JONATHAN LEHRICH: Hello, and welcome
to a discussion of cybersecurity,
with CS50's David J Malan, Keeping
Your Laptop and Phone Secure.
This is a Socialize Remotely
signature event,
brought to you by Harvard's
office of the Vice Provost
for Advances in Learning.
CS50 and socializeremotely.harvard.edu.
Thank you all for joining us tonight
for our discussion of cybersecurity
with CS50's David Malan.
In 2019, the most common password
by one measure was 123456,
and the fourth most common
password was password.
Suffice it to say we can do better.
And there are trade-offs, so let's
have a discussion of cybersecurity
and learn how you can keep your
laptop and phone more secure.
Just how private are
your emails and texts?
What's end-to-end encryption?
Is Zoom actually bad?
Just what does Incognito mode do?
All this and more are
our subjects tonight.
Our speaker tonight, David J
Malan, is Gordon McKay Professor
of the Practice of Computer Science at
the School of Engineering and Applied
Sciences and a member of
the Faculty of Education
at the Graduate School of
Education at Harvard University.
He teaches Computer Science
50, otherwise known as CS50,
which is Harvard University's largest
course and one of Yale University's
largest courses and edX's largest MOOC,
with over 1.9 million registrants.
David also teaches at Harvard Business
School, the law school, the extension
school, and the summer school.
All of his courses are freely
available as OpenCourseWare.
Without further ado, let's begin
our discussion of cybersecurity.
David, the virtual floor is yours.
DAVID MALAN: All right.
Well, hello everyone.
My name is David Malan, indeed.
Thank you, Jonathan,
for that introduction.
So for those of you who
are alumni, I myself
lived in Matthews
Hall my freshman year.
Familiar?
I went on to live in Mather
House for three years
and ended up graduating class
of 1999, was computer science,
and then eventually years later
found my way back to the PhD program
and then more recently
to the helm of CS50,
teaching at FAS and
HBS, HLS, and the like.
So nice to see so many
faces here tonight.
Please feel free to turn on your video,
if you are comfortable participating
visually as well.
At any point, if you have any
questions or contributions
that you'd like to make, an answer
to any questions I might ask, please
feel free to use the blue
Raise Hand feature of Zoom.
If you open your Participants
window, which is probably
an icon along the bottom
of your screen, that
will reveal all of
tonight's participants,
and there should be an icon via which
you can raise your hand virtually.
And I'll do my best to
field those questions.
But if not, please feel free to
follow up by email afterward instead.
I'm also joined by one of
CS50's own staff members
and a colleague of mine, Brian Yu.
Allow me to draw
attention to him as well.
BRIAN YU: Hi, everyone.
I'm Brian.
I graduated from the college in 2019,
where I lived in Winthrop House.
I studied computer
science and now I work
as a preceptor at Harvard's
Division of Continuing Education,
working with the CS50 and a number
of other computer science classes.
So looking forward to
today's discussion.
DAVID MALAN: All right.
So of course, tonight is entitled
Keeping Your Phone and Laptop Secure.
So let me just start with
kind of a warmup question.
Within Zoom's Participants
window, you should also
see a Yes icon and a No icon,
most likely in green and red.
And let me just ask first one question--
is your laptop or
desktop computer secure?
Those of you who are
here in Zoom with us,
if you'd like to go ahead and
say Yes with the green icon or No
with the red icon.
Let's get a sense of the vote tallies.
So, so far I'm seeing a lot of
secure laptops and desktops.
More than twice as many
of you say Yes versus No.
The votes here are still coming in,
and I'm seeing numbers like 34 of you
at the moment are saying, yes,
your laptop or desktop is secure.
14 of you are saying, no, it's not.
So hopefully we can help the latter
of you this evening as well.
Let me go ahead and put all the hands
down and ask one follow-up question now
about your phone.
Odds are, these days, you have an iPhone
or Android or perhaps something else.
Is your phone secure?
If you'd like to buzz in with the same
buttons, green for Yes, red for No.
So we're seeing pretty similar numbers.
A few of you who said, yes, your laptop
or desktop is secure seem to now be
saying, no, your phone isn't.
So hopefully we can patch
those holes tonight too.
I'm currently seeing 31 yeses
and 18 no's so some opportunity
for improvement.
But I think I'm being a bit
unfair with the question itself.
What does it even mean for your
phone or your laptop to be secure?
Might anyone with their
microphone on be comfortable
raising your blue virtual
hand for Brian and me
to call on to see if we can get
an initial response to this--
what does it even mean for your
phone or your laptop to be secure?
Taylor, if you want to go ahead
and unmute yourself and respond.
TAYLOR: I think protected
against something malicious.
DAVID MALAN: OK.
I like that.
Protected against something malicious.
Let's take another one.
Yvarro, if I'm pronouncing
your name right.
Do you want to chime in too?
YVARRO: Yes.
It's Yvarro.
Thank you.
Hi, Brian.
I'm a Brian student.
I was actually.
Yes.
I think secure means it's
safe against hackers,
against someone who would try to break
into either your phone or the laptop,
maliciously.
DAVID MALAN: OK.
All of you think about it
in a somewhat different way,
certainly in some way that guides
you to answering that question
in the first place.
Yes, your phone or laptop
is secure or, no, it's not.
The catch, though, when
it comes to security
is that that question isn't really
fair, because there's really
no absolute truth when it
comes to, is something secure?
