The Dangerous Flaw in Windows XP's 45 Million Lines of Code🎙Darknet Diaries Ep. 57: MS08-067
Ғылым және технология
Microsoft gets BILLIONS of error reports from Windows users. So how do they figure out which ones are important? This is the story of how they discovered the Conficker Worm, the worst the world has ever seen.
Visit darknetdiaries.com/episode/57/ for a list of sources, full transcripts, and to listen to all episodes.
Пікірлер: 216
I still can’t get over how great the name Brake Master Cylinder is. I always think of Curtis Blow as a mechanic.
@nazaxprime
Жыл бұрын
Amen
@melok4081
Жыл бұрын
LOL
@nannesoar
Жыл бұрын
I actually named my son Cylinder after him
@GrimReaper-ly8zk
Жыл бұрын
Clutch master cylinder is an alternative.
@stevengill1736
5 ай бұрын
Or spell it Break, like break dancing??
Everyday, every single day i end my day listening to your podcast. These podcasts are music to my ears.
Hi Jack! Huge fan of the show, I discovered you 6 months ago, and since then watched all episodes, you’ve made work a-lot more bearable :)
Love these podcasts! Keep up the amazing work.
@generallowres4636
Жыл бұрын
@@sIXXIsDesigns when did he say that?
i am in love with these thumbnails. i also have a thing for courtroom art, but i think i like these thumbnails even better.
I love your podcast. You've taken the rabbit hole, shone a light down it and "See I told you it's not that deep and it's also pretty cool .And it's not a rabbit hole at all, but the foundation of our modern world" and I love that.
New to this channel. Not computer savvy but mind blown none the less. I learn something new every few minutes watching these. I binge watched for a few hours last night. Subbed!
Windows XP sent off a crash report only if the user clicked yes? How quaint that Microsoft once respected the concept of consent!
@DoubleUSlade
Жыл бұрын
Your using their service. And it’s massively Important to have that data to understand crashes lol
@DoubleUSlade
Жыл бұрын
I mean why wouldn’t you want them to know about a crash
@Singularity24601
Жыл бұрын
@@DoubleUSlade Heh, really? It's simply not for other people to force you to use your computer that you paid for in a certain way. If you were using your computer to present an important meeting or to treat a busy waiting room full of anxious patients, it's grossly inappropriate to sit there waiting for 10 minutes for something that won't help your situation.
@HippieInHeart
Жыл бұрын
True, lol. But it's not just Microsoft, pretty much across all software industries, companies are diligently working to erase the concept of ownership. They want you to pay for their products but at the same time they also want to keep total control over those products and reduce your ability to make decisions on your own down to an absolute minimum. Of course all while gathering every little scrap of data they can possibly get their hands on, stasi-like. (If you don't know what stasi is, it was basically the secret police/government agency in soviet occupied germany, which was tasked with, amongst other things, extensive surveillence and monitoring of the population)
@donovanswift5010
Жыл бұрын
@@Singularity24601 Linux
This channel will be at 1m subs by the end of the year easily. Keep up the great work man!
So nostalgic. Some of these podcast on old security bring back some find memories. Thanks Jack!
one thing to note about jack's commentary, is that he is talking from the perspective of a "novice" character, not himself, then occasionally breaks character and shows a fraction of his true knowledge before returning to both the character and neutral recap. he obviously knows more than what he lets on but obfuscates that for storytelling purposes. that is what makes the podcast so engaging.
A facility i lived in had a system full of (my) PII vulnerable to ms08-067 in 2021 and they refused to update it. This thing was used exclusively for email and printing documents. I fired up wannacry in a VM to force their hand. they asked me what i did. I said “you left a your computer vulnerable to an exploit that was patched in 2008 and a worm infected one of my test machines. They replaced that anemic XP machine straight out of 2012 with something running windows 10.
@fss1704
Жыл бұрын
Full r/maliciouscompliance
I'm not gonna lie, this was my favorite vulnerability to exploit when it was new. I'm happy to hear a story about it from the Microsoft's side. It was juicy!
These stories are so fascinating! Keep up the great work!
Awesome story man. Loved that you had an actual ms engineer on . Fantastic
Great channel , factual, deep and well thougt allround. Great mindset of narator. Love it.
You’re a fantastic storyteller. I’m hooked
dude i'm hooked on your videos... keep the good work up!!
Love this - awesome work!!!
I'm sure many could wrip holes in this podcast regards Microsoft but I'll let Microsoft do that with the millions of lines of closed source code.
