Every single UEFI computer sold today has a unique serial number (GUID). There are MAC addresses. There are HDD serial numbers. There are zillions of unique identifiers accessible to the operating system. Various copy protection schemes use one or more of these. But what they all have in common is that they are under the control of the OS. A privacy-conscious OS can forbid access to these identifiers for userspace applications, or can fake them to something else. This is how e.g. sandbox environments like the App Store can force apps to use some kind of "advertising ID" for this stuff, and ensure that apps aren't sneakily fetching some true unique system ID.
But with the PIII serial number, userspace apps can fetch it without the OS knowing about it. And the disable bit is a one-time operation, so it is not possible to grant serial number access to some apps and not others. This leads to a situation where any arbitrary unprivileged userspace app can uniquely identify your machine, and where vendors relying on this feature might compel you to leave it enabled (e.g. DRM). Now random apps running under an untrusted user can fingerprint your machine, just because you want to watch Netflix.
And that is why this design was utterly broken and a privacy nightmare. Not because it's a unique ID. We have tons of those.
* VMs can trap CPUID, but of course VM support came later anyway.
On Intel, trapping CPUID has also been possible without VMs since Ivy Bridge. (Linux exposes it via arch_prctl(ARCH_SET_CPUID).)
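The arch_prctl(ARCH_SET_CPUID) call mentioned above, shown as an added example that is not part of the original comment: it disables CPUID for the calling thread, confirms that the instruction then raises SIGSEGV instead of running, and re-enables it. The function name probe_cpuid_faulting is hypothetical; the two ARCH_* constants are the Linux UAPI values, and Linux 4.12 or later on x86-64 is assumed.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) && defined(__linux__)
#include <unistd.h>
#include <sys/syscall.h>
#ifndef ARCH_SET_CPUID          /* values from the kernel's asm/prctl.h */
#define ARCH_GET_CPUID 0x1011
#define ARCH_SET_CPUID 0x1012
#endif

static sigjmp_buf cpuid_trap;
static void on_segv(int sig) { (void)sig; siglongjmp(cpuid_trap, 1); }

/* Returns 1 if CPUID trapped once disabled, 0 if it still executed,
 * -1 if the kernel or CPU offers no CPUID faulting (e.g. ENODEV). */
int probe_cpuid_faulting(void)
{
    struct sigaction sa, old;
    volatile int trapped = 0;
    unsigned a = 0, b, c = 0, d;

    if (syscall(SYS_arch_prctl, ARCH_SET_CPUID, 0UL) != 0)
        return -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(cpuid_trap, 1) == 0)   /* savemask=1 restores the signal mask */
        __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "+c"(c), "=d"(d));
    else
        trapped = 1;                     /* the kernel turned CPUID into SIGSEGV */

    sigaction(SIGSEGV, &old, NULL);
    syscall(SYS_arch_prctl, ARCH_SET_CPUID, 1UL);   /* re-enable for this thread */
    (void)b; (void)d;
    return trapped;
}
#else
int probe_cpuid_faulting(void) { return -1; }       /* not Linux x86-64 */
#endif

int main(void)
{
    int r = probe_cpuid_faulting();
    printf("CPUID faulting: %s\n", r == 1 ? "trapped" : r == 0 ? "not trapped" : "unsupported");
    return 0;
}
```

Per arch_prctl(2), the setting is inherited across fork and clone but reset to enabled on execve, so a launcher cannot simply set it and exec an untrusted binary; a supervisor has to apply it inside the target process.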
Thought it was interesting that they did that but didn’t think much more of it. I don’t even remember what the promo was. Might have just been extended warranty or something?
from spinning up a VM
...and you can change them, even if not easily, for a VM. AFAIK the Windows licensing/activation relies on the same uniqueness.
Also, I have a Sonos system and it works great!
The stolen part I get, but did it used to be easier to counterfeit chips? There's a lot that goes into making something that looks like a PIII, and even then, I assume Intel had state-of-the-art fabs, so I'm surprised this was a concern.
The hardware scams I've heard of are stamping better specs on something; for hard drives, a firmware hack that makes it appear to be higher capacity; and unauthorized hardware made in off-hours on the same production line.
Irrelevant now with the switch to ARM, but still pretty interesting they out and out state it.
https://www.csoonline.com/article/3220476/researchers-say-no...
The ME, on the other hand, is obviously good since it "allows" you to watch 4K Netflix on your PC.
The ME has nothing to do with this, it's entirely about the GPU. 7th generation Intel GPUs and 10xx or newer nVidia GPUs support the DRM that Netflix requires, the CPU just needs to be fast enough to handle its part of the equation.
Anyway, speaking of unique identifiers in mobile devices, mobile phones have had IMEIs for ages - pre-dates Apple by a long time.
The internet was faster then too..
What a beautiful world that was
Now it is the norm.
[1] https://web.archive.org/web/20010424155417/http://www.woodma...
Or home users, in which software doesn't expire, just updates and support does. More a terminology aspect in that way.
Today more things are subscription level, but mostly for content to drive that software.
Seems so quaint to think of that as a privacy concern.
We overestimate the change over the course of a year, but seriously underestimate it over a couple of decades.
https://en.m.wikipedia.org/wiki/German_tank_problem
Further, over time, many authorities have to be repeatedly reminded that User-Agents with UUIDs != the user themselves, and every attempt by technologists to cram more UUIDs onto more and more closely held technology, with more and more ubiquitous and trending-toward-always-on data streams, just makes this threat harder and harder to play down.
You don't need to serialize and track everything. We need to stop doing it. This is also why the systemd machine-id was a step in the wrong direction.