Also, how else do you recommend helping the human operators of the email accounts on their guard? People tend to trust by default, and you have to help them become skeptical of what comes in
usb-a, which is another name for a quantum state device is always in two states so you never know how many times you need to flip it, until you find a good method to observe the time it takes for it to flip long enough to understand whether it is wrong or right
The part where he puts in the USB the wrong way, then flips it over and it’s still the wrong way, and then he flips it over again and it’s…somehow the right way now? Happens all the time 😂
I love corporate compliance training programs that preach about security (only social engineering attacks) and then the company has multiple other vulnerabilities like storing plain text passwords, bobby tables, unsanitized html storage etc etc etc that would open them up to being shut down by any malicious individual who doesn't need to communicate with anyone in the organization whatsoever.
I think they do that in trainings because well, what are Jerry the HR Specialist or Alisha the NE Regional Sales Manager going to about locking up unsanitized html storage, or interact with the storage architecture directly at all? And those are the "everyone does this" trainings. Specialists need more knowledge but for most users, they need to not plug in random USB sticks they find under the couch
"bobby tables"? I only know this from the XKCD comic where it is a nick name for the son with the strange SQL injection in his name. Is there actually something else called "bobby tables"? When I google all I find is references to the XKCD comic. Also no mention of any other meaning of "bobby tables" on explainxkcd.
Those type of vulnerabilities are becoming more rare with time in comparison to social engineering attacks. And as others have mentioned isn't something its useful for random employees to know about. Thankfully sane defaults on popular frameworks and systems are slowly removing traditional security vulnerabilities. The price of exploits has skyrocketed with time.
@@GSBarlev with many products its cheaper to buy the single items than the bundle. everyone thinks bundles are cheaper, so the companies profit from it
It’s impossible to. I’ve worked in cybersecurity for 10 years and still got tricked by a very well crafted phishing test lmao. Thankfully real phishing emails are always pathetic.
This unironically can be avery good training video. Most people don't pay attention to security training. Also, my showing how easy it is to hack makes people more paranoid about secuity to a more degree.
I think the most effective way to scare them of emails is to teach them just enough html and css to understand that's how emails are made pretty, then show them the script tag.
To be fair this was pretty much what my training class was like 15 years go. In my 30s now but back when there "Computer Science" included everything under the sun one of the security talks I had to take to get a student job in the university IT department, was basically this. "Trust Windows Defender because Microsoft is super wealthy and so therefore Defender bolsters the security image of their OS and will be the best tool to use." Back in the day when you would put "Computer Skills - Excel and Microsoft Outlook" on your resume and instantly get the job and the boss would ask you why his computer was running slow.
@@andreilikayutub3496 excel is powerful yea and data analysts/scientists and finance depts love their devs (and pay good $). But honestly, ms ecosystem is pure corporate life.
Been an admin for a small startup (well, I AM not an admin, but I did the administration as good as I can; y'know, start-ups, can't afford a professional for each task). Anyway we/I established a "no connection of external to internal devices" rule, so no connection of smartphone, USB stick, hardware etc. to your laptop. CEO after plugging in his iPhone: "Well it's an iPhone, that doesn't apply for my iPhone, right? We don't need to make strict rules, need to make practical rules." My reply was "Okay, then the practical rule will be 'no restrictions whatsoever, because if even the CEO who has access to all the important business accounts refuses to do it right, what's the point in us 'normal' users with limited internal document access trying to secure anything?"
