CS50 2021 - Cybersecurity (pre-release)

Captions
All right, this is CS50, and this is First-Year Family Weekend here at Harvard, so welcome to all the moms and dads, brothers, sisters, cousins, aunts, uncles, grandparents, and beyond. CS50 here is Harvard University's introduction to the intellectual enterprises of computer science and the art of programming, and what that means is that what we've been doing in here over the past several weeks is introducing students to computational thinking: the process of cleaning up one's thoughts and expressing oneself all the more correctly, all the more precisely, and ultimately translating those thoughts, of course, to a computer in the form of programming, which is where we've spent quite a bit of time, programming, writing code, over the past several weeks. But toward that end we've also been equipping students with some basic building blocks. You might already know, if a parent, that computers only somehow speak zeros and ones, even if you're not necessarily a computer person yourself or know what that means. But with those zeros and ones can we represent numbers and letters and colors and videos and more, and in fact your child, perhaps sitting next to you, can perhaps tell you what today's message says. Here we have 64 light bulbs on stage, and if you look at eight of them at a time, there's a pattern of bulbs that are either on or off that, if you know the code, so to speak, can you actually convert these bits, these zeros and ones in light bulb form, to today's particular message.

Now, before we begin, we thought we'd make this as engaging, as interactive as possible. Rather than focus on any assumptions of prior computing knowledge, you need know nothing today other than how to operate, for instance, your own phone or a laptop or desktop or the like, and indeed we'll assume a general audience. And in this Halloween week, we'll also see if we can't scare you a little bit into practicing better practices when it comes specifically to the security, or cybersecurity, of the device you carry with you every day in your pocket, use on your desk, on your laptop, or beyond. So if you haven't already, whether you're here in person or tuning in online, go to this URL here, which will lead you to an interactive polling tool. Any phone or laptop or desktop suffices. If it's a little easier than typing in this URL, you can just scan this code with your phone's camera. Take a moment to just open your camera, and hopefully, if you're at a good enough angle and we've made this thing big enough, this is a two-dimensional barcode, or QR code, embedded in which is that exact same URL. We're increasingly seeing this throughout the world as a mechanism for doing what many of you are doing right now: linking the physical world to the virtual. But that URL again is simply this one here, and in a moment you'll see on your screen... It's okay if you weren't quite able to get that working; feel free to glance to the left or to the right of you for someone else who did.

Let me go ahead and full-screen a question just to ask of everyone here, as we focus today on cybersecurity: is your phone secure? An Android phone, an iPhone, or anything else; if you're holding it in your hand right now, here in person or online, you should see three possible answers: yes, or no, or unsure. We've got over 300 responses come in already. In a moment I'll flip over and reveal the results and see if we can't see how much work we have to do together here today. A few more seconds; almost up to 400 answers. Almost up to 400. It's okay if those keep coming in. I'm going to toggle back and show the results in just a moment here, and the results are now in. According to a response rate of over 400, it looks like 36 percent of you don't need what we're about to do here today, which is great; we'll see if we can't poke some holes, though, in maybe some assumptions you all are making. 31 percent, 32 percent maybe, of you, or a little more, are saying no, your phone is not secure, so so glad you came. And then, understandably, another third of you are unsure. So, in very good company today, and we'll see if we can't open the eyes of everyone in each of these disparate audiences.

Well, let's consider first for a moment exactly how we might think about the security of our phones, representative of just any computing device, and in fact everything we discuss today could be extrapolated to laptops and desktops and servers. But all of us being so familiar with phones, let's start with phones themselves. Now, odds are you have on your phone, like so many other things in your life, a password or a passcode, and in fact, without raising your hands and therefore leaking information, think to yourself: well, what is my password or passcode? It's probably four digits; it's maybe four letters; maybe it's even longer; maybe it's even nothing. And I think maybe from the chart earlier we can assume that we have a third of each of those possible responses. So a password, of course, is the super common mechanism that you and I are all using all the time to keep our devices secure. But do passwords keep things secure? Like, how many of you, thinking about your phone right now and that specific password, might think it's secure? And if so, why do you think it's secure? We have at least 33 percent of you ready to say that your password is secure. Don't want to know it, but why might it be, in your mind, secure? Why might you think it's secure? Or, more generally, what makes your password secure? It's random. Okay, so it's random. So random letters and numbers and the like, and that's great, because it's not just a word in the dictionary that someone could guess and type in. Downside, of course, I dare say, is that it might take you, as well as anyone else, quite a bit of time to guess or figure out what... or just to remember what it is, if it was indeed random. But randomness is going to be a primitive that really actually helps us. Unfortunately, you and I, and really the whole world, are not very good even at passwords, as omnipresent as they are, as a defense against adversaries.

In fact, if we look at the most common passwords from the past year, in 2020, thought we'd share with you some of those results. This is the result of security researchers having found big exploited, compromised databases, analyzing them for what passwords are in them, and then inferring from that what the most common passwords are that you and I are all using. Unfortunately, in 2020 the most common password, according to one measure, was 123456. Now, funny, yes, but if you're seeing your password on the screen already, not so funny, perhaps. The number two password was not much better. Number three, picture1, presumably for a device, a website, that requires that it not just be a word, it have at least one number, which this person took literally; these hundreds of thousands of people took literally. "password" was number four this past year. 12345678. 111111, really not trying hard there. 123123, varying it a little bit. 12345 was number eight. 1234567890 was number nine. And then number ten in 2020 was "senha", which, any Portuguese speakers here, means password. Means password, so "password" made the list twice in this case. So one takeaway already today should be: if your password's on this list, like, probably you're in one of those other 33 percent whereby you can do better than this. Why? I mean, really the obvious: if you're on this list, there's so many bad guys, so to speak, out there that are going to try guessing your password first. Why? Because, just statistically, if they try 123456, 123456789, they're just going to get into a lot of devices quickly, because they're just so commonly used, those passwords. You don't want to be on this list. Ideally you want to be random, but we want to somehow balance randomness with memorability, so that you don't actually keep forgetting your password, which of course defeats the whole point of these things in the
first place. But in a class like this, CS50, and computer science more generally, let's be a little more thoughtful as to what we mean by a device being secure. Like, what does it mean to be secure, and can we even slap some numbers on it, so that we can make measurements, so that we can ideally compare and contrast one system versus another, one password versus another? So it's not just our instincts arguing that my password is better than these, but how can you quantify that, perhaps? Well, let's start simply. A lot of Android phones and iPhones these days require minimally that you have, like, a four-digit passcode. You're minimally encouraged to have at least this bar set, so that you're not having no passcode altogether. So if you do have a four-digit passcode, well, let me go ahead and ask this question: how much time might it take to go about cracking, so to speak, that is, figuring out, what a four-digit passcode is? In fact, let me go ahead; if you want to pull up your devices again, you should see on the screen this question now: how long might it take to crack, that is, figure out, guess, a four-digit passcode, for instance on someone's phone? A few seconds, a few minutes, a few hours, a few days? Thinking here from the adversarial perspective: if someone got a hold of your phone somehow, how long do they need to get into your phone if it has a four-digit passcode? A few seconds, a few minutes, a few hours, a few days? Got about 300 responses so far. Let's give folks another few seconds here. Another few seconds here. All right, up to 350 or so. In a moment let me go ahead and flip screens over to the results, so we'll see the preliminary results here, and if I now pull this screen up, we see that 50 percent of you claim that it's going to take only a few seconds; a few of you, about a third, a few fewer viewers, saying that it takes a few minutes; a few hours; and even a few days. Well, let's answer that first, because honestly, if it's already a few days or even longer, our work here is probably already pretty done.

Unfortunately, the problem with things like four-digit passcodes is that anyone who grabs your phone (you step out of the room, you leave it behind, you lose it) could certainly mimic your input device and just use their finger, pretending to be you, trying 0000, nope, 0001, nope, 0002, nope. And it's a little slow, to be fair; it would take me a while to count all the way up to 9999. That's 10,000 total possibilities there. But let's go ahead and consider exactly how else you could do it. For instance, here is an example of what in computer science we call a brute-force attack, and just an adversary using their finger is a brute-force attack if they're trying all possible passcodes. The problem is, even if your passcode is way at the end of the list of numbers, eventually they're going to get it by brute force, sort of like in yesteryear using, you know, a battering ram or the like to brute-force your way into a building, a castle, or the like. In a software sense, it just means trying all possibilities. And you don't even have to just use your finger, right? Anyone with some programming savvy who's good with hardware could maybe do something like this. Here's a quick video I'll hit play on, no sound, but a little bit of a robot that has an Android phone underneath it, and it's got a little robotic finger that's doing the work for you. You can step out of the room now as the adversary; let the robot do its work, trying 0000 through 9999 and ultimately, presumably, get into that phone. So let's see if we can't quantify, then, exactly how fast the human or the robot could get in. Well, how many total possibilities are there? That's the right way to begin thinking about it. If you have ten digits for the first one, 0 through 9, and then another ten possibilities, another ten, another ten, the total number of possibilities, of course, between 0000 and 9999 is ten thousand: ten times ten times ten times ten, which gives us that much of a search space, a universe of possible passcodes to choose among.

Unfortunately, you can do even better than your own finger, or even that robot. Anyone in CS50 now who knows a bit of programming, in languages called C or Python or anything else, could open up a programming window and actually just start writing some code. And so let me do that. What you're seeing here, if a family member, is a programming environment called Visual Studio Code that students have been using for the past several weeks. Up here we have a tabbed window where we can type our code; down here we have what's called a terminal window, where I can type commands to make the computer run that code; and then over here is just a menu bar. So crack.py means I'm going to write a program to crack, that is, figure out, passwords, using this language called Python. And, you know, even though most CS50 students wouldn't know what code to start writing (they'd have to look up some of what I'm about to do), it's only going to be a few lines. So I'm going to go up here and say "from string import digits". This is a fancy way of saying, hey, Python, give me access to all decimal digits; it just avoids my having to type out 0 through 9 manually. All right, then I'm going to say "from itertools import product". This is another feature of Python that CS50 students for the most part have not yet seen, that just says, hey, Python, give me the ability to do, like, the cross product of a whole bunch of numbers, so these 10 times these 10 times these 10 times these 10. And then what am I going to do with that? Well, for each possible passcode in the product of those digits repeated four times, I'm going to go ahead and, for now, let's just print out what the passcode is. In other words, assume that I am now the adversary. I don't want to waste time using my finger; I don't have a robot that I made; but I am good at writing software, and heck, I've got, like, a USB or a Lightning cable in my bag that I could connect your phone to my Mac or PC, and I could just have my code that I'm writing now send all the possible codes from laptop to phone to automate this process, just using the little port at the bottom of all of our phones.

Well, let me go ahead and maximize this so-called terminal window, which is again where I'm going to run this code, and again, the question a moment ago was: does it take seconds, minutes, hours, days? Well, let me go ahead and run "python crack.py". I'm pretending for the moment that I did grab that cable from my bag and plug it into the phone. Hitting Enter, and it didn't actually do anything. That was not supposed to happen. So in CS50 we spend a lot of time introducing students to bugs, which are mistakes in programs, sometimes not so deliberate. Let me go ahead and apologize; let me open this file. This didn't technically happen. Okay. Python... or... correct, there, okay. In CS50 we now will run the code here, and I'm going to go ahead and run a command called "python crack.py". I had the file in the wrong location a moment ago, and this is the equivalent on a Mac or PC of double-clicking an icon. Here we go. Is it seconds, minutes, hours, or days? Barely one second to try all ten thousand possibilities. You can't even see them all on the screen, but this printed out 0000 all the way down, of course, to 9999. Plug in that cable, and boom, the adversary doesn't need to be in that room for very long in order to get into that phone.

All right, so what would be better, then? Like, clearly, four-digit passcodes: bad, if you have someone in your life who has a finger or a robot or the ability to write code, and unfortunately, because of us, you now all have someone in the family with at least a third of those. How might we do better than this? What's better than a four-digit passcode? Anyone? Yeah. Okay, so six digits, heck, or seven digits or eight digits. Why? Because that's going to make, of course, the passcode longer, which means we're going to have to try more possibilities, which doesn't
mean that the adversary is fundamentally stopped, but it is going to slow them down. It's going to take them more time, probabilistically, to get to your passcode, and in a sense, then, increases the cost to the adversary. And indeed, that's the theme in cybersecurity: raising the cost to the adversary, either financially or time-wise or the like. Just like in the real, physical world, most of you go home, you lock your doors at night. You might have invested in a better deadbolt than another. Why is that? You really just want to be more secure than the house next door. You want to make sure that it takes too much time, too much effort, too much risk to the adversary to get into your home. And that's, again, what cybersecurity is all about. To say "my phone is secure" is sort of nonsensical; to say that your phone is more secure than someone else's, that's really a reasonable, fair statement to make. So I like this instinct. Let's see if we can't make things a little harder, and actually, let's go one step further. Rather than just numbers, you've probably noticed on your phones you can use letters of the alphabet too. If you click the right option on the phone, you can start typing in words and letters. So how might we do that instead? Well, let's transition to four-letter passcodes. Four-letter passcodes, and if we do four-letter passcodes, where the letters of the alphabet, for instance, are A through Z, in English alone, let's go ahead and ask this question here. If you have four letters of the alphabet (so let's not increase length yet; let's just change to a bigger vocabulary, now we have A through Z instead of 0 through 9), how many four-letter passcodes are possible? How big is that universe that the adversary is going to have to search via brute force? So I'm seeing a lot of seven millions, a bunch of 52 thousands, 26 thousands, 10 thousands, 9999, a few smaller numbers here. Hopefully it's not this low, right, because we've already set the bar at 10,000 possibilities for numbers alone. Hopefully, if we've got English letters A through Z, we can at least do better than 10,000. So I think we'll start to see maybe some of these bars change a little bit, but we've got sixty percent of you proposing seven million.

Well, let's go to the math. So here we might have a way of thinking about this: both uppercase and lowercase, even better if you consider it that way. Lowercase a through z, uppercase A through Z, that's 52 possibilities for the first digit, times 52, times 52, times 52, or 52 to the fourth power. That indeed gives you seven million plus possibilities. All right, well, let's now translate this to code. That already sounds way better: 10,000 versus 7 million. This is definitely going to slow that hacker down. Well, let's consider exactly how fast or slow it might now be. Let me go into my crack.py program, and let me make a little tweak so that instead of just using digits, this time I'm going to use letters, otherwise known as ascii_letters, as CS50 students will know; that just means familiar English letters of the alphabet. And I'm going to change my code to use these ascii_letters, four of them still, instead of digits alone, and that's the only change. Now I'm going to pretend to plug my phone, that I just stole from someone, into a USB or a Lightning cable. Let me maximize my window, just so we can see things a bit more. Let me run "python crack.py" now, and let's consider how long it takes to do 7 million possible codes. Okay, slower. Slower. Can't dramatically just say in one breath that we're done, but we're already at the g's, and then the h's, and it's kind of flying by. You know, this is where the adversary is probably getting nervous in the TV show or movie, right? Someone is tiptoeing around in the other room; you don't want them to come in; you only have this much time to crack the code. And we're at the r's, the s's, the t's, u's, v's. So, you know, this feels like, what, a minute or so? It's a good number of seconds, but it's still pretty brief, certainly if someone has the ability to... now we've got to do the capital letters too... certainly if someone has the ability not to just secretly do it, like in Hollywood, in the next room, but just take it with them and do it over the course of a minute or two at home. This seems to be faster... sorry, this seems to be slower, because we're trying so many more possibilities, but, you know, if the adversary takes your phone, has it long enough, this doesn't feel like terribly long.

So what might be better than this? Let's take it one step further. What might be better than four letters? What do most websites ask you to add to the mix? So, special characters, right? And those things are darn annoying, right, because sometimes they even tell you what letters... what punctuation symbols you have to use, and then you type one and you realize, ah, it's not on the damn list. I mean, it's frustrating. Why? Well, it's going to raise the bar, though, to the adversary, and that's indeed going to be the goal here, again: just to increase the cost or time required for the adversary, so that it doesn't finish, like it did just now after a couple of minutes, but it's going to keep going and going, hopefully such that they're going to lose interest in your phone and go try to crack into someone else's, presumably. So let's try this. Let me now go over to, how about, one other question here, and this question will now just be: let's go from four characters... how about let's take it one step further and mix the two ideas here, more digits and longer passcodes. How many eight-character passcodes are possible? And by character, as a CS50 student will know, I mean number or letter or punctuation symbol now, and there's like 32 or so standard punctuation symbols. So we're up to a good set of numbers now. How many eight-character passcodes do you think are possible? Million, billion, trillion, quadrillion, or quintillion? All of which, of course, are better than 10,000 possibilities, so we're in a whole different space now. Looks like these answers are coming in a little more slowly, perhaps as folks think about this. This is 10 digits plus 52 letters plus 32 punctuation symbols; much more secure, it would seem. All right, we're up to 230 responses. Give folks another second or so. If you're trying to do the math, 10 plus 52 plus 32, that's going to give you 94 possibilities for each of the digits. All right, we're just about at our 350. All right, I'm going to toggle over the screen here, going to click over to the results, show them in just a second on the screen now. And this is an interesting distribution. I think some of you perhaps have the instinct now to just go for the biggest one. It's not quintillion, nice as that would be. Maybe it's quadrillion, trillion, billion, or million; we have more of a split there.

So let's consider the math. So if we've got eight characters, and I claim that that's 94 possibilities for each (10 digits, 52 letters, 32 punctuation symbols), that's 94 to the eighth power, essentially, and that indeed is 6 quadrillion possibilities. Now, that's crazy big. At this point I dare say we're pretty safe from the human finger. Now we're probably pretty safe from that robot, which is going to take a while too. But Macs and PCs are pretty darn fast, and, you know, God forbid the adversary have a big server, or use the cloud, so to speak, and really use a big, expensive machine. How long does it take to get into six quadrillion possible passcodes? Well, how might we think about this? Suppose, just for the sake of discussion, it takes the adversary one second per code, just so we have some unit of measure to start with. One second per code, which means in the worst case the adversary really gets screwed and my passcode is, like, 99999 or with a lot of crazy punctuation symbols in it. If each passcode takes a second to guess, how long is it going to take the adversary if, in the worst case, they spend six quadrillion seconds? How many hours or minutes or days or years? I'm hearing "a lot". "A lot" is in fact correct. I did do the math. The adversary, if they're lucky and get all this way, they're
going to be 193,000 years old by the time they get to all of those possible passcodes. So this sounds alluring, and in fact, let's just change our code one final time, just to get a sense of how this might look and behave. In this version here, let me go back into my code, and let me change this now to use not just ascii_letters but digits, and I'm going to add in punctuation. For CS50 students, there is, again, this library called the string library that lets you just import all of these symbols automatically, so we don't have to type out every character on my keyboard manually. And then down here I'm going to take the product of those ascii_letters again, plus those digits, plus the punctuation, repeated eight times, I claim, this time. I'm going to now increase the size of my window just so we can see more on the screen, re-run the code, and this is going to take us, you know, some hundreds of thousands of years, so we won't run to the end of this demo. Now we seem to be in a better place.

All right, so what's the takeaway here? Clearly you should use a passcode, a password, that's eight characters with letters and numbers and punctuation, yes? Okay, now there's a mix here. Some of you are saying yes, some are saying no. How about someone who says no? Why? Why no? Yeah, reCAPTCHA. Okay, so there's other mechanisms; more on that in a second. Other instincts? Yeah, the computers are much faster. Yes, I'm kind of cheating with my verbal simplification here. Even this computer is way faster than one code per second, so it's not going to be hundreds of thousands of years; might be tens of thousands of years, or hundreds of years, but it's not going to be quite as dramatic as this. So that's a concern, yes. So maybe there's other mechanisms, so maybe we don't have to be so extreme as to introduce all of this randomness, as was proposed before, because honestly, there's this theme in computer science too, and really information technology, of trade-offs, right? Sure, I can use a really big random password, but, my God, I'm going to end up writing it on my monitor on a Post-it note, which I suspect, statistically, some of you are guilty of, right? And you shouldn't necessarily just blame yourself, or, you know, your colleague who's doing this. Like, this is a symptom perhaps of bad IT policy. If we don't have necessarily very usable systems, maybe we shouldn't blame the human for forgetting their very random password; maybe we shouldn't require the human to have a very random password.

So what could we do? A couple of technical mechanisms were just proposed. Let's go down this road of how we might try to defend against this, and I'll keep this running, just for fun, in the background. Let me switch back over to a visual here. Now that we've considered that many codes, what if we do something that some of your own phones already have that slows the adversary down? And some of you might have seen on your iPhone a screen like this. Let me zoom in: "iPhone is disabled, try again in 1 minute." Has anyone locked themselves out of their phone like this? I have. This is not... I mean, it's embarrassing to admit, but it's not leaking any information. All right, so many of you have done that already. But why is this actually a compelling feature, just to be clear, annoying as this might be, because you probably don't want your phone locked at the very moment you're trying to get into it? Why might it be a good thing? Yeah. Uh oh, let's go somewhere else. If we make... yeah, I'm back, sorry. It slows down the process. It annoys you, to be fair; like, you pay a bit of this price, but it really slows down the adversary. Now they're going to be able to type in not one code per second but one code per minute, a 60-times difference. That's really going to force them to pump the brakes, and unless that adversary is after you specifically, odds are they're going to go take someone else's phone or lose interest, because you've raised the bar high enough to their getting in. On Android, if you do this, it depends on the operating system version; here might be something similar on Android: "Too many attempts, try again later." I mean, this is even more annoying; it doesn't even tell you when to try again later, but it does slow down the adversary. So if you don't have features like this enabled, you should, and if you're particularly security-conscious, or paranoid even, you can even enable a feature on these phones nowadays where they self-destruct, so to speak, after 10 wrong guesses. Right? Why 10? You know, the presumption is, among Apple and Google and others, that if you type your passcode 10 times wrong, you're probably not who you say you are; you're probably someone else. Although, you know, if you're a little groggy first thing in the morning, or if you've been out late and having a good time, ten might not be a high enough threshold to sort of protect your phone from you. And so there too is this trade-off again, and that's an extreme one. If your phone deletes itself, which is what I meant by self-destruct, then that might actually be to your detriment unless you have backups and all of that, but that's another technology question altogether. So there too, this theme of trade-offs: you raise the bar to the adversary, but you've got to pay the price. You're not going to get any such feature for free.

All right, what's another mechanism that many of us, increasingly, thankfully, are doing? Might be, when you log into a website like Gmail, to have two-factor authentication, sometimes called two-step authentication. I mean, how many of you use two-factor, two-step authentication with at least one account? All right, so that's amazing. How many of you use it with all of your accounts? All right, fewer of us, and there too, that's not necessarily the wrong answer, right? I have a lot of stupid websites that I have accounts on, like I bought something once on them; I don't really care about it. So there's a judgment call there in terms of what you really care about, but maybe your financial websites, your healthcare websites, or anything that's mildly sensitive to you probably should be raising the bar to the adversary by enabling this. So what is this, particularly for those of you who didn't raise your hand? Someone else: what is two-factor or two-step authentication? What's two-factor? Yeah. Yeah, so when you have to pull out your phone and verify that it's really you, or in the corporate world you might have a little dongle, a key fob on your keychain, that's got a little number on it. But generally speaking, two-factor authentication is all about, indeed, a second factor. It's kind of oversimplified as two steps, but it's really key, technologically, that it be a different factor. It is not two-factor authentication if you just have two passwords that you have to remember, because both of those could be forgotten by you; both of those could be stolen by someone else if you write them down on the Post-it note or the like. Two-factor authentication is about having a fundamentally different factor available to you, so that the odds that someone gets at something you know, like your password, and something you have, like your phone, is just much, much smaller than the threat of just figuring out something you know, like a password alone. So the factor is something that's fundamentally different from the other thing. And so once you configure this, the user typically sees a screen like this, for instance in the context of Gmail. The screens vary; here at Harvard and Yale, students are familiar with something called Duo Mobile, which is the exact same idea, and they typically use one-time codes, six digits thereabouts, and you can only use that code once, and the idea is it's texted to you or pushed to your device, so that you and only you can use it. Does this fundamentally secure your account? Is this enough, to just have a good password and two-factor authentication? Does that keep the adversaries out altogether? Not if someone... what? Okay, not if someone really wants to get in; then you have other problems that are certainly of concern. But you do want to ideally keep most adversaries at bay, and there too, all we're doing is, like, raising the bar, right? There's nothing stopping someone in physical proximity to me stealing my phone and getting into all of those accounts I just raised my hand about, but you at least protect yourself against the billions of other potential adversaries in the world that are geographically not near us, who... at least narrow the threat. So that's a good thing.

But what else could we do? Because I feel like it's not fair for us to say, all right, everyone, go home, start using better passwords, longer, more complicated, because again there's this trade-off. We don't want to send everyone home essentially with a pad of Post-it notes to then counterbalance what's an unrealistic expectation. So how many of you, perhaps with a show of physical hands, use a password manager already? This is something practical we can equip you with. Okay, so that was relatively few hands, and those of you who are in the habit still of memorizing your password, or worse, writing down the password, there are better solutions today. But here too there's going to be a caveat; there's no clear win necessarily. A password manager is a piece of software that you install on your Mac or PC or your phone that manages your passwords for you, and these come either built into the operating system (Windows has Credential Manager; macOS has something called Keychain) or there's third-party software like 1Password or LastPass. Companies and universities often have site licenses so that students in particular can use these kinds of things for free, but the ones that come with your operating system or phone are themselves already free, and not using them is really the missed opportunity here. So what is a password manager? It's a program that, yes, manages your passwords, but it does a few things more. It generates passwords for you, typically. I mean, honestly, it's been years since I have chosen my own password on a website. I instead click a button in my password manager software, or I use a keyboard shortcut, to generate something that's eight characters, heck, maybe 16, 24, 32 characters long. I don't care, because the software's job is to manage that password for me. That is, the software remembers this crazy long password for me, and better yet, it comes with a button or a keyboard shortcut that will automatically fill out forms for me on the web. When I say "log me in," it will grab my password from my computer, plug it in, and voilà, I'm logged in. The upside of this is that even if that website is compromised and my password leaks out, I'm not using that password, presumably, anywhere else, because this software's job is generally to create unique passwords for each website, and it's not going to be guessed by a brute force by one of you writing code, because it's just too long; probabilistically, you know, we're all going to be gone by the time your computer finishes trying to crack it. So what's the downside? I mean, this sounds great: if the software generates passcodes for you and plugs them in for you, where's the downside? Anyone? Yeah, if you're using somebody else's computer. Yeah, if you use someone else's computer, or you're in, like, you know, a library environment, a lab environment, you don't have your passwords accessible. Now, there's a way to mitigate that: so long as you sync the same software to your phone (you might have to pay another $1.99 or $20 to have the same software on your phone), you can at least mitigate that by sharing the passcodes across your devices. Not as user-friendly; you're still going to have to now manually type out this really long password, and that's annoying if you get one character wrong, but that's one way to mitigate that. Other concerns? That's maybe the biggest threat. I mean, you're kind of putting all of your proverbial eggs in the same basket. If someone now gets into my password manager, which I should stipulate is supposed to itself have a really big, long password that I do have to
remember but only one such long password i mean then i'm really out of luck now every single account i own is compromised except for except for those that at least have two factor unless the adversary also steals my phone or my key fob other concerns exactly if someone gets physical access to your device honestly in general all bets are off and this is why some of today's lessons are really important it's only going to matter when you first lose your phone or someone walks off with your laptop or like there are certain things you can do to defend against that inevitability dare say but you want to make sure that if you are using some of these solutions like a password manager that that long primary password you use for it is itself really hard to guess and you know i would say i'm okay with you writing that down even but putting it in like a safe deposit box or hiding it somewhere in the house that's just very low probability of someone finding because the other problem with putting all of your eggs in one basket if you forget your password then you lose everything and that too seems like a pretty serious price to pay but this is a constant battle in computing nowadays usability and security and finding that inflection point but there to you can be you can be selective right i called out financial information health information your personal email your calendar anything that's mildly more sensitive to you or important raise the bar at least on those accounts even if you're not quite ready to go all in on all of these these other factors well let's consider then where we're using these passwords consider just a couple of specific examples email of course gmail is the example i used earlier gmail and email accounts more generally are increasingly offering us features and in fact there's one that i thought we could highlight as an example of something that as a cs50 student a cs50 family member you should really start viewing the eye a little more the the world with a 
more skeptical eye a little more paranoid eye and not necessarily just believe things that websites say i mean it's mostly meaningless when a website says sometimes with a pretty little logo or emblem our website is secure like what does that even mean and it's again all about relativity and even gmail i dare say somewhat irresponsibly has this feature in recent years confidential mode like is anyone if you're using g suite or google apps at work or workspace nowadays in the habit of using confidential mode i mean it sounds okay no one's using this so this is great and i worry now that i'm introducing you to a feature that you shouldn't necessarily use but all this time if you're a gmail user there is along the little menu bar an icon that lets you enable confidential mode and later tonight play around for just look for it and you'll see exactly the screenshot which i took yesterday according to google recipients won't have the option to forward copy print or download this email right great for lawyers it would seem great for business great for private correspondence but why is this perhaps a bit misleading like what's the where should the skepticism come from here even a company like google i dare say you know they've probably buried the caveats that i'm hinting at under the learn more but unfortunately that might be too late yeah in fact yeah i mean those of you know how to take a screenshot that's the simplest way if you don't know how to do that well here's a phone i can just take a picture of what it is i see on the screen and so these are software defenses that are in place that essentially disable the forward button disable the print button but honestly as you probably already know once something is already digital i mean it's out there and there are other ways to get it it might not be as high quality if you're taking out your phone to do it but you should view things like this with skepticism and even i when i occasionally receive something like this i 
kind of roll my eyes but regret that the user thinks what they're doing is consistent with this language but it isn't necessarily and so indeed in part from an introduction to computer science you begin to i mean get a little scared from what's going on out there because there's so many different threats and so many things that you can't in fact do and the onus is unfortunately often on us users to read between the lines and see what actually is possible here's another one that you might be more in the habit of using incognito mode or private mode in chrome or safari or firefox or edge or the like what does uh incognito mode do it's familiar what's incognito mode yeah it doesn't log locally what you're doing exactly most people here probably generally know about things called cookies even if you're not quite sure how they work but they're like these little remnants or breadcrumbs you leave behind when visiting websites that allow the websites to keep track of where who you are in some sense according to google here when you're using incognito mode chrome won't save your browsing history so that's good cookies and site data information entered into forms but to their credit they do disclaim that your activity might still be visible to the websites you visit your employer or school your internet service provider so they're getting better at at least helping you evaluate by giving more of the facts whether you do or don't want to do this but this doesn't mean that the websites you're visiting indeed know um don't know who you are all of our computers have unique addresses these things called ip addresses that you might have heard about in cs50 we'll explore these in another week's time your computer is constantly leaking information that could be used to infer who you were so this is really just best left when you don't want to accidentally unlike a friend's computer or a lab computer remain logged in because cookies are typically used to just remember that you've 
logged in so if you use a friend's computer you use incognito mode and just close the window boom you're effectively logged out but even as google disclaims there's other caveats there there too so what else might we keep in mind how about let's consider one other big one that's another thing to start looking for increasingly in order to keep yourself secure and this one's a little more technical encryption and that cs50 students will know this is something you can implement in code and in fact let me ask this question what does it mean to encrypt something think back to pset 2 and caesar and the like let me look a little farther back almost any student hand should theoretically be up here yeah exactly encryption is all about substituting one letter for another and generally scrambling the appearance of some message up so that the recipient knows how to reverse that process and see what you actually sent but anyone intervening in between you can't actually see the information between you so just to impress uh the parents in the rooms uh any students what does this say we're not ending here but this was cs50 that's what it would say but notice the scramble let me go back and forth back and forth uh in this message t becomes u h becomes i i becomes j s becomes t this is what we called a few weeks ago in cs50 a rotational cipher a caesar cipher that literally does as you described substitutes one letter for the next but it does so in a very predictable way a becomes b b becomes c and so forth and we also talked weeks ago that you don't have to keep it that simplistic you can use a bigger mathematical formula to make it at least harder for some adversary to figure out but you and i as users these days are constantly thankfully using encryption you probably generally know that you should be hoping for expecting this these days like https is a good thing s means secure literally and any website that has that in its url indicates to you that you and the website are having 
an encrypted a scrambled communication which means if you type in your password your credit card information anything else personally no one between you theoretically points a and b should be able to know what it is you've typed into that web page the web page absolutely can because they have the process the ability to decrypt that information to reverse the process but at least encryption is generally a good thing but today let's take that one step further and encourage you all to be looking for expecting if you will as consumers increasingly in the coming years something better than encryption alone but end to end encryption and you're starting to hear about read about this a little bit more but it's perhaps a little less familiar someone in the room who's familiar what is end to end encryption let me give folks a moment what is end end-to-end encryption okay good so it's when an app like whatsapp encrypts a message but it's encrypted all the way to the other side to the recipient even though facebook in this case owns whatsapp even though your message is going through facebook or meta servers they do not have theoretically the ability to decrypt your message whatever chat message you've sent to a friend they are just sending seemingly random zeros and ones all the way to the end user who can then decrypt it if you're an iphone user imessage for instance does this automatically so long as your text messages are blue and not green that means you're using imessage and apple's platform that does this but let's let's focus perhaps on something that's been all too familiar to most of us over this past year zoom right zoom actually took some flak some months ago because in their marketing literature they were advertising end-to-end encryption they were not implementing end-to-end encryption at least initially this was probably marketing gone awry not quite understanding what end-to-end encryption means they were using encryption and what that meant is that if i were 
having a meeting with a colleague or you were sitting in on a class with a teacher you might have an encrypted connection all of you to zoom centrally but they had the ability early on and still now if you leave this feature off to decrypt that information and see and listen to theoretically anything going on in that meeting or that classroom now technologically there's not really a good defense against that if using that older approach all it really is is policy or hopefully there's rules in place there's contracts in place that say well yeah that's possible but don't do that end-to-end encryption is a stronger guarantee for you that circumvents that risk altogether by ensuring that if you're tuning into that class or you're logging into that meeting all of the zeros and ones are going through zoom servers just like facebook's but only the end users only the students and teachers only the colleague and colleague can actually decrypt and see and hear what is is that's being said and if you're uh one who schedules zoom meetings you can actually see this for instance here's a screenshot that i took yesterday too scheduling like a zoom meeting for today and you'll see that you can choose the day and the time the password haha and also down here the encryption level and by default it's typically enhanced encryption which is stupid like enhanced encryption it's just encryption and in fact it's sort of worse encryption than the other checkbox which is end to end encryption but there's this little caveat and here too consistent with this reality and computing there's always a trade-off right it's not all upside and all win several features will be automatically disabled when using end-to-end encryption including cloud recording and some phone stuff i mean that's already kind of a big loss for a class for instance a conference that wants to keep the sessions but it kind of makes sense right if the data is encrypted between all of the end users and therefore zoom has no 
eyes into the data or ears then it makes sense that they can't record it for you in the cloud because it's completely completely scrambled to them too so a good primitive to have in place but also something that you need to sacrifice in terms of usability well let me in our final moments here let me flip back over to where our hacking tool is it would seem that eight characters is doing really well because we still got three a's at the beginning of this so that might be in fact one takeaway and in fact let me flip over and propose three pieces of homework for everyone here one use a password manager the one that's built into your phone or your operating system or pay a little something more for something that you might like a little better two use two-factor authentication for more of your accounts maybe not all but at least more of your accounts and that's certainly a net improvement and then three use not just encryption but end-to-end encryption and unfortunately these features are not all quite as simple as oh well let me just check the box and turn on that something's something that's always been available to me because it's not always been available and zoom only once they sort of got into trouble for this did they acquire some other company that implements this feature and then add it to their software but as users as consumers as parents as students considering choosing one tool or another because of these features is really something you are empowered to do and do not use those tools that you don't think meet some threshold of comfort for you for more on this and computer science more generally any of you can take cs50 online at edx.org cs50 it's been so nice to see you happy to chat one-on-one but otherwise have a wonderful day here on campus this was cs50 recording stopped you
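The rotational (Caesar) cipher the lecture walks through, as an added example that is not part of the lecture or of the course's pset code: it reproduces the "this was cs50" → "uijt xbt dt50" shift shown on stage, and then recovers the key by trying every shift, which is the point the lecture makes about why a predictable substitution is not real encryption. The small English word list used to recognise a correct decryption is constructed for this example.

```python
"""Rotational (Caesar) cipher: every letter moves a fixed number of places
along the alphabet, wrapping at the end; digits, spaces and punctuation pass
through unchanged. With only 26 possible keys, an adversary can try all of
them, which is why this is a teaching cipher and not a protection mechanism."""

ALPHABET_SIZE = 26


def rotate(text, key):
    """Shift each letter by `key` positions (mod 26), keeping its case and
    leaving non-letters (digits, spaces, punctuation) untouched."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % ALPHABET_SIZE + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    """Caesar encryption: rotate forward by the key."""
    return rotate(plaintext, key)


def decrypt(ciphertext, key):
    """Caesar decryption is the same rotation in the opposite direction."""
    return rotate(ciphertext, -key)


def brute_force(ciphertext, known_words):
    """Try all 26 keys and return (key, plaintext) pairs whose output contains
    at least one word from `known_words` (a constructed, hypothetical word
    list standing in for a real dictionary). This is the whole attack: the
    key space is so small that exhaustive search is instant."""
    hits = []
    for key in range(ALPHABET_SIZE):
        candidate = decrypt(ciphertext, key)
        if any(word in candidate.split() for word in known_words):
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    # The lecture's own example: shift by one, "cs50" becomes "dt50".
    scrambled = encrypt("this was cs50", 1)
    print(scrambled)                      # uijt xbt dt50
    print(decrypt(scrambled, 1))          # this was cs50
    # An eavesdropper who does not know the key needs only 26 tries.
    for key, text in brute_force(scrambled, {"this", "was", "the"}):
        print(f"key={key}: {text}")
```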
Info
Channel: CS50
Views: 47,041
Keywords: cs50, harvard, computer, science, david, malan
Id: e7EVbT0W9uU
Length: 60min 20sec (3620 seconds)
Published: Fri Oct 29 2021