The Hacker Mind: Hacking Social Media
With more than 600K followers on YouTube, LiveOverflow is one of infosec’s first social media influencers. How did he get started and what’s next?
In this episode, LiveOverflow talks about his six years of producing engaging YouTube content and what the rise of social media influencers might mean for traditional conferences like Black Hat. He also gives a preview of his new YouTube series on the sudo vulnerability.
Robert Vamosi: Before there was the internet as we know it today, there were bulletin boards, BBSs. These were chat-based communities that sprang up around various interests. One of those interests that took off was computer security. And getting invited to join meant you had to know someone to get the phone number to dial in.
Once you were in, you could ask questions, you could learn new skills, and you could find out about even more BBSs. On these BBSs no one would know your true identity or age; you’d only be judged by what you wrote. For bored and smart teenagers, this was the perfect way to learn how to hack. Or share gaming cheats.
Today we have it a bit easier. Surf over to YouTube, or log into Twitter, Instagram, or hop on Discord or Twitch and you’ll find members of the info sec community ready to share information. Much like the BBS of yesterday, these social media sites can be used to teach people how to hack. And that’s really where YouTube comes into play: you can watch over the shoulder of a professional hacker, see what she sees, and then try that hack on your own. Some hackers live stream events. And some hackers are starting to have a large number of followers. Massive numbers.
But, as amazing as all that sounds, there are tradeoffs -- in privacy, for example.
In a moment you hear from someone who’s been publishing high quality infosec content on YouTube for the last six years and now has over half a million subscribers. And, having reached that peak, he’s now wondering what he should do next.
Welcome to the Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about people who hack for a living
I’m Robert Vamosi and in this episode I’m discussing something a bit different, the rise of social media as a means to share hands on knowledge in IT and infosec, and what that might mean for infosecurity conferences, and even who we consider to be infosec influencers. Not all of us like being on camera or before a microphone or even standing on a conference stage, but for some of us this just comes naturally.
LiveOverflow: Given the context of social media nowadays, and the importance of influencers nowadays, in media in general, I guess it's fair to say that what I'm doing now is someone being an influencer.
Vamosi: For more than six years, LiveOverFlow has been generating engaging hacking content on YouTube. His approachable style and his desire to teach others what he’s learned about information security has resulted in a massive following of half a million subscribers. By anyone’s measure that would make him an infosec influencer, would it not?
LiveOverflow: I mean, first of all, it's interesting to think about that. I'm an influencer. It's a very new term. And it's weird to to name myself an influencer. It's not something I have ever considered to become or wanted to become.
Vamosi: So how does one get 600,000 YouTube subscribers? Did LiveOverflow have that goal in mind when he started? What was his motivation?
LiveOverflow: It all started with creating a YouTube channel after I watched live CTF recording from geo hot
Vamosi: Wait a second, GeoHot? That’s George Hotz, aka GeoHot, who played for the CTF team Plaid Parliament of Pawning or PPP in 2016, but previously, at age 17, is much better known for being the very first person to jailbreak his iPhone so that he could use any carrier he wanted. And only a few years later he reverse engineered a Sony PlayStation, enabling it to both read and write to memory within the device. This was such a problem that Sony had to shut down it’s entire Playstation service in order to fix it. So LiveOverFlow was influenced by GeoHot?
LiveOverflow: So GeoHot, George Hotz. He made a live stream where he solved hacking challenges and CTF challenges, and I thought that was fascinating. Because this was the first time where I looked another professional over the shoulder, really watching them code. I don't know what your audience's experience is. clearances, especially people who are developers or who are in it, it's kind of rare to actually look somebody else over the shoulder. We share blog posts, we share our code, you can look at code on GitHub. But the process of actually creating code and hacking also, it's not something you typically are able to see other people do. Even in university also, you usually write your projects alone, and you rarely look somebody else over the shoulder at how they work. And so seeing geo hot work is magic in the terminal, and reading assembly code, writing exploit scripts, that just blew my mind and really, really helped me to move forward with my own education,
Vamosi: At the core LiveOverFlow wanted to learn about computer security, and then share what he knew with others. But it wasn’t an example of “I know everything, follow me.” It's much more organic, sort of a “Here’s what I learned, I’d like to share that with you now.”
