A wave of dissatisfaction with Google’s YouTube policies has recently spread through the ethical hacking community. On July 2, Kody Kinzie, who runs the Null Byte channel on YouTube, reported that he was denied the right to upload a new security video. This was because Null Byte got a strike for one of its previous videos (one about the WPS Pixie Dust Wi-Fi vulnerability). The reason given was posting “harmful or dangerous content”.
Google’s Uneven Policy
According to the investigation by The Register, community guidelines regarding hacking videos were last updated on April 5:
Don’t post content on YouTube if it fits any of the descriptions noted below. (…)
Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data.
This policy is causing a big stir in the cybersecurity community. First of all, it uses the term hacking in a derogatory manner. Second of all, it mentions hacking videos along with instructions to kill or harm as well as instructional theft. This impairs how the community is perceived.
Cybersecurity researchers are angry that YouTube, which is after all run by Google, does not understand the purpose of instructional hacking. The primary argument is that there are very few official ways to learn cybersecurity. The field develops too quickly for universities to keep up. Also, the huge demand for IT security personnel means that it’s absolutely vital to teach cybersecurity in any way possible.
Additionally, the community cannot understand how Google can be so uneven in its approach to ethical hacking. After all, Google is one of the global leaders in bounty programs for independent security researchers, so the company must realize that hacking on its own is just a tool that can be used for good and bad purposes. Google also has an official site which teaches you how to perform XSS attacks.
Wrath of Angry Computer Nerds
A couple of days after Kody’s tweet, YouTube reversed the strike and the new video was uploaded to Null Byte. The company stated that this strike was a mistake, although the community feels that it was the “wrath of angry computer nerds” that caused the quick reaction.
However, YouTube also stated that the community guidelines have always had policies against videos that instruct users how to hack others, but that there are exceptions if videos are of an educational nature. And yet, the guidelines still remain the same. Will YouTube change them so that hacking is not perceived as derogatory by default? After all, if not for the hacking community, there would be no Acunetix and we would have no IT security at all.