@omgemilyhd4500
Жыл бұрын
Stolen too. China and Russia were able to download some or all of the source code for Windows OS. Don't trust Windows for a second with your valuables
@jcs0984
Жыл бұрын
They're a multi -platform billion dollar company. Considering the billions of devices, making the source code open at this point would be akin to wreckless abandon. It sucks, but it is what it is
@carnivorebear6582
Жыл бұрын
Haven't there been a few decades old security vulnerabilities found in the Linux kernel in recent history? Not saying open source is useless but it doesn't make complex software immune to bugs
@reyzelcruz393
Жыл бұрын
jjjj
@k.graceross7177
Жыл бұрын
@Carnivore Bear but it does make it possible for the community to fix bugs faster potentially. Obviously Microsoft has money to pay people to do for their code. But the argument remains.
This was a great episode. I really enjoyed it.
Gret episode Jack As somebody who's team has to try and patch thousands of end point when this stuff happens, I can relate to much of it, great work by M$ behind the scenes to get patches out
Thanks for more amazing content.
Great work!
Hey bro I thought you were taking a vacation? I was really excited to listen to this last night but how come your not taking the break? It’s well deserved and we will still be here give yourself some you time. Love your work btw you have very quickly became my fav channel. I’m rewatching from the beginning now. Thanks for all your hard work!
@AshleyEhSMR
Жыл бұрын
I think he may still be taking a break, but has scheduled uploads of which he already made a podcast episode. It’s new to KZread, but he originally shared it January 21, 2020, on his podcast ☺️
@petritikkala8926
Жыл бұрын
Anyother place to listen Jacks podcasts than apple service?
@droffii
Жыл бұрын
Its on most services, Spotify, stitcher etc
Nice modulation. No annoying music or screaming nor shouting. The content is great.
I woke up to another gem!! Thanks bro 🙏
I hate podcasts generally, but your stuff is so good! How do you make your editing decisions, like the random percussive sounds during the intense parts?
You should do an episode with Dave Plummer. Dave’s Garage.
OMG 😱 I am getting addicted to these stories!!!
Glad you didn't really take a break👍
Wow, this episode of Darknet Diaries is mind-blowing! The story of how Microsoft discovered and dealt with the Conficker Worm is incredibly interesting, and I couldn't stop listening. Keep up the great work, Jack! Highly recommended to anyone interested in computer security.
Fun fact, back in the day, Dr. Watson was the reporting tool of windows. Thus where this got its' internal name.
@kenosabi
Жыл бұрын
Yeah. That's what they said in the podcast ... lmfao
Back then my dad recieved mails form our ISP that or network is sending malicious packages but he ignored it since it lkooked like spam. But when we got a letter from our ISP that we had to fix the issue our our internet contract would be terminated he bought virus scanners and they found conficker on our devices. I recently plugged in an old USB device and windows instantly warned me that conficker is on there.
@TDOLLA
Жыл бұрын
you should get that usb framed and hang it on your wall and when someone in 20 years ask what it is you can be like “oh, thats pure vintage conficker”
@fss1704
Жыл бұрын
Nevermind goddamn sality. That shit gets everywhere.
Great stuff! 👊
Excellent content 👍
48:11 Because NS@ has good relationship with MS, and has it's own backdoor
I love what he said about his job at MS, to improve public trust by hardening the operating system. Not a job so many companies now have in marketing, by spinning the bad news, or by deflecting the blame to some other company, or by blaming the right to repair movement.
@fss1704
Жыл бұрын
Don't you know, these techicians might install tiktok on your phone.
Your question at 39 minutes is valid in more scopes. A user who finds and discloses to a company that doesn’t respond raises those same concerns… but the person disclosing has no control over the outcome… so if the vendor decides not to fix… or doesn’t fix it well. That decision to disclose can impact the user disclosing their findings
I enjoyed the story bro, thanks
I like your storys and I'm sure that these are true so keep them going I'm watching the new ones and the older ones as well
Best podcast in the game🤝
Thank you Jack I have learned so much for watching just a couple of your videos and they totally make sense I was hacked a couple months ago they tried to take out money out of my account but it didn't work cuz I'm broke but thank you
During windows XP I had always a linux USB bootable or CD-rom. Malware and hostage software were easy to remove when u booted system on linux.
@arduinoguru7233
Жыл бұрын
I used WinRAR to remove viruses manually after they disabled show hidden files option.