LiveOverflow: So to put you in context, where I was at the time I was studying in my bachelor's degree in computer science, and I was focused mainly on becoming a developer, but I did have a huge interest in IT security. And a little bit earlier I discovered these word games in CTF that made it possible for me to even learn about security in the first place, because resources were so sparse. And the problem was that the topics quickly got very, very complicated. You could find tutorials on basics, but anything more advanced just didn't really exist. And it was very, very labor and time intensive to get anywhere forward. And so I was really frustrated because I was really, really eager to learn. I wanted to learn more, I felt I could understand these topics if somebody else could show them to me. But I found it really, really hard to explore these things on my own. And this was until then I stumbled over GeoHot doing the live CTF videos where I saw a professional just hack away in the terminal. And that really showed me how it was done. And that there's not much secret to it, there's just a lot of things you can learn from watching somebody. And that ultimately motivated me
Vamosi: So LiveOverflow was willing to learn on camera. He admits stuff he didn't feel he knew well. Maybe that's what makes this 300 plus videos so genuine.
LiveOverflow: I didn't think I had a lot of experience at the time. Because I was still starting myself. But I did feel like I broke through some walls through learning myself mainly in the basics of binary exploitation, memory corruptions, the basics, that I felt like, they are much simpler than they appear to be. And I could maybe explain it in video form to people coming after me. So I didn't feel like I was a professional being able to show up. But I felt like I was somebody who got a bit further and I could make the videos that I wish I had when I started.
Vamosi: Okay, so maybe influencer is too bloated of a term for live overflow. Maybe we can settle on something else, like a mentor.
LiveOverflow: I mean, in some way, certainly this is how one mentoring could be where a mentor who is more experienced shows their way of working to somebody else. Yeah, in that sense, it could be considered mentoring.
Vamosi: There's a theoretical way to get started in infosec. And there's a hands-on way to get started. Theoretical typically means academic. You go to a university and get a degree. And there's very little hands on education process. So how do you get hands-on experience? Maybe you can get hired at a company that will teach you or maybe you can apprentice with somebody directly. But in the modern world, that type of training program, or apprenticeship, no longer is realistic. So live overflow said about trying to build his hands on experience with his YouTube channel. Did he have a plan? was he thinking he could script out so many episodes in advance
LiveOverflow: No, this wasn't a whole evolution. My name is life overflow because I started doing live streaming as well. I saw Gio her doing the live CTF and I figured I want to do the same. I want people to look over my shoulder and watch me work on basic buffer overflow challenges. Unfortunately, I realized that I'm not really good at it; GeoHot is a very entertaining person. He's very fun to be around. But my English is I'm not a native speaker so my English is not great. And the topics were still too complicated for me to be able to entertain chat and all for insightful commentary while at the same time thinking about complex topics. So, after trying that for a while and doing it this style, I figured that I'm much better at dissecting the information, putting them into a video script and then recording that. And back then I didn't think that it would be a very, very long series. In my mind, I thought these topics are so basic in some sense that I would be able to get from zero to some word experience in in binary exploitation very quickly, and I would be able to make these videos very quickly, not realizing that this was actually years of work in the end.
Vamosi: First and foremost, LiveOverflow is a computer engineer. He's not formally trained in marketing, or multimedia. He's had to learn all of that himself.
LiveOverflow: In any of this. Yeah, in marketing In Video editing and in IT security as well.
Vamosi: So this raises a question, should computer science students also learn a little bit of Adobe Premiere Pro, a little bit of audacity or whatever they choose to use. I mean gamers pick this up, too, offering cheats and what not on YouTube and Twitch, but what about the formal computer science students like LiveOverFlow?
