I've stopped nearly 100% of cyber attacks using this 1 simple trick.

I open all ports on the computer. I never update the OS. I removed all passwords.

When hackers find the computer they say, "This has to be fake. No one is this vulnerable."

Then they turn around and LEAVE.

I use this exact same method with my home.

My wife and I moved to the most dangerous neighborhood in America (Gary, Indiana).

Windows? Open
Door? Open
Car? Keys in ignition

Our only problem is the wildlife

Animals will come into the home and attack you. Possums are STRONG

The entire AV, EDR, and SOC industry is a SCAM.

Has your organization been a victim of ransomware? Start the computer in DEBUG MODE. DUH.

Then simply delete the malware. It's as simple as that.

Sometimes when I make satirical posts about malware people get really mad at me

Anyway, I just woke up. I'm still sick. I checked on the internet stuff to see what's going on and (as is tradition) it's just silly shenanigans.

I'm shocked that the AI slop reply got over 50 likes though. It's pretty obvious it's AI slop (it's also wrong, unironically)

Cat

I've learned some things about Windows Copilot after poking it with a big stick for over 5 hours

1. This should never ship by default
2. This shouldn't be in the task bar
3. They don't need Copilot Gaming

Architecturally (how it's written) is pretty cool. I have an appreciation for Windows Copilot now. I still have a lot of poking to do, but I unironically think Copilot is a banger, they just can't fucking stick it in everything.

tldr I like how Copilot is written, it's a cool thingie, they shouldn't slap it on everything

Oh, I forgot to mention, when I was poking Copilot with a big stick there is code present for PII identification. However, based on my extremely high level overview of it, it looks like it removes PII from ... file paths only? But it has stuff in there to identify all sorts of funky PII

I'll have to look at it more before I say anything else though. I don't want to misspeak and make internet privacy schizos have a psychiatric meltdown.

I've had some people ask me about Microsoft Copilot and what I've been doing since I've been poking it with a stick (reverse engineering it).

Initially I planned on doing a blog post, or something, but I don't feel like doing that. I dislike writing. I also do not know how far down this rabbit hole I'll go. I prefer social media posts sometimes because it's more loose and I don't have to be as crazy verbose (detailing everything). Basically, I just want to share interesting stuff and have fun. I don't plan on doing some crazy write-up.

I decided to poke Microsoft Copilot with a stick because I wanted to understand how it works, what it does, etc. It's a big and (soon to be) popular product. I would like to understand how it works. And (hopefully) you'll feel compelled to poke Microsoft Copilot (or whatever else) with a stick too.

Besides being curious, I hope by better understanding how it works I can also use this knowledge to find potential points-of-interest to manipulate and/or abuse for malicious purposes (I like malware). If I don't find anything I think I can abuse (because I'm a noob or get bored) then at least I can find solace in the fact I learned a little bit along the way.

Because people seem moderately interested, I'll make posts as I poke Copilot with a stick and explore it. Again, to be clear, it is entirely possible I get bored 1/4th of the way into this and say, "meh, good enough".

I've already done quite a bit of poking though, so I'll probably make a post later about the Copilot initialization process and the main Copilot binary. It isn't anything super crazy, but it has some cool things I (personally) haven't seen in awhile.

Also, some of the stuff Microsoft has done architecturally with Copilot I don't understand. I understand the code, but I don't understand WHY they decided to do this with their code (pros and cons).

The core components for Copilot are written using C#.NET and I am not too strong with .NET managed code. I haven't personally done stuff seriously with .NET since the initial release of .NET 4.5 (2012).

Maybe some of you can educate me on why they would do something, or not, whatever. .NET is a beast, man. It has evolved like crazy in the past 13 years

Okay, love u, byebye

Someone was being an Insider Threat at CrowdStrike for $25,000

Dawg, $25,000 IS NOT worth ruining your life, reputation, career, and possibly freedom for

$25,000 in the grand scheme of things isn't shit. Your legal expenses alone are gonna be double that

I honestly don't think there is any possible amount of money you could offer me to make me an Insider Threat.

Think of your family. What's going to happen if you're caught and you can't see them for a few years?

Money can't buy time back

I've been poking Microsoft Copilot with a stick. I've made a bunch of posts on it.

This is my dumb notes and/or discussion part 1.

My current machine is Windows 11 but Microsoft Copilot wasn't on the machine, so I installed it from the Microsoft app store. I don't know if the installation process and libraries present from the Microsoft app store are different than the Microsoft Copilot which will come default with Windows 11 in the future.

The installation of Microsoft Copilot introduced some registry artifacts. Notably the introduction of a protocol handler "URL:ms-copilot". It also introduced a bunch of COM component stuff. I haven't played with the Copilot URI.

The registry also introduces a registry key called "Copilot" under HKCU in Software\Microsoft\Windows\Shell. I haven't played with this registry key yet. However, I am going to assume this enables or disables Copilot for the Windows Shell. Mine defaulted to disabled. This is what it looks like:

"IsCopilotAvailable", DWORD, 0x00000000
"CopilotDisabledReason", SZ, "FeatureIsDisabled"

I am going to assume in the future, if Copilot is forced upon you, Copilot can be removed (or disabled) from the Shell from here.

Under HKLM some registry artifacts are present for Windows File Explorer called CopilotFileExplorerMenu. There is also stuff present for Copilot and Microsoft Edge.

HKLM also keys called "WindowsAI". Windows AI has "DisableCocreator", "DisableGenerateFill", "DisableImageCreator", SetCopilotHardwareKey", "TurnOffWindowsCopilot".

I have no idea what Cocreator, ImageCreator, GenerateFill, or CopilotHardwareKey is or what it means. The TurnOffWindowsCopilot key just provides some insights onto how to disable Windows Copilot. However, GenerateFill, Cocreator, and ImageCreator all point to Paint.exe. I'm going to faithfully assume Microsoft has AI stuff in Paint now.

