Major New Windows Update Attack - New ChatGPT Model - ShopTalk

ChatGPT: I'm sorry Dave, I'm afraid I can't do that.

Something that Dave forgot to mention about the Windows update exploit is that it only affects the Windows 10 1507 release (This includes the LTSB release still used by corporations). This is the first public Windows 10 version, most users won't be affected by this.

This channel is my Windows news channel as well as electronics fun and processing methodology updates! Thanks Dave! I was a co-op with DEC in Marlboro MA while you were banging out Windows taskman code. :)

Genius. Not the exploitation itself, simply getting windows update to work

Hey Dave, correct me if I'm wrong, but this vulnerability you mentioned at the start only affects Windows 10 build 1507, which is an ancient build long since superseded. This is critical information as without this most people might leap to the conclusion that they're vulnerable to a CVSS 9.8 vulnerability, which they're not. Please present all the facts to reduce the chance of people becoming numb/fatigued when it comes to important announcements like this. If you were going to give a Windows vulnerability top billing, consider the MoTW bypass perhaps!

So Musk has named his latest supercomputer "Colossus". No doubt after the film "Colossus: The Forbin Project", where an AI supercomputer is put in control of the US Nuclear Missile arsenal, then decides things will be much better off if it's in charge of everything...

Thanks for the WinUpate warning! It’s your love of computers, and your Win development history anecdotes, is why I subscribed to your channel. Soldered together my Sinclair Z80 kit in 1981, and was “hooked” ever since. Couldn’t afford an IBM PC, but purchased a clone in 1988 with an 8088 w/512 Kb and a screaming 20 MB, 40ms HDD. Had a “White Box” store for 4 years, until the major PC players jumped in for Win 95. At that point, I realized that I couldn’t afford to compete with eMachines, Gateway, Dell, Samsung, Sony, and HP. Still, it’s been quite a ride. Currently, I buy “ off lease” workstations, unless I’m building dedicated gaming machines. Put Win 10, and now, Win 11 in VM’s under Linux. Today’s processors and SSD’s are SO fast that most of users won’t know the difference.

Hey - I got a great idea:
Why don't we get the new ChatGPT to write the patches for Windows Update?
I mean, it can't make it much worse, right?

Dave, what news sources do you use to stay informed? I try to stay up to date but every so often I find myself finding out first-hand and not finding many google results, but there are already some editors and youtubers posting about the Thing That's Currently Happening. Thanks,
p.s. A co-host to draw out details from Dave is a pretty good move, go go Glen!

Apparently the Windows Update attack only affects a 2015 build of Windows 10, from the Windows Bulletin:
"Are all installations of Windows vulnerable? No. Only Windows 10 (version 1507)(Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) with Optional Components enabled from the following list are vulnerable. All other versions of Windows 10 released since November 2015 are not affected."

Feedback: I'm not sure the addition of the second guy adds much. I much prefer the scripted solo presentations.

On those colourblind glasses, IIRC what they do it block frequencies that two sets of colour receptors are looking for. Now, that does nothing if you straight up don't have the first, second or third kind of receptor, but if you have all three and they're just misaligned(which the glasses people obviously say is a lot more common than we currently think) then blocking out the overlap is a neat hack to help you perceive more colours when the brain is trying to make sense of the data fed to it. At the very least, seeing if you can try before you buy makes sense

200,000 GPUs ... Nice, you got in there before anyone could ask "Can it run Crysis?" :)

4 bots and one real comment. This is why we cant have nice things.

Once you're sure your updates are working properly, you can remove all the old components preventing roll back to before the update by issuing the command dism /online /cleanup-image /startcomponentcleanup /resetbase as an Administrator.

To my knowledge, Chat GPT accesses information that would normally be private and causes implications. For this reason, you should not update and gather everything you can.
They wanted to rewrite functions to ensure queried data is safe for consumption.

I reached 250 thousand dollars invested, it took me 2 years, last month I received 30 thousand only in dividends. Only with believers. This month it will be 40,000 and so on, in the next few years it will be 500 thousand in the year alone in Bitcoin ETFs and other dividend yields. What took me 2 years to invest, I will have in 1 Year

ChatGPT checking its own answers is a great step. Historically there’s been so many queries that would give you the wrong answers to. For example how many R’s in strawberry. It will say 2 about a hundred times and then finally give in and accept that there are 3

exploits are usually discovered by companies like virus software companies that have legal hackers working for them looking for exploits in operating systems that there virus software protects against

Damn, doesn't Windows Update operate on the trusted installer credential level? Subvert it and havoc ensues.

