1
00:00:00,000 --> 00:01:17,581
[MUSIC PLAYING]
2
00:01:17,581 --> 00:01:20,791
SPEAKER: All right. This is CS50.
3
00:01:20,791 --> 00:01:23,351
And this is First Year Family
Weekends here at Harvard,
4
00:01:23,351 --> 00:01:26,651
so welcome to all of the moms and dads,
brothers, sisters, cousins, aunts,
5
00:01:26,651 --> 00:01:28,621
uncles, grandparents, and beyond.
6
00:01:28,621 --> 00:01:31,441
CS50 here is Harvard
University's introduction
7
00:01:31,441 --> 00:01:33,721
to the intellectual
enterprises of computer science
8
00:01:33,721 --> 00:01:35,191
and the arts of programming.
9
00:01:35,191 --> 00:01:37,651
And what that means is that
what we've been doing in here,
10
00:01:37,651 --> 00:01:40,921
over the past several weeks,
is introducing students
11
00:01:40,921 --> 00:01:44,943
to computational thinking, the
process of cleaning up one's thoughts
12
00:01:44,943 --> 00:01:47,401
and expressing oneself all the
more correctly, all the more
13
00:01:47,401 --> 00:01:49,381
precisely, and ultimately
translating those thoughts,
14
00:01:49,381 --> 00:01:52,021
of course, to a computer in
the form of programming, which
15
00:01:52,021 --> 00:01:54,361
is where we've spent quite
a bit of time-- programming,
16
00:01:54,361 --> 00:01:56,311
writing code-- over
the past several weeks.
17
00:01:56,311 --> 00:01:59,791
But toward that end, we've
also been equipping students
18
00:01:59,791 --> 00:02:01,621
with some basic building blocks.
19
00:02:01,621 --> 00:02:05,371
You might already know, if a parent,
that computers only somehow speak
20
00:02:05,371 --> 00:02:08,520
zeros and ones, even if you're not
necessarily a computer person yourself
21
00:02:08,520 --> 00:02:09,690
or know what that means.
22
00:02:09,691 --> 00:02:13,171
But with those zeros and ones can
we represent numbers and letters
23
00:02:13,171 --> 00:02:15,031
and colors and videos and more.
24
00:02:15,031 --> 00:02:18,061
And in fact, your child
perhaps sitting next to you
25
00:02:18,061 --> 00:02:20,161
could perhaps tell you
what today's message says.
26
00:02:20,161 --> 00:02:22,261
Here, we have 64 light bulbs on stage.
27
00:02:22,261 --> 00:02:24,871
And if you look at
eight of them at a time,
28
00:02:24,871 --> 00:02:27,361
there's a pattern of bulbs
that are either on or off
29
00:02:27,361 --> 00:02:31,531
that, if you know the code so to speak,
can you actually convert these bits--
30
00:02:31,531 --> 00:02:34,111
these zeros and ones
in light bulb form--
31
00:02:34,111 --> 00:02:36,443
to today's particular message.
32
00:02:36,443 --> 00:02:38,401
Now, before we begin, we
thought we'd make this
33
00:02:38,401 --> 00:02:41,851
as engaging, as interactive as possible.
34
00:02:41,851 --> 00:02:45,721
Rather than focus on any assumptions
of prior computing knowledge,
35
00:02:45,721 --> 00:02:47,821
you need know nothing
today other than how
36
00:02:47,821 --> 00:02:51,641
to operate, for instance, your own phone
or a laptop or desktop or the like.
37
00:02:51,641 --> 00:02:54,041
And indeed, we'll assume
a general audience.
38
00:02:54,041 --> 00:02:56,731
And in this Halloween
week, will we also see
39
00:02:56,731 --> 00:03:01,261
if we can't scare you a little bit
into practicing better practices when
40
00:03:01,261 --> 00:03:04,948
it comes specifically to the security
or cybersecurity of the device
41
00:03:04,948 --> 00:03:07,531
you carry with you every day in
your pocket, use on your desk,
42
00:03:07,531 --> 00:03:09,094
on your laptop, or beyond.
43
00:03:09,094 --> 00:03:11,011
So if you haven't already,
whether you're here
44
00:03:11,011 --> 00:03:14,761
in person or tuning in
online, go to this URL
45
00:03:14,761 --> 00:03:19,451
here, which will lead you to
an interactive polling tool.
46
00:03:19,451 --> 00:03:22,831
Any phone or laptop or desktop suffices.
47
00:03:22,831 --> 00:03:25,381
If it's a little easier
than typing in this URL,
48
00:03:25,381 --> 00:03:29,551
you can just scan this code
with your phone's camera.
49
00:03:29,551 --> 00:03:31,411
Take a moment to just open your camera.
50
00:03:31,411 --> 00:03:33,421
And hopefully, if you're
at a good enough angle
51
00:03:33,421 --> 00:03:35,171
and we've made this
thing big enough, this
52
00:03:35,171 --> 00:03:38,371
is a two-dimensional bar
code or QR code embedded
53
00:03:38,371 --> 00:03:40,271
in which is that exact same URL.
54
00:03:40,271 --> 00:03:43,021
We're increasingly seeing this
throughout the world as a mechanism
55
00:03:43,021 --> 00:03:45,451
for doing what many of you
are doing right now, linking
56
00:03:45,451 --> 00:03:46,981
the physical world to the virtual.
57
00:03:46,981 --> 00:03:50,259
But that URL, again, is
simply this one here.
58
00:03:50,259 --> 00:03:52,051
And in a moment, you'll
see on your screen.
59
00:03:52,051 --> 00:03:53,971
It's OK if you weren't quite
able to get that working.
60
00:03:53,971 --> 00:03:56,461
Feel free to glance to the
left or to the right of you
61
00:03:56,461 --> 00:03:57,721
for someone else who did.
62
00:03:57,721 --> 00:04:00,781
Let me go ahead and
full-screen a question just
63
00:04:00,781 --> 00:04:05,221
to ask of everyone here as we
focus today on cybersecurity.
64
00:04:05,221 --> 00:04:08,821
Is your phone secure?
65
00:04:08,821 --> 00:04:12,031
Whether an Android phone,
an iPhone, or anything else,
66
00:04:12,031 --> 00:04:15,001
if you're holding it in your hand
right now here in person or online,
67
00:04:15,001 --> 00:04:19,111
you should see three possible
answers-- yes or no or unsure.
68
00:04:19,111 --> 00:04:21,571
We've got over 300
responses come in already.
69
00:04:21,571 --> 00:04:24,001
In a moment, I'll flip
over and reveal the results
70
00:04:24,001 --> 00:04:29,371
and see if we can't see how much work
we have to do together here today.
71
00:04:29,371 --> 00:04:30,311
A few more seconds.
72
00:04:30,311 --> 00:04:33,091
Almost up to 400 answers.
73
00:04:33,091 --> 00:04:34,128
Almost up to 400.
74
00:04:34,128 --> 00:04:35,461
It's OK if those keep coming in.
75
00:04:35,461 --> 00:04:39,001
I'm going to toggle back and show
the results in just a moment here.
76
00:04:39,001 --> 00:04:40,861
And the results are now in.
77
00:04:40,861 --> 00:04:45,559
According to a response rate of
over 400, it looks like 36% of you
78
00:04:45,559 --> 00:04:48,101
don't need what we're about to
do here today, which is great.
79
00:04:48,101 --> 00:04:51,601
We'll see if we can't poke some holes
though and maybe some assumptions you
80
00:04:51,601 --> 00:04:52,441
all are making.
81
00:04:52,441 --> 00:04:56,851
31%, 32% maybe of you
are saying no, your phone
82
00:04:56,851 --> 00:04:58,771
is not secure, so so glad you came.
83
00:04:58,771 --> 00:05:01,781
And then, understandably,
another third of you are unsure.
84
00:05:01,781 --> 00:05:03,871
So in very good company
today, and we'll see
85
00:05:03,871 --> 00:05:07,711
if we can't open the eyes of everyone
in each of these disparate audiences.
86
00:05:07,711 --> 00:05:11,011
Well, let's consider first
for a moment exactly how we
87
00:05:11,011 --> 00:05:13,651
might think about the security
of our phones, representative
88
00:05:13,651 --> 00:05:15,131
of just any computing device.
89
00:05:15,131 --> 00:05:17,761
And in fact, everything we discuss
today could be extrapolated
90
00:05:17,761 --> 00:05:19,798
to laptops and desktops and servers.
91
00:05:19,798 --> 00:05:21,631
But all of us being so
familiar with phones,
92
00:05:21,631 --> 00:05:23,401
let's start with phones themselves.
93
00:05:23,401 --> 00:05:25,651
Now, odds are you have on
your phone, like so many
94
00:05:25,651 --> 00:05:29,641
other things in your life,
a password or a passcode.
95
00:05:29,641 --> 00:05:33,181
And in fact, without raising your hands
and, therefore, leaking information,
96
00:05:33,181 --> 00:05:36,061
think to yourself, well, what
is my password or passcode?
97
00:05:36,061 --> 00:05:38,110
It's probably four digits.
98
00:05:38,110 --> 00:05:39,451
It's maybe four letters.
99
00:05:39,451 --> 00:05:40,591
Maybe it's even longer.
100
00:05:40,591 --> 00:05:41,811
Maybe it's even nothing.
101
00:05:41,811 --> 00:05:43,561
And I think maybe,
from the chart earlier,
102
00:05:43,561 --> 00:05:47,251
we can assume that we have a third
of each of those possible responses.
103
00:05:47,251 --> 00:05:49,561
So a password of course, is
this super common mechanism
104
00:05:49,561 --> 00:05:53,971
that you and I are all using all
the time to keep our devices secure.
105
00:05:53,971 --> 00:05:55,603
But do passwords keep things secure?
106
00:05:55,603 --> 00:05:57,811
Like how many of you, thinking
about your phone right
107
00:05:57,811 --> 00:06:01,511
now and that specific password,
might think it's secure?
108
00:06:01,511 --> 00:06:05,191
And if so, why do you think it's secure?
109
00:06:05,191 --> 00:06:08,594
We have at least 33% of you ready
to say that your password's secure.
110
00:06:08,594 --> 00:06:09,511
Don't want to know it.
111
00:06:09,511 --> 00:06:13,951
But why might it be,
in your mind, secure?
112
00:06:13,951 --> 00:06:15,571
Why might you think it's secure?
113
00:06:15,571 --> 00:06:19,291
Or more generally, what
makes your password secure?
114
00:06:19,291 --> 00:06:20,006
AUDIENCE: Random.
115
00:06:20,006 --> 00:06:20,881
SPEAKER: It's random.
116
00:06:20,881 --> 00:06:21,381
OK.
117
00:06:21,381 --> 00:06:22,061
So it's random.
118
00:06:22,061 --> 00:06:23,741
So random letters and
numbers and the like.
119
00:06:23,741 --> 00:06:26,221
And that's great, because it's
not just a word in the dictionary
120
00:06:26,221 --> 00:06:27,871
that someone could guess and type in.
121
00:06:27,871 --> 00:06:29,671
Downside, of course,
I daresay is that it
122
00:06:29,671 --> 00:06:32,401
might take you as well as
anyone else quite a bit of time
123
00:06:32,401 --> 00:06:34,651
to guess or figure out
what or just to remember
124
00:06:34,651 --> 00:06:36,331
what it is, if it was indeed random.
125
00:06:36,331 --> 00:06:38,971
But randomness is going to be a
primitive that really actually helps
126
00:06:38,971 --> 00:06:39,471
us.
127
00:06:39,471 --> 00:06:41,851
Unfortunately, you and I
and really the whole world
128
00:06:41,851 --> 00:06:44,641
are not very good even at
passwords, as omnipresent
129
00:06:44,641 --> 00:06:47,761
as they are as a defense
against adversaries.
130
00:06:47,761 --> 00:06:56,111
In fact, if we look at the most common
passwords from the past year, in 2020,
131
00:06:56,111 --> 00:06:58,801
I thought we'd share with
you some of those results.
132
00:06:58,801 --> 00:07:01,291
This is the result of
security researchers having
133
00:07:01,291 --> 00:07:05,671
found big exploited, compromised
databases, analyzing them
134
00:07:05,671 --> 00:07:07,771
for what passwords are in
them and then inferring
135
00:07:07,771 --> 00:07:10,651
from that what the most common
passwords you and I are all using.
136
00:07:10,651 --> 00:07:14,611
Unfortunately, in 2020, the most common
password, according to one measure,
137
00:07:14,611 --> 00:07:17,911
was one, two, three, four, five, six.
138
00:07:17,911 --> 00:07:18,701
[LAUGHING]
139
00:07:18,701 --> 00:07:20,041
Now, funny, yes.
140
00:07:20,041 --> 00:07:22,591
But if you're seeing your
password on the screen already,
141
00:07:22,591 --> 00:07:24,091
not so funny perhaps.
