Is Elon Musk a Security Expert? - ThreatWire

Views: 25,384

Hak5


⬇️ OPEN FOR LINKS TO ARTICLES TO LEARN MORE ⬇️
@endingwithali →
Twitch: / endingwithali
Twitter: / endingwithali
KZfaq: / @endingwithali
Everywhere else: links.ali.dev
Want to work with Ali? endingwithalicollabs@gmail.com
[❗] Join the Patreon→ / threatwire
0:00 Intro
00:10 1 - NextJS Vulnerabilities Discovered
02:06 2 - New Technique Allows VPN Bypass
04:31 3 - FIDO2 Flaw Exposes MITM Attack
05:51 4 - Signal Vs Telegram
08:24 5 - Outro
LINKS
🔗 Story 1: NextJS Vulnerabilities Discovered
portswigger.net/web-security/...
github.com/advisories/GHSA-77...
github.com/advisories/GHSA-fr...
cybersecuritynews.com/next-js...
🔗 Story 2: New Technique Allows VPN Bypass
www.leviathansecurity.com/blo...
cybersecuritynews.com/tunnelv...
🔗 Story 3: FIDO2 Flaw Exposes MITM Attack
www.silverfort.com/blog/using...
gbhackers.com/fid02-mitm-vuln...
🔗 Story 4: Signal Vs Telegram
www.city-journal.org/article/...
www.ccn.com/news/technology/t...
www.businessinsider.com/elon-...
/ 1787589564917490059
news.ycombinator.com/item?id=...
nitter.poast.org/matthew_d_gr...
____________________________________________
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.

Comments: 135
@neverendingstudent a month ago
From the perspective of helping to increase public awareness of AI capabilities, I appreciate the ploy of '1 of our stories is AI generated, can you tell which?' AI has gotten scary capable, and is only improving. Definitely important for people to have as up-to-date as possible an understanding of what it can and is being used for.
@Nichrysalis a month ago
The advent of generative AI combined with quantum computing genuinely concerns me for how this could be used to manipulate media.
@LordDemonos a month ago
Thank you for giving us security news in a clear and professional manner.
@frankey3732 a month ago
How about plaintext messages saved locally? Signal has transport encryption; messages on clients are not encrypted. This means you can read and exfiltrate messages if you get to the machine. Or if your machine gets compromised.
@meh.7539 a month ago
Signal. No question.
@bobbyjohnson116 a month ago
Meshtastic
@inund8 a month ago
Y'all are responding with answers not allowed by the question. Signal is way less sketch than Telegram, but y'all are right that we shouldn't exclude other alternatives.
@glowingone1774 a month ago
Matrix, but its founding is also shady, ex 8200 types, but you can still self host it I guess. XMPP+OMEMO, Tox and Briar are all better options
@meh.7539 a month ago
@@inund8 I didn't say "exclusively". I just don't have questions about using it.
@dracula7779 a month ago
Neither, no phone easy
@QR5-cyber-exp a month ago
Showing my age here….. but back in the 90’s (in Australia) we weren’t allowed to release a communications service unless it was “interceptable” by the Signals Directorate (with appropriate authorization). Seems like an eon ago now.
@jamesdriscoll1658 a month ago
The FIDO 2 story was written by AI
@jmr a month ago
My guess as well!
@jmr a month ago
@@asksearchknock I'm not trying to pick out the AI. I'm trying to pick out Ali. I think it might be more consistent to find hints of her writing then whatever is left must be the AI.
@skirk16 a month ago
Didn't know you were an SE from MIT, that's so cool! Your inherent interest in the topic was more than enough qualification, but it's awesome to know you're thriving in your career space as well!
@chadddada a month ago
Thanks for the heads up on NextJS!
@brettlaw4346 a month ago
Signal - The assumption that the app source code is that app being installed is a big one. There are also host device compromises like the keyboard, general hacking, etc. Not sure if Signal uses a secure terminal and trusted execution environment, otherwise you could have some buffer reads from other applications.
