45 comments

[ 3.1 ms ] story [ 97.6 ms ] thread
This guy is amazing. I can't even upload videos in the public domain (old movies) without getting an auto-takedown from YouTube's content algorithm...somehow he manages to post a video that includes one of the most famous tracks in rap history?

(slightly less non-facetious question: maybe NWA has asked YouTube to whitelist their work?)

More relevant comment, as if it were going to be a big surprise: the attack vector was SQL injection into what appears to be a custom built PHP site: https://youtu.be/QoSrjrYC3hI?t=6m16s

Well, at least in Germany it is blocked: Unfortunately, this video is not available in your country because it could contain music from UMG, for which we could not agree on conditions of use with GEMA.
Someone should host a mirror--Youtube just pulled it.
Under the "scams" category no less, what a crock.
So YouTube becomes a new sort of interactive Phrack. Neat. I also wish more online tutorials had great soundtracks like this; i'd probably watch more of them.
Open two tabs?
I'm not sure my system could take Firefox with two tabs open, I only have 4GB of RAM.
motherfucking "modern web" ive bought two pc's with 16gb of ram in 8gb sticks just so i can double it to handle even more retarded java/css/webscale cancer #rant
Even though you're clearly not serious, I can recommend using VLC to watch YouTube videos. It is much more efficient than a browser.
The author isn't actually Chema Alonso [1] as the terminal session would lead you to believe, right?

[1] https://twitter.com/chemaalonso

I'm thinking it's just misdirection (along with some other parts of the video).

I saw some nice attention to detail in the video so I would be surprised if something like that was an accident.

Seeing as how the person he is allegedly imitating also works in security and ostensibly would have the means to commit the hack--and who is also Spanish--this seems like a shitty thing to do.
Definitely a shitty thing to do, I can't imagine law enforcement won't investigate Chema after seeing that.

I don't understand the language though so there may be other relevant details I'm missing.

(comment deleted)
No way.

I also noticed that it's 23:14 on his local time, and 05:14 on the local time of the VPS. Assuming he didn't change his clock, that tells you he's 6 hours behind the VPS.

We also see TZ "CLT" aka "Chilean Standard Time" (4 hours left of UTC, 6 hours left of Spain) which fits neatly with previous speculation (here and elsewhere) of Chilean origin (language characteristics).

Assuming it's not all carefully orchestrated or multiple correspondents or...

(comment deleted)
What do ya know, a blackhat with an agenda other than attention and money.
Wouldn't that be called a greyhat then?
I have always thought of greyhats as hackers employed by governments to hack political allies and opponents or by companies for corporate espionage
Personally I view greyhat as immoral/unethical but not illegal
I guess it could be both... Greyhat is the in-between from white which I would assume is anyone doing secure systems vs. blackhat which is full on attacks. The greyhat sits somewhere in between, not specifically part of the government. Elliot from Mr. Robot would of been a Greyhat in my book. Though if they work for the government it depends on whom you tell and what the hacker we're talking about is doing, some could easily consider them blackhat government hackers... while others completely white, and of course you would consider them gray.
Amazing OC. Easy to follow, great ost, really punches in the fragility of the modern web.
Any idea why he renamed the final tar file to index.htm before wgeting it?
When looking through the logs index.htm will look like index.html and may be missed.

But, I have no experience exfiltrating files or gaining access to servers I don't own.

Targeting police? Really?

How about we start targeting the corrupt officials instead that employ them. More Panama like leaks please.

Like when he exposed governments worldwide using the services of Hacking Team to unconstitutionally spy on their constituents?

>The pseudonymous hacker behind the catastrophic breach of notorious police surveillance tool seller Hacking Team is now teaching others how to hack.

Police agencies have their own corruption, they're not the uncorrupted tools of their bosses.
Those tools are pretty amazing the way you give it an URL and it gives you a database shell