142
00:07:24,091 --> 00:07:25,141
[LAUGHING]
143
00:07:25,141 --> 00:07:29,761
The number two password
was not much better.
144
00:07:29,761 --> 00:07:33,961
Number three, picture one
presumably for a device,
145
00:07:33,961 --> 00:07:36,121
a website that requires
that it not just be a word,
146
00:07:36,121 --> 00:07:38,551
it have at least one number,
which this person took--
147
00:07:38,551 --> 00:07:40,981
these hundreds of thousands
of people took literally.
148
00:07:40,981 --> 00:07:44,581
Password was number four this past year.
149
00:07:44,581 --> 00:07:46,561
1, 2, 3, 4, 5, 6, 7, 8.
150
00:07:46,561 --> 00:07:50,111
1, 1, 1, 1, 1, 1, really
not trying hard there.
151
00:07:50,111 --> 00:07:53,101
1, 2, 3, 1, 2, 3,
varying it a little bit.
152
00:07:53,101 --> 00:07:55,393
1, 2, 3, 4, 5, was number eight.
153
00:07:55,393 --> 00:07:58,171
1, 2, 3, 4, 5, 6, 7, 8,
9, 0 was number nine.
154
00:07:58,171 --> 00:08:01,861
And then number 10, in
2020, was "senha," which--
155
00:08:01,861 --> 00:08:03,751
any Portuguese speakers here-- means?
156
00:08:03,751 --> 00:08:04,096
AUDIENCE: Password.
157
00:08:04,096 --> 00:08:04,441
AUDIENCE: Password.
158
00:08:04,441 --> 00:08:05,281
SPEAKER: Password.
159
00:08:05,281 --> 00:08:06,101
Means "password."
160
00:08:06,101 --> 00:08:06,601
[LAUGHING]
161
00:08:06,601 --> 00:08:08,981
So made the list twice in this case.
162
00:08:08,981 --> 00:08:12,511
So one takeaway already today should
be, if your password's on this list,
163
00:08:12,511 --> 00:08:16,231
like probably you're in
one of those other 33%
164
00:08:16,231 --> 00:08:17,801
whereby we can do better than this.
165
00:08:17,801 --> 00:08:18,301
Why?
166
00:08:18,301 --> 00:08:19,471
I mean, really the obvious.
167
00:08:19,471 --> 00:08:22,711
If you're in this list,
there's so many bad guys,
168
00:08:22,711 --> 00:08:25,961
so to speak, out there that are going
to try guessing your password first.
169
00:08:25,961 --> 00:08:26,461
Why?
170
00:08:26,461 --> 00:08:30,061
Because just statistically, if they try
1, 2, 3, 4, 5, 6, 1, 2, 3, 4, 5, 6, 7,
171
00:08:30,061 --> 00:08:32,551
8, 9, they're just going to
get into a lot of devices
172
00:08:32,551 --> 00:08:35,844
quickly, because they're just so
commonly used, those passwords.
173
00:08:35,844 --> 00:08:37,260
You don't want to be on this list.
174
00:08:37,260 --> 00:08:41,040
Ideally, you want to be random, but
we want to somehow balance randomness
175
00:08:41,041 --> 00:08:42,931
with memorability so
that you don't actually
176
00:08:42,931 --> 00:08:45,391
keep forgetting your password,
which, of course, defeats
177
00:08:45,391 --> 00:08:47,591
the whole point of these
things in the first place.
178
00:08:47,591 --> 00:08:51,031
But in a class like this, CS50 and
computer science more generally,
179
00:08:51,031 --> 00:08:57,361
let's be a little more thoughtful as to
what we mean by a device being secure.
180
00:08:57,361 --> 00:08:58,861
Like what does it mean to be secure?
181
00:08:58,861 --> 00:09:01,903
And can we even slap some numbers on
it so that we can make measurements,
182
00:09:01,903 --> 00:09:04,201
so that we can ideally
compare and contrast
183
00:09:04,201 --> 00:09:07,601
one system versus another,
one password versus another
184
00:09:07,601 --> 00:09:11,381
so it's not just our instincts arguing
that my password is better than these,
185
00:09:11,381 --> 00:09:13,381
but how can you quantify that perhaps?
186
00:09:13,381 --> 00:09:14,551
Well, let's start simply.
187
00:09:14,551 --> 00:09:16,861
A lot of Android phones
and iPhones these days
188
00:09:16,861 --> 00:09:20,161
require minimally that you
have a four-digit passcode.
189
00:09:20,161 --> 00:09:22,921
You're minimally encouraged
to have at least this bar
190
00:09:22,921 --> 00:09:26,221
set so that you're not having
no passcode altogether.
191
00:09:26,221 --> 00:09:30,091
So if you do have a
four-digit passcode, well,
192
00:09:30,091 --> 00:09:32,401
let me go ahead and ask this question.
193
00:09:32,401 --> 00:09:37,561
How much time might it take to go
about cracking, so to speak-- that is,
194
00:09:37,561 --> 00:09:38,611
figuring out--
195
00:09:38,611 --> 00:09:41,499
what a four-digit passcode is?
196
00:09:41,499 --> 00:09:42,541
In fact, let me go ahead.
197
00:09:42,541 --> 00:09:45,499
If you want to pull up your devices
again, you should see on the screen
198
00:09:45,499 --> 00:09:46,621
this question now.
199
00:09:46,621 --> 00:09:49,201
How long might it take to crack--
200
00:09:49,201 --> 00:09:51,421
that is, figure out, guess--
201
00:09:51,421 --> 00:09:52,956
a four-digit passcode?
202
00:09:52,956 --> 00:09:54,331
For instance, on someone's phone.
203
00:09:54,331 --> 00:09:57,961
A few seconds, a few minutes,
a few hours, a few days?
204
00:09:57,961 --> 00:10:00,331
Thinking here, from the
adversarial perspective,
205
00:10:00,331 --> 00:10:03,061
if someone got ahold
of your phone somehow,
206
00:10:03,061 --> 00:10:09,811
how long do they need to get into your
phone if it has a four-digit passcode?
207
00:10:09,811 --> 00:10:13,471
A few seconds, few minutes,
few hours, few days?
208
00:10:13,471 --> 00:10:16,661
Got about 300 responses so far.
209
00:10:16,661 --> 00:10:19,831
Let's give folks another
few seconds here.
210
00:10:19,831 --> 00:10:20,981
Another few seconds here.
211
00:10:20,981 --> 00:10:21,481
All right.
212
00:10:21,481 --> 00:10:22,461
Up to 350 or so.
213
00:10:22,461 --> 00:10:25,211
In a moment, let me go ahead and
flip screens over to the results.
214
00:10:25,211 --> 00:10:27,161
So we'll see the
preliminary results here.
215
00:10:27,161 --> 00:10:31,651
And if I now pull this screen
up, we see that 50% of you
216
00:10:31,651 --> 00:10:34,201
claim that it's going to
take only a few seconds.
217
00:10:34,201 --> 00:10:36,501
Few of you say, about
a third, fewer of you
218
00:10:36,501 --> 00:10:40,091
are saying that it takes a few minutes,
few hours, and even a few days.
219
00:10:40,091 --> 00:10:41,341
Well, let's answer that first.
220
00:10:41,341 --> 00:10:44,731
Because honestly, if it's already
a few days or even longer,
221
00:10:44,731 --> 00:10:47,591
our work is here probably
already pretty done.
222
00:10:47,591 --> 00:10:50,941
Unfortunately, the problem with
things like four-digit passcodes
223
00:10:50,941 --> 00:10:53,911
is that anyone who grabs your
phone-- you step out of the room,
224
00:10:53,911 --> 00:10:57,611
you leave it behind, you lose it-- they
could certainly mimic your input device
225
00:10:57,611 --> 00:11:01,651
and just use their finger pretending
to be you, trying 0, 0, 0, 0.
226
00:11:01,651 --> 00:11:02,281
Nope.
227
00:11:02,281 --> 00:11:03,781
0, 0, 0, 1.
228
00:11:03,781 --> 00:11:04,351
Nope.
229
00:11:04,351 --> 00:11:05,771
0, 0, 0, 2.
230
00:11:05,771 --> 00:11:06,271
Nope.
231
00:11:06,271 --> 00:11:07,901
And it's a little slow, to be fair.
232
00:11:07,901 --> 00:11:12,451
It would take me a while to
count all the way up to 9,999.
233
00:11:12,451 --> 00:11:14,921
That's 10,000 total possibilities there.
234
00:11:14,921 --> 00:11:18,501
But let's go ahead and consider
exactly how else you could do it.
235
00:11:18,501 --> 00:11:21,561
For instance, here is an
example of, in computer science,
236
00:11:21,561 --> 00:11:23,151
what we call a "brute force attack."
237
00:11:23,151 --> 00:11:26,721
And just an adversary using their
finger is a brute force attack
238
00:11:26,721 --> 00:11:28,611
if they're trying all
possible passcodes.
239
00:11:28,611 --> 00:11:32,798
The problem is, even if your passcode is
way at the end of the list of numbers,
240
00:11:32,798 --> 00:11:34,881
eventually they're going
to get it by brute force.
241
00:11:34,881 --> 00:11:38,361
Sort of like in yesteryear, using a
battering ram or the like to brute
242
00:11:38,361 --> 00:11:41,211
force your way into a building,
a castle, or the like.
243
00:11:41,211 --> 00:11:44,221
In software sense, it just
means trying all possibilities.
244
00:11:44,221 --> 00:11:46,221
And you don't even have
to just use your finger.
245
00:11:46,221 --> 00:11:46,721
Right?
246
00:11:46,721 --> 00:11:49,461
Anyone with some programming
savvy, who's good with hardware,
247
00:11:49,461 --> 00:11:51,001
could maybe do something like this.
248
00:11:51,001 --> 00:11:52,611
Here's a quick video I'll hit play on.
249
00:11:52,611 --> 00:11:53,361
No sound.
250
00:11:53,361 --> 00:11:56,751
But a little bit of a robot that
has an Android phone underneath it,
251
00:11:56,751 --> 00:12:01,101
and it's got a little robotic finger
that's doing the work for you.
252
00:12:01,101 --> 00:12:03,291
You can step out of the
room now as the adversary.
253
00:12:03,291 --> 00:12:07,401
Let the robot do its work trying
0, 0, 0, 0 through 9, 9, 9, 9.
254
00:12:07,401 --> 00:12:10,921
And ultimately, presumably
get into that phone.
255
00:12:10,921 --> 00:12:15,831
So let's see if we can't quantify then
exactly how fast the human or the robot
256
00:12:15,831 --> 00:12:16,426
could get in.
257
00:12:16,426 --> 00:12:18,301
Well, how many total
possibilities are there?
258
00:12:18,301 --> 00:12:20,301
That's the right way to
begin thinking about it.
259
00:12:20,301 --> 00:12:23,241
If you have 10 digits for
the first one, 0 through 9,
260
00:12:23,241 --> 00:12:26,251
and then another 10 possibilities,
another 10, another 10,
261
00:12:26,251 --> 00:12:30,381
the total number of possibilities, of
course, between 0, 0, 0, 0 and 9, 9, 9,
262
00:12:30,381 --> 00:12:31,611
9 is 10,000--
263
00:12:31,611 --> 00:12:33,901
10 times 10 times 10 times 10--
264
00:12:33,901 --> 00:12:37,611
which gives us that much of a
search space, a universe of possible
265
00:12:37,611 --> 00:12:39,831
passcodes to choose among.
266
00:12:39,831 --> 00:12:43,161
Unfortunately, you can do even
better than your own finger
267
00:12:43,161 --> 00:12:44,211
or even that robot.
268
00:12:44,211 --> 00:12:48,051
Anyone in CS50 now who knows a bit of
programming and languages called "C"
269
00:12:48,051 --> 00:12:52,783
or "Python" or anything else could open
up a programming window and actually
270
00:12:52,783 --> 00:12:53,991
just start writing some code.
271
00:12:53,991 --> 00:12:54,908
And so let me do that.
272
00:12:54,908 --> 00:12:57,081
What you're seeing here,
if a family member,
273
00:12:57,081 --> 00:12:59,481
is a programming environment
called "Visual Studio Code"
274
00:12:59,481 --> 00:13:01,856
that students have been using
for the past several weeks.
275
00:13:01,856 --> 00:13:04,608
Up here, we have a tabbed window
where we can type our code.
276
00:13:04,608 --> 00:13:06,441
Down here, we have
what's called a "terminal
277
00:13:06,441 --> 00:13:09,891
window" where I can type commands
to make the computer run that code.
278
00:13:09,891 --> 00:13:11,631
And then over here is just a menu bar.
279
00:13:11,631 --> 00:13:15,051
So crack.py means I'm going
to write a program to crack--
280
00:13:15,051 --> 00:13:18,861
that is, figure out passwords--
using this language called "Python."
281
00:13:18,861 --> 00:13:21,201
And even though most
CS50 students wouldn't
282
00:13:21,201 --> 00:13:23,721
know what code to start
writing, they'd have
283
00:13:23,721 --> 00:13:27,511
to look up some of what I'm about to
do, it's only going to be a few lines.
