Is Elon Musk a Security Expert? - ThreatWire

  • Published on 6 Jun 2024
  • ⬇️ OPEN FOR LINKS TO ARTICLES TO LEARN MORE ⬇️
    @endingwithali →
    Twitch: / endingwithali
    Twitter: / endingwithali
    YouTube: / @endingwithali
    Everywhere else: links.ali.dev
    Want to work with Ali? endingwithalicollabs@gmail.com
    [❗] Join the Patreon→ / threatwire
    0:00 Intro
    00:10 1 - NextJS Vulnerabilities Discovered
    02:06 2 - New Technique Allows VPN Bypass
    04:31 3 - FIDO2 Flaw Exposes MITM Attack
    05:51 4 - Signal Vs Telegram
    08:24 5 - Outro
    LINKS
    🔗 Story 1: NextJS Vulnerabilities Discovered
    portswigger.net/web-security/...
    github.com/advisories/GHSA-77...
    github.com/advisories/GHSA-fr...
    cybersecuritynews.com/next-js...
    🔗 Story 2: New Technique Allows VPN Bypass
    www.leviathansecurity.com/blo...
    cybersecuritynews.com/tunnelv...
    🔗 Story 3: FIDO2 Flaw Exposes MITM Attack
    www.silverfort.com/blog/using...
    gbhackers.com/fid02-mitm-vuln...
    🔗 Story 4: Signal Vs Telegram
    www.city-journal.org/article/...
    www.ccn.com/news/technology/t...
    www.businessinsider.com/elon-...
    / 1787589564917490059
    news.ycombinator.com/item?id=...
    nitter.poast.org/matthew_d_gr...
    ____________________________________________
    Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.
  • Science & Technology

Comments • 134

  • @neverendingstudent 22 days ago +20

    From the perspective of helping to increase public awareness of AI capabilities, I appreciate the ploy of '1 of our stories is AI generated, can you tell which?' AI has gotten scary capable, and is only improving. Definitely important for people to have as up-to-date as possible an understanding of what it can and is being used for.

    • @Nichrysalis 22 days ago

      The advent of generative AI combined with quantum computing genuinely concerns me for how this could be used to manipulate media.

  • @LordDemonos 22 days ago +8

    Thank you for giving us security news in a clear and professional manner.

  • @meh.7539 22 days ago +58

    Signal. No question.

    • @bobbyjohnson116 22 days ago +4

      Meshtastic

    • @inund8 22 days ago +5

      Yall are responding with answers not allowed by the question. Signal is way less sketch than Telegram, but y'all are right that we shouldn't exclude other alternatives.

    • @glowingone1774 22 days ago +1

      Matrix, but its founding is also shady, ex 8200 types, but you can still self host it i guess
      XMPP+OMEMO, tox and briar are all better options

    • @meh.7539 22 days ago

      @inund8 I didn't say "exclusively". I just don't have questions about using it.

    • @dracula7779 21 days ago +1

      Neither, no phone easy

  • @skirk16 18 days ago +1

    Didn't know you were an SE from MIT, that's so cool! Your inherent interest in the topic was more than enough qualification, but it's awesome to know you're thriving in your career space as well!

  • @frankey3732 21 days ago +2

    How about plaintext messages saved locally?
    Signal has transport encryption; messages on clients are not encrypted.
    This means you can read and exfiltrate messages if you get to the machine.
    Or if your machine gets compromised.

  • @chadddada 22 days ago +1

    Thanks for the heads up on NextJS!

  • @QR5-cyber-exp 22 days ago +3

    Showing my age here….. but back in the 90’s (in Australia) we weren’t allowed to release a communications service unless it was “interceptable” by the Signals Directorate (with appropriate authorization). Seems like an eon ago now.

  • @jsaenzMusic 22 days ago

    So glad I found your channel! Your news is the ish!

  • @lossless4129 20 days ago

    Getting better every single show, loving it. Keep it rolling!

  • @mytechnotalent 22 days ago +18

    Great one Ali! I vote Signal, hands down.

  • @AnonMedic 22 days ago +1

    I used AI to write part of an article on my news website, and asked friends to guess what part AI wrote.
    So I absolutely love that you're doing the same thing with threatwire.

  • @brettlaw4346 22 days ago +3

    Signal - The assumption that the app source code is that app being installed is a big one. There are also host device compromises like the keyboard, general hacking, etc. Not sure if signal uses a secure terminal and trusted execution environment, otherwise you could have some buffer reads from other applications.