What we should really be doing and
what we should really be thinking about
is probabilistic security
or the probability
that someone will or will
not get into your device
and access your data when you
don't want them to actually do so.
And it's helpful too to start thinking
about security in terms of really costs
and benefits, because just
like in the physical world,
you can secure all the more your home or
your apartment or your car or the like.
There's typically some cost for doing
that and adding more and more locks
or more and more security.
And at some point, you may
very well break the bank
when trying to keep
those adversaries out.
So really security is
about finding this balance,
finding that inflection
point where the cost to you
does not out-whelm the benefit to you.
And yet the fundamental catch
with security, I dare say,
is that we, if we're allowed to
think of ourselves as the good guys,
so to speak, we're sort of at
a fundamental disadvantage.
Why might it be the case that the
bad guys, adversaries so to speak,
have the fundamental advantage when
it comes to matters of security?
Why should we be a little bit afraid?
Why should we be a little bit paranoid?
Any thoughts?
Douglas, over to you.
DOUGLAS: Well, it's kind of
a weakest link thing, right?
If there's a single
hole, they can come in.
We have to plug all of the holes.
DAVID MALAN: Very well said.
Let's take another formulation of it.
Eli, over to you.
ELI: Well, sure.
I was just going to say
we don't necessarily
know what kind of attack vectors
they're going to be using,
and they may be familiar with
all the security measures
that we're trying to use.
DAVID MALAN: Absolutely as well.
And let's take one more thought here.
How about Wendy, over to you.
WENDY: I think that we use our
phones and our computers to do work,
and I think that those people that
are trying to get to us, all they do
is do that.
DAVID MALAN: Indeed.
The bad guys seem to have way
more free time than we do.
And I especially like
Douglas's mental model for it
too, because just as in
the physical world, where
you might have the best, most
expensive, the strongest lock
on your front door of your home,
if you leave the window unlocked,
that's going to be the lower bar for
the adversary to get over and into.
And so it doesn't matter
how secure your front door
is if the window or the back door or
the side door are any less secure.
And so whereas we, the
good guys so to speak,
kind of have to be perfect when it comes
to security on top of, as Wendy says,
doing our own real-world
real work, we also
have to be perfect, because the
adversary, as Douglas notes,
just has to find one mistake.
If we so much as make
one mistake, that's
going to be the window that
they potentially get through.
So it really is this cat-and-mouse
game or really a leaky hose,
if you want yet another
metaphor, whereby every time we
plug one hole or leak in the hose,
another one might very well spring up.
And so the goal really is to raise
all of these security thresholds,
ideally in parallel, so
that no one point of entry
is any less secure than another.
Now, of course, in the digital world, we
have not locks and bars on the windows
per se, but we have other
mechanisms with which all of us
are surely familiar, like
passwords, for instance.
So a password, suffice it
to say, is a good thing,
because it probably
keeps the bad guy out.
Only you, hopefully, know your password
to your email account, to your Mac,
to your PC, to your phone.
And so a password would seem
to keep out the adversaries.
But do passwords make your
laptops and phones secure?
Any verbal response to this
via a show of a blue hand?
Does a password make your
phone or laptop secure?
Anna, what do you think?
ANNA: It depends as to how
cryptic you design your password
and how common it is.
And if you don't write it
down on a piece of paper.
DAVID MALAN: Absolutely.
So it's one thing to have a password.
You're probably shooting
yourself in the foot
if you're one of those folks who has
it on their monitor on a sticky note,
for instance, or even if you're
not that blatant about what it is,
if it's just relatively easy to guess.
And unfortunately, this
is all too often the case.
And as Jonathan noted
with one spoiler, it's
certainly well-known by
researchers that a lot of us
are really bad at choosing passwords.
So case in point, as of 2019, just
a few months ago at year's end,
did security researchers
take a look at essentially
databases worth of stolen passwords from
the internet over the past year or so.
And they made a top-10 list of the
most common passwords that they found.
And it's a little unsettling.
A lot of us are using passwords,
but we're using passwords
like 123456, which as
of last year, which
was the most common
password for people to use.
Two was 123456789, so a little
longer, a little harder to guess.
But frankly, it doesn't seem all
that much harder fundamentally.
The third one was qwerty, which
might look like an unfamiliar word,
but if you're on a US keyboard and
you look down right now on your laptop
or desktop and look at the top left
corner, you should see Q-W-E-R-T-Y.
So not so clever indeed.
Fourth was literally password.
Fifth was 1234567.
Interesting that it came in between
positions one and two there.
Six was 12345678.
You're seeing a pattern perhaps now.
Seven was 12345.
Eight was adorable,
Iloveyou, is apparently
an incredibly common password.
So if you think you're
being clever with that,
no matter who you're
thinking of when you type it,
so are a lot of other
people in the world.
In position nine is just 111111,
and in position 10 was 123123.
And from those last two, you can
probably infer what kind of systems
the people are on.
They're probably on a system
that requires at a minimum
that your password be, what,
six digits or characters long.
And that's the low bar
that they satisfied there.
So it would seem that even though
passwords might very well help secure
our devices, like we have to
participate in the design thereof,
and we need to be a little smarter about
it, because adversaries are out there.
And they can attack our accounts.
But let's be clear on what we mean here.
How might an adversary, someone
perhaps even unbeknownst to you,
get into your Gmail account
or get into your phone?
Like, physically, what might they do?
What is the threat, even
when you have a password?
