1
00:00:00,000 --> 00:00:04,920
this is me racing out of bed for our

2
00:00:03,240 --> 00:00:11,519
front row seat to my life's work vanishing before my eyes Linus Tech Tips

3
00:00:07,560 --> 00:00:14,099
deleted TechLinked toasted Techquickie

4
00:00:11,519 --> 00:00:18,840
gone the good news is that if you're watching this we're back online

5
00:00:16,199 --> 00:00:22,680
bad news is that this kind of attack has become so commonplace on YouTube that

6
00:00:21,060 --> 00:00:27,960
when we sat down to prepare this video it took us less than 10 seconds to find

7
00:00:25,859 --> 00:00:34,380
a huge channel that was dealing with exactly the same thing in that moment

8
00:00:32,340 --> 00:00:39,840
let's talk then about the motive for these attacks the process changes that

9
00:00:36,780 --> 00:00:41,760
we and YouTube need to make and how we

10
00:00:39,840 --> 00:00:46,860
can all work together as a community to educate and protect each other from bad

11
00:00:43,739 --> 00:00:50,100
actors oh and to tell you about our

12
00:00:46,860 --> 00:00:53,340
sponsor dbrand oh God not dbrand today

13
00:00:50,100 --> 00:00:56,840
really oh actually no they've got

14
00:00:53,340 --> 00:00:56,840
something good stay tuned

16
00:01:04,040 --> 00:01:09,960
started a little after three in the morning when the Linus Tech Tips account

17
00:01:07,560 --> 00:01:14,220
was renamed to Tesla and started streaming a podcast style recording of

18
00:01:12,240 --> 00:01:19,979
self-proclaimed Technoking Elon Musk discussing cryptocurrency this in and of

19
00:01:16,920 --> 00:01:22,920
itself is not a scam but the streams

20
00:01:19,979 --> 00:01:27,659
linked to a scam website that claimed that for every one Bitcoin you sent they

21
00:01:25,140 --> 00:01:32,100
would return double complete with fake transaction records showing other users

22
00:01:29,520 --> 00:01:36,780
definitely getting huge payouts over the next couple of hours then we

23
00:01:34,259 --> 00:01:40,320
sparred back and forth first I privated the streams revoked the channel stream

24
00:01:38,579 --> 00:01:44,759
key and attempted to reset the account credentials only to realize as I was

25
00:01:43,020 --> 00:01:48,780
investigating the source of the breach that I had been completely outmaneuvered

26
00:01:46,920 --> 00:01:54,720
they were back in and the streams were live again okay so I logged back in

27
00:01:52,320 --> 00:02:00,259
nuke the stream again and I go to and they're up again and now videos are

28
00:01:56,880 --> 00:02:00,259
being mass deleted from the channel

29
00:02:00,780 --> 00:02:07,799
over the next couple of hours playing login whack-a-mole the Linus Tech Tips

30
00:02:05,640 --> 00:02:12,420
TechLinked and Techquickie accounts were each used to host these Elon Musk

31
00:02:10,920 --> 00:02:16,319
crypto streams until they were ultimately nuked by YouTube altogether

32
00:02:14,459 --> 00:02:21,599
for violating YouTube's terms of service and I could almost feel your thoughts

33
00:02:19,080 --> 00:02:24,840
through the screen right now Linus truly after all these lectures about

34
00:02:22,980 --> 00:02:30,360
two-factor authentication don't you even protect your own accounts

35
00:02:26,760 --> 00:02:32,940
course I do but while strong passwords

36
00:02:30,360 --> 00:02:37,560
and multi-factor authentication are very powerful security measures that you

37
00:02:34,800 --> 00:02:43,319
should use they're not impenetrable first up let's talk 2FA not all

38
00:02:40,620 --> 00:02:48,360
factors or additional authentication elements are equally secure the most

39
00:02:46,140 --> 00:02:52,860
common second factor SMS can be compromised by simple social engineering

40
00:02:50,459 --> 00:02:56,160
targeted at your phone carrier check out this video that we posted the last time

41
00:02:54,780 --> 00:03:01,080
our account was hijacked for more information about that another common

42
00:02:58,500 --> 00:03:05,580
factor notification based multi-factor is susceptible to fatigue attacks where

