Google Paid Me to Talk About a Security Issue!
HTML-код
- Опубликовано: 30 сен 2019
- Conversation with a bug bounty hunter about a vulnerability found in Google Cloud Shell.
This video is sponsored by Google (Vulnerability Rewards Program)
↓ Check the links
Google VRP: www.google.com/about/appsecur...
Cloud Shell PoC exploit (fixed): github.com/offensi/LiveOverfl...
Cloud Shell docker "escape": github.com/offensi/LiveOverfl...
Theia IDE: theia-ide.org/
wtm: / wtm_offensi
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🔴 Stuff I use ]=
→ Microphone:* geni.us/ntg3b
→ Graphics tablet:* geni.us/wacom-intuos
→ Camera#1 for streaming:* geni.us/sony-camera
→ Lens for streaming:* geni.us/sony-lense
→ Connect Camera#1 to PC:* geni.us/cam-link
→ Keyboard:* geni.us/mech-keyboard
→ Old Microphone:* geni.us/mic-at2020usb
US Store Front:* www.amazon.com/shop/liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
=[ 📄 P.S. ]=
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
Like everyone else i am also hoping you will get the chance to create more videos for the Google VRP, LiveOverflow! Best wishes, @wtm_offensi
wtm to google: “G E K O L O N I S E E R D”
Google: Sponsors a RUclips video.
RUclips, a Google company: Wait, can we demonetize this?
HAHA! That's funny!
LOL
Is that a money stack-overflow?
Lol
XD
Google is like Italy, it switches sides when you least expect it.
Karlo Bistrički lol...
As Italian I can confirm, no wait I can't
Laughs in Mussolinian
mi scusi mi scusi 👌
Switch? Isn't it more like they are on all sides at the same time?
I can't think of anyone better than you for this job! Glad to see you getting rewarded after all these years of effort here on RUclips. Congratulations !
u know the vibes
Other companies, pay attention. This is the right way to talk about things like this. The more open we are about bugs and problems, the more secure these companies become. I love this model.
@Adolf Hitler They just invest money to keep their income alive, if their systems would fail or be compromised this could cause more harm then the few millions they pay for these bug bounties. These millions compared to the billions that they would risk are like nothing, especially for a company with such size and importancy in our world.
@Adolf Hitler There is just nothing more important than money and growth
@will triumph i think it was sarcasm. in any case, you are way overblowing it.
LiveOverflow to be the official bug reporter for Google? you got my vote!
I really enjoy how you also explained his thought process and how he was able to do the legwork to find the vulnerability. I know people in the cyber world that would just say "there was an issue where it would automatically execute gradle" and then call it a day, if I;m lucky, after giving more details about the vulnerability itself. People rarely talk about the thought process required.
Great video! I would love to see more vulnerability disclosures explained like this in the channel. This also says a lot about what RUclips/Google was saying about demonetize hacking related videos. Even tho this is hacking related, it's clearly more educational than a step by step on how to damage someone by hacking their wifi or creating social engineering sites.
I am very happy that this type of sponsorship is happening !
Way to go and best of luck with next productions.
Congratulations! I've been watching your videos for some time and it warms my heart to see secure these types of partnerships and grow your channel. Well deserved!
And not to mention definitely an interesting video. Kudos for keeping everyone grounded and reminding that videos don't capture everything (on purpose, of course) :)
Awesome video! It's always cool to get the story behind a vulnerability. Would love to see more content like this!
I really enjoyed the format of this video. I liked getting the explanation from the source as well as LiveOverview’s explanation. I would watch more like this in the future.
I really appreciate you pausing to remind the viewer that this work is tedious, and takes time. The problem with RUclips educational videos these days, is that unless you remind yourself of this, they can make some people very discouraged... That's because their expectation is that when they sit down to code, or research, it will look similar to the video they watched... And instead of being smooth, and almost effortless, it's the complete opposite - difficult, slow, challenging.
That's one reason I respect guys like Ippsec so much. He leaves the majority of his "mistakes" and oversights in his videos, so you can get a taste of "why the hell isn't this working??" as a viewer. We need more people like that, for sure!
I can relate to that; I watched too much Mr Robot 😂
It's like this in every branch. Every time books and articles talk about an expert, be it scientist, athlete or artist, they make it sound like these people were simply born this way and that everything they touch turns into gold. In reality those experts failed more times than any "talentless" person.
You can really see how much work you put into this video compared to your usual videos. It's one of your best videos imo, keep it up!
This title sounds like clickbait but it's actually not.
Well done mate! I've been following you for a while now and you totally deserve the sponsorship!! Keep up the good work mate!