Could someone put their finger on that?
Even if you have a
password, what physical acts
might you still be worried
about, just to be clear?
How about back to Eli?
ELI: They could brute force your
password or somehow social engineer
it if they know some other
personal information of yours.
DAVID MALAN: Yeah.
Well said.
Brute force means to really
try all possible passwords
and see if you're right eventually.
Social engineering
might be maybe send them
an email that looks like
it's from the IT department
and trick a person into
telling you their password,
maybe by replying to that email
or some other social mechanism.
Stein, would like to offer
your perspective too?
STEIN: I would phrase it as inviting
them into your network, in essence.
You've allowed them into a space
that you thought was secure,
and they can access you
and find out information.
They find out information
maliciously that you
don't realize you're giving up.
DAVID MALAN: Absolutely.
Well said as well.
And how about Christo,
what's your thought here?
CHRISTO: Yeah, if they
indeed have physical access,
they could put malware or a key
logger or any number of things
if they had physical
access to your computer.
DAVID MALAN: Yeah.
And that's a good one.
If you've never heard
the term, a key logger,
which rather says what it is,
if you think about the term,
is some piece of malicious software or
malware that's installed on a Mac or PC
or maybe even a phone that is literally
logging all of your keystrokes.
And at that point, all
of this security is
out the window, because even if you
have the best password ever that no one
else has, it doesn't matter
if you're going and typing it
into a machine that's
listening to every keystroke
and that some adversary can then go and
retrieve from that machine thereafter.
And so as an aside, if you're
currently in the habit,
for instance, of using not only your
own work laptop or desktop, not only
your own home computer,
not only your own phone,
but maybe you sit down at a
colleague's computer once in a while,
maybe you go into a
computer lab, maybe you're
comfortable using a friend's or a
significant other's laptop or desktop,
you might very well want
to rethink those practices,
because who knows what's
on those machines?
It might not be your
friend or significant other
who is the adversary, hopefully, but who
knows indeed what's on their machine.
So keeping that in mind too can at
least narrow the scope of the threats
there too.
But it was Eli who noted this term
of art earlier, a brute-force attack.
And this indeed refers to the
ability of some adversary,
often someone who knows
a bit about programming,
to just guess your password
really by trial and error,
but a little more methodical than that.
Rather than just try random passwords,
what a skilled hacker, so to speak,
might do or frankly anyone who's taken
an introductory programming class might
do, is literally just try
all possible passwords.
So for instance on your iPhone,
if you're required to have like
a four-digit code or on your
Android device, a four-digit code,
four numbers, obviously an adversary, if
they had physical access to your phone,
could try 0000, which wouldn't
of course be a good one.
So maybe you're more clever than
that and 0001 or 0002 or dot dot dot,
all the way up to 9999.
Now, it might be a little tedious in
the physical world to type all of those
guesses in, but eventually that
adversary will figure out your passcode
if it's only four digits long.
And this isn't that hard to do.
Let me go ahead and change
my window a little bit
to another program that's going
to allow me to write some code.
And if you've never seen code before or
written code before, that's quite OK.
I'm going to go ahead and
write a program called crack.
Crack is a term of art which means
to figure out someone's password.
I'm going to use a
language called Python,
and it's fine if you've not seen this.
But it's relatively
straightforward to write
code that tries all possible passcodes
for an iPhone or an Android device.
I'm going to go ahead and
type some code at the top here
that imports all of the digits
that exist that humans use.
So 0 through 10 essentially.
I'm also going to ask
the computer to give me
access to a function called
Product that's just going
to allow me to combine these values.
And lastly, I'm going to do this--
I'm going to say for a passcode in
the product of all possible digits,
repeating them four times, go ahead and
print out essentially that passcode.
So I did this quite quickly to be fair.
But essentially, what I've just done is
write some code that's going to start
at 0000, and it's going to count all the
way up to 9999 to demonstrate with what
four lines of code can
do for an adversary.
I'm going to go ahead and so
long as I've made no mistakes,
I'm going to go ahead and run Python,
the language I've just written this in,
and I've indeed made a mistake.
Let me go ahead and fix that real quick.
And now, as though that never happened,
let me go ahead and run this program.
Done.
So if I am the hacker
you're worried about
or the adversary you're
worried about, you
should be because it took
me, what, 30 seconds to write
the code, less than one second
to run the code, and boom.
I'm potentially into your device.
Now you might think this is a little
silly, because it's quite disconnected
from the physical phone, but
there are ways an adversary could
automate this process.
In fact, Brian, would you
mind going ahead and sharing
a little video of one such adversary?
You should see on the
shared screen, here
is a more robotic approach
to literally what I just
did, where someone wrote code that
controls a little robotic arm that
has a sort of virtual finger that's
pressing down on that Android
device in whatever
location seems appropriate
based on the digits the
code wants them to input.
Now, of course, using a four-digit
code is surely not the best idea.
So let me go ahead and
re-share my screen here
and go ahead and change this
program just a little bit.
Let me go ahead and write a slightly
different version this time.
I'll call this crack2
for my second version.
And this time, let me be smarter.
Much like you, I'm going to try
guessing-- picking a password that
happens to be an English word.
Odds are, for one or more
of your own accounts,
you have some account that
uses an English word that's
a little easy to remember.
There's a lot of words
in the English language.
There's at least, like what,
140,000 that I can think of--
that I know of.