LiveOverflow: Actually, I think Basically Video Editing skills are very awesomeness Especially in the social Media It's a it's a little But similar to how you want to teach students how to have Good presentations, a lot of university classes that there will be a class on how to give a good presentation because that's The way how you know the industry works at work you have to constantly question Some patients or you might go to a conference and give a break. There, but with the In Increase the importance of social media. I do think that Being able to create being able to create a small video and how to edit it that it's short. How to you know cut out the unnecessary parts, how to zoom in on it. That window that you are navigating so you don't record a huge 1080P monitor or even larger when nobody can read the text, you know small things like this just to have a base level of quality in the video I think that has huge value.
Vamosi: Given that’s he’s got six years of experience, and he’s been learning video along the way, does LiveOverFlow now cringe at anything he’s done in the past as part of his YouTube channel? Is he proud of the body of work he’s created?
LiveOverflow: Actually, I'm quite happy with how it started. Because I iterated over my video making process. I think what a lot of people struggle with that might want to create something themselves. They want it to be perfect the first time and I'm glad I wasn't Worried and just try to create something and I realized that life trimmings are not my style and then just iterated over it. I recently looked at the first videos I uploaded to my channel that are partially unlisted. They were the same video. Our topic, the same challenge I solved but in 3d Print styles. One was a pure life recording. One was an attempt at having a prepared script but still on the fly. Just Trying to record it. And then the third iteration was writing an actual grip, recording the footage and edit thing and ultimate The eye then You know, figured out how to make the Here's how I like them to be.
Vamosi: And often when creating a blog or any content for that matter, it takes a certain number of tries before it begins to feel natural. How long did it take LiveOverFlow before he fell into a groove?
LiveOverflow: I think there were maybe several dozens, maybe even 100 but you have to consider that these were very low effort video They were mainly just turning on the key I'm writing, talking with you Also they are very easy to create Some of them Or even just like cars From a very long recordings so they had multiple episodes. So it It took a while. It's been a couple of months. So I think I started in March 2015 and in December 2015. I started with my now most popular series, the binary exploitation series.
Vamosi: Some people dream of being famous. For a lot of programmers and security folk, that isn’t necessarily the case. Anonymity and privacy are very important. So there are some downsides to being popular and having a massive following
LiveOverflow: So the biggest negative for me is I'm not a person who likes to have attention on me as a person. It's maybe a weird small difference. But when people say they are a fan of me I cringed a little bit I have a hard time with that but i Do want people to be Fans of my videos So that's a small difference but I don't like this. This kind of celebrity status that maybe comes with social media and for a long time I did the channel anonymously as well. Don't even my colleagues or friends knew that I'm a live overflow doing those videos. Because I want you to stay anonymous It's difficult for me to be a bit Have a personality In this area
Vamosi: And, despite what you hear, there’s really not enough money in making podcasts or videos. Really, don’t quit your day job when your subscriber count reaches 100 thousand. LiveOverflow is well past that number but he still has a pen testing job to support himself.
LiveOverflow: Correct. So, in 2013, I also started working as a penetration tester doing web application penetration tests or application security tests, mostly code audits, code review. blackbox pap tests, that sort of stuff. So it's not necessarily related to Binary exploitation but I'm interested in in all the fields Yeah, I've been doing that for the site since 2013. Over time, I did that Yeah, I Did that while I was still studying and While I was still doing My master's degree I was working as a freelance uncertain that's still What I do today and what I consider my main priority simply because YouTube doesn't pay enough and of course, I never thought that Maybe with YouTube I could even earn
Vamosi: There’s a need for more Infosec content. Again, programmers and hackers aren’t necessarily oriented to public speaking and showmanship. So those who can, well, should step up and start producing more content.
LiveOverflow: So social media has an interesting dynamic, where you know when you become popular by sharing content and on Twitter this can simply be a person who just takes a link and shares On Twitter and they can grow their following this way. on YouTube. It's a bit more complicated. You have to actually make those videos yourself. So it can be very easy to make a YouTube channel IT security Because first of all, there's still a market and a need for it. I think that it's still not fully met. And so if you are consistent and basically take written tutorials that already exist and basically package them into videos. It's a very easy way to, to grow a following I would say.