@ImadZeryouh
Жыл бұрын
@@arduinoguru7233 Thats some creative thinking. Never knew winrar could do that. Learned something new, Thank You.
@arduinoguru7233
Жыл бұрын
@@ImadZeryouh Yep, both WinRAR and 7zip still can show hidden files even if the system is infected, Last, you are first one to say about my methods creative. Because (Almost 20 yrs ago) I applied for IT jobs on ( _Europeans companies_ ) and the only company replied, told me we don't need your methods, I should learn more hacking methods instead when I was still young, and make my living of it, I know now why these hackers developed all that nasty tools, simply because nobody actually cares.
Great episode
I have a question for the experts: Is it possible for 4 guys with no electronics devices but sheets of papers and pencils to analyze a 17 million lines code, in 5 days, that runs a multiple choice machine?..Would they be able to find something in the code that favors one choice more than the others?.... this scenario happened in real life about 2 months ago.
@fss1704
Жыл бұрын
Search "god mode unlocked", this is what you're looking for. Of course these people didn't care for a disclosure.
@jakevinton2075
Жыл бұрын
What can I look up to find this story
@spharion7988
Жыл бұрын
@Jake Vinton ...It was the presidential election in Brazil.
@fss1704
Жыл бұрын
@@spharion7988 search _eSAF_qT_FY
5:50 AH HA! The good ole days. Heard people are still using even older OSes. I still remember the upgraded R2 version of XP. 9:00 And oh yes, I remember Dr. Watson. We went all the way back to the 2006. 😃 Not going 2 tell you about that obvious ad banner🚫 that was running back then.🤫 58:07-58:13 L🖤🤍ve that outro.😆
Fun Facts; **When the unknowing factions of the Alphabet Gang [FBI] thought we [the country] were under attack on 9/11/01** **They commandeered Walmart's Servers stating their network was (more) secure than theirs** **Walmart pays Microsoft millions yearly to maintain their Windows XP OS running** (5yrs ago anyway)
yay, an episode of my favorite mainstream OS ever
I totally agree with holding the individual accountable for most of their safety practices. However, it is this absurdity of marketing on behalf of Big Technology that leads to people paying an inordinate amount of money to protect themselves. It's also simple enough to justify that the individual and not the collective corporations are left to figure out what is the best solution for their online security. This makes sense up to the point that most people don't have even novice level understanding of what they need. If you aren't using TOR with a VPN and browser tracking blocking. Then you are under surveillance. Sometimes at every level of the TCP/IP model. Just saying... Great job, great channel and great work! Thank you.
Windows has been compromised ever since 98SE. Permanently opened ports giving access whenever there is an internet connection. Remote connections are not needed to be enabled internally, and there's no extra install necessary. The specific routines cannot be discovered via manually searching due to the exposure being given an exemption from being displayed.
@rpm10k.
Жыл бұрын
Um, citation needed. Run your own firewall eg opnsense and you can decide exactly what traffic you allow
thank you, great viewing
LETS GOOOO NEW VIDEOOO!!!
I have a laptop that's over 15 years old and it has Windows XP on it...that machine is still useful - away from the internet...
Absolute banger
If a researcher discloses a vulnerability and Microsoft spends more than a year not fixing it, we might know why. Fixing the bug may cause more harm to more computers and more companies. So just let the bug live for a while with more likely minimal damage. Microsoft then can sell the exploit to the NSA.
This why I have been using Linux for years. I wonder, has anyone hacked the windows crash reporting system to send data to their remote server. ?
My computer was infected with this or something similar when I was young I was able to fix it by stopping svchost and then doing a fresh install of windows I was pretty young at the time brought the memory back to me as I listened to this
Simple awesome 💥💥🔥
One thing's quickly become evident around 14 minutes in: sidelining, trivializing, discounting bugs because "they aren't security problems" shows scant disregard for their paying customers. Yes, it's a complex coddled-together chunk of software with millions of moving parts but it suggests to me that there are systemic problems with the design and that a really hard re-evaluation of how such projects are built would have been in order. I think that Millenium or whatever it was called should never have hit the shelves. I spent a morning at a friend's place manually having to get bootloading-bits sorted (I forget the exact details) just to get the thing to boot. And it was lucky I knew which files were involved. Having said all that, a pox on the hacker/s who do their best to ruin the lives of people including the company that is trying to put a piece of software out there to make lives easier for people who want to use what amounts to a pile of transistors.
Hey I remember conficker. Haven't heard that word in forever. Man that damn worm took out three of my pc's in 2008.
