WEBVTT

00:00:00.000 --> 00:00:04.920
this is me racing out of bed for our

00:00:03.240 --> 00:00:11.519
front row seat to my life's work vanishing before my eyes Linus Tech Tips

00:00:07.560 --> 00:00:14.099
deleted TechLinked toasted Techquickie

00:00:11.519 --> 00:00:18.840
gone the good news is that if you're watching this we're back online

00:00:16.199 --> 00:00:22.680
bad news is that this kind of attack has become so commonplace on YouTube that

00:00:21.060 --> 00:00:27.960
when we sat down to prepare this video it took us less than 10 seconds to find

00:00:25.859 --> 00:00:34.380
a huge channel that was dealing with exactly the same thing in that moment

00:00:32.340 --> 00:00:39.840
let's talk then about the motive for these attacks the process changes that

00:00:36.780 --> 00:00:41.760
we and YouTube need to make and how we

00:00:39.840 --> 00:00:46.860
can all work together as a community to educate and protect each other from bad

00:00:43.739 --> 00:00:50.100
actors oh and to tell you about our

00:00:46.860 --> 00:00:53.340
sponsor dbrand oh God not dbrand today

00:00:50.100 --> 00:00:56.840
really oh actually no they've got

00:00:53.340 --> 00:00:56.840
something good stay tuned

00:01:04.040 --> 00:01:09.960
started a little after three in the morning when the Linus Tech Tips account

00:01:07.560 --> 00:01:14.220
was renamed to Tesla and started streaming a podcast style recording of

00:01:12.240 --> 00:01:19.979
self-proclaimed Technoking Elon Musk discussing cryptocurrency this in and of

00:01:16.920 --> 00:01:22.920
itself is not a scam but the streams

00:01:19.979 --> 00:01:27.659
linked to a scam website that claimed that for every one Bitcoin you sent they

00:01:25.140 --> 00:01:32.100
would return double complete with fake transaction records showing other users

00:01:29.520 --> 00:01:36.780
definitely getting huge payouts over the next couple of hours then we

00:01:34.259 --> 00:01:40.320
sparred back and forth first I privated the streams revoked the channel stream

00:01:38.579 --> 00:01:44.759
key and attempted to reset the account credentials only to realize as I was

00:01:43.020 --> 00:01:48.780
investigating the source of the breach that I had been completely outmaneuvered

00:01:46.920 --> 00:01:54.720
they were back in and the streams were live again have okay so I logged back in

00:01:52.320 --> 00:02:00.259
nuke the stream again and I go to and they're up again and now videos are

00:01:56.880 --> 00:02:00.259
being mass deleted from the channel

00:02:00.780 --> 00:02:07.799
over the next couple of hours playing login whack-a-mole the Linus Tech Tips

00:02:05.640 --> 00:02:12.420
TechLinked and Techquickie accounts were each used to host these Elon Musk

00:02:10.920 --> 00:02:16.319
crypto streams until they were ultimately nuked by YouTube altogether

00:02:14.459 --> 00:02:21.599
for violating YouTube's terms of service and I could almost feel your thoughts

00:02:19.080 --> 00:02:24.840
through the screen right now Linus truly after all these lectures about

00:02:22.980 --> 00:02:30.360
two-factor authentication don't you even protect your own accounts

00:02:26.760 --> 00:02:32.940
course I do but while strong passwords

00:02:30.360 --> 00:02:37.560
and multi-factor authentication are very powerful security measures that you

00:02:34.800 --> 00:02:43.319
should use they're not impenetrable first up let's talk 2FA not all

00:02:40.620 --> 00:02:48.360
factors or additional authentication elements are equally secure the most

00:02:46.140 --> 00:02:52.860
common second factor SMS can be compromised by simple social engineering

00:02:50.459 --> 00:02:56.160
targeted at your phone carrier check out this video that we posted the last time

00:02:54.780 --> 00:03:01.080
our account was hijacked for more information about that another common

00:02:58.500 --> 00:03:05.580
factor notification-based multi-factor is susceptible to fatigue attacks where