Vamosi: Like the tension I mentioned between earning an academic degree and doing hands on security work. There's also attention with social media influencers Just because someone has a pretty package Great music Awesome editing skills doesn't mean they know what the hell they're talking about. What does live overflow think of people marketing themselves for particular skills and whatnot. Is this good or bad? Otherwise,
LiveOverflow: We like to think that It is very merit based it's The typical response People say you're on You get a job when you are good and it's It's often used in very sexist and viral As well, like, people only get here because they're good and they want to talk down to other people for various reasons. And so I grew up in an environment that felt very merit based. That's also one of the reasons why I didn't Want to expose my own personality.
Vamosi: I’ve talked before about imposter syndrome in infosec. And it's real. It's the feeling that even if you are on top of your profession, you still don't know enough to share with others. Often, you do know enough You really should share what you do know. Who knows, you might be Really good at it.
LiveOverflow: The environments I was around Where you hackerspaces and conferences where people. I felt like that all these people do really, really cool technical work and I want to prove myself and do my own technical work. Otherwise I'm not allowed to present myself as a professional person in this industry. And of course with social media, it's there are different ways of showing off yourself in Took conferences you come with prepared topic you have some cool research to show and you know on YouTube or social media, there are less these requirements so it's a bit easier to to To get a following and advertise yourself, and of course, this is important, I don't want to, I don't want to devalue this. I don't want to sound like I have a huge problem with this because in the end, it's the network. Working part that is important for job finding. We like to think It's all merit based but as you and I No, it's mostly about networking. Knowing the right people To be able to learn Really good jobs. And I can speak about that from my own experience because my penetration job, my penetration testing job as a freelancer I got through connections, knowing people. So, in the end social media is a great opportunity for people To grow a network that that only happened at conferences
Vamosi: We've just been through global pandemic For the moment in person conference They're still somewhat non existent. So, I would think that this would be a boon for social media and for YouTube in particular, for people getting out there in other ways.
LiveOverflow: Yeah, I think Think YouTube and social media is something that the cybersecurity industry hasn't really explored yet. I think one the biggest marketing places we have In IT security was basically The Black Hat conference. And the marketing around that is kind of interesting. You have a conference like Black Hat that has these talks that are very technical and companies that are basically there to advertise. This conference has the merit that they prove themselves to look like we have cool research. But then in the end, it's only to draw people in for the marketing part. In the booths where the vendors can sell the product. And this was kind of only big marketing place that I know of that existed in the IT security industry. And so social media has been growing in that regard, so that somehow companies start to explore how it is to advertise on YouTube. There are also some IT security podcasts that increasingly interview the industry and talk about products from other companies. So yeah, I think these are very new ways that advertising is being done in IT security.
Vamosi: Line con is where you're standing in line at DEF CON, for example with somebody very interesting and you strike up a conversation. Maybe they give you a challenge. coin or lead on a job in return for some information you give them something like that. How's that? Work with social media that
LiveOverflow: Yeah, the line con is actually a really good thing that is not working so well in social media. In some places, however, I do think there are some very cool changes in the recent one or two years with that. So back in the days there were these IRC channels. And if you happen to stumble over the existence of IRC, you might be able to get into a small community that feels very much like stumbling into people at a conference where you can strike up conversations about interesting topics. But then, this kind of the sub communities were kind of lost for some time, but in the recent years, due to discord, there has been an explosion of discord servers. So this cord is like, like slack for IP security communities. And they are I basically get invites sent every day to new discord channels where people want to talk to people, and these are small communities, sometimes about certain topics, sometimes not, but where you can just casually interact with people and read the conversations of other people. You know, if there are very interesting things. So I think they somewhat replace maybe the typical line lines at conferences.
Vamosi: Again, it's at line con at conferences that you sometimes hear about the great job opportunities that are out there.
