My Channel Was Deleted Last Night.

CPotter

Was wearing my WAN Hoodie at Disneyland today and had 4 people over the day ask if I heard about the hack 😅

See I'm a 21st century digital boy,
I don't know how to live but I've got a lot of toys. 


11 hours ago, Arika S said:

why does Linus look like Walterific?

It's a Gaelic hair style, it used to be common.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

10 hours ago, earthman06 said:

That's interesting.

I'm not an AV expert, but what you are describing sounds to me like how a sandbox works. Functionality is great, but at the cost of performance.

How is Cylance performance overall from your impressions?

I worked for one of the bigger cybersecurity companies in the past and now run IT, so I need to make decisions that affect big networks. Cylance has little impact on system performance and is still my preferred endpoint AV product.


9 hours ago, captain_to_fire said:

I'm pretty sure that is not true. While every endpoint protection program uses so-called "ML algorithms, pattern matching, and cloud sandbox detonation", they still have to use signatures to rapidly inoculate other users from the said malware. If patient 0 was infected by a new malware with detection evasion techniques, that AV would still lock that file and upload it to a remote sandbox for detonation, or if it needs manual intervention of a security analyst, then they deploy signatures to inoculate others. Heck, even those so-called ML detection algorithms require new signatures made by human experts because malefactors will always try to figure out how an AV's algorithms work until they can bypass them. That's how all AV programs work. Now if a company has an EDR sensor, then it can spot changes to endpoints regardless of whether the EPP was able to detect it or not.

 

https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2018/02/Emotet-fig4-Windows-Defender-AV-cloud-protections-service-2.png

https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2018/02/Emotet-fig1-layered-machine-learning-models-funnel-3.png

No, they don't have to use signatures. We have big parts of our network (the OT network) that have no internet access, no automated updates, no sandbox, and the system works as designed.


Without reading the rest of this thread in case it was already mentioned, nor being familiar with YouTube content manager accounts, and having only watched the video, I assume the reason Linus resetting his password didn't invalidate the session the hacker was using was that they were using a sub account, so having a button to invalidate all sessions with any level of permissions may have helped?

 

I'm not sure what the better solution Google has in the works is, but off the top of my head this is how I would solve it, which AFAIK does not exist yet (verified with 5 minutes of searching), and am curious what others here think of this idea.

 

Basically, if you could add a physical key like a YubiKey as another factor, you could set a very short expiry on all session tokens, say 5 minutes, and have them automatically check the security key to automatically issue new sessions; this way you don't run into notification or password fatigue. So basically the previous session + YubiKey can create a new session without needing your password. For the case of actively running malware constantly grabbing the new session, require everyone to remove their YubiKeys from their machines when they're done working to prevent this sort of thing from happening at night, or have the machines automatically hibernate when inactive.


On 3/27/2023 at 1:24 PM, Biohazard777 said:

Just a heads up @CPotter, @LinusTech
searching for Techquickie and Techlinked channels still shows the Tesla logo:


 

Tried from Incognito / Private browser mode, 2 browsers, with a VPN from a couple of different countries...
So this seems not to be just a local cache or regional server cache issue.

I think it is just a YouTube being a mess issue.

I’m guessing LMG want to fix it, but can’t.


So just learned that one of the first things Linus tried was signing out all devices, but due to how broken YouTube is, it would not let him.

Talk about f*** ups. Wow, YT.


6 hours ago, CoolJosh3k said:

So just learned that one of the first things Linus tried was signing out all devices, but due to how broken YouTube is, it would not let him.

Talk about f*** ups. Wow, YT.

I think it was because it was another account that had permissions on the channel. I am pretty sure Google lets you invalidate all active sessions to sign out everywhere, and does this when you change your password (active sessions are tracked server side and can be invalidated before expiry). However, other sites like WordPress don't have this ability, so the session token is valid until it expires (14 days I think?), and all "signing out" does is delete the session token locally, but if there's a copy of it somewhere else it is still valid for the remainder of the 14 days (active sessions are not tracked server side).

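A worked illustration of the distinction norgaladir draws above between sessions tracked server side (revocable before expiry) and a self-contained token that only "expires", and of the sub-account problem raised earlier in the thread (an owner's password reset not touching a delegated manager's session). This is an added example, not code from the thread, YouTube or WordPress; the account and channel names, the 14-day TTL and the HMAC key are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
SECRET = b"constructed-demo-key"  # constructed; a real service keeps this in a KMS/HSM

@dataclass
class Session:
    account: str    # who logged in: the channel owner or a delegated manager
    channel: str    # the resource this session may act on
    expires: float  # epoch seconds
    revoked: bool = False

class SessionStore:
    """Server-side registry: every live session is a row that can be killed before expiry."""
    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def issue(self, account, channel, now, ttl=14 * 24 * 3600):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(account, channel, now + ttl)
        return token

    def is_valid(self, token, now):
        s = self._sessions.get(token)
        return s is not None and not s.revoked and now < s.expires

    def revoke_account(self, account):
        """What a password reset usually triggers: only that user's own sessions die."""
        return self._revoke(lambda s: s.account == account)

    def revoke_channel(self, channel):
        """'Sign out everywhere' at the resource level: owner AND delegated sessions die."""
        return self._revoke(lambda s: s.channel == channel)

    def _revoke(self, match):
        hits = [s for s in self._sessions.values() if match(s) and not s.revoked]
        for s in hits:
            s.revoked = True
        return len(hits)

def stateless_token(account, expires):
    """Signed, self-contained token: the server stores nothing, so a client-side 'logout' cannot revoke it."""
    body = f"{account}|{int(expires)}"
    return body + "|" + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def stateless_valid(token, now):
    body, _, sig = token.rpartition("|")
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, good) and now < int(body.split("|")[1])
```

Revoking by channel rather than by account is what makes a stolen delegated session die together with the owner's; the stateless token shows why a site that keeps no session table can only wait out the expiry.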

9 hours ago, norgaladir said:

I think it was because it was another account that had permissions on the channel. I am pretty sure Google lets you invalidate all active sessions to sign out everywhere, and does this when you change your password (active sessions are tracked server side and can be invalidated before expiry). However, other sites like WordPress don't have this ability, so the session token is valid until it expires (14 days I think?), and all "signing out" does is delete the session token locally, but if there's a copy of it somewhere else it is still valid for the remainder of the 14 days (active sessions are not tracked server side).

Whether it would have signed out everyone and not just the owner isn’t the point. Linus said that due to the activity happening many functions just timed out and gave errors.

This says to me that a bad actor can manipulate the system by overloading it such that the owner cannot access features they need.

 

I would expect any site with a log out feature to actually invalidate the session from their server. If not, then this makes session hijacking much more damaging at the fault of the platform.


LTT is now officially too big to not have a cybersecurity team. This should be a wake up call to Linus about hiring one, that could have been much worse.


  • 2 weeks later...

So, I just had this happen to me... able to bypass my 2FA and changed my Google information... YouTube channel was deactivated, and the associated email was changed to a new gmail domain and locked with a USB key. Does anybody know what else I can possibly do? Finding this out on a Friday evening, so Google won't even have any humans available until Monday. :\


On 4/15/2023 at 2:44 PM, NeekoLionheart said:

So, I just had this happen to me... able to bypass my 2FA and changed my Google information... YouTube channel was deactivated, and the associated email was changed to a new gmail domain and locked with a USB key. Does anybody know what else I can possibly do? Finding this out on a Friday evening, so Google won't even have any humans available until Monday. 😕


That is quite a mess and Google most certainly should have had reauthorisation required for something as major as that.

Do what you can to at least regain access, then consider a backup service for everything Google/YouTube, such as forwarding through ProtonMail.

 

A very strong and free AV scan can be done with KVRT: https://www.kaspersky.com.au/downloads/free-virus-removal-tool and is good for a pass over your system. It is likely to catch malware even the best (and still very reliable) security software will miss.

 

Certainly mention stuff like the LMG hack, and other examples, when talking to Google/YouTube. The hardest part will be getting in through to someone who can actually do something.

 

It is terrible that such major changes to an account's security can happen without any double-checks, but to then make it so incredibly difficult to do any sort of recovery is just not acceptable.

 

Keep us up to date on how things go with this. It could serve as a good example and useful information, while we in turn might be able to help you recover.


  • 3 weeks later...

Hello Linus. My friend's channel suffered the same thing and he has been trying to get it back to no avail. He had his channel (Living on the land/hunting and trapping in Canada's Northwest Territories) The Wild North for more than a decade but has had no success in opening communications with YouTube to be able to have his channel reinstated. Hoping there might be something you and your team could do to help him, as all two YouTubers in our little town of less than 3000 don't seem to have a lot of... voice.

I was granted the honor of doing an edit for him and have one of his videos on my channel to show you the sort of content he was offering, which was a great educational asset for northerners, and those who may not know about northern cultures and practices.

Here is a link to the video I edited for Andrew.  If you think there is anything you may be able to do to help with his situation, please feel free to message me and I will put you in contact with him ASAP.

Thank you in advance for your time.

 

 


  • 2 months later...

Here's another little guy that got hacked just like you:

 

https://www.youtube.com/@TesIa_US.2023/

 

It used to be a guy who made videos about fixing up old tools.  But he had 15k subscribers, not 15M.  17 years of work lost.  LTT seems to be sympathetic to the plight of the little guy in this situation; can you help, or report here a better way of reporting hacked YT channels since your incident?  Because Google still doesn't have a "I think this channel has been hacked" path in their abuse UX.

http://dnighswander.blogspot.com is the guy's blog.  He's made a new channel at https://www.youtube.com/@DavidMNighswander-ir7os .  Can anyone help him?