00:03:03.360 --> 00:03:09.959
a perpetrator will constantly try to log in hoping that you'll assume oh it's

00:03:08.040 --> 00:03:14.760
probably someone from work or even just click on the notification by accident

00:03:12.659 --> 00:03:19.200
very problematic and I'm looking at you Google since you can't disable this

00:03:16.980 --> 00:03:23.280
factor on Google accounts even time-based two-factor like Google

00:03:21.120 --> 00:03:27.420
Authenticator or Authy can be compromised say if you were to

00:03:24.959 --> 00:03:32.879
accidentally set it up or access it from an infected device in spite of all of

00:03:30.180 --> 00:03:37.319
these issues with two-factor though it held the line last night our attacker

00:03:35.220 --> 00:03:42.239
not only never gained access to our additional authentication factors they

00:03:39.480 --> 00:03:48.060
never even had our passwords but how can that be well as it turns out

00:03:45.239 --> 00:03:52.920
they didn't need any of that which is a big part of why it took me so long to

00:03:49.980 --> 00:03:55.920
clue in and stop the spread I was so focused on the potential damage that

00:03:54.720 --> 00:03:59.940
could be done by someone who had commandeered my SMS messages or gained

00:03:58.620 --> 00:04:06.780
access to my Google Authenticator somehow that I expended valuable time

00:04:03.060 --> 00:04:08.459
battening down the wrong hatches if I

00:04:06.780 --> 00:04:12.540
had watched ThioJoe's recent video on the subject or at least skimmed the

00:04:10.500 --> 00:04:15.599
comments I could have probably stopped the bleeding in a matter of minutes

00:04:13.739 --> 00:04:20.880
shout out ThioJoe but I didn't so I got to be educated the

00:04:18.780 --> 00:04:27.120
hard way about a breed of attacks that bypass trivial things like passwords and

00:04:24.419 --> 00:04:30.419
2FA entirely by targeting what's known as a session token

00:04:29.040 --> 00:04:35.940
now many of you will know this already and if you do give yourself a cookie but

00:04:33.900 --> 00:04:39.900
after you log into a website and your credentials have been validated that

00:04:37.680 --> 00:04:45.600
site will provide your web browser with a session token this allows your browser

00:04:42.660 --> 00:04:50.520
and by extension you to stay logged in when you restart your browser and go to

00:04:47.580 --> 00:04:54.960
access that site again this isn't a bad thing it's a good thing because

00:04:52.340 --> 00:04:59.340
realistically nobody wants to type in a password every time they want to post

00:04:57.180 --> 00:05:05.100
instant regret on the internet but hold on a second that cookie is

00:05:02.520 --> 00:05:08.880
stored locally on your device how would someone else get it

00:05:06.419 --> 00:05:14.160
well that's where we made a mistake someone on our team and I'm not saying

00:05:11.400 --> 00:05:18.300
it was Colton downloaded what appeared to be a sponsorship offer from a

00:05:15.960 --> 00:05:21.600
potential partner it was an innocent enough mistake for the most part the

00:05:20.160 --> 00:05:26.280
email came from a legitimate looking source and it didn't raise any immediate

00:05:24.000 --> 00:05:31.199
red flags like being full of grammatical errors so they extracted the contents

00:05:29.160 --> 00:05:34.919
launched what appeared to be a PDF containing the terms of the deal then

00:05:32.759 --> 00:05:38.940
presumably when it didn't work went about the rest of their day

00:05:36.840 --> 00:05:44.340
what happened in the background took place over the course of just 30 seconds

00:05:41.160 --> 00:05:46.320
the malware accessed all user data from

00:05:44.340 --> 00:05:51.660
both of their installed browsers Chrome and Edge including everything from

00:05:48.960 --> 00:05:55.860
locally saved passwords to cookies to browser preferences giving them

00:05:53.100 --> 00:06:01.199
effectively an exact copy of those browsers on the target machine that they

00:05:58.560 --> 00:06:08.340
could export including that's right session tokens for every logged in

