this is more like a declaration of war

they're getting cocky :D

Automated

I mean they did it to a channel called "Linus *Tech Tips* " and it clearly worked so why not!

roll of the dice except its 100 sided

Yeah, it’s strange Windows hides them by default. Makes no sense.

The problem is that tech iliterate people rename a file and then accidentally remove the extension. It doesn't highlight the extension by default, but I've seen it happening a couple of times with other ppl.

@@fusseldieb Windows will warn you though if you try to do this.

It's times like this you really appreciate the execute permission bit on Linux.

There is a solution even for that, the right-to-left writing system. A file named for instance filename.exe.pdf can be actually a .exe if the character announcing the r-to-l is before "exe". I'll try finding the clip with this. I daily drive linux and don't care a lot about these; but on Windows I could have seen myself being fooled by this (not the .scr, as I made a few programs and even screesavers when I was in highschool, many years ago). LE: found it on ThioJoe's channel - kzfaq.info/get/bejne/pK-Tha5lu8W-ppc.html

That and the fact that the domain was Eastern European. The author of this video wants to act like that's totally common and no big deal but it's not. If g fuel is reaching out to you from the Czech Republic you should damn well know better.

Or maybe dont use File Explorer in the First place... Use smth that is more intelligently designed like total Commander

@@khoroshoorange Whatever floats your boat.

That's the case in this example, if the PDF was 'alone' in a folder you wouldn't look twice at a .pdf

The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.

Same here, you should check out Professor Messer if you havent already, hes got a free video series on how to pass 💜

Facts, that is why I always activate the config to enable that

It's a pain to keep having to turn it on on every single machine I use that is new. I meaninly use it quickly be able to make back up of files so I can just aad .bak to the name or .orig. this onely works if File extension names are enabled.

That's not even the bad part of all this. MS is now active in keeping you out of some sections of the OS. You don't even know if MS is collecting these tokens or not or for what reason either. I assure you... they can and do if the right people in authority request it. Nothing on a machine is secure.

That's how you can spot computer literacy at a glance.

A file name is just what it is. It doesn't tell anything about its content, just as your name doesn't say anything about your personality. Changing a .xls to .jpg doesn't make it an image, just as changing my name to yours doesn't change my personality to become yours.

It's baffling to me that AVs don't automatically flag these files or warn the user when the scams have been happening since august last year at least

EDR solutions like Crowdstrike DO this. This is a matter of the Linus team cheaping out on InfoSec tools.

@@kaineuler EDR like CS, CB, or S1 do not care about file size. They monitor every single process/thread/command/execution that's running in realtime, so if it catches something it finds sus (which this absolutely would,) it will catch it, regardless of file size.

@@robertgarrison1738 I'm talking about windows defender or other basic antivirus.

@@kaineuler Ah, yeah no, those can't be trusted in 2023 when it comes to proactive monitoring. Those AV's are solely reactive, and by then the damage has already been done. I see this daily at this point in my line of work.

If you're talking about the fire Colton thing, it's an ancient channel meme, Colton has been "fired" hundreds of times. Colton gets blamed for everything and this time it might actually have been him so the meme came back hard. He won't go anywhere though, dudes been there since day 2.

I agree, it’s Linus’ fault here for making his employees use Windows

A company I worked for was hacked due to a security flaw that was introduced in a Microsoft Exchange Server update.. when it was brought to light he quickly rolled back but by then it was already too late and got hacked around the time people were looking for chocolate eggs a certain bunny had been littering.

@@SEMIA123 Yeah lol. When I found out, that was my first thought. "Oh well, Colton's getting fired for the 22nd time I guess." Especially ironic considering the origin of that meme includes iirc him almost getting the channel banned or something and then getting 'fired'.

@@jacquesfaba55 He should probably keep people who have access to anything even remotely import to only those who terminally live inside a computer. Having Windows is not an excuse to fall for a phishing attack. The only excuse is incompetence. Not opening an executable through email is like computer literacy 101.