284
00:13:27,511 --> 00:13:31,311
So I'm going to go up here and
say from string import digits.
285
00:13:31,311 --> 00:13:33,171
This is a fancy way of
saying, hey, Python.
286
00:13:33,171 --> 00:13:34,941
Give me access to all decimal digits.
287
00:13:34,941 --> 00:13:38,161
It just avoids my having to
type out 0 through 9 manually.
288
00:13:38,161 --> 00:13:38,661
All right.
289
00:13:38,661 --> 00:13:43,051
Then I'm going to say from
itertools import product.
290
00:13:43,051 --> 00:13:46,051
This is another feature of Python
that CS50 students, for the most part,
291
00:13:46,051 --> 00:13:48,111
have not yet seen that
just says, hey, Python.
292
00:13:48,111 --> 00:13:51,781
Give me the ability to do like the cross
product of a whole bunch of numbers.
293
00:13:51,781 --> 00:13:55,641
So these 10 times these 10
times these 10 times these 10.
294
00:13:55,641 --> 00:13:57,451
And then what am I
going to do with that?
295
00:13:57,451 --> 00:14:03,351
Well, for each possible passcode in
the product of those digits repeated
296
00:14:03,351 --> 00:14:06,831
four times, I'm going to go
ahead and, for now, let's just
297
00:14:06,831 --> 00:14:08,751
print out what the passcode is.
298
00:14:08,751 --> 00:14:11,139
In other words, assume that
I am now the adversary.
299
00:14:11,139 --> 00:14:12,931
I don't want to waste
time using my finger.
300
00:14:12,931 --> 00:14:15,891
I don't have a robot that I made,
but I am good at writing software.
301
00:14:15,891 --> 00:14:18,861
And heck, I've got like a USB
or a lightning cable in my bag
302
00:14:18,861 --> 00:14:22,341
that I could connect your
phone to my Mac or PC.
303
00:14:22,341 --> 00:14:24,741
And I could just have my
code that I'm writing now
304
00:14:24,741 --> 00:14:27,801
send all the possible
codes from laptop to phone
305
00:14:27,801 --> 00:14:31,011
to automate this process just using
the little port at the bottom of all
306
00:14:31,011 --> 00:14:31,821
of our phones.
307
00:14:31,821 --> 00:14:34,641
Well, let me go ahead and
maximize this so-called terminal
308
00:14:34,641 --> 00:14:37,371
window, which is, again, where
I'm going to run this code.
309
00:14:37,371 --> 00:14:39,741
And again, the question
a moment ago was, does it
310
00:14:39,741 --> 00:14:41,781
take seconds, minutes, hours, days?
311
00:14:41,781 --> 00:14:44,571
Well, let me go ahead and
run Python of crack.py.
312
00:14:44,571 --> 00:14:47,781
I'm pretending, for the moment, that
I did grab that cable from my bag
313
00:14:47,781 --> 00:14:49,041
and plug it into the phone.
314
00:14:49,041 --> 00:14:53,421
Hitting Enter and it didn't
actually do anything.
315
00:14:53,421 --> 00:14:54,831
That was not supposed to happen.
316
00:14:54,831 --> 00:14:55,441
[LAUGHING]
317
00:14:55,441 --> 00:14:59,421
So in CS50, we spent a lot of
time introducing students to bugs,
318
00:14:59,421 --> 00:15:01,191
which are mistakes in programs.
319
00:15:01,191 --> 00:15:04,581
Sometimes, not so deliberate.
320
00:15:04,581 --> 00:15:08,221
Let me go ahead and apologize.
321
00:15:08,221 --> 00:15:10,701
Let me open this file.
322
00:15:10,701 --> 00:15:12,801
This didn't technically happen.
323
00:15:12,801 --> 00:15:13,491
OK.
324
00:15:13,491 --> 00:15:14,701
Python.
325
00:15:14,701 --> 00:15:15,201
There we go.
326
00:15:15,201 --> 00:15:17,771
OK.
327
00:15:17,771 --> 00:15:20,554
In CS50, we now will run the code here.
328
00:15:20,554 --> 00:15:23,471
And I'm going to go ahead and run a
command called Python of crack.py.
329
00:15:23,471 --> 00:15:25,761
I had the file in the wrong
location a moment ago.
330
00:15:25,761 --> 00:15:29,571
And this is the equivalent, on a Mac
or PC, of double-clicking an icon.
331
00:15:29,571 --> 00:15:30,071
Here we go.
332
00:15:30,071 --> 00:15:33,281
Is it seconds, minutes, hours, or days?
333
00:15:33,281 --> 00:15:36,851
Barely one second to try
all 10,000 possibilities.
334
00:15:36,851 --> 00:15:40,061
You can't even see them all on the
screen, but this printed out 0, 0, 0,
335
00:15:40,061 --> 00:15:42,677
0 all the way down, of
course, to 9, 9, 9, 9.
336
00:15:42,677 --> 00:15:44,231
Plug in that cable and boom.
337
00:15:44,231 --> 00:15:47,231
The adversary doesn't need to
be in that room for very long
338
00:15:47,231 --> 00:15:49,521
in order to get into that phone.
339
00:15:49,521 --> 00:15:50,021
All right.
340
00:15:50,021 --> 00:15:51,251
So what would be better than that?
341
00:15:51,251 --> 00:15:56,351
Like clearly, four-digit passcodes,
bad if you have someone in your life
342
00:15:56,351 --> 00:15:59,621
who has a finger or a robot
or the ability to write code.
343
00:15:59,621 --> 00:16:02,201
And unfortunately,
because of us, you now all
344
00:16:02,201 --> 00:16:04,841
have someone in the family with
at least the third of those.
345
00:16:04,841 --> 00:16:08,171
How might we do better than this?
346
00:16:08,171 --> 00:16:10,361
What's better than a
four-digit passcode?
347
00:16:10,361 --> 00:16:11,631
Anyone?
348
00:16:11,631 --> 00:16:12,131
Yeah.
349
00:16:12,131 --> 00:16:13,021
AUDIENCE: Six digits.
350
00:16:13,021 --> 00:16:13,291
SPEAKER: OK.
351
00:16:13,291 --> 00:16:14,086
So six digits.
352
00:16:14,086 --> 00:16:15,851
Heck, or seven digits or eight digits.
353
00:16:15,851 --> 00:16:16,351
Why?
354
00:16:16,351 --> 00:16:19,021
Because that's going to make, of
course, the passcode longer, which means
355
00:16:19,021 --> 00:16:21,188
we're going to have to try
more possibilities, which
356
00:16:21,188 --> 00:16:23,791
doesn't mean that the adversary
is fundamentally stopped.
357
00:16:23,791 --> 00:16:26,341
But it is going to slow them down.
358
00:16:26,341 --> 00:16:28,711
It's going to take them
more time probabilistically
359
00:16:28,711 --> 00:16:30,541
to get to your passcode.
360
00:16:30,541 --> 00:16:34,211
And it in a sense then increases
the cost to the adversary.
361
00:16:34,211 --> 00:16:36,181
And indeed, that's the
theme in cybersecurity,
362
00:16:36,181 --> 00:16:40,351
raising the cost to the adversary,
either financially or time-wise
363
00:16:40,351 --> 00:16:41,039
or the like.
364
00:16:41,039 --> 00:16:42,581
Just like in the real physical world.
365
00:16:42,581 --> 00:16:43,561
Most of you go home.
366
00:16:43,561 --> 00:16:44,911
You lock your doors at night.
367
00:16:44,911 --> 00:16:47,461
You might have invested in a
better deadbolt than another.
368
00:16:47,461 --> 00:16:48,211
Why is that?
369
00:16:48,211 --> 00:16:51,271
You really just want to be more
secure than the house next door.
370
00:16:51,271 --> 00:16:54,571
You want to make sure that it takes
too much time, too much effort,
371
00:16:54,571 --> 00:16:57,301
too much risk to the adversary
to get into your home.
372
00:16:57,301 --> 00:17:00,301
And that's, again, what
cybersecurity is all about.
373
00:17:00,301 --> 00:17:03,691
To say my phone is secure
is sort of nonsensical.
374
00:17:03,691 --> 00:17:07,320
To say that your phone is more secure
than someone else's, that's really
375
00:17:07,320 --> 00:17:09,360
a reasonable, fair statement to make.
376
00:17:09,361 --> 00:17:11,011
So I like this instinct.
377
00:17:11,011 --> 00:17:13,141
Let's see if we can't make
things a little harder.
378
00:17:13,141 --> 00:17:14,808
And actually, let's go one step further.
379
00:17:14,808 --> 00:17:17,560
Rather than just numbers, you've
probably noticed, on your phones,
380
00:17:17,560 --> 00:17:19,080
you can use letters
of the alphabet, too.
381
00:17:19,080 --> 00:17:20,872
If you click the right
option on the phone,
382
00:17:20,873 --> 00:17:22,751
you can start typing
in words and letters.
383
00:17:22,751 --> 00:17:24,330
So how might we do that instead?
384
00:17:24,330 --> 00:17:27,690
Well, let's transition
to four-letter passcodes.
385
00:17:27,691 --> 00:17:29,191
Four-letter passcodes.
386
00:17:29,191 --> 00:17:35,041
And if we do four-letter passcodes
where the letters of the alphabet,
387
00:17:35,041 --> 00:17:38,251
for instance, are A
through Z in English alone,
388
00:17:38,251 --> 00:17:41,881
let's go ahead and
ask this question here
389
00:17:41,881 --> 00:17:44,286
if you have four
letters of the alphabet.
390
00:17:44,286 --> 00:17:45,661
So let's not increase length yet.
391
00:17:45,661 --> 00:17:48,481
Let's just change to
a bigger vocabulary.
392
00:17:48,481 --> 00:17:51,871
Now, we have A through Z
instead of 0 through 9.
393
00:17:51,871 --> 00:17:54,451
How many four-letter
passcodes are possible?
394
00:17:54,451 --> 00:17:56,911
How big is that universe
that the adversary is going
395
00:17:56,911 --> 00:17:59,731
to have to search via brute force?
396
00:17:59,731 --> 00:18:05,771
So I'm seeing a lot of 7 millions, a
bunch of 52,000s, 26,000s, 10,000s,
397
00:18:05,771 --> 00:18:09,971
9,999, a few smaller numbers here.
398
00:18:09,971 --> 00:18:11,521
Hopefully, it's not this low, right.
399
00:18:11,521 --> 00:18:15,301
Because we've already set the bar at
10,000 possibilities for numbers alone.
400
00:18:15,301 --> 00:18:18,211
Hopefully, if we've got
English letters, A through Z,
401
00:18:18,211 --> 00:18:20,101
we can at least do better than 10,000.
402
00:18:20,101 --> 00:18:24,131
So I think we'll start to see maybe
some of these bars change a little bit.
403
00:18:24,131 --> 00:18:27,121
But we've got 60% of
you proposing 7 million.
404
00:18:27,121 --> 00:18:29,051
Well, let's go to the math.
405
00:18:29,051 --> 00:18:32,311
So here we might have a
way of thinking about this,
406
00:18:32,311 --> 00:18:33,871
both uppercase and lowercase.
407
00:18:33,871 --> 00:18:36,961
Even better if you consider it
that way, lowercase A through Z,
408
00:18:36,961 --> 00:18:40,561
uppercase A through Z. That's 52
possibilities for the first digit
409
00:18:40,561 --> 00:18:44,491
times 52 times 52 times 52,
or 52 to the fourth power.
410
00:18:44,491 --> 00:18:48,011
That indeed gives you 7
million-plus possibilities.
411
00:18:48,011 --> 00:18:48,511
All right.
412
00:18:48,511 --> 00:18:50,136
Well, let's now translate this to code.
413
00:18:50,136 --> 00:18:53,641
That already sounds way better,
10,000 versus 7 million.
414
00:18:53,641 --> 00:18:55,981
This is definitely going
to slow that hacker down.
415
00:18:55,981 --> 00:18:59,611
Well, let's consider exactly how
fast or slow it might now be.
416
00:18:59,611 --> 00:19:02,171
Let me go into my crack.py program.
417
00:19:02,171 --> 00:19:05,311
And let me make a little tweak so
that, instead of just using digits,
418
00:19:05,311 --> 00:19:07,351
this time I'm going to use letters--
419
00:19:07,351 --> 00:19:10,231
otherwise known as ASCII letters,
as CS50 students will know.
420
00:19:10,231 --> 00:19:13,621
That just means familiar
English letters of the alphabet.
421
00:19:13,621 --> 00:19:16,891
And I'm going to change my code
to use these ASCII letters, four
422
00:19:16,891 --> 00:19:18,991
of them still, instead of digits alone.
423
00:19:18,991 --> 00:19:20,191
And that's the only change.