The rules you set in the beginning really matter. The company I work for has grown out of being a flexible little startup into a big company with many moving parts. When I joined the IT team was still having growing pains because users were used to lax rules and a lot of freedom, and trying to set and enforce best practices was causing issues for our users. In particular, I do a lot of software review to determine what can be installed on user machines and I've had to review and approve quite a few things that have no business being on a work computer because, in the past, users were allowed to use their work computers like personal machines and many of those programs were grandfathered in. Now the expectation is "if so-and-so is allowed, why can't I also install this?" Some people still don't have their own personal computers (despite being paid absolutely well enough to afford them) and get upset when we don't allow them to install everything they want on them. (Also we have full access to everything happening on these machines and wish these people would stop putting personal files on these devices. Don't let people do that!!) I've been pushing back much harder on users to justify what programs should be reviewed and approved, and my team has been coming around. But if we just had a clear expectation in the first place nobody would be wasting three people's time time trying to get Goose Game Desktop, Steam Live Wallpapers, and MyRewards Shopping Extensions installed on their company's business computers. (The people who's time is wasted include the user, me, and one of the lawyers who has to review the licensing and the privacy policy. I stop the egregious ones before they get to our poor lawyers but some unnecessary things still technically qualify for review sometimes :/ ) Anyway, wish your business the best of luck and hope you find the right balance of practicality and saving yourself future headaches
Well, in many occasions those strict rules hamper you greatly, causing you to work very inefficiently. For example copy&paste is forbidden between remote desktop sessions. This means I have to manually transfer serial numbers, telephone numbers and the like from customer system or our system and vice versa. The amount of time I waste is incredible, it's error-ridden and totally nerve-wrecking. On top of that it makes no sense whatsoever. If I wanted to steal data I could still send everything via email, messengers or whatever. Okay, at least that leaves traces - but I could also do screenshots without traces. It's just infuriating. Same applies to the stupid password rules. Meanwhile many studies prove what users always new: Mile long cryptic passwords make things LESS secure because no normal human can remember them, especially when you also have to change it every odd month and when you have to manage a dozen or so. And every solution to this (using the same password for everything, writing it down, using generic passwords that cheat the requirements etc) is worse than having a sane password. Of course it should not be "123456" or as simple as your child's name. But forcing everyone to use a minimum of 12 characters including lower and upper cases, numbers and special characters without being similar to the previous password is just too much. OF COURSE people will use the current year as the number, add a "!" to the end and use uppper case at the beginning etc.
@@Puschit1 I saw the password for my contracted-in boss at a bank office by accident. It ended in "22". The Group Policy enforced a password change every two weeks. I asked him, "You've been working here for about nine months, right?" "Yeah, how did you know?"
So you update the... [cut] TemplateVM [cut] AppVM [cut] StandaloneVM [cut] dom0 VM [cut] HVM [cut] PVH [cut] ... [cut] and it's with tor, so it takes six hours... [cut] You don't need a graphics card [cut] It's not like you could use it anyway...
Wonderful! This knowledge and the training overall has taught me so much about security that I finally feel safe. TY Also the reasoning why updating your software asap is better (for hackers ofc) is awesome and truly, I think, has to be backed by experience! luv
TIP: If you're at McDonald's (orderin' a Big Mac + large fries/no-menu of course), the "Don't ever plug anything into your computer rule" doesn't apply. The reason is that, everything runs on computers over there now, even the cashier is a computer, and there's a lot o' computers at McDonald's, but.... These computers don't belong to you! So you may plug in anything, and I mean anything, you want into whatever slot/hole/port/socket whatsoever, to your hearts content! Be creative, but watch out for sparks, cuz those milk-shake machines have lots of tempting little slots to plug things into, but if you're a newbie plug-inner, they'll belch out 220 volts if yer' not careful.... Example: Plug in a paperclip into the "reset" hole of the McDonald's Public-WiFi Access Point (if you can find it...) and hold it there fer' a good 20 Mississippis. That sucker should re-boot right up, except now it is yours! Only downside is that Now the "Don't plug in rule" DOES apply, because it is now "your computer"... ughhh
Oh for phishing it can just be “Hello, Im your CEO. Buy please 2.000$ (thousand) in Apple Giftcards and email them backwards. Many blessings.” no need for any emotional manipulation 😂
You missed the bit where the company you do security for gets hacked and you get fired and immediately rehired somewhere else because no one in the industry thinks it's avoidable.
Once has a dev demand that we turn off the auto-link verification in Teams because "developers are smart and won't fall for phishing links" My team unanimously agreed that this was proof we needed to keep the link verification on lol
I'm going into cybersecurity and this literally sounds like what the professionals who come to give lectures say. If I had a nickel for every time I've heard LastPass mentioned...