I certainly use it to send stuff to myself to bypass such scanners. But that is from me to me, so I know what is going on... but it is a fairly obvious bypass all around because no AV tool out there can decrypt it (yet) to scan.

Thats probably the biggest thing here and 99% of tech channels ignore it, im not sure they even know why scammers use the pw/encryption function in the first place.. Theres no need to ever require this unless you encounter it the way I do. From piracy and trying to download unsigned cracks etc. But scammers also use them when a game first comes out to try and trick the normies, but those are the types that dont want yu to have a pw because theres nothing in it, they want you to do surverys for a non existing password.

I agree this is also a giveaway. Any normal company doesn't zip a pdf file so there should be no need to extract it. And even so, a huge zip file to only hold a single pdf file is suspicious. On top of that, even when file extensions are hidden (as the other files didn't show any extension) and this one did show the .pdf extension, you should be aware this won't be the true extension otherwise it was hidden as well so you can be sure there is another extension behind it making the .pdf visible. Also, in an email, look for obvious spelling errors like the first one that was shown: "We are sells energy drinks", this is a dead giveaway this was translated instead of typed and should be treated as suspicious. So Linus (or his staff) made 4 mistakes that led to this tragedy: 1. Ignoring obvious spelling mistakes (if he received such a misspelled email) 2. extracting a huge zip file to get a simple pdf to state an agreement 3. ignoring the huge filesize for a simple pdf 4. running it with a visible file extension when extensions are hidden

@@powerpc6037 That the extension is shown despite extensions being hidden was confusing to me as well. Although, if you spend about 30 sec on this file, you might easily miss that.

Absolutely, a red flag with a fog horn.

1601 is the first year of the Gregorian calendar cycle that was active when Windows was designed

Completely reasonable interpretation, but those aren't the dates of the data, but rather the actual data being interpreted as dates. So because most or all of the data aren't dates, they naturally appear as nonsense when interpreted as such.

That's probably why they did it.

You need to watch a ThioJoe video explaining why file name extensions only it's not bullet proof. To summarize, there is a technique that exploits reverse reading languages to show a different extension at the end. Windows should stop dumbing some things and file extensions should be showed by default, and must be the last thing on a filename NO MATTER WHAT. But for now, it's not the case and it's ridiculous.

n00b

@@MANTISxB but the thing is sometime they send video file too... so if you are not carefull seeing the size... you will presume the big file ZIP is came from the vids

Yeah, I hate the fact that showing file name extensions is not the default on Windows. Makes it a lot easier to disguise executables as harmless files.

They should really stop being a company and putting out that virus, windows.

maybe the reason microsoft create that fituer because for people like us, who know the meaning of extension the hide thing is useless, but for people who doesnt know, mostly they will rename their file wrong (like delete the extension) but i agree with you, they need to update the system like,..they can just show the extension but not editable when rename the file

Agreed

It's optional, you can turn it off, and it's there because that's how Apple does it. Maybe Microsoft should prohibit changing a file extension by renaming the file, and only allow it in the Properties dialogue. And also, Windows should prevent multiple file extensions when any but the last is an executable file type. So something like ".pdf.old" is permitted, but ".pdf.exe" is prohibited.

@@richarda3659 Of course you can turn it off, but it's on for 99.999% of Windows users. It's the default setting from hell. And no, Mac doesn't do this. Mac has 4-character file types and creator that can't be downloaded from the internet. The risk doesn't exist in the same way on Mac. And Mac notarizes executables. Not even a comparison.

I don't know how people function with file extensions off. Sure, there's no guarantee that the contents of the file match the extension, but it seems to be at least an indication of what windows will attempt to do with the file if you open it.

Nowdays hackers use special characters to reverse filename to make it look like a legit file even with „show file extentions“ on

Even if file extensions are disabled, you should be able to see there is something wrong. All other files don't have the extension visible and this one did show the .pdf extension, so there should be another extension behind it, making the .pdf visible.

anyone doesn't look at the details of the file before clicking nowadays, I guess? I have all my download as in detail view showing off the file type. I've been freaking using this account as old as youtube and i'd never been hacked.