  • @QR5-cyber-exp 22 days ago

    Great summary. I love the connect back to previous research.

  • @jamesdriscoll1658 22 days ago +9

    The FIDO 2 story was written by AI

    • @jmr 22 days ago

      My guess as well!

    • @jmr 21 days ago +1

      @asksearchknock I'm not trying to pick out the AI. I'm trying to pick out Ali. I think it might be more consistent to find hints of her writing then whatever is left must be the AI.

  • @mrmarkom 22 days ago +2

    Great work Ali! I could not guess the story - every time I thought I can guess it, I was not really sure. Btw, which AI did you use to write this story? Keep up great work!

  • @paulw3182 21 days ago

    Great video, mom's advice still rings true 'Be humble, and take compliments while you can' - It's wonderful you're making Threatwire your own, keep up the excellent work - Your coding channel is interesting.

  • @jasonirvin6782 22 days ago +3

    Thanks friend good stuff!

  • @cZar_Void 22 days ago +14

    "New Technique Allows VPN Bypass" absolutely has to be the GPT story. The concluding words were a bit off.

    • @pcislocked 22 days ago

      yup...

    • @jmr 22 days ago

      I've given up trying to detect AI and switched to trying to detect Ali. I think it's the Fido story this week.

  • @jaybrooks1098 20 days ago +3

    Let me let everybody in on a secret. There's no such thing as a secure chat.

    • @andrefriedelnyc 15 days ago

      Let ME let you in on a little secret: If you encrypt your messages with PGP standard implementation, then you too can experience an environment that can only be viewed with the decryption key... and unless a quantum computer is used to brute-force a decryption key, you're safe. If it's good enough for military and state secrets, I'd wager it's good enough for you too...

  • @MrGFYne1337357 22 days ago +19

    lol, (my take) ALI -- "thanks for calling me pretty, But don't forget, I'm an M.I.T. grad. and I'll pwn you in seconds." 😅

  • @somethingelse25 22 days ago

    Found the signal and telegram story interesting and also the VPN one too. Thank you! Hopefully I'll be able to do a career in Cyber Security. ☕

  • @paulw3182 19 days ago

    Your tweet "Look at my code and then tell me I'm pretty" Awesome! Your analysis of MIT vs the real world is spot-on. It's impressive you began coding so late, so many just give up. What is your take on the BreachForums "cartoons"?

  • @_mrcrypt 22 days ago +1

    Thanks for the infos! 🍷😎🏴‍☠️

  • @repairstudio4940 22 days ago

    Thanks Ali! 🎉

  • @linuxliaison 20 days ago

    Kudos to you for being able to read out those numbers over and over :P

  • @awesomesauce804 19 days ago +1

    Good stuff. I appreciate that you stood up to the "cute" comments. Unfortunately this is something you will probably need to be firm about for your entire career. Great content. Keep up the good work.

  • @mrldtj 22 days ago +2

    😂 I'm a subscriber but that title did make me chuckle.

  • @isaacyukon5869 13 days ago

    00 You mean people don't read RFCs starting with RFC72 anymore? 11 RFC72 is a requirement.

  • @tech1238 21 days ago

    Good vid thanks

  • @sanantohomie 22 days ago +1

    Ali the mic needs a foamy top or something, i can hear scratching sounds OR post process the audio to remove the scratchy noises

  • @azryelkelly7851 21 days ago

    Nice ASMR hair rubbing the microphone throughout the whole video. 😜 Guessing there's no MIT sound tech on staff. Love the videos!

  • @kilosan 22 days ago +4

    Is Shannon coming back once in a month?

    • @jmr 22 days ago

      Shannon is doing her own channel. I don't know anything about any guest appearances though.

  • @asificam1 22 days ago +1

    Much as I see the advantage of password-less logins. I dislike them because now you have single factor authentication since the server can't be sure the user has a PIN even if they ask the USB key to require one, and your USB key has to store discoverable credentials. I prefer the U2F model since they use the same math but the credentials are not discoverable, and since they're not stored on the key, they're able to be used for an infinite number of logins. But since U2F is assumed to be a second factor, you now have a forced use of a thing you know and a thing you have in order to log in which is (in my opinion) much better than handing the thing you know to the key to handle, especially if everyone has a USB key in the future.