@mytechnotalent a month ago
Great one Ali! I vote Signal, hands down.
@bobbyjohnson116 a month ago
Meshtastic
@jsaenzMusic a month ago
So glad I found your channel! Your news is the ish!
@cZar_Void a month ago
"New Technique Allows VPN Bypass" absolutely has to be the GPT story. The concluding words were a bit off.
@pcislocked a month ago
yup...
@jmr a month ago
I've given up trying to detect AI and switched to trying to detect Ali. I think it's the Fido story this week.
@lossless4129 a month ago
Getting better every single show, loving it. Keep it rolling!
@AnonMedic a month ago
I used AI to write part of an article on my news website, and asked friends to guess what part AI wrote. So I absolutely love that you're doing the same thing with threatwire.
@QR5-cyber-exp a month ago
Great summary. I love the connect back to previous research.
@jasonirvin6782 a month ago
Thanks friend good stuff!
@jaybrooks1098 a month ago
Let me let everybody in on a secret. There's no such thing as a secure chat.
@andrefriedelnyc a month ago
Let ME let you in on a little secret: If you encrypt your messages with PGP standard implementation, then you too can experience an environment that can only be viewed with the decryption key... and unless a quantum computer is used to brute-force a decryption key, you're safe. If it's good enough for military and state secrets, I'd wager it's good enough for you too...
@mrmarkom a month ago
Great work Ali! I could not guess the story - every time I thought I can guess it, I was not really sure. Btw, which AI did you use to write this story? Keep up great work!
@paulw3182 a month ago
Great video, mom's advice still rings true 'Be humble, and take compliments while you can' - It's wonderful you're making Threatwire your own, keep up the excellent work - Your coding channel is interesting.
@_mrcrypt a month ago
Thanks for the infos! 🍷😎🏴‍☠️
@MrGFYne1337357 a month ago
lol, (my take) ALI -- "thanks for calling me pretty, But don't forget, I'm an M.I.T. grad. and I'll pwn you in seconds." 😅
@repairstudio4940 a month ago
Thanks Ali! 🎉
@somethingelse25 a month ago
Found the signal and telegram story interesting and also the VPN one too. Thank you! Hopefully I'll be able to do a career in Cyber Security. ☕
@kilosan a month ago
Is Shannon coming back once in a month?
@jmr a month ago
Shannon is doing her own channel. I don't know anything about any guest appearances though.
@awesomesauce804 a month ago
Good stuff. I appreciate that you stood up to the "cute" comments. Unfortunately this is something you will probably need to be firm about for your entire career. Great content. Keep up the good work.
@linuxliaison a month ago
Kudos to you for being able to read out those numbers over and over :P
@paulw3182 a month ago
Your tweet "Look at my code and then tell me I'm pretty" Awesome! Your analysis of MIT vs the real world is spot-on. It's impressive you began coding so late, so many just give up. What is your take on the BreachForums "cartoons"?
@isaacyukon5869 a month ago
00 You mean people don't read RFCs starting with RFC72 anymore? 11 RFC72 is a requirement.
@mrldtj a month ago
😂 I'm a subscriber but that title did make me chuckle.
@tech1238 a month ago
Good vid thanks
@sanantohomie a month ago
Ali the mic needs a foamy top or something, I can hear scratching sounds OR post process the audio to remove the scratchy noises
@itsdeonlol a month ago
W episode Ali!!!
@asificam1 a month ago
Much as I see the advantage of password-less logins, I dislike them because now you have single factor authentication since the server can't be sure the user has a PIN even if they ask the USB key to require one, and your USB key has to store discoverable credentials. I prefer the U2F model since they use the same math but the credentials are not discoverable, and since they're not stored on the key, they're able to be used for an infinite number of logins. But since U2F is assumed to be a second factor, you now have a forced use of a thing you know and a thing you have in order to log in which is (in my opinion) much better than handing the thing you know to the key to handle, especially if everyone has a USB key in the future.
@jmr a month ago
I would argue using an authentication key as a second factor is superior but for different reasons. How do you think they will discover your credentials on the key?