LiveOverflow: That's true. The people that introduced me To my job So from conferences I saw the person first, the person that gave me my job opportunity. I saw them giving a talk at the conference and meeting other people. Yeah also through conferences in Social media it's a bit different, the motivations Seems a bit different or the capabilities to find jobs. We see. Oh, I observed a huge rise in bug bounties and people wanting to get into bug bounties for a career. Not so many additional jobs. I feel like social media especially Twitter and YouTube is even mainly dominate need to buy the swish of being an Independent bug bounty hunter and getting a job in that area, not in all the other fields that exist
Vamosi: Online community These are still just niche. You have to know somebody to know about the There's no Central Board. For example, for discor
LiveOverflow: Generally the disk Every now means in some way, we are all big them to the social Media algorithms in this case It's the YouTube algorithm That is advertising my videos. And it's the twitch feeds that are algorithmically sorted that Decide if you are exposed to a certain community or not. So it's a weird dynamic. Make sure that you have it's not like an event that you go to and you know there will be people. On the other hand, I would argue that to know that cyber security conferences exist you also already have to be in that community. So I mean, I was a student doing regular computer science and I didn't even know that IP security conferences exist.
Vamosi: Traditional infosec conferences sometimes are inaccessible for whatever reason. We mentioned Black Hat. Well, there's a couple Black Hats around the world. But DEF CON, on the other hand, occurs only in Las Vegas. I would think that using discord or twitch or other social media, we're starting to reach some of those people that might never physically get to attend those conferences.
LiveOverflow: To be honest when I started to get introduced into IT security I started my channel. I asked myself this question, how many professionals are out there that would be even interested in these kinds of topics and I thought maybe it It felt like a maximum maybe 10,000 people worldwide. I might be interested in that. But I think that was a problem of the very small bubble that I was in, namely the German IT security scene or the German hacking scene. And I think what you can see on the road of my channel, just the raw subscriber numbers that free Hundreds of 1000s of people that More or less interested in AI Key security. So there are of course many developers and people that are maybe not in it or maybe maybe not yet in it that maybe find their way into it thanks to these kinds of videos but I think it showed me that the world is much bigger than what it feels like the conference bubble to be at a conference. And also, maybe maybe a couple of 1000 people at a really, really big conference and that is Not the world. There are, you know 10x 100x maybe more people than that in the world.
Vamosi: I believe the last Black Hat USA that I went to in 2019 was around, 15,000 people. Jeff Moss, who founded both DEF CON and Black HAt, makes a point of pointing out at the start of Black Hat the number of countries represented. Some countries had only have one, but they get a huge round of applause. I don't know if anyone can, but can you compare a physical conference to the reach with the 600,000 online followers?
LiveOverflow: So, to the conferences I went to, I actually, especially the professional conferences I don't see actually a lot of diversity but that's probably because of the regionality because the further away you are, you won't travel to these kind of conferences, of course. So, I am able, or I was able to get exposed and get introduced to people from all over the world, and I see a large following from Indonesia or Morocco and Egypt. People, I never realized I never thought about that, there are that there's also a hacking culture developing and evolving, and maybe their hacking industry is not that far yet they don't have many big known companies that are operating on an international scale but these hacking communities are just now evolving in these places and I think I'm able to reach them through social media, and with
Vamosi: Are you able to discern any differences, say like Brazilian hackers are more interested in this as opposed to your Indonesian followers.
LiveOverflow: Oh, I wish I had a detailed market analysis. There are certainly some differences, especially in motivation for why people want certain jobs. And I think there's also just like cultural differences and how people approach, jobs, and I even notice it with the US and Germany a lot, given that I feel the US industry is a lot about public and private sectors, while in Germany the public sector is a little bit frowned upon, always a bit more skeptical skeptical about work for the government. And so there's a lot of cultural differences when it comes to how hacking is kind of viewed.
Vamosi: That's actually very interesting. So, the types of hacking in different regions are a product of local culture.
LiveOverflow: Yeah for sure that Germany has a huge organization called the Paris Computer Club. They organize the largest security or hacker conference in, in Europe, I guess, maybe. And they are very political as well and they advise a lot, the politicians and they are very skeptical, always of new developments in that regard and I guess from through history, especially Stasi and DVR with surveillance, and you know how usable hacking skills are in these skill sets, people are very suspicious. When, when these skill sets are being used for government jobs.
