Comments
@user4gent416 6 days ago
They shouldn't keep these sensitive data in their servers. At least they should keep them temporary, wait for user to download them. Then maybe they can use companies local offline software to use their data.
@joachimvonkienitz4544 9 days ago
Your English slang is only understandable to hackers, but not to people who work in programming, and certainly not to normal people.
@ХщБбдДЗ 17 days ago
Nope Info~mathiK or koption‘!!!
@ХщБбдДЗ 17 days ago
Why don't you file the pw away with wattage 0,1 is Windows 0,561 is Microsoft 0,8 is read 0,71 is Linux backdoor with 7100918 blasted in with the floor lamp and frequency minimum 90+ And only the Zipk-aej&0 Everything so far Python The rest you load with Bildretram always works Faking Virtualbox takes at most 15 seconds for all Cp‘s-Guphjj so with a 0,000mbits power generator with exactly 91FQhz
@PeBu34 2 months ago
Hello @LiveUnderflow, I landed on this video by chance. One question: Who is your target audience here? I have no idea about hacking and understood very little here. I hope people like me don't belong to your target audience. :) In the pinned comment you ask viewers to watch the video at 1.5x speed. Why should I do that when I already find it so hard to follow you? :) I wish you continued fun and success with your channels. Kind regards from Peter :)
@broomandmopmop 2 months ago
thanks for great content
@DominikR-ju2hf 4 months ago
Good video
@waterinferno2071 4 months ago
"Spent so much time and money on this game" and the legend made it pick your own price on itch. An absolute G (for genius)
@LiEnby 4 months ago
Your definition of ethics is shit. If it's an "established rule" to be horrible to someone it's not unethical to not do that.
@florencetown4024 5 months ago
10:00
@v-for-victory 6 months ago
Kudos. I really only perceive the man as someone who rants at some companies (mostly in public LinkedIn posts), saying none of them respond properly. Then there are some dubious newspaper articles listing some massive vulnerabilities in Excel or other products that he allegedly discovered. What kind of weaknesses these are is kept quiet. Grabbing maximum attention with zero substance.
@AntonioSouza 6 months ago
Windows 10 ctrl + shift + win + alt + w open Word ctrl + shift + win + w + alt open Microsoft 360
@mojed6666 7 months ago
Thank you! Very nice :-)
@aminel2a 7 months ago
It turns out that joern is s*t and codeql is a cool sh*t.
@darthfather1294 7 months ago
The funny thing is that the IT network of the healthcare system in Germany basically lay fallow until 5 or 10 years ago, any bum could see anyone's X-ray images, in hospitals you could infiltrate the RJ45 ports etc. etc. Germany is way behind when it comes to the internet....listen to what the MERKAL said....ITS NEULÄND xD
@bastonyx 7 months ago
Wow - I wanted to see how Leeroy fell for hackers. Now I've been listening for over 5 minutes to how good you are and everything you've already done, where your name appears etc. So, here you go, "LiveUnderFlow", you are a genius, wow, bravo, super.. - Watching on now and curious how long it takes until we get to Leeroy..
@diegocastillo6470 7 months ago
I thought I was getting a handle of Deutsch... I was wrong
@JamieNadeau 8 months ago
this whole thing is confusing to set up, they need to update their instructions to make it less confusing
@grahamnichols1416 8 months ago
Really useful video. Liked and subscribed.
@alexanderfuchs4252 8 months ago
Hi @LiveUnderflow, with all due respect, but honestly I don't find this action of yours really very constructive. Because it may well be that Jean Pereira didn't work out the details in his post quite optimally and that it could have been done more nicely/professionally. But with the basic problem, that IT security in many areas, and especially in the medical sector and/or at municipalities or educational institutions, is in part absolutely disastrous, he is anything but wrong. See the current story with SIT. 😔 In other words, instead of needlessly squabbling here over things that are rather inessential as far as the core problem itself is concerned, I would find it nicer if you would perhaps rather work together on the core problems mentioned, or rather on solving them. 😉🕊☮ Regards, Alex
@Hellohellohello803 8 months ago
"The lockdowns didn't work because we couldn't get haircuts" - LiveOverflow What a d****ss. 🤦‍♂️😂
@mrgilbe1 8 months ago
I have to hard disagree. I have over 400 unique passwords in my vault, are you claiming that without a vault I should remember 400 unique strong passwords? If I use a vault, that's a single point of failure (cough *lastpass* cough) and you're in an even worse position than without it. What sites didn't salt and hash their users' passwords? How did 23andme not notice tens or hundreds of millions of login attempts at complete odds to those accounts' normal behaviour? When storing somebody's actual genome, why not REQUIRE 2fa as a minimum bar? TL;DR you're expecting superhuman abilities of regular people and the supposed professionals in the room are getting let off with incredibly lax procedures for an incredibly personal and private dataset
@drewalleman 9 months ago
Could you create a KZbin video discussing the platform's guidelines on ethical hacking, including key dos and don'ts, and share your insights from past experiences with strikes? I faced a channel strike after posting a malware analysis video and would appreciate your expertise on navigating these rules.
@xDaphil 9 months ago
Good video! Totally weird to hear you speak German
@rainerzufall4711 9 months ago
If I were you, I would also open a German channel or also shoot every video spoken in German.
@pwnweb5734 10 months ago
information explosion at @17:09
@hanneswinkler6686 10 months ago
I think it's good that you separate your personal conclusions from the facts; and then always say "of course it could also be that they collaborated without me noticing, or that he used this bamboo, or that I misunderstood something" etc. After all, one doesn't want to spread misinformation. But it is perhaps a bit verbose in some places :D Otherwise a very interesting video!
@deepansharya1111 10 months ago
This is funny af 😂
@kicosger5909 10 months ago
Hi, what is your opinion on the Counter Strike 2 XSS exploit /watch?v=1TWeeTfTfXs
@2Kisho 10 months ago
Hi there, getting everything in a big funnel, I miss your solution for the whole problem? You showed the big-picture, most users use the same passcode for several services. What would solve this issue? Password manager with a single secret, so you only use onepads for a service, restricting the user to only have access to the service by using this manager? From a user sight, good luck typing a 16 character code on a device, that's not provided with a keyboard. It is too clumsy. Either that, I do not have a solution to that problem...
@csthll 10 months ago
theoretically the companies could solve this issue. They could change the authentication technique and use something like passkeys or fingerprints
@ByteForByte 10 months ago
Would be nice to mention passkeys here. When shifting authentication to private and public keys you have the huge advantage that the user can store the private information itself. Everything stored on the server is the public key which can be stolen. Also phishing is therefore not possible. Anyways I still don't like the approach from Apple and so on to use multiple device passkeys and store them in the cloud. But for inexperienced users this would be a game changer since it's easy to use and you can't do stupid things (at the end it doesn't help against implementation flaws). Maybe you can make a video about that. Would be interesting to get your opinion
@sudo11 10 months ago
hey can you please do a video on binarly's logofail uefi vulnerability
@fabianstoll 10 months ago
Giving such a company your data is dumb.
@motbus3 10 months ago
I think there was something else wasn't it? it seems they could harness extra information from relatives because knowing an id (or something) they could actually see the private details for that relative. Sorry if I understood it wrongly
@maxmustermann9858 10 months ago
That’s a difficult topic, sure everyone is responsible for their own security but everything should also be secure by default. Then there comes the potential trade off between security and security most of the time. I’m all for that it should be a requirement for service providers to at least offer best practices security features like 2FA or other standards like Fido. But I’m never a big fan of forcing someone to use something they don’t want to understand, so it’s important that for example when you sign up and choose your security methods that you get informed what potential impacts your decision may have. Let’s use Passkeys or like it’s really called Fido2 WebAuthn, this could be or should be the nowadays standard instead of using Passwords because with this technology we get rid of a lot of end user mistakes like re-using passwords or phishing.
@AmericraftGaming 10 months ago
By this reasoning, we could also state brute force password attacks are solely a result of user error. I don't share this idea as it has been common practice for companies and corporations to create systems that account for these low level attacks, especially to this scale that can produce significant harm.
@rosco3 10 months ago
If you have a weak password then sure, brute force is on you. If you have a good password and the company allows the attacker to try passwords fast enough to break it then it's mostly on the company
@tlhIngan 10 months ago
The main reason we have driver's licenses is not because the driver needs driving education. It's because the driver is in charge of a machine that can cause serious harm to others. We don't care about the driver driving off a cliff as much as we do that driver killing an innocent passer-by. After all, if you're walking down the street, you wouldn't want to be run over by a driver through no fault of your own. You're just walking down the sidewalk, and be run over by a careless driver a moment later. This is why we have driver's licenses - they are to instill the fact that you're in charge of a machine that can cause serious damage to someone through no fault of that someone. Perhaps it's also time for companies, when they get a password change request or new account to check to see if that username and password is already in the database of leaked passwords to prevent reuse of known vulnerable passwords.
@sookendestroy1 10 months ago
Nice Gene's...I'll take them!
@tuberroot1112 10 months ago
Anyone who even sends their DNA to this service and EXPLICITLY gives them the rights to this data afterwards, has no idea about security and privacy and is a complete moron. They are probably also giving away data about relatives without any consent or knowledge. This would be exactly the same if they 2FA, 3FA or F.A. FA.
@Bobbo-l1q 10 months ago
That's another good example that the greatest security issue sits between monitor and keyboard😉☕
@logiciananimal 10 months ago
On the narrower question of "how do I become a red teamer if I can't find tutorials on how to do what they do?" Answer: A lot of what we do (well, I am actually purple team, but ...) would be: you don't learn to do *that*, you learn materials that then confront you with the choice: how to apply the skills. A tutorial which already makes the ethical decision for you is bad news. There's actually a very interesting way to see this from the philosopher Mario Bunge: Suppose the pattern "if A then B" is known - perhaps well enough to be taught or appear in texts. The technologist then has two choices knowing that pattern: she can implement A and get B out, if B is regarded as desirable or do what she can to prevent and then minimize B. (Not remove, because of course there will be other ways to it). This is why technology is NOT morally neutral; one's technology embodies one of those decisions about the way the world SHOULD be. (Compare that to the basic science and applied science which discovers that "if A then B" pattern.) As for how to discover which of the two ways to use the conditional is the way to think about, this is why one needs substantive ethical theory, as well.
@mmdts 10 months ago
TL;DR: It is a security problem with the company. It is a security problem with every single enterprise BS software. They value UX over security and it bites them. Security comes in layers. Being vulnerable to user stupidity is just embarrassing.
I would like to say that this is a problem with their security model, and it is a solved problem for two reasons, then present my extreme view for contrast:
1. This is a solved problem: Use a context-aware entropy calculation for password strength - one that's intended to remove the human aspect of passwords - one that would yield low entropy to dictionary words (even with substitutions), and varying entropy based on letter frequency in known dumps (a, 1, e, o, and r would have lower entropy than j, 7, f, and <), and have spatial awareness on common keyboard layouts (a password like qwerty123%^& would be very weak), and then push the bar really high for what entropy is acceptable. This way, a user can decide to use a 9-English-word password or a randomly generated 16-alphanumeric-character password to achieve the same strength, but no matter what they do, they cannot have a password that could be calculated from a salted hash in the event of a database leak (or seizure by armed forces). The closest we have is zxcvbn (dropbox.tech/security/zxcvbn-realistic-password-strength-estimation) but honestly, we can do better.
2. This is a solved problem: Doesn't ZKPP (en.wikipedia.org/wiki/Zero-knowledge_password_proof) make "brute forcing hashes from data breaches" obsolete? Computers, internet connections, and availability (the cloud, y'know) have gotten to the point where 10~15 request chain would take less than a second, and would be acceptable latency for a login. I'm not very knowledgeable on this topic so please challenge me if I'm wrong.
3. My extreme view for contrast: I'm a fan of not letting users choose their passwords. A trusted client randomly generates one using your platform's crypto RNG, gives it to you, and sends it to the server to be hashed or stored in the database. If you choose to reset it, the client decides the new one. I trust adults to be able to store a password safely on an uncompromised device more than I trust them to use strong passwords.
a. You can set a password of your choice by sending the POST request yourself, but then, you know what you're doing and you're responsible for it. The server will only check for sufficient entropy. If you choose to recycle a *very strong* password, it's your choice, at your own risk. Attacks on you would fall in the realm of targeted attacks, rather than indiscriminate number crunching on leaked databases, which means your choice does not put my 23andme at risk.
b. Then, I'd put a "Can't remember it? Try this free open-source password manager" link for people who are new to managing their credentials.
Maybe if more people do like I do, then adults have to deal with hundreds of randomly generated passwords, and then they would think twice about their security. We'd have a new stream of users who keep all their generated passwords in a plain-text file on their machine, but then, it becomes an issue of platform security (just like their ssh keys inside .ssh), and also falls in the realm of targeted attacks, rather than indiscriminate number crunching on leaked databases.
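Added example (not part of the comment above and not zxcvbn's code): a small Python sketch of the context-aware strength check the comment describes, scoring a password by the cheapest mix of dictionary words with substitutions, keyboard walks and frequency-weighted characters. The word list, bit costs, frequent-character set and the 80-bit bar are constructed assumptions.

```python
import math

# Constructed sample data: assumptions for illustration, not real breach statistics.
WORDS = {"password", "dragon", "monkey", "summer",
         "correct", "horse", "battery", "staple"}
WORD_BITS = 13.0            # assumes the attacker's dictionary holds ~8192 words
LEET = str.maketrans("0134@$5!7", "oieaassit")             # undo substitutions
UNSHIFT = str.maketrans("~!@#$%^&*()_+", "`1234567890-=")  # shifted -> base key
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
WALK_BITS = math.log2(sum(map(len, ROWS))) + 1.0           # start key + direction
COMMON = set("aeorinst1023")   # characters assumed frequent in leaked passwords
MIN_BITS = 80.0                # acceptance bar (assumed)


def char_bits(c):
    """Frequent characters are cheap to guess; others cost a printable-ASCII draw."""
    return 4.0 if c.lower() in COMMON else math.log2(95)


def word_bits(chunk):
    """Cost of a dictionary word after folding case and leetspeak, else None."""
    folded = chunk.lower().translate(LEET)
    if folded not in WORDS:
        return None
    return WORD_BITS + (1.0 if folded != chunk else 0.0)   # +1 bit for a variant


def is_walk(chunk):
    """True if chunk runs along one US-QWERTY row in either direction."""
    keys = chunk.lower().translate(UNSHIFT)
    return any(keys in row or keys[::-1] in row for row in ROWS)


def estimate_bits(password):
    """Cheapest cover of the password by words, keyboard walks and single chars."""
    n = len(password)
    best = [0.0] + [math.inf] * n       # best[j] = fewest bits for password[:j]
    for j in range(1, n + 1):
        best[j] = best[j - 1] + char_bits(password[j - 1])
        for i in range(j - 2):          # chunks password[i:j] of length >= 3
            chunk = password[i:j]
            cost = word_bits(chunk)
            if cost is None and is_walk(chunk):
                cost = WALK_BITS
            if cost is not None:
                best[j] = min(best[j], best[i] + cost)
    return best[n]


def acceptable(password):
    """Server-side gate: reject anything an informed guesser reaches cheaply."""
    return estimate_bits(password) >= MIN_BITS
```

With these assumed costs, `qwerty123%^&` is covered by three keyboard walks and `P@ssw0rd!` by one folded dictionary word plus one character, so both score near 20 bits and are rejected.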
@ovalwingnut 10 months ago
ShOcK & AWE... "the voice of reason" in 2023? Impressive :O)
@Play_it3110 10 months ago
In general I understand your point, but the security is many times not high enough to prevent such trivial attacks. Just using rate limiting of 1 second per login attempt would add 5000000 seconds or 57 days and some hours. It would have taken nearly 2 months longer to gather all this data and this is just the number of successful logins. I see 23andme at fault.
@rosco3 10 months ago
There are ways to bypass those rate limits, accessing from multiple IPs, parallelizing access (not to the same account ofc). Don't know if they already do rate limiting but it's not bullet proof and if you're not monitoring that it's irrelevant to implement. Delaying the breach 3 months doesn't change anything
@mrgilbe1 8 months ago
@@rosco3 if you're not monitoring for spikes of unusual behaviour then you're asleep at the wheel. This hack not only made millions of login attempts, likely to accounts that hadn't been accessed for months or years - they scraped all the data in ways that couldn't possibly have looked like regular humans navigating a website.
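Added example (not from any commenter in this thread): a Python sketch of the monitoring discussed above, run over constructed login events. One check flags a source IP that tries many accounts in a short window; the other counts successful logins to long-dormant accounts across all sources, which still fires when the per-IP limit is never reached. Field layout, thresholds and addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict, deque

# Event layout (assumed): (unix_ts, source_ip, account, success, days_since_last_login)


def sample_events():
    """Constructed log: three ordinary users, one noisy IP, one low-and-slow pool."""
    ev = [(100, "198.51.100.7", "alice", True, 2),
          (900, "198.51.100.8", "bob", True, 1),
          (2000, "198.51.100.9", "carol", False, 5)]
    # One address tries 8 different accounts within 40 seconds.
    ev += [(300 + 5 * i, "203.0.113.50", f"user{i}", False, 30) for i in range(8)]
    # Six addresses, one attempt each, ten minutes apart, all on dormant accounts.
    ev += [(600 * i + 50, f"192.0.2.{i + 1}", f"old{i}", True, 400) for i in range(6)]
    return sorted(ev)


def spraying_ips(events, window=60, max_accounts=5):
    """IPs that touched more than max_accounts distinct accounts inside one window."""
    recent = defaultdict(deque)          # ip -> (ts, account) pairs still in window
    flagged = set()
    for ts, ip, account, _ok, _idle in events:
        q = recent[ip]
        q.append((ts, account))
        while q[0][0] <= ts - window:    # drop attempts older than the window
            q.popleft()
        if len({a for _, a in q}) > max_accounts:
            flagged.add(ip)
    return flagged


def dormant_login_spikes(events, bucket=3600, dormant_days=180, max_per_bucket=3):
    """Hour buckets with unusually many successful logins to dormant accounts.

    Counted across all source IPs, so spreading attempts over many addresses
    does not hide the spike.
    """
    seen = defaultdict(set)              # bucket start -> dormant accounts logged in
    for ts, _ip, account, ok, idle in events:
        if ok and idle >= dormant_days:
            seen[ts // bucket * bucket].add(account)
    return sorted(b for b, accts in seen.items() if len(accts) > max_per_bucket)


if __name__ == "__main__":
    events = sample_events()
    print("per-IP spraying:", spraying_ips(events))
    print("dormant-account spike buckets:", dormant_login_spikes(events))
```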
@lilla4521 10 months ago
I'd love to not reuse passwords, but I have a few problems with it. 1. I use a lot of different websites, how should I remember that many individual passwords? Or should I just change them slightly between accounts, in a way I might remember? That is still a lot to remember. 2. Securely generated passwords are things I cannot remember, therefore I cannot log in from anywhere other than my browser which has my password saved. So not from school, work, from my phone, or from someone else's phone or pc if needed. Currently I have like 5 passwords I switch around for different accounts. But if I need one for every account, it would be super annoying. More secure, okay. But super annoying and inefficient.
@NohusBluxome 10 months ago
You are not supposed to remember, or even know, your passwords. You should use a password manager, and it should generate a long random password for you.
@lilla4521 10 months ago
@@NohusBluxome yeah, and if I would do that, I wouldn't be able to log in from anywhere else, where my password manager isn't available.
@NohusBluxome 10 months ago
@@lilla4521 You don't carry your phone (with the password manager) with you?
@LittleLily_ 10 months ago
@@lilla4521 You can log into the password manager on your phone, and for any devices that you can't sign in on you just bring up the password on your phone and type it in on that device. Ideally though you shouldn't be putting passwords used for personal reasons into devices you don't control like those for work and school. If there are passwords necessary for work or school, those should be in separate password manager accounts, and then those accounts can be signed in on with those devices so they don't have access to any more passwords than they require.
@cauhxmilloy7670 10 months ago
Alternatively, the blame is still with companies, where they don't force 2FA in order to promote user conversation. Forced 2FA should just be ubiquitous for all logins. But it's not ubiquitous in order to reduce friction of user growth. At least don't charge for 2FA.
@LiEnby 4 months ago
2FA effectively forces you to have a phone though and makes your site inaccessible to those who don't. And has other issues like when you lose your phone you're fucked.
@cauhxmilloy7670 10 months ago
Sorry to tell you this, but most people will happily sign off that they are dumb if they do X, do X because they think it's ok for them, then cry foul when they get burned.
@D1ndo 10 months ago
23 is still to blame, because they house very sensitive data, and therefore should *require* 2FA for every account. Also, they should have proper rate limiting. That said, I agree there should be a driver's license for the internet. It should also somehow verify the user's mental ability to discern clearly fake news, paid advertisement hidden as news articles, and other utter bollocks. Also, there should be a driver's license for voting. Being alive at 18 is not enough to give you a right for messing up lives of everybody else by voting for frauds.
@Ph34rNoB33r 10 months ago
Many Discord servers require 2FA for mods, because with that role you might endanger others. Probably would have been a good idea to require 2FA for features like the relative search.