@asificam1 a month ago
@@jmr Passwordless login uses what are called "discoverable credentials". They occupy a "slot" and most keys today have only a limited number of slots. So most people will need to have several keys just to log in via passwordless methods if this catches on. As to how discoverable the "discoverable credentials" are, I have not looked into this, I know that I can list them all if I have the key, but I would assume (and hope) that FIDO2 says that the key will only return a credential for a matching account or at least domain. However, someone who has the key can see where it goes which means no plausible deniability, and if there is a bug that allows the PIN to be bypassed or the PIN try limit removed, or a leak of the PIN another way like by writing it down and losing it, well, now the attacker has the key and knows where it goes. However, with U2F, the credentials are encrypted on the key and sent to the server, so only the right key can use them, but there is no way to prove that a key opens an account without trying every single account and seeing which ones work... even if there is no PIN or the PIN is bypassed (sometimes U2F has PINs too though) if an attacker has access to the key... they don't know which of the several billion locks it opens... not all that helpful for them and gives me time to react by deleting that user's key.
@azryelkelly7851 a month ago
Nice ASMR hair rubbing the microphone throughout the whole video. 😜 Guessing there's no MIT sound tech on staff. Love the videos!
@itzdm0r3 a month ago
I think the story about Signal is the "fake" one.
@C.J... a month ago
❤DIMPLES!❤ nice 70s get up girl.
@herauthon a month ago
Bummer.. there is DHCP/DNS noise - I have to check my cave
@loves2tinker a month ago
Might be interesting to see you and ChatGPT 4o have a discussion about the security landscape (instead of reporting important news). That way you can flex your knowledge so people see more of your career side.
@mohamedissa9760 a month ago
The story about VPN DHCP bug was written by an AI
@debugin1227 a month ago
Signal for the win
@blueskyresearch6701 a month ago
What about PGP messages shared via SFTP? If you're really concerned with being secure don't trust other people's servers or backends. Also if you can manage it a modern flash drive can hold a one-time pad large enough to serve a lifetime of communication.
@blueskyresearch6701 a month ago
Should also add this should all be done with a properly configured OS such as TAILS. The problem with the DIY approach is you likely wind up with scratch files of plain text and if not done on the correct OS also plain text fragments in virtual memory swap files. So you do need something that encrypts from the keyboard to the destination, you can't expect everyone to configure firewalls and routers so you do need some minimal backend to handle firewall traversal. Also there is just the matter of remaining anonymous so you should run this all over something like Tor. Is Tor still considered secure?
@Blessed_2_Be_Born_In_America 25 days ago
All I know is Signal sucks for sharing videos with its 50MB filesize limit. Telegram's limit is 4GB. My YT gymnastics channel wouldn't be possible on Signal.
@TheGrigerz a month ago
😮
@IshaqIbrahim3 a month ago
Timeline: 5:35 Man in the MIDDLE! 🤣
@fastmover45 a month ago
Signal FTW
@S.C.D. a month ago
💓
@su8z3r03 a month ago
@2:07
@Tech-NO-City a month ago
I need your help plugging in my ethernet cable
@richardlee3253 a month ago
How do you use Signal if the smart phones have a cellular CPU with higher priority on the bus?! We are all sitting in the back of the data bus on our smart phones. What can you hide from people with that kind of backdoor? And then there is the continual backdoors in WiFi, Bluetooth, USB, etc. It's a big joke.
@youtubevanced8789 a month ago
I LOVE ALI ❤❤❤
@jmr a month ago
Fido story is AI. I think what I've learned from the one AI story a week game is not that I can't tell them apart but that OUR HOST IS ALSO AI! Duh, duh, duh! 😆 /teasing.
@CapuiICazzu a month ago
I'm not sure what this has to do with Elon Musk, I'm assuming it's the Signal stuff
@asksearchknock a month ago
7:55 Elmo decided to tweet about Signal, once again showing the world just how little he knows about anything
@CapuiICazzu a month ago
@@asksearchknock yeah thought so thx for timestamp
@LP-fy8wr a month ago
The entire damn thing sounds like AI.