Vamosi: Speaking of politics, conferences themselves can get political. There are certain speakers that always show up, and you start to wonder how do I break that glass ceiling and get invited to be a speaker at some of major these conferences. I would think with social media, we're creating our own stars, individuals who are different from those that you would expect to see at the major conferences,
LiveOverflow: That is probably true, though, I would say, I am very exposed to very technical conferences where the talks are really about showing research, and, and yes there are the people that do really good research that show up, show up multiple times. But in the end they still bring really really good research and from my experience, people that have really good results usually also have a good chance of getting accepted to conferences, but these IP security conferences are obviously more than just the actual technical presentations, and I guess those are the more, the more fun talks I guess the less technical talks. And maybe there is such a thing as, you know, a small knit circle of very good speakers that are always invited all the time. But I'm actually not so experienced in that regard.
Vamosi: Earlier we talked about merit, and I think about that too, and it's like, if you haven't done the work, then why the hell are you telling me about this stuff? There is a little bit of showmanship with YouTube, and some people might razzle dazzle, but not actually have that merit to be able to speak to these things.
LiveOverflow: I think the unfortunate reality is that the line between merit, and just repackaging content is very little. I myself, consider myself, and that's why I also feel not very comfortable with me as a personality is because I don't feel like I have shown a lot of research. What I do is I repackage a lot of stuff other people have done. I take known techniques for exploitation, and package them into a video. I do think that I do it in a very unique way and I have a specific way of thinking about these topics and I present them. Oftentimes in very different ways how they have been traditionally presented, or how they would have been presented in traditional learning environments. I think a lot about how I can educate people on these topics in different ways. So I do think that I have found a good qualification for educational purposes but I don't think I have the merit, or actually like doing research and pushing the field forward. But for the audience. This can look very differently the audience, often puts people like me up on a pedestal, thinking that I'm one of the greatest hackers alive, just by showing off stuff that just other people have figured out.
Vamosi: By training, I'm an infosec journalist, so I have a very broad background in security, but I can't go very deep into any topic. There are some people like me who feel that sharing knowledge about security is good because you're opening people up to stuff they might not have known. Would LiveOverFlow be comfortable with that?
LiveOverflow: Yeah, I, I'm a huge fan of that, I mean, that was what, that is what God was doing as well he was doing live CTF and just showing off. Packaging you know the information that was maybe out there in a unique way of being able to look somebody over the shoulder. And so, I'm a huge fan of that as well. The problem is that it often. So it's a very small thing but it's a way how these other YouTubers are communicating this, it can very quickly sound like I actually know everything and I figured out everything myself rather than a journalist who were the relationship, the story and the journalist is very clear, a journalist is just the person that is transferring that knowledge, while a YouTuber might look like. I am the source of the knowledge and I'm, it's not clear that I myself just repackaged some other story and then through that, it becomes like I'm the great person even though I'm just the messenger of the great information,
Vamosi: There’s value to being a trusted messenger. And there's value in what in what LiveOverFlow is doing.
LiveOverflow: I do think that there's a little bit of a responsibility in highlighting your sources. I really like the academic way, and the journalistic way where you are usually citing your sources. And so in YouTube videos and other social medias, it can very quickly be where you just basically copy and paste some other people's work, and you will not, you may repackage it you may be rewrite it, you put your own spin on it but you are not really honest about that you kind of like, took the other work. Now, I have to say like I am probably not perfect with that either I if I'm completely honest probably people do not realize that maybe I'm also just repackaging other people's content. Mainly, but I do think I tried a lot to showcase where my references are from, and then I'm just learning this stuff too. That's kind of important to me and I have a little bit of an issue with, with people that sometimes present themselves as huge experts, even though it's clear that they just basically read the first Google result.
Vamosi: So with social media, and its limits of 140 characters, or five minutes, comes a lack of depth. There's really a lot of abstraction or simplification of the underlying principle or technology going on deep inside, and sometimes that's a disservice.