And in fact, I brought
with me a big file
containing all of the English
words available to me,
and I'm going to go ahead and do this.
I'm now going to write code that
says for each word in a file
called dictionary.txt, which is the file
that I brought with me this evening,
I'm going to go ahead
and read that file.
I'm going to go ahead and
split it into separate lines,
because there's one word per line.
And now I'm just going to go
ahead for us and print each word.
So if I were an adversary now,
trying to guess someone's password
that happens to be an
English word, let me
go ahead and try all possible
words among my 140,000
English-word dictionary.
Done.
So now I've not just
counted from 0000 to 9999,
I literally scrolled through
140,000 separate words.
And that's literally as
quickly as a computer can do.
Now, suffice it to say, you
don't need to use a robot.
You could actually write code,
connect it to someone's iPhone
or Android phone via a cable, and then
have the software sort of automatically
input that for us.
So let me ask a question now.
What would be better than
using a four-digit code or even
an English word for a password?
What might be smarter than this?
Any raises of blue hands?
What might be smarter?
Taylor, what would you say?
TAYLOR: If you could include
letters or other characters
as well and length of the password.
DAVID MALAN: Very well said.
So letters, changing
the length certainly.
Jim, do you have another perspective?
JIM: Also restricting it that
it can't use an English word.
DAVID MALAN: OK.
So good.
So if clearly it's this
easy to pick English words,
let's just avoid English
words in our passwords.
I like that.
Gil, over to you?
GIL: What I was going to
say was you could also
increase the password length, make it
alpha-numeric with special characters.
You could also implement a password
lockout, where after so many attempts
you could freeze the
account so they wouldn't
be able to log in unless they try
some other means of authenticating
who they are.
DAVID MALAN: I like that.
So not only make the password
harder itself, but also
have a second gauntlet in place so
that if the password is somehow--
if an adversary does start guessing,
you can at least slow them down somehow.
So let me try the first of the
ideas here that was offered up
and just write something that actually
uses letters minimally, right?
Instead of restricting myself to English
words or 0 through 9, let me go ahead
and use some English or
some Roman letters here.
So let me go ahead and do this.
This time, let me give
myself access to what I'm
going to call ASCII lowercase, which
is a fancy way of saying go ahead
and give me access to a
through z in all lowercase.
Then I'm going to go ahead and
from that same code earlier,
I'm going to go ahead and import what's
called Product, which just allows
me to combine all of these characters.
And this time around, I'm going
to go ahead and do for pass code
in, the product of all of
those lowercase letters,
and I'll start simple.
I'll keep it short.
Let me go ahead and
repeat it just four times.
And then let me go ahead
and print this again.
So again, some of this code might look
a little cryptic, but all I'm doing here
is now generating four-letter
pass codes or passwords.
So let me go ahead and run this code.
This is my third version
here in crack3.py,
and you'll see that still kind of fast,
but it did take a second or two longer.
Let me actually harden this a
little bit based on feedback.
What if I change the 4 to a 6.
So now it's a six-letter
phrase using lowercase letters.
What do we have here?
Well, let me go ahead and
rerun the program now.
And you'll see, even if
your video is a little slow,
it's not nearly done yet.
In fact, as these words--
these not even words-- as these strings
of characters scroll by on your screen,
we haven't even gotten to the
sequences of letters that even start
with b let alone c or d or e or f.
We're only halfway, it
would seem, through the a's.
So just by increasing the length
of our password or passcode,
you really start to create
a huge amount of work
for the adversary that's
going to make it harder
for them to get into your account.
And let me do one final flourish.
If I go in now to this version here,
my fourth and final, let me go ahead
and give myself even
more expressiveness.
So let me go ahead and import what
we'll call ASCII letters, which
means lowercase and uppercase.
Let me give myself some digits
and, as was just proposed by Gil,
let me give myself some punctuation.
I'm again going to use
this Product thing.
So import product.
And now let me do a slightly
different line of code here.
For a passcode in, the product
of any of these ASCII letters,
plus digits, plus punctuation,
let me go ahead and now repeat it
even only four times.
And now let me go ahead and
print out each of these things
so we can see what it is the
adversary might be trying.
So now, we have
four-character passwords that
are going to be much harder,
it would seem, to sift through,
because this seems to be
going much, much more slowly
than when it was only
letters of the alphabet.
And in fact, we're only
up through the C's.
Let me make it a little longer.
Let me go a little crazy here
and say something like eight
this time, which isn't even that long.
Rerun the code now.
And we could be here
for quite a while now.
As you can see, all of these possible
passcodes that start with AAAA
can rather go on for
quite a bit of time.
So let's put some actual
numbers to this too
and how you might think about actually
improving the security of your system
by just choosing better passwords,
longer passwords, for your own devices.
Well, if we had, for
instance, a four-digit
passcode, just how hard
is it for an adversary
to hack into your iPhone
or Android device?
Well, according to the code I wrote,
it took, what, like a split second.
But let's quantify that.
If you have a four-digit
passcode, each of those digits
is 0 through 9, that means you have 10
possible values for the first number
times 10 for the second, times 10
for third, times 10 to the fourth,
or there's 10,000 possible
codes that are only four digits.
So it means the adversary just
has to try 10,000 possibilities,
and they will definitely
hack into your phone.
What if we have a four-letter pass code?
So not digits but letters.
Well, if we just assume
lowercase for simplicity now,
that's 26 possibilities
times 26, times 26, times 26.
