You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I recently found this project while looking for EDID info, and thought it would be nice to contribute a probe upload about my hardware.
I naively ran the suggested: sudo -E hw-probe -all -upload (using the AppImage) for the first time without checking the output beforehand.
After seeing that a full probe include 58 logs! I now regret this, and have some concerns about overall privacy of this.
README claims
Private information (including the username, machine's hostname, IP addresses, MAC addresses and serial numbers) is NOT uploaded to the database.
I didn't know that it would default to collecting so much detailed info (and often irrelevant to "hardware") which seems can be used to uniquely identify a person/computer.
After the upload, I decided to use the -save option and grep for some things to see what else might be there.
hw.info/logs/efibootmgr DOES CONTAIN my MAC address on a line like: .../MAC(xxxxxxxxxxxx,0)... with the x's being my actual MAC in lowercase hex, no colons.
my username is spattered in a few places:
Due to byobu: hw.info/logs/dev:/dev/shm/byobu-USERNAME-....
Due to systemctl (in 2 forms): hw.info/logs/systemctl: media-USERNAME-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.mount
and in path form (with UUID as a bonus):
loaded active mounted /media/USERNAME/XXXXXXXX-REAL-UUID-HERE-XXXXXXXXXXXX
UUIDs of drives/partitions seem to be masked in some cases, but unmasked versions still slip through all over the place. Mainly as /dev/disk/by-uuid or /dev/disk/by-partuuid
running grep -ri serial over the saved folder shows that many lines have Serial number replaced with ellipses:
hw.info/logs/hwinfo: Serial ID: "..."
But for some reason, other entries in the same file are not replaced in the same way?
Then more in hw.info/logs/usb-devices:S: SerialNumber=
and hw.info/logs/smartctl:Serial Number:
and hw.info/logs/dmidecode: Serial Number:
and finally RAM sticks as hw.info/devices:mem:MFG-MODELNUM-serial-ACTUAL_SERIAL_NUM
Thankfully, at least as far as I can tell, these do get stripped by the time they are stored displayed by the server, but I would have more peace of mind if I didn't see all these being saved.
I can only assume these show up because they are used for calculation of the ID mentioned here:
The tool uploads 32-byte prefix of salted SHA512 hash of MAC addresses and serial numbers to properly identify unique computers and hard drives. All the data is uploaded securely via HTTPS.
And that corresponds to this line hw.info/logs/dmi_id:board_serial: ?
But if that calculated ID is already written to a file on its own, then 1) does it really need to leave them unmasked in all the constituent files? and 2) is it really using ALL of those to calculate that ID?
I haven't (and can't) 100% verify that there's no other uniquely identifying hardware Serial numbers actually stored on the server, but I really wouldn't be surprised if more things are inadvertently slipping through than I've found here, based on the sheer volume of data collected by "-all"
Keeping a listing of all installed deb files just seems particularly excessive and irrelevant to hardware.
I know now that I could have / should have limited which logs to upload, but feel a bit mislead by such privacy statements. And I remain skeptical of the usefulness for collecting ALL of this information.
The text was updated successfully, but these errors were encountered:
I recently found this project while looking for EDID info, and thought it would be nice to contribute a probe upload about my hardware.
I naively ran the suggested:
sudo -E hw-probe -all -upload
(using the AppImage) for the first time without checking the output beforehand.After seeing that a full probe include 58 logs! I now regret this, and have some concerns about overall privacy of this.
README claims
I didn't know that it would default to collecting so much detailed info (and often irrelevant to "hardware") which seems can be used to uniquely identify a person/computer.
After the upload, I decided to use the
-save
option and grep for some things to see what else might be there.hw.info/logs/efibootmgr
DOES CONTAIN my MAC address on a line like: .../MAC(xxxxxxxxxxxx,0)
... with thex
's being my actual MAC in lowercase hex, no colons.Due to byobu:
hw.info/logs/dev:/dev/shm/byobu-USERNAME-....
Due to systemctl (in 2 forms):
hw.info/logs/systemctl: media-USERNAME-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.mount
and in path form (with UUID as a bonus):
UUIDs of drives/partitions seem to be masked in some cases, but unmasked versions still slip through all over the place. Mainly as
/dev/disk/by-uuid
or/dev/disk/by-partuuid
running
grep -ri serial
over the saved folder shows that many lines have Serial number replaced with ellipses:But for some reason, other entries in the same file are not replaced in the same way?
Then more in
hw.info/logs/usb-devices:S: SerialNumber=
and
hw.info/logs/smartctl:Serial Number:
and
hw.info/logs/dmidecode: Serial Number:
and finally RAM sticks as
hw.info/devices:mem:MFG-MODELNUM-serial-ACTUAL_SERIAL_NUM
Thankfully, at least as far as I can tell, these do get stripped by the time they are
storeddisplayed by the server, but I would have more peace of mind if I didn't see all these being saved.I can only assume these show up because they are used for calculation of the ID mentioned here:
And that corresponds to this line
hw.info/logs/dmi_id:board_serial:
?But if that calculated ID is already written to a file on its own, then 1) does it really need to leave them unmasked in all the constituent files? and 2) is it really using ALL of those to calculate that ID?
I haven't (and can't) 100% verify that there's no other uniquely identifying hardware Serial numbers actually stored on the server, but I really wouldn't be surprised if more things are inadvertently slipping through than I've found here, based on the sheer volume of data collected by "-all"
Keeping a listing of all installed deb files just seems particularly excessive and irrelevant to hardware.
I know now that I could have / should have limited which logs to upload, but feel a bit mislead by such privacy statements. And I remain skeptical of the usefulness for collecting ALL of this information.
The text was updated successfully, but these errors were encountered: