honestly that kid is pretty based, wish more people did this so pip/node/etc etc would DO SOMETHING ABOUT THE GARBAGE THAT IS PACKAGE MANGERS. There isn't proper verification or review or literally anything at all basically.
I mean for arch to get popular it needed to have unofficial packages. you shouldn't need to go through 50 levels of verification to get a package uploaded
I think the "not ransomware" idea is good. Guy has no malicious intent, freely provides the encryption key, and in doing this alerts the "victim" to the bad practices they used that led to them getting the ransomware. It would be nice if he let them know that it was not a scam with a short paragraph explaining what he's doing along with the Discord invite, just to reduce the chance of panic like you described.
Developers are not necessarily that great with computers though. A lot of (professional) developers are just in it for the money and don't bother with anything they don't have to, but I agree that he doesn't deserve to be punished.
@@aiuno i mean, the message quite clearly says "join this discord server to unlock your files" so even if you're not too great around computers, you're technical enough to know what discord is
@@FAB1150 And of course developers are those gullible people that would just do what the ransomware says? I know enough about computers to know that my RAM doesn't need to be fixed by clicking a link. Why would i trust this discord server?
@@chrisakaschulbus4903 what? Ransomware 1-doesn't do anything with RAM, and 2- yes that's literally how it works. It encrypts your files and you can decrypt them by receiving a key and putting it into the program (usually by paying a ransom... get it? Ransom-ware? That's where the name comes from.). Obviously you get on the discord that's literally listed on the ransomware page, it's where you expect to find the information to pay the ransom. The "weird" thing this one does is that it just gives you the key for free. You either aren't a dev or are one of those developers who don't know how a computer works at all. Lol
@@FAB1150 Yes, it's not ransomware what he did, but you don't know that. Even as a programmer. You see this pop up and your first instinct would be "lets check this discord server out because it promises me to get my files back"... really?? My example of the RAM scam comes from popups that claim your system needs to be repaired or something. As a programmer (or even a gernal pc-noob tbh) you should know better than to just follow the instructions a funny popup gives you. Don't pretend to miss all those points...
It isn't inherently wrong coding malware. Plenty of researchers and devs do it in white hat sense, to learn more about potential vulnerabilities. I don't think he did a single "wrong" thing.
@@posthsc2635 I think that's a poor way of looking at it frankly. The ease of access and wealth of information on creating such scams and hacks is staggering. More "genuine" people getting experience with these things I believe is always a good thing. No scammer is using his python code, not when there is free programs to create ransomware with your own BTC addresses and the like. In the grand scheme if the researcher is correct and 235 or so people did have their computers irreparably encrypted I'd argue that's a negligible amount of damage in the grand scheme of things. Even script kiddies can get well north of that with minimal effort. All in all, I can't even be mad
@@AnonsTreasures That's not the point i am making. Heck I was on this last summer holiday. I am not blaming the boy, at all. I am just saying that no matter how genuine your actions may be, there are always people out there who will use your "kindness" or "good will" to their advantage. That's why it's up to the people who use the tools.
I was in Honolulu when they had the missed crisis. I was at work and after the sirens went off we made out way to a church nearby. After the news stated the it was a accidentall missle alert. My boss sent all of us back to work.
I'd imagine anyone downloading and installing python packages is a tech-savvy person, likely a software dev. They probably won't just delete the encrypted files
I think the ransomware kid didn't understand it was a potential cybercrime, but I also don't think he's done anything bad either if everything is irreversible for free
The kid did something very impressive. He didn't *have* to include a decrypt mechanism for the victim's files, but he did. It was dumb to actually deploy his idea, but the innovation and hacking behind it was quite clever and should be rewarded and nurtured in a safe environment. Preferably an environment with oversight 😂
Would have been funny if the ransomware guy forgot to set the correct access control for the channel where new "victims" were announced and then he just went with the story once contacted by the security researchers.
Surprisingly, most of the known exploit developers on roblox actually started around age 14 or so, and their exploits still exist being updated weekly. OHR is smart, but there are a lot of younger people doing this more and more now
You might want to remove those tones out of the video. FCC might submit a takedown notice thru TH-cam. From the Emergency Broadcast System wiki: To protect the integrity of the system, and prevent false activations, the FCC prohibits the use of actual or simulated EAS/WEA tones and attention signals outside of genuine alerts, tests, or authorized public service announcements
EBS? This is EAS. Also, FCC doesn't care about tones as TH-cam is literally filled with EAS scenarios with no problems (valid tones). If you want to learn how EAS works, watch SomeOrdinaryGamers EAS video and in the comments, you'll see a lot of people giving good explanations on how they work. If you want a quick summary: it is only illegal if you play valid tones on news medias or public places (TH-cam has no EAS equipment so nobody gets in trouble from it)
Those beginning tones, or "alert tones", arent the issue. The long beep after them is the one that is illegal to use. I believe HAI did a video about them. Or Wendover. Theyre the same channel in my mind
The OHR kid is awesome, not only can he make things like that at a young age, but he didn't cause much more than a panic moment for most affected, and likely taught developers and users to be more careful
What is shown in the video is actually an EAS Encoder. While decoders do exist, they cannot send out alerts. Encoders have their own Decoders built in, but since they can encode and send messages, they are called Encoders. The one shown in particular is a Digital Alert Systems DASDEC One-net, which has been discontinued and phased out in favor for the DASDEC II. There are older versions of EAS Encoders which rely on receiving messages through SAME Headers, which it decodes and resends with its stations details. Digital Encoders, which are used today, connect to the internet, and the IPAWS servers, which it gets alerts from.
Kinda troubling to know that the various stations need to be encouraged to update their EAS decoder, you’d have hoped it’d be turnkey that it’d never be out of date
That kid is just doing a public service. People don't take security seriously until it directly effects them. A "this could have been much worse" moment encourages people to take precautions.
If I got access to one of the emergency broadcast systems, I would broadcast out "A working McDonalds icecream machine has just escaped out of Area 52, and is on the run. If you find him, grab him, go to your nearest 5g tower, and perform a satanic ritual"
So it's super easy to fool weather radios and other devices that listen to the analog sound of noaa. If you use a hack rf and broadcast the same codes and the alert tone it will trigger them to go off.
I have a screenshot of a public alert sent out in Missouri, that basically stated a purple ford mustang, with lisence plate saying JKR and in hannibal Missouri...
@@42isTh3Answ3r nah they wont sue, he had intentions to give away the keys from the start. he caused no damage, if someone sues they would be loosing more than gaining
To the part about the ransomware, he should probably realize that content on Discord is a part of the Dark Web (like any chat application), as it is not indexable by search engines (it's private) and requires a special application to access (Discord). Forcing people to open Discord is a concern in an on itself since Discord is known for some Facebook/Microsoft-like behaviour and I wouldn't be surprised it was beaming home. Also let's not forget that it breaks the Discord ToS, as mentioning that hacking exists breaks it so the server might be taken down. Personally, I consider it non-malicious ransomware, similar to rensenWare except it lacks the funny aspect. Instead of using Discord they could've just, shown the decrypt key or smth. I personally would consider that an attack anyways, and while I'd laugh at myself if I was gotten by rensenWare I'd def just be angry at the author of this one. While it's not as bad as if it was some truly malicious software it is still malware. Just to clarify the malware part is the part which installs it, not encrypts the data.
I'd like to defend the ransomware kid by highlighting that's basically what everyone in pentesting is doing. I can't think of a better way to get people vulnerable to this attack vector on their toes and alert to the potential danger, without actually making them lose their data permanently.
@@waxnet respect that you literally made it public and "just for fun" tho but i would still recommend not doing it again, it can create very big legal issues
I believe "technical in-experienced" would not even know how to download the python package, so all the victims were developers that must know what encryption and discord is.
I owned a coffee shop in Hawaii back in 2018 when we got that missle alert. One lady completely freaked out and jump into a muddy ditch like it was a tornado or something. I tried calming her down by telling her that since we were on the Big Island we were safe and that Oahu would be the real target but it didn't help. She stayed in that ditch for 45 minutes or so until the next message came saying it had been a false alarm. Then she got mad at me as if it was my fault
They should've had it patched ages ago. Besides, the EAS system is mostly a nuisance anyway. I've only had it come on for the following: 1. Test (which is meaningless) 2. Severe alert (most of which do not pan out) 3. Amber Alert (which is a needle in a haystack situation and virtually pointless) I think most people have better ways to get alerts nowadays.
@@pmxi That's not all luck. We've had 5.3 inches of rain from a single storm one time and no flooding. We clearly don't flood here so this is certainly a flaw with the EAS system. They issue alerts that aren't always relevant to the area in question. Amber Alerts are the biggest flaw because the odds of any person even having their TV on at the time, let alone paying attention and having the necessary info on the person in question is microscopically small.
It's worth noting that there are exploits for discord that enable you to take control of the account of people joining your server by stealing their login token. Joining a discord server through a random invite is always a bad idea as a result.
I don't think they pressed the big red button by accident. They received a warning message with the words 'THIS IS NOT A DRILL' and proceeded to act accordingly by passing it onwards.
The ransomwhere the kid did is a very basic and simple one. It's not impressive, what's impressive is the integration with Discord. Anyone can write a program to encrypt folders (the code can literally be from cryptography import aes; from uuid import uuid4; key = uuid4().hex(); enc = aes(key); for file in %USERPROFILE% enc(file). But the discord integration and uploading the keys and hosting it on his bot and setting up the bot and thinking of the typo thing is the genius part for a 15 year old.
I feel like if you're watching this channel you've probably "fiddled" around a bit when you were a kid similar to that b8ff kid.. we were all kids once
I remember hacking a federal prison that was by my elementary school in the 5th grade Now I am known for it they come running Especally when there tiktok was hacked
No matter what age you are, there has to be something seriously wrong with your moral compass for you to encrypt random people's files, even if you don't extort them for the decryption key.
I'd say "seriously wrong" is a bit of a stretch, but it's definitely not a very empathic thing to do. My guess is that @OHR did the classical teenager thing of not thinking things through before going ahead with using their new knowledge. Even purely for an egoistical standpoint, committing a crime just for the sake of it isn't a smart thing to do.
I feel bad for the kid but bro he registered the Python packages, he didn't have to do that. He could have totally had a PoC where you install the malicious package via PIP from source and demo it that way. No need to publicly release known infected libraries with the intent of others accidentally installing him. While I don't think he should be imprisoned, he better get the living shit scared out of him by his parents/law because that's just malicious lmfao.
@@painnmisery2582 Yeah people should certainly be more vigilant. Anyone would advocate for that. That doesn't mean people who spread malware shouldn't be held accountable for their actions.
Unfortunately, what the kid deserves and what the law demands are often two very different things. Furthermore, the severity of the punishment often does not so much reflect the malice intended by the bad actor as the amount of embarrassment that the people who should have been putting in protections against this feel over getting caught out.
Yes it was wrong what the 15 year old did.Even if we ignore the fact that no money was asked it would still cause panic to whoever files were encrypted,It would feel soul crushing knowing your stuff is locked and you may need to pay a large sum to get them back(and in this economy the mere thought could bring anyone to tears),for people with extreme anxiety/stress this could tip them over into doing something dumb/extreme.People tend to forget not everyone knows what discord is,a better way to get the key would be a prompt asking for your email/phone after the files are locked and a it being sent to out rather than going to discord as again I cannot stress if someone believes they have been jacked it may be nerve racking/heart racing the prospect of talking to someone who has your files(and if said files had some initmate/nudes photos it could really wreck ones mind) .I can recognize that yes it shouldn't be this easy to lock files while also appreciating the psychological damage this may do especially to those not tech averse,people have commited suicu**e for much less.So props to the 15 year old ,but also WTF is should not be this easy.Should he have a severe punishment,hell no ,but godamb the fact he did this without having a sense of empathy/guilt when it works really depresses me,as their is no way while building this he did not realize that people would panic/be stressed,perhaps he thought since their was a guaranteed way of getting your files it would be fine but it was not fine.
@@waxnet Well it may sound like I am furious,I am concerned about the rational that lead you to do it this way,as where my anger comes from is the side effects of the ransomware.Yes a vulnerability was found and it should not be on one persons shoulders to take the blame,but even if it ended well this time,what I outlined is happening to many people.My anger comes from how I perceive as the digital equivalent to shooting a gun in public,yes no one was hurt,yes no one was intended to be hurt,but people were still effected(size was not the issue).Do I think this warrants an arrest,F**** no,do I think this needs to on record, of course not,you clearly placed safety breaks on.I am just concerned that even as an experiment the gravity of the situation others were placed into(no matter how small) was not properly reconciled with .I dont expect you to apologize/feel bad ,but I dont think its a hot take to say ransomware creates a sense of powerlessness and even if it ended well that feeling does not leave,and for that brief time alot of people were not having a great day.I just hope in future you dont do this
At a certain point, people need to be held responsible for their own poor behaviors, the kid i teaching a free lesson that others charge tens of thousands if not hundreds and millions. We charge several thousand a month for training, this kid is saving the company money. He should be hired by security firms to be used on their clients to get them to see how #$#$#% stupid they are being.
I think the pip kid as i'm going to refer him to, should be rewarded through his efforts! Instead of blaming an accidental cyber criminal, look at the flaws of you system. Because if some kid with no bad intentions exploited that vulnerability in pypi's system, it's probably really easy for other hackers to exploit that very same vulnerability. If anyone disagrees with this statement, i want to know why, so make sure to reply that you disagree, and your reason for that. I'm quit interested in hearing the feedback.
That's why the juvenile justice system is really lenient in many places. Something like 30 hours of community service would probably be a good wake up call.
If a hospital or a power company got hit by this, it could mean people could have died. Releasing any malware into the public therefore means that one has little regard for human life, since we as humans depend on systems that could be infected with it. I’m no lawyer and this is not legal advice, but this kid should hope and pray he doesn’t face a wrongful death or second-degree murder charge.
The kid deserves a scholarship somewhere and some guidance. He is obviously going places
#seytonicTo1million!
The places are called Jail and Prison.
@@waxnet dw bro, youth offender's ain't that bad haha
@@waxnet bro u will be fine, keep doing you.
People get in trouble, then get pulled in and work for the government
Give this kid a medal for his project. And a job.
@@waxnet also agreed
I too agree!
@@waxnet aceriamo la nasa 😳
@@waxnet ^^^
lol chill... hahahaha.
honestly that kid is pretty based, wish more people did this so pip/node/etc etc would DO SOMETHING ABOUT THE GARBAGE THAT IS PACKAGE MANGERS. There isn't proper verification or review or literally anything at all basically.
I mean for arch to get popular it needed to have unofficial packages. you shouldn't need to go through 50 levels of verification to get a package uploaded
I think the "not ransomware" idea is good. Guy has no malicious intent, freely provides the encryption key, and in doing this alerts the "victim" to the bad practices they used that led to them getting the ransomware. It would be nice if he let them know that it was not a scam with a short paragraph explaining what he's doing along with the Discord invite, just to reduce the chance of panic like you described.
If it was downloaded with a python package, then whoever got infected must be familiar with tech. Easy to use discord. I'd leave the kid alone.
Developers are not necessarily that great with computers though. A lot of (professional) developers are just in it for the money and don't bother with anything they don't have to, but I agree that he doesn't deserve to be punished.
@@aiuno i mean, the message quite clearly says "join this discord server to unlock your files" so even if you're not too great around computers, you're technical enough to know what discord is
@@FAB1150 And of course developers are those gullible people that would just do what the ransomware says?
I know enough about computers to know that my RAM doesn't need to be fixed by clicking a link.
Why would i trust this discord server?
@@chrisakaschulbus4903 what? Ransomware 1-doesn't do anything with RAM, and 2- yes that's literally how it works. It encrypts your files and you can decrypt them by receiving a key and putting it into the program (usually by paying a ransom... get it? Ransom-ware? That's where the name comes from.). Obviously you get on the discord that's literally listed on the ransomware page, it's where you expect to find the information to pay the ransom. The "weird" thing this one does is that it just gives you the key for free.
You either aren't a dev or are one of those developers who don't know how a computer works at all. Lol
@@FAB1150 Yes, it's not ransomware what he did, but you don't know that. Even as a programmer. You see this pop up and your first instinct would be "lets check this discord server out because it promises me to get my files back"... really??
My example of the RAM scam comes from popups that claim your system needs to be repaired or something. As a programmer (or even a gernal pc-noob tbh) you should know better than to just follow the instructions a funny popup gives you.
Don't pretend to miss all those points...
Thank you for these regular updates. I look forward to seeing what illicit shenanigans people are getting up to with each upload!
@Femonic the Hot ***visible confusion***
If this was a series, I'd watch it 😀
Someone please send the SCP:001 "When Day Breaks" EAS through.
You evil man :)
How about SCP-5000 or SCP-096 based one, where 096’s face was posted on multiple Soical medias and it’s obvious for SCP-5000
@@icegamingfiregaming5441 There will be no further communication
This post right here, O-5. XD
That kid is a legend good for him!
In Poland we get SMS messages from a unknown number, with just an "Alert" name tag. This one could be very easily abused.
You mean RCB Alerts?
Hmm... That sounds like it can be faked by just any fake base station.
Here in Brazil telcos use this local emergency system to send ads and plans ¬¬'
It isn't inherently wrong coding malware. Plenty of researchers and devs do it in white hat sense, to learn more about potential vulnerabilities. I don't think he did a single "wrong" thing.
I do it as proof of concept in my little lab.
The matter is not about who developed it, it's about who is using it.
@@posthsc2635 I think that's a poor way of looking at it frankly. The ease of access and wealth of information on creating such scams and hacks is staggering. More "genuine" people getting experience with these things I believe is always a good thing. No scammer is using his python code, not when there is free programs to create ransomware with your own BTC addresses and the like.
In the grand scheme if the researcher is correct and 235 or so people did have their computers irreparably encrypted I'd argue that's a negligible amount of damage in the grand scheme of things. Even script kiddies can get well north of that with minimal effort.
All in all, I can't even be mad
@@AnonsTreasures That's not the point i am making. Heck I was on this last summer holiday.
I am not blaming the boy, at all. I am just saying that no matter how genuine your actions may be, there are always people out there who will use your "kindness" or "good will" to their advantage. That's why it's up to the people who use the tools.
@@posthsc2635 I was only saying that I highly highly doubt anyone would spend the time modifying his code to scam people when free tools already exist
I was in Honolulu when they had the missed crisis. I was at work and after the sirens went off we made out way to a church nearby. After the news stated the it was a accidentall missle alert. My boss sent all of us back to work.
I'd imagine anyone downloading and installing python packages is a tech-savvy person, likely a software dev. They probably won't just delete the encrypted files
I think the ransomware kid didn't understand it was a potential cybercrime, but I also don't think he's done anything bad either if everything is irreversible for free
@@waxnet But, why did you think it was worth the risk?
@@waxnet couldn't you see how many people had downloaded it from your discord bot generating the decrypt keys?
@@ΓεώργιοςΠαπαδόπουλος-μ9μ the vast majority of those messages were probably people testing the code out, so it would be vastly inflated
@@sheeplord4976 he answered on another comment saying that not everyone who downloaded it ran it
The kid did something very impressive. He didn't *have* to include a decrypt mechanism for the victim's files, but he did. It was dumb to actually deploy his idea, but the innovation and hacking behind it was quite clever and should be rewarded and nurtured in a safe environment. Preferably an environment with oversight 😂
Waiting for the national bruh moment alert
Prepare to be rickrolled by your tiny local TV or radio station.
Would have been funny if the ransomware guy forgot to set the correct access control for the channel where new "victims" were announced and then he just went with the story once contacted by the security researchers.
@@waxnet the legend himself.
@@waxnet Absolute madlad
look at all the bots 😂 keep up the hard work sey!
Surprisingly, most of the known exploit developers on roblox actually started around age 14 or so, and their exploits still exist being updated weekly. OHR is smart, but there are a lot of younger people doing this more and more now
You might want to remove those tones out of the video. FCC might submit a takedown notice thru TH-cam.
From the Emergency Broadcast System wiki:
To protect the integrity of the system, and prevent false activations, the FCC prohibits the use of actual or simulated EAS/WEA tones and attention signals outside of genuine alerts, tests, or authorized public service announcements
Many videos use the same sounds like the SCP EAS video or other similar ones
EBS? This is EAS. Also, FCC doesn't care about tones as TH-cam is literally filled with EAS scenarios with no problems (valid tones). If you want to learn how EAS works, watch SomeOrdinaryGamers EAS video and in the comments, you'll see a lot of people giving good explanations on how they work. If you want a quick summary: it is only illegal if you play valid tones on news medias or public places (TH-cam has no EAS equipment so nobody gets in trouble from it)
Those beginning tones, or "alert tones", arent the issue. The long beep after them is the one that is illegal to use. I believe HAI did a video about them. Or Wendover. Theyre the same channel in my mind
No, this only applies to television stations and radio stations
The truth to TH-cam comments always reside within the replies.
Holy s***, with this kind of power, we could be invaded, and never even know it.
5:03 bruh imagine you're downloading a python package but you're not "technical"
The OHR kid is awesome, not only can he make things like that at a young age, but he didn't cause much more than a panic moment for most affected, and likely taught developers and users to be more careful
Yes
I was at the liquor store with a friend yesterday when shit was hacked and it played at the liquor store. I jokingly said it’s the end.