One of my college buddies was using a C-pap but his doctors determined that it was not what he needed. It was that his tongue was partly blocking his airway so they have him wearing both lower and upper mouth guards to reposition it. Whereas I do not have sleep apnea , I do have a considerable overbite and my dentist designed a single upper mouthguard to protect my lower teeth from my upper teeth.

About seven years ago I went to an audiologist (for tinnitus-ha!) and I asked her whether they had hearing-aids which looked like ear-pods because every-body is wearing them. The blank look in her eyes will stay with me for ever. That was a couple years after trying to help an old couple find the old codger's missing minute "invisible" hearing-aid in their car. We never did find it.

Personally I think Dave and Glen playing off each other means the session can go into different and enlightning directions whilst still addressing the topics for todays discussion a win win when all said and done for all of us.
Dave as for USB "C" fine where real estate is not available or at a premium but for instance I see more and more with Lenovo and likely others USB "C" chargeport failures compared to the older Lenovo rectangular charge ports, No doubt such failures are not just Lenovo as USB "C" does not have the machanical stability of USB A""ports which themselves are not immune to poor connections if not outright mechanical failure as easily.

Dave, I have been concerned about this potential attack vector for years. We have seen more and more attacks in this vein, not just Windows but Cloudflare, Crowdstrike, the UEFI BIOS attack and others. I have never been comfortable with the system being designed with what is essentially a "God level" remote account waiting for someone who can genuflect properly and pretend to be the microsoft mothership.

I love how the main safety action against this vulnerability is disabling Windows Update.

Nice to meet you, Dave...

Good job guys! Dave I found you when doing research on the spectrum and how I could better relate to a few friends. Love your show! Nice to hear unbiased tech news regarding Microsoft. Cheers

The color enhancing glasses are made by Enchroma. I have a pair. So, my take on the effectiveness is this: To me, they enhance green pretty good. Green traffic signs on the hyway are much greener. They also reduce light input a little, so they are not recommended for night-time use.

My dad was a pilot for many years and every couple of years he had a new pour molded in-ear headset made for him. Obviously not on par with the in-ear monitors for the music artists, but apparently worked great to block the cockpit noise in the jets he flew. They were pretty expensive for the time though.

great vid to show up right after i just updated

Ahhh... last time I didn't put a question mark in, so this time I will double down: 😁
---
A while back you did a video on how you reprogrammed the ECU for a transmission. That was super cool and ambitious. Car tech subjects are pretty scarce around YT and I'd love to see what you could bring! Can you expand on how your programming chops and general curiosity has served you well in today's car tech??

Been running Linux on a dual boot for a while now. So far it does everything I need it to do. Media center, games, editing audio/video, general office stuff. Been testing Linux on and off since the 90's. It's looking good so far. Hoping I can FINALLY make the jump from Windows to Linux full time within the coming months.
I know Linux isn't 100% bulletproof but at least it is less of target (by far) than Windows.

I am confused. If an attacker has enough access to a system to be able to roll back patches, then don't they already have enough accesses to do whatever it is that they want to do? It's like unlocking a door that you've already opened.

Hey Dave. Been watching your content for some time now. It's really fascinating to hear from an actual windows developer some stories 'from the kitchen' as some might say. Keep up the great content.
On the topic of colorblind glasses there was a series of videos that are more on the investigative side. The channel is called MegaLag (not mine).

Glad you were able to here CCR full concert.

@12:15 Growing up in Korea, I was exposed to the FRAUD that is the back of the comic books. I must have been in 6th grade and I could finally read English well enough to enjoy the comic books. I was so disappointed when the sea monkeys were not a circus troop, and the remote controlled ghost was a balloon, a white garbage back and a string. It was my "Be sure to drink your Ovaltine" moment!! 😂 100% true story.

Like this format a lot, solid addition to the channel. Keep 'em coming! 👍👍

Do we really need/want an AI supercomputer named "Colossus"? I've read the book, I've seen the movie.

FYI: There's not much difference between AirPods and actual hearing aides anymore, pretty much just the shell. From the electronics to the battery to the "3 recharge portable recharger" everything is the same, including the bluetooth capability so you can connect to a monitor, tv or phone.