That's going to give us 456,976
possible passcodes for the adversary
to get through.
And that's why indeed the code
took a little longer to run,
the longer we actually made the input.
But now let's get a little bold and say
four characters that are alphanumeric.
So let's allow ourselves
numbers or letters
as countless websites have probably
been advising you to do now for years.
Well, why are they doing
that and what's the upside?
Well, if you have 26 lowercase letters
and 26 uppercase letters and 10 digits,
that's 62 possibilities,
times 62, times 62, times 62.
Now we're up to 14 million possible
passcodes for the adversary
to go through or the robot to get
through or the code to get through.
And if we ramp it up ever so slightly
more to eight characters, which
isn't even that long these
days, well, that of course,
is going to be 62 times 62 times
62 times 62, 62, 62, 62, 62,
which is going to give us 218 trillion
possible passcodes for the adversary
to sift through.
So what have we really done?
We've not fundamentally
changed what it is
the adversary has to do
in order to attack us,
we've just made the range of
possible passcodes so much longer
that, sure, the adversary
can try running their code.
They can try using their robot.
But it might very well take
them trillions of steps
in order to figure out
what my passcode is.
So we're really just raising
the bar and equivalently
lowering the probability
that some adversary is
going to get lucky and simply
guess what my passcode is.
But Gil, I like that you suggested
another approach all together.
And if I may, I actually
have a screenshot here.
Has anyone accidentally
done this to themselves?
No need to raise a
digital hand, but maybe
by an admission of physical hands.
OK.
Miley and Thomas.
So a few of us have locked
ourselves out of our own phones.
So certainly annoying and maybe
not the most appreciated feature.
But why is actually this
capability of iPhones and Android
phones a good thing, to be clear?
Gil indeed alluded to
this, but why might it
be a good thing that your phone
might sometimes lock you out?
Let me hang in there for
a couple of more thoughts.
Why might this be a good thing
that your phone locks you out?
Taylor, what do you think?
TAYLOR: It would either slow down
the trial of however many passcodes
or perhaps if it's a
software program, maybe it
would timeout or
something, depending on how
it's working, which would be
something to potentially protect you.
DAVID MALAN: Nice.
I like that.
Well said.
Julian, what do you think?
JULIAN: I think it protects us from the
technology getting faster and faster.
So eventually that number you showed
us, maybe they can do it in a second.
But by stopping us from doing that,
we can actually get [INAUDIBLE].
DAVID MALAN: Yeah, absolutely.
You might recall seeing all
of the possible passcodes.
The code I wrote just
flew across my screen.
So even though that's the
code version of an attack,
it's not a human manually
typing it in, thereby
blocking my access
from my own device, you
could imagine in software just slowing
down the adversary so that you only
can try one passcode per second or maybe
a few passcodes per hour or per day.
And at that point, you know what?
The adversary is hopefully and
probably just going to give up.
And they're hopefully going to
go steal someone else's phone
who hasn't set the bar quite as high.
Yvarro, what's your thought here too?
YVARRO: Actually, it's similar
to what you just said, professor.
When the phone turned off or
asks you for your password,
mainly if you don't
have the right password,
so you won't be able to access it again.
It's as if [INAUDIBLE] meets the
security measure in case, like,
it wasn't your fault.
Let's say you found that phone.
It wasn't yours, and you're trying.
And that's happened sometimes, when
you try to log into your bank account.
Let's say you put the password,
and it's not working, and you say,
OK, [INAUDIBLE] like for a
couple of minutes, come back,
but you make sure you're going
to have the right password.
If you don't, they might send you to
call the bank or something like that.
I think that's it.
DAVID MALAN: Yeah.
Absolutely.
It adds friction to the process.
And so there's a takeaway here, though,
is that this seems to be a win for us
because it slows down the adversary.
And again, the goal in security,
again, isn't to be 100% secure,
which is a rather
nonsensical, naive claim.
But in the real world, you want your
home, frankly, if not a bit selfishly,
just to be more secure
than your neighbor's.
If there's some adversary
trying to get into a home,
you want to make sure that it's so
expensive or so time-consuming or so
difficult for them to
get into your home,
that they actually go target
some other home instead.
And indeed, by raising
the bar, you hopefully
keep people out just by
the probability that it's
going to take them so long
to actually attack you.
But there's got to be
some price paid, right?
It's not a win-win per se.
I think I and Thomas and Miley--
I hope I'm pronouncing your name right--
we've all paid a price.
What is the price we're paying by
having mechanisms like this ability
for the phone to slow adversaries
down, just to be clear?
What price are we, the consumers,
paying for that added level of security?
Jim, can I call on you for this one?
JIM: Well, certainly, if
it's only three attempts,
it's easy to accidentally put
your own password in wrong.
And I had never thought
of it until you showed
the number that it was, like, 10,000.
And setting it at three
seems to be weighted
a lot more for inconvenience for the
user than for obstacle to the attacker.
DAVID MALAN: Yeah, absolutely.
I mean, I think all
of us who are smiling
on camera with some embarrassment have
locked ourselves out of our phones
because late at night or
you're maybe a little tipsy
or you're just not really
focused on your phone,
you input the wrong
password again and again
and again, enough times that you
lock yourself out of your device.
And that might be the
worst possible time
to do so, because you
know what Apple even does,
it doesn't just lock
you out for a minute.
After a minute passes,
and your phone unlocks,
if you screw up again and mis-type
your password multiple times,
the next time it's like five minutes.