424
00:19:20,191 --> 00:19:23,401
Now, I'm going to pretend to plug my
phone that I just stole from someone
425
00:19:23,401 --> 00:19:25,351
into a USB or a Lightning cable.
426
00:19:25,351 --> 00:19:28,201
Let me maximize my window just
so we can see things a bit more.
427
00:19:28,201 --> 00:19:30,811
Let me run Python of
crack.py now, and let's
428
00:19:30,811 --> 00:19:36,151
consider how long it takes to
do 7 million possible codes.
429
00:19:36,151 --> 00:19:36,651
OK.
430
00:19:36,651 --> 00:19:37,881
Slower.
431
00:19:37,881 --> 00:19:39,081
Slower.
432
00:19:39,081 --> 00:19:41,851
Can't dramatically just say
in one breath that we're done,
433
00:19:41,851 --> 00:19:44,991
but we're already at
the Gs and then the Hs.
434
00:19:44,991 --> 00:19:46,903
And it's kind of flying by.
435
00:19:46,903 --> 00:19:49,611
This is where the adversary is
probably getting nervous in the TV
436
00:19:49,611 --> 00:19:50,451
show or movie.
437
00:19:50,451 --> 00:19:50,691
Right?
438
00:19:50,691 --> 00:19:52,611
Someone is tiptoeing
around in the other room.
439
00:19:52,611 --> 00:19:53,903
You don't want them to come in.
440
00:19:53,903 --> 00:19:56,211
You only have this much
time to crack the code.
441
00:19:56,211 --> 00:20:02,661
And we're at the Rs, the Ss, the Ts, Us,
Vs. So this feels like, what, a minute
442
00:20:02,661 --> 00:20:03,231
or so?
443
00:20:03,231 --> 00:20:07,131
It's a good number of seconds,
but it's still pretty brief,
444
00:20:07,131 --> 00:20:08,911
certainly if someone has the ability to.
445
00:20:08,911 --> 00:20:10,641
And now, we've got to do
the capital letters, too.
446
00:20:10,641 --> 00:20:12,951
Certainly, if someone has the
ability not to just secretly do it
447
00:20:12,951 --> 00:20:15,801
like in Hollywood in the next
room but just take it with them
448
00:20:15,801 --> 00:20:20,611
and do it over the course of a minute
or two at home, this seems to be faster.
449
00:20:20,611 --> 00:20:21,111
Sorry.
450
00:20:21,111 --> 00:20:24,515
This seems to be slower, because we're
trying so many more possibilities.
451
00:20:24,515 --> 00:20:27,831
But if the adversary takes
your phone, has it long enough,
452
00:20:27,831 --> 00:20:29,604
this doesn't feel like terribly long.
453
00:20:29,604 --> 00:20:31,021
So what might be better than this?
454
00:20:31,021 --> 00:20:33,181
Let's take it one step further.
455
00:20:33,181 --> 00:20:35,121
What might be better than four letters?
456
00:20:35,121 --> 00:20:38,103
What do most websites ask
you to add to the mix?
457
00:20:38,103 --> 00:20:39,311
AUDIENCE: Special characters.
458
00:20:39,311 --> 00:20:40,291
SPEAKER: So special characters.
459
00:20:40,291 --> 00:20:40,441
Right?
460
00:20:40,441 --> 00:20:42,011
And those things are darn annoying.
461
00:20:42,011 --> 00:20:42,511
Right?
462
00:20:42,511 --> 00:20:45,361
Because sometimes, they even tell
you what letters or punctuation
463
00:20:45,361 --> 00:20:46,406
symbols you have to use.
464
00:20:46,406 --> 00:20:48,781
And then you type one and,
oh, it's not on the damn list.
465
00:20:48,781 --> 00:20:49,823
I mean, it's frustrating.
466
00:20:49,823 --> 00:20:50,341
Why?
467
00:20:50,341 --> 00:20:53,381
Well, it's going to raise the
bar, though, to the adversary.
468
00:20:53,381 --> 00:20:55,548
And that's, indeed, going
to be the goal here, again
469
00:20:55,548 --> 00:20:58,291
just to increase the cost or
time required for the adversary
470
00:20:58,291 --> 00:21:02,131
so that it doesn't finish like it did
just now, after a couple of minutes.
471
00:21:02,131 --> 00:21:04,381
But it's going to keep going
and going hopefully, such
472
00:21:04,381 --> 00:21:06,151
that they're going to lose
interest in your phone
473
00:21:06,151 --> 00:21:08,371
and go try to crack into
someone else's, presumably.
474
00:21:08,371 --> 00:21:09,461
So let's try this.
475
00:21:09,461 --> 00:21:13,681
Let me now go over to
one other question here.
476
00:21:13,681 --> 00:21:17,141
And this question will now just
be-- let's go from four characters.
477
00:21:17,141 --> 00:21:20,371
How about let's take it one step
further and mix the two ideas here?
478
00:21:20,371 --> 00:21:23,611
More digits and longer passcodes.
479
00:21:23,611 --> 00:21:27,101
How many eight character
passcodes are possible?
480
00:21:27,101 --> 00:21:31,741
And by character, as a CS50 student will
know, I mean number or letter
481
00:21:31,741 --> 00:21:33,601
or punctuation symbol now.
482
00:21:33,601 --> 00:21:37,231
And there's like 32 or so standard
punctuation symbols, so we're
483
00:21:37,231 --> 00:21:39,031
up to a good set of numbers now.
484
00:21:39,031 --> 00:21:42,691
How many eight-character passcodes
do you think are possible?
485
00:21:42,691 --> 00:21:45,901
Million, billion, trillion,
quadrillion, or quintillion?
486
00:21:45,901 --> 00:21:48,911
All of which, of course, are
better than 10,000 possibilities.
487
00:21:48,911 --> 00:21:51,204
So we're in a whole different space now.
488
00:21:51,204 --> 00:21:53,371
Looks like these answers
are coming in a little more
489
00:21:53,371 --> 00:21:57,061
slowly, perhaps as
folks think about this.
490
00:21:57,061 --> 00:22:02,821
It's 10 digits plus 52 letters
plus 32 punctuation symbols.
491
00:22:02,821 --> 00:22:05,591
Much more secure, it would seem.
492
00:22:05,591 --> 00:22:06,091
All right.
493
00:22:06,091 --> 00:22:08,041
We're up to 230 responses.
494
00:22:08,041 --> 00:22:12,181
Give folks another second or so.
495
00:22:12,181 --> 00:22:15,181
If you're trying to do the
math, 10 plus 52 plus 32,
496
00:22:15,181 --> 00:22:19,001
that's going to give you 94
possibilities for each of the digits.
497
00:22:19,001 --> 00:22:19,501
All right.
498
00:22:19,501 --> 00:22:25,461
We're just about at our 350.
499
00:22:25,461 --> 00:22:25,961
All right.
500
00:22:25,961 --> 00:22:27,391
I'm going to toggle
over the screen here.
501
00:22:27,391 --> 00:22:30,121
Going to click over to the results,
show them in just a second on the screen
502
00:22:30,121 --> 00:22:30,621
now.
503
00:22:30,621 --> 00:22:32,491
And this is an interesting distribution.
504
00:22:32,491 --> 00:22:34,533
I think some of you perhaps
have the instinct now
505
00:22:34,533 --> 00:22:36,041
of just go for the biggest one.
506
00:22:36,041 --> 00:22:37,511
[LAUGHING]
507
00:22:37,511 --> 00:22:41,581
It's not quintillion,
nice as that would be.
508
00:22:41,581 --> 00:22:43,851
Maybe it's quadrillion,
trillion, billion, or million.
509
00:22:43,851 --> 00:22:45,101
We have more of a split there.
510
00:22:45,101 --> 00:22:47,161
So let's consider the math.
511
00:22:47,161 --> 00:22:50,221
So if we've got eight
characters, and I claim
512
00:22:50,221 --> 00:22:52,231
that that's 94 possibilities for each.
513
00:22:52,231 --> 00:22:57,751
10 digits, 52 letters,
32 punctuation symbols.
514
00:22:57,751 --> 00:23:00,811
That's 94 to the eighth
power, essentially.
515
00:23:00,811 --> 00:23:04,501
And that indeed is six
quadrillion possibilities.
516
00:23:04,501 --> 00:23:06,901
Now, that's crazy big at this point.
517
00:23:06,901 --> 00:23:09,601
I daresay we're pretty safe
from the human finger now.
518
00:23:09,601 --> 00:23:11,611
We're probably pretty
safe from that robot,
519
00:23:11,611 --> 00:23:13,111
which is going to take a while, too.
520
00:23:13,111 --> 00:23:15,751
But Macs and PCs are pretty darn fast.
521
00:23:15,751 --> 00:23:19,591
And God forbid the adversary have a
big server, use the cloud, so to speak,
522
00:23:19,591 --> 00:23:21,931
and really use a big expensive machine.
523
00:23:21,931 --> 00:23:26,971
How long does it take to get into
six quadrillion possible passcodes?
524
00:23:26,971 --> 00:23:28,511
Well, how might we think about this?
525
00:23:28,511 --> 00:23:30,219
Suppose, just for the
sake of discussion,
526
00:23:30,219 --> 00:23:32,731
it takes the adversary
one second per code.
527
00:23:32,731 --> 00:23:35,101
Just so we have some unit
of measure to start with.
528
00:23:35,101 --> 00:23:39,359
One second per code, which
means, in the worst case,
529
00:23:39,359 --> 00:23:41,401
the adversary really gets
screwed and my passcode
530
00:23:41,401 --> 00:23:47,011
is like 9, 9, 9, 9, 9, 9, 9 or with a
lot of crazy punctuation symbols in it.
531
00:23:47,011 --> 00:23:49,681
If each passcode takes
a second to guess,
532
00:23:49,681 --> 00:23:52,811
how long is it going to take the
adversary if, in the worst case,
533
00:23:52,811 --> 00:23:56,341
they spend six quadrillion seconds?
534
00:23:56,341 --> 00:24:00,861
How many hours or minutes or days or--
535
00:24:00,861 --> 00:24:01,593
AUDIENCE: A lot.
536
00:24:01,593 --> 00:24:02,301
SPEAKER: --years?
537
00:24:02,301 --> 00:24:03,351
I'm hearing a lot.
538
00:24:03,351 --> 00:24:05,361
A lot is in fact correct.
539
00:24:05,361 --> 00:24:06,681
I did do the math.
540
00:24:06,681 --> 00:24:09,801
The adversary, if they're
lucky and get all this way,
541
00:24:09,801 --> 00:24:13,761
they're going to be 193,000
years old by the time they
542
00:24:13,761 --> 00:24:16,701
get to all of those possible passcodes.
543
00:24:16,701 --> 00:24:17,721
So this sounds alluring.
544
00:24:17,721 --> 00:24:20,421
And in fact, let's just change
our code one final time just
545
00:24:20,421 --> 00:24:23,181
to get a sense of how this
might look and behave.
546
00:24:23,181 --> 00:24:26,251
In this version here, let
me go back into my code
547
00:24:26,251 --> 00:24:30,051
and let me change this now to use,
not just ASCII letters, but digits.
548
00:24:30,051 --> 00:24:32,241
And I'm going to add in punctuation.
549
00:24:32,241 --> 00:24:34,371
For CS50 students, there
is, again, this library
550
00:24:34,371 --> 00:24:37,371
called the string library that lets
you just import all of these symbols
551
00:24:37,371 --> 00:24:37,954
automatically.
552
00:24:37,954 --> 00:24:40,941
So we don't have to type out every
character on my keyboard manually.
553
00:24:40,941 --> 00:24:44,061
And then down here, I'm going to take
the product of those ASCII letters
554
00:24:44,061 --> 00:24:47,421
again, plus those digits,
plus the punctuation
555
00:24:47,421 --> 00:24:50,001
repeated eight times I claim this time.
556
00:24:50,001 --> 00:24:52,011
I'm going to now increase
the size of my window
557
00:24:52,011 --> 00:24:53,594
just so we can see more on the screen.
558
00:24:53,594 --> 00:24:56,841
Rerun the code, and
this is going to take
559
00:24:56,841 --> 00:24:59,901
us some hundreds of thousands of years.
560
00:24:59,901 --> 00:25:01,611
So we won't run to the end of this demo.
561
00:25:01,611 --> 00:25:03,261
Now, we seem to be in a better place.
562
00:25:03,261 --> 00:25:03,761
All right.
563
00:25:03,761 --> 00:25:05,301
So what's the takeaway here?
564
00:25:05,301 --> 00:25:08,511
Clearly, you should use
a passcode, a password
565
00:25:08,511 --> 00:25:12,051
that's eight characters with
letters and numbers and punctuation.
566
00:25:12,051 --> 00:25:14,251
Yes?
567
00:25:14,251 --> 00:25:14,879
OK.
568
00:25:14,879 --> 00:25:15,671
There's a mix here.
569
00:25:15,671 --> 00:25:16,471
Some of you are saying yes.