Nice backdrop !
I have a work computer that still runs windows 95 lol.. Its just hooked up to a lable printer, but I guarantee this dinosaur has not been updated. I don't know if it's ever been hooked up to the internet.
I've been beta testing Windows in the wild for decades. Tracking hours on a spreadsheet. Hoping for a check. /s
John Lambert just confirmed what I've always said : "You are a beta tester for M$FT if you use their new OS in it's first 3 years." Let the sheep test it......
They get a billion error reports a week.. remember the first time you got one and submitted it like they were going to reach back out to you and help? 😂
"Go play videogames Honey."
@ultra568jinx
Жыл бұрын
You have to go back
How can patching this vulnerability cause applications to stop working? Presumably the fix affects that service's code only and adds error checking for RPC packets, and would not affect anything _other_ than what happens when malformed packets are received. So why does installing that patch make other code stop working, such that you have to wait for each vendor to update their code first?
But you never explained how the vulnerability worked, or how it was in an area that's already been fixed (and reviewed for other problems).
The NSA wants the patch of a known exploit to develop a new long life exploit -
So... unless the exploit causes a crash, the vulnerability will not be noticed or fixed... M$ makes sense now.
Sup Jack, you gonna be at Defcon this year?
If NSA and Microsoft not having fully aligned interests confuses you, you need to reevaluate your worldview lol.
A billion crashes a day, maybe 1 or 2 billion internet users on a legitimate version of windows. Maybe half that actually enable error reporting. And they still have over a billion a day. Assuming it's one per user, you're statistically likely to have a crash at least once every day. That's insane.
Love da channel
Windows, Mac... nah dude, I use Linux!
I guess Jack didnt take the vacation.
@ParisLawLess
Жыл бұрын
It's old
I miss my doggy, Now i cant eat food without thinkin about how i used to give him a little share every time >w
Great quality content 👍
What if the way people get zero days is a Microsoft insider letting them know private
You should interview DoingFedTime.
Which one is the best, windows 7 , 10 or 11??
Microsoft has a security team? Yeah, a token one, to be able to say they have one.
PLEASE DO A KZread PODCAST OF - THE COMPUTER,KGB AND ME... YOU WILL LOVE IT, PLEASE!!!!
It would be better to just make a worm that patches this stuff automagically
This is exactly why Windows 10 and 11 force updates to be download and installed (can't trust the end users, or techs to install updates) whether the users like it or not.
kids, this is why you use linux
I thought u taking a hiatus 😂😂
@baked921
Жыл бұрын
It would be well deserved. But that being said I was very pleasantly surprised to see this episode pop up! He should take a bit of time for himself tho at least a couple weeks. We will still be here waiting his content is worth it.
@thejoe4975
Жыл бұрын
@@baked921 I'm pretty sure this is an older episode.
operator, love that word
Yeaaaaaa RxBot IRC Golden age of sit back and relax.
DistriBUTED FentaNOL 😅
I have two computers one is my gaming rig and the other is a gaming rig I haven't done anything with it just has a fresh copy of windows. Is it legal to hack my own computer to teach my self the trade? My goal is to get into infosec
@TadiclsOperator
Жыл бұрын
@Ricardo where can I get hacking tools without getting malware from a sketchy site
@jonnyfatboy7563
Жыл бұрын
yes running on virtual machines might be worth considering.. also not sure if ur isp would be too happy.. good hunting to ya kali linux has a plethora of tools for just what ur after
@brena3582
Жыл бұрын
@tadwaller3281 Kali Linux maybe 🤔
@rpm10k.
Жыл бұрын
@@TadiclsOperator look up Kali Linux. There's tons of tools included, it's a pen test learning industry standard.
I love you man
I wonder how may WER deliveries were counterfeit, false, or misdirections from exploiters.
42:37 could you send the patch out via the worm itself?
Haaaa dang maaan , I member Dr.Watson from Windows 3.1!!!!
But I was told to NEVER send the error report! ;)
I ditched proprietary trash long ago, I am not a zealot but still listening to this gives me bad vibes, mesianic saviors from M$ and their struggle to save our souls, where are we now, apple, android, ppl are terrible and do not deserve nice things, let it all burn.
Keeping your apps and system updated is a very good way to stay protected on the internet, but let's be honest here, not the best. If you want to have a safe browsing experience, make sure to get finger cots.
@shibbidydoowop
3 ай бұрын
😂
I wonder if some white hat went and created a worm using the vulnerability to force the vulnerable computers to update 😂