13 Replies. 1 pages. Viewing page 1.
13. Re: Morning Metaverse Mar 27, 2023, 05:40
fujiJuice wrote on Mar 26, 2023, 09:52:
RedEye9 wrote on Mar 26, 2023, 08:38:
In another case of brilliant businessman is brilliant.

Elon Musk puts $20 billion value on Twitter.
That’s less than half of the $44 billion he paid in October 2022.

Twitter did not respond to requests for comment, no doubt due to the fact that Elon got rid of the press department.

Not even the poop emoji reply? Ouch.
Too funny, I don't waste time following people's Twitter accounts and never realized that muskrat had tweeted
"press@twitter.com now auto responds with 💩"
Further cementing the need not to follow anyone on Twitter
“We’ve arranged a society on science and technology in which nobody understands anything about science and technology, and this combustible mixture of ignorance and power sooner or later is going to blow up in our faces." Carl Sagan
12. Re: Morning Metaverse Mar 26, 2023, 11:37
The valuation of Twitter was required under SEC rules because Musk is giving shares to employees as bonus rewards. You can mock him (rightly so) for losing half the company's value, but to be fair he said the company was damn near worthless when he bought it (maybe why he tried to back out of the deal). He hopes to rebuild it to a valuable company again. Good luck with that, but I'm just making the point that this valuation didn't just come out of the blue, nor is it unexpected.

What would have been scandalous is if Musk had falsely inflated the valuation. If you're giving stock as a bonus, you have to assign some kind of realistic value to that stock.

For anyone inside the stock investment world, this really isn't any kind of news. If anything, the Wall Street response is that maybe that valuation is a bit too high.

I personally think he's going to fail, but he's trying to do what Michael Dell did when he took Dell private. The value of that company also tanked afterwards, but eventually became worth four times what it was when it went private.
"I want AI to do my laundry and dishes so that I can do art and writing, not for AI to do my art and writing so that I can do my laundry and dishes."
- Joanna Maciejewska
11. Re: Morning Metaverse Mar 26, 2023, 09:52
RedEye9 wrote on Mar 26, 2023, 08:38:
In another case of brilliant businessman is brilliant.

Elon Musk puts $20 billion value on Twitter.
That’s less than half of the $44 billion he paid in October 2022.

Twitter did not respond to requests for comment, no doubt due to the fact that Elon got rid of the press department.

Not even the poop emoji reply? Ouch.
10. Re: Morning Metaverse Mar 26, 2023, 08:38
In another case of brilliant businessman is brilliant.

Elon Musk puts $20 billion value on Twitter.
That’s less than half of the $44 billion he paid in October 2022.

Twitter did not respond to requests for comment, no doubt due to the fact that Elon got rid of the press department.

“We’ve arranged a society on science and technology in which nobody understands anything about science and technology, and this combustible mixture of ignorance and power sooner or later is going to blow up in our faces." Carl Sagan
9. Re: Morning Metaverse Mar 25, 2023, 07:26
Non-toxic slur, isn't that an oxymoron? How is "To talk about disparagingly or insultingly" not toxic?

Under the new rules you can call me an Asshat and that is not toxic, but you can't call me an Asshat Mick.
Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride! - HT
8. Re: Morning Metaverse Mar 25, 2023, 01:04 Xil
Verno wrote on Mar 24, 2023, 15:23:
Burrito of Peace wrote on Mar 24, 2023, 15:12:
My point is that if you secure your own side, it won't matter what YouTube does. It should be blindingly obvious that you can not, and should not, trust any corporation to give more than a cursory glance at user security if user security is not their core business.

There were multiple points of failure on the LMG side, any one of which could have prevented this from the outset. Well before YouTube got involved.

I have no expectations of Linus to do any of these things because he's basically "a guy who is good at computers" running a 100 million dollar company and has been through numerous debacles already. The hope is that he hires someone competent and stops farting around personally in their infrastructure.

And then he manages to make money out of these debacles as it becomes big news everywhere and his followers see the videos he makes of what happened as transparent and great and whatnot. It's a win:win for him in the end.
7. Re: Morning Metaverse Mar 24, 2023, 16:33
I hope those cameras in Linus' home are from an offline, non-Internet connected CCTV system, and not some cloud based cameras, otherwise the next hack we see may be of his naked butt running around the house
"I want AI to do my laundry and dishes so that I can do art and writing, not for AI to do my art and writing so that I can do my laundry and dishes."
- Joanna Maciejewska
6. Re: Morning Metaverse Mar 24, 2023, 15:23
Burrito of Peace wrote on Mar 24, 2023, 15:12:
My point is that if you secure your own side, it won't matter what YouTube does. It should be blindingly obvious that you can not, and should not, trust any corporation to give more than a cursory glance at user security if user security is not their core business.

There were multiple points of failure on the LMG side, any one of which could have prevented this from the outset. Well before YouTube got involved.

I have no expectations of Linus to do any of these things because he's basically "a guy who is good at computers" running a 100 million dollar company and has been through numerous debacles already. The hope is that he hires someone competent and stops farting around personally in their infrastructure.
5. Re: Morning Metaverse Mar 24, 2023, 15:12
My point is that if you secure your own side, it won't matter what YouTube does. It should be blindingly obvious that you can not, and should not, trust any corporation to give more than a cursory glance at user security if user security is not their core business.

There were multiple points of failure on the LMG side, any one of which could have prevented this from the outset. Well before YouTube got involved.
"Just take a look around you, what do you see? Pain, suffering, and misery." -Black Sabbath, Killing Yourself to Live.

“Man was born free, and he is everywhere in chains” -Jean-Jacques Rousseau

Purveyor of cute, fuzzy, pink bunny slippers.
4. Re: Morning Metaverse Mar 24, 2023, 14:56
Linus is weird because he employs some really competent people but is only a few rungs above a Geeksquad computer janitor himself and this bleeds into their organization. Most places would establish process controls and domain policy to limit these things from happening. I had to laugh when they lost all of their production videos a while ago because they were running a RAID 0 SSD stripe with no backups, it's definitely a fly-by-the-seat-of-your-pants company.

That said, MFA wasn't an issue here and no admin access is needed to steal a session token. He's right that YouTube itself doesn't make content management easy for organizations.

Bonus points to Tech Jesus texting him at 3:14am to alert him first!

JSD Edit.

This comment was edited on Oct 14, 2023, 01:08.
3. Re: Morning Metaverse Mar 24, 2023, 13:53
Without getting into all of that too much, MFA worked where it was supposed to and there was never access to the accounts in question. Which is kind of Linus' point in the video; it shouldn't be so easy to do the damage that was done just by stealing session data, and never having (and YouTube never requiring) actual access to the accounts to do the things they did.

Breaching security to the extent that it was at Linus' end wouldn't have amounted to anything at all if YouTube's end actually required what it should.

2. Re: Morning Metaverse Mar 24, 2023, 12:35
LTT's video is interesting in that it doesn't really explain what preventative steps they are going to take in the future outside of "training". If you're solely relying on training to be your bulwark then this is going to happen again. Humans are the weakest, most vulnerable link. Your email infra should be automatically stripping attachments or isolating them if those attachments don't conform to strict security best practices (and dog do I hate that phrase but it is applicable). I use ProtonMail for my personal and business email, for example. They will strip images out of emails if it seems remotely fishy and give you a plain text version of as much of that email as possible. EXEs? Right out the window (not that it would do me any harm). They also explicitly list out the full name of a file without truncation so you know exactly what it is. They even notify you if that totally legit looking email from "Google" fails its DMARC lookup and if the IP or sending agent doesn't match what they know should be Google. Not in a subtle way, either. The only thing missing is the sound of a siren blaring from your speakers and flashing lights on your screen. Even then, I am sure there would be lusers who would ignore that and execute "HappyPuppiesPlayingTotallyNotMalwarefromRussia.pdf.docx.jpg.exe"

The first question I have is...why are the users at LMG allowed to execute random shit on their workstations to begin with? That's classic domain policy and user management failure. No user, that is not an admin with a very limited scope, should be allowed to install or execute anything that isn't preloaded by SCCM as part of their imaging process and digitally signed. The second question I have is why is your firewall allowing random data streams outbound? You should have clearly defined whitelist and blacklist rules whose default behavior should be set to DENY instead of ALLOW. Some time ago, they did a video on using pfSense as their core router. Using the product extensively myself, I know that such is possible because I do it myself. No outbound traffic is exiting my node that is not on a carefully curated whitelist. So connections outbound to "235432423423cczxc.com" are going to be blocked. I don't even have to worry about it. As large of an organization as LMG is, I would expect them to have a competent, paranoid, well-versed network admin if not architect who can handle that. This would have blocked the exfiltration of the session data. Unless it also set up a temporary VPN connection but that is also viewable and blockable.

Finally, MFA IS NOT SECURITY! IT IS THE ILLUSION OF SECURITY! Yes, I yelled that because it is important. SMS, Google/Authy, email, whatever. All of them assume that you have control of the device that receives that MFA. This is a flawed premise and one that is easily exploitable. The only real auth security are keypairs because one is private and encrypted (or at least, it should be if you can breathe without being constantly reminded to) and should be independent of the device you are receiving the request for tokenization on. For example, I need to unlock and prove my identity on some service. I plug in my Yubikey which is the auth token needed to decrypt the private half of my key that exists on my box. Because the Yubikey is popped at the factory, it is strictly read-only so can not be compromised at the device level. Can my system be? The possibility exists but because the OS I use doesn't run nearly everything as a system service/user or admin user (looking right at you here, Windows), I would get a prompt for an elevated permissions request. That should, and would, make me sit back and go "Huh...that should not be happening. Let's find out what's going on before we proceed." Even so, that's not absolutely foolproof but it is much, much more secure than MFA that relies on you having access to an addressable, writable device.
"Just take a look around you, what do you see? Pain, suffering, and misery." -Black Sabbath, Killing Yourself to Live.

“Man was born free, and he is everywhere in chains” -Jean-Jacques Rousseau

Purveyor of cute, fuzzy, pink bunny slippers.
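
The attachment-name check that post 2 above describes (show the full name, refuse executables hiding behind document extensions), as an added example that is not part of the thread and not any mail provider's actual logic. The extension sets, reason labels and function name are assumptions made for illustration; only the long filename comes from the post.

```python
import unicodedata

# Assumed policy sets for this example; tune them to your own mail gateway.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "msi", "lnk", "js", "vbs", "ps1", "hta"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "mp4"}


def classify_attachment(filename):
    """Return (verdict, reasons); verdict is 'block', 'quarantine' or 'allow'."""
    reasons = []
    # Invisible format characters (e.g. U+202E right-to-left override) can make
    # "invoice<RLO>fdp.exe" render as "invoiceexe.pdf" in a mail client.
    if any(unicodedata.category(ch) == "Cf" for ch in filename):
        reasons.append("hidden-format-char")
    visible = "".join(ch for ch in filename
                      if unicodedata.category(ch) not in ("Cf", "Cc"))
    # Runs of spaces push the real extension out of a truncated display.
    if "   " in visible:
        reasons.append("space-padding")
    # Windows ignores trailing dots and spaces when resolving the name.
    name = visible.rstrip(". ").lower()
    exts = [part.strip() for part in name.split(".")[1:]]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reasons.append("executable:" + final)
        # A document or image extension earlier in the name is there to mislead.
        if any(ext in DECOY_EXTS for ext in exts[:-1]):
            reasons.append("decoy-extension")
        return "block", reasons
    return ("quarantine" if reasons else "allow"), reasons


if __name__ == "__main__":
    samples = [
        "HappyPuppiesPlayingTotallyNotMalwarefromRussia.pdf.docx.jpg.exe",  # from the post
        "invoice\u202efdp.exe",            # constructed: right-to-left override
        "photo.jpg" + " " * 40 + ".scr",   # constructed: space padding
        "setup.EXE. ",                     # constructed: trailing dot and space
        "report.pdf",                      # constructed: benign
    ]
    for s in samples:
        print(repr(s), "->", classify_attachment(s))
```
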
1. Re: Morning Metaverse Mar 24, 2023, 11:16
The LTT video is a must watch.

Here was his previous hack.
Linus got hacked!?!?!? - Honest Answers Episode 3

ThioJoe's video
How YouTubers Are Getting Hacked

,.,.,.,.,.,.,.,.,.,.,.

And the advertisers rush back to Elon's social media platfail, formerly platform.


“We’ve arranged a society on science and technology in which nobody understands anything about science and technology, and this combustible mixture of ignorance and power sooner or later is going to blow up in our faces." Carl Sagan