YouTube channel takeover - how did it happen? (case study)
Linus Tech Tips is quickly back on the scene after the recent account theft that saw the channel taken over and misused. Linus surprised viewers by revealing how his account was renamed to Tesla and a fake recording of a cryptocurrency discussion was live-streamed to the scammed audience. It is a warning that attacks of this type are becoming more and more common on YouTube. When Linus tried to reset the login credentials and block the streams, he met strong resistance from the attackers, who kept broadcasting on his channels for some time. He explains how important multi-factor authentication (2FA) is, but also notes that even it is not completely foolproof. He said his account was secured and the attackers had no access to the passwords, which greatly complicated the diagnosis and recovery process.
Timeline summary
- Introduction: waking up to discover that the channels had been removed.
- Names of the affected channels.
- Good news about being back online.
- Discussion of the rising frequency of attacks on YouTube.
- Examining the motive and protecting the community.
- Description of how the Linus Tech Tips account was compromised.
- Details of the Elon Musk scam stream.
- Attempts to regain control of the account.
- Consequences of violating YouTube's terms of service.
- Addressing skepticism about the account's protection.
- Explanation of the weaknesses in two-factor authentication.
- SMS weaknesses and social engineering.
- Discussion of session tokens and their significance.
- Explanation of how malware compromised user data.
- Warning about the danger of downloading email attachments.
- Addressing training problems in the organization.
- The need to improve disaster response processes.
- Credit to YouTube for improvements in its response to the attack.
- Emphasis on community support during the crisis.
- Expression of gratitude to partners and sponsors.
- Announcement of a special Dbrand offer for viewers.
Transcription
This is me racing out of bed for a front row seat to my life's work vanishing before my eyes. Linus Tech Tips, deleted. Tech Linked, toasted. Tech Quickie, gone. The good news is that if you're watching this, we're back online. The bad news is that this kind of attack has become so commonplace on YouTube that when we sat down to prepare this video, it took us less than 10 seconds to find a huge channel that was dealing with exactly the same thing in that moment. Let's talk then about the motive for these attacks, the process changes that we and YouTube need to make, and how we can all work together as a community to educate and protect each other from bad actors. Oh, and to tell you about our sponsor, Dbrand. Oh God, not Dbrand. Today, really? Oh, actually no, they've got something good. Stay tuned. ♪ Hey, hey, hey, hey, hey, hey, hey, hey, hey, hey, hey ♪ The fireworks started a little after three in the morning when the Linus Tech Tips account was renamed to Tesla and started streaming a podcast-style recording of self-proclaimed techno king Elon Musk discussing cryptocurrency. This in and of itself is not a scam, but the stream linked to a scam website that claimed that for every one Bitcoin you sent, they would return double, complete with fake transaction records showing other users definitely getting huge payouts. Over the next couple of hours then, we sparred back and forth. First, I privated the streams, revoked the channel stream key, and attempted to reset the account credentials, only to realize, as I was investigating the source of the breach, that I had been completely outmaneuvered. They were back in, and the streams were live again. How the, okay, so I log back in, nuke the stream again, and I go to, and they're up again, and now videos are being mass-deleted from the channel.
Over the next couple of hours playing login whack-a-mole, the Linus Tech Tips, TechLinked, and TechQuickie accounts were each used to host these Elon Musk crypto streams until they were ultimately nuked by YouTube altogether for violating YouTube's terms of service. And I can almost feel your thoughts through the screen right now. Linus, truly, after all these lectures about two-factor authentication, don't you even protect your own accounts? Of course I do, but while strong passwords and multi-factor authentication are very powerful security measures that you should use, they're not impenetrable. First up, let's talk 2FA. Not all factors or additional authentication elements are equally secure. The most common second factor, SMS, can be compromised by simple social engineering targeted at your phone carrier. Check out this video that we posted the last time our account was hijacked for more information about that. Another common factor, notification-based multi-factor, is susceptible to fatigue attacks, where a perpetrator will constantly try to log in, hoping that you'll assume, oh, it's probably someone from work, or even just click on the notification by accident. It's very problematic, and I'm looking at you, Google, since you can't disable this factor on Google accounts. Even time-based two-factor, like Google Authenticator or Authy, can be compromised, say if you were to accidentally set it up or access it from an infected device. In spite of all of these issues with two-factor, though, it held the line last night. Our attacker not only never gained access to our additional authentication factors, they never even had our passwords. But how can that be? Well, as it turns out, they didn't need any of that, which is a big part of why it took me so long to clue in and stop the spread. 
I was so focused on the potential damage that could be done by someone who had commandeered my SMS messages or gained access to my Google Authenticator somehow, that I expended valuable time battening down the wrong hatches. If I had watched ThioJoe's recent video on the subject, or at least skimmed the comments, I could have probably stopped the bleeding in a matter of minutes. Shout out ThioJoe. But I didn't, so I got to be educated the hard way about a breed of attacks that bypass trivial things like passwords and 2FA entirely by targeting what's known as a session token. Now, many of you will know this already, and if you do, give yourself a cookie. But after you log into a website and your credentials have been validated, that site will provide your web browser with a session token. This allows your browser, and by extension you, to stay logged in when you restart your browser and go to access that site again. This isn't a bad thing, it's a good thing, because realistically, nobody wants to type in a password every time they want to post instant regret on the internet. But hold on a second. That cookie is stored locally on your device. How would someone else get it? Well, that's where we made a mistake. Someone on our team, and I'm not saying it was Colton, downloaded what appeared to be a sponsorship offer from a potential partner. It was an innocent enough mistake for the most part. The email came from a legitimate-looking source, and it didn't raise any immediate red flags like being full of grammatical errors. So they extracted the contents, launched what appeared to be a PDF containing the terms of the deal, then, presumably when it didn't work, went about the rest of their day. What happened in the background took place over the course of just 30 seconds.
The malware accessed all user data from both of their installed browsers, Chrome and Edge, including everything from locally saved passwords to cookies to browser preferences, giving them effectively an exact copy of those browsers on the target machine that they could export, including, that's right, session tokens for every logged in website. Now, no one should unzip an email attachment. File extensions should always be double-checked when you are executing anything, and any file that doesn't do what you expect should raise immediate red flags. But then on the flip side, I can hardly blame a sales rep or a video editor or someone in accounting for not being up on the latest in cybercrime. And I also believe that in a healthy organization, actually rolls up the hill rather than down. So there's not gonna be any disciplinary actions because the simple truth is that if we had more rigorous training for our newcomers and better processes for following up notifications from our site-wide anti-malware, this could have been easily avoided. As for why it took so long for us to lock down the account once we knew what was going on, that's another training issue, but this time it was my training. We use a system for our YouTube channels called Content Manager, which theoretically improves security by allowing us to dole out specific channel access roles to our various team members rather than just sharing the main account credentials with everyone who needs to access it. This made the process of determining the attack vector way more complicated. You could think of it kind of like replacing your one giant vault door with 20 smaller doors, any one of which realistically still gets you into the vault. Now in a perfect world, these smaller doors should have been restricted with less access than we configured, but hindsight is 20-20, or at least I hope it is. 
The bottom line is that our disaster response processes need to improve because I realized at three-whatever in the morning, shout out Steve from Gamers Nexus for the wake-up call, by the way, that I actually didn't know how to reset the passwords and the access control across all of these channels in Channel Manager. And that is not the sort of thing that you wanna be troubleshooting butt-naked in the wee hours of the morning in the middle of a crisis. In fairness to me, the way that Google handles the intermingling of all their services is not the most intuitive, and both Yvonne and I experienced numerous glitches and timeouts that prevented us from effectively using these tools even once we did figure out how to use them, which leads us nicely then into the next part of our discussion. I've owned what I did wrong, and now it's time to talk about Google. To their credit, I heard back that someone was aware and working on it at the highest levels within about half an hour of reaching out to my YouTube rep. And they have seemingly improved their internal tools for managing this sort of thing a lot since the last time around. They've got forms you can fill out, and the partner reps that we've worked with seem to genuinely care. Shout out MC, I'm so sorry this spoiled your spa day. However, this entire process has been pretty opaque. Other than we're aware and working on it, the internal team doesn't seem to even be allowed to communicate with creators directly. I mean, I get it. Security aside, idiot users probably won't have anything to contribute to their investigation. They figured out that the attack came from one of our non-video production teams pretty quickly, and then actually banned that Google Workspace account almost immediately. I mean, realistically, idiot users could just slow them down. 
But even a quick, hey, I know you're stressed, here's what's going on, and here's how we can keep this from spreading would almost certainly have calmed my nerves and saved all of us some work by keeping TechLinked and TechQuickie in our hands. And another big problem is that this approach, you know, one-on-one, only benefits larger channels like ours. I've seen quite a few people, rightly, express some resentment that we were able to get this resolved so quickly when their favorite niche creator X or Y struggled with it for an extended period of time or even never got it fully resolved. So it's clear that there are some changes that need to be made. And here are a few of them in no particular order. We need greater security options for key channel attributes. I mean, how can you change the name of a channel without having to re-enter your password and your two-factor? What about resetting a stream key? Same deal, in my opinion. And this is just one of the ways that the impact of a session hijacking can be limited. Rate limiting is also widely used in API access to services like YouTube. For example, Google will only process a certain number of comment moderation actions per day through their API. Well, I could see implementing something similar even if you are directly accessing the service, but then rather than limit it outright, it could prompt for authentication. To be clear, I'm not saying every time you delete a video, it should ask for your password, but say if you were trying to delete 10 or 100 or 1,000 videos at a time, a little, are you sure about that? Are you actually you? Would probably be in order. The funny thing is that none of that stuff would even be necessary with proper security policies on session tokens. The bare minimum would be time-based expiry. You know how when you boot up an old smartphone, all your accounts are usually logged out? Session expiry. But many sites also factor in other attributes like location. 
So if you were to suddenly try to access a site or service from Antarctica, you should be prompted to log in again. These measures are very common on high-risk websites, like online banking. I'm not saying banks are model citizens when it comes to login security, but they do usually invalidate sessions in a matter of minutes. But can you remember the last time Instagram or Snapchat asked you to log in again? Social media platforms, YouTube, excuse me, tend to be a lot less aggressive since they wanna make using their platforms as frictionless as possible. Now, in fairness, Google does usually require reauthentication when you're changing a password or other security options, or, I don't know, when a session token gets reused by a new IP address on the other side of the freaking planet. But we've heard from multiple people that this isn't always the case. So the big question is that with Google owning the whole chain here, start to finish, really, including the bloody web browser, how is this crap not only still possible, but so prevalent? It's time for them to not just ask these questions internally, but come up with real answers for them. I think the only group whose response here was perfect was our community. And no, this is not like standing on stage, yeah, I love you guys, and whatever. You guys were amazing. Prominent members of our forum, whom I've interacted with over the years, reached out to my team directly. Upstanding citizens were paying real money out of their own pockets to send super chats warning stream viewers that the channel was hijacked. And over 5,000 of you in the last 12 hours alone subscribed to floatplane.com to show your support and to ensure that you wouldn't miss any of our uploads. I have had a pretty rough day, a pretty long day, but you know what? It's also been amazing to see how fast we can bounce back thanks to your unwavering support, the incredible team we have here, like everyone. We got Artie over there, is Colton still there? 
No? All right, well, whatever. Andrew's there, James is working on guidance for this, Luke was up half the night with me and Yvonne trying to help us figure things out, driving to the office. Really appreciate you all. Oh, our partners at YouTube, and of course, Dbrand. Something, something, Dbrand with me a lot. Yes, it's true. But the thing about Dbrand is as much as they love to poke fun, having partners like them makes losing a full day of YouTube revenue a lot less of a concern. Not a lot of companies are gonna step up and sponsor a video talking about how our account got hacked. That's the, I mean, that's the kind of subject nobody wants to get close to at all. But Dbrand jumped at the chance to help us out, and not just help us out by sponsoring the video today, making it so we don't gotta worry about how to pay all these guys their overtime, but help us out by setting you guys up with an unprecedented deal. For the first time ever, Dbrand is offering a site-wide deal for LTT viewers. Just go to, really guys, shortlinus.com, and you will save 15% on any order using code 5FOOT1. That's one word, all one word, F-I-V-E-F-O-O-T-O-N-E. We really couldn't do it without all of you. Thanks to you, my team, and yes, even Dbrand. We'll have them linked down below.
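The transcript argues that a stolen session cookie should not be enough to rename a channel, reset a stream key, or mass-delete videos, and lists the server-side controls that would have limited the damage: time-based expiry, re-authentication when a token shows up from a new address, step-up prompts for sensitive actions, and a rate limit on bulk deletions that asks "are you actually you?" instead of refusing outright. The sketch below, added here as an illustration and not code from Linus Media Group, YouTube or Google, implements those policies in a small session store and walks it through the scenario in the video. All thresholds, the action names, and the two IP addresses are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Policy constants. Values are assumptions chosen for illustration, not
# anything YouTube or Google publishes.
ABSOLUTE_LIFETIME = 7 * 24 * 3600   # hard cap on session age, seconds
IDLE_TIMEOUT = 12 * 3600            # sessions unused this long are dropped
STEP_UP_FRESHNESS = 10 * 60         # strong auth must be this recent for sensitive actions
BULK_DELETE_WINDOW = 3600           # rolling window for counting deletions
BULK_DELETE_THRESHOLD = 10          # deletions allowed per window before step-up

# Actions that must never run on a bare session cookie (the video's examples:
# channel rename, stream key reset) plus the usual account-security changes.
SENSITIVE_ACTIONS = {"rename_channel", "reset_stream_key", "change_password", "change_2fa"}


class Reject(Exception):
    """Denied outright; the client must log in from scratch."""


class StepUpRequired(Exception):
    """Paused; the client must present password + second factor first."""


@dataclass
class Session:
    user: str
    ip: str
    created_at: float
    last_seen: float
    last_strong_auth: float
    deletions: list = field(default_factory=list)  # timestamps of recent deletes


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user, ip, now):
        """Called after password + 2FA succeed; returns the session token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, ip, now, now, now)
        return token

    def _lookup(self, token, now):
        s = self._sessions.get(token)
        if s is None:
            raise Reject("unknown token")
        if now - s.created_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            raise Reject("session expired")
        return s

    def authorize(self, token, ip, action, now):
        s = self._lookup(token, now)
        if ip != s.ip:
            # A token issued to one address and replayed from another is the
            # signature of a stolen cookie: hold the request until the user
            # proves presence with their second factor.
            raise StepUpRequired("session presented from a new address")
        s.last_seen = now
        fresh = now - s.last_strong_auth <= STEP_UP_FRESHNESS
        if action in SENSITIVE_ACTIONS and not fresh:
            raise StepUpRequired(f"{action} requires recent re-authentication")
        if action == "delete_video":
            s.deletions = [t for t in s.deletions if now - t < BULK_DELETE_WINDOW]
            if len(s.deletions) >= BULK_DELETE_THRESHOLD and not fresh:
                raise StepUpRequired("bulk deletion requires re-authentication")
            s.deletions.append(now)
        return True

    def step_up(self, token, ip, now, second_factor_ok):
        """Complete a step-up challenge. Rotates the token so a stolen copy dies."""
        s = self._lookup(token, now)
        if not second_factor_ok:
            raise Reject("second factor failed")
        del self._sessions[token]
        new_token = secrets.token_urlsafe(32)
        s.ip, s.last_seen, s.last_strong_auth = ip, now, now
        self._sessions[new_token] = s
        return new_token


def _outcome(fn):
    try:
        fn()
        return "ok"
    except StepUpRequired:
        return "step_up"
    except Reject:
        return "reject"


def simulate_hijack():
    """Replay the video's scenario against the policy; returns per-step outcomes."""
    store, t0, r = SessionStore(), 1_000_000.0, {}
    owner_ip, thief_ip = "203.0.113.10", "198.51.100.7"   # constructed sample addresses
    token = store.login("owner", owner_ip, t0)
    r["owner_upload"] = _outcome(lambda: store.authorize(token, owner_ip, "upload_video", t0 + 60))
    # Cookie copied off the owner's machine and replayed from elsewhere.
    r["thief_rename"] = _outcome(lambda: store.authorize(token, thief_ip, "rename_channel", t0 + 120))
    r["thief_step_up"] = _outcome(lambda: store.step_up(token, thief_ip, t0 + 130, second_factor_ok=False))
    # Owner, same address, but the strong auth is now 20 minutes old.
    r["owner_rename_stale"] = _outcome(lambda: store.authorize(token, owner_ip, "rename_channel", t0 + 1200))
    new_token = store.step_up(token, owner_ip, t0 + 1210, second_factor_ok=True)
    r["owner_rename_fresh"] = _outcome(lambda: store.authorize(new_token, owner_ip, "rename_channel", t0 + 1220))
    r["thief_old_token"] = _outcome(lambda: store.authorize(token, thief_ip, "rename_channel", t0 + 1230))
    # Mass deletion an hour later: the first ten pass, the eleventh trips step-up.
    t1 = t0 + 5000
    deletes = [_outcome(lambda i=i: store.authorize(new_token, owner_ip, "delete_video", t1 + i)) for i in range(11)]
    r["deletes_ok"], r["delete_11"] = deletes.count("ok"), deletes[10]
    # A token left idle past the timeout is simply gone.
    r["idle_expired"] = _outcome(lambda: store.authorize(new_token, owner_ip, "upload_video", t1 + 11 + IDLE_TIMEOUT + 1))
    return r


if __name__ == "__main__":
    print(simulate_hijack())
```

The point worth noticing is the token rotation in `step_up`: once the legitimate owner re-authenticates, the copy the attacker exfiltrated stops working, which is exactly the outcome the video's "login whack-a-mole" failed to reach while the attacker kept reusing the same session. Binding to the client address is a coarse stand-in for the location checks described; real deployments usually compare coarser signals (ASN, country, device fingerprint) to avoid prompting mobile users on every network change.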