"Remove the video as soon as possible"

LiveOverflow · Beginner · 🔐 Cybersecurity · 2y ago

Key Takeaways

The video discusses a controversy between Nahamsec and Rapid7, where Rapid7 requested that Nahamsec remove a video about API hacking using ChatGPT, citing that it threatens their client Ford's security, despite Ford having a public bug bounty program. The video explores the concept of Kerckhoffs's principle in cryptography and its application to web security, emphasizing that security should be designed with the assumption that attackers have knowledge of the system, except for the key or sensitive

Full Transcript

Today we have a little bit of company drama involving Rapid7, Ford and Nahamsec, so let's check it out. [Music] This video is sponsored by hextree.io. If you are a developer or a student and you want to learn more about IT security, be it web hacking, reverse engineering, hardware hacking or whatever, we are creating courses over at hextree.io, so please check it out.

So this story starts with a video by Nahamsec, "API Hacking With ChatGPT". It's a pretty neat video. He uses ChatGPT to basically generate some word lists and API paths that he then later uses with a huge list of subdomains to find Swagger files. Swagger files are basically API documentation, usually used by developers to, you know, document the different API endpoints that exist. As a hacker or bug bounty hunter, the Swagger files are of course interesting, because now you save a lot of time: instead of having to brute-force all the different API paths, you basically just have the documentation on what exists. And in this video Nahamsec used Ford as an example, because they also have a public bug bounty program, and bug bounties usually give you a safe harbor, so as long as you don't act maliciously you'll probably be fine.

But then Nahamsec posted this tweet: "Rapid7 is asking me to remove educational content from YouTube over the fact that I used them as an example for a publicly accessible Swagger file." And here's the email: "Hello, Rapid7 is an international cyber intelligence provider. We serve as an agent for our client to identify and neutralize active cyber threats that endanger their brand, customers and employees. As the legal representative of Ford Motors (ford.com), we request the immediate takedown of this video. This video directly threatens our clients by using their name and identifiers. It operates illegally and is active in aiding criminals in their fraudulent activities. We request that you remove the video as soon as possible. We appreciate your assistance in handling this matter."

There were of course lots of reactions. Here, John Hammond with a good "yikes", but also Daniel Cuthbert wrote that this is odd given that the company has a bug bounty program which is public, as you said, and this is all public information already published on YouTube. And Corben Leo, also a very experienced bug hunter and hacker: "wow, don't comply". Some other people were arguing, well, blur the domains, why, you know, expose them? But Nahamsec has a really good point. He's responding to that: "Domains I found using similar services to Rapid7's Project Sonar." So what is Project Sonar by Rapid7? Let's have a look here on the website: "Gaining insight into global exposure. Project Sonar started in September and the goal is to improve security through the active analysis of public networks. While the first few months focused almost entirely on SSL, DNS and HTTP enumeration, the discoveries and insights derived from these data sets, especially around..." blah blah blah blah blah. So basically Project Sonar is actively scanning and scraping the whole internet, be it DNS names and, you know, associated IP addresses, HTTP servers, and they're probably doing full port scans as well. They just contact all over the internet and collect this data. This means Project Sonar does basically exactly what Nahamsec did in his video. The subdomain enumeration, for example, is something that Project Sonar is doing as well. So Ford is a client of Rapid7, and Rapid7 has a product where they, you know, figure out all the exposed stuff from their customers, and Nahamsec found a subdomain that exposed a Swagger file. I don't know, seems fair game to me.

Now here's the thing: exposing a Swagger file is not really a security issue, because the Swagger file just defines all the different API endpoints. The implementation of your API endpoints, they now have to be secure. Now it's true that a Swagger file does help the attacker, because it saves a lot of time, but so it also helps bug hunters that do legit work. It helps to identify all the API endpoints that you can then test. This way you can make sure you don't miss anything during testing. I think it improves a lot the bug bounty impact. Imagine how low some bug bounty amounts are, like fifty dollars, a hundred dollars, maybe 500 or so, and then you have hundreds or maybe thousands of bug hunters trying to find all the different API endpoints, all of them running scanners and DirBusters trying to figure out all these different paths. Provide them a basic Swagger file and none of this has to be done. So the bug hunters as well as the evil hackers, they now have access to the Swagger file, but hopefully, because the bug hunters have access to it as well, they can also make sure that all the endpoints are implemented correctly.

And the basic principle behind this is something that we can take from cryptography, because there exists Kerckhoffs's principle. Kerckhoffs's principle of cryptography was stated by a cryptographer in the 19th century. The principle holds that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. And this can be adapted to web security as well. You know, there are open source web applications, basically the full source code and all the API endpoints and basically all the Swagger files are public already, and you still want this to be secure. So you should always operate under this principle that the attacker knows even all your source code, or at least knows all the API endpoints, and even if they know that, now you have to make sure your API is secure. And it's perfectly fine to assume that the attacker does not have a valid key, for example they don't have the password or the session tokens of other users or the admin user or whatever it is, but they know all the endpoints. As a security researcher, when auditing client applications and, you know, thinking about the threat model, this is definitely something I have in mind. Usually, while I might mention it in a report, or there are some exposed stack traces where the attacker can get some information about the underlying system and so forth, I might mention that, but generally my opinion is that these are not security issues. It can obviously help with a little bit of defense in depth, making it harder, but if you have a public bug bounty program and you want hackers to hack on there, I feel like you should be actually a lot more open anyway.

Nahamsec was thinking about how to deal with it and thought about recreating the whole video with notford.com. Then I suggested Nord; maybe it's also something more known in the German hacking community, I'm not so sure, but I did find in English a Wikipedia article, and Nord is a word that has been used in newsgroup and hacker culture to indicate irony, humor and surrealism. And if there isn't a better matching word, I don't know, so if anything Nahamsec should definitely re-record the video with snort.com. But to be honest, I think Nahamsec should definitely not remove that video. I think this is a mistake by Rapid7. I feel like something like this would set a bad precedent, and I'm in full support of Nahamsec for not taking down this video and helping in whatever way I can if he would ever get into any trouble. This happened a few days ago, so I did ask him if there were any updates yet, but so far he hasn't heard anything back, so hopefully the situation just resolved and it was maybe just an automatic email or something like this, I don't know. I hope this was interesting to you. If you want to see more videos they are linked over here, and if you want to learn hacking yourself, check out our courses over at hextree.io.
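As an added illustration of the Swagger and Kerckhoffs's-principle point in the transcript (this is not code from the video, from Nahamsec, from Rapid7 or from any project mentioned): if the API documentation is treated as public anyway, the useful thing a defender can do with it is check that every documented operation actually declares an authentication requirement. The script below is a small audit over a constructed OpenAPI 3 document embedded inline; the paths, the `bearerAuth` scheme and the undeclared `adminKey` scheme are all made up for the example. It follows the OpenAPI rule that an operation-level `security` list overrides the global one, that an empty list means no requirement, and that an empty requirement object `{}` makes authentication optional.

```python
"""Audit an OpenAPI/Swagger document for operations reachable without authentication.

Constructed example, not code from the video. Treats the spec as public (Kerckhoffs)
and asks the only question that matters then: does each operation require a key?
"""
import json

# Constructed OpenAPI 3 document with a deliberately mixed security setup:
# a global bearer requirement, one operation that opts out with an empty list,
# one that allows anonymous access via an empty requirement object, and one that
# references a scheme never declared under components.securitySchemes.
SAMPLE_SPEC_JSON = """
{
  "openapi": "3.0.0",
  "info": {"title": "example-api", "version": "1.0"},
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/vehicles": {"get": {"summary": "list vehicles"}},
    "/health": {"get": {"summary": "liveness probe", "security": []}},
    "/reports": {"get": {"summary": "optionally authenticated",
                          "security": [{}, {"bearerAuth": []}]}},
    "/admin/users": {
      "get": {"summary": "uses an undeclared scheme", "security": [{"adminKey": []}]},
      "delete": {"summary": "inherits the global requirement"}
    }
  }
}
"""

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def iter_operations(spec):
    """Yield (METHOD, path, operation object) for every operation under `paths`."""
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                yield method.upper(), path, item[method]


def effective_security(spec, operation):
    """An operation-level `security` key overrides the global list; absent means inherit."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def audit_security(spec):
    """Return findings keyed 'METHOD path'.

    unauthenticated: effective requirement list is empty, or contains {} (anonymous allowed)
    unknown_scheme:  a requirement names a scheme not declared in components.securitySchemes
    """
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = {"unauthenticated": [], "unknown_scheme": []}
    for method, path, op in iter_operations(spec):
        key = f"{method} {path}"
        requirements = effective_security(spec, op)
        if not requirements or any(req == {} for req in requirements):
            findings["unauthenticated"].append(key)
        for req in requirements:
            for scheme in req:
                if scheme not in declared:
                    findings["unknown_scheme"].append(f"{key} -> {scheme}")
    return findings


def audit_json(text):
    """Convenience wrapper: parse a JSON Swagger/OpenAPI document and audit it."""
    return audit_security(json.loads(text))


if __name__ == "__main__":
    for kind, items in audit_json(SAMPLE_SPEC_JSON).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run against the constructed document, the audit flags `GET /health` and `GET /reports` as reachable without a token and `GET /admin/users` as referencing the undeclared `adminKey` scheme; `/vehicles` and `DELETE /admin/users` inherit the global bearer requirement and pass. A finding here is a pointer to review the server-side handler, since the spec only records what the developers intended to enforce.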

Original Description

Learn Hacking (ad): https://hextree.io/
Buy my font (ad): https://shop.liveoverflow.com/
Nahamsec's video: https://www.youtube.com/watch?v=BTlUEWHRldk
Nahamsec's tweet: https://twitter.com/NahamSec/status/1694388639994675568
Kerckhoffs's principle: https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

Chapters:
00:00 - API Hacking With ChatGPT!
01:17 - Nahamsec Tweet and Rapid7's Email
03:45 - Is exposing Swagger file a vulnerability?
04:49 - Kerckhoffs's principle

=[ 📄 Info. ]=
Main Channel: https://youtube.com/@LiveOverflow
Support LiveOverflow:
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

=[ 🐕 Social ]=
→ Twitter: https://twitter.com/LiveOverflow/
→ Instagram: https://instagram.com/LiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Twitch: https://twitch.tv/LiveOverflow
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

=[ 📄 P.S. ]=
Hack the Planet!


The video discusses the controversy between Nahamsec and Rapid7, highlighting the importance of Kerckhoffs's principle in security design and the need for transparency in bug bounty programs. Viewers can learn about the basics of web security, API hacking, and the application of cryptography principles to real-world scenarios.

Key Takeaways
  1. Understand the concept of Kerckhoffs's principle and its application to web security
  2. Learn about API hacking using ChatGPT
  3. Recognize the importance of transparency in bug bounty programs
  4. Apply security design principles to real-world scenarios
  5. Consider the potential risks and benefits of AI in security
💡 Kerckhoffs's principle emphasizes that security should be designed with the assumption that attackers have knowledge of the system, except for the key or sensitive information.


Chapters (4)

0:00 API Hacking With ChatGPT!
1:17 Nahamsec Tweet and Rapid7's Email
3:45 Is exposing Swagger file a vulnerability?
4:49 Kerckhoffs's principle