- Classic phishing / session hijacking: apparently Google doesn't _always_ re-prompt for password when you change password / security device, if you have a valid session cookie.
- Poor opsec from Linus (and by association probably also the rest of their upper management team).
Luke, Linus's business partner, was recently "promoted" to CTO and has been working on their many known infra / security deficiencies. Alas, he's a bit too late it seems...
During one WAN show they did mention moving away from LastPass and Linus himself has accidentally revealed private information on streams by being logged in to the wrong account multiple times now.
However, for all we know there's a 0day in some part of the YouTube system. Maybe some (sponsored) device got hooked up to the internal network and laid dormant for a while.
I think one of the staff logged into the primary YouTube account got phished but there are so many ways this could've happened. Luckily for them, their channel is large enough that I think they'll make a full recovery once they've found out how this could have happened.
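The first comment's bullet about a valid session cookie being enough to change a password or security device is worth spelling out as a defensive control. The following is an added example (not from the thread, and not Google's or YouTube's actual implementation) of a minimal account service that enforces step-up authentication: a sensitive change is only allowed if the session has proved the password within a recent window (`REAUTH_WINDOW`, an assumed policy value), and a successful credential change revokes every other session for that account. The class and function names are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy: a session must have re-proved the password within the
# last 5 minutes before it may change credentials or security devices.
REAUTH_WINDOW = 5 * 60


class ReauthRequired(Exception):
    """Raised when a sensitive action is attempted on a stale session."""


@dataclass
class Session:
    user: str
    issued_at: float
    last_password_auth: float          # when the password was last verified
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class AccountService:
    def __init__(self, now=time.time):
        self._now = now                # injectable clock, makes this testable
        self.sessions = {}             # token -> Session

    def login(self, user):
        """Caller has already verified the password; mint a fresh session."""
        now = self._now()
        s = Session(user=user, issued_at=now, last_password_auth=now)
        self.sessions[s.token] = s
        return s.token

    def reauthenticate(self, token):
        """Caller has re-verified the password for this session just now."""
        self.sessions[token].last_password_auth = self._now()

    def _require_fresh(self, token):
        s = self.sessions.get(token)
        if s is None:
            raise PermissionError("unknown or revoked session")
        if self._now() - s.last_password_auth > REAUTH_WINDOW:
            # A merely valid cookie is not enough: the user must re-enter
            # the password before touching credentials.
            raise ReauthRequired("password re-entry required")
        return s

    def _revoke_other_sessions(self, user, keep_token):
        for t, other in list(self.sessions.items()):
            if other.user == user and t != keep_token:
                del self.sessions[t]

    def change_password(self, token):
        s = self._require_fresh(token)
        # ... store the new password hash here ...
        self._revoke_other_sessions(s.user, token)
        return True

    def change_security_device(self, token):
        s = self._require_fresh(token)
        # ... register the new device here ...
        self._revoke_other_sessions(s.user, token)
        return True


def scenario():
    """Constructed walk-through: two sessions for one account, an hour old."""
    clock = [1_000_000.0]
    svc = AccountService(now=lambda: clock[0])
    primary = svc.login("alice")
    other = svc.login("alice")          # a second, equally valid cookie
    clock[0] += 3600                    # an hour passes; both sessions are stale
    try:
        svc.change_password(other)
        stale_allowed = True
    except ReauthRequired:
        stale_allowed = False
    svc.reauthenticate(primary)         # password re-entered on the primary session
    svc.change_password(primary)
    return stale_allowed, other in svc.sessions, primary in svc.sessions


if __name__ == "__main__":
    print(scenario())                   # (False, False, True)
```

The two properties to check in any real account system are the ones `scenario()` exercises: a stale session cannot change credentials without a fresh password proof, and a successful change leaves only the session that made it alive.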
The unencrypted URLs are such a screw up that no one should ever trust them again. Their security related products would all fail if people understood what a disaster that is.
I was super frustrated by it because I had an old (mostly unused) LastPass vault with a shared folder and a handful of MS365 tenants along with some registrar accounts. That probably puts my vault, and the vault of anyone with access to the share, ahead of many other vaults in terms of being targeted as high value.
Luckily it was only me and 1 other person with access to that shared folder, so it was pretty easy to assess the risk. Both of us had good passwords and hadn't ever used anything weak.
Now imagine this in a larger organization. What if a dozen people have access to the LTT channel? All it takes is for one of them to have used a weak password on their vault and now the identifying info that came along with the vaults becomes a huge issue because it allows them to be targeted as a high profile organization and suddenly there's a huge increase in the odds of a weak password causing a compromise.
> Poor opsec from Linus (and by association probably also the rest of their upper management team).
Ultimately they're content creators. Being tech enthusiasts means they're probably doing better than a lot of other creators, so maybe some of the blame should start shifting towards the big tech companies rather than the victims.
My hot take is that by competing to control identity the big tech companies are making the entire security ecosystem significantly more confusing for the average person and I think big tech should be taking the blame for a lot more than they do. How are we supposed to keep up with dozens of complex security schemes from different companies?
Per-user pricing also discourages good security practices because profiles are always treated as users. You see it in everything. I use multiple profiles on Windows to silo work for different people. I have to go against the grain to manage everything and now I'm supposed to buy 4 Office licenses because the licenses have been changed from per device to per user (profile). 99.99% of people will give up and use one big account.
It's the same for password managers too. I switched to Vaultwarden because I can create multiple user accounts and do a better job of keeping different roles separated.
For example, I have some high value passwords that are only ever used from a dedicated machine. In Vaultwarden I use a separate user that only gets set up on that machine. In any other password manager that's an extra user account and, by the time everything shakes out, I'd need half a dozen accounts just to silo my data responsibly. Not a single normal person is going to pay for that. They'll use one big account for everything.
So IMO big tech takes a lot of the blame for our lack of security because they're building for profitability first and security second.
> Being tech enthusiasts means they're probably doing better than a lot of other creators
From what I've seen, LMG is a large corporation still being run like a startup. Considering how often they churn out videos about their file servers dying because they fail to do things like scrub their ZFS pools, I'm not sure how much actual tech knowledge beyond PC hardware specs they have. It's very much a lay person-oriented channel, not enthusiast-oriented.
This is exactly the kind of thing I expect from LMG. If this were to happen to, say, Level1Techs, I'd be shocked.
Your anonymous comment reduces somebody’s experience and decisions to a single sentence. I’m afraid it completely fails to successfully summarise them.
I actually don't dislike cities and I didn't generalise that they are terrible.
London is one of the busiest and largest mega cities on the planet. It's incomparable to a city of ~400k people where you can walk in 45 minutes from the city centre to the boundary where the urban environment becomes a more natural environment.
The mega city is not for me, and I regret sacrificing quality of life for income. This decision is about rebalancing those two.
Thanks for the clarification, this is probably an interesting point to make:
> I don't have FU money, I still want to work as a software engineer and will have to very soon. The difference is that I will not trade quality of life for money, and I will try to find or create work on the terms that maximise happiness for me. These terms are different for everybody, so my solution is unique to me.
I'm inclined to agree, though of course having adequate savings and planning ahead both feel like pre-requisites to me. Best of luck!
When I wrote this, I had no idea it was going to receive so much attention. It was immediately after a call with my boss where I committed to leaving.
I have learned a valuable lesson: how important it is to be crystal clear with the words you choose and the message you convey.
Reading my post now, I agree it sounds like I'm naively planning on going to live in the mountains where I'll immediately die in a storm or get eaten by a bear. I also wrote "I'm the least fulfilled I've ever been". I should have written "this is the least fulfilling work I've ever done".
I am leaving an unfulfilling job, and an unfulfilling place, to move to a smaller settlement where I am a short walk from the seaside and a short drive from the mountains. I'll have a way higher quality of life, being able to do the things I love (hiking in the mountains and other general outdoor pursuits) at the cost of losing a significant amount of income.
This is a trade I'm willing to make, and it reverses the decisions I've made over the last few years. This is an important learning I hoped to share with others who may be in a similar predicament.
I don't have FU money, I still want to work as a software engineer and will have to very soon. The difference is that I will not trade quality of life for money, and I will try to find or create work on the terms that maximise happiness for me. These terms are different for everybody, so my solution is unique to me.
The TL;DR of my original post is "don't optimise for income over quality of life".
Author here. You'll notice I didn't ask the reader to "follow me on twitter".
I had ~30 people reach out to me in DMs on twitter.
Some were people who feel in a similar position but don't know what to do. Others were people who have been where I am and offered advice.
Twitter is just a tool to connect with people outside of the immediate circle I have around me, I don't think there's any problem with using it as such.
Forgive me, but I don't understand the relevance of "follow" vs "reach out to".
In the post, you wrote a paragraph starting with `Almost everything around me is designed to addict me.`, which seems incongruous with communicating through Twitter. I'm glad it has worked out well for you and those ~30 other folks anyway.
Mainly I intended to say that I have exited and successfully re-entered the rat race (actually, a few times), and fully support others in doing so. Do it while you can!
Many commenters clearly don't get it, and probably never will. But, I do, and I don't have a Twitter account.