43
00:03:03,360 --> 00:03:09,959
a perpetrator will constantly try to log in hoping that you'll assume oh it's

44
00:03:08,040 --> 00:03:14,760
probably someone from work or even just click on the notification by accident

45
00:03:12,659 --> 00:03:19,200
very problematic and I'm looking at you Google since you can't disable this

46
00:03:16,980 --> 00:03:23,280
factor on Google accounts even time-based two-factor like Google

47
00:03:21,120 --> 00:03:27,420
Authenticator or Authy can be compromised say if you were to

48
00:03:24,959 --> 00:03:32,879
accidentally set it up or access it from an infected device in spite of all of

49
00:03:30,180 --> 00:03:37,319
these issues with two-factor though it held the line last night our attacker

50
00:03:35,220 --> 00:03:42,239
not only never gained access to our additional authentication factors they

51
00:03:39,480 --> 00:03:48,060
never even had our passwords but how can that be well as it turns out

52
00:03:45,239 --> 00:03:52,920
they didn't need any of that which is a big part of why it took me so long to

53
00:03:49,980 --> 00:03:55,920
clue in and stop the spread I was so focused on the potential damage that

54
00:03:54,720 --> 00:03:59,940
could be done by someone who had commandeered my SMS messages or gained

55
00:03:58,620 --> 00:04:06,780
access to my Google Authenticator somehow that I expended valuable time

56
00:04:03,060 --> 00:04:08,459
battening down the wrong hatches if I

57
00:04:06,780 --> 00:04:12,540
had watched ThioJoe's recent video on the subject or at least skimmed the

58
00:04:10,500 --> 00:04:15,599
comments I could have probably stopped the bleeding in a matter of minutes

59
00:04:13,739 --> 00:04:20,880
shout out ThioJoe but I didn't so I got to be educated the

60
00:04:18,780 --> 00:04:27,120
hard way about a breed of attacks that bypass trivial things like passwords and

61
00:04:24,419 --> 00:04:30,419
2FA entirely by targeting what's known as a session token

62
00:04:29,040 --> 00:04:35,940
now many of you will know this already and if you do give yourself a cookie but

63
00:04:33,900 --> 00:04:39,900
after you log into a website and your credentials have been validated that

64
00:04:37,680 --> 00:04:45,600
site will provide your web browser with a session token this allows your browser

65
00:04:42,660 --> 00:04:50,520
and by extension you to stay logged in when you restart your browser and go to

66
00:04:47,580 --> 00:04:54,960
access that site again this isn't a bad thing it's a good thing because

67
00:04:52,340 --> 00:04:59,340
realistically nobody wants to type in a password every time they want to post

68
00:04:57,180 --> 00:05:05,100
instant regret on the internet but hold on a second that cookie is

69
00:05:02,520 --> 00:05:08,880
stored locally on your device how would someone else get it

70
00:05:06,419 --> 00:05:14,160
well that's where we made a mistake someone on our team and I'm not saying

71
00:05:11,400 --> 00:05:18,300
it was Colton downloaded what appeared to be a sponsorship offer from a

72
00:05:15,960 --> 00:05:21,600
potential partner it was an innocent enough mistake for the most part the

73
00:05:20,160 --> 00:05:26,280
email came from a legitimate looking source and it didn't raise any immediate

74
00:05:24,000 --> 00:05:31,199
red flags like being full of grammatical errors so they extracted the contents

75
00:05:29,160 --> 00:05:34,919
launched what appeared to be a PDF containing the terms of the deal then

76
00:05:32,759 --> 00:05:38,940
presumably when it didn't work went about the rest of their day

77
00:05:36,840 --> 00:05:44,340
what happened in the background took place over the course of just 30 seconds

78
00:05:41,160 --> 00:05:46,320
the malware accessed all user data from

79
00:05:44,340 --> 00:05:51,660
both of their installed browsers Chrome and Edge including everything from

80
00:05:48,960 --> 00:05:55,860
locally saved passwords to cookies to browser preferences giving them

81
00:05:53,100 --> 00:06:01,199
effectively an exact copy of those browsers on the target machine that they

82
00:05:58,560 --> 00:06:08,340
could export including that's right session tokens for every logged in