After that, it's maybe like 10 minutes.
After that it's like an hour.
After that, it's like
four hours or whatever
the algorithm is that they've chosen.
It gets worse and worse
and worse and more painful.
The upside of that,
though, is at that point,
the adversary is going to
be as frustrated as you are.
And again, probably
put the device aside,
but there's constantly this friction
between the good guys and the bad,
in that if we want to raise
the bar to the adversary,
odds are we're raising the
bar to our own convenience,
at least in some situations.
All right.
Well, let's assume that
we've got into our devices,
whether it's a phone or a
laptop or desktop computer.
Most of us probably know these
days that when using a computer
and using something like
the web, you probably
have the instincts to
keep in mind things like--
actually, let me-- yeah.
You probably have the wherewithal
these days to keep in mind
that maybe your password
alone should not secure you.
Let me walk that back
a little bit and ask
how we might better defend ourselves
against attacks on our password alone.
It's straightforward.
If we have a password, once we type
it in to gain access to the account,
we can slow down the adversary.
But what other approach
might we take fundamentally?
Well, it's this thing
with which many of you
are probably now familiar in your
personal or professional worlds known
as two-factor authentication.
And for those less familiar,
would someone who is familiar
like to volunteer a layman's definition
of what two-factor authentication is?
Stein, can we go to you?
STEIN: Yeah.
So for example, in
bank accounts, they're
now using a voice recognition
word as your second factor
to allow you into your account.
DAVID MALAN: Nice.
So it's something in
addition to your password.
Literally, a second
factor, perhaps your voice.
Gil, another take on it?
GIL: Essentially, it's combining
what you know and what you have.
So you would have a physical device.
So in a case of [INAUDIBLE],
we use an app on our phone
that generates a random number that
we would input into the password field
after we put in our
actual known password.
So it's something that we know, our
password, something that we have,
which is generated by the
physical device or the software
on your phone to automatically
generate that key.
DAVID MALAN: Exactly.
And I think that's
the right mental model
to have is two-factor
authentication does not
mean you just have two passwords,
two of what you have to type in.
Rather, it means you have two
fundamentally different things
to input.
Generally, something you know,
which is again your password,
and then, as Gil notes and Stein
notes, it's something that you have.
Maybe that's a physical
device like your phone
that has a number on it
that you need to type in.
Maybe it's one of those key fobs
you carry around on your key chain,
if you've seen those.
Maybe it's your voice, which is
something that presumably only you
have or some other biometric like
your fingerprints or your face
or some other measure of you,
something that is fundamentally
different from the password
such that it's presumed it's
even harder for the adversary to
gain access to that second factor.
Anyone on the internet can try
logging into someone's email address
so long as they have
an internet connection.
But it's going to be a lot harder for
an adversary to physically come here
to Cambridge, steal my phone from
me or my little key fob device,
and then type in my second factor.
Absolutely possible, still a
threat, but these second factors
tend to narrow the scope of the threat.
And so what you're seeing here
on the screen, if unfamiliar,
is a product called Duo
Mobile, which I think
Gil was alluding to earlier, that
Harvard and a lot of universities
and companies use that allow you to
ask your users to type in a code that
has been sent to them on their phone or
text message or even via a phone call.
And there's varying
degrees of security there.
But the fundamental thing is
that it's adding a second factor.
But there's other things
that people can deploy too.
For instance, something
known as a password manager.
So those of you who have passwords
that are all four digits or maybe
four letters or just an
English word, suffice
it to say that's got to stop now, at
least for accounts you care about.
Anything that has anything remotely
private or personal or professional,
odds are the lesson
there is already learned.
But if you start to practice these
best practices, having longer, more
random passwords with letters
and numbers and punctuation,
I mean, if you're like
me, you're never going
to remember all of these passwords.
And so that would seem at odds
with what we're preaching here.
And so a password manager is a
piece of software for your phone,
your Mac, or PC that stores
all of your passwords
for websites, apps, and the like.
And that password manager itself has
one so-called master password that's
ideally super long, has a
lot of complexity to it,
but it's just one long, difficult
password for you to remember,
not one per website or
one per application.
And so a password manager,
and here's a couple
that you might want to check
out afterwards, lastpass.com.
Those of you affiliated
with Harvard have access
to this by a site license at Harvard.
1password.com is another,
and there's others as well.
And you can use these to
store all of your passwords,
thereby allowing you to use longer,
harder to guess passwords and not
have to remember them yourselves.
But let me ask that
same question as before.
Sounds like a win, but it's
not necessarily all good.
What price might I pay by
using one of these products?
Christo?
CHRISTO: I guess maybe inadvertently
creating a single point of failure
if someone gets access to
that password database.
DAVID MALAN: Yeah.
I mean, I've kind of
made the situation worse.
Now I've put all of my eggs
in one basket, so to speak.
So if my laptop is stolen,
my phone is stolen,
and I have my password manager on there.
And God forbid, the adversary guesses
or figures out my master password,
that's all of the keys to the kingdom.
That's every account I
have instead of just one.
So there too, it's a trade-off perhaps.
Let me call on Brian.
You had a question by proxy.
BRIAN YU: The question was actually,
you sort of answered it then,
but someone was asking for
suggestions about what is a safe way
to remember your password as your
passwords start to get longer and more
[INAUDIBLE].
DAVID MALAN: I should have caught--
that would've been the perfect segue.