570
00:25:16,471 --> 00:25:17,011
Some are no.
571
00:25:17,011 --> 00:25:18,261
How about someone who says no?
572
00:25:18,261 --> 00:25:20,231
Why?
573
00:25:20,231 --> 00:25:20,781
Why no?
574
00:25:20,781 --> 00:25:21,281
Yeah.
575
00:25:21,281 --> 00:25:22,409
AUDIENCE: Recapture.
576
00:25:22,409 --> 00:25:23,201
SPEAKER: Recapture.
577
00:25:23,201 --> 00:25:23,441
OK.
578
00:25:23,441 --> 00:25:24,461
So there's other mechanisms.
579
00:25:24,461 --> 00:25:25,503
More on that in a second.
580
00:25:25,503 --> 00:25:26,441
Other instincts?
581
00:25:26,441 --> 00:25:27,725
Yeah.
582
00:25:27,725 --> 00:25:30,771
AUDIENCE: The computers are much
faster than just one code per second.
583
00:25:30,771 --> 00:25:31,313
SPEAKER: Yes.
584
00:25:31,313 --> 00:25:34,041
I'm kind of cheating with my
verbal simplification here.
585
00:25:34,041 --> 00:25:37,149
Even this computer is way
faster than one code per second.
586
00:25:37,149 --> 00:25:39,441
So it's not going to be
hundreds of thousands of years.
587
00:25:39,441 --> 00:25:41,871
Might be tens of thousands of
years or hundreds of years,
588
00:25:41,871 --> 00:25:44,431
but it's not going to be
quite as dramatic as this.
589
00:25:44,431 --> 00:25:46,337
So that's a concern.
590
00:25:46,337 --> 00:25:49,295
AUDIENCE: Can't some
passwords be made secure
591
00:25:49,295 --> 00:25:51,669
where you can guess a
certain number every hour?
592
00:25:51,669 --> 00:25:52,211
SPEAKER: Yes.
593
00:25:52,211 --> 00:25:54,141
So maybe there's other mechanisms.
594
00:25:54,141 --> 00:25:57,973
So maybe we don't have to be so extreme
as to introduce all of this randomness,
595
00:25:57,973 --> 00:25:58,931
as was proposed before.
596
00:25:58,931 --> 00:26:02,201
Because honestly, there's this theme
in computer science, too, and really
597
00:26:02,201 --> 00:26:03,941
information technology of trade-offs.
598
00:26:03,941 --> 00:26:04,441
Right?
599
00:26:04,441 --> 00:26:08,261
Sure, I can use a really
big random password.
600
00:26:08,261 --> 00:26:10,751
But my God, I'm going to end
up writing it on my monitor
601
00:26:10,751 --> 00:26:13,991
on a post-it note, which I
suspect statistically some of you
602
00:26:13,991 --> 00:26:15,101
are guilty of.
603
00:26:15,101 --> 00:26:15,731
Right?
604
00:26:15,731 --> 00:26:18,431
And you shouldn't necessarily
just blame yourself
605
00:26:18,431 --> 00:26:20,321
or your colleague who's doing this.
606
00:26:20,321 --> 00:26:23,261
Like this is a symptom
perhaps of bad IT policy.
607
00:26:23,261 --> 00:26:25,751
If we don't have necessarily
very usable systems,
608
00:26:25,751 --> 00:26:29,351
maybe we shouldn't blame the human for
forgetting their very random password.
609
00:26:29,351 --> 00:26:33,081
Maybe we shouldn't require the human
to have a very random password.
610
00:26:33,081 --> 00:26:33,941
So what could we do?
611
00:26:33,941 --> 00:26:36,431
A couple of technical
mechanisms were just proposed.
612
00:26:36,431 --> 00:26:40,624
Let's go down this road of how we
might try to defend against this.
613
00:26:40,624 --> 00:26:43,041
And I'll keep this running
just for fun in the background.
614
00:26:43,041 --> 00:26:45,611
Let me switch back over
to a visual here now
615
00:26:45,611 --> 00:26:47,381
that we've considered that many codes.
616
00:26:47,381 --> 00:26:50,231
What if we do something
that some of your own phones
617
00:26:50,231 --> 00:26:54,491
already have that slow
the adversary down?
618
00:26:54,491 --> 00:26:57,471
And some of you might have seen,
on your iPhone, a screen like this.
619
00:26:57,471 --> 00:26:58,571
Let me zoom in.
620
00:26:58,571 --> 00:26:59,711
iPhone is disabled.
621
00:26:59,711 --> 00:27:00,971
Try again in one minute.
622
00:27:00,971 --> 00:27:03,561
Has anyone locked themselves
out of their phone like this?
623
00:27:03,561 --> 00:27:04,751
I have.
624
00:27:04,751 --> 00:27:07,871
I mean, it's embarrassing to admit,
but it's not leaking any information.
625
00:27:07,871 --> 00:27:08,371
All right.
626
00:27:08,371 --> 00:27:10,281
So many of you have done that already.
627
00:27:10,281 --> 00:27:12,581
But why is this actually
a compelling feature?
628
00:27:12,581 --> 00:27:15,161
Just to be clear,
annoying as this might be,
629
00:27:15,161 --> 00:27:17,321
because you probably don't
want your phone locked
630
00:27:17,321 --> 00:27:21,731
at the very moment you're trying to get
into it, why might it be a good thing?
631
00:27:21,731 --> 00:27:23,014
Yeah.
632
00:27:23,014 --> 00:27:24,431
Let's go somewhere else if we may.
633
00:27:24,431 --> 00:27:25,839
Yeah, in back.
634
00:27:25,839 --> 00:27:26,936
AUDIENCE: Slows down.
635
00:27:26,936 --> 00:27:27,561
SPEAKER: Sorry?
636
00:27:27,561 --> 00:27:29,221
AUDIENCE: Slows down your response.
637
00:27:29,221 --> 00:27:30,679
SPEAKER: It slows down the process.
638
00:27:30,679 --> 00:27:32,011
It annoys you, to be fair.
639
00:27:32,011 --> 00:27:36,001
Like you pay a bit of this price, but
it really slows down the adversary.
640
00:27:36,001 --> 00:27:39,391
Now, they're going to be able to type
in not one code per second but one
641
00:27:39,391 --> 00:27:41,413
code per minute, a 60 times difference.
642
00:27:41,413 --> 00:27:43,621
That's really going to force
them to pump the brakes.
643
00:27:43,621 --> 00:27:46,531
And unless that adversary
is after you specifically,
644
00:27:46,531 --> 00:27:48,781
odds are they're going to
go take someone else's phone
645
00:27:48,781 --> 00:27:51,781
or lose interest because you've
raised the bar high enough to their
646
00:27:51,781 --> 00:27:52,471
getting in.
647
00:27:52,471 --> 00:27:55,798
On Android, if you do this, it depends
on the operating system version.
648
00:27:55,798 --> 00:27:57,631
Here, might be something
similar on Android.
649
00:27:57,631 --> 00:27:58,381
Too many attempts.
650
00:27:58,381 --> 00:27:59,041
Try again later.
651
00:27:59,041 --> 00:28:00,121
I mean, this is even more annoying.
652
00:28:00,121 --> 00:28:02,251
It doesn't even tell you
when to try again later,
653
00:28:02,251 --> 00:28:05,161
but it does slow down the adversary.
654
00:28:05,161 --> 00:28:08,711
So if you don't have features
like this enabled, you should.
655
00:28:08,711 --> 00:28:12,421
And if you're particularly security
conscious or paranoid even,
656
00:28:12,421 --> 00:28:14,401
you can even enable a
feature on these phones
657
00:28:14,401 --> 00:28:18,701
nowadays where they self-destruct,
so to speak, after 10 wrong guesses.
658
00:28:18,701 --> 00:28:19,201
Right?
659
00:28:19,201 --> 00:28:20,131
Why 10?
660
00:28:20,131 --> 00:28:23,221
The presumption is, among
Apple and Google and others,
661
00:28:23,221 --> 00:28:26,761
that, if you type your
passcode 10 times wrong,
662
00:28:26,761 --> 00:28:28,711
you're probably not who you say you are.
663
00:28:28,711 --> 00:28:30,061
You're probably someone else.
664
00:28:30,061 --> 00:28:32,701
Although if you're a little
groggy first thing in the morning
665
00:28:32,701 --> 00:28:35,281
or if you've been out late
and having a good time,
666
00:28:35,281 --> 00:28:40,871
you might not be a high enough threshold
to protect your phone from you.
667
00:28:40,871 --> 00:28:44,101
And so there, too, is this trade-off
again, and that's an extreme one.
668
00:28:44,101 --> 00:28:48,571
If your phone deletes itself, which
is what I meant by self-destruct, then
669
00:28:48,571 --> 00:28:50,761
that might actually
be to your detriment.
670
00:28:50,761 --> 00:28:54,211
Unless you have backups and all of
that, but that's another technology
671
00:28:54,211 --> 00:28:55,271
question altogether.
672
00:28:55,271 --> 00:28:56,611
So there, too, this theme of trade-offs.
673
00:28:56,611 --> 00:28:59,491
You raise the bar to the adversary,
but you've got to pay the price.
674
00:28:59,491 --> 00:29:01,781
You're not going to get
any such feature for free.
675
00:29:01,781 --> 00:29:02,281
All right.
676
00:29:02,281 --> 00:29:06,931
What's another mechanism that many of
us increasingly, thankfully, are doing?
677
00:29:06,931 --> 00:29:09,601
Might be when you log into
a website, like Gmail,
678
00:29:09,601 --> 00:29:12,241
to have two-factor authentication.
679
00:29:12,241 --> 00:29:14,491
Sometimes called
"two-step authentication."
680
00:29:14,491 --> 00:29:17,251
I mean, how many of you use
two-factor or two-step authentication
681
00:29:17,251 --> 00:29:18,411
with at least one account?
682
00:29:18,411 --> 00:29:18,911
All right.
683
00:29:18,911 --> 00:29:20,101
So that's amazing.
684
00:29:20,101 --> 00:29:23,181
How many of you use it
with all of your accounts?
685
00:29:23,181 --> 00:29:23,681
All right.
686
00:29:23,681 --> 00:29:25,141
Fewer of us.
687
00:29:25,141 --> 00:29:27,671
And there, too, that's not
necessarily the wrong answer.
688
00:29:27,671 --> 00:29:28,171
Right?
689
00:29:28,171 --> 00:29:30,781
I have a lot of stupid websites
that I have accounts on,
690
00:29:30,781 --> 00:29:32,521
like I bought something once on them.
691
00:29:32,521 --> 00:29:33,781
I don't really care about it.
692
00:29:33,781 --> 00:29:36,781
So there's a judgment call there in
terms of what you really care about.
693
00:29:36,781 --> 00:29:39,811
But maybe your financial websites,
your health care websites,
694
00:29:39,811 --> 00:29:42,571
or anything that's mildly
sensitive to you probably
695
00:29:42,571 --> 00:29:45,491
should be raising the bar to
the adversary by enabling this.
696
00:29:45,491 --> 00:29:46,291
So what is this?
697
00:29:46,291 --> 00:29:50,221
Particularly for those of you who didn't
raise your hand, someone else, what is
698
00:29:50,221 --> 00:29:53,301
two-factor or two-step authentication?
699
00:29:53,301 --> 00:29:54,051
What's two-factor?
700
00:29:54,051 --> 00:29:54,739
Yeah.
701
00:29:54,739 --> 00:29:57,781
AUDIENCE: When you have to use your
phone to verify that it's really you.
702
00:29:57,781 --> 00:29:57,991
SPEAKER: Yeah.
703
00:29:57,991 --> 00:30:00,511
So when you have to pull out your
phone and verify that it's really you.
704
00:30:00,511 --> 00:30:01,651
And in the corporate
world, you might have
705
00:30:01,651 --> 00:30:03,901
a little dongle, a key
fob on your keychain
706
00:30:03,901 --> 00:30:05,291
that's got a little number on it.
707
00:30:05,291 --> 00:30:07,861
But generally speaking,
two-factor authentication
708
00:30:07,861 --> 00:30:10,351
is all about, indeed, a second factor.
709
00:30:10,351 --> 00:30:12,331
It's kind of oversimplified
as two steps,
710
00:30:12,331 --> 00:30:15,421
but it's really key technologically
that it be a different factor.
711
00:30:15,421 --> 00:30:18,031
It is not two-factor
authentication if you just
712
00:30:18,031 --> 00:30:21,148
have two passwords that you have
to remember, because both of those
713
00:30:21,148 --> 00:30:22,231
could be forgotten by you.
714
00:30:22,231 --> 00:30:24,251
Both of those could be
stolen by someone else
715
00:30:24,251 --> 00:30:26,543
if you write them down on
the post-it note or the like.
