From the perspective of helping to increase public awareness of AI capabilities, I appreciate the ploy of '1 of our stories is AI generated, can you tell which?' AI has gotten scary capable, and is only improving. Definitely important for people to have as up-to-date as possible an understanding of what it can and is being used for.
The advent of generative AI combined with quantum computing genuinely concerns me for how this could be used to manipulate media.
Thank you for giving us security news in a clear and professional manner.
Didn't know you were an SE from MIT, that's so cool! Your inherent interest in the topic was more than enough qualification, but it's awesome to know you're thriving in your career space as well!
Showing my age here….. but back in the 90’s (in Australia) we weren’t allowed to release a communications service unless it was “interceptable” by the Signals Directorate (with appropriate authorization). Seems like an eon ago now.
Signal - The assumption that the app source code is that app being installed is a big one. There are also host device compromises like the keyboard, general hacking, etc. Not sure if Signal uses a secure terminal and trusted execution environment, otherwise you could have some buffer reads from other applications.
I used AI to write part of an article on my news website, and asked friends to guess what part AI wrote.
So I absolutely love that you're doing the same thing with ThreatWire.
"New Technique Allows VPN Bypass" absolutely has to be the GPT story. The concluding words were a bit off.
yup...
I've given up trying to detect AI and switched to trying to detect Ali. I think it's the Fido story this week.
How about plaintext messages saved locally?
Signal has transport encryption; messages on clients are not encrypted.
This means you can read and exfiltrate messages if you get to the machine.
Or if your machine gets compromised.
Signal. No question.
Meshtastic
Y'all are responding with answers not allowed by the question. Signal is way less sketch than Telegram, but y'all are right that we shouldn't exclude other alternatives.
Matrix, but its founding is also shady, ex 8200 types, but you can still self host it I guess
XMPP+OMEMO, Tox and Briar are all better options
@inund8 I didn't say "exclusively". I just don't have questions about using it.
Neither, no phone easy
Great one Ali! I vote Signal, hands down.
Meshtastic
Thanks for the heads up on NextJS!
Getting better every single show, loving it. Keep it rolling!
Good stuff. I appreciate that you stood up to the "cute" comments. Unfortunately this is something you will probably need to be firm about for your entire career. Great content. Keep up the good work.
lol, (my take) ALI -- "thanks for calling me pretty, But don't forget, I'm an M.I.T. grad. and I'll pwn you in seconds." 😅
The FIDO 2 story was written by AI
My guess as well!
@asksearchknock I'm not trying to pick out the AI. I'm trying to pick out Ali. I think it might be more consistent to find hints of her writing, then whatever is left must be the AI.
Great work Ali! I could not guess the story - every time I thought I could guess it, I was not really sure. Btw, which AI did you use to write this story? Keep up great work!
Great video, mom's advice still rings true 'Be humble, and take compliments while you can' - It's wonderful you're making ThreatWire your own, keep up the excellent work - Your coding channel is interesting.
Much as I see the advantage of password-less logins, I dislike them because now you have single factor authentication since the server can't be sure the user has a PIN even if they ask the USB key to require one, and your USB key has to store discoverable credentials. I prefer the U2F model since they use the same math but the credentials are not discoverable, and since they're not stored on the key, they're able to be used for an infinite number of logins. But since U2F is assumed to be a second factor, you now have a forced use of a thing you know and a thing you have in order to log in which is (in my opinion) much better than handing the thing you know to the key to handle, especially if everyone has a USB key in the future.
I would argue using an authentication key as a second factor is superior but for different reasons. How do you think they will discover your credentials on the key?
@jmr Passwordless login uses what are called "discoverable credentials". They occupy a "slot" and most keys today have only a limited number of slots. So most people will need to have several keys just to log in via passwordless methods if this catches on.
As to how discoverable the "discoverable credentials" are, I have not looked into this. I know that I can list them all if I have the key, but I would assume (and hope) that FIDO2 says that the key will only return a credential for a matching account or at least domain. However, someone who has the key can see where it goes, which means no plausible deniability, and if there is a bug that allows the PIN to be bypassed or the PIN try limit removed, or a leak of the PIN another way like by writing it down and losing it, well, now the attacker has the key and knows where it goes.
However, with U2F, the credentials are encrypted on the key and sent to the server, so only the right key can use them, but there is no way to prove that a key opens an account without trying every single account and seeing which ones work... even if there is no PIN or the PIN is bypassed (sometimes U2F has PINs too though), if an attacker has access to the key... they don't know which of the several billion locks it opens... not all that helpful for them and gives me time to react by deleting that user's key.
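The U2F key-handle design this comment describes, as an added toy model (not code from the video, from Hak5, or from any FIDO implementation): the key holds only a master secret, re-derives a per-site private key from the handle the server sends back, and rejects handles minted by another key or for another site, so the key itself carries no list of where it is registered. The class names, relying-party names and the tiny Schnorr group are constructed for illustration and are far too small to be secure; real authenticators use P-256 ECDSA.

```python
import hashlib, hmac, secrets
# Constructed toy Schnorr group (far too small to be secure): prime P,
# prime order Q = (P-1)/2, generator G of order Q. Real keys use P-256 ECDSA.
P, Q, G = 1019, 509, 4

def _e(r: int, msg: bytes) -> int:
    """Fiat-Shamir challenge: hash (r, message) to an integer in [0, Q)."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big") % Q

def sign(x: int, msg: bytes) -> tuple:
    """Schnorr signature (r, s) under private scalar x."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + _e(r, msg) * x) % Q

def verify(y: int, msg: bytes, sig: tuple) -> bool:
    """Accept iff g^s == r * y^e, i.e. the signer knew x with y = g^x."""
    r, s = sig
    return pow(G, s, P) == (r * pow(y, _e(r, msg), P)) % P

class U2FKey:
    """Non-resident authenticator: one master secret, no per-account storage."""
    def __init__(self):
        self.master = secrets.token_bytes(32)

    def _derive(self, nonce: bytes, rp_id: str):
        # Tag and private scalar both come from the master secret, so a handle
        # works only with the key that minted it and only for that site.
        ctx = nonce + rp_id.encode()
        tag = hmac.new(self.master, b"tag" + ctx, hashlib.sha256).digest()
        seed = hmac.new(self.master, b"key" + ctx, hashlib.sha256).digest()
        return tag, int.from_bytes(seed, "big") % (Q - 1) + 1

    def register(self, rp_id: str):
        """Return (key handle, public key); the server stores both."""
        nonce = secrets.token_bytes(16)
        tag, x = self._derive(nonce, rp_id)
        return nonce + tag, pow(G, x, P)

    def authenticate(self, rp_id: str, handle: bytes, challenge: bytes):
        """Sign the challenge, or None if the handle is not ours or not this site."""
        expected, x = self._derive(handle[:16], rp_id)
        if not hmac.compare_digest(handle[16:], expected):
            return None
        return sign(x, rp_id.encode() + challenge)

class RelyingParty:
    """Server side: stores handle + public key per user, never a private key."""
    def __init__(self, rp_id: str):
        self.rp_id, self.users = rp_id, {}

    def enroll(self, user: str, key: U2FKey) -> None:
        self.users[user] = key.register(self.rp_id)

    def login(self, user: str, key: U2FKey) -> bool:
        handle, y = self.users[user]
        challenge = secrets.token_bytes(32)
        sig = key.authenticate(self.rp_id, handle, challenge)
        return sig is not None and verify(y, self.rp_id.encode() + challenge, sig)
```

Enrolling with one key and then presenting a second key, or replaying the stored handle at a different site, both fail at the tag check before any signature is produced.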
Your tweet "Look at my code and then tell me I'm pretty" Awesome! Your analysis of MIT vs the real world is spot-on. It's impressive you began coding so late, so many just give up. What is your take on the BreachForums 'cartoons'?
Kudos to you for being able to read out those numbers over and over :P
So glad I found your channel! You're news is the ish!
Let me let everybody in on a secret. There's no such thing as a secure chat.
Let ME let you in on a little secret: If you encrypt your messages with PGP standard implementation, then you too can experience an environment that can only be viewed with the decryption key... and unless a quantum computer is used to brute-force a decryption key, you're safe. If it's good enough for military and state secrets, I'd wager it's good enough for you too...
Thanks friend good stuff!
Great summary. I love the connect back to previous research.
Found the signal and telegram story interesting and also the VPN one too. Thank you! Hopefully I'll be able to do a career in Cyber Security. ☕
Ali the mic needs a foamy top or something, I can hear scratching sounds OR post process the audio to remove the scratchy noises
Nice ASMR hair rubbing the microphone throughout the whole video. 😜 Guessing there's no MIT sound tech on staff. Love the videos!
Thanks Ali! 🎉
00 You mean people don't read RFCs starting with RFC72 anymore? 11 RFC72 is a requirement.
😂 I'm a subscriber but that title did make me chuckle.
Thanks for the infos! 🍷😎🏴☠️
Is Shannon coming back once in a month?
Shannon is doing her own channel. I don't know anything about any guest appearances though.
Might be interesting to see you and ChatGPT 4o have a discussion about the security landscape (instead of reporting important news). That way you can flex your knowledge so people see more of your career side.
Signal for the win
❤DIMPLES!❤ nice 70s get up girl.
What about PGP messages shared via SFTP?
If you're really concerned with being secure don't trust other people's servers or backends.
Also if you can manage it a modern flash drive can hold a one time pad large enough to serve a lifetime of communication.
Should also add this should all be done with a properly configured OS such as TAILS.
The problem with the DIY approach is you likely wind up with scratch files of plain text and if not done on the correct OS also plain text fragments in virtual memory swap files.
So you do need something that encrypts from the keyboard to the destination. You can't expect everyone to configure firewalls and routers so you do need some minimal backend to handle firewall traversal.
Also there is just the matter of remaining anonymous so you should run this all over something like Tor. Is Tor still considered secure?
I think the story about signal is the "fake" one.
Signal FTW
Love the shirt! But Ali, are you sure you can't make yourself look bigger? Like resize yourself so you take up more of the frame? Or rearrange your furniture so you'd be closer or have the camera pointed lower? You just look so small and short and it is a widdle bit distracting. Which is a shame since everything else feels very high production and well reported!
The story about the VPN DHCP bug was written by an AI
Good vid thanks
How about don't commit crime instead of don't get caught. 😢
Don't get caught by the threat actors, not, don't get caught doing illegal stuff.
Another awesome episode.
Bummer... there is DHCP/DNS noise - I have to check my cave
Fido story is AI. I think what I've learned from the one AI story a week game is not that I can't tell them apart but that OUR HOST IS ALSO AI! Duh, duh, duh! 😆 /teasing.
How do you use Signal if the smart phones have a cellular CPU with higher priority on the bus?! We are all sitting in the back of the data bus on our smart phones. What can you hide from people with that kind of backdoor? And then there is the continual backdoors in Wi-Fi, Bluetooth, USB, etc. It's a big joke.
I think the Elon Musk story was AI: absolutely idiotic for him to get involved.
How’s that quote go “better to be thought a fool than tweet and remove all doubt”. Of course the same could be said about this comment…
Ali is awesome, Hak5 got an upgrade
Telegram's encryption was made by 5 math dudes and isn't open source, so insecure by default. If you're worried use Matrix.
😮
Man, Elon is the expert on everything, he's got skills for this and that, the dude can do it all, he also does all his shopping! Amazing
The entire damn thing sounds like AI.
Timeline: 5:35 Man in the MIDDLE! 🤣
Clickbait using Elon Musk in title
I need your help plugging in my ethernet cable
I'm not sure what this has to do with Elon Musk, I'm assuming it's the Signal stuff
@asksearchknock yeah thought so thx for timestamp
I LOVE ALI ❤❤❤
@2:07
Gamer the movie is irl?
clickbait title GOTCHA ;)
💓
Notice how Ali speaks slowly and uses smaller words when talking to the JavaScript viewers. Gotta know your audience.
disclaimer: this is a joke
Defcon is canceled.
noooo
Lol. Congratulations to JS fans
wack title
No one can pretend to be a security expert until they are minimally able to detect and block Pegasus;)
I deleted Signal over 2 years ago.
Anyone heard FTX can pay its customers they are LOADED hahaa
ALI is LOVE
What's ur OF tho?
Ad freeeeeeeeee
He built PayPal, so yeah I would say he is a security expert!
😘
TECHNOLOGY IS 😃 == 😡
I'm your 711
What's funny is this show going down the toilet.
With these Dimples I can't pay attention to what she is saying.
nolE has it bass ackwards.
Change the host!!!
It was the cute ai generated dimples
Triggered by your title. Muskrat is an expert at having daddy money, and opening his wallet. That's about it. Don't believe me?
Take a look at his original ideas.
"hYpErLoOP"
Looks like someone is woke, or got roasted by shorting Tesla, or maybe both.
@asksearchknock I'm shocked at the number of people that have no idea how the world works. They must picture Muskrat rolling up his sleeves and just "building a rocket".