@@greatveemon2 since 2006?

exactly. i dont dont do anything like working with sponsors or anything, but last year in the university we had a homework in java programming (basically a game) and our teachers being lazy, we had to grade each others code (everyone gets 5 random people's code). and i specifically set up a vm in case anyone would put malware into it (you would think "oh, they are not stupid to put malware in it, just think about the backlash" but no. seeing how many programming students fall for free dc nitro scams, i will not take a risk)

Maybe that person manage youtube videos, thumbnails, tags, descriptions, tags etc. multiple videos at ones. That kinda apps are most needed. If it was just about editing videos, then they would have done it on an offline machine.

Maybe it was Linus himself.

@@Preetzole A Remote Desktop for YT account actions.

@@kkgt6591 I don't think Linus do those kind of things, I think he is only directing, managing now and prolly he employs PR, marketing, social scientist something, which prolly knows better what works.

Yea running vmware workstation and opening suspicious emails on a vm can go a long way to protecting your PC, definitely a hassle to maintain though.

They said that sponsored videos are uploaded by the marketing department, so that would be why

Linus is barely even at the warehouse unless he has to be in the video.

@tegneren but still that doesn't mean that one system should be used to process both stuff. LTT is a large organization and they can afford to have an isolated system to process outside information, before it enters the main server. Anyways they learned it the hardway!

This guy (LTT)is an Amateur and Arrogant Rich Boy...nothing than a Microsoft Employee that did a anti-linux rally and then his Secure Windows was Bombed till the ground....

New protocol - dont click and open unknown files like you are 7 year old first time using email

No i have seen 400mb pdfs. You obviously a noob.

The problem with a very fast internet connection is the employee probably didn't get a look how big the file and just automatically check the content after it's done downloading

@@HexRox The file is full of 0s, the zip archive would be actually quite small.

Even that is small, I would say. I made the yearbook for my class, and that is around 200MB. So I would be careful with blanket statements like that.

@@dismiggo A yearbook is different than an agreement form..

I would assume they could tie the session token to the current IP address, and if the session token is suddenly used by a different IP they cancel all sessions and request signing in again.

​@@alouiciouswrex7141That IP check would frequently get overboard when home ISPs and online proxies frequently change peoples public IPs. Same thing happens when facebook sends out an alert after every log in with an updated browser.

@@alouiciouswrex7141 That would not work with smartphones that go in and out of Wifi range, and use mobilenet when there is no WiFi. The best you could do is time and location. That's why banks invalidate sessions (log you out) after 5-10 minutes of inactivity. Most websites log you out on a device after a week or so. But youtube/google never does it, since if you are not logged in it's harder to mine your data. The worst part is that (when done right) stealing the environment essentially makes this indistinguishable from the original browser, making it a "trusted device".

@@EvanOfTheDarkness Fair point, I hadn't considered mobile devices

@@EvanOfTheDarkness or mac adres for mobiel devices

The only extension that matters or is actually an extension, is the last one. I fully agree that better file level security is part of the solution, and that begins with not allowing a file to be named .pdf.scr or .pdf.exe.

Why would anyone who's not a complete noob use Explorer as a file manager at all, let alone with hidden extensions?

"You are attempting to open an application file with the file extension [.ext] in front of it. Are you sure you want to open this application?" [info of application, name, publisher etc]

step 1: explore & gain trust

Should've immediately logged out

let's don't blame windows in the most gratuitous way, if feels a malware the OS starts to scream and puts the harmful file in carantine mode, in order to make it work you have to get in security panel and to give the proper rights - which probably the employer did

How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?

How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?

​@@flameshana9 I suspect in this case it was identified as suspicious and generated a message but didn't have enough confidence that it was malware to lock it down. You can decide what actions an AV takes on a file given the risk level determined. And they basically said that the number of false positives they would get at the level of security which would have locked down this file would be too large to manage without seriously harming their business (probably far more than the hijacking and one day of outage did). And, yes, every single business (and person) makes the decision to accept some degree of risk in various formats to facilitate operational efficiency. The question is how you balance the two.