00:06:04.199 --> 00:06:10.979
website now no one should unzip an email

00:06:08.340 --> 00:06:15.060
attachment file extensions should always be double-checked when you are executing

00:06:12.780 --> 00:06:18.660
anything and any file that doesn't do what you expect should raise immediate

00:06:17.400 --> 00:06:24.720
red flags but then on the flip side I can hardly

00:06:21.479 --> 00:06:27.060
blame a sales rep or a video editor or

00:06:24.720 --> 00:06:32.400
someone in accounting for not being up on the latest in cyber crime and I also

00:06:30.900 --> 00:06:37.139
believe that in a healthy organization it actually rolls up the hill rather

00:06:35.100 --> 00:06:41.340
than down so there's not going to be any disciplinary actions because the simple

00:06:39.000 --> 00:06:44.819
truth is that if we had more rigorous training for our newcomers and better

00:06:43.020 --> 00:06:49.919
processes for following up notifications from our sitewide anti-malware this

00:06:47.100 --> 00:06:53.639
could have been easily avoided as for why it took so long for us to

00:06:52.199 --> 00:06:58.259
lock down the account once we knew what was going on that's another training

00:06:55.620 --> 00:07:02.120
issue but this time it was my training we use a system for our YouTube channels

00:07:00.539 --> 00:07:06.720
called Content Manager which theoretically improves security by

00:07:04.620 --> 00:07:11.280
allowing us to dole out specific channel access roles to our various team members

00:07:09.120 --> 00:07:14.280
rather than just sharing the main account credentials with everyone who

00:07:12.780 --> 00:07:19.680
needs to access it this made the process of determining the

00:07:16.620 --> 00:07:21.240
attack vector way more complicated you

00:07:19.680 --> 00:07:26.580
can think of it kind of like replacing your one giant vault door with 20

00:07:24.660 --> 00:07:29.639
smaller doors any one of which realistically still gets you into the

00:07:28.860 --> 00:07:33.780
vault now in a perfect world these smaller

00:07:31.919 --> 00:07:39.120
doors should have been restricted with less access than we configured but

00:07:36.360 --> 00:07:43.319
hindsight is 20/20 or at least I hope it is the bottom line is that our

00:07:41.340 --> 00:07:47.759
disaster response processes need to improve because I realized at three

00:07:46.139 --> 00:07:51.840
whatever in the morning shout out Steve from Gamers Nexus for the wake-up call

00:07:49.259 --> 00:07:55.979
by the way but I actually didn't know how to reset the passwords and the

00:07:54.060 --> 00:08:00.120
access control across all of these channels in channel manager and that is

00:07:58.259 --> 00:08:04.620
not the sort of thing that you want to be troubleshooting butt naked in the wee

00:08:03.060 --> 00:08:08.520
hours of the morning in the middle of a crisis

00:08:06.360 --> 00:08:13.259
In fairness to me the way that Google handles the intermingling of all their

00:08:10.500 --> 00:08:17.580
services is not the most intuitive and both Yvonne and I experienced numerous

00:08:15.479 --> 00:08:21.539
glitches and timeouts that prevented us from effectively using these tools even

00:08:19.560 --> 00:08:25.919
once we did figure out how to use them which leads us nicely then into the next

00:08:24.300 --> 00:08:30.180
part of our discussion I've owned what I did wrong and now it's

00:08:28.080 --> 00:08:34.380
time to talk about Google to their credit I heard back that

00:08:32.039 --> 00:08:38.039
someone was aware and working on it at the highest levels within about half an

00:08:36.539 --> 00:08:42.000
hour of reaching out to my YouTube rep and they have seemingly improved their

00:08:40.440 --> 00:08:46.380
internal tools for managing this sort of thing a lot since the last time around

00:08:43.979 --> 00:08:51.180
they've got forms you can fill out and the partner reps that we've worked with

00:08:47.640 --> 00:08:54.120
seem to genuinely care shout out MC I'm

00:08:51.180 --> 00:08:59.700
so sorry this spoiled your spa day however this entire process has been

00:08:56.880 --> 00:09:03.720
pretty opaque other than we're aware and working on it the internal team doesn't