2:50 This is not wrong. I worked at a company a long time ago. The owner refused to shell out the money for antivirus software. One morning before i came into the office one of the support guys had had to go get a faulty machine from a client's site. The machine in question had a virus. Once the guy got it back to the office he found that the machine turned on but he couldn't make it respond to any keyboard or mouse input. In a moment of what can only be described as pure genius he decided the next thing he should try was connecting via RDP. so he plugged the infected machine into the network with no virus scanners. I arrived in the office shortly after and it was a horror show.
I died at "I use arch linux so I'm beyond humans, but that still doesn't make me safe" how can you hit the punchline at the beginning of the video already.
![Using the Internet for the 2nd time [Startups & News Websites]](/img/n.gif)
A friend works in a company where they send dummy fraudulent mails so those who bite are sent to classes.
yup, that's the worst ever
Why is that bad?
they do this shit in my company too
Also, how else do you recommend helping the human operators of the email accounts on their guard? People tend to trust by default, and you have to help them become skeptical of what comes in
Hoxhunt?
Literally more informative than my job's cybersecurity training
Let me come train your company
He's so entertaining he actually made me stop staring at the Netscape icon to look at him for part of the video.
When I see two laptops I see an amateur... he has to have at least 6 laptops on that desk for me to take him seriously.
you livin in 2050. im using ibrowse 2.5 on amiga os 3.1
I run arch linux, that means I'm beyond human 😂
When he said it, I cried tears of joy
I use arch, btw
arch btw
@@e-jarod4110 Using ‘btw’ is now considered insecure since it was compromised in 2021. You should update to ‘btw v2.0’
Is Manjaro an option?
"How did that affect the power supply?" - "I might have had access..."
funniest thing lmao
this aged well…. „dont outsource all your security work to a third party!“ if only we had listened
3:20 Flips the USB two times. Relatable as always.
Edit: 5:09
USB has half integer spin
usb-a, which is another name for a quantum state device is always in two states so you never know how many times you need to flip it, until you find a good method to observe the time it takes for it to flip long enough to understand whether it is wrong or right
@@psymoozoo 1/2? I stole it.
The part where he puts in the USB the wrong way, then flips it over and it’s still the wrong way, and then he flips it over again and it’s…somehow the right way now? Happens all the time 😂
😭
Happens to me every single damn time.
In physics, the electron has a wave function that has to be rotated through 720° to bring it back to its original orientation. #Relatable
@@lawrencedoliveiro9104 Yup, USB drives have a spin greater than 1.
That part about going to a website and getting distracted by the site is so true!
😭
I need to get one of those password managers too, he seemed like a nice guy
I love corporate compliance training programs that preach about security (only social engineering attacks) and then the company has multiple other vulnerabilities like storing plain text passwords, bobby tables, unsanitized html storage etc etc etc that would open them up to being shut down by any malicious individual who doesn't need to communicate with anyone in the organization whatsoever.
I think they do that in trainings because well, what are Jerry the HR Specialist or Alisha the NE Regional Sales Manager going to about locking up unsanitized html storage, or interact with the storage architecture directly at all? And those are the "everyone does this" trainings. Specialists need more knowledge but for most users, they need to not plug in random USB sticks they find under the couch
"bobby tables"?
I only know this from the XKCD comic where it is a nick name for the son with the strange SQL injection in his name. Is there actually something else called "bobby tables"? When I google all I find is references to the XKCD comic. Also no mention of any other meaning of "bobby tables" on explainxkcd.
@@epajarjestys9981 that's the intended meaning, any software dev will know immediately what "bobby tables" is referring to
unsatinized html and unsatinized javascript forms are my daily dose of cybersecurity awareness.
Those type of vulnerabilities are becoming more rare with time in comparison to social engineering attacks. And as others have mentioned isn't something its useful for random employees to know about.
Thankfully sane defaults on popular frameworks and systems are slowly removing traditional security vulnerabilities. The price of exploits has skyrocketed with time.
3:20 I love how it appropriately takes 3 tries to plug in the USB.
I once heard that USB connectors are four dimensional, so rotating them 360 degrees actually presents the correct face to the jack.
