LTT YouTube channel has been compromised, account suspended (theverge.com)
54 points by rmonvfer on March 23, 2023 | hide | past | favorite | 17 comments



I’m curious if LTT had Advanced Protection turned on, which would have required hardware 2fa.

It seems like this is either likely a phish or an insider threat. I’m looking forward to the post-mortem.


This exact same thing (same Elon videos promoting the same crypto scam) has been happening to YouTubers with any amount of subscribers for at least a couple of years.

YouTube probably won't share any details, they'll quietly revert it for him since he's prominent enough to get ahold of someone.


Even what can be considered less connected people have gotten this kind of attack resolved. Usually a lot slower than LTT, but they still have gotten it back.


It seems like malware stealing browser cookies of authenticated sessions can work around even U2F, and highlights a bit of a hole in how sessions are protected (or not), and where it may make sense to reauthenticate the user when in doubt.


I figure that some kind of MAC sandboxing for cookies and similar credentials probably seems like a good idea. I think that macOS has something like this with per-application sandboxes, but I don't know how effective this is.


You’d almost want to pair the session with some kind of hardware like the TPM or Secure Enclave to prevent it being transferable.


If someone can steal your session, what is stopping them from making requests on your behalf?


in practice, this would probably work something like:

- hardware enclave contains public and private key pair

- browser retrieves public key, sends to remote host (website)

- website sends back a unique token with the response to every valid request from that client (kinda like anti-csrf tokens)

- browser asks enclave to write a message containing that token, signed with private key

- when the browser sends the next request, include the cryptographically signed message containing the last token received by the server

- website checks that the returned signed message includes the correct token, and has a valid cryptographic signature matching the provided pubkey

this would be entirely transparent to the end user and would prevent simple replay attacks with the token, which seems to be Gigachad's idea (prevent it from being transferred)

unfortunately, as you point out, even provided the adversary cannot retrieve the private key, this means that as long as the secure enclave is connected and accessible, and as long as the adversary maintains code execution on the victim machine, the attacker could simply issue requests necessary to perform account takeover from the victim machine, rather than their own machine.

in security, it is extremely challenging to design systems that remain secure even when an adversary has access equal to or exceeding that of legitimate, authorized users, as is typically the case when malware is dropped on a machine, which is probably the most common way cookies with secure and httponly flags set get stolen.

Sadly, the security model of most x86 operating systems like Windows is well-suited to protecting system administrative functions, like installing drivers, but is poorly suited to protecting ring 3 / userland software (like the cookies from your browser, which are stored on disk) from other ring 3 / userland software (like that cookie stealer that just got run with the same privileges as your freshly-exploited PDF reader).

obligatory xkcd: https://xkcd.com/1200/

Somewhat interestingly, the security model of modern mobile operating systems like Android and iOS is ostensibly much better at protecting against threats like this - even if you install a blatantly malicious app, if you're not rooted, that app is not able to simply read your browser's cookie file from disk. That sort of security model can feel extremely restrictive from the perspective of 'typical' x86 OS users, but will feel right at home for anyone using special compartmentalization-based security-focused OSes like Qubes, where your PDF reader gets opened in a disposable VM entirely distinct from your browser's VM. This isn't unhackable, but as someone who hacks for a living (red team at big tech co), it's a barrier that would stop me unless a fresh, public Xen escape CVE drops tomorrow.


I look forward to the breakdown of what happened. A lot of content to be made out of the post-mortem of something like this.


Seems to be in the pipeline already [0]

[0]: https://linustechtips.com/topic/1495948-linus-tech-tips-tech...


Jeez, there's like 21 pages of noise after that comment in the 9 hours since it was posted.


The thing you call "noise" is a vibrant and active community cultivated on their own infrastructure and impervious to the whims of social giants. Something 99% of content creators never think twice about before hard-linking their livelihood to YT/Amazon/FB/Onlyfans.

Personally not a fan of LTT or their entertainment output masquerading as technical, but you can't deny Linus's business smarts.


Imagine being so big, that the verge writes a whole article about your channel getting hacked.


It's absurd for the channel to be permanently banned, and all its videos deleted, over this, right?

We know it's absurd because it won't happen. But there's two issues at hand. Setting aside that of customer support via profit motive and public scrutiny, banning does not imply deleting. So from where comes YouTube's eagerness to delete videos, the source of all value in the service? Where did the practice even start?

Is it a distinction of forums and wikis (where user contributions enter the commons) from blogs and social networking (where users "own" the "content" on their pages)? Then it's unfortunate that this is what should remain of YouTube's rise to its monopoly on video hosting.

(Of course, the opposite situation is also a factor: banned accounts that cannot be deleted)


The "ban" is temporary. This is the exact process that happened to the Corridor Crew channel when they were hacked. YouTube will "ban" the account while they clean up the damage, and it will be un-banned after they finish cleaning up.


The videos were being deleted while the scam stream was still running. Presumably by the attackers.