00:09:01.620 --> 00:09:08.940
seem to even be allowed to communicate with creators directly I mean I get it

00:09:06.420 --> 00:09:12.300
security aside idiot users probably won't have anything to contribute to

00:09:10.440 --> 00:09:15.180
their investigation they figured out that the attack came from one of our

00:09:13.620 --> 00:09:18.839
non-video production teams pretty quickly and then actually banned that

00:09:16.980 --> 00:09:24.660
Google Workspace account almost immediately I mean realistically idiot

00:09:21.899 --> 00:09:29.519
users could just slow them down but even a quick hey I know you're stressed uh

00:09:27.360 --> 00:09:33.660
here's what's going on and here's how we can keep this from spreading would

00:09:31.440 --> 00:09:39.600
almost certainly have calmed my nerves and saved all of us some work by keeping

00:09:36.060 --> 00:09:42.000
TechLinked and Techquickie in our hands

00:09:39.600 --> 00:09:46.740
and another big problem is that this approach you know one-on-one only

00:09:44.279 --> 00:09:51.000
benefits larger channels like ours I've seen quite a few people rightly express

00:09:49.080 --> 00:09:55.920
some resentment that we were able to get this resolved so quickly when their

00:09:52.920 --> 00:09:57.540
favorite niche creator X or Y struggled

00:09:55.920 --> 00:10:02.160
with it for an extended period of time or even never got it fully resolved so

00:10:00.779 --> 00:10:06.180
it's clear that there are some changes that need to be made and here are a few

00:10:04.320 --> 00:10:11.399
of them in no particular order we need greater security options for key

00:10:09.000 --> 00:10:15.180
channel attributes I mean how can you change the name of a channel without

00:10:13.080 --> 00:10:18.420
having to re-enter your password and your two-factor what about resetting a

00:10:17.399 --> 00:10:23.760
stream key same deal in my opinion and this is just

00:10:20.940 --> 00:10:28.980
one of the ways that the impact of a session hijacking can be limited rate

00:10:26.220 --> 00:10:33.600
limiting is also widely used in API access to services like YouTube for

00:10:31.380 --> 00:10:37.980
example Google will only process a certain number of comment moderation

00:10:35.040 --> 00:10:41.760
actions per day through their API well I could see implementing something similar

00:10:39.540 --> 00:10:46.019
even if you are directly accessing the service but then rather than limited outright

00:10:43.920 --> 00:10:49.140
right it could prompt for authentication to be clear I'm not saying every time

00:10:47.760 --> 00:10:54.000
you delete a video it should ask for your password but say if you were trying

00:10:51.300 --> 00:10:59.579
to delete 10 or 100 or a thousand videos at a time a little are you sure about

00:10:56.940 --> 00:11:02.820
that are you actually you would probably be in order

00:11:00.959 --> 00:11:06.000
the funny thing is that none of that stuff would even be necessary with

00:11:04.380 --> 00:11:11.339
proper security policies on session tokens bare minimum would be time based expiry

00:11:09.899 --> 00:11:16.380
you know how when you boot up an old smartphone all your accounts are usually

00:11:12.899 --> 00:11:19.079
logged out session expiry but many sites

00:11:16.380 --> 00:11:23.279
also factor in other attributes like location so if you were to suddenly try

00:11:21.420 --> 00:11:27.240
to access a site or service from Antarctica you should be prompted to log

00:11:26.100 --> 00:11:31.800
in again these measures are very common on

00:11:29.640 --> 00:11:36.120
high-risk websites like online banking I'm not saying banks are model citizens

00:11:34.019 --> 00:11:39.420
when it comes to login security but they do usually invalidate sessions in a

00:11:38.160 --> 00:11:46.260
matter of minutes but can you remember the last time Instagram or Snapchat asked you to log

00:11:43.320 --> 00:11:51.060
in again social media platforms YouTube excuse me tend to be a lot less

00:11:49.200 --> 00:11:55.380
aggressive since they want to make using their platforms as frictionless as