But indeed, password manager
is the typical answer there.
But there too, you want to be
careful to mitigate the risk.
So without going too down the rabbit
hole, in addition to this one master
password, if you really
have sensitive information
in this password manager, what some
people might do is maybe actually
print out that master
password, but don't
keep it taped to your
monitor on a Post-It note.
Maybe literally put it in a safe
deposit box or a safe, more generally,
or somewhere separate from
the device so that if, God
forbid, you forget what
your master password is,
you at least have some recourse.
There, of course, you're
exposing yourself to new risks
if someone steals the piece of paper.
So again, security is all about these
trade-offs and this balancing act.
Miley?
MILEY: My question is,
why not just have one--
instead of having the
password, then just
have one long, really
complicated singular password
you use everywhere and
never write it down.
DAVID MALAN: Really good question,
and that is a good solution
if you only have one website
or app that you want to use.
The problem is if you
reuse passwords, then
if any one of those websites
or applications is compromised,
and honestly, it's hard not
to see every week in the news
some website that has
been hacked in some way,
the problem is, if you're using
the same password everywhere else,
a lot of adversaries assume that.
And so even if it was
facebook.com that was hacked,
they might assume that,
oh, you know, Miley
might be one of these people who
uses her password everywhere.
I'm going to try to log into Gmail
now with that same account or Bank
of America with that same
password and the like.
And so you have this domino
effect that's best left avoided.
Christo, over to you.
CHRISTO: Yeah just a comment
on the question by proxy.
I think a few years ago, I read
something by Bruce Schneier, a security
expert, about long passwords and
that you can take an obscure phrase
or passage from a book or
something meaningful to you
and take the first
letter of each to make
that a long password that is complicated
and obscure and not in a dictionary.
DAVID MALAN: That's a good heuristic,
and there too you want to be careful.
Probably best not to leave that book
on the coffee table, for instance,
or little pencil marks in it.
But absolutely.
There are ways you can help mitigate
the possibility you'll forget,
but there too, you're exposing
yourself to some amount of risk.
And you just need to decide
what that right balance is.
All right.
Well, once we're actually
into our accounts, most of us
probably know to have the instincts to
look for secure websites these days.
That is to say URLs that start
not with http:// but https://.
Now, unfortunately, Microsoft
Edge and Firefox and Chrome
have been simplifying things
for years, just like Safari,
and so it's hard to see
these in the URLs these days.
But they're often there.
And thankfully, many if not
most websites these days
are secured by https.
What that means is that
your connection between you
and Facebook, between you and
Gmail, between you and harvard.edu
is encrypted.
And for tonight's purposes,
to encrypt something
just means to scramble
the information, such
that if an adversary sees it going
between you and Facebook or you
and Gmail, they don't know
what they're looking at.
It looks like random
data on the internet.
Encryption gives you that property.
But that's not the same thing
as end-to-end encryption.
End-to-end encryption is another term of
art that refers to a stronger property.
Anyone want to give us a definition
of what is meant generally
by end-to-end encryption and
why we as consumers should
be hoping for and looking for
this more frequently these days?
Taylor?
TAYLOR: I think it means--
I think it means or has to do
with who exactly has the ability
to get the plain text back.
So end-to-end encryption, I think means
that if I were to send you a message,
we would each be able to
access the plain text,
but the service through which
we sent the message is not
able to decrypt that message.
They don't have the key.
Only you and I have the key.
DAVID MALAN: Perfect.
So very well said, insofar
as normally when
you encrypt things with just https,
and for instance, you visit gmail.com.
If you send an email from yourself
through Gmail to someone else,
the someone else can
certainly read that email.
But you know who else can?
Employees at Google.
Now, presumably they have various
technical and policy constraints
that prevent that with high
probability from happening,
but it can absolutely happen.
The data is stored on Google servers.
You did not encrypt it
in advance, that is,
scramble it in advance before
sending it to someone else.
So end-to-end encryption
is a stronger property
to look for and hope for in
applications and websites these days.
So for instance, if I want to
send Brian a truly secure message,
I actually probably want to use
a tool like WhatsApp or Signal
or there's other applications
these days that offer what's
indeed called end-to-end encryption.
And what this means is that
when I hit Send on my phone
to send Brian a secure message,
my phone first encrypts it,
that is, scrambles it, then
sends it to WhatsApp servers
and transitively to Brian and
his phone, then decrypts it.
So even though WhatsApp,
otherwise known as Facebook,
has access to the data that's
going between me and Brian,
that data is encrypted and prying
eyes cannot access the data.
Now, is it necessarily
implemented this way?
Hopefully.
A lot of the clamor in the
US and in other countries
for back doors into
encryption protocols boils down
to that, what's a feature for me and
Brian might be a threat to a government
or to politicians or
to companies insofar
as they don't even know what data
is being sent through their service.
And so we should generally beware
poking any holes in these schemes,
because even if the good guys--
and that's perhaps a bit
generous in that story--
even if the good guys are only supposed
to have access, surely at some point so
are the bad guys or
the adversaries going
to have access to those
same loopholes as well.
So speaking of end-to-end encryption,
Zoom got in trouble recently
for saying they use
end-to-end encryption.
They do not.
And this was in some piece
of marketing literature.
Who knows how it actually
slipped in there?
But the technical community
jumped on them, rightly so,
because they were claiming to
have end-to-end encryption.
What would that mean?