83
00:06:04,199 --> 00:06:10,979
website now no one should unzip an email

84
00:06:08,340 --> 00:06:15,060
attachment file extensions should always be double checked when you are executing

85
00:06:12,780 --> 00:06:18,660
anything and any file that doesn't do what you expect should raise immediate

86
00:06:17,400 --> 00:06:24,720
red flags but then on the flip side I can hardly

87
00:06:21,479 --> 00:06:27,060
blame a sales rep or a video editor or

88
00:06:24,720 --> 00:06:32,400
someone in accounting for not being up on the latest in cyber crime and I also

89
00:06:30,900 --> 00:06:37,139
believe that in a healthy organization it actually rolls up the hill rather

90
00:06:35,100 --> 00:06:41,340
than down so there's not going to be any disciplinary actions because the simple

91
00:06:39,000 --> 00:06:44,819
truth is that if we had more rigorous training for our newcomers and better

92
00:06:43,020 --> 00:06:49,919
processes for following up notifications from our sitewide anti-malware this

93
00:06:47,100 --> 00:06:53,639
could have been easily avoided as for why it took so long for us to

94
00:06:52,199 --> 00:06:58,259
lock down the account once we knew what was going on that's another training

95
00:06:55,620 --> 00:07:02,120
issue but this time it was my training we use a system for our YouTube channels

96
00:07:00,539 --> 00:07:06,720
called content manager which theoretically improves security by

97
00:07:04,620 --> 00:07:11,280
allowing us to dole out specific channel access roles to our various team members

98
00:07:09,120 --> 00:07:14,280
rather than just sharing the main account credentials with everyone who

99
00:07:12,780 --> 00:07:19,680
needs to access it this made the process of determining the

100
00:07:16,620 --> 00:07:21,240
attack vector way more complicated you

101
00:07:19,680 --> 00:07:26,580
can think of it kind of like replacing your one giant vault door with 20

102
00:07:24,660 --> 00:07:29,639
smaller doors any one of which realistically still gets you into the

103
00:07:28,860 --> 00:07:33,780
vault now in a perfect world these smaller

104
00:07:31,919 --> 00:07:39,120
doors should have been restricted with less access than we configured but

105
00:07:36,360 --> 00:07:43,319
hindsight is 20/20 or at least I hope it is the bottom line is that our

106
00:07:41,340 --> 00:07:47,759
disaster response processes need to improve because I realized at three

107
00:07:46,139 --> 00:07:51,840
whatever in the morning shout out Steve from Gamers Nexus for the wake-up call

108
00:07:49,259 --> 00:07:55,979
by the way but I actually didn't know how to reset the passwords and the

109
00:07:54,060 --> 00:08:00,120
access control across all of these channels in channel manager and that is

110
00:07:58,259 --> 00:08:04,620
not the sort of thing that you want to be troubleshooting butt naked in the wee

111
00:08:03,060 --> 00:08:08,520
hours of the morning in the middle of a crisis

112
00:08:06,360 --> 00:08:13,259
in fairness to me the way that Google handles the intermingling of all their

113
00:08:10,500 --> 00:08:17,580
services is not the most intuitive and both Yvonne and I experienced numerous

114
00:08:15,479 --> 00:08:21,539
glitches and timeouts that prevented us from effectively using these tools even

115
00:08:19,560 --> 00:08:25,919
once we did figure out how to use them which leads us nicely then into the next

116
00:08:24,300 --> 00:08:30,180
part of our discussion I've owned what I did wrong and now it's

117
00:08:28,080 --> 00:08:34,380
time to talk about Google to their credit I heard back that

118
00:08:32,039 --> 00:08:38,039
someone was aware and working on it at the highest levels within about half an

119
00:08:36,539 --> 00:08:42,000
hour of reaching out to my YouTube rep and they have seemingly improved their

120
00:08:40,440 --> 00:08:46,380
internal tools for managing this sort of thing a lot since the last time around

121
00:08:43,979 --> 00:08:51,180
they've got forms you can fill out and the partner reps that we've worked with

122
00:08:47,640 --> 00:08:54,120
seem to genuinely care shout out MC I'm

123
00:08:51,180 --> 00:08:59,700
so sorry this spoiled your spa day however this entire process has been

124
00:08:56,880 --> 00:09:03,720
pretty opaque other than we're aware and working on it the internal team doesn't

