Author Topic: eevBLAB 110 - Linus Tech Tips HACKED!  (Read 2567 times)


Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
eevBLAB 110 - Linus Tech Tips HACKED!
« on: March 24, 2023, 12:09:01 am »
 

Online Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #1 on: March 24, 2023, 09:56:04 am »


2FA stuff and login timeouts aside, how come a nearly 20 year old platform doesn't support multi-user/shared access to accounts by now? Seems like a lot of effort has gone into making sure nobody can say anything mean in the comments or lest the creator themselves play more than 3 seconds of Start Me Up..

This is why Tiktok is winning.
iratus parum formica
 
The following users thanked this post: SiliconWizard

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14309
  • Country: fr
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #2 on: March 24, 2023, 09:30:17 pm »
Using hardware security keys has become a definite must these days.
And don't use a phone app to replace a hardware security key. May be better than nothing, but there are security flaws all over the place with smartphones.
Now of course, the more employees you have, the greater the risk. LTT is not your average YT channel, I think they have nearly 100 employees?
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #3 on: March 24, 2023, 10:13:59 pm »
Using hardware security keys has become a definite must these days.
And don't use a phone app to replace a hardware security key.

FYI, this forum supports 2FA via Google Authenticator, which is very common with crypto exchanges and the like.
For hardware keys I recommend the Yubikey
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #4 on: March 24, 2023, 10:41:21 pm »
Woah! Who knew this?

 
The following users thanked this post: thm_w

Offline DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5835
  • Country: es
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #5 on: March 25, 2023, 03:06:05 pm »
I expected it to be another silly video about enabling the file extensions, wasn't expecting that at all!
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14309
  • Country: fr
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #6 on: March 26, 2023, 05:22:03 am »
https://xkcd.com/1137/

Always scan files you receive by e-mail. Even if they look like PDF.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11228
  • Country: us
    • Personal site
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #7 on: March 26, 2023, 06:27:36 am »
I expected it to be another silly video about enabling the file extensions, wasn't expecting that at all!
This LTR/RTL stuff was also successfully used to inject security holes into source code that easily pass regular human review.

With C and other older languages you need to be creative, but many modern languages accept Unicode in the main language part. There are a lot of Unicode tricks that work and can easily pass reviews.

For code editors and review tools, display of hidden characters should be a standard feature.
Alex
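An added example for the two posts above (not code from the video, the thread or any project it mentions): a small scanner that does what ataradov asks of an editor, making Unicode bidi control characters visible, and that shows the filename trick concretely. The sample filename and source lines are constructed; the display simulation handles only the right-to-left override, which is all the filename trick needs, and is not a full implementation of the Unicode bidi algorithm.

```python
"""Detect Unicode bidirectional (bidi) control characters in filenames and
source lines. Added example for this thread, not code from the video or the
forum; the sample inputs below are constructed."""
from typing import Dict, List, Tuple

# Unicode bidi controls that change display order without being visible.
BIDI_CONTROLS: Dict[str, str] = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
    "\u202C": "PDF",                      # ends the most recent embedding/override
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200E": "LRM", "\u200F": "RLM",
}


def find_bidi_controls(text: str) -> List[Tuple[int, str]]:
    """Return (index, short name) for every bidi control in text."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def reveal(text: str) -> str:
    """Replace each bidi control with a visible <NAME> tag, the way a review
    tool or editor should show it."""
    return "".join(f"<{BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch for ch in text)


def displayed_filename(name: str) -> str:
    """Approximate what a file browser shows: text after an RLO (U+202E) is
    reversed until a PDF (U+202C) or the end of the string; other controls
    are dropped. Simplified bidi handling, enough for the filename trick."""
    shown: List[str] = []
    run: List[str] = []
    reversing = False
    for ch in name:
        if ch == "\u202E":
            reversing = True
        elif ch == "\u202C" and reversing:
            shown.extend(reversed(run))
            run, reversing = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif reversing:
            run.append(ch)
        else:
            shown.append(ch)
    shown.extend(reversed(run))
    return "".join(shown)


def real_extension(name: str) -> str:
    """Extension the OS actually uses: after the last '.' in the raw name,
    ignoring any bidi controls."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def displayed_extension(name: str) -> str:
    """Extension a human sees once the bidi override has reordered the text."""
    shown = displayed_filename(name)
    return shown.rsplit(".", 1)[-1].lower() if "." in shown else ""


def extension_mismatch(name: str) -> bool:
    return real_extension(name) != displayed_extension(name)


def is_disguised_filename(name: str) -> bool:
    """Filenames have no legitimate need for bidi controls, so any is a red flag."""
    return bool(find_bidi_controls(name))


def scan_lines(lines) -> List[Tuple[int, int, str]]:
    """Report (line number, column, control name) for a file under review."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for idx, ctl in find_bidi_controls(line):
            hits.append((lineno, idx, ctl))
    return hits


# Constructed samples: a disguised filename and a source line with hidden controls.
SAMPLE_FILENAME = "invoice_\u202Efdp.exe"   # shown to the user as invoice_exe.pdf
SAMPLE_SOURCE = [
    'access_level = "user"',
    "\u202E } \u2066 if (is_admin) \u2069 \u2066 begin",   # reorders what reviewers see
    "return access_level",
]

if __name__ == "__main__":
    print(reveal(SAMPLE_FILENAME), "->", displayed_filename(SAMPLE_FILENAME))
    print("real extension:", real_extension(SAMPLE_FILENAME),
          "shown extension:", displayed_extension(SAMPLE_FILENAME))
    for lineno, idx, ctl in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno} col {idx}: {ctl}")
```

Run it as a script and the first line prints `invoice_<RLO>fdp.exe -> invoice_exe.pdf`: the bytes on disk end in `.exe`, the screen ends in `.pdf`. The same `scan_lines` loop can be pointed at a diff before review; a clean code base should produce no hits at all outside string literals.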
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14309
  • Country: fr
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #8 on: March 26, 2023, 08:26:19 pm »
That's one of many reasons for being ultra-cautious before accepting Unicode in a programming language. It's fine in string literals, but I for one am not convinced for anything else.

Of course you can always restrict Unicode support to avoid all these weird "characters", but I'm not so sure it's even possible, given the gigantic number of Unicode characters available.
And of course same should be done for file names if possible.
Anyway, "interesting" that Unicode can be a potential source of security holes.

And that said, the core point with session IDs is a freaking disaster. Good thing if it makes more people aware of that.
Google is particularly bad with this actually (even if it's far from being the only one.)
Take your Google accounts - you can stay connected to them almost indefinitely. On your mobile phone, it's always connected. You enter your account password ONCE when configuring your phone, and that's it. It never asks for it ever again. In a web browser with gmail, almost the same thing. I have a tab opened with one gmail account. It stays open almost all the time, and it almost never gets disconnected on its own. Sure that's convenient for users, but that's a disaster security-wise.
« Last Edit: March 26, 2023, 08:32:11 pm by SiliconWizard »
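An added example for the session point in the post above (not code from Google, YouTube or the video): the server-side policy that a long-lived session cookie is missing. Sessions expire after an idle period and after an absolute lifetime regardless of activity, tokens are rotated after login or privilege changes, and all of a user's sessions can be revoked at once. The timeouts are assumed values, the clock is passed in as a parameter so the policy can be exercised without waiting, and only a hash of each token is stored so that a copy of the store is not a copy of everyone's cookies.

```python
"""Server-side session policy: idle timeout, absolute lifetime, rotation and
revocation. Added example for this thread, not code from Google, YouTube or
the video; the timeouts are assumptions and the clock is injected."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60          # assumed: expire after 30 minutes without a request
ABSOLUTE_LIFETIME = 12 * 3600   # assumed: force re-authentication every 12 hours


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Keeps only a SHA-256 hash of each token; the raw token exists only in
    the client's cookie, so a leaked store cannot be replayed as cookies."""

    def __init__(self, idle: float = IDLE_TIMEOUT, absolute: float = ABSOLUTE_LIFETIME):
        self.idle = idle
        self.absolute = absolute
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user if the session is live, else None (and drop it).
        A stolen cookie stops working at the absolute lifetime even if the
        thief keeps it active, and sooner if it sits unused."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        if now - s.created > self.absolute or now - s.last_seen > self.idle:
            del self._sessions[key]
            return None
        s.last_seen = now
        return s.user

    def rotate(self, token: str, now: float) -> Optional[str]:
        """Issue a fresh token and kill the old one; do this after login and
        after any privilege change, so an earlier copy of the cookie is useless."""
        user = self.validate(token, now)
        if user is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(user, now)

    def revoke_user(self, user: str) -> int:
        """Kill every session of a user, e.g. on password change or suspected
        compromise; returns how many were dropped."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore(idle=600, absolute=3600)
    tok = store.create("alice", now=0.0)
    print("after 5 min:", store.validate(tok, 300.0))     # alice
    print("after 70 min idle:", store.validate(tok, 4500.0))  # None
```

The absolute lifetime is the part that matters against cookie theft: an idle timeout alone never fires for an attacker who keeps using the session, and neither does "remember me" style persistence.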
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #9 on: March 26, 2023, 10:09:43 pm »
I expected it to be another silly video about enabling the file extensions, wasn't expecting that at all!

me too. Totally wasn't expecting that, had no idea it was possible.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #10 on: March 26, 2023, 10:11:21 pm »
https://xkcd.com/1137/
Always scan files you receive by e-mail. Even if they look like PDF.

Gmail always does that for me, and if it detects something sus then it doesn't import it just leaves it on my server and sends me an email. It's got a built in viewer for PDF too, so I don't need to open an external PDF viewer.
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6278
  • Country: ca
  • Non-expert
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #11 on: March 27, 2023, 09:16:15 pm »
https://xkcd.com/1137/
Always scan files you receive by e-mail. Even if they look like PDF.

Gmail always does that for me, and if it detects something sus then it doesn't import it just leaves it on my server and sends me an email. It's got a built in viewer for PDF too, so I don't need to open an external PDF viewer.

From the other thread, the fake pdf file was zero-padded to be 700MB. Which meant gmail did not scan it for viruses (100MB limit).
 
The following users thanked this post: SiliconWizard
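An added example tying together the "always scan, even if it looks like a PDF" advice and the zero-padding detail above (not code from the video, the thread or any mail provider): a few checks that survive a file being too large for a scanner. The archive it inspects is constructed in memory, an executable-style MZ header padded with zeros and named as a PDF next to a harmless text file. The 100MB limit is taken from the post above as an assumed scanner threshold; the ratio and zero-fraction thresholds are assumptions.

```python
"""Inspect an e-mail attachment archive for an executable named like a
document and for zero padding that pushes a file past a scanner's size
limit. Added example, not code from the thread or any mail provider; the
archive built here is constructed for the demonstration."""
import io
import zipfile
from typing import Dict, List

PDF_MAGIC = b"%PDF"
MZ_MAGIC = b"MZ"                   # Windows executables start with these two bytes
SCAN_LIMIT = 100 * 1024 * 1024     # assumed scanner limit, per the 100MB figure above
SUSPICIOUS_RATIO = 100             # assumed: real documents rarely deflate beyond ~10:1


def build_constructed_sample(padding: int = 1_000_000) -> bytes:
    """Constructed archive: a tiny MZ stub padded with NUL bytes, named as a
    PDF, plus a benign text file."""
    fake_pdf = MZ_MAGIC + b"\x90\x00" + b"stub" + b"\x00" * padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("sponsor_terms.pdf", fake_pdf)
        z.writestr("readme.txt", b"Hi, please see the attached terms.\n")
    return buf.getvalue()


def zero_fraction(blob: bytes) -> float:
    """Share of NUL bytes; padding used to inflate a file gives a value near 1."""
    return blob.count(0) / len(blob) if blob else 0.0


def inspect_zip(data: bytes, max_scan_bytes: int = SCAN_LIMIT,
                sample_bytes: int = 64 * 1024) -> List[Dict]:
    """One finding per member, read from the archive directory and the first
    few KB of the member only, so a huge padded file costs nothing to check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            with z.open(info) as member:
                head = member.read(8)
                body_sample = member.read(sample_bytes)
            name = info.filename.lower()
            ratio = info.file_size / max(info.compress_size, 1)
            findings.append({
                "name": info.filename,
                "uncompressed": info.file_size,
                "compressed": info.compress_size,
                "ratio": ratio,
                "magic": head[:4],
                "looks_executable": head.startswith(MZ_MAGIC),
                "extension_mismatch": name.endswith(".pdf") and not head.startswith(PDF_MAGIC),
                "high_ratio": ratio > SUSPICIOUS_RATIO,
                "over_scan_limit": info.file_size > max_scan_bytes,
                "zero_fraction": zero_fraction(body_sample),
            })
    return findings


def is_suspicious(finding: Dict) -> bool:
    flags = ("looks_executable", "extension_mismatch", "high_ratio", "over_scan_limit")
    return any(finding[k] for k in flags) or finding["zero_fraction"] > 0.9


if __name__ == "__main__":
    for f in inspect_zip(build_constructed_sample()):
        print(f["name"], f["uncompressed"], "bytes, ratio %.0f:1" % f["ratio"],
              "magic", f["magic"], "SUSPICIOUS" if is_suspicious(f) else "ok")
```

The point of reading only the header and a sample is that the size limit which stops a scanner is exactly what makes this check cheap: the compressed size and uncompressed size are in the zip directory, and eight bytes of content already tell a PDF from an executable. A file whose name and magic disagree should never reach a double-click.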

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37664
  • Country: au
    • EEVblog
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #12 on: March 27, 2023, 10:58:29 pm »
https://xkcd.com/1137/
Always scan files you receive by e-mail. Even if they look like PDF.

Gmail always does that for me, and if it detects something sus then it doesn't import it just leaves it on my server and sends me an email. It's got a built in viewer for PDF too, so I don't need to open an external PDF viewer.

From the other thread, the fake pdf file was zero-padded to be 700MB. Which meant gmail did not scan it for viruses (100MB limit).

Even if it didn't scan it, would code actually be able to execute using the internal gmail PDF viewer?
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6278
  • Country: ca
  • Non-expert
Re: eevBLAB 110 - Linus Tech Tips HACKED!
« Reply #13 on: March 27, 2023, 11:12:59 pm »
Even if it didn't scan it, would code actually be able to execute using the internal gmail PDF viewer?

No, it wouldn't execute using the internal PDF viewer.
But it was also zipped. Gmail won't let me read the PDF if it's in a zip file. It only lets me see the file names in the zip, and then download said zip file. Maybe there is a way around it but it's not obvious.

"Hey here's our sponsor package, please see terms inside: sponsor_docs.zip" something like that.
« Last Edit: March 27, 2023, 11:14:33 pm by thm_w »
 

