[MUSIC PLAYING]

DAVID MALAN: This is CS50, and this is the start of week 10. And you might remember this image from a few weeks back when we talked about the internet and how it's actually implemented physically. And you might recall that there's actually a whole bunch of cables as well as wireless technologies that interconnect all of the nodes or routers and other such technologies on the internet. And a lot of that is undersea.

Well, it turns out that those undersea cables are a bit of a target. And today's lecture is entirely about security, not only the threats that we all face physically, but also virtually, and also, toward the tail end today, some of the defenses that we as users can actually put into place.

But first, one of the first and perhaps most physical threats--

[VIDEO PLAYBACK]

-Could Russia be planning an attack on undersea cables that connect the global internet?

-Russian ships and submarines lurking near undersea cables that carry almost all of the world's internet.

-The entire internet is carried along these cables.

-First of all, what is the internet doing underwater? Last time I checked, I'm not supposed to get my computer wet. Second, if you ask me how the internet travels from continent to continent, I would've said satellites or lasers, or, honestly, I probably would have just said the internet. And what happened to the cloud? I was told there was a cloud. Remember? Hey, let's put that in the cloud. It was like the internet was a vapor of information that circles the earth, and your computer was like a ladle that scooped out what you needed.

But it turns out the internet is actually underwater because these cables carry more than 95% of daily internet communications. And US intelligence worries that in times of tension or conflict, Russia might resort to severing them. It would be the biggest disruption to your internet service since your upstairs neighbor put a password on his Wi-Fi. OK? Try his dog's name.

[END PLAYBACK]

DAVID MALAN: Before we turn now to some of the more virtual threats, a couple of announcements. So our friends at CrimsonEMS are currently recruiting for new EMTs, emergency medical technicians. And this is actually something particularly close to my heart.

A long time ago, I remember being in an IKEA shortly after graduation, actually. And as I was exiting the store, this little boy who was in a stroller started turning literally blue. And he was choking on some piece of food that had presumably gotten stuck in his throat. And his mother was panicking. The parents around them were panicking. And even I, who had a bit of familiarity with EMS just by way of friends, completely froze. And it was only thanks to something like a 15-year-old lifeguard who ran over and actually knew what to do instinctively and called for help and actually pulled the boy out of his stroller and actually addressed the situation.

And for me, that was a turning point. And it was that moment in time where I decided, dammit, I need to have my act together and actually know how to respond to these kinds of situations. And so I myself got licensed years ago as an EMT. And through graduate school did I ride on MIT's ambulance for some period of time as well as have kept up my license since. And actually, to this day, all of CS50 staff here in Cambridge are actually certified in CPR, as well, for similar reasons. So if you're at all interested in this, there's never going to be enough time in the day to take on something new. But if you want a New Year's resolution, do join these guys here or consider reaching out to the Red Cross for certification, either here or in New Haven, as well.

So CS50's last lunch is this Friday. So if you've not yet joined us, or if you have and you want one more time, do go on CS50's website to fill out the form there. Know, too, that our friend at Yale, Professor Scassellati, has been producing an AI, artificial intelligence, series for us that will start to debut this week on video. So especially if you are interested in pursuing a final project somehow related to artificial intelligence, natural language processing, even robotics, realize that these will be a wonderful inspiration for that. And just to give you a teaser of this, here is Scaz himself.

[VIDEO PLAYBACK]

-One of the really great things about computer science is that with even only a few weeks of study, you're going to be able to understand many of the intelligent artifacts and devices that populate our modern world. In this short video series, we're going to look at things like how Netflix is able to suggest and recommend movies that I might like, how it is that Siri can answer questions that I have, how it is that Facebook can recognize my face and automatically tag me in a photograph, or how Google is able to build a car that drives on its own. So I hope you'll join me for this short series of videos, the CS50 AI series. I think you'll find that you know much more than you thought you did.

[END PLAYBACK]

DAVID MALAN: So those will appear on the course's website later this week. Stay tuned.
And in the meantime, a few announcements as to what lies ahead. So we are here. This is in our lecture on security. This coming Wednesday, Scaz and Andy, our head teaching fellow in New Haven, will be here to look at artificial intelligence itself for a look at computation for communication-- how to build systems that use language to communicate, from ELIZA, if you're familiar with this software from yesteryear, to Siri more recently and to Watson, which you might know from Jeopardy or the like.

Then next Monday, we're not here in Cambridge. We're in New Haven for a second look at artificial intelligence with Scaz and company-- AI opponents in games. So if you've ever played against the computer in some video game or mobile game or the like, we'll talk about exactly that-- how to build opponents for games, how to represent things underneath the hood using trees, from games like tic-tac-toe to chess to actual modern video games, as well.

Sadly, quiz one is shortly thereafter. More details on that on CS50's website later this week. And our final lecture at Yale will be that Friday after the quiz. And our final lecture at Harvard will be the Monday thereafter, by nature of scheduling. And so in terms of milestones, besides pset eight out this week: the status report, which will be a quick sanity check between you and your teaching fellow; the hackathon, which will be here in Cambridge for students from New Haven and Cambridge alike (we will take care of all transportation from New Haven); the implementation of the final project will be due; and then for both campuses will there be a CS50 Fair that allows us to take a look at and delight in what everyone has accomplished.

In fact, I thought this would be a good moment to draw attention to this device here, which we've used for some amount of time here, which is a nice touch screen. And actually, last year we had a $0.99 app that we downloaded from the Windows app store in order to draw on the screen. But frankly, it was very cluttered. It allowed us to draw on the screen, but there were, like, a lot of icons up here. The user interface was pretty bad. If you wanted to change certain settings, there were just so many damn clicks. And the user interface-- or, more properly, the user experience-- was pretty suboptimal, especially using it in a lecture environment.

And so we reached out to a friend of ours at Microsoft, Bjorn, who's actually been following along with CS50 online. And as his final project, essentially, did he very graciously take some input from us as to exactly the features and user experience we want. And he then went about building for Windows this application here that allows us to draw-- oops-- and spell on the-- wow. Thank you. To draw and spell on this screen here with very minimal user interface.

So you've seen me, perhaps, tap up here ever so slightly where now we can underline things in red. We can toggle and now go to white text here. If we want to actually delete the screen, we can do this. And if we actually prefer a white canvas, we can do that. So it does so terribly little by design and does it well, so that I futz, hopefully, far less this year in class.

And thanks, too, to a protege of his am I wearing today a little ring. This is Benjamin, who was interning with Bjorn this summer. So it's a little ring. It's a little larger than my usual ring. But via a little dial on the side here can I actually move the slides left and right, forward and back, and actually advance things wirelessly so that, one, I don't have to keep going back over to the space bar here. And two, I don't have to have one of those stupid clickers and preoccupy my hand by holding the damn thing all the time in order to simply click. And surely, in time, will hardware like this get super, super smaller.

So certainly, don't hesitate to think outside the box and do things and create things that don't even exist yet for final projects. Without further ado, a look at what awaits as you dive into your final projects at the CS50 hackathon.

[SNORING]

DAVID MALAN: All right. So the Stephen Colbert clip that I showed just a moment ago was actually on TV just a few days ago. And in fact, a couple of the other clips we'll show today are incredibly recent. And in fact, that speaks to the reality that so much of technology and, frankly, a lot of the ideas we've been talking about in CS50 really are omnipresent. And one of the goals of the course is certainly to equip you with technical skills so that you can actually solve problems programmatically, but two, so that you can actually make better decisions and make more informed decisions.
And, in fact, thematic throughout the press and online videos and articles these days is just a frightening misunderstanding or lack of understanding of how technology works, especially among politicians. And so indeed, in just a bit we'll take a look at one of those details, as well.

But literally just last night was I sitting in Bertucci's, a local franchise Italian place. And I hopped on their Wi-Fi. And I was very reassured to see that it's secure. And I knew that because it says here "Secure Internet Portal" when the screen came up. So this was the little prompt that comes up in Mac OS or in Windows when you connect to a Wi-Fi network for the first time. And I had to read through their terms and conditions and finally click OK. And then I was allowed to proceed.

So let's start to rethink what all of this means and to no longer take for granted what people tell us when we encounter it with various technology. So one, what does it mean that this is a secure internet portal? What could Bertucci's be reassuring me of?

AUDIENCE: The packets sent back and forth are encrypted.

DAVID MALAN: Good. The packets being sent back and forth are encrypted. Is that in fact the case? If that were the case, what would I have to do or what would I have to know? Well, you'd see a little padlock icon in Mac OS or in Windows saying that there is indeed some encryption or scrambling going on. But before you can use an encrypted portal or Wi-Fi connection, what do you have to usually type in? A password. I know no such password, nor did I type any such password. I simply clicked OK.

So this is utterly meaningless. This is not a secure internet portal. This is a 100% insecure internet portal. There's absolutely no encryption going on, and all that is making it secure is that three-word phrase on the screen there. So that means nothing, necessarily, technologically.

And a little more worrisome, if you actually read through the terms and conditions, which are surprisingly readable, was this-- "You understand that we reserve the right to log or monitor traffic to ensure these terms are being followed." So that's a little creepy, if Bertucci's is watching my internet traffic. But most any agreement that you've blindly clicked through has surely said that before.

So what does that actually mean technologically? So if there's some creepy guy or woman in back who's, like, monitoring all the internet traffic, how is he or she accessing that information exactly? What are the technological means via which that person-- or adversary, more generally-- can be looking at our traffic? Well, if there's no encryption, what kinds of things could they sniff, so to speak, sort of detect in the air? What would you look at? Yeah?

AUDIENCE: The packets being sent from your computer to the router?

DAVID MALAN: Yeah. The packets being sent from the computer to your router. So you might recall when we were in New Haven, we passed those envelopes, physically, throughout the audience to represent data going through the internet. And certainly, if we were throwing them through the audience wirelessly to reach their destination, anyone can sort of grab it and make a copy of it and actually see what's inside of that envelope.

And, of course, what's inside of these envelopes is any number of things, including the IP address that you're trying to access or the host name, like www.harvard.edu or yale.edu, that you're trying to access or something else altogether. Moreover, the path, too-- you know from pset six that inside of HTTP requests are GET slash something.html. So if you're visiting a specific page, downloading a specific image or video, all of that information is inside of that packet. And so anyone there in Bertucci's can be looking at that very same data.

Well, what are some other threats along these lines to be mindful of before you just start accepting as fact what someone like Bertucci's simply tells you? Well, this was an article-- a series of articles that came out just a few months back. All the rage these days are these newfangled smart TVs.
What's a smart TV, if you've heard of them or have one at home?

AUDIENCE: Internet connectivity?

DAVID MALAN: Yeah, internet connectivity. So generally, a smart TV is a TV with internet connectivity and a really crappy user interface that makes it harder to actually use the web, because you have to use, like, up, down, left, and right or something on your remote control just to access things that are so much more easily done on a laptop.

But more worrisome about a smart TV, and Samsung TVs in this particular case, was that Samsung TVs and others these days come with certain hardware to create what they claim is a better user interface for you. So one, you can talk to some of your TVs these days, not unlike Siri or any of the other equivalents on mobile phones. So you can say commands, like change channel, raise volume, turn off, or the like. But what's the implication of that logically? If you've got the TV in your living room or the TV at the foot of your bed to fall asleep to, what's the implication?

AUDIENCE: There might be something going in through the mechanism to detect your speech.

DAVID MALAN: Yeah.

AUDIENCE: That could be sent via internet. If it's unencrypted, then it's vulnerable.

DAVID MALAN: Indeed. If you have a microphone built into a TV and its purpose in life is, by design, to listen to you and respond to you, it's surely going to be listening to everything you say and then translating that to some embedded instructions. But the catch is that most of these TVs aren't perfectly smart themselves. They're very dependent on that internet connection. So much like Siri, when you talk into your phone, quickly sends that data across the internet to Apple servers, then gets back a response, literally is the Samsung TV and equivalents just sending everything you're saying in your living room or bedroom to their servers just to detect, did he say turn on the TV or turn off the TV? And God knows what else might be uttered.

Now, there's some ways to mitigate this, right? Like what does Siri and what does Google and others do to at least defend against that risk that they're listening to absolutely everything? It has to be activated by saying something like, hey, Siri, or hi, Google, or the like, or OK, Google, or the like. But we all know that those expressions kind of suck, right? Like I was just sitting-- actually the last time I was at office hours at Yale, I think Jason or one of the TFs kept yelling, like, hey, Siri, hey, Siri, and was making my phone do things because he was too proximal to my actual phone. But the reverse is true, too. Sometimes those things just kick on because it's imperfect. And indeed, natural language processing-- understanding a human's phrasing and then doing something based on it-- is certainly imperfect.

Now, worse yet, some of you might have seen or have a TV where you can do stupid or new-age things like this to change channels to the left or this to change channels to the right or lower the volume or raise the volume. But what does that mean the TV has? A camera pointed at you at all possible times. And in fact, the brouhaha around Samsung TVs for which they took some flack is that if you read the terms and conditions of the TV-- the thing you certainly never read when unpacking your TV for the first time-- embedded in there was a little disclaimer saying the equivalent of, you might not want to have personal conversations in front of this TV. And that's what it reduces to.

But you shouldn't even need to be told that. You should be able to infer from the reality that a microphone and camera literally pointing at me all the time maybe is more bad than good. And frankly, I say this somewhat hypocritically. I literally have, besides those cameras, I have a tiny little camera here in my laptop. I have another one over here. I have the one in my cellphone on both sides. So lest I put it down the wrong way, they can still watch me and listen to me. And all this could be happening all the time. So what's stopping my iPhone or Android phone from doing this all the time? How do we know that Apple and some creepy person at Google aren't listening in to this very conversation through the phone or conversations I have at home or at work?
AUDIENCE: Because our lives aren't that interesting.

DAVID MALAN: Because our lives aren't that interesting. That actually is a valid response. If we're not worried about a particular threat, there is a sort of who-cares aspect to it. Little old me is not going to really be a target. But they certainly could. And so even though you see some cheesy things on TVs and movies, like, oh, let's turn on the grid and-- like Batman does this a lot, actually, and actually can see Gotham, what's going on by way of people's cellphones or the like. Some of that's a little futuristic, but we're pretty much there these days.

Almost all of us are walking around with GPS transponders that are telling Apple and Google and everyone else that wants to know where we are in the world. We have a microphone. We have a camera. We're telling things like Snapchat and other applications everyone we know, all of their phone numbers, all of their email addresses. And so again, one of the takeaways today, hopefully, is to at least pause a little bit before just blindly saying OK when you want the convenience of Snapchat knowing who all of your friends are. But conversely, now Snapchat knows everyone you know and any little notes you might have made in your contacts.

So this was a timely one, too. A few months back, Snapchat itself was not compromised. But there had been some third-party applications that made it easier to save snaps, and the catch was that that third-party service was itself compromised, in part because Snapchat's service supported a feature that they probably shouldn't have, which allowed for this archiving by a third party. And the problem was that an archive of, like, 90,000 snaps, I think, were ultimately compromised. And so you might take some comfort in things like Snapchat being ephemeral, right? You have seven seconds to look at that inappropriate message or note, and then it disappears. But one, most of you have probably figured out how to take screenshots by now, which is the most easy way to circumvent that. But two, there's nothing stopping the company or the persons on the internet from intercepting that data, potentially, as well.

So this was literally just a day or two ago. This was a nice article headline on a website online: "Epic fail-- Power Worm ransomware accidentally destroys victim's data during encryption." So another ripped-from-the-headlines kind of thing here. So you might have heard of malware, which is malicious software-- so bad software that people with too much free time write. And sometimes, it just does stupid things like delete files or send spam or the like. But sometimes, and increasingly, it's more sophisticated, right? You all know how to dabble in encryption. And Caesar and Vigenere aren't super secure, but there's other ones, certainly, that are more sophisticated.

And so what this adversary did was wrote a piece of malware that somehow infected a bunch of people's computers. But he was kind of an idiot and wrote a buggy version of this malware such that when he or she implemented the code-- oh, we're getting a lot of-- sorry. We're getting a lot of hits on the microphone. OK. So the problem was that he or she wrote some bad code. And so they generated pseudorandomly an encryption key with which to encrypt someone's data maliciously, and then accidentally threw away the encryption key.

So the effect of this malware was not as intended, to ransom someone's data by encrypting his or her hard drive and then expecting $800 US in return for the encryption key, at which point the victim could decrypt his or her data. Rather, the bad guy simply encrypted all the data on their hard drive, accidentally deleted the encryption key, and got no money out of it. But this also means that the victim is truly a victim, because now he or she cannot recover any of the data unless they actually have some old-school backup of it.

So here too is sort of a reality that you'll read about these days. And how can you defend against this? Well, this is a whole can of worms, no pun intended, about viruses and worms and the like. And there is certainly software with which you can defend yourself.
But better than that is just to be smart about it. In fact, I haven't-- this is one of these do-as-I-say, not-as-I-do things, perhaps-- I haven't really used antivirus software in years, because if you generally know what to look for, you can defend against most everything on your own.

And actually, timely here at Harvard-- there was a bug or an issue last week where Harvard is clearly, like, monitoring lots of network traffic. And all of you even visiting CS50's website might have gotten an alert saying that you can't visit this website. It's not secure. But if you tried visiting Google or other sites, too, those, too, were insecure. That's because Harvard, too, has some kind of filtration system that is keeping an eye out on potentially malicious websites to help protect us against us. But even those things are clearly imperfect, if not buggy, themselves.

So here-- if you're curious, I'll leave these slides up online-- is the actual information that the adversary gave. And he or she was asking for in Bitcoin-- which is a virtual currency-- $800 US to actually decrypt your data. Unfortunately, this was completely foiled.

So now we'll look at something more political. And again, the goal here is to start to think about how you can make more informed decisions. And this is something happening currently in the UK. And this was a wonderful tagline from an article about this. The UK is introducing, as you'll see, a new surveillance bill whereby the UK is proposing to monitor everything the Brits do for a period of one year. And then the data is thrown out. Quote, unquote, "it would serve a tyranny well." So let's take a look with a friend of Mr. Colbert's.

[VIDEO PLAYBACK]

-And we begin with the UK, earth's least magic kingdom. This week, debate has been raging over there over a controversial new law.

-The British government is unveiling new surveillance laws that significantly extend its power to monitor people's activities online.

-Theresa May there calls it a license to operate. Others have called it a snooper's charter, haven't they?

-Well, hold on, because-- snooper's charter is not the right phrase. That sounds like the agreement an eight-year-old is forced to sign promising to knock before he enters his parents' bedroom. Dexter, sign this snooper's charter or we cannot be held responsible for what you might see. This bill could potentially write into law a huge invasion of privacy.

-Under the plans, a list of websites visited by every person in the UK will be recorded for a year and could be made available to police and security services.

-This communications data wouldn't reveal the exact web page you looked at, but it would show the site it was on.

-OK. So it wouldn't store the exact page, just the website. But that is still a lot of information. For instance, if someone visited orbitz.com, you'd know they were thinking about taking a trip. If they visited yahoo.com, you'd know they just had a stroke and forgot the word "Google." And if they visited vigvoovs.com, you'd know they're horny and their B key doesn't work. And yet for all the sweeping powers the bill contains, British Home Secretary Theresa May insists that critics have blown it out of proportion.

-An internet connection record is a record of the communication service that a person has used, not a record of every web page they have accessed. It is simply the modern equivalent of an itemized phone bill.

-Yeah, but that's not quite as reassuring as she thinks it is. And I'll tell you why. First, I don't want the government looking at my phone calls either. And secondly, an internet browsing history is a little different from an itemized phone bill. No one frantically deletes their phone bill every time they finish a call.

[END PLAYBACK]
DAVID MALAN: A pattern's emerging as to how I prepare for class. It's just to watch TV for a week and see what comes out, clearly. So that, too, was just from last night on "Last Week Tonight."

So let's begin to talk now about some of the defenses. Indeed, for something like this, where the Brits are proposing to keep a log of that kind of data, where might it be coming from? Well, recall from pset six, pset seven, and pset eight now that inside of those virtual envelopes-- at least for HTTP-- are messages that look like this. And so this message, of course, is not only addressed to a specific IP address, which the government here or there could certainly log. But even inside of that envelope is an explicit mention of the domain name that's being visited. And if it's not just slash, it might actually be a specific file name or a specific image or movie or, again, anything of interest to you could be certainly intercepted if all of the network traffic is somehow being proxied through governmental servers, as already happens in some countries, or if there are sort of unknown or undisclosed agreements, as has happened already in this country between certain large players-- ISPs and phone companies and the like-- and the government.

So funny story-- the last time I chose badplace.com off the top of my head as an example of a sketchy website, I didn't actually vet beforehand whether or not that actually led to a bad place. Thankfully, this domain name is just parked, and it doesn't actually lead to a bad place. So we'll continue to use that one for now. But I'm told that could've backfired very poorly that particular day.

So let's begin to now talk about certain defenses and what holes there might even be in those. So passwords is kind of the go-to answer for a lot of defense mechanisms, right? Just password protect it, then that will keep the adversaries out. But what does that actually mean?

So recall from hacker two, back if you tackled that-- when you had to crack passwords in a file-- or even in problem set seven, when we gave you a sample SQL file of some usernames and passwords. These were the usernames you saw, and these were the hashes that we distributed for the hacker edition of problem set two. And if you've been wondering all this time what the actual passwords were, this is what, in fact, they decrypt to, which you could have cracked in pset two, or you could have playfully figured them out in problem set seven. All of them have some hopefully cute meaning here or in New Haven.

But the takeaway is that all of them, at least here, are pretty short, pretty guessable. I mean, based on the list here, which are perhaps the easiest to crack, to figure out by writing software that just guesses and checks, would you say?

AUDIENCE: Password.

DAVID MALAN: Password's pretty good, right? And it's just-- one, it's a very common password. In fact, every year there's a list of the most common passwords in the world.
And quote, unquote "password" is generally atop that list. Two, it's in a dictionary. And you know from problem set five that it's not that hard-- might be a little time consuming-- but it's not that hard to load a big dictionary into memory and then use it to sort of guess and check all possible words in a dictionary. What else might be pretty easy to guess and check?

AUDIENCE: The repetition of letters.

DAVID MALAN: The repetition of symbols and letters. So kind of, sort of. So, in fact-- and we won't go into great detail here-- all of these were salted, which you might recall from problem set seven's documentation. Some of them have different salts. So you could actually avoid having repetition of certain characters simply by salting the passwords differently. But things like 12345, that's a pretty easy thing to guess.

And frankly, the problem with all of these passwords is that they're all just using 26 possible characters, or maybe 52 with some uppercase, and then 10 letters. I'm not using any funky characters. I'm not using zeros for O's or ones for I's or L's or-- if any of you think you're being clever, though, by having a zero for an O in your password or-- OK, I saw someone smile. So someone has a zero for an O in his or her password. You're not actually being as clever as you might think, right? Because if more than one of us is doing this in the room-- and I've been guilty of this as well-- well, if everyone's kind of doing this, what does the adversary have to do? Just add zeros and ones and a couple of other-- maybe fours for H's-- to his or her arsenal and just substitute those letters for the dictionary words. And it's just an additional loop or something like that. So really, the best defense for passwords is something much, much more random-seeming than these.

Now, of course, threats against passwords sometimes include emails like that. So I literally just got this in my inbox four days ago. This is from Brittany, who apparently works at harvard.edu. And she wrote me as a webmail user: "We just noticed that your email account was logged onto another computer in a different location, and you are to verify your personal identity." So thematic in many emails like this, which are examples of phishing attacks-- P-H-I-S-H-I-N-G-- where someone is trying to fish and get some information out of you, generally by an email like this. But what are some of the telltale signs that this is not, in fact, a legitimate email from Harvard University? What's that?

So bad grammar, the weird capitalization, how some letters are capitalized in certain places. There's some odd indentation in a couple of places. What else? Well, that certainly helps-- the big yellow box that says this might be spam from Google, which is certainly helpful. So there's a lot of telltale signs here.

But the reality is these emails must work, right? It's pretty cheap, if not free, to send out hundreds or thousands of emails. And it's not just by sending them out of your own ISP. One of the things that malware does tend to do-- so viruses and worms that accidentally infect our computers because they've been written by adversaries-- one of the things they do is just churn out spam. So what there does exist in the world, in fact, are things called botnets, which is a fancy way of saying that people with better coding skills than the person who wrote that buggy version of software have actually written software that people like us unsuspectingly install on our computers and then start running behind the scenes, unbeknownst to us. And those malware programs intercommunicate. They form a network, a botnet if you will. And generally, the most sophisticated of adversaries has some kind of remote control over thousands, if not tens of thousands, of computers by just sending out a message on the internet that all of those bots, so to speak, are able to hear or occasionally request from some central site and then can be controlled to send out spam.

And these spam things can be just sold to the highest bidder. If you're a company or sort of a fringe company that doesn't really care about the sort of ethics of spamming your users but you just want to hit out a million people and hope that 1% of them-- which is still a nontrivial number of potential buyers-- you can actually pay these adversaries in the sort of black market of sorts to send out these spams via their botnets for you.

So suffice it to say, this is not a particularly compelling email. But even Harvard and Yale and the like often make mistakes, in that we know from a few weeks back that you can make a link say www.paypal.com. And it looks like it goes there. But, of course, it doesn't actually do that. And so Harvard and Yale and others have certainly been guilty over the years in sending out emails that are legitimate, but they contain hyperlinks in them. And we, as humans, have been trained by sort of the officials, quite often, to actually just follow links that we receive in an email. But even that isn't the best practice. So if you do ever get an email like this-- and maybe it is from PayPal or Harvard or Yale or Bank of America or the like-- you still should not click the link, even if it looks legitimate. You should manually type out that URL yourself. And frankly, that's what the system administrator should be telling us to do so that we're not tricked into doing this.

Now, how many of you, perhaps by looking down at your seat, have passwords written down somewhere? Maybe in a drawer in your dorm room or maybe under-- in a backpack somewhere? Wallet? No?

AUDIENCE: In a fireproof lockbox?

DAVID MALAN: In a fireproof lockbox? So that's better than a sticky note on your monitor. So certainly, some of you are insisting no. But something tells me that's not necessarily the case. So how about an easier, more likely question-- how many of you are using the same password for multiple sites? Oh, OK. Now we're being honest. All right. So that's wonderful news, right?
because if it means if just one of thosesites you all are using is compromised, now the adversary hasaccess to more data about you or more potential exploits. so that's an easy one to avoid. but how many of you have apretty guessable password? maybe not as bad as this, but something? for some stupid site, right? it's not high-risk,doesn't have a credit card? all of us.
like, even i have passwords thatare probably just 12345, surely. so now try logging into every websiteyou can think of with malan@harvard.edu and 12345 and see if that works. >> but we do this, too. so why? why do so many of us have either prettyeasy passwords or the same passwords? what's the real-worldrationale for this? it's easier, right? if i said instead,academically, you guys
should really be choosingpseudorandom passwords that are at least 16 characters long and havea combination of alphabetical letters, numbers, and symbols,who the hell is going to be able to do that orremember those passwords, let alone for each andevery possible website? >> so what's a viable solution? well, one of thebiggest takeaways today, too, pragmatically, wouldbe, honestly, to start using some kind of password manager.
now, there are upsides anddownsides of these things, too. these are two that wetend to recommend in cs50. one's called button 1password. one's called lastpass. and some of you might use these already. but it's generally apiece of software that does facilitate generating bigpseudorandom passwords that you can't possibly remember as a human. it stores those pseudorandompasswords in its own database,
hopefully on your local harddrive-- encrypted, better yet. and all you, the human,have to remember, typically, is one master password, whichprobably is going to be super long. and maybe it's not random characters. maybe it's, like, a sentence or ashort paragraph that you can remember and you can type once a dayto unlock your computer. >> so you use an especially largepassword to protect and to encrypt all of your other passwords. but now you're in thehabit of using software
like this to generate pseudorandompasswords across all of the websites you visit. and indeed, i cancomfortably say now, in 2015, i don't know most ofmy passwords anymore. i know my master password,and i type that, unknowingly, one or more times a day. but the upside is that now, if anyof my one accounts is compromised, there's no way someone isgoing to use that account to get into another because none ofmy passwords are the same anymore.
>> and certainly, no one, even if heor she writes adversarial software to brute force things andguess all possible passwords-- the odds that they are going tochoose my 24-character long passwords is just so, so low i'm just notworried about that threat anymore. >> so what's the trade-off here? that seems wonderful. i'm so much more safe. what's the trade-off? >> audience: time.
david malan: time. it's a lot easier totype 12345 and i'm logged in versus something that's 24characters long or a short paragraph. >> audience: if someone breaksyour master password. so you're kind of changingthe threat scenario. if someone guesses or figuresout or reads the post-it note in your secure file vault,the master password you have, now everything is compromisedwhereby previously it was maybe just one account.
>> audience: if you want to use anyof your accounts on another device and you don't have lastpass [inaudible]. >> david malan: yeah, that'skind of a catch, too. with these tools, too, ifyou don't have your computer and you're in, like, some cafe or you'reat a friend's house or a computer lab or wherever and you wantto log into facebook, you don't even know whatyour facebook password is. now sometimes, you can mitigatethis by having a solution that we'll talk about in just a momentcalled two-factor authentication
whereby facebook will text you orwill send a special encrypted message to your phone or some otherdevice that you carry around on your keychain withwhich you can log in. but that's, perhaps, annoying if you'rein the basement of the science center or elsewhere here at new haven's campus. you might not have signal. and so that's not necessarily solution. so it really is a trade-off. but what i would encourage you todo-- if you go to cs50's website,
we actually arranged for the first ofthese companies for a site license, so to speak, for all cs50 studentsso you don't have to pay the $30 or so it normally costs. for macs and windows, you can check out1password for free on cs50's website, and we'll hook you up with that. >> realize, too, that some ofthese tools-- including lastpass in one of its forms-- iscloud-based, as colbert says, which means your passwordsare encryptedly stored in the cloud. the idea there is that you can go tosome random person or friend's computer
and log in to your facebookaccount or the like because you first go tolastpass.com, access your password, and then type it in. but what's the threat scenario there? if you're storing thingsin the cloud, and you're accessing that websiteon some unknown computer, what could your friend be doingto you or to your keystrokes? i'll be manually advancingslides here on out. >> keylogger, right?
another type of malwareis a keylogger, which is just a program that actuallylogs everything you type. so there, too, it's probably better tohave some secondary device like this. >> so what is two-factor authentication? as the name suggests, it's you havenot one but two factors with which to authenticate to a website. so rather than use just a password,you have some other second factor. now, that generally is, one,factor is something you know. so something kind of inyour mind's eye, which is
your password which you've memorized. but two, not something elsethat you know or have memorized but something you physically have. the idea here beingyour threat no longer could be some random personon the internet who can just guess or figure out your password. he or she has to have physicalaccess to something that you have, which is still possibleand still, perhaps, all the more physically threatening.
but it's at least adifferent kind of threat. it's not a million nameless peopleout there trying to get at your data. now it's a very specificperson, perhaps, that if that's an issue, that'sanother problem altogether, as well. >> so that generally existsfor phones or other devices. and, in fact, yale just rolledthis out mid-semester such that this doesn't affectfolks in this room. but those of you followingalong in new haven know that if you'd loginto your yale.net id,
in addition to typing youruser name and your password, you're then prompted with this. and, for instance, this is ascreenshot i took this morning when i logged into my yale account. and it sends me the equivalentof a text message to my phone. but in reality, i downloaded an appin advance that yale now distributes, and i have to now just type in thecode that they send to my phone. >> but to be clear, theupside of this is that now, even if someone figures outmy yale password, i'm safe.
that's not enough. that's only one key, but ineed two to unlock my account. but what's the downside,perhaps, of yale's system? and we'll let yale know. what's the downside? if you don't have cell service or if youdon't have wi-fi access because you're just in a basement or something, youmight not be able to get the message. thankfully, in this particular case,this will use wi-fi or something else, which works around it.
but a possible scenario. you could lose your phone. you just don't have it. the battery dies. i mean, there's a numberof annoying scenarios but possible scenarios that could happenthat make you regret this decision. and the worst possibleoutcome, frankly, then would be for users todisable this altogether. so there's always goingto be this tension.
and you have to find for yourselfas a user sort of a sweet spot. and to do this, take a coupleof concrete suggestions. if you use google gmail or google apps,know that if you go to this url here, you can enable two-factorauthentication. google calls it 2-step verification. and you click setup, andthen you do exactly that. that's a good thing to do, especiallythese days because, thanks to cookies, you're logged in almost all day long. so you rarely have totype your password anyway.
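The second factor described above is, for apps like the one Yale distributes, a code generated on a device you carry. As an added example (not CS50's or Yale's code), here is the RFC 6238 time-based one-time password scheme such apps use; it shows why a code that a keylogger captured stops working once its 30-second step has passed. The key used is the RFC's published test key, not a real secret.

```python
"""Added example, not CS50's or Yale's code: an RFC 6238 time-based one-time
password (TOTP), the mechanism behind app-generated second-factor codes.
The shared secret below is the RFC 6238 test key, not a real one."""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); constructed
# for the example. A real app stores a per-user random secret on the device.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30           # each code lives for one 30-second step

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit zero-padded code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at=None, digits=6, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)

def verify_totp(secret, code, now=None, digits=6, step=STEP_SECONDS, skew=1):
    """Server-side check. Accepts the current step plus `skew` steps on either
    side to tolerate clock drift, and nothing older: a code replayed from an
    earlier step fails even though it was valid when it was typed."""
    if now is None:
        now = time.time()
    current = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, current + d, digits), code)
        for d in range(-skew, skew + 1)
    )

if __name__ == "__main__":
    t = 59                                   # RFC 6238 vector: code 94287082
    code = totp(TEST_SECRET, at=t, digits=8)
    print("code at t=59:", code)
    print("accepted now:", verify_totp(TEST_SECRET, code, now=t, digits=8))
    print("accepted two minutes later:",
          verify_totp(TEST_SECRET, code, now=t + 120, digits=8))
```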
So you might do it once a week, once a month, once a day, and it's less of a big deal than in the past.

>> Facebook, too, has this. If you're a little too loose with typing your Facebook password into friends' computers, at least enable two-factor authentication so that that friend, even if he or she has a keystroke logger, they can't get into your account. Well, why is that? Couldn't they just log the code I've typed in on my phone that Facebook has sent to me?

>> AUDIENCE: [INAUDIBLE].

>> DAVID MALAN: The well-designed software will change those codes that are sent to your phone every few seconds or every time so that, yeah, even if he or she figures out what your code is, you're still safe because it will have expired. And this is what it looks like on Facebook's website.

>> But there's another approach altogether. So if those kinds of trade-offs aren't particularly alluring, a general principle in security would be, well, just at least audit things. Don't kind of put your head in the sand and just never know if or when you've been compromised or attacked. At least set up some mechanism that informs you instantly if something anomalous has happened so that you at least narrow the window of time during which someone can do damage.

>> And by this, I mean the following-- at Facebook, for instance, you can turn on what they call login alerts. And right now, I've enabled email login alerts but not notifications. And what that means is that if Facebook notices I've logged into a new computer-- like I don't have a cookie, it's a different IP address, it's a different type of computer-- they will, in this scenario, send me an email saying, hey, David. Looks like you logged in from an unfamiliar computer, just FYI.

>> And now my account might be compromised, or my annoying friend might have been logging into my account now posting things on my news feed or the like. But at least the amount of time with which I am ignorant of that is super, super narrow. And I can hopefully respond. So all three of these, I would say, are very good things to do.

>> What are some threats that are a little harder for us end users to protect against? Does anyone know what session hijacking is? It's a more technical threat, but very familiar now that we've done pset six and seven and now eight. So recall that when you send traffic over the internet, a few things happen. Let me go ahead and log into C9 or cs50.io. Give me just one moment to log into my jharvard account.

>> AUDIENCE: What's your password?

>> DAVID MALAN: 12345. All right. And in here, know that if I go ahead and request a web page-- and in the meantime, let me do this. Let me open up Chrome's Inspector tab and my network traffic. And let me go to http://facebook.com and clear this. Actually, you know what? Let's go to a more familiar one-- https://finance.cs50.net and click Enter and log the network traffic here.

>> So notice here, if I look in my network traffic, response headers-- let's go up here. Response headers-- here. So the very first request that I sent, which was for the default page, it responded with these response headers. And we've talked about things like Location. Like, Location means redirect to login.php. But one thing we didn't talk a huge amount about was lines like this. So this is inside of the virtual envelope that's sent from CS50 Finance-- the version you guys wrote, too-- to a user's laptop or desktop computer. And this is setting a cookie. But what is a cookie? Think back to our discussion of PHP. Yeah, it's a way of telling the website that you're still logged in.

>> But how does that work? Well, upon visiting finance.cs50.net, it looks like that server that we implemented is setting a cookie. And that cookie is conventionally called PHPSESSID, session ID. And you can think of it like a virtual hand stamp at a club or, like, an amusement park, a little piece of red ink that goes on your hand so that the next time you visit the gate, you simply show your hand, and the bouncer at the door will let you pass or not at all based on that stamp.

>> So the subsequent requests that my browser sends-- if I go to the next request and you look at the request headers, you'll notice more stuff. But the most important is this highlighted portion here-- not Set-Cookie but Cookie. And if I flip through every one of those subsequent HTTP requests, every time I would see a hand being extended with that exact same PHPSESSID, which is to say this is the mechanism-- this big pseudorandom number-- that a server uses to maintain the illusion of PHP's $_SESSION object, into which you can store things like the user's ID or what's in their shopping cart or any number of other pieces of data.

>> So what's the implication? Well, what if that data is not encrypted? And, in fact, we for best practice encrypt pretty much every one of CS50's websites these days. But it's very common these days for websites still not to have HTTPS at the start of the URL. They're just http, colon, slash slash. So what's the implication there? That simply means that all of these headers are inside of that virtual envelope. And anyone who sniffs the air or physically intercepts that packet physically can look inside and see what that cookie is.

>> And so session hijacking is simply a technique that an adversary uses to sniff data in the air or on some wired network, look inside of this envelope, and see, oh. I see that your cookie is 2kleu whatever. Let me go ahead and make a copy of your hand stamp and now start visiting Facebook or Gmail or whatever myself and just present the exact same hand stamp. And the reality is, browsers and servers really are that naive. If the server sees that same cookie, its purpose in life should be to say, oh, that must be David, who just logged in a little bit ago. Let me show this same user, presumably, David's inbox or Facebook messages or anything else into which you're logged.
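As an added example (not code from CS50 Finance or the lecture), the first function below reads a Set-Cookie header the way the demo reads Chrome's network tab and flags a session cookie that travels in the clear; the second spots one PHPSESSID presented by two different clients, the same cue the login alerts described earlier rely on. All headers, cookie values and log lines are constructed samples.

```python
"""Added example, not CS50's code: flag a session cookie that can be read
in transit, and detect the same hand stamp (PHPSESSID) arriving from two
different clients. Every header and log line here is a constructed sample."""
from collections import defaultdict

# Constructed response from a plain-http site (cookie value is made up).
PLAIN_HTTP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: login.php\r\n"
    "Set-Cookie: PHPSESSID=2kleuEXAMPLE; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed response with the attributes a hardened site would send.
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: login.php\r\n"
    "Set-Cookie: PHPSESSID=2kleuEXAMPLE; path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

def parse_set_cookies(raw_response):
    """Return [(name, value, {attribute: value})] for each Set-Cookie line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        field, _, body = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in body.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies

def cookie_findings(raw_response, scheme):
    """Defender's checks: cookie set over http (readable on the path), no
    Secure (browser will resend it over http), no HttpOnly (scripts can read it)."""
    findings = []
    for name, _, attrs in parse_set_cookies(raw_response):
        if scheme == "http":
            findings.append(f"{name}: set over plain http, readable in transit")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly attribute")
    return findings

# Constructed access log: (session id, client ip, user agent). The third
# line presents the same stamp from a different client, as a hijacker would.
ACCESS_LOG = [
    ("2kleuEXAMPLE", "10.0.0.5", "Chrome/46 Mac"),
    ("2kleuEXAMPLE", "10.0.0.5", "Chrome/46 Mac"),
    ("2kleuEXAMPLE", "192.0.2.44", "curl/7.43"),
    ("abcdEXAMPLE", "10.0.0.9", "Safari/9 iPhone"),
]

def replayed_sessions(log):
    """Session ids seen from more than one (ip, user agent) pair: the cue a
    login-alert system turns into an 'unfamiliar computer' email."""
    clients = defaultdict(set)
    for sid, ip, agent in log:
        clients[sid].add((ip, agent))
    return sorted(sid for sid, seen in clients.items() if len(seen) > 1)
```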
>> And the only defense against that is to just encrypt everything inside of the envelope. And thankfully, a lot of sites like Facebook and Google and the like are doing that nowadays. But any that don't leave you perfectly, perfectly vulnerable. And one of the things you can do-- and one of the nice features, frankly, of 1Password, the software I mentioned earlier, is if you install it on your Mac or PC, the software, besides storing your passwords, will also warn you if you ever try logging into a website that's going to send your username and password unencrypted and in the clear, so to speak. So session hijacking boils down to that.

>> But there's this other way that HTTP headers can be used to take advantage of us. And this is still kind of an issue. This is really just an adorable excuse to put up Cookie Monster here. But Verizon and AT&T and others took a lot of flak a few months back for injecting, unbeknownst to users initially, an extra HTTP header.

>> So those of you who have had Verizon Wireless or AT&T cell phones, and you've been visiting websites via your phone, unbeknownst to you, after your HTTP requests leave Chrome or Safari or whatever on your phone, go to Verizon or AT&T's router, they presumptuously for some time have been injecting a header that looks like this-- a key-value pair where the key is just X-UIDH for unique identifier header and then some big random value. And they do this so that they can uniquely identify all of your web traffic to people receiving your HTTP request.

>> Now, why would Verizon and AT&T and the like want to uniquely identify you to all the websites you're visiting?

>> AUDIENCE: Better customer service.

>> DAVID MALAN: Better-- no. It's a good thought, but it's not for better customer service. Advertising, right? So they can build up an advertising network, presumably, whereby even if you have turned off cookies, even if you have special software on your phone that keeps you in incognito mode-- ha. There is no incognito mode when the man in the middle-- literally, Verizon or AT&T-- is injecting additional data over which you have no control, thereby revealing who you are to that resulting website again and again.

>> So there are ways to opt out of this. But here, too, is something that frankly, the only way to push back on this is to leave the carrier altogether, disable it if they even allow you to, or, as happened in this case, make quite a bit of fuss online such that the companies actually respond. This, too, is just another adorable opportunity to show this.

>> And let's take a look at, let's say, one or two final threats. So we talked about CS50 Finance here. So you'll notice that we have this cute little icon on the login button here. What does it mean if I instead use this icon? So before, after. Before, after. What does after mean? It's secure. That's what I'd like you to think. But ironically, it is secure because we do have HTTPS.

>> But that is how easy it is to change something on a website, right? You all know a bit of HTML and CSS now. And in fact, it's pretty easy to-- and if you didn't do it-- to change the icon. But this, too, is what companies have taught us to do. So here's a screenshot from Bank of America's website this morning. And notice, one, they're reassuring me that it's a secure sign-in at top left. And they also have a padlock icon on the button, which means what to me, the end user?

>> Truly nothing, right? What does matter is the fact that there's the big green URL up top with HTTPS. But if we zoom in on this, it's just like me, knowing a little bit of HTML and a bit of CSS, and saying, hey, my website's secure. Like, anyone can put a padlock and the words "secure sign-on" onto their website. And it truly means nothing. What does mean something is something like this, where you do see https://. The fact that Bank of America Corporation has this big green bar, whereas CS50 does not, just means they paid several hundred dollars more to have additional verification done of their domain in the US so that browsers who adhere to this standard will also show us a little bit more than that.

>> So we'll leave things at that, frighten you a little more before long. But on Wednesday, we'll be joined by Scaz from Yale for a look at artificial intelligence and what we can do with these machines. We will see you next time.