Except that many attackers want control of your recovery e-mail only (in that phase).

@@johndododoe1411 you can have emails forwarded to an unattached proxy email for this purpose, using something like POP so they're deleted off the first address as soon as they're sent to the second one, then you'd have to intentionally send it BACK to the first email for them to have access to that one

They're running a youtube channel, not a military base.

@@takatamiyagawa5688 If your youtube channel is your livelyhood, you may as well go the extra mile to protect it well, because if you lose it, you basically lose everything. At least in case of Linus Tech Tips and bigger channels, it's possible to recover this even after a hack happens, but it takes a lot of effort regardless and taking extra security measures to prevent this kind of thing is very worthwhile.

mental outlaw has been saying for months and months if not years to go buy a shitty chrome book and use that to answer the business email.. Whats even worse is a lot of these losers use their personal email to get business emails, which has secured future fuckery. They SHOULD have a email solely for sponsorship offers, and you should only use that email on that latop. Unless you can have a braincapacity above a 5 year old and just not click them. Greed is what makes people fall fr this shit. Being content doesnt leave you with shady business.

yes, i saw that video 😁

Yes, there's some kind of hack involving right-to-left languages.

Interesting. It's U+202E ‮

Pretty sure .scr is one of those superhidden extensions, like .lnk and such. In this case, they didn't need to use that special command.

Well, a bunch of amateurs will amateur.

This is one of the reasons why I'm on Linux 100% since 2007, and never went back to windows, not even for work.

weirdly it can be delegated via API which means if you have the capacity you can "relay" the intent with custom local tool/ web service

They could use clean virtual machine or server for posting only

That is 100% not at all what this ramps down to lmao.

@@dontaskiwasbored2008 True, but cool API fact.

KZfaq Studio is just *incredibly* poorly designed. It's an absolute disgrace, especially since it took them absolutely forever to create and they had a very lengthy (multi year!) feedback period that they literally did not do anything with. In KZfaq Studio you either have too little access or way too much access. If you're an editor you can't even edit a playlist (because that can only be done in the main site, and they simply didn't bother to implement in in Studio!) As someone who's been a professional in this space for half my life it's actually OFFENSIVE to me how poorly designed it is. They literally just didn't bother doing it anywhere close to properly. Everything about it fucking sucks ass from the UI to the core functionality.

There are more in depth videos on the channel. :)

While I agree, there are also issues with having security settings too strict, as they might leed to users circunventing them so they can do their job. Now insted of some security, you have none. So, since they said they couldn't handle the amount of false positive they settle for that. Was it the best idea? No, but they did what they thought was right. It seems that looking forward they should look into how to handle better the false positives or alternatives software suites. That beeing said, as you also said, Google not reauthenticating users attempting to do massive changes on the channel seems like a big mistake on their part.

The fact the Google will allow login from a cookie and then change password + 2FA *without* confirmation from either is downright neglectful.

@@mechwarrior83 you clearly do NOT understand how logging in from a cookie works. It's not that google "lets" them. It's that you're essentially just copying how they logged in, and it's the same session in essence.

@@Pandaptable So confidently incorrect. They could force a reauthentication even with a valid session. Many services do for important changes.

You sound too invested in them personally.

or just don't let applications (like screen savers) read any arbitrary data on the disk. especially web browsers

@@bluemeriadoc BUt you could still read it with regular executable programs.

Would you be okay entering a password every time you launch the browser?