LiveOverflow: The IT security or cyber security industry is huge, its massive, and the whole industry is standing upon the technical details the actual hackers that dig deep into the source code and bits and bytes and stuff like this. If there was not this original research that these hackers and security researchers found there would be no discovered vulnerabilities, there would be no scanners that scan for vulnerabilities, there would be no products that can try to defend against these vulnerabilities or detect them and there wouldn't be all the risk management that comes on top of that, I mean the industry is huge. There are a lot of abstraction layers but ultimately it's all standing on the people that really dig deep into the technical details. And I hope with my channel where I focus on very technical topics. I can kind of expose more people to the deep technical details. And in the end I think everybody, a developer or even a manager who can learn a bit more about the technical details will in the end, be able to also do a better job, even though they are maybe a lot of layers away from the actual security research.
Vamosi: There's something else that LiveOverflow is observed: The rise of the developer evangelists.
LiveOverflow: In the area of developers and products that companies software as a service products that companies offer there, there's this job title, A developer evangelist, somebody who basically goes to conferences and presents a certain technology Jeff just in a way to make it public that the company is developing something that maybe other people want to use. And this job doesn't really exist in IT security I think people that publicize kind of the products or the frameworks and the things that exist. And I think there's a hole there and I think maybe social media people will feel that at some point, maybe it's the way where people discover actually the products and services that even exist.
Vamosi: There's also a need with social media for a clear firewall. For example, people need to be told when something is sponsored by a company. They need to decide for themselves if the claims in that sponsored content are fair.
LiveOverflow: on my channel I have done a handful of sponsored videos, mainly for Google, and I think it's a very interesting way of advertisement because Google essentially paid me to present a vulnerability that was found in Google products. And for many companies, it might seem weird to advertise hey look, we had a big vulnerability, and then even showing it off on YouTube, where 1000s of people will see that. So I think in, but I think this is a very clever way of advertisement and I hope more companies will follow in that regard to not feel shame about vulnerabilities, but use this as an opportunity to show. Yeah, we are realistic we are aware we have security issues and they are interesting, so we want to show it to the world with sponsored videos. I really hope we see more of them.
Vamosi: For his next series LiveOverflow is trying something a bit different.
LiveOverflow: Yeah, so my longest running series is the binary exploitation series memory corruptions where I cover the basics of how buffer overflows and so forth, work, and of course throughout the years I've done a multitude of other videos and other series that cover web, web security I've game hacking series, and a new series that I'm starting is on the recent sudo vulnerability. And I do think that there's a very unique series that doesn't really exist yet and I hope this is another way of me making content that has doesn't really exist yet before, because I'm basically trying to slip into the role of somebody who discovers this vulnerability analyzes it and then actually exploits it. There's this concept that I'm not sure if that's actually a real name, but I've heard it before. It's called discovery fiction. It's where you make up a story of how something was discovered, it might not be the real way but it might be a very interesting and fun way to follow along. So, I myself, I put myself when I saw this vulnerability I sat down and told myself, I tried to rediscover this vulnerability now in the great way is, I can always cheat, I can always look up what the actual vulnerability was because it's obviously known, but I deliberately try to limit the information, I look at and try to do it myself. And I think this is a great way to learn. And so I try to package this now into a series for four videos where, you know, a person can follow along as if they were doing the originals pseudo research. So, the series is basically written, I've done the research already I've done the complete run from RE discovery analysis and exploitation. Along the way I've taken notes and saved all my code that I've written to do that. And I've already started writing the scripts, they are in a very rough graph, but I know already that it will be roughly 11 episodes. While I then actually work on the individual episodes I might split them up I'll rearrange things just because I think they don't flow as well. In a video format. Security Research digging deep into technologies that's not really educational content that exists in any form, and I'm not aware of. It's pretty much already prepared. Now I just have to sit down and edit and produce the videos. So, so I'm hoping I can create something that's very interesting to a lot of people.
Vamosi: I'd like to thank live overflow for sharing his thoughts with us. You can find this content on YouTube and subscribe. He has over 300 videos over six years, what he says represents everything he currently knows about information security, so there should be something there for you. Check it out. And there's a need for more people like live overflow to explain what they know and to reach a wider audience. Really, if you want to give this a try, you should really just get a microphone, get a camera and start talking, who knows, you might be really really good at this.