By Sean Jackson
Earlier this month, YouTube decided not to host instructional content for cybersecurity and ‘how-to’ hacking videos on their ad-driven video platform. This move has been met with criticism by the Infosec community, an industry that regularly practices sharing information on basic practices and the latest techniques for hacking and cyberdefense. Although there are concerns raised over users learning ways to conduct malicious attacks, the educational aspect of the content also helps cybersecurity experts in understanding the angle hackers take in their attacks.
YouTube recently updated their content policy to include ‘instructional hacking and phishing’ content as ‘harmful material’, specifically by “showing users how to bypass secure computer systems of steal user credentials and personal data.” While YouTube does sometimes house hacking content that is specifically for nefarious purposes, there are channels specifically posting content known as ‘ethical hacking’, a term for probing for vulnerabilities in a professional manner to help ensure security.
Null Byte, a prominent ethical hacker on YouTube, received a strike on a video explaining vulnerabilities by using a WPS-Pixie Dust attack on Wi-Fi, which caused another content creator, Kodie Kinzie, not being able to upload. The video was also removed from the platform. After members of the infosec community put pressure on YouTube, they reversed the decision and restored his full channel functionality.
Kinzie took to Twitter where he thanked those who came in support of ethical hacking content, stating, “Thanks to HUNDREDS OF ANGRY NERDS, YouTube has restored our videos, and our video on launching fireworks over Wi-Fi will be going up! I love this community, thank you for supporting me, and stay tuned for more great stuff!”
YouTube claims that the removal of the video was actually a mistake, and the company has begun stating that their content policy has contained rules banning videos that encourage, “dangerous and illegal behavior” which includes hacking since the beginning.
A July 5th tweet from YouTubeInsider stated, “Our community Guidelines have always had policies against videos that encourage dangerous or illegal activities, including those that instruct users how to hack or phish others – this is not a new policy. There are exceptions for videos if the primary purpose is educational, documentary, scientific, or artistic. We enforce this new policy in the same way we do all our policies and users can appeal if they feel a video has been removed mistakenly.
Critics of the policy believe that ensuring ethical hacking instructional videos are accessible helps against the spread of malware and other nefarious hacks. Marcus “MalwareTech” Hutchins, a security expert who helped in thwarting the “WannaCry” ransomware in 2017, spoke out against the banning of instructional hacking videos, stating, “One has to ask, where would we rather kids learn about computer security? A site like YouTube, where security professionals will steer them in the direction of a legitimate job, six figure salaries, and strong ethics? Or a shady forum where they will not only be exposed to crime, but criminals who believe what they are doing is both legal and ethical?”
YouTube’s decision to remove instructional hacking content may seem like a step in the wrong direction according to many in the Infosec community, and they are yet to see the extent to which YouTube will go for moderating this type of content.