"Don't outsource all your security work to fivrr !" 😂👍
Yep
I don't even know if this is legit advice dressed as parody or the other way around.
Some true some satire :)
Both!
it's all legit advice. It's just the technology world become a parody.
I'm pretty sure that Big Mac hack no longer works...
@@GSBarlev with many products its cheaper to buy the single items than the bundle.
everyone thinks bundles are cheaper, so the companies profit from it
I love this as being n the tech industry and hearing how “security” experts don’t always live by what they tell everyone else to do.
It’s impossible to. I’ve worked in cybersecurity for 10 years and still got tricked by a very well crafted phishing test lmao. Thankfully real phishing emails are always pathetic.
As a cyber security architect and guru I must say its easier to earn millions scamming people than living that life.
like a fat doctor
Most of us are under the accidental stupidity category.
@@lanelesic 💯
"recorded on proprietary codecs"
So this wasn't cut entirely in FFmpeg then?
"written on non-free software" not made on libre/openoffice
i'll send this to our interns as a legit good security training video
Script involuntarily by Kevin Mitnick 😂
😂😂😂 I can recall the resemblance now
😂
This guy 😅
Somehow this video is better than a course from a Mitnick-owned company.
We just had to take a Kevin Mitnick security course at our company, lol. At first I assumed that the email telling us to take it was a scam...
waltuh... put your usb drive away, waltuh... im not going to have security training with you right now, waltuh...
This unironically can be avery good training video. Most people don't pay attention to security training. Also, my showing how easy it is to hack makes people more paranoid about secuity to a more degree.
I think the most effective way to scare them of emails is to teach them just enough html and css to understand that's how emails are made pretty, then show them the script tag.
Loved the USB quantum state!
To be fair this was pretty much what my training class was like 15 years go. In my 30s now but back when there "Computer Science" included everything under the sun one of the security talks I had to take to get a student job in the university IT department, was basically this. "Trust Windows Defender because Microsoft is super wealthy and so therefore Defender bolsters the security image of their OS and will be the best tool to use."
Back in the day when you would put "Computer Skills - Excel and Microsoft Outlook" on your resume and instantly get the job and the boss would ask you why his computer was running slow.
Jen, is that you? If so, great job breaking the internet...
Everything's come full circle because defender edr is one of the better options at this point
Oh gosh should I take excel off my resume?
@@andreilikayutub3496 excel is powerful yea and data analysts/scientists and finance depts love their devs (and pay good $).
But honestly, ms ecosystem is pure corporate life.
15 years ago? You mean Windows Defender is not still an entirely new meme? I'm going to need to lay down and process this for a bit.
Who came here after crowdstrike failure 😂
I was waiting for some kind of ad throughout all the video. What a legend, no profit high quality content machine
This might just be the best security training I've ever seen. Sending it to my mother immediately xP
Please do a video on the ceo that tries too hard to sounds tech savvy in a dev meeting
Nice
Wasn't expecting the Arch flex that soon into the training.
I use Arch btw.
You should always expect it. Arch users are like vegans or tesla owners. You'll know within 5 mins.
Please do an interview with a database engineer!
“Just grab the session from someone” 😂😂😂
Thank you so much for this training, now I can go and click links without worrying about getting hacked.
Everybody: laughs
Me: painful flashbacks
The best one yet. Please don’t ever stop doing what you’re doing ser
This is legitimately really good.
Big fan from South Africa!!
I love this channel.
This is the best Cybersecurity training I have ever been a part of.
Been an admin for a small startup (well, I AM not an admin, but I did the administration as good as I can; y'know, start-ups, can't afford a professional for each task).
Anyway we/I established a "no connection of external to internal devices" rule, so no connection of smartphone, USB stick, hardware etc. to your laptop.
CEO after plugging in his iPhone: "Well it's an iPhone, that doesn't apply for my iPhone, right? We don't need to make strict rules, need to make practical rules."
My reply was "Okay, then the practical rule will be 'no restrictions whatsoever, because if even the CEO who has access to all the important business accounts refuses to do it right, what's the point in us 'normal' users with limited internal document access trying to secure anything?"
