Is there anything like a standard GUID to identify a PC?

I am asked about my opinion in a case as follows:

Someone visited a (totally legal, in fact US government) website A and identified themselves. At a very different point in time they – allegedly – visited a (doubtlessly very) illegal website B.

US law enforcement claims there is no doubt that the access to B was by the same person/from the same PC as the access to A. If the identification were based on the client’s IPv4 address (outside the US!), say, I’d argue that these are typically reassigned to new clients every few hours or days (not to mention shared/NATed use by multiple entities, including WiFi guests), hence it is at most very weak evidence. In addition, it currently seems that the non-US ISP was not asked to reveal the identity of their customer associated with the IP in question at the point of time in question. Rather the claim of identity is by comparison with said access to A. Meanwhile, it seems that the identification is not claimed to be done by IPv4 address, but rather by something referenced as a “GUID” identifying the PC. I am not aware of a standard or widespread use of any such GUID in any internet protocol that would allow cross-site identification between sites that do not even wish to collaborate on such an issue.

Note that the term GUID was specifically mentioned, i.e., we are not talking about browser fingerprinting or cookies.

Q: Is there anything “GUID-like” that can act as described to identify a PC/device across multiple unrelated(!) sites? In TCP? In http? In TLS? “Anywhere else” in the process?

How to identify which device is malicious

I’m facing a surprising problem: a Windows 10 computer seems to use the keyboard and mouse by itself on the login screen.

So I’m guessing:

  • It’s not a software intrusion, because that way the program should have access to the shell and should use commands by program instead of attempting to log in;

  • It may be a hardware attack; there is some (known and bought) device connected by USB on this computer;

So here is my question: Is there a way to identify the malicious device? And even better, to record what kind of commands it’s attempting to use? (Yeah, I’m playful.)

A bit more context: I observed this behavior after just opening this laptop and leaving it alone for around 10 min. The virtual keyboard was open, and the program seemed quite lost, clicking on empty space where there is usually the menu icon.

Given a DCEL, how do you identify the unbounded face

I have constructed a DCEL using the procedure described in How do I construct a doubly connected edge list given a set of line segments?.

This correctly identifies all faces, however I’m struggling to come up with a way to identify the unbounded face surrounding my graph.

So far my only idea is that by building a polygonal representation of every face, I could find the face polygon which ‘contains’ all the others, but this seems kind of messy.

How can one Identify a Magic Item?

I had a disagreement with one of my groups recently: They believe that the identify spell is the only way to identify a magic item, while I believe a high enough Intelligence (Arcana) check is able to do the same.

What I came here to ask is: What are all the possible ways to identify a magic item?

Identify devices from lsof

We have certain Ubuntu (18.04) servers operating .NET Core apps on Kestrel. Recently the apps and OSes have been hanging, requiring entire VM restart.

What we found was the app had way too many file descriptors for network sockets. i.e. /proc/

Correspondingly, a query with lsof would reveal an ever-growing pool of “protocol:TCP” of type sock the dotnet process leaks.

    COMMAND  PID     USER   FD      TYPE             DEVICE SIZE/OFF   NODE NAME
    dotnet  6905 www-data  675u     sock                0,9      0t0  96816 protocol: TCP
    dotnet  6905 www-data  676u     sock                0,9      0t0  96863 protocol: TCP
    dotnet  6905 www-data  677u     sock                0,9      0t0  96910 protocol: TCP
    dotnet  6905 www-data  678u     sock                0,9      0t0  96959 protocol: TCP
    dotnet  6905 www-data  679u     sock                0,9      0t0  97006 protocol: TCP
    dotnet  6905 www-data  680u     sock                0,9      0t0  97053 protocol: TCP
    dotnet  6905 www-data  681u     sock                0,9      0t0  97101 protocol: TCP

From another thread with a similar reported problem, https://serverfault.com/questions/153983/sockets-found-by-lsof-but-not-by-netstat, we understand that this is due to some code (likely some library) in the .NET app that is opening sockets without binding an IP address or port to them.

However, what we would particularly like to know in this case is: what are DEVICE 0 and 9 in this context? I have seen other reports list 0,5 or 0,7, but nobody explains which type of device those numbers represent.
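
An added example, not part of the original post: a Python sketch that parses lsof output in the default column layout shown above and counts, per process, the sockets lsof reports only as "protocol: TCP", so the leak can be tracked before descriptors run out. The sample rows are constructed from the post's output plus one bound socket for contrast, and the function names are this example's own.

```python
from collections import Counter

COLUMNS = ["command", "pid", "user", "fd", "type", "device", "size_off", "node", "name"]

# Constructed sample: three rows from the post plus one bound IPv4 socket for contrast.
SAMPLE = """\
COMMAND  PID     USER   FD      TYPE             DEVICE SIZE/OFF   NODE NAME
dotnet  6905 www-data  675u     sock                0,9      0t0  96816 protocol: TCP
dotnet  6905 www-data  676u     sock                0,9      0t0  96863 protocol: TCP
dotnet  6905 www-data  677u     sock                0,9      0t0  96910 protocol: TCP
dotnet  6905 www-data  120u     IPv4              95001      0t0    TCP 10.0.0.5:5000->10.0.0.9:51544 (ESTABLISHED)
"""

def parse_lsof(text):
    """Parse default-layout lsof output into dicts; NAME may contain spaces."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, len(COLUMNS) - 1)
        if len(fields) != len(COLUMNS) or fields[0] == "COMMAND":
            continue  # skip the header, blank lines and truncated lines
        row = dict(zip(COLUMNS, fields))
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows

def unbound_socket_counts(rows):
    """Count sockets with no address information, per (command, pid)."""
    counts = Counter()
    for row in rows:
        if row["type"] == "sock" and row["name"].startswith("protocol:"):
            counts[(row["command"], row["pid"])] += 1
    return counts

def device_numbers(row):
    """Split a 'major,minor' DEVICE value; return None for any other form."""
    major, sep, minor = row["device"].partition(",")
    if sep and major.isdigit() and minor.isdigit():
        return int(major), int(minor)
    return None

def over_threshold(rows, limit):
    """Return the (command, pid) pairs holding more than `limit` unbound sockets."""
    return sorted(key for key, n in unbound_socket_counts(rows).items() if n > limit)

if __name__ == "__main__":
    rows = parse_lsof(SAMPLE)
    for (command, pid), n in unbound_socket_counts(rows).items():
        print(f"{command} pid={pid} unbound TCP sockets: {n}")
```

Run against periodic snapshots of real lsof output, a count that only ever rises for one PID is the signature of the leak described in the post.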

I don’t know how to identify the password behind the hash

So I am a total noob at this, just starting out. I found online a web app that is vulnerable to blind SQL injection. I managed to get into the users table and I looked at my password; in the table was the hashed version, this one -> 57b0fcbe39b9336d. Now I know that my password is dinamo. Knowing the hashed version and the original password, how can I use this information to find out the hashing method?

Can someone identify if this host is windows or linux: https://www.shodan.io/host/54.205.54.58 [on hold]

54.205.54.58 http://shodan.io/host/54.205.54.58

AWS Amazon machine; nmap claims it’s likely Linux, but it’s obviously running both Windows and Linux software.

My take:

a) Windows machine using Docker on Windows and then virtualizing the Linux programs shown;

b) Linux machine using VMware or something, then installing Windows and showing IIS and others…

In any case, whoever uses this is a fan of Docker.

It uses VNC to log on to the graphical interface…

Why am I curious? I have reasons to believe said host is either used by foreign hackers or set up by them to use a large botnet + originally host the “antipublic database” which created mini-havoc recently. In any case, whoever had root access to this was a super competent and talented hacker.

Again, I need to know at least the host OS on top. Thanks!

Can’t Identify the CA certificate chain in the server’s certification manager to auto enroll it

I’m on Windows Server 2019 with AD/DC, DHCP, DNS, Remote Access and CA roles installed on it. I created a VPN certification (for SSTP and IKEv2) on my server, issued it and installed it in the personal certificate store. Now I want my clients (basically Windows 10 Pro machines) to automatically receive the CA Certificate Chain so that they can trust certificates issued on my server, like the VPN cert. I’m gonna do this using group policy, but the problem is I can’t tell which one of the installed certificates in the certificate store of the local machine (Server 2019) is actually the CA Certificate Chain.

I have 3 identical CA certificates; 2 of them are in the Trusted root certificate authority store and one of them is in the personal store.

Here are the details of those 3 certs; the screenshots I took of the details are the same for all 3 certificates.

I’d appreciate if someone can help me find the right one.