Ha, ha, the good old x-ray specs. Although knowing it wasn't anything to do with x-rays I was curious, so got my mother to get some from a joke shop. They do cause a blur when looking at a hand through them that could be mistaken for an x-ray image. The most interesting thing is that you were actually looking through a bird feather between the card inserts (obviously had to take them apart to see what was inside).

As a modern metal head that still gets up to the stage and next to mosh pits. I can fully recommend soft squishy silicone ear plug blobs. for a really loud concert its brilliant, very comfortable, and protects your hearing and doesn't change the shape of your ear so stuff still sounds right.

You can turn off transparency and noise cancelling on the AirPods Pro 2. Noise cancelling is WAY MORE than 20%.

Popular Mechanics always had those laser and phaser weapon devices if you just wrote to some place in Vermont.

I Bought Loops and love how they really make thing real quiet. (I think they are the *Switch*)

I saw that Charles Atlas parody in one of my Dad's old comics. I think it was in the Apex Treasury of Underground Comics which is still available.

With respect to zero day security vulnerabilities, feels nice to be a Linux user these days. At minimum, the degree of segmentation in the space of installations and use cases makes it a more difficult target

If an attacker is admin on the system to mess with the downgrades they don’t need the vulnerable downgrades packages. And also downgrade attacks are not new

If said attacker has the system access & priv levels to do this, why would they need to roll back the patches... they are already in and can do what they like. De-patching the system and rebooting it is going to be noticed by Ops.

A zero-day that's probably been used by the NSA to do other "update" hacks for many years?

The timed testing comments really pushed one of my buttons. I've been ranting for years how stupid tight timing is because it conflates command of subject matter with issues like dealing with pressure and English as a second language. This worked against me at the core level, but in balance worked for me. The admin at my high school realized that it was highly susceptable to coaching and practice. By testing the crap out of us with SAT, ACT, and NMSQT, and several personality and aptitude tests, they turned timing and consistency features to our advantage.

it sounded like a good idea to make windows update update other programs and drivers... but allowing 3rd parties to use the system opens it up to vulnerabilities.

The cooling at Colossus is concentrated at the rack level

I like the loop earplugs

Hey, still waiting on that Primocache update ;-)

I never fell for those x-ray glasses either , but I was always curious about what the people who did buy them see. If I could have afforded them at the time I would have bought them just to answer that question.

You charge the watch when you're in the shower and 30 mins before bed. The new one charges faster.

Bloody hell you guys, I wind my watch each morning and it never needs electrickery.

Thanks, Dave!

It would be nice to disable automatic updates altogether and do them when we are ready. Just tell us that there is one and let us decide when to get it. It is rare but updates can cause problems.

This is the perfect combination with the recent bios vulnerability.

I like this new format with both of you discussing topics. It would be great to add additional guests that specialize on different topics.

the cheap in-ears monitors on amazon are really good. they come with a few size tips, fit well, sound great

Air gap is the only secure patch

so glad the co host asked o1 or 01 huge difference.

What is needed is a charger watch that is powered by the CPAP machine so you then wear your sleep apnea watch OVER your incredibly flat charger watch so your sleep apnea watch stays charged and your regular watch can charge on its regular charger. Hey! Why's my wrist always warm? Oh well.

When I can put my teeth on the nightstand and charge them in 30 minutes I'll be happy.🤣

One of the key features of the downgrade exploit ('Downdate') is it make the system show that it is up to date even though it has downgraded components.

If that is troubling, what about BEF ? No longer is air gapped devices safe we can now exploit RAM.

Android has colorblind settings for different types of colorblindness.

I was working for AT&T in South Africa; local taxes applied.

You’ve hit the Plus plan limit for o1-preview.
Responses will use another model until your limit resets September 21, 2024.
But we were just about to complete the unifying theory

Highly recommend high fidelity earplugs for concerts. Etymotic is solid and a cheaper version of Eargasm.

All we need is 1 Terminator CPU !

I use musician ear plugs pretty often. It helps with my sensitivity.

Do it Glenn, Do it Do it! Where are those cartoons you used to end with??

My hearing aides have an AI component which adjusts my hearing aides based on the environment. Works pretty well! It also has a companion app that allows me to adjust them when the AI does not get something right. Not flawless, but much better than without.

Hi. Love your new shop chat! @Glen, keep an eye on AD-109. This could be a game changer for sleep apnea. It is still in medical testing, phase 3 already. So things are very promising.
Looking forward to the next episode of shop conversation. ;-)

Get a garmin watch for daily and fitness tracking use.
My Instinct 2x lasts for over 40 days on a charge with all notifications off except for texts. Worth it.