00:11:52.860 --> 00:11:59.579
possible now In fairness Google does usually require re-authentication when

00:11:57.839 --> 00:12:03.839
you're changing a password or other security options or I don't know when a

00:12:01.980 --> 00:12:08.040
session token gets reused by a new IP address on the other side of the freaking planet

00:12:06.180 --> 00:12:13.320
but we've heard from multiple people that this isn't always the case so the

00:12:11.100 --> 00:12:16.860
big question is that with Google owning the whole chain here like start to

00:12:15.120 --> 00:12:22.620
finish really including the bloody web browser how is this crap not only still

00:12:19.320 --> 00:12:24.779
possible but so prevalent

00:12:22.620 --> 00:12:28.380
it's time for them to not just ask these questions internally but come up with

00:12:26.519 --> 00:12:32.700
real answers for them I think the only group whose response

00:12:30.240 --> 00:12:37.160
here was perfect was our community and no this is not like standing on stage

00:12:37.680 --> 00:12:43.139
you guys were amazing um prominent members of our forum whom

00:12:41.640 --> 00:12:47.639
I've interacted with over the years reached out to my team directly

00:12:45.079 --> 00:12:52.079
upstanding citizens were paying real money out of their own pockets to send

00:12:49.920 --> 00:12:57.899
super chats warning stream viewers that the channel was hijacked and over 5,000

00:12:55.620 --> 00:13:02.820
of you in the last 12 hours alone subscribe to Floatplane.com to show your

00:13:01.019 --> 00:13:10.019
support and to ensure that you wouldn't miss any of our uploads I have had a

00:13:06.600 --> 00:13:12.720
pretty rough day a pretty long day but

00:13:10.019 --> 00:13:17.760
you know what it's also been amazing to see how fast we can bounce back thanks

00:13:14.700 --> 00:13:19.320
to your unwavering support the

00:13:17.760 --> 00:13:24.060
incredible team we have here like everyone we got Artie over there is

00:13:21.540 --> 00:13:28.680
Colton still there no all right well whatever Andrew's there James is working

00:13:26.399 --> 00:13:31.860
on guidance for this Luke was up half the night with me and Yvonne trying to

00:13:30.240 --> 00:13:36.720
help us figure things out driving to the office um

00:13:34.139 --> 00:13:40.380
really appreciate you all uh oh our partners at YouTube

00:13:38.399 --> 00:13:48.000
um and of course dbrand something something dbrand with

00:13:44.339 --> 00:13:49.079
me a lot yes uh it's true

00:13:48.000 --> 00:13:54.420
but the thing about dbrand is as much as

00:13:52.139 --> 00:13:58.440
they love to poke fun having partners like them makes losing a full day of

00:13:56.940 --> 00:14:03.000
YouTube Revenue a lot less of a concern not a lot of

00:14:01.500 --> 00:14:08.399
companies are going to step up and sponsor a video talking about how our

00:14:05.399 --> 00:14:10.380
account got hacked that's the I mean

00:14:08.399 --> 00:14:15.660
that's the kind of subject nobody wants to get close to at all but dbrand jumped

00:14:13.380 --> 00:14:19.380
at the chance to help us out and not just help us out by sponsoring the video

00:14:17.639 --> 00:14:23.880
today making it so we don't got to worry about how to pay all these guys their

00:14:20.880 --> 00:14:26.639
overtime but help us out by setting you

00:14:23.880 --> 00:14:32.639
guys up with an unprecedented deal for the first time ever dbrand is offering a

00:14:29.760 --> 00:14:38.339
site-wide deal for LTT viewers just go to really guys

00:14:34.760 --> 00:14:41.040
shortliness.com and you will save 15% on

00:14:38.339 --> 00:14:48.180
any order using code five foot one that's one word all one

00:14:44.940 --> 00:14:48.180
word f-i-v-e-f-o-o-t-o-n-e

00:14:50.040 --> 00:15:00.740
we really couldn't do it without all of you thanks to you my team and yes even

00:14:56.699 --> 00:15:00.740
dbrand I'll have them linked down below