@netoeli a month ago
Man, Elon is the expert on everything, he's got skills for this and that, the dude can do it all, he also does all his shopping! Amazing
@MatthewCallier a month ago
Another awesome episode.
@vasquezjesus1020 a month ago
Gamer the movie is irl?
@THEMithrandir09 a month ago
Telegram's encryption was made by 5 math dudes and isn't open source, so insecure by default. If you're worried use Matrix.
@SkillfulHacking a month ago
How about don't commit crime instead of don't get caught. 😢
@dcquence 29 days ago
Don't get caught by the threat actors, not, don't get caught doing illegal stuff.
@inund8 a month ago
Love the shirt! But Ali, are you sure you can't make yourself look bigger? Like resize yourself so you take up more of the frame? Or rearrange your furniture so you be closer or have the camera pointed lower? You just look so small and short and it is a widdle bit distracting. Which is a shame since everything else feels very high production and well reported!
@endingwithali a month ago
clickbait title GOTCHA ;)
@briannunya2838 a month ago
Ad freeeeeeeeee
@mrvincefox a month ago
Clickbait using Elon musk in title
@OurSpaceshipEarth a month ago
Anyone heard FTX can pay its customers they are LOADED hahaa
@ardawanx a month ago
Lol. Congratulations to JS fans
@hiamealhilwa6684 a month ago
😘
@WickdPerfekT a month ago
Defcon is canceled.
@gary227 12 days ago
noooo
@dazztee a month ago
Ali is Awwsome Hak5 got an upgrade
@stevenpugh5412 a month ago
I think the Elon Musk story was AI: absolutely idiotic for him to get involved. How’s that quote go “better to be thought a fool than tweet and remove all doubt”. Of course the same could be said about this comment…
@GuyMassicotte a month ago
No one can pretend to be a security expert until they are minimally able to detect and block Pegasus ;)
@AlexRodriguez-ci8ro a month ago
Where is Shannon
@donamills a month ago
She dedicated her time to her own channel.
@davidholliday6772 a month ago
I deleted Signal over 2 years ago.
@christopherjosephsimmons a month ago
I'm your 711
@wandererx86 a month ago
wack title
@asksearchknock a month ago
Great job on standing up for yourself and I hope that the community will support you in telling anyone who makes inappropriate comments where to go. I’m 100% behind you - Us rats 🐀 got to stick together
@carsonjamesiv2512 a month ago
TECHNOLOGY IS 😃 == 😡
@HomeBurger a month ago
Notice how Ali speaks slowly and uses smaller words when talking to the javascript viewers. Gotta know your audience. disclaimer: this is a joke
@UNcommonSenseAUS a month ago
What's funny is this show going down the toilet.
@asksearchknock a month ago
You know being here is not mandatory right? There are loads of other channels you could go and watch yet you come here and then moan. Why would you watch a channel you don’t like?
@Proxyone444 a month ago
ALI is LOVE
@ActiveResearchYouTube a month ago
What's ur OF tho?
@kevinm3751 a month ago
He built PayPal, so yea I would say he is a security expert!
@Private-GtngxNMBKvYzXyPq a month ago
nolE has it bass ackwards.
@aboselaiman a month ago
With these Dimples I can't pay attention to what she is saying.
@asksearchknock a month ago
I assume then you also missed the part where she reminded you she’s an MIT educated software engineer and your comments are not welcome or appropriate.
@ronak3600 a month ago
Change the host!!!
@budminer0077 a month ago
It was the cute ai generated dimples
@cardrivingdude a month ago
Triggered by your title. Muskrat is an expert at having daddy money, and opening his wallet. That's about it. Don't believe me? Take a look at his original ideas. "hYpErLoOP"
@xyanide0101 a month ago
Looks like someone is woke, or got roasted by shorting tesla, or maybe both.
@cardrivingdude a month ago
@@asksearchknock I'm shocked at the number of people that have no idea how the world works. They must picture Muskrat rolling up his sleeves and just "building a rocket".