The CVE-2020-0601 vulnerability marks the first time Microsoft has credited the NSA for reporting a bug

That's the legacy code in action. Huge chunks of Windows are ancient code bundled inside wrappers to keep it working, rather than refactoring the code itself. Regressions are stupidly common, partly as a result of that choice, partly because MS has haemorrhaged talent (and thus domain knowledge) since the early 2000s, from a combination of retirements and ever-growing bureaucracy and interdepartmental politics stifling creativity and innovation within the company.

They can't fix it now because the sort of people that MS used to have banging down their door all went to work for Google, then fucked off from there to start-ups, or moved onto other things while they wrote software as a hobby. They can't get the talent, and if they did manage to snag it, that talent would either end up beaten down or end up leaving again.
Amazon is a big employee drain as well, since their HQs are in the same metro area.
 
I love how I've been hearing about this for multiple days yet still don't have the update. Is there a way to force W10 to grab it besides clicking "check for updates" in the Fisher-Price settings app?
Sure, go to the KB article and find the download for your system. You are almost certainly on x64. Run 'winver.exe' from command prompt or similar to get release version of Windows (1903, 1909 etc).

If the NSA is actually reporting this, it's probably being used by some major player like the Han Empire to do something like selectively compromise automatic updates on networks they control. NSA might well have been responsible for this flaw in the first place, who knows. But of course, with it disclosed, it would now appear to be something that many malicious actors are likely to exploit.

EDIT: For anyone unaware, if you check your system for the vulnerability, do it in Internet Explorer. Firefox and Chrome do a certain amount of certificate checking type work in their own code, or using third party non-Microsoft libraries. I'm not sure just how much of it's done with non-MS code right at the moment and it doesn't really matter, but if you test with IE, even if you don't use IE day to day, you'll get the result that you would get if one of the programs on your system ran an automatic update from a compromised source.
 
Yeah, my Windows is up to date and yet the desktop Brave is giving that error. I assume it's something to do with the built-in adblocking.

Ok, that's happening with my Brave install on Windows too and I'm in the same situation. It's not just me then, I'll have to check with another browser when I get a chance.
 
This is so strange. It's almost as if Microsoft deliberately leaves stupid shit in to force people into auto updates.
Who really needs their documents folder anyway? Or the million other files a forced Windows update corrupted?

Fuck Windows 10. I'll see about upgrading to 7 or just installing Linux (That's gonna fucking suck)

Also LOL that Microsoft's "Hot" "New" browser is defeated by this when not even the buggy outdated SeaMonkey falls for this crap. Awesome product, great job!
As much as I'd like to pin the blame on malice, this isn't deliberate. Just good, old-fashioned apathy and ineptitude - the inevitable result of employee churn and technical debt that no middle manager in his right mind (read: wants to keep his cushy job of ordering around the greasy nerd types) will address.

Combine what @teriyakiburns said with a bunch of wet-behind-the-ears programmers who don't know and don't want to know what lurks behind that code marked /* old code don't touch */ with a rapid release cycle with no room for introspection, and you get Windows 10.
 
This is so strange. It's almost as if Microsoft deliberately leaves stupid shit in to force people into auto updates.
Who really needs their documents folder anyway? Or the million other files a forced Windows update corrupted?

Fuck Windows 10. I'll see about upgrading to 7 or just installing Linux (That's gonna fucking suck)

Also LOL that Microsoft's "Hot" "New" browser is defeated by this when not even the buggy outdated SeaMonkey falls for this crap. Awesome product, great job!

My laptop is 7. It's just a donation until I can eventually get something else. But I sure as hell don't want Windows 10 after all the things I have heard.
 
For those who aren't in the field of cyber-security:
This is a big problem, but not a problem on the level of WannaCry. For anyone who is familiar with using this program I don't have to explain to you why this is bad.

But for those who don't, there's an authorization algorithm that Microsoft uses to validate certificates. This is necessary for whenever you go on websites. It validates that the website you're visiting is legitimate. Typically whenever someone is using an invalid or fraudulent certificate most Windows systems (at least the way mine is set up anyway) will insta-block a website you're attempting to visit.
You should get an error like this:

Now the exploit doesn't lie in the mathematical process Crypt32.DLL uses. The problem is that it doesn't check if the output came from said mathematical process. Meaning that anyone who can reverse engineer the process can make, fake and copy any certificate and Windows will accept it because Crypt32.DLL will think it generated it itself. This will only work on certificates already made and cached. It's quintessentially certificate cloning.

Anyone who is capable of reverse engineering the Crypt32 process can launch MiTM by posing as www.microsoft.com with a "legitimate" Microsoft certificate and can monitor everything you do.

Low-level hackers can't pull this off because it requires a considerable amount of resources to pull this off, which is why I say it's not a ransomware-level threat. But let's say some big cybersecurity firm you piss off wants to find out who you are, they can most likely hit you with this.

Also I wanna take the time to fucking be amazed that the NSA of all people are telling people this. Ya know, the same people who tried to pay and set up NIST into approving a Public/Private Key algorithm that had backdoors in them.
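
An added example, not part of the original post or thread: public write-ups of CVE-2020-0601 describe the spoofed certificates as ECC certificates that spell out their own curve parameters instead of naming a standard curve, so one defensive check is to flag that encoding. The Python sketch below classifies the DER `AlgorithmIdentifier` of a public key; the function names and the sample byte strings are constructed for illustration.

```python
# Added example: flag EC keys whose AlgorithmIdentifier carries explicit curve
# parameters (a SEQUENCE) instead of a named-curve OID.
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold it
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def classify_ec_params(alg_id_der):
    """Classify the parameters field of a DER AlgorithmIdentifier."""
    tag, body, _ = read_tlv(alg_id_der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != EC_PUBLIC_KEY_OID:
        return "not-ec"
    if pos == len(body):
        return "missing"                   # no parameters field at all
    tag, _, _ = read_tlv(body, pos)
    if tag == 0x06:
        return "named-curve"               # e.g. the OID for P-256
    if tag == 0x30:
        return "explicit-parameters"       # the encoding worth alerting on
    return "other"


# Constructed samples: P-256 named curve, a shortened explicit-parameters
# structure (a real one also carries field, curve, base point and order),
# and an RSA key for contrast.
NAMED = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")
EXPLICIT = bytes.fromhex("300e06072a8648ce3d02013003020101")
RSA = bytes.fromhex("300d06092a864886f70d0101010500")
```

In practice the `AlgorithmIdentifier` would be pulled from each certificate's SubjectPublicKeyInfo by a full X.509 parser before being classified this way.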
 
Amazon is a big employee drain as well, since their HQs are in the same metro area.
That's because Amazon are doing interesting stuff, for the sort of minds that matter, at highly competitive wages. The big 3, Amazon, Google, Facebook, have sucked up all the talent for their AI, hyperscale networking, big data, and what I must call "twiddly things" that don't really fit into an existing niche. They all run the sort of skunkworks programs that IBM and MS used to run in the 90s, but subsequently abandoned for the office productivity equivalent of TF2 cosmetics. Were I a smarter man, I might be working for one of them. Amazon probably. They're the least evil and most interesting. Alas, I am but a typescript codemonkey, and thus part of the problem.
 
What if this isn't real, and Microsoft is pushing us into updating Windows so they can install a backdoor without any of us knowing?
Nah this is real. Me and some buddies actually tested this at our school's cyber range. However, I'm just some random fag on the internet so take that with a grain of salt.
Brave on Android is throwing up a Hello World. I'm a little confused why my non-Windows tablet is vulnerable, anyone who can explain better?
I could be wrong on this and someone feel free to correct me, but last time I checked, Android uses Microsoft libraries for certain things. Crypt32.DLL could be one of them, which is why your phone is affected.
Crappy time to be a Microsoft developer, I’d say if you’re anywhere in the cybersecurity field, you’re likely thanking Microsoft for making you more valuable every month.
You have no idea how right you are.

Win7 appears to be not affected
I would honestly be surprised and disappointed in Microsoft if it is. It's an older distribution so the authentication algorithm should be different.
 
The past few years haven’t been kind to Microsoft. So many egregious vulnerabilities coming out of the woodwork, a perpetual game of whack-a-mole because they can never seem to patch one before two more (“critical”) vulnerabilities arise.

Since 2017, depending on your enterprise agreement with Microsoft, they’ve been offering their own “professional services” to help mitigate Windows-related vulnerabilities. Even without the enterprise agreement, this is usually a more cost-efficient route than hiring someone to manage SCCM/WSUS.

Everyone is eager to jump onto the O365 service to handle everything. No company I’ve worked for within the last ~5 years has a bare metal or hybrid mail solution anymore - trust in the cloud. Microsoft has been trying to tap into the SaaS market for a while, and I think 2020 might be the year they manage. What’s really stopping them from offering agents, a la LanDESK or OpsRamp that will allow for them to alert on and patch especially heinous vulnerabilities as they’re published? Gotta watch and wait for signatures and checks to be written for most scanning utilities.

edit: phrasing and grammar
This is why the O365 shit makes me leery. I run Win 7 on a machine I use for 'bizness no other platform will run'. I have to use the Windows suite '360' for reasons. My most recent computer foray into Win 10 went into blue screen of death just after Xmas. That these shenanigans might screw shit up ires me immensely.
 
That's the legacy code in action. Huge chunks of Windows are ancient code bundled inside wrappers to keep it working, rather than refactoring the code itself. Regressions are stupidly common, partly as a result of that choice, partly because MS has haemorrhaged talent (and thus domain knowledge) since the early 2000s, from a combination of retirements and ever-growing bureaucracy and interdepartmental politics stifling creativity and innovation within the company.

They can't fix it now because the sort of people that MS used to have banging down their door all went to work for Google, then fucked off from there to start-ups, or moved onto other things while they wrote software as a hobby. They can't get the talent, and if they did manage to snag it, that talent would either end up beaten down or end up leaving again.
I have someone I know who talks to the trunk of a major system. It's very basic Linux. Note to aspiring kids, learn the old school shit, you will never lack for work.
Dude, boomers, for example, flat out refuse to switch over to Linux, because they can't be fucked with deploying Wine. It seems like it became easier over the years but when you're sharply tuned to specialist programs and don't want to spend hours of time reading specialist forums/doing a little coding to fix shit, you'd rather stay with Windows. I can understand these people, to be honest.
Two reasons an oldfag might need MS over Wine, one: gaming, the lag time in VMs sucks, also contact with formal business applications: you gotta deal with the platform at hand when you deal with responsibilities. Personally, I don't understand these people... hell, Steam once told me, 'fuck you, if you can run (the game I was hoping to run in Linux version on basic Ubuntu platform) in Windows why bother us.'
 
EDIT: For anyone unaware, if you check your system for the vulnerability, do it in Internet Explorer. Firefox and Chrome do a certain amount of certificate checking type work in their own code, or using third party non-Microsoft libraries. I'm not sure just how much of it's done with non-MS code right at the moment and it doesn't really matter, but if you test with IE, even if you don't use IE day to day, you'll get the result that you would get if one of the programs on your system ran an automatic update from a compromised source.
Edge works too. I couldn't get the check to work in the legacy IE actually until after I installed the fix. Edge reported it correctly both times.
 
Oddly enough, Win10 doesn't seem to push for your OS to update, despite it being four days now. Even checking for new updates using Windows Update doesn't return any results.
Could be possible it already updated for you. I know it took me about a day after the initial announcement before the update showed up on my computer.
 
I'm laughing my fucking ass off. I never updated to Windows 10 because it skeeved me the fuck out, everything about it. Every time I mentioned I still use 8.1 it's met with confusion / jeers from friends. But I've personally known more than one person who's had their machines bricked randomly and lost entire file systems to Win10 updates. And all of my apparently tech-savvy friends talk about the lengths they go to to turn off Win10's auto update and then not sit and think about how absolutely fucked that is. Yeah. No thank you.

Sure, 8.1 will eventually have support dropped and be vulnerable yadda yadda yadda but at least I'm not being served random updates from developmental branches that can fuck everything up.

What fucks me up about all this is I am not even that tech savvy compared to my friends who are in a constant death-battle with windows 10. Why the fuck did I see this since the beginning with the whole auto-update bullshit and not them. Fucking Lol.
 