What is shown in the video is actually an EAS Encoder. While decoders do exist, they cannot send out alerts. Encoders have their own Decoders built in, but since they can encode and send messages, they are called Encoders. The one shown in particular is a Digital Alert Systems DASDEC One-net, which has been discontinued and phased out in favor for the DASDEC II. There are older versions of EAS Encoders which rely on receiving messages through SAME Headers, which it decodes and resends with its stations details. Digital Encoders, which are used today, connect to the internet, and the IPAWS servers, which it gets alerts from.
Ahhh seytonic, always delivering fresh news about current events in the cyber world
Kinda troubling to know that the various stations need to be encouraged to update their EAS decoder, you’d have hoped it’d be turnkey that it’d never be out of date
Keep up the great work 👍
Threaten him with Jail... then offer him a job.
That kid is just doing a public service.
People don't take security seriously until it directly effects them.
A "this could have been much worse" moment encourages people to take precautions.
Someone wanted their Analog Horror series to be as realistic as possible.
Cool video! Mins sharing the background theme?
If I got access to one of the emergency broadcast systems, I would broadcast out "A working McDonalds icecream machine has just escaped out of Area 52, and is on the run. If you find him, grab him, go to your nearest 5g tower, and perform a satanic ritual"
Smart kid, scare him shitless about what will happen the next time and offer him a job with supervision.
Let’s put a sleeper in to sit and wait for an alert, then scramble it to something illegible or replace it with a malicious message.
btw the twitter "onion site" is a joke and isn't private or secure
A remarkable warn for the kid would be necessary
So it's super easy to fool weather radios and other devices that listen to the analog sound of noaa. If you use a hack rf and broadcast the same codes and the alert tone it will trigger them to go off.
th-cam.com/video/49KoUmiJuts/w-d-xo.html
I’m lost. Which part is the one that the EAS got hacked?
I have a screenshot of a public alert sent out in Missouri, that basically stated a purple ford mustang, with lisence plate saying JKR and in hannibal Missouri...
I think the kid deserves enlightenment he didn't intend to do bad stuff he just didn't know better
Im 15 and I'd be doing the same thing if I didn't live in the US with a proper legal system. Lmao
He'll get in trouble also in Italy if one of those people decide to sue
@@42isTh3Answ3r nah they wont sue, he had intentions to give away the keys from the start. he caused no damage, if someone sues they would be loosing more than gaining
To the part about the ransomware, he should probably realize that content on Discord is a part of the Dark Web (like any chat application), as it is not indexable by search engines (it's private) and requires a special application to access (Discord). Forcing people to open Discord is a concern in an on itself since Discord is known for some Facebook/Microsoft-like behaviour and I wouldn't be surprised it was beaming home.
Also let's not forget that it breaks the Discord ToS, as mentioning that hacking exists breaks it so the server might be taken down.
Personally, I consider it non-malicious ransomware, similar to rensenWare except it lacks the funny aspect.
Instead of using Discord they could've just, shown the decrypt key or smth. I personally would consider that an attack anyways, and while I'd laugh at myself if I was gotten by rensenWare I'd def just be angry at the author of this one. While it's not as bad as if it was some truly malicious software it is still malware. Just to clarify the malware part is the part which installs it, not encrypts the data.
I'd like to defend the ransomware kid by highlighting that's basically what everyone in pentesting is doing.
I can't think of a better way to get people vulnerable to this attack vector on their toes and alert to the potential danger, without actually making them lose their data permanently.
The kid in the second story just discovered a way to gather users to increase traffic to a discord server ha ha
Lots of web3 protocols would benefit from that kid’s skills. He’s got a bright future.
it wasnt even a discord bot, it was a webhook
@@waxnet respect that you literally made it public and "just for fun" tho
but i would still recommend not doing it again, it can create very big legal issues
the EAS SAME decoder was hacked? oh no
I believe "technical in-experienced" would not even know how to download the python package, so all the victims were developers that must know what encryption and discord is.
That kid needs a talking to by law enforcement and a job offer from them.
I owned a coffee shop in Hawaii back in 2018 when we got that missle alert. One lady completely freaked out and jump into a muddy ditch like it was a tornado or something. I tried calming her down by telling her that since we were on the Big Island we were safe and that Oahu would be the real target but it didn't help. She stayed in that ditch for 45 minutes or so until the next message came saying it had been a false alarm. Then she got mad at me as if it was my fault
They should've had it patched ages ago. Besides, the EAS system is mostly a nuisance anyway. I've only had it come on for the following:
1. Test (which is meaningless)
2. Severe alert (most of which do not pan out)
3. Amber Alert (which is a needle in a haystack situation and virtually pointless)
I think most people have better ways to get alerts nowadays.