125
00:09:01,620 --> 00:09:08,940
seem to even be allowed to communicate with creators directly I mean I get it

126
00:09:06,420 --> 00:09:12,300
security aside idiot users probably won't have anything to contribute to

127
00:09:10,440 --> 00:09:15,180
their investigation they figured out that the attack came from one of our

128
00:09:13,620 --> 00:09:18,839
non-video production teams pretty quickly and then actually banned that

129
00:09:16,980 --> 00:09:24,660
Google Workspace account almost immediately I mean realistically idiot

130
00:09:21,899 --> 00:09:29,519
users could just slow them down but even a quick hey I know you're stressed uh

131
00:09:27,360 --> 00:09:33,660
here's what's going on and here's how we can keep this from spreading would

132
00:09:31,440 --> 00:09:39,600
almost certainly have calmed my nerves and saved all of us some work by keeping

133
00:09:36,060 --> 00:09:42,000
TechLinked and Techquickie in our hands

134
00:09:39,600 --> 00:09:46,740
and another big problem is that this approach you know one-on-one only

135
00:09:44,279 --> 00:09:51,000
benefits larger channels like ours I've seen quite a few people rightly express

136
00:09:49,080 --> 00:09:55,920
some resentment that we were able to get this resolved so quickly when their

137
00:09:52,920 --> 00:09:57,540
favorite niche creator X or Y struggled

138
00:09:55,920 --> 00:10:02,160
with it for an extended period of time or even never got it fully resolved so

139
00:10:00,779 --> 00:10:06,180
it's clear that there are some changes that need to be made and here are a few

140
00:10:04,320 --> 00:10:11,399
of them in no particular order we need greater security options for key

141
00:10:09,000 --> 00:10:15,180
channel attributes I mean how can you change the name of a channel without

142
00:10:13,080 --> 00:10:18,420
having to re-enter your password and your two-factor what about resetting a

143
00:10:17,399 --> 00:10:23,760
stream key same deal in my opinion and this is just

144
00:10:20,940 --> 00:10:28,980
one of the ways that the impact of a session hijacking can be limited rate

145
00:10:26,220 --> 00:10:33,600
limiting is also widely used in API access to services like YouTube for

146
00:10:31,380 --> 00:10:37,980
example Google will only process a certain number of comment moderation

147
00:10:35,040 --> 00:10:41,760
actions per day through their API well I could see implementing something similar

148
00:10:39,540 --> 00:10:46,019
even if you are directly accessing the service but then rather than limited out

149
00:10:43,920 --> 00:10:49,140
right it could prompt for authentication to be clear I'm not saying every time

150
00:10:47,760 --> 00:10:54,000
you delete a video it should ask for your password but say if you were trying

151
00:10:51,300 --> 00:10:59,579
to delete 10 or 100 or a thousand videos at a time a little are you sure about

152
00:10:56,940 --> 00:11:02,820
that are you actually you would probably be in order

153
00:11:00,959 --> 00:11:06,000
the funny thing is that none of that stuff would even be necessary with

154
00:11:04,380 --> 00:11:11,339
proper security policies on session tokens bare minimum would be time based expiry

155
00:11:09,899 --> 00:11:16,380
you know how when you boot up an old smartphone all your accounts are usually

156
00:11:12,899 --> 00:11:19,079
logged out session expiry but many sites

157
00:11:16,380 --> 00:11:23,279
also factor in other attributes like location so if you were to suddenly try

158
00:11:21,420 --> 00:11:27,240
to access a site or service from Antarctica you should be prompted to log

159
00:11:26,100 --> 00:11:31,800
in again these measures are very common on

160
00:11:29,640 --> 00:11:36,120
high-risk websites like online banking I'm not saying banks are model citizens

161
00:11:34,019 --> 00:11:39,420
when it comes to login security but they do usually invalidate sessions in a

162
00:11:38,160 --> 00:11:46,260
matter of minutes but can you remember the last time Instagram or Snapchat asked you to log

163
00:11:43,320 --> 00:11:51,060
in again social media platforms YouTube excuse me tend to be a lot less

164
00:11:49,200 --> 00:11:55,380
aggressive since they want to make using their platforms as frictionless as

