Ultimately, the problem is much bigger than /etc/machine-id since there are dozens of hardware IDs on any PC that can be used by malicious telemetry to silently to uniquely identify and track you, and the only solution to this problem currently is to make sure you really trust any software you use.

Systemd, in particular, acts a lot like malware for Linux because if you try to reset your machine-id a long list of stuff that breaks in in it. You could make a cron script to reset /etc/machine-id every day, but machine-id is so deep in the stack that you’d also have to reboot to ensure it’s updated.

  • hirihit640@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    7
    ·
    5 hours ago

    Flatpaks might be the solution here. Flatpaks run in containers, they might have isolated machine-id already.

    Though tbh if you don’t trust the apps on your Linux system, you have more to worry about than fingerprinting. Regular executable binaries and system packages have zero isolation, any malware can wreak havoc. Flatpaks are getting there but many apps still ask for permissions they don’t need, increasing risk.

    For untrusted apps, run them in a browser (if a web-app), a container/distrobox, or a VM.

    • ☆ Yσɠƚԋσʂ ☆@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      4 hours ago

      The browser itself is one of the biggest vectors of attacks here. Both Chrome and Firefox indirectly via libdbus, read your machine-id. Firefox shares browsing data and other unique info with ‘with partners, service providers, suppliers and contractors’ including Cloudflare and Google.

      • hirihit640@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        4 hours ago

        Well browsers are apps, just like any other app on your system. So the same advice applies. If you don’t trust chrome and firefox but you still want to run them, use a container/distrobox/VM. There are plenty of more private browsers though, like Brave or Mullvad Browser.

        Web apps, on the other hand, run inside the browser sandbox, which is an entirely different environment. They don’t have access to machineid unless the browser gave it to them, for example via a browser extension. There’s still a lot of fingerprinting vectors though, so use Tor Browser or Mullvad Browser, ideally with JS disabled. This website is a great way to check your fingerprint: https://abrahamjuliot.github.io/creepjs/

        • ☆ Yσɠƚԋσʂ ☆@lemmy.mlOP
          link
          fedilink
          arrow-up
          5
          ·
          3 hours ago

          Browsers aren’t just apps, they’re effectively platforms which run all kinds of apps you end up accessing online when you visit sites. Since the browser leaks the id to these apps, you’re effectively trusting the apps. Sure, you could run your browser in a VM or whatever, but that’s missing the point entirely. The real question is why your machine needs to have a unique identifier, and why the fuck it’s baked into functionality of systemd which is now replacing the traditional tool chain with a monolith.

          And yes, I’m fully aware of other metadata that the browser leaks, and the fact that people are just starting to talk about that is also a problem. Running with Js disabled or putting a browser in a VM, is not really a solution for vast majority of people. The issue is that we have systems that are designed to enable tracking by default, and you have to jump through hoops to get around that. Telling people here are the hoops isn’t really helpful.

          • hirihit640@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            2 hours ago

            I’m not familiar with the purposes or history of machine-id, I’d guess that it’s just a legacy artifact that can’t be easily removed now.

            There’s definitely a lot to be desired when it comes to privacy on Linux. Unfortunately Linux was designed before many of the privacy and security best practices became established, which is why is it less secure than modern systems like Android (source). Trying to re-architect Linux at this point would be an insane undertaking. Machine-id is just one thing in a long list that would need to be changed. Nothing wrong with advocating for it, but I just wouldn’t expect it to happen for at least 5 years.

            Containers are a modern technology with isolation and security as a core goal from the start. And by now, containers are already deeply integrated into the Linux community, for example look at how the entire Fedora Atomic project (including Bluefin, Aurora, Bazzite) uses container-based infrastructure to build the OS images. So that’s why I’ve been moving towards it as a solution for my privacy needs, and I recommend others look into it as well.

            Edit: rewording some sentences

            • ☆ Yσɠƚԋσʂ ☆@lemmy.mlOP
              link
              fedilink
              arrow-up
              3
              ·
              2 hours ago

              Systemd was designed long after a lot of these security practices and problems with tracking were well understood. There’s very little excuse for it doing a lot of the things it does. Systemd is literally re-architecting how Linux was meant to work originally, and for the worse. I get the impression you’re not actually familiar with the history of Linux or Unix philosophy in general.

              Having to put everything into containers is really just a work around bad architecture that keeps being pushed in the Linux world. Containers are useful, and probably the only way to actually keep apps from having too much access to the system at this point, but I don’t see why bad architecture should be accepted and then have to be worked around.