That reminds me of the Phone notfication of Nukes or whatever it was in Florida or Hawaii
That is not a flaw of EAS. That is you being lucky that there have been no major emergencies in your time.
@@pmxi That's not all luck. We've had 5.3 inches of rain from a single storm one time and no flooding. We clearly don't flood here so this is certainly a flaw with the EAS system. They issue alerts that aren't always relevant to the area in question. Amber Alerts are the biggest flaw because the odds of any person even having their TV on at the time, let alone paying attention and having the necessary info on the person in question is microscopically small.
I highly doubt there are enough people with info to help aid in finding someone out of 7 billion people.
Yet another great video
Whenever it comes to the kid you don't need to worry about him the concern would be his teacher
The kid did good. Mistakes like that can fuck you up beyond believe. Leave his code on the web and rebrand it as an awareness campaign.
Did the researches bother to check if the kids ransomware also, possibly later, installed a trojan or other malware to trigger later?
It's worth noting that there are exploits for discord that enable you to take control of the account of people joining your server by stealing their login token. Joining a discord server through a random invite is always a bad idea as a result.
Elon Musk @ 6:14: "Aaand... _this_ is why we can't have nice things!"
China: Write that down!
I don't think they pressed the big red button by accident. They received a warning message with the words 'THIS IS NOT A DRILL' and proceeded to act accordingly by passing it onwards.
The ransomwhere the kid did is a very basic and simple one. It's not impressive, what's impressive is the integration with Discord. Anyone can write a program to encrypt folders (the code can literally be from cryptography import aes; from uuid import uuid4; key = uuid4().hex(); enc = aes(key); for file in %USERPROFILE% enc(file). But the discord integration and uploading the keys and hosting it on his bot and setting up the bot and thinking of the typo thing is the genius part for a 15 year old.
April 4 zombie attack. Thats a good gag.
Defcon sounds scary. I googled it, and now I'm really scared.
lets hope the telecom companies update their EAS box thingies before tomorrow
I feel like if you're watching this channel you've probably "fiddled" around a bit when you were a kid similar to that b8ff kid.. we were all kids once
Damn, u get busy. Nicee
as always great video
I remember hacking a federal prison that was by my elementary school in the 5th grade Now I am known for it they come running Especally when there tiktok was hacked
If the EAS vulnerability becomes public, get ready to see Elon Musk bitcoin scams on TV
No matter what age you are, there has to be something seriously wrong with your moral compass for you to encrypt random people's files, even if you don't extort them for the decryption key.
@@waxnet sadge
I'd say "seriously wrong" is a bit of a stretch, but it's definitely not a very empathic thing to do. My guess is that @OHR did the classical teenager thing of not thinking things through before going ahead with using their new knowledge.
Even purely for an egoistical standpoint, committing a crime just for the sake of it isn't a smart thing to do.
@@Kenionatus but 'twas just a tad bit of tomfoolery
Ah yes. Analog horror is real now.
U can turn off the alerst in settings. Or use airplane mode often
Nice Video!
i remember sometime recently i was going home on the bus and a thunderstorm warning was issued
not hacked at all. didn’t have a thunderstorm 🤔
Maybe it was a watch… 🤓
I feel bad for the kid but bro he registered the Python packages, he didn't have to do that. He could have totally had a PoC where you install the malicious package via PIP from source and demo it that way. No need to publicly release known infected libraries with the intent of others accidentally installing him. While I don't think he should be imprisoned, he better get the living shit scared out of him by his parents/law because that's just malicious lmfao.
@@painnmisery2582 Yeah people should certainly be more vigilant. Anyone would advocate for that. That doesn't mean people who spread malware shouldn't be held accountable for their actions.
Unfortunately, what the kid deserves and what the law demands are often two very different things. Furthermore, the severity of the punishment often does not so much reflect the malice intended by the bad actor as the amount of embarrassment that the people who should have been putting in protections against this feel over getting caught out.