@@rohanjamadagni maybe, but it's not necessary. you can leverage the operating system to encrypt based on the computer's password or protect the address space, or both

@@bluemeriadoc encryption only works when theres a password attached to it. If the browser can launch without needing a password, the hacker can just steal all the app data of the browser and launch it in their system regardless of what the os does. Windows doesn't have strict permission checking for files and even if it did if the program got admin access, it's basically useless. The only way to fix this is to have your whole browser password authenticated, kind of like how password managers are as browser extensions. From a website pov, you should have implemented uuid checking or some hashed hardware Id checking in the cookie, again this should be implemented by browsers as it would be a security risk to allow websites to detect a hw id. Overall, I'd say from a developer perspective these kinds of attacks are really difficult to mitigate without making the ux of the user worse.

Why aren't the session tokens encrypted and only readable by the issuing web browser, based on the browser's internal ID?

@@richarda3659 Encryption doesn't matter when malware runs on _your_ computer. Where would you store the key? If your OS has access, then malware can find a way to gain access as well. Even if a hardware TPM or Secure Enclave was present. And aside from encryption being resource intensive to do (and battery hungry), it also would be highly ineffecient if your browser is already running, as that data would be in memory, unencrypted, anyway.

it's not "the technique", the attack vector was someone being dumb. anyone with an RCE can do anything on the machine that you can do.

​@@dealloc the key does not have to be locally present nor does it have to be static; it can be a calculated value either based on datetime or another system similar to RSA tokens. there is also no need to "store the key" since you can input it every time, e.g. biometric keys. encryption is not resource-heavy, every layer 4+ connection you make has TLS over the top of it. it feels like everyone on here is just making guesses as to how computers work without understanding the stack. scowering memory is not a reliable vector of harvesting tokens.

Like how to monetize someone else's misery?

@@asksearchknock that's kind of super out of context though and not what he said. Obviously it makes sense in certain situations. And while it's probably blasphemy to say this on a malware channel I think he's probably right for most average people.

Your friend is a true friend.

@@jinxterx Yeah he is a true friend for sure. And this feature saved me several times.

Yes, It may help criminals more than users..

never use antivirus, just move linux, lol

@@aoeGamingAEGIS (will only be effective until linux marketshare increases to the point it'll be worth making linux malware, even then i'd still be careful with downloaded files on linux, by lowering your guard you increase your risk of getting hacked by a lot which is why i still triple check downloaded files as a linux user myself)

@@vonKarma1186🤓

Totally DO use an antivirus if you want to throw 95% of your machine's performance away 100% of the time vs. that one time when you should have had the common sense to realize whatever you just downloaded should at least be checked by virustotal.

They totally should sell new underwear with that branding on it.

Yes and no. You could probably come up with ways to determine a file as being potentially unsafe by looking at random bytes in a file to determine whether it contained zero padding or not. But that would likely also issue a ton of false positives. And zero padding is not the only way to circumvent it. It could just be a bunch of random data as well-it's now much harder to determine what the file is. There are anti-malware that does this kind of analysis already, when you run a full scan or manually select a file for a scan. But while in the background, you don't want it to do a full scan and take up all your resources and potentially battery. So it's both a user error and a problem of detection. If you are uncertain about a file, manually scan it with your anti-malware software at least.

Agree. Doesn't take much effort for a virus scanner to pass through the file with a trimmer to validate 99% of it being empty space. But of course, if they were to do that then the hackers would just start padding files with random noise, defeating trimming it .

The sort of person that has file extensions disabled probably isn't paying attention to the end of the file's name,

@@takatamiyagawa5688 And wouldn't think anything of it, even if they did notice it. It's also possible that the person has extensions enabled on their home computer, but disabled on their "LTT work" computer, and missed it because of that. Or maybe it was a new install and somebody forgot to change the setting.

In latest WAN show, Luke said the attack was flagged by their AV. But since they did not set it to highest level, the attack was not shown/seen. So curious about these too.

I believe he did - it's isolating the functions so the machine/person opening the emails doesn't have access to the higher privileges needed to attack. One thing he didn't mention is never use your machine when logged in as a local administrator. Only use those accounts when doing maintenance. I remember reading sometime back that most attacks will fail if the user only has "user" privileges. But people resist anything that gets in the way of doing what they want to do.

how do you activate it?