716
00:30:26,543 --> 00:30:30,211
Two-factor authentication is about
having a fundamentally different factor
717
00:30:30,211 --> 00:30:33,451
available to you so that
the odds that someone
718
00:30:33,451 --> 00:30:36,781
get at something you know, like your
password, and something you have,
719
00:30:36,781 --> 00:30:39,451
like your phone, is
just much, much smaller
720
00:30:39,451 --> 00:30:43,011
than the threat of just figuring out
something you know, like a password
721
00:30:43,011 --> 00:30:43,511
alone.
722
00:30:43,511 --> 00:30:45,469
So the factor is something
that's fundamentally
723
00:30:45,469 --> 00:30:47,171
different from the other thing.
724
00:30:47,171 --> 00:30:49,441
And so once you configure
this, the user typically
725
00:30:49,441 --> 00:30:52,171
sees a screen like this, for
instance, in the context of Gmail.
726
00:30:52,171 --> 00:30:53,926
The screens vary here
at Harvard and Yale.
727
00:30:53,926 --> 00:30:56,551
Students are familiar with
something called "Duo Mobile," which
728
00:30:56,551 --> 00:30:57,941
is the exact same idea.
729
00:30:57,941 --> 00:31:01,591
And they typically use one-time
codes, six digits thereabouts.
730
00:31:01,591 --> 00:31:03,571
And you can only use that code once.
731
00:31:03,571 --> 00:31:06,691
And the idea is it's texted to
you or pushed to your device
732
00:31:06,691 --> 00:31:09,421
so that you and only you can use it.
733
00:31:09,421 --> 00:31:13,041
Does this fundamentally
secure your account?
734
00:31:13,041 --> 00:31:18,371
Is this enough, to just have a good
password and two-factor authentication?
735
00:31:18,371 --> 00:31:22,430
Does that keep the
adversaries out altogether?
736
00:31:22,430 --> 00:31:24,483
AUDIENCE: Not if
someone wants to get in.
737
00:31:24,483 --> 00:31:25,691
SPEAKER: Not if someone what?
738
00:31:25,691 --> 00:31:27,051
AUDIENCE: Really wants to get in.
739
00:31:27,051 --> 00:31:27,321
SPEAKER: OK.
740
00:31:27,321 --> 00:31:28,911
Not if someone really wants to get in.
741
00:31:28,911 --> 00:31:32,691
Then you have other problems that
are certainly of concern,
742
00:31:32,691 --> 00:31:35,811
but you do want to ideally
keep most adversaries at bay.
743
00:31:35,811 --> 00:31:36,591
And there, too.
744
00:31:36,591 --> 00:31:38,551
All we're doing is like raising the bar.
745
00:31:38,551 --> 00:31:39,051
Right?
746
00:31:39,051 --> 00:31:41,421
There's nothing stopping
someone in physical proximity
747
00:31:41,421 --> 00:31:44,691
to me stealing my phone and getting
into all of those accounts I just
748
00:31:44,691 --> 00:31:45,771
raised my hand about.
749
00:31:45,771 --> 00:31:48,681
But you at least protect
yourself against the billions
750
00:31:48,681 --> 00:31:50,931
of other potential
adversaries in the world that
751
00:31:50,931 --> 00:31:53,941
are geographically not near us,
so you at least narrow the threat.
752
00:31:53,941 --> 00:31:55,251
So that's a good thing.
753
00:31:55,251 --> 00:31:56,391
But what else could we do?
754
00:31:56,391 --> 00:31:59,013
Because I feel like it's not
fair for us to say, all right.
755
00:31:59,013 --> 00:31:59,721
Everyone go home.
756
00:31:59,721 --> 00:32:02,631
Start using better passwords--
longer, more complicated.
757
00:32:02,631 --> 00:32:04,311
Because again, there's this trade-off.
758
00:32:04,311 --> 00:32:07,491
We don't want to send everyone home
essentially with a pad of post-it notes
759
00:32:07,491 --> 00:32:10,504
to then counterbalance what's
an unrealistic expectation.
760
00:32:10,504 --> 00:32:12,921
So how many of you, perhaps
with a show of physical hands,
761
00:32:12,921 --> 00:32:15,801
use a password manager already?
762
00:32:15,801 --> 00:32:17,991
This is something practical
we can equip you with.
763
00:32:17,991 --> 00:32:18,491
OK.
764
00:32:18,491 --> 00:32:19,911
So that was relatively few hands.
765
00:32:19,911 --> 00:32:23,721
And those of you who are in the habit
still of memorizing your password,
766
00:32:23,721 --> 00:32:27,981
or worse, writing down the password,
there are better solutions today.
767
00:32:27,981 --> 00:32:29,961
But here, too, there's
going to be a caveat.
768
00:32:29,961 --> 00:32:31,881
There's no clear win necessarily.
769
00:32:31,881 --> 00:32:34,131
A password manager is
a piece of software
770
00:32:34,131 --> 00:32:36,711
that you install on your
Mac or PC or your phone that
771
00:32:36,711 --> 00:32:38,331
manages your passwords for you.
772
00:32:38,331 --> 00:32:41,661
And these come either built
into the operating system.
773
00:32:41,661 --> 00:32:43,251
Windows has Credential Manager.
774
00:32:43,251 --> 00:32:45,411
macOS has something called "Keychain."
775
00:32:45,411 --> 00:32:48,441
There's third-party software
like 1Password or LastPass.
776
00:32:48,441 --> 00:32:51,194
Companies and universities
often have site licenses
777
00:32:51,194 --> 00:32:54,111
so that students in particular can
use these kinds of things for free,
778
00:32:54,111 --> 00:32:56,528
but the ones that come with
your operating system or phone
779
00:32:56,528 --> 00:32:57,981
are themselves already free.
780
00:32:57,981 --> 00:33:00,811
And not using them is really
the missed opportunity here.
781
00:33:00,811 --> 00:33:02,489
So what is a password manager?
782
00:33:02,489 --> 00:33:04,531
It's a program that, yes,
manages your passwords.
783
00:33:04,531 --> 00:33:05,811
But it does a few things more.
784
00:33:05,811 --> 00:33:08,451
It generates passwords
for you, typically.
785
00:33:08,451 --> 00:33:10,701
I mean, honestly, it's
been years since I have
786
00:33:10,701 --> 00:33:13,011
chosen my own password on a website.
787
00:33:13,011 --> 00:33:16,011
I instead click a button in
my password manager software
788
00:33:16,011 --> 00:33:19,131
or I use a keyboard shortcut
to generate something
789
00:33:19,131 --> 00:33:23,281
that's eight characters, heck,
maybe 16, 24, 32 characters long.
790
00:33:23,281 --> 00:33:27,381
I don't care because the software's
job is to manage that password for me.
791
00:33:27,381 --> 00:33:30,921
That is, the software remembers
this crazy long password for me.
792
00:33:30,921 --> 00:33:33,921
And better yet, it comes
with a button or a keyboard
793
00:33:33,921 --> 00:33:37,531
shortcut that will automatically
fill out forms for me on the web.
794
00:33:37,531 --> 00:33:41,091
When I say log me in, it will
grab my password from my computer,
795
00:33:41,091 --> 00:33:42,741
plug it in, and voila.
796
00:33:42,741 --> 00:33:43,701
I'm logged in.
797
00:33:43,701 --> 00:33:47,871
The upside of this is that, even
if that website is compromised
798
00:33:47,871 --> 00:33:51,321
and my password leaks out, I'm
not using that password presumably
799
00:33:51,321 --> 00:33:54,561
anywhere else because the software's
job is generally to create
800
00:33:54,561 --> 00:33:57,021
unique passwords for each website.
801
00:33:57,021 --> 00:34:00,021
And it's not going to be
guessed via brute force,
802
00:34:00,021 --> 00:34:03,171
by one of you writing code,
because it's just too long.
803
00:34:03,171 --> 00:34:06,771
Probabilistically, we're all going to be
gone by the time your computer finishes
804
00:34:06,771 --> 00:34:08,491
trying to crack it.
805
00:34:08,491 --> 00:34:09,449
So what's the downside?
806
00:34:09,449 --> 00:34:10,533
I mean, this sounds great.
807
00:34:10,533 --> 00:34:13,581
If the software generates passcodes
for you and plugs them in for you,
808
00:34:13,581 --> 00:34:16,021
where's the downside?
809
00:34:16,021 --> 00:34:16,521
Anyone?
810
00:34:16,521 --> 00:34:17,350
Yeah.
811
00:34:17,350 --> 00:34:19,433
AUDIENCE: If you're using
somebody else's computer
812
00:34:19,433 --> 00:34:22,728
and you need to access it, then
you don't know the password.
813
00:34:22,728 --> 00:34:23,311
SPEAKER: Yeah.
814
00:34:23,311 --> 00:34:25,380
If you use someone
else's computer or you're
815
00:34:25,380 --> 00:34:28,562
in like a library environment,
a lab environment,
816
00:34:28,563 --> 00:34:30,271
you don't have your
passwords accessible.
817
00:34:30,271 --> 00:34:32,701
Now, there's a way to
mitigate that so long as you
818
00:34:32,701 --> 00:34:34,440
sync the same software to your phone.
819
00:34:34,440 --> 00:34:36,870
You might have to pay
another $1.99 or $20
820
00:34:36,871 --> 00:34:38,641
to have the same software on your phone.
821
00:34:38,641 --> 00:34:41,011
You can at least mitigate
that by sharing the passcodes
822
00:34:41,011 --> 00:34:42,241
across your devices.
823
00:34:42,241 --> 00:34:43,170
Not as user-friendly.
824
00:34:43,170 --> 00:34:46,320
You're going to have to now manually
type out this really long password
825
00:34:46,321 --> 00:34:49,081
and that, too, is annoying if
you get one character wrong.
826
00:34:49,081 --> 00:34:50,761
But that's one way to mitigate that.
827
00:34:50,761 --> 00:34:51,623
Other concerns?
828
00:34:51,623 --> 00:34:54,790
AUDIENCE: If someone cracks the code,
then they now have all your passwords.
829
00:34:54,791 --> 00:34:56,201
SPEAKER: That's maybe
the biggest threat.
830
00:34:56,201 --> 00:34:58,841
I mean, you're kind of putting
all of your proverbial eggs
831
00:34:58,841 --> 00:34:59,981
in the same basket.
832
00:34:59,981 --> 00:35:03,821
If someone now gets into my password
manager, which I should stipulate
833
00:35:03,821 --> 00:35:07,001
is supposed to itself have
a really big long password
834
00:35:07,001 --> 00:35:10,841
that I do have to remember, but
only one such long password,
835
00:35:10,841 --> 00:35:12,561
I mean, then I'm really out of luck.
836
00:35:12,561 --> 00:35:16,851
Now, every single account I own
is compromised except for those
837
00:35:16,851 --> 00:35:18,101
that at least have two-factor.
838
00:35:18,101 --> 00:35:20,801
Unless the adversary also
steals my phone or my key fob.
839
00:35:20,801 --> 00:35:22,133
Other concerns?
840
00:35:22,133 --> 00:35:25,239
AUDIENCE: If someone
is like [INAUDIBLE].
841
00:35:31,701 --> 00:35:32,421
SPEAKER: Exactly.
842
00:35:32,421 --> 00:35:35,541
If someone gets physical access to
your device, honestly in general,
843
00:35:35,541 --> 00:35:36,396
all bets are off.
844
00:35:36,396 --> 00:35:39,021
And this is why some of today's
listeners are really important.
845
00:35:39,021 --> 00:35:42,973
It's only going to matter when you first
lose your phone or someone walks off
846
00:35:42,973 --> 00:35:44,181
with your laptop or the like.
847
00:35:44,181 --> 00:35:46,056
There are certain things
you can do to defend
848
00:35:46,056 --> 00:35:47,961
against that inevitability, dare say.
849
00:35:47,961 --> 00:35:49,881
But you want to make
sure that, if you are
850
00:35:49,881 --> 00:35:52,220
using some of these solutions
like a password manager,
851
00:35:52,220 --> 00:35:57,021
that that long primary password you use
for it is itself really hard to guess.
852
00:35:57,021 --> 00:36:00,141
And I would say, I'm OK with
you writing that down even
853
00:36:00,141 --> 00:36:01,901
but putting it in like
a safe deposit box
854
00:36:01,901 --> 00:36:03,651
or hiding it somewhere
in the house that's
855
00:36:03,651 --> 00:36:05,841
just very low probability
of someone finding.
856
00:36:05,841 --> 00:36:08,970
Because the other problem with putting
all of your eggs in one basket,
857
00:36:08,970 --> 00:36:13,701
if you forget your password,
then you lose everything.
858
00:36:13,701 --> 00:36:16,471
And that, too, seems like a
pretty serious price to pay.
859
00:36:16,471 --> 00:36:19,881
But this is a constant battle
in computing nowadays, usability
860
00:36:19,881 --> 00:36:22,281
and security and finding
that inflection point.
861
00:36:22,281 --> 00:36:24,571
But there, too, you can be selective.
862
00:36:24,571 --> 00:36:25,071
Right?