The rules you set in the beginning really matter. The company I work for has grown out of being a flexible little startup into a big company with many moving parts. When I joined the IT team was still having growing pains because users were used to lax rules and a lot of freedom, and trying to set and enforce best practices was causing issues for our users. In particular, I do a lot of software review to determine what can be installed on user machines and I've had to review and approve quite a few things that have no business being on a work computer because, in the past, users were allowed to use their work computers like personal machines and many of those programs were grandfathered in. Now the expectation is "if so-and-so is allowed, why can't I also install this?"
Some people still don't have their own personal computers (despite being paid absolutely well enough to afford them) and get upset when we don't allow them to install everything they want on them. (Also we have full access to everything happening on these machines and wish these people would stop putting personal files on these devices. Don't let people do that!!)
I've been pushing back much harder on users to justify what programs should be reviewed and approved, and my team has been coming around. But if we just had a clear expectation in the first place nobody would be wasting three people's time time trying to get Goose Game Desktop, Steam Live Wallpapers, and MyRewards Shopping Extensions installed on their company's business computers.
(The people who's time is wasted include the user, me, and one of the lawyers who has to review the licensing and the privacy policy. I stop the egregious ones before they get to our poor lawyers but some unnecessary things still technically qualify for review sometimes :/ )
Anyway, wish your business the best of luck and hope you find the right balance of practicality and saving yourself future headaches
Well, in many occasions those strict rules hamper you greatly, causing you to work very inefficiently. For example copy&paste is forbidden between remote desktop sessions. This means I have to manually transfer serial numbers, telephone numbers and the like from customer system or our system and vice versa. The amount of time I waste is incredible, it's error-ridden and totally nerve-wrecking. On top of that it makes no sense whatsoever. If I wanted to steal data I could still send everything via email, messengers or whatever. Okay, at least that leaves traces - but I could also do screenshots without traces. It's just infuriating.
Same applies to the stupid password rules. Meanwhile many studies prove what users always new: Mile long cryptic passwords make things LESS secure because no normal human can remember them, especially when you also have to change it every odd month and when you have to manage a dozen or so. And every solution to this (using the same password for everything, writing it down, using generic passwords that cheat the requirements etc) is worse than having a sane password. Of course it should not be "123456" or as simple as your child's name. But forcing everyone to use a minimum of 12 characters including lower and upper cases, numbers and special characters without being similar to the previous password is just too much. OF COURSE people will use the current year as the number, add a "!" to the end and use uppper case at the beginning etc.
@@Puschit1 I saw the password for my contracted-in boss at a bank office by accident. It ended in "22". The Group Policy enforced a password change every two weeks. I asked him, "You've been working here for about nine months, right?" "Yeah, how did you know?"
Great content as always, I can't wait to see an interview with a Qubes OS user now lol
So you update the... [cut] TemplateVM [cut] AppVM [cut] StandaloneVM [cut] dom0 VM [cut] HVM [cut] PVH [cut] ... [cut] and it's with tor, so it takes six hours... [cut] You don't need a graphics card [cut] It's not like you could use it anyway...
Wonderful! This knowledge and the training overall has taught me so much about security that I finally feel safe. TY
Also the reasoning why updating your software asap is better (for hackers ofc) is awesome
and truly, I think, has to be backed by experience! luv
TIP: If you're at McDonald's (orderin' a Big Mac + large fries/no-menu of course), the "Don't ever plug anything into your computer rule" doesn't apply. The reason is that, everything runs on computers over there now, even the cashier is a computer, and there's a lot o' computers at McDonald's, but.... These computers don't belong to you! So you may plug in anything, and I mean anything, you want into whatever slot/hole/port/socket whatsoever, to your hearts content! Be creative, but watch out for sparks, cuz those milk-shake machines have lots of tempting little slots to plug things into, but if you're a newbie plug-inner, they'll belch out 220 volts if yer' not careful....
Example: Plug in a paperclip into the "reset" hole of the McDonald's Public-WiFi Access Point (if you can find it...) and hold it there fer' a good 20 Mississippis. That sucker should re-boot right up, except now it is yours! Only downside is that Now the "Don't plug in rule" DOES apply, because it is now "your computer"... ughhh
This is gold
amazing.