@@Gargantura depends on the version of the windows but a quick google search will give you the answer. i usually do it by control panel and folder options. then there should be a checkbox somewhere to make em visible.

@@darthnegativehunter8659 aight thanks

Also obvious if you always show the real extensions for all files. It should be the default in Windows, but it is not.

i Hope More Malware builders test on LTTs Ecosystem.....i hate that guy·....

@@fabricio4794 what's with the retarded captialisation?

@@fabricio4794wait why lol

not like they can get Remote tools to check for them because of one thing Being too famous is asking for problems ----------------------------------------------------------------------- he get out of the shower to check his channel Not getting dress like an fother does If I was an kid I would be outside because of the noise from an hacked channel to scar kids as well

At first I've thought that those channels sold their souls to devils for quite a lot of grands but then I realized that most of them might have been hacked like Linus.

They do something similar to that for passwords, where they will use OS-level security/encryption as appropriate (on Linux and macOS you have KeyChain, Windows also has something similar). It would be nice if cookies are also caught in that.

Um.. the whole point of session tokens is to not have to put in a password... So the real solution is: "don't choose 'remember me'"

@@FrumpyJones I don't agree, having to login every time on every website can be tedious, where one prompt when you open your browser asks the user for much less effort.

The real solution would be to keep your sessions short

yeah but what if I just want to move my data from one pc to another? i just raw copy-paste files and tadaaa, I don't want encryption bllshit to deal with. Isn't windows fault it doesn't has a alert: u're about to open a .exe or.src file, are U SURE? And this to not be annoying, it would pop up only the first time u run a file. And u can even disable it...

Filetype manipulation can be accidental.

Some foreign languages are RTL, so yes there are legitimate use cases for the character appearing in a file name

@@o00nemesis00o but not in the extension, and that's pretty easy to check for.

@@LordSStorm windows warns users when changing the extension, and in this case the user could undo the mistake or make the logical conclusion that the file is or is not suspicious.

Windows likely didn't trigger UAC because then I bet they would've realized something was off. You can copy files and connect to the network without admin priviledges, I've done that myself and you can check by the simple fact that your browser, wich doesn't need admin rights to run, can both read, write and send files.

shut up

No, because hiding file extensions has made this possible for decades, MS cannot possibly be ignorant of it, and they just won't do anything because... hell if I know why.

Why you download this file? Nothing better to do just downliading random stupid files?

@@dzenacs2011 I think I took necessary precautions. And I got this message from artstation, so I couldn't exactly check if they were legitimate or not. As they claimed to be a game company.

Windows and its file signing can be bypassed for years already by just using a official signing tool on any regular executable and moving the bytes to the malware executable.

@@kuromiLayfe Then the signature wouldn't match the file.

@@Hyxtryx all the signature check does is see if the amount of bytes match that sig data and if they are in the correct spot… guess what is correct when those bytes gets moved or copied to a malware version of a executable ( exactly the same method as shown in this video to mask malware code by bloating the filesize to bypass online scanners)

Yes it can be compressed to a very small file.

Yes, it would of been flagged as an unknown file and auto contained.

'cracked applications on my test machine', I had a good laugh.

@@rflair sure..go on. I hope it helps you. People say laughter is the best medicine

@@mellowtones1985 thanks..good to know

In my Linux I can run by double click just fine.

Microshit even requires execute permission on every document you open with doubleclick, thus forcing insecure security settings .

@@FlorinArjocu Huh? Strange. Maybe it depends on the desktop environment. On Linux with KDE (and I think on Gnome too) the default behavior is to just open a file when you double-click it and never execute it unless specified.

@@EricchiYukia Don't remeber exactly, I think I do check the "execute" checkbox, but I think that is not always the case. In the end it depends on the permissions to the file, if it has the +X or not. I am on Gnome (Ubuntu).

@@FlorinArjocuYes, that too! Files downloaded from the internet always have the "executable" flag disabled on Linux, and that was made exactly to prevent incidents like the LTT one.