863
00:36:25,071 --> 00:36:27,661
I called out financial
information, health information,
864
00:36:27,661 --> 00:36:29,151
your personal email, your calendar.
865
00:36:29,151 --> 00:36:31,861
Anything that's mildly more
sensitive to you or important,
866
00:36:31,861 --> 00:36:34,461
raise the bar at least
on those accounts even
867
00:36:34,461 --> 00:36:38,931
if you're not quite ready to go all
in on all of these other factors.
868
00:36:38,931 --> 00:36:41,721
Well, let's consider then where
we're using these passwords.
869
00:36:41,721 --> 00:36:43,971
Consider just a couple
of specific examples.
870
00:36:43,971 --> 00:36:44,871
Email, of course.
871
00:36:44,871 --> 00:36:47,151
Gmail is the example I used earlier.
872
00:36:47,151 --> 00:36:49,431
Gmail and email
accounts, more generally,
873
00:36:49,431 --> 00:36:51,101
are increasingly offering us features.
874
00:36:51,101 --> 00:36:52,851
And in fact, there's
one that I thought we
875
00:36:52,851 --> 00:36:55,011
could highlight as an
example of something
876
00:36:55,011 --> 00:36:58,101
that, as a CS50 student,
a CS50 family member,
877
00:36:58,101 --> 00:37:01,311
you should really start
viewing the world with a more
878
00:37:01,311 --> 00:37:03,741
skeptical eye, a little
more paranoid eye,
879
00:37:03,741 --> 00:37:06,471
and not necessarily just believe
things that websites say.
880
00:37:06,471 --> 00:37:09,021
I mean, it's mostly meaningless
when a website says--
881
00:37:09,021 --> 00:37:11,421
sometimes, with a pretty
little logo or emblem--
882
00:37:11,421 --> 00:37:13,551
our website is secure.
883
00:37:13,551 --> 00:37:14,851
What does that even mean?
884
00:37:14,851 --> 00:37:16,701
And it's again, all about relativity.
885
00:37:16,701 --> 00:37:19,791
And even Gmail, I daresay
somewhat irresponsibly,
886
00:37:19,791 --> 00:37:21,441
has this feature in recent years.
887
00:37:21,441 --> 00:37:23,061
Confidential mode.
888
00:37:23,061 --> 00:37:26,721
Is anyone-- if you're using G Suite
or Google Apps at work or workspace
889
00:37:26,721 --> 00:37:29,859
nowadays-- in the habit of
using confidential mode?
890
00:37:29,859 --> 00:37:30,651
I mean, it sounds--
891
00:37:30,651 --> 00:37:30,861
OK.
892
00:37:30,861 --> 00:37:32,451
No one's using this, so this is great.
893
00:37:32,451 --> 00:37:34,933
And I worry now that I'm
introducing you to a feature
894
00:37:34,933 --> 00:37:36,391
that you shouldn't necessarily use.
895
00:37:36,391 --> 00:37:39,501
But all this time, if
you're a Gmail user,
896
00:37:39,501 --> 00:37:42,081
there is, along the
little menu bar, an icon
897
00:37:42,081 --> 00:37:43,706
that lets you enable confidential mode.
898
00:37:43,706 --> 00:37:45,289
And later tonight, play around for it.
899
00:37:45,289 --> 00:37:47,671
Just look for it, and you'll
see exactly this screenshot,
900
00:37:47,671 --> 00:37:48,891
which I took yesterday.
901
00:37:48,891 --> 00:37:52,131
According to Google, recipients
won't have the option to forward,
902
00:37:52,131 --> 00:37:54,871
copy, print, or download this email.
903
00:37:54,871 --> 00:37:55,371
Right?
904
00:37:55,371 --> 00:37:57,111
Great for lawyers, it would seem.
905
00:37:57,111 --> 00:37:58,041
Great for business.
906
00:37:58,041 --> 00:38:00,501
Great for private correspondence.
907
00:38:00,501 --> 00:38:03,531
But why is this perhaps
a bit misleading?
908
00:38:06,201 --> 00:38:08,391
Where should the
skepticism come from here?
909
00:38:08,391 --> 00:38:10,711
Even a company like
Google, I dare say, they've
910
00:38:10,711 --> 00:38:13,731
probably buried the caveats that
I'm hinting at under the Learn More.
911
00:38:13,731 --> 00:38:15,241
But unfortunately,
that might be too late.
912
00:38:15,241 --> 00:38:15,741
Yeah.
913
00:38:15,741 --> 00:38:16,881
In back.
914
00:38:16,881 --> 00:38:19,381
AUDIENCE: Will they be able to
take screenshots of the mail?
915
00:38:19,381 --> 00:38:19,591
SPEAKER: Yeah.
916
00:38:19,591 --> 00:38:20,461
I mean, those of you
who know how to take
917
00:38:20,461 --> 00:38:21,811
a screenshot, that's the simplest way.
918
00:38:21,811 --> 00:38:23,311
If you don't know how to do
that, well, here's a phone.
919
00:38:23,311 --> 00:38:26,531
I can just take a picture of
what it is I see on the screen.
920
00:38:26,531 --> 00:38:28,681
And so these are software
defenses that are
921
00:38:28,681 --> 00:38:31,771
in place that essentially
disable the Forward button,
922
00:38:31,771 --> 00:38:33,219
disable the Print button.
923
00:38:33,219 --> 00:38:35,011
But honestly, as you
probably already know,
924
00:38:35,011 --> 00:38:37,711
once something is already
digital, I mean, it's out there.
925
00:38:37,711 --> 00:38:39,241
And there are other ways to get it.
926
00:38:39,241 --> 00:38:42,283
It might not be as high quality if
you're taking out your phone to do it,
927
00:38:42,283 --> 00:38:44,611
but you should view things
like this with skepticism.
928
00:38:44,611 --> 00:38:47,111
And even I, when I occasionally
receive something like this,
929
00:38:47,111 --> 00:38:50,221
I kind of roll my eyes but regret
that the user thinks what they're
930
00:38:50,221 --> 00:38:52,771
doing is consistent with this language.
931
00:38:52,771 --> 00:38:54,011
But it isn't necessarily.
932
00:38:54,011 --> 00:38:57,301
And so indeed, in part, from an
introduction to computer science,
933
00:38:57,301 --> 00:39:00,688
you begin to get a little scared
from what's going on out there.
934
00:39:00,688 --> 00:39:03,271
Because there are so many different
threats and so many things
935
00:39:03,271 --> 00:39:05,221
that you can't, in fact, do.
936
00:39:05,221 --> 00:39:09,631
And the onus is, unfortunately, often
on us users to read between the lines
937
00:39:09,631 --> 00:39:11,644
and see what actually is possible.
938
00:39:11,644 --> 00:39:14,311
Here's another one that you might
be more in the habit of using,
939
00:39:14,311 --> 00:39:18,151
incognito mode or private
mode in Chrome or Safari
940
00:39:18,151 --> 00:39:19,961
or Firefox or Edge or the like.
941
00:39:19,961 --> 00:39:24,031
What does incognito
mode do, if familiar?
942
00:39:24,031 --> 00:39:24,961
What's incognito mode?
943
00:39:24,961 --> 00:39:25,726
Yeah.
944
00:39:25,726 --> 00:39:28,981
It doesn't log locally
what you're doing.
945
00:39:28,981 --> 00:39:30,941
It doesn't log locally
what you're doing.
946
00:39:30,941 --> 00:39:31,441
Exactly.
947
00:39:31,441 --> 00:39:34,561
Most people here probably generally
know about things called cookies, even
948
00:39:34,561 --> 00:39:36,301
if you're not quite sure how they work.
949
00:39:36,301 --> 00:39:39,421
But they're like these little
remnants or bread crumbs
950
00:39:39,421 --> 00:39:42,961
you leave behind when visiting websites
that allow the websites to keep track
951
00:39:42,961 --> 00:39:45,121
of who you are in some sense.
952
00:39:45,121 --> 00:39:48,421
According to Google here, when
you're using incognito mode,
953
00:39:48,421 --> 00:39:50,491
Chrome won't save your browsing history.
954
00:39:50,491 --> 00:39:51,811
So that's good.
955
00:39:51,811 --> 00:39:55,321
Cookies and site data,
information entered into forms.
956
00:39:55,321 --> 00:39:58,501
But to their credit, they do disclaim
that your activity might still
957
00:39:58,501 --> 00:40:01,921
be visible to the websites you
visit, your employer or school,
958
00:40:01,921 --> 00:40:03,406
your internet service provider.
959
00:40:03,406 --> 00:40:05,281
So they're getting better
at at least helping
960
00:40:05,281 --> 00:40:07,981
you evaluate by giving more
of the facts whether you
961
00:40:07,981 --> 00:40:09,691
do or don't want to do this.
962
00:40:09,691 --> 00:40:14,461
But this doesn't mean that the
websites you're visiting, indeed,
963
00:40:14,461 --> 00:40:15,271
don't know who you are.
964
00:40:15,271 --> 00:40:17,363
All of our computers
have unique addresses,
965
00:40:17,363 --> 00:40:20,071
these things called IP addresses
that you might have heard about.
966
00:40:20,071 --> 00:40:22,501
In CS50, we'll explore these
in another week's time.
967
00:40:22,501 --> 00:40:26,341
Your computer is constantly
leaking information that
968
00:40:26,341 --> 00:40:28,691
could be used to infer who you were.
969
00:40:28,691 --> 00:40:30,751
So this is really just
best left when you
970
00:40:30,751 --> 00:40:34,321
don't want to accidentally, on like a
friend's computer or a lab computer,
971
00:40:34,321 --> 00:40:35,448
remain logged in.
972
00:40:35,448 --> 00:40:38,531
Because cookies are typically used to
just remember that you've logged in.
973
00:40:38,531 --> 00:40:41,161
So if you use a friend's
computer, you use incognito mode
974
00:40:41,161 --> 00:40:42,301
and just close the window.
975
00:40:42,301 --> 00:40:42,801
Boom.
976
00:40:42,801 --> 00:40:44,161
You're effectively logged out.
977
00:40:44,161 --> 00:40:49,501
But even as Google disclaims,
there's other caveats there, too.
978
00:40:49,501 --> 00:40:52,801
So what else might we keep in mind?
979
00:40:52,801 --> 00:40:55,621
Let's consider one other
big one that's another thing
980
00:40:55,621 --> 00:41:00,301
to start looking for increasingly
in order to keep yourself secure,
981
00:41:00,301 --> 00:41:02,191
and this one's a little more technical.
982
00:41:02,191 --> 00:41:03,241
Encryption.
983
00:41:03,241 --> 00:41:06,481
And as CS50 students will know, this
is something you can implement in code.
984
00:41:06,481 --> 00:41:08,064
And in fact, let me ask this question.
985
00:41:08,064 --> 00:41:11,221
What does it mean to encrypt something?
986
00:41:11,221 --> 00:41:14,994
Think back to pset2 and
Caesar and the like.
987
00:41:14,994 --> 00:41:16,411
Let me look a little farther back.
988
00:41:16,411 --> 00:41:18,786
Almost any student hands should
theoretically be up here.
989
00:41:18,786 --> 00:41:19,532
Yeah.
990
00:41:19,532 --> 00:41:22,418
AUDIENCE: You can substitute
characters [INAUDIBLE]
991
00:41:22,418 --> 00:41:25,173
so that you can't read
it as the first ones.
992
00:41:25,173 --> 00:41:25,881
SPEAKER: Exactly.
993
00:41:25,881 --> 00:41:28,941
Encryption is all about
substituting one letter for another
994
00:41:28,941 --> 00:41:32,031
and generally scrambling the
appearance of some message
995
00:41:32,031 --> 00:41:35,151
up so that the recipient knows
how to reverse that process
996
00:41:35,151 --> 00:41:36,651
and see what you actually sent.
997
00:41:36,651 --> 00:41:40,011
But anyone intervening in
between you can't actually
998
00:41:40,011 --> 00:41:41,751
see the information between you.
999
00:41:41,751 --> 00:41:48,341
So just to impress the parents in the
room, any students, what does this say?
1000
00:41:48,341 --> 00:41:49,391
We're not ending here.
1001
00:41:49,391 --> 00:41:50,561
AUDIENCE: This was CS50.
1002
00:41:50,561 --> 00:41:51,818
SPEAKER: This was CS50.
1003
00:41:51,818 --> 00:41:53,901
That's what it would say,
but notice the scramble.
1004
00:41:53,901 --> 00:41:56,621
Let me go back and
forth, back and forth.
1005
00:41:56,621 --> 00:42:06,371
In this message, t becomes u, h
becomes i, i becomes j, s becomes t.
1006
00:42:06,371 --> 00:42:10,724
This is what we called a few weeks ago,
in CS50, a rotational cipher, a Caesar
1007
00:42:10,724 --> 00:42:12,641
cipher, that literally
does, as you described,
1008
00:42:12,641 --> 00:42:14,531
substitutes one letter for the next.