    • @jmr 22 days ago

      I would argue using an authentication key as a second factor is superior but for different reasons. How do you think they will discover your credentials on the key?

    • @asificam1 22 days ago

      @jmr Passwordless login uses what are called "discoverable credentials". They occupy a "slot" and most keys today have only a limited number of slots. So most people will need to have several keys just to log in via passwordless methods if this catches on.
      As to how discoverable the "discoverable credentials" are, I have not looked into this, I know that I can list them all if I have the key, but I would assume (and hope) that FIDO2 says that the key will only return a credential for a matching account or at least domain. However, someone who has the key can see where it goes which means no plausible deniability, and if there is a bug that allows the PIN to be bypassed or the pin try limit removed, or a leak of the pin another way like by writing it down and losing it, well, now the attacker has the key and knows where it goes.
      However, with U2F, the credentials are encrypted on the key and sent to the server. so only the right key can use them, but there is no way to prove that a key opens an account without trying every single account and seeing which ones work... even if there is no PIN or the PIN is bypassed (sometimes U2F has PINS too though) if an attacker has access to the key... they don't know which of the several billion locks it opens... not all that helpful for them and gives me time to react by deleting that user's key.

  • @Blessed_2_Be_Born_In_America 3 days ago

    All I know is signal sucks for sharing videos with its 50MB filesize limit.
    Telegrams limit is 4GB.
    My YT gymnastics channel wouldn't be possible on signal.

  • @itsdeonlol 22 days ago

    W episode Ali!!!

  • @mohamedissa9760 20 days ago

    The story about VPN DHCP bug was written by an AI

  • @loves2tinker 21 days ago

    Might be interesting to see you and ChatGPT 4o have a discussion about the security landscape (instead of reporting important news). That way you can flex your knowledge so people see more of your career side.

  • @itzdm0r3 21 days ago

    I think the story about signal is the "fake" one.

  • @herauthon 22 days ago

    Bummr.. there is DHCP/DNS noise - i have to check my cave

  • @debugin1227 22 days ago +1

    Signal for the win

  • @blueskyresearch6701 18 days ago

    What about pgp messages shared via sftp.
    If you're really concerned with being secure don't trust other people's servers or backends.
    Also if you can manage it a modern flash drive can hold a one time pad large enough to serve a life time of communication.

    • @blueskyresearch6701 18 days ago

      Should also add this should all be done with a properly configured OS such as TAILS.
      The problem with the diy approach is you likely wind up with scratch files of plain text and if not done on the correct os also plain text fragments in virtual memory swap files.
      So you do need something that encrypts from the keyboard to the destination, you can't expect everyone to configure firewalls and routers so you do need some minimal backend to handle firewall traversal.
      Also there is just the matter of remaining anonymous so you should run this all over something like tor. Is tor still considered secure?

  • @fastmover45 22 days ago +2

    Signal FTW

  • @TheGrigerz 22 days ago +2

    😮

  • @IshaqIbrahim3 21 days ago

    Timeline: 5:35 Man in the MIDDLE! 🤣

  • @S.C.D. 21 days ago

    💓

  • @richardlee3253 12 days ago

    How do you use signal if the smart phones have a cellular cpu with higher priority on the bus?! We are all sitting in the back of the data bus on our smart phones. What can you hide from people with that kind of backdoor? And then there is the continual backdoors in wifi, bluetooth, usb, etc. its a big joke.

  • @LP-fy8wr 20 days ago

    The entire dam thing sounds like AI.

  • @THEMithrandir09 21 days ago

    Telegrams encryption was made by 5 math dudes and isn't opensource, so insecure by default. If you're worried use matrix.

  • @Tech-NO-City 21 days ago

    I need your help plugging in my ethernet cable

  • @youtubevanced8789 22 days ago

    I LOVE ALI ❤❤❤

  • @vasquezjesus1020 13 days ago

    Gamer the movie is irl?

  • @jmr 22 days ago

    Fido story is AI. I think what I've learned from the one AI story a week game is not that I can't tell them apart but that OUR HOST IS ALSO AI! Duh, duh, duh! 😆 /teasing.

  • @netoeli 22 days ago +4

    man elon is the expert on everything , hes got skills for this and that, the dude can do it all, he also does all his shopping! amazing

  • @MatthewCallier 22 days ago +1

    Another awesome episode.

  • @su8z3r03 22 days ago +1

    @2:07

  • @WickdPerfekT 20 days ago

    Defcon is canceled.