165
00:11:52,860 --> 00:11:59,579
possible now in fairness Google does usually require re-authentication when

166
00:11:57,839 --> 00:12:03,839
you're changing a password or other security options or I don't know when a

167
00:12:01,980 --> 00:12:08,040
session token gets reused by a new IP address on the other side of the freaking planet

168
00:12:06,180 --> 00:12:13,320
but we've heard from multiple people that this isn't always the case so the

169
00:12:11,100 --> 00:12:16,860
big question is that with Google owning the whole chain here like start to

170
00:12:15,120 --> 00:12:22,620
finish really including the bloody web browser how is this crap not only still

171
00:12:19,320 --> 00:12:24,779
possible but so prevalent

172
00:12:22,620 --> 00:12:28,380
it's time for them to not just ask these questions internally but come up with

173
00:12:26,519 --> 00:12:32,700
real answers for them I think the only group whose response

174
00:12:30,240 --> 00:12:37,160
here was perfect was our community and no this is not like standing on stage

175
00:12:37,680 --> 00:12:43,139
you guys were amazing um prominent members of our forum whom

176
00:12:41,640 --> 00:12:47,639
I've interacted with over the years reached out to my team directly

177
00:12:45,079 --> 00:12:52,079
upstanding citizens were paying real money out of their own pockets to send

178
00:12:49,920 --> 00:12:57,899
super chats warning stream viewers that the channel was hijacked and over 5,000

179
00:12:55,620 --> 00:13:02,820
of you in the last 12 hours alone subscribe to Floatplane.com to show your

180
00:13:01,019 --> 00:13:10,019
support and to ensure that you wouldn't miss any of our uploads I have had a

181
00:13:06,600 --> 00:13:12,720
pretty rough day a pretty long day but

182
00:13:10,019 --> 00:13:17,760
you know what it's also been amazing to see how fast we can bounce back thanks

183
00:13:14,700 --> 00:13:19,320
to your unwavering support the

184
00:13:17,760 --> 00:13:24,060
incredible team we have here like everyone we got Artie over there is

185
00:13:21,540 --> 00:13:28,680
Colton still there no all right well whatever Andrew's there James is working

186
00:13:26,399 --> 00:13:31,860
on guidance for this Luke was up half the night with me and Yvonne trying to

187
00:13:30,240 --> 00:13:36,720
help us figure things out driving to the office um

188
00:13:34,139 --> 00:13:40,380
really appreciate you all uh oh our partners at YouTube

189
00:13:38,399 --> 00:13:48,000
um and of course dbrand something something dbrand with

190
00:13:44,339 --> 00:13:49,079
me a lot yes uh it's true

191
00:13:48,000 --> 00:13:54,420
but the thing about dbrand is as much as

192
00:13:52,139 --> 00:13:58,440
they love to poke fun having partners like them makes losing a full day of

193
00:13:56,940 --> 00:14:03,000
YouTube revenue a lot less of a concern not a lot of

194
00:14:01,500 --> 00:14:08,399
companies are going to step up and sponsor a video talking about how our

195
00:14:05,399 --> 00:14:10,380
account got hacked that's the I mean

196
00:14:08,399 --> 00:14:15,660
that's the kind of subject nobody wants to get close to at all but dbrand jumped

197
00:14:13,380 --> 00:14:19,380
at the chance to help us out and not just help us out by sponsoring the video

198
00:14:17,639 --> 00:14:23,880
today making it so we don't got to worry about how to pay all these guys their

199
00:14:20,880 --> 00:14:26,639
overtime but help us out by setting you

200
00:14:23,880 --> 00:14:32,639
guys up with an unprecedented deal for the first time ever dbrand is offering a

201
00:14:29,760 --> 00:14:38,339
site-wide deal for LTT viewers just go to really guys

202
00:14:34,760 --> 00:14:41,040
shortlinus.com and you will save 15% on

203
00:14:38,339 --> 00:14:48,180
any order using code five foot one that's one word all one

204
00:14:44,940 --> 00:14:48,180
word f-i-v-e-f-o-o-t-o-n-e

205
00:14:50,040 --> 00:15:00,740
we really couldn't do it without all of you thanks to you my team and yes even

206
00:14:56,699 --> 00:15:00,740
dbrand I'll have them linked down below