1009
00:42:14,531 --> 00:42:16,781
But it does so in a
very predictable way.
1010
00:42:16,781 --> 00:42:18,871
A becomes B, B becomes C, and so forth.
1011
00:42:18,871 --> 00:42:22,121
And we also talked, weeks ago, that you
don't have to keep it that simplistic.
1012
00:42:22,121 --> 00:42:24,581
You can use a bigger
mathematical formula
1013
00:42:24,581 --> 00:42:27,671
to make it at least harder for
some adversary to figure out.
1014
00:42:27,671 --> 00:42:33,161
But you and I, as users these days, are
constantly thankfully using encryption.
1015
00:42:33,161 --> 00:42:36,461
You probably generally know
that you should be hoping for,
1016
00:42:36,461 --> 00:42:38,051
expecting this these days.
1017
00:42:38,051 --> 00:42:39,761
Like HTTPS is a good thing.
1018
00:42:39,761 --> 00:42:42,041
S means secure, literally.
1019
00:42:42,041 --> 00:42:45,341
And any website that has
that in its URL indicates
1020
00:42:45,341 --> 00:42:49,031
to you that you and the website
are having an encrypted,
1021
00:42:49,031 --> 00:42:51,041
a scrambled communication,
which means, if you
1022
00:42:51,041 --> 00:42:53,411
type in your password, your
credit card information,
1023
00:42:53,411 --> 00:42:57,461
anything else personally, no one between
you theoretically, points A and B,
1024
00:42:57,461 --> 00:43:00,431
should be able to know what it is
you've typed into that web page.
1025
00:43:00,431 --> 00:43:02,861
The web page absolutely
can, because they
1026
00:43:02,861 --> 00:43:06,701
have the ability to decrypt that
information, to reverse the process.
1027
00:43:06,701 --> 00:43:09,651
But at least encryption
is generally a good thing.
1028
00:43:09,651 --> 00:43:12,881
But today, let's take that one
step further and encourage you all
1029
00:43:12,881 --> 00:43:16,421
to be looking for, expecting, if
you will, as consumers increasingly
1030
00:43:16,421 --> 00:43:19,571
in the coming years, something
better than encryption alone
1031
00:43:19,571 --> 00:43:22,541
but end-to-end encryption.
1032
00:43:22,541 --> 00:43:26,094
And you're starting to hear about,
read about this a little bit more.
1033
00:43:26,094 --> 00:43:27,761
But it's perhaps a little less familiar.
1034
00:43:27,761 --> 00:43:33,221
Someone in the room, who's familiar,
what is end-to-end encryption?
1035
00:43:33,221 --> 00:43:34,371
Let me give folks a moment.
1036
00:43:34,371 --> 00:43:39,231
What is end-to-end encryption?
1037
00:43:39,231 --> 00:43:39,731
OK.
1038
00:43:39,731 --> 00:43:41,477
Yeah.
1039
00:43:41,477 --> 00:43:46,297
AUDIENCE: It's where you
always try [INAUDIBLE].
1040
00:43:46,297 --> 00:43:49,496
WhatsApp encrypts a message
on one side and sends it
1041
00:43:49,496 --> 00:43:51,121
where it's encrypted on the other side.
1042
00:43:51,121 --> 00:43:51,704
SPEAKER: Good.
1043
00:43:51,704 --> 00:43:54,161
So it's when an app, like
WhatsApp, encrypts a message,
1044
00:43:54,161 --> 00:43:57,131
but it's encrypted all the way to
the other side, to the recipient.
1045
00:43:57,131 --> 00:43:59,491
Even though Facebook, in
this case, owns WhatsApp,
1046
00:43:59,491 --> 00:44:03,061
even though your message is going
through Facebook or Meta servers,
1047
00:44:03,061 --> 00:44:05,731
they do not have
theoretically the ability
1048
00:44:05,731 --> 00:44:09,361
to decrypt your message, whatever
chat message you've sent to a friend.
1049
00:44:09,361 --> 00:44:13,981
They are just sending seemingly random
zeros and ones all the way to the end
1050
00:44:13,981 --> 00:44:15,811
user who can then decrypt it.
1051
00:44:15,811 --> 00:44:19,271
If you're an iPhone user, iMessage,
for instance, does this automatically.
1052
00:44:19,271 --> 00:44:22,218
So long as your text messages
are blue and not green,
1053
00:44:22,218 --> 00:44:25,051
that means you're using iMessage
in Apple's platform that does this.
1054
00:44:25,051 --> 00:44:27,061
But let's focus perhaps
on something that's
1055
00:44:27,061 --> 00:44:30,701
been all too familiar to most
of us over this past year, Zoom.
1056
00:44:30,701 --> 00:44:31,201
Right?
1057
00:44:31,201 --> 00:44:33,271
Zoom actually took some
flak some months ago.
1058
00:44:33,271 --> 00:44:35,063
Because in their
marketing literature, they
1059
00:44:35,063 --> 00:44:37,111
were advertising end-to-end encryption.
1060
00:44:37,111 --> 00:44:41,281
They were not implementing end-to-end
encryption, at least initially.
1061
00:44:41,281 --> 00:44:43,703
This was probably marketing
gone awry, not quite
1062
00:44:43,703 --> 00:44:45,661
understanding what
end-to-end encryption means.
1063
00:44:45,661 --> 00:44:46,921
They were using encryption.
1064
00:44:46,921 --> 00:44:50,071
And what that meant is that, if I
were having a meeting with a colleague
1065
00:44:50,071 --> 00:44:52,691
or you were sitting in on
a class with a teacher,
1066
00:44:52,691 --> 00:44:57,301
you might have an encrypted connection--
all of you-- to Zoom centrally,
1067
00:44:57,301 --> 00:45:01,081
but they had the ability-- early on
and still now if you leave this feature
1068
00:45:01,081 --> 00:45:01,591
off--
1069
00:45:01,591 --> 00:45:05,731
to decrypt that information and see
and listen to theoretically anything
1070
00:45:05,731 --> 00:45:08,341
going on in that meeting
or that classroom.
1071
00:45:08,341 --> 00:45:11,641
Now, technologically, there's not
really a good defense against that
1072
00:45:11,641 --> 00:45:13,411
if using that older approach.
1073
00:45:13,411 --> 00:45:14,941
All it really is is policy.
1074
00:45:14,941 --> 00:45:18,521
Or hopefully, there's rules in place,
there's contracts in place that say,
1075
00:45:18,521 --> 00:45:21,001
well, yeah, that's
possible, but don't do that.
1076
00:45:21,001 --> 00:45:24,631
End-to-end encryption is a
stronger guarantee for you
1077
00:45:24,631 --> 00:45:27,716
that circumvents that risk
altogether by ensuring
1078
00:45:27,716 --> 00:45:30,841
that, if you're tuning into that class
or you're logging into that meeting,
1079
00:45:30,841 --> 00:45:33,691
all of the zeros and ones are
going through Zoom servers,
1080
00:45:33,691 --> 00:45:37,151
just like Facebook's,
but only the end users--
1081
00:45:37,151 --> 00:45:39,901
only the students and teachers,
only the colleague and colleague--
1082
00:45:39,901 --> 00:45:44,251
can actually decrypt and see and
hear what it is that's being said.
1083
00:45:44,251 --> 00:45:47,469
And if you're one who schedules Zoom
meetings, you can actually see this.
1084
00:45:47,469 --> 00:45:50,011
For instance, here's a screenshot
that I took yesterday, too,
1085
00:45:50,011 --> 00:45:52,171
scheduling like a Zoom
meeting for today.
1086
00:45:52,171 --> 00:45:55,441
And you'll see that you can choose
the day and the time, the password.
1087
00:45:55,441 --> 00:45:55,951
Haha.
1088
00:45:55,951 --> 00:45:59,191
And also down here,
the encryption level.
1089
00:45:59,191 --> 00:46:02,701
And by default, it's typically
enhanced encryption, which is stupid.
1090
00:46:02,701 --> 00:46:03,866
Like enhanced encryption.
1091
00:46:03,866 --> 00:46:04,741
It's just encryption.
1092
00:46:04,741 --> 00:46:08,201
And in fact, it's sort of worse
encryption than the other checkbox,
1093
00:46:08,201 --> 00:46:10,991
which is end-to-end encryption.
1094
00:46:10,991 --> 00:46:12,301
But there's this little caveat.
1095
00:46:12,301 --> 00:46:14,941
And here, too, consistent with
this reality in computing,
1096
00:46:14,941 --> 00:46:16,111
there's always a trade-off.
1097
00:46:16,111 --> 00:46:16,611
Right?
1098
00:46:16,611 --> 00:46:19,141
It's not all upside and all win.
1099
00:46:19,141 --> 00:46:21,661
Several features will be
automatically disabled
1100
00:46:21,661 --> 00:46:23,611
when using end-to-end
encryption, including
1101
00:46:23,611 --> 00:46:25,861
cloud recording and some phone stuff.
1102
00:46:25,861 --> 00:46:28,531
I mean, that's already kind
of a big loss for a class,
1103
00:46:28,531 --> 00:46:31,201
for instance, a conference that
wants to keep the sessions.
1104
00:46:31,201 --> 00:46:32,461
But it kind of makes sense.
1105
00:46:32,461 --> 00:46:32,961
Right?
1106
00:46:32,961 --> 00:46:35,821
If the data is encrypted
between all of the end users
1107
00:46:35,821 --> 00:46:39,539
and, therefore, Zoom has no
eyes into the data or ears,
1108
00:46:39,539 --> 00:46:42,331
then it makes sense that they can't
record it for you in the cloud.
1109
00:46:42,331 --> 00:46:45,631
Because it's completely,
completely scrambled to them, too.
1110
00:46:45,631 --> 00:46:49,291
So a good primitive to have
in place but also something
1111
00:46:49,291 --> 00:46:52,261
that you need to sacrifice
in terms of usability.
1112
00:46:52,261 --> 00:46:55,051
Well, in our final moments
here, let me flip back over
1113
00:46:55,051 --> 00:46:57,241
to where our hacking tool is.
1114
00:46:57,241 --> 00:47:01,171
It would seem that eight characters
is doing really well, because we still
1115
00:47:01,171 --> 00:47:03,521
got three As at the beginning of this.
1116
00:47:03,521 --> 00:47:05,621
So that might be, in
fact, one take away.
1117
00:47:05,621 --> 00:47:08,671
And in fact, let me flip over and
propose three pieces of homework
1118
00:47:08,671 --> 00:47:09,571
for everyone here.
1119
00:47:09,571 --> 00:47:12,094
One, use a password
manager, the one that's
1120
00:47:12,094 --> 00:47:14,011
built into your phone
or your operating system
1121
00:47:14,011 --> 00:47:15,541
or pay a little something
more for something
1122
00:47:15,541 --> 00:47:17,191
that you might like a little better.
1123
00:47:17,191 --> 00:47:21,511
Two, use two-factor authentication
for more of your accounts.
1124
00:47:21,511 --> 00:47:23,576
Maybe not all but at least
more of your accounts,
1125
00:47:23,576 --> 00:47:25,201
and that's certainly a net improvement.
1126
00:47:25,201 --> 00:47:28,681
And then three, use not just
encryption but end-to-end encryption.
1127
00:47:28,681 --> 00:47:32,371
And unfortunately, these features are
not all quite as simple as, oh, well,
1128
00:47:32,371 --> 00:47:35,131
let me just check the
box and turn on something
1129
00:47:35,131 --> 00:47:38,281
that's always been available to me,
because it's not always been available.
1130
00:47:38,281 --> 00:47:40,984
And Zoom, only once they
got in trouble for this,
1131
00:47:40,984 --> 00:47:43,651
did they acquire some other company
that implements this feature
1132
00:47:43,651 --> 00:47:45,551
and then add it to their software.
1133
00:47:45,551 --> 00:47:48,571
But as users, as consumers,
as parents, as students,
1134
00:47:48,571 --> 00:47:52,591
considering choosing one tool or
another because of these features
1135
00:47:52,591 --> 00:47:54,781
is really something you
are empowered to do.
1136
00:47:54,781 --> 00:47:56,761
And do not use those
tools that you don't think
1137
00:47:56,761 --> 00:47:59,473
meet some threshold of comfort for you.
1138
00:47:59,473 --> 00:48:01,681
For more on this and computer
science more generally,
1139
00:48:01,681 --> 00:48:05,073
any of you can take CS50
online at edx.org/cs50.
1140
00:48:05,073 --> 00:48:06,281
It's been so nice to see you.
1141
00:48:06,281 --> 00:48:07,323
Happy to chat one-on-one.
1142
00:48:07,323 --> 00:48:09,601
But otherwise, have a
wonderful day here on campus.
1143
00:48:09,601 --> 00:48:11,031
This was CS50.
1144
00:48:11,031 --> 00:48:12,881
[APPLAUSE]
1145
00:48:12,881 --> 00:48:45,000
[MUSIC PLAYING]