  • @inund8 22 days ago

    Love the shirt! But Ali, are you sure you can't make yourself look bigger? Like resize yourself so you take up more of the frame? Or rearrange your furniture so you be closer or have the camera pointed lower? You just look so small and short and it is a widdle bit distracting. Which is a shame since everything else feels very high production and well reported!

  • @CapuiICazzu 22 days ago +1

    Im not sure what the this has to do with elon musk im assuming its the signal stuff

    • @asksearchknock 21 days ago

      7:55 Elmo decided to tweet about signal, once again showing the world just how little he knows about anything

    • @CapuiICazzu 21 days ago +1

      @asksearchknock yeah thought so thx for timestamp

  • @SkillfulHacking 22 days ago +5

    How about don't commit crime instead of don't get caught. 😢

    • @dcquence 7 days ago

      Don't get caught by the threat actors, not, don't get caught doing illegal stuff.

  • @mrvincefox 22 days ago +3

    Clickbait using Elon musk in title

  • @stevenpugh5412 20 days ago

    I think the Elon Musk story was AI: absolutely idiotic for him to get involved.
    How’s that quote go “better to be thought a fool than tweet and remove all doubt”. Of course the same could be said about this comment…

  • @OurSpaceshipEarth 19 days ago

    Anyone heard FTX can pay its customers they are LOADED hahaa

  • @GuyMassicotte 22 days ago +1

    No one can pretend to be a security expert until they are minimally able to detect and block pegasus;)

  • @ardawanx 8 days ago

    Lol. Congratulations to JS fans

  • @dazztee 22 days ago +6

    Ali is Awwsome Hak5 got an upgrade

  • @hiamealhilwa6684 22 days ago

    😘

  • @davidholliday6772 22 days ago +2

    I deleted Signal over 2 years ago .

  • @C.J... 22 days ago +3

    ❤DIMPLES!❤ nice 70s get up girl.

  • @endingwithali 22 days ago +4

    clickbait title GOTCHA ;)

  • @briannunya2838 22 days ago

    Ad freeeeeeeeee

  • @HomeBurger 20 days ago

    Notice how Ali speaks slowly and uses smaller words when talking to the javascript viewers. Gotta know your audience.
    disclaimer: this is a joke

  • @asksearchknock 21 days ago

    Great job on standing up for yourself and I hope that the community will support you I’m telling anyone who makes inappropriate comments where to go. I’m 100% behind you - Us rats 🐀 got to stick together

  • @wandererx86 22 days ago +2

    wack title

  • @AlexRodriguez-ci8ro 22 days ago

    Where is Shannon

    • @donamills 22 days ago

      She dedicated her time to her own channel.

  • @carsonjamesiv2512 21 days ago

    TECHNOLOGY IS 😃 == 😡

  • @Proxyone444 22 days ago

    ALI is LOVE

  • @christopherjosephsimmons 22 days ago

    I'm your 711

  • @UNcommonSenseAUS 22 days ago +1

    What's funny is this show going down the toilet.

    • @asksearchknock 21 days ago

      You know being here is not mandatory right? There are loads of other channels you could go and watch yet you come here and then moan. Why would you watch a channel you don’t like?

  • @kevinm3751 22 days ago +1

    He built PayPal, so yeah I would say he is a security expert!

  • @Private-GtngxNMBKvYzXyPq 21 days ago

    nolE has it bass ackwards.

  • @ActiveResearchYouTube 22 days ago +3

    What's ur OF tho?

  • @aboselaiman 21 days ago +1

    With these Dimples I can't pay attention to what she is saying.

    • @asksearchknock 21 days ago +2

      I assume then you also missed the part where she reminded you she’s an MIT educated software engineer and your comments are not welcome or appropriate.

  • @ronak3600 22 days ago +3

    Change the host!!!

  • @budminer0077 19 days ago

    It was the cute ai generated dimples

  • @cardrivingdude 22 days ago +8

    Triggered by your title. Muskrat is an expert at having daddy money, and opening his wallet. That's about it. Don't believe me?
    Take a look at his original ideas.
    "hYpErLoOP"

    • @xyanide0101 22 days ago

      Looks like someone is woke, or got roasted by shorting tesla, or maybe both.

    • @cardrivingdude 21 days ago

      @asksearchknock I'm shocked at the number of people that have no idea how the world works. They must picture Muskrat rolling up his sleeves and just "building a rocket".