@@BusinessWolf1 Thought you'd like that one... True story, happened to S.W.I.M.!
This is the best Harley-Davidson ad I have ever seen. I should buy a bike.
this has got to be the funniest thing i've seen in a very long time. more so, because it is absolutely spot-on! keep going, we love your work!
For anyone wondering, the song is "Fresh" by Kawai Sprite
I was forced to doing a week long course like this and he got it perfect.
What is most impressive is being hacked while watching the video. Didn't even see that one coming.
Hey, it's our PERL programmer Walter Wallis!
I remember in 19
I was shattered when I wasn't able to visit the Harley Davidsone website
Perl Poet is back, baby!
There is no wrong information here.
'Update to the newest version' while I stare at a giant Catalina desktop! And yeah I only dabble in Arch, I'm not crazy!
Amazing music choice
love the FnF music.
Gettin' freaky on a Friday night!
He forgot the one where a Spec ops team blows the door off your building, seizes you and all your hard drives and makes you unlock them :P
This made my day. Thank You
Annual corporate cybersecurity training should just show this video from now on.
Yes yes very funny but isn't this actually a very accurate and correctly informative video too!?? Very nice work
Oh for phishing it can just be “Hello, Im your CEO. Buy please 2.000$ (thousand) in Apple Giftcards and email them backwards. Many blessings.” no need for any emotional manipulation 😂
This is emotional manipulation: you're scared of losing your job
more of this please! this was so good!
That transition music is absolutely incredible hahaha.
Netscape Navigator deep cut
I love the attention to detail in setting up all of Walter's accounts!
You missed the bit where the company you do security for gets hacked and you get fired and immediately rehired somewhere else because no one in the industry thinks it's avoidable.
This should be in the yearly system security meeting in every company.
Make a DevOps/SRE one
Once has a dev demand that we turn off the auto-link verification in Teams because "developers are smart and won't fall for phishing links"
My team unanimously agreed that this was proof we needed to keep the link verification on lol
As a pen tester I was waiting for this
The fnf music really makes this
Putting the USB in three times 🤣🙌🏾
"young hansome 60 year old"
best beards on youtube
8:28
"Waiting for as*" pops up
_smacks lip_ "Beautiful"
nice
6:10 more relevant than ever haha
“Is this encryption”
Lesson 3c: concentrate during your Trojan demo 😂😂😂
I wish my company's security training was like this. So much better!
It’s so true it’s painful.
I'm going into cybersecurity and this literally sounds like what the professionals who come to give lectures say. If I had a nickel for every time I've heard LastPass mentioned...
This is actually pretty good security training.
very entertaining,,and Informative too
This is all hilarious, but these videos are also highly educational!!
Fucking hell. After 30 years in IT I never thought of "password manager" in this way. I'm dying from laughter rn.
"In terms of security all Windows is horrible"
I use Arch btw
Fantastic Video!
Can we get one for LaTeX?
are we going to ignore 3:02 the greatest secure operating system here?
This is pure gold. TYVM! I'm looking forward to the next video.
These are....... actually good points
This is more relevant this year than ever
I work as a SOC analyst and this should be in every in company training
This is actually really solid advice :-D
2:50 This is not wrong. I worked at a company a long time ago. The owner refused to shell out the money for antivirus software. One morning before i came into the office one of the support guys had had to go get a faulty machine from a client's site. The machine in question had a virus. Once the guy got it back to the office he found that the machine turned on but he couldn't make it respond to any keyboard or mouse input. In a moment of what can only be described as pure genius he decided the next thing he should try was connecting via RDP. so he plugged the infected machine into the network with no virus scanners. I arrived in the office shortly after and it was a horror show.
first non -sleepy security guide. order without menu
I don't like the slides style
It is better when he only talks
Friday night phishin
I died at "I use arch linux so I'm beyond humans, but that still doesn't make me safe" how can you hit the punchline at the beginning of the video already.
3:20 the USB wrong, wrong , right was Epic.
I expected ffmpeg to be mentioned in credits.
best one so far
Please make one on hardware engineers
I received a phishing while reading this video. Thanks Walter