At the very end of the next video, will you please remind people what time/day these Q&A's take place? I know you mentioned it earlier in the vid, but I didn't write it down.

I think the X-ray glasses served their purpose when you were wearing them and everyone else thought the glasses worked. I never had them either but just saying. 😄

Sounds like an inside job at MicroSoft -- maybe an intelligence service paid off a programmer to put this "feature" possible.

For some reason, it seems like Linux had a spate of vulnerabilities over a short-ish period, and now it's back to Windows stealing the limelight. Do you think Microsoft is slowly losing security credibility? It seems to me that security by design was never the strong point of windows to begin with, and the problems are now becoming too hard to combat despite the sheer power of Microsoft's market share, employees paid to find and patch issues, regular updates, etc?

Also, it is harder to attach a computer on a VPN connection, not impossible mind you. Also if you are running custom scripts to prevent updates from being removed without a password, this also helps. Hope this info helps. I am also running a highly modified version of Win 10 22H2, it also includes extreme threat prevention software that took over 3 years to program.

I think I have been hacked because Windows Update is constantly updating and I have never told it to.

So the Windows Update exploit is basically that if someone already has administrator access to your machine, then they can uninstall already-installed Windows Updates? How is that an exploit? That's intended functionality. Administrators NEED the ability to uninstall Windows Updates when (not if) they break things. What am I missing?

Why can't we go back to picking and choosing updates? I realize that's bad for home users, but for admins it was a way to keep some sanity, instead of spending hours trying to get trashed systems back online from a screwed update.

Your advice is beyond most users. My advice:
1) Ensure you're using a top-notch security suite like Norton or Bitdefender.
2) If your VPN has Internet Security, be sure that is enabled as well.
3) Pause updates for 7 days. That should be enough time for Microsoft to get their act together.
4) Watch the news to see when Microsoft rolls out the update to fix their Zero-Day vulnerability.
5) Manually update your system.
6) Reset updates to occur automatically.

Perplexity uses ChatGPT and can access current web material. It can also code, etc. Very useful. The subscription version also includes Claude. It’s very handy for writing code for new micros, because it can access manufacturer’s data. Love your work btw. Cheers.
✌ 👽 🎸

American living abroad and yes, I do my taxes for my country of residence and another set of American expat taxes as well... very annoying

The colorblind glasses really do work! I joined forces (and finances) with the wife of an old friend to get a pair for him. We were riding back to my house one day and he teared up at seeing the sunset. He didn’t realize what an orange and purple sunset really looked like. The funny thing about it all is that he was nearly flawless at color matching paint but never really saw certain blues or greens. He just learned how to compensate. He was a friend and business partner for over a decade and leukemia did it’s worst this past June.

I will not use W11 until I am forced to, even then, maybe not. One thing I like to do once in a while, it run the SFC /scannow file checker.
remember, there are multiple millions of PC's... more PC's than hackers. It is mostly vapor threats.

The 0 day windows exploit is dangerous AF.

I doubt anyone needs a sleep apnea watch feature if you have and use a modern cpap (or apap) machine. The one I have now includes LTE wireless cellular data which it uses to report all kinds of stats to my sleep clinic. At my last yearly checkup the doctor knew I was using my machine all night, every night, and that my machine was keeping my apnea events down in the normal range (about 2 per hour). This is also why the insurance company no longer forces me to undergo another sleep study every couple years to "prove" I still need it.
If you don't KNOW if you have sleep apnea, then sure, it might give you some evidence to bring to your doctor to get a referral to a sleep clinic, but people like me? I'll keep charging my watch overnight.

Dave, seeing these kind of things happening, combined with Microsoft now putting systems like Recall, which are arguably unnecessary but very invasive, do you think it's weird there's a group of people that really liked Windows that are now slowly being put off/turned away?

Human: I am not a robot.
Robot: Prove it! Pull down your pants!
Human: OK
Robot: Hmmmm....let me think this thru...

Dave, that story about the poor quality tape recording testing your ability to add numbers and how that lady told you that your reaction is part of the test, man, that made me laugh so hard that I was crying. I haven’t laughed that hard in a while. What a great story!

Can the AirPod’s😂 noise cancellation get rid of my tinnitus?

New Airpod no longer have silicone tips!

Do an episode on ChatGPT etc usefulness please.

Why do we have regular patches? Surely the OS is pretty much done by now? What’s actually happening every week when we patch our machines?