression is that Chromium extensions may rely on machine-id for sync or storage, and this patch works to make sure Brave works without it. I didn't look to see whether machine-id first came from a Chromium source injection into Brave or not.

3

spc50 OP said ()

Good reply.

Portable version should be just that. Free of any machine identity or dependencies thereon.

Whole ball of code and saved settings should as they historically remain stuffed in one tidy directory and those thereunder.

Just like a portable version shouldn't be in system space or user's directory and hidden subdirs it shouldn't be in /etc pulling anything from kernel or proc or their other OS equivalents.

I know it will be yet again OH WE INHERIT THIS FROM CHROMIUM. If Chromium is so bad, and it is, why haven't you cleaned it up yet? Maybe allocating resources doing that should have preceded coin dreaming and pushing ad fluff (aka our ads are less evil).

This is why forking things, rewriting nasty code, severely auditing risks up front, etc. are a thing and sane strategy.

Whole thing reminds me of Redhat when they went public. Like 6 employees doing the real work and 100 marketing people hyping the BS.

4

dontvisitmyintentions said ()

If Chromium is so bad, and it is, why haven't you cleaned it up yet?

Making Chromium a clean, neutral starting point with flags to disable everything for downstream projects (Edge, Brave, Vivaldi, etc) requires Google's cooperation, because Google generates most of the code for their own use in Chrome. Those big names already put money into sustaining it as it is. There's no incentive to make their products easier to be private when downstream doesn't care, either.

Web browsers are too complex for forks to keep up with vulnerabilities and features. Things won't change until some of that complexity goes away. Web sites are too broken for that to happen.

3

spc50 OP said ()

Google's 'Don't Be Evil' abandoned slogan needs upgraded. Something like 'Don't Code Evil' or 'Backdoors Kill Dissidents'. For a company (Google) with such a long history in social change, protests abroad, labor activism movement, etc. you would think they'd be more sane about cleaning things up.

Google has lost its way. Building a company based on their spyware isn't very rationale.

The browser space is basically a duopoly. That's not choice. That's two fake competitors pretending to compete. Competition is afterall a sin according to great industrialist of old.

Many of issues brave is 'solving' and compromises working around point back to javascript. It's time for a severe pushback and movement to demand javascript free experience. When we started dressing web up all marketing pretty is when the vultures, spies, standards all snuck in.

The bloat of web standards and overly complex foolishness have made the industry unappealing and highly centralized. Very bad for creativity. Very bad for startup culture and prospect of future entrants as competitors. A disaster for free people and democracies inevitably.

4

V3l said ()

Without any logical reason, even without Brave is very bizarre, thinking secuirty focused why would you put together a browser and crypto ?

If you realy think security focused, do you realy need two things in one ? While you can just do each task separately

Do you realy need mining ? Do you realy need your browser to mine ? Do you even tor already bundled in ?

Any security analyst, security oriented programmer will tell you it's bullshit

3

Fisuxcel said ()

Because brave needs to make money. The crypto coin crap is optional anyway and you can disable it.

1

smartypants said ()

GREAT revelation!

A Driver I wrote for SATA long ago, reported a bogus but unique serial derived from the real serial and then reported that lie to OS. I guess its time to do that again, but rather collapse the hash to 24 bits of unique and 8 bits more from hard drive format date/time

the 32 bits would be safe enough to be unique and non colliding

1

spc50 OP said ()

You should share your handiwork. We need more privacy conscious solutions and people creating real solutions.

Your work is appreciated!

2

smartypants said () (edited )

Apple in 2021 now in Big Sur tries hard to prevent me from compiling kernel extensions for others that are a hardware layer sata controller man in the middle... almost all drivers are USER LAND code on mac and windows, and if not , you need to have SIGNED CODE identified to you and a usa mailing address.

Miocrosoft started this "signed authorized kernel code" stuff over 20 years ago, only mailing a Windows DDK CD (for drivr writing) to a known USA mailbox address. Now in 2021 the biggest fear Apple and Google and Microsoft have are people like me who wrote man-in-the-middle tools for VIDEO CARDS, VIDEO COMPRESSION paths, AUDIO CODEC interceptors at chip level, network chip monitors, GPU library intercept shims, SCSI, ATA, ATAPI, USB and SATA man-in-the-middle tools.

Its trivial on windows and mac, if your code is authorized to load, you specify that the machine MUST use your code to service the vendor ID of all the above mentioned devices, and your code merely passes through all data on behalf of normal tools, but SWAPS bytes and such of monitored data.

The methods will never go away, but to protect DRM porn videos... all companies claim I am the evil bad man. My code to intercept data and simulate devices or DOWNGRADE DEVICES by falsely stating lack of crypto, are all somehow evil, and I am evil for making it harder to sell DRM protected porn videos on web sites.

Oh well.

All I know is that the latest crap from astounding M1 chip on macs now makes me have no access to even debuggers for kernel , or even DTRACE (DTRACE was only on unix and Apple, but now even Windows has DTRACE).

https://techcommunity.microsoft.com/t5/windows-kernel-internals/dtrace-on-windows-20h1-updates/ba-p/1127929

DTRACE itself is an enemy of DRM, so programming is also an enemy of DRM.

Commercial public Debuggers being loaded on mac stopped only DVD and BluRay playback in the past (same as windows), but now debuggers BAN ABILITY to run a single iOS app on a M1 desktop/laptop.

iOS is still not liberated and cloned in a VM by hackers, and the machine will not even load it into protected ram if a debugger is running. This month apple is also trying to stop existing m1 macs from running legacy iOS apps at all!!!!!! no more iOS VM soon!!! YOu dont know this, by M1 macs can run the actual real genuine iOS OS and genuine real IOS apps, but you have to side load them from a signed device to your cloud and back to your M1 mac and resign them. Lots of youtube videos exist. Apple realizes people like me might want to make it a permanent , easy, and simple thing to do, so Apple just wants to stop that whole experiment.

I am on a tangent.

If i shared code, it would have to be personally be compiled PER USER PER MACHINE. Apple now no longer lets you compile drivers for machines on a desk unless signed, only on the machine that compiled them.

Apple is turning their computers into DRM content delivery platforms tied to credit cards and cell phones.

You are just supposed to CONSUME, pay for app games and buy digital smurfberries for your apps, and pay for DRM protected porn in this new dystopian tech hell hole.

no more personal computing.

2

spc50 OP said ()

Wow! Just wow!

DRM like most tech = well intentioned. But fails to see the destruction and lack of control for hobbyists.

It's like they don't want a future or tinkerers.

2