HKLM also has "SystemSettings_DesktopTaskbar_Copilot" and points to "SettingsHandlers_DesktopTaskbar.dll" in System32.

There's a bunch of other Copilot shit too, too much to list, but there's stuff "Personalized Chats", "Copilot Gaming", over 9000 thingies for "Copilot Nudges", and stuff for caching.

Later today, or tomorrow, or whenever I feel like it, I'll talk about the main Copilot.exe binary which is actually a loader (.NET runtime host for custom stuff). The actual stuff for Copilot is Copilot.dll and it's jammed with shit

Copilot has introduced A METRIC SHIT TON of functionality into Windows. There are so many DLLs and EXEs to poke. It is exciting.

Microsoft Copilot has functionality for being banned

How do you get banned from Copilot if it's tied to the Operating System? What happens if you're banned from Copilot?

Unless this ban functionality is for detecting if you're banned from something else ... ? Maybe? I don't know. I'm looking at the endpoint stuff and I'm like ???

I've had a surprising amount of people ask me about Copilot and the stick I'm poking it with. Copilot is a hot topic, so I assume people are genuinely interested in how it works?

I can't really give a good tl;dr because I'm still poking it with a stick. There is a lot of stuff I don't quite understand (as is tradition), so I can only share some of my insights and speculations

Copilot.exe (the main binary) is just a .NET runtime host. MSDN has some articles about it. Basically the .exe you execute does a bunch of fancy shit, it modifies some stuff in the .exe itself (Thread Environment Block) for custom error handling to be all fancy, or whatever. It eventually invokes the Windows Library Core Language Runtime library (libcoreclr) function "coreclr_execute_assembly" and the "real" Copilot runs from Copilot.dll.

Copilot.dll (I'll just call it Copilot, whatever) is a big ass fuck off C#.NET application with what feels like over 9000 dependencies and libraries. It's a big heavy bloated son of a bitch.

Copilot determines the .NET version it's supposed to run on from a JSON file in the current directory titled "runtimeconfig.json".

Copilot uses Microsoft UI Xaml (WinUI 3?) so it is ridiculously heavy and feels like it lags constantly.

Copilot does all AI stuff server side at Microsoft at "copilot-dot-microsoft-dot-com/c/api". It looks* like it authenticates to the Copilot servers using the Microsoft account you make when you first setup Windows 11. It looks like it may also support Apple and Google, but I haven't poked it enough.

Every action taken in Copilot is a "view" and goes through a URI thingy. It's some C#.NET bullshit. I barely understand it. You can easily see all the different "views" and the URI it goes through in Copilot to load different "views" (different parts of Copilot?)

Even simple acts as viewing a different "view", scrolling up to see previous messages sent to Copilot, etc. all go through API requests to Microsoft. It is all stored over on their stuff. Hence, Copilot can feel ridiculously slow when scrolling up to review message history. It goes through stuff like "GetConversationHistoryEndpoint" inside of CopilotNative.Platform (1.25111,85.0 .NETCoreApp, v9.0).

So... anything you do is going to through their web API. It slows things down dramatically. Even renaming a conversation makes a web call.

Also, anytime you send a message to Copilot it goes through a fucking MASSIVE nested procedure that bounces all through all the dependencies. However, this is pretty standard stuff for big .NET applications.

To make a long story short-ish, each message you to Copilot is tokenized (or rather, placed into a "Dictionary"). This dictionary contains the data you're sending and any files you're attaching. Part of this process Copilot makes a very minor attempt at sanitizing data for "anonymity".

Copilot has different stuff in place for removing data and sensitive information but the actual act of sending a message to Copilot only censors file paths from your machine (if you send a file). In other words,

C:\Users\TommyPoop\File.txt
transforms into ..
C:\Users\<redacted>\File.txt

I haven't seen anywhere else where this logic is implemented, but it probably does more stuff somewhere. I doubt they'd include all this PII censoring logic for no reason.

Copilot also has stuff in place for advertisement identifiers, health and fitness, shopping habits, etc. I'm not sure what that's all about. I also see the gaming stuff but I haven't poked that yet either.

Copilot also also has a bunch of stuff for PicassoAI for "PicassoLabs", "PicassoFinance", "PicassoBriefings". I don't know if this is a 3rd party thing or something they made internally. I have no idea what I'm looking at.

Anyway, that is my scattered thoughts on Copilot. It is basically a really, really, really fancy web browser that can only be used to communicate with Microsoft's AI endpoints.

I quickly realized though that if you go to

C:\Windows\System32\drivers\etc\hosts

... and make an entry that makes the Microsoft Copilot AI domain resolve to l

[continued]

I quickly realized though that if you go to

C:\Windows\System32\drivers\etc\hosts

... and make an entry that makes the Microsoft Copilot AI domain resolve to localhost, Copilot implodes and drops dead. It can no longer access any API endpoints hence it cannot exist.

tl;dr to kill Copilot forever just block copilot[.]microsoft[.]com

yOurE nOt a ReAl pRoGraMmeR uNlEsS yOu knOw ASSemBly

1. It's an instruction set
2. It's illegal
3. It's for nerds

Absolutely bloodbath on Xitter right now.

New changes have been pushed where you can now see the origins of someones account. Additionally, it flags if they suspect the person is using a VPN

Surprise Pikachu face, lots of people from India, Pakistan, and Indonesia impersonating Americans, Israelis, or Europeans to engagement bait for money.

Also, a surprisingly high amount of people who are heavily involved (commenting on) in United States politics who reside outside of the United States.

Funny stuff. Very silly.

computer time