Love the new format! I think it is great for the largest developers like Google to be able to facilitate knowledge like this. It could mean that some smaller companies or freelance developers dont end up losing clients or getting into legal trouble over something that a company like Google can fix before it is used as an attack vector. Things like these need to be shared, and I am glad that you are the person sharing it with us!
Bro this is completely EPIC! Google sponsoring. It could get even nicer though, just imagine google asking you to talk about critical historic bug reports on android, drive, youtube, search engine. IT COULD BE AWESOME!
you deserve it! all the sacrifice you've made for learning and working on your skills, keep up the good work!
19:08 magically disapprearing hair? :D
Very nice video
That glorious man's hair flied away in around 19.00
Luckily it came back again
19:00
a bug! maybe you'll get a bounty by liveoverflow
This is hands down the best security vulnerability related video in general I've ever watched. Talk with a full-time bug hunter and very professionally put together. Hard to believe that this is actually an advertisement, and as I can see, it's an advertisement for Google's bug bounty program. Google is rather unusual company. They propose open-source projects, they are very open about their products, even when it comes into the vulnerability of these products, and they actually care about people's opinions. Kind of like Discord as it seems.
Schönes Video! Echt cool, dass du solche Kooperationen realisieren kannst. Sehr sympathisch auch der Bounty hunter :)
nice for making this video, i know that finding bug can be frustrating unless you happen to find it accidentally, but this video showed me how even more frustrating it is. thanks!
It is amazing that you show the effort this guy had to find this bug. I know people who think success is a one time try-get thing based on someone's "talents". This line of thought can lead to many disappoints in life.
Your channel is amazing :)
This is an awesome video. Loved the real life video shots, really made the vid easily digestible
Man I love your videos even as a newb who knows nothing about programming or cybersecurity, you have a way in structuring and presenting and always make them so fascinating! :)
Nicely done, both of you! Congrats!
And please keep reminding us how tedious work it is - I forget.
Very good video!
Wow, thanks for sharing this content and the interview. It was very insightful!
The captions helped a lot because my speakers got water damage today! Thanks :)
Finding hacks is always the result of someone saying "What if...", playing around a bit and then getting an understanding of how things work.
A potential question: Would you have invested the time and effort if Google didn't have a bug bounty program, just to learn something?
im sure someone on the darkweb would pay for it if google didnt
Good question Bjorn. The truth is that I could not have afforded to spent the time i did, without the existence of bounties. If bug bounties did not exist i would have to spent time on offering penetration testing services to clients (or get a job in engineering like i used to have, and practice hacking for fun in my spare time). Best wishes!
Great video! Learned a lot from the explanation, especially the docker escape trick.
I appreciated both efforts: describing and explaining. thumbs up.
Great video! I love the interview format.
Thank you Live Overflow and Google! Cool look into container technology and how the "bug" can be the result of bringing several technologies together.
Whoa, you've expanded my view on a lot of services I'm using in my professional life. I'm using docker on a daily base and I was not aware you can control the container (moreover, other containers) in such way using the docker socket file. Okay, everything isn't exactly the same with comparing GCP(Google Cloud Platform) vs OCP(Openshift Cloud Platform) but technically it seems pretty similar. Anyway, thanks for the video.
15:03 did i just see the famous merkel raute?
Nice catch xD
this concludes there has to be a section about bratwurst in this video aswell.
@@Rebouz Damit hat er unsere Mutti mit Stolz erfüllt
@@Nadox15 stimmt , hab grad meine mutti gefragt
Also referred to as "Merkeldach" ("Merkel's roof") or "Raute der Macht" ("Rhombus of power").
Beautiful idea 💡 thanks to everyone who was involved in this.
Nice video! I would love more of this type of content. Let's hope Google sponsors you more often!
Love your content, love the knowledge, love the way you transmit it :)
This is such an awesome video. Thank you!! :)
Actually YES! This is the best sponsored video I have ever seen!
Awesome video I hope one day I can find some bugs I've been working on it really hard :)
another great video. Great pace, great explanation.
Really awesome, interesting and well presented video.I truly appreciate it :)
Excellent find, love the concept of this video too.
I am really happy for live overflow geting asked by google themselves to make a regular video with a bug they had. feelsgoodman
Very, very interesting video.
You guys are real genius.
I wish I had half your talent.
Love this video! Great work.
Love it
Hey there #liveoverflow!! This was an awesome awesome video, loved it thoroughly!
Loved it. Thank you.
Congratulations, my friend! You are doing such a great job, I'm so glad Google recognized your work.
Awesome video !
I had a question though, why would google put host's docker daemon socket in the shell container ?
One possible explanation would be, because the shell needs to communicate to the thea IDE, but I'm not sure because if that's the case then why not put thea and the shell in the same container ?
wow i was like "i can barley understand that" and the subtitle hint comes up. perfect!