1:12 OMG OG iPhone
The ohr guy is impressive, hope he ends up in a nice place and not in jail
I knew he was a kid when he started giving the keys back seems like he was demoing it
I'm with Mental Outlaw the fact that Twitter made an onion site is completely redundant.
hey seytonic, where do you get that one music where you loop it over and over again across videos, would like to know!
0:30 that wasn’t an accident there was an actual ballistic missile test in between Japan and Hawaii that North Korea told no one about.
"Between Japan and Hawaii" is the entirety of Pacific ocean, though... Pretty sure most people wouldn't care what's going on there really.
Yes it was wrong what the 15 year old did.Even if we ignore the fact that no money was asked it would still cause panic to whoever files were encrypted,It would feel soul crushing knowing your stuff is locked and you may need to pay a large sum to get them back(and in this economy the mere thought could bring anyone to tears),for people with extreme anxiety/stress this could tip them over into doing something dumb/extreme.People tend to forget not everyone knows what discord is,a better way to get the key would be a prompt asking for your email/phone after the files are locked and a it being sent to out rather than going to discord as again I cannot stress if someone believes they have been jacked it may be nerve racking/heart racing the prospect of talking to someone who has your files(and if said files had some initmate/nudes photos it could really wreck ones mind) .I can recognize that yes it shouldn't be this easy to lock files while also appreciating the psychological damage this may do especially to those not tech averse,people have commited suicu**e for much less.So props to the 15 year old ,but also WTF is should not be this easy.Should he have a severe punishment,hell no ,but godamb the fact he did this without having a sense of empathy/guilt when it works really depresses me,as their is no way while building this he did not realize that people would panic/be stressed,perhaps he thought since their was a guaranteed way of getting your files it would be fine but it was not fine.
@@waxnet Well it may sound like I am furious,I am concerned about the rational that lead you to do it this way,as where my anger comes from is the side effects of the ransomware.Yes a vulnerability was found and it should not be on one persons shoulders to take the blame,but even if it ended well this time,what I outlined is happening to many people.My anger comes from how I perceive as the digital equivalent to shooting a gun in public,yes no one was hurt,yes no one was intended to be hurt,but people were still effected(size was not the issue).Do I think this warrants an arrest,F**** no,do I think this needs to on record, of course not,you clearly placed safety breaks on.I am just concerned that even as an experiment the gravity of the situation others were placed into(no matter how small) was not properly reconciled with .I dont expect you to apologize/feel bad ,but I dont think its a hot take to say ransomware creates a sense of powerlessness and even if it ended well that feeling does not leave,and for that brief time alot of people were not having a great day.I just hope in future you dont do this
5:28 impressive at 15????? thats kinda old for it to be even in the grey area
At a certain point, people need to be held responsible for their own poor behaviors, the kid i teaching a free lesson that others charge tens of thousands if not hundreds and millions. We charge several thousand a month for training, this kid is saving the company money. He should be hired by security firms to be used on their clients to get them to see how #$#$#% stupid they are being.
I think the pip kid as i'm going to refer him to, should be rewarded through his efforts! Instead of blaming an accidental cyber criminal, look at the flaws of you system. Because if some kid with no bad intentions exploited that vulnerability in pypi's system, it's probably really easy for other hackers to exploit that very same vulnerability. If anyone disagrees with this statement, i want to know why, so make sure to reply that you disagree, and your reason for that. I'm quit interested in hearing the feedback.
That kid is amazing
I agree!
4:08
Can't wait for the Ligma EAS
Do you people really put all 6 of their certificates in their title like Ken Pyle?
Oops, there's no such thing as an "IPAWS system." Can you figure out why?
Twitter? what is this, the year 2011?
Omg I got this and got scared
The fact that defcon has a YT channel… be prepared for neglected systems to be pwned by some 12yr old within the next couple of weeks
Do something dumb... like call the police.
We all know this kid doesn't deserve jail time for this.
That's why the juvenile justice system is really lenient in many places. Something like 30 hours of community service would probably be a good wake up call.
@@Kenionatus Agreed
I'll watch this later
Soo, have you seen the new rubber ducky on hak5?
might be onne of the reasons i got hacked. BY A FINANCE SCAMMER. Even my discord was hacked by one
If a hospital or a power company got hit by this, it could mean people could have died. Releasing any malware into the public therefore means that one has little regard for human life, since we as humans depend on systems that could be infected with it. I’m no lawyer and this is not legal advice, but this kid should hope and pray he doesn’t face a wrongful death or second-degree murder charge.
Beautiful content