Windows 98 Knows Who You Are
Author Details Discovery Process

By Richard M. Smith, March 12, 1999
Phar Lap Software


[Editor's note: Smith is credited with discovering this security hole in Windows 98 and Internet Explorer 4.0]

I've been following the Pentium III serial number controversy and became curious how serial numbers are already being used in Windows software. I made a very interesting discovery this week. Apparently Microsoft is "fingerprinting" Excel and Word files with people's hardware Ethernet adapter addresses. Yikes! Ethernet adapter addresses (or MAC addresses) are 48-bit numbers which are designed to be unique just like the Pentium III serial numbers.

This fingerprinting scheme could be used (or misused) to trace the origin of document files. For example, if a whistle blower leaked a Word document to the press about a company or government agency, the Ethernet address might be used to track the document back to the author.

Here is a hex dump of a Word .DOC file with my Ethernet adapter address written out in Unicode:

3360:02 00 00 00 0A 00 00 00 5F 50 49 44 5F 47 55 49 ........|_PID_GUI
3370:44 00 02 00 00 00 E4 04 00 00 41 00 00 00 4E 00 D.......|..A...N.
3380:00 00 7B 00 45 00 38 00 36 00 43 00 33 00 42 00 ..{.E.8.|6.C.3.B.
3390:36 00 30 00 2D 00 44 00 30 00 31 00 41 00 2D 00 6.0.-.D.|0.1.A.-.
33A0:31 00 31 00 44 00 32 00 2D 00 41 00 36 00 37 00 1.1.D.2.|-.A.6.7.
33B0:46 00 2D 00 30 00 30 00 32 00 30 00 37 00 38 00 F.-.0.0.|2.0.7.8.
33C0:39 00 30 00 30 00 33 00 33 00 37 00 7D 00 00 00 9.0.0.3.|3.7.}...

According to the WINIPCFG utility that comes with Windows 98, my Ethernet adapter address is 00-20-78-90-03-37.

To run your own test, simply open a Word document with Notepad and search for the string "GUID" and the Ethernet address will follow shortly in the file. Example:

_PID_GUID { E 8 6 C 3 B 6 0 - D 0 1 A - 1 1 D 2 - A 6 7 F - 0 0 2 0 7 8 9 0 0 3 3 7 }

The address is being stored in something called a GUID, or Globally Unique Identifier. A GUID is a 128-bit number that typically is used in Windows to identify ActiveX controls. The low 48 bits of a GUID are usually the Ethernet adapter address. Because no 2 machines should have the same Ethernet adapter address, a GUID generated on one computer should not be duplicated on any other computer.

A side effect of putting Ethernet addresses in GUIDs is that a GUID is automatically fingerprinted with a hardware ID of the computer that it came from. GUIDs were designed to be used with ActiveX controls, but can be used for any purpose that requires a unique serial number. The Windows system calls "UuidCreate" or "CoCreateGuid" are used to make new GUIDs.

IDs Without Adapters
If a computer doesn't have an Ethernet adapter, Windows seems to use a pseudo-Ethernet address from a modem PPP connection. On 3 different computers that I checked, this address is the same number, 44-45-53-54-00-00. Unlike most business computer users, the typical home user probably does not have an Ethernet adapter in their computer. Therefore their Word and Excel documents will not be marked with a traceable GUID. However, as people switch over to using cable modems and ADSL modems for their Internet access, fingerprinting of documents will become much more likely even for the home user.

On my laptop I found that the majority of my .DOC and Excel files had my Ethernet address in them. In the few files that didn't, I found the PPP pseudo address, so I assume I wrote these files while on the road.

Microsoft has confirmed that the GUIDs are being put in Excel and Word files, but it is still unclear for what purpose. However, both programs seem to generate a new GUID when a file is saved to disk. I've only tested files produced by Office 97 for Windows. I'm unsure if the problem also exists for Office 95 files or Mac Office files.

Another interesting question: what other Windows applications are using GUID files for identification purposes? For example, I got e-mail from someone mentioning that GUIDs are also put in Web browser cookies. I did a quick scan on my Netscape cookies file and found a number of websites that were indeed using GUIDs for identification purposes.

I think the controversy over the Pentium III serial numbers is blown way out of proportion. On the other hand, I find it very odd that hardware serial numbers are being recorded in Word and Excel files. Fingerprinting seems unnecessary and the practice probably should be stopped.

More Mischief
I found a file named "REGINFO.TXT" in my Windows directory. It was created when I registered my copy of Windows 98. This file contains all of the information that was sent via the Internet to Microsoft when I registered.

Guess what? It contains my Ethernet adapter address as part of a number labeled "HWID". Microsoft never asked me if it was okay to send in this number and it never said it was being sent.

Here is an excerpt from that file:

=== Microsoft Registration Wizard === 
Default First Name = Richard M. 
Default Last Name = Smith 
Default Company = 
...
HWID = 13b50d60ce4a11d2a67f002078900337 
MSID = 114e54659a4611d2a6760050c5000246 
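
The check described above (searching a document for the GUID and reading the adapter address out of its low 48 bits), and the same reading applied to the HWID value in the REGINFO.TXT excerpt, can be automated. The following Python is an added example, not code from the article or from Microsoft; the names node_mac, scan_document and SAMPLE are hypothetical, and the sample bytes are constructed from the hex dump shown earlier.

```python
import re
import uuid

# Pseudo-address the article reports on machines without an Ethernet adapter.
PPP_PSEUDO_MAC = "44-45-53-54-00-00"

# A brace-wrapped GUID stored as UTF-16LE text, as in the article's hex dump.
GUID_UTF16 = re.compile(rb"\{\x00(?:[0-9A-Fa-f-]\x00){36}\}\x00")


def node_mac(guid_text):
    """Return the node field of a version-1 GUID as a MAC string, else None."""
    try:
        u = uuid.UUID(guid_text)
    except ValueError:
        return None
    if u.version != 1:  # only time-based GUIDs carry a node (MAC) field
        return None
    return "-".join(f"{b:02X}" for b in u.node.to_bytes(6, "big"))


def scan_document(data):
    """Find UTF-16LE GUID strings in raw file bytes and report their node fields."""
    findings = []
    for m in GUID_UTF16.finditer(data):
        text = m.group().decode("utf-16-le")
        mac = node_mac(text)
        if mac:
            kind = "ppp-pseudo" if mac == PPP_PSEUDO_MAC else "adapter"
            findings.append((m.start(), text, mac, kind))
    return findings


# Constructed sample: the bytes shown in the article's hex dump (0x3368 onward).
SAMPLE = (b"_PID_GUID\x00" + bytes.fromhex("02000000E4040000410000004E000000")
          + "{E86C3B60-D01A-11D2-A67F-002078900337}".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for offset, guid, mac, kind in scan_document(SAMPLE):
        print(f"offset {offset:#x}: {guid} -> node {mac} ({kind})")
    # The HWID value from the REGINFO.TXT excerpt is the same layout without dashes.
    print("HWID node:", node_mac("13b50d60ce4a11d2a67f002078900337"))
```

To audit a real file, pass the result of open(path, "rb").read() to scan_document; an "adapter" finding means the document carries a hardware address that can be compared against the WINIPCFG output.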

Richard M. Smith is President of Phar Lap Software, Inc. Phar Lap is a developer of real-time operating systems for embedded PCs. The opinions expressed are those of the author. He lives in Brookline, Mass.