I understood it perfectly fine, but then again, my own accent is probably just as bad.
You need to do a video on the new iOS bootrom exploit!
I really enjoyed this video and would love to watch more videos exactly like it.
Great video, thanks!
19:08 he's having a bad hair day xD
Yeah I noticed the change in hair style as well. I thought it was a brilliant easter egg! Wonder if the Dutch guy suggested it xD
Hope someday we'll see LiveOverflow talking about bugs on LastPass/Dashlane/NordVPN/PIA/Audible/etc. :3
Well, nordvpn is relevant now lol.
"We connect you with Hackers, just make a simple video.. blah blah" -Google Hmm.. does this mean you think i'm a Hacker, Google?!
Awesome. Keep up the great work.
Amazing! I want more of that!
That’s awesome! Congrats man 😁
One of your best video imo. Thank you
Cool content and research. Thanks for sharing. BTW, I hope you get paid twice because there were 2 commercials in this video also.
love how you emphasized how hard it was
It looked way to easy. Nice collaboration👍🏻
really interesting, i hope you get to do more videos like this
I feel smart 🤣 , you are doing a great job ❤
A video on securing containers and escaping them would be very interesting
Your contents are on another level.
Cool video man keep it up!
The beginning of Google is the ray. I've already heard about this vulnerability, but your explanations are.
Kudos dude. But I mean, with your content quality, it pretty much makes sense!
If only all ads taught me this much.
ps: Google, you should pay more for your bug bounty hunters...
Nice video, really inspiring for people who want to find bugs.
I wonder if you can kubectl to this cluster.
13:33 hey, if you get access to the host, you can use strace to trace the container processes pid.
woah.. I kinda lost sight of this channel for some time (shifting interests and such) and now I come back and he has 374k subscribers? When and how did that happen?! I mean congratulations I'm really happy for him but damn ^^
Very exciting. Thanks for explaining :-)
Wow.Michael cera really is knowledgeable in cyber security.
Implementation of a wrapper, nice stuff.
I find the easiest vulnerabilities to work on are client/server web apps with the logic carried out by some script on a server with the client side in Javascript. Found a few bugs in commercial products, the companies involved were happy to receive the bug reports for fixing, but no reward unfortunately (but I did receive a thank you). Only reward was from Facebook for quite a trivial privacy issue ($500 lowest tier bug bounty reward). I find live chat apps are usually the ones with flaws - best was a complete deletion of an app from a web page without admin privilege (with permission of the owners of the site it was hosted on), and a moderation bypass (done on the providers demo page). Another one is trying to insert HTML markup in a page when you shouldn't be able to (not enough user input sanitation that can lead to cross site scripting vulnerabilities), had a laugh on a Facebook game with that one (before letting the game developers know about the bug).
While this is probably not legal to do, as long as you don't cause any damage and notify the providers so that the 'bug' can be fixed, I've never had anyone be upset about it - better than someone malicious coming along and causing untold havoc for anyone using whatever service has the bugs.
Now I finally know why new JetBrains IDEs asks whether you trust the build system used by a project.
What an eye opener this is... Boy ou boy
Nice vídeo! Good job
I loved the video, thanks for the incredibile content :)
Really great video!
This is awesome, @Google should sponsor more videos like this :D
Awesome video!
Great video!
Only $5k for this? That is way underpay for his skill set
Terry Wu I’ll appreciate 5k, cuz that’s a lot for a kid :)
@@iisky1 nobody asked you
@@makitard nobody asked you to make this negitive comment but yet here we are
@@michaeljones5681 necro
@@makitard what does that mean sorry I'm fairly new to this stuff
That horse playing guitar, drum and [that blow horn thing] 😅
Great job LiveOverflow just one question what software do you use to make these cool paintings and writings ?
you can find making of videos on my channel ;)
@@LiveOverflow Definitely will check it out. Your my Number 1 RUclipsr when it comes to learning security and reversing. Thanks so much for the content
Loved it ❤️
This vidéo was awesome. If you have the opportunity to do something like this again dont hésitate !
I would say: Ehre an Google!
@@effiti2905 huhu xD
@@effiti2905 ich weiß, denkst du er ist dieses Jahr wieder auf dem C3? Will unbedingt ein Autogramm oder so
You've made it! Congratulations
Which piece is that on the piano i kinda want to know
I would really enjoy a video of him playing the piano
Incredible,again!
I guess it's a good sumary (untill you guys release the 4h version :p ? )
Great mind of that person (we're here cuz you have a great mind already, and... Google Agrees... :( )
Good luck to both, very VERY interresting topic and conclusion, and Extremely very interresting trick i'll share soon ;) Thanks guys.
Kepp pushing the boundaries of these bounties!