That would mean that you and I and Brian
and everyone else in this Zoom window
can see and hear
everything that's going on,
but Zoom and Zoom employees could not
if they supported end-to-end encryption.
But they do not, which means there
could be some prying eyes or a listening
ear at Zoom's company actually
listening in on the same conversation
or storing the same video.
So end-to-end encryption
would mean that all of us
have some kind of scrambling
going on between me and you
and Brian and everyone else.
Now, there's going to
be a price paid for that
and there's a reason companies like
Zoom don't do that maybe by default.
And that's because just scrambling
this information and, my gosh,
there's like 90 of us in the room.
That's a lot of information
to be scrambling in real time.
It's expensive.
And we don't all have super
fast internet connections
and it might slow it down.
And it might make this video conference
a lot worse of an experience,
a lot of buffering, a lot of
pixelation or splotchiness.
And there too is the trade-off.
Do you want a good user
experience, a great phone call,
or do you want that call
to be super, super secure?
So inappropriate of them, absolutely,
to claim they have one thing when they
don't.
And they actually just acquired
a third-party company that
specializes in end-to-end encryption.
But that's the property that
people were calling them out on.
But they've done other things as well.
You've probably nowadays
heard the term Zoom-bombing.
And you've heard claims
that Zoom is insecure.
Well, let me ask a question here.
Via the Participants window, recall
the green Yes and the red No.
Would folks mind chiming in to
say, is Zoom secure or not secure?
Yes secure, or No, not secure.
So the scales have tipped this time.
I'm seeing a lot more red
in the window than green.
At the moment, we've got
like nine green and 27 red.
So many more of you think that Zoom
isn't secure than think it is secure.
So let's tease that apart.
What does that mean?
Just as we began this
evening talking about what
it means for our phone or
our laptop to be secure,
what does it mean for Zoom to be secure?
Well, for instance, many of you have
probably seen URLs like this here.
They're relatively short.
Baked into them is a 10-digit code
like 5551112222, and clicking that URL
or typing in that 10-digit value allows
a human to join a Zoom conference.
With very little friction,
they're into the conference,
and able to start chatting.
But URLs of that format
are arguably insecure.
But why?
Could someone volunteer an explanation
of why Zoom URLs are arguably insecure?
Many of you think they are, but why?
Jim, over to you.
JIM: They would be insecure in the
sense that anybody who has that URL
can join the meeting, even if
they're not welcome in the meeting.
DAVID MALAN: Absolutely.
We've already seen via
the very short code
that I wrote in that
language Python earlier,
it's not that hard to try guessing
10-digit values or four-digit values.
You just write a few lines of
code and try all possible ones.
What is Zoom-bombing all about?
Well, in the simplest case,
it's literally just some person
with too much free time typing in
random meeting numbers, hitting Enter,
and seeing if they
get into a conference.
But of course, if they have
taken some class on programming
or taught themselves how
to write a bit of code,
it's not that hard to simulate
that otherwise manual process
and just try all possible
10-digit values until, boom.
You found an unsuspecting audience.
So what's a solution here?
Well, passwords exist and even before
Zoom started getting flack for this,
they did support passwords.
And you can actually have
slightly longer URLs that
have meeting IDs and passwords, such
that you can either click the link
or you can manually type in that
password in addition to the meeting ID.
So let me ask a more nuanced question.
Is this approach more secure?
Is it more secure to have a
password on your Zoom meeting?
Any thoughts here?
Stein, what do you think?
Yes.
STEIN: It's slightly more
secure, but again, they
could easily come up with that
additional four or six-digit password.
So one workaround has been the host, in
allowing people to enter the meeting.
In other words, controlling entry,
even when they have the correct
URL and password.
DAVID MALAN: Indeed.
So it does make things
more secure in that now you
need more information, just like
any account with a password,
but honestly, if someone just shares
this URL, pastes it into a chat room,
forwards an email, the
cat is out of the bag.
And anyone with the
ability to click that link
is going to get into the meeting.
Now, suppose we don't distribute a link.
Suppose we just tell people the meeting
code is this and the password is that.
Now you might have to
manually type it in,
but again, someone with a
modicum of programming savvy
can write code that not only
tries all possible meeting IDs
but tries all possible passwords until
they can finally get into the meeting.
So has Zoom fundamentally
secured these things?
No, but they've raised
the bar, and there
are other mechanisms they provide.
For instance, you can configure
meetings to require that they be logged
into a company or a university account.
That further raises the bar to entry.
But there must be a trade-off, right?
Otherwise, people would have been
using these features all along,
and Zoom would have made
them the default all along.
So what's the trade-off when you
start adding passwords or requiring
authentication or having a waiting
room, as you all experienced tonight?
What price are we paying for
this additional security?
Eli?
ELI: You're adding a layer of
complexity that impedes ease
of use for the average user, I suppose.
DAVID MALAN: Yeah.
Absolutely.
I mean, one of the business
propositions for something like Zoom
is it's just easy.
Click and it works.
Type in a super-short number and boom.
You're focusing on your work
and not on your security.
As was noted as a
trade-off earlier as well.
I mean, many of you have probably
experienced like, oh, damn,
what's the password?
And you have to go sifting through
your email or check your calendar,
find the password to manually type in.
It adds friction and, heck,
if there's too much friction,
I'm going to go use Google Meets
or I'm going to go use Facebook
or I'm going to go use some other
tool for video conferencing.
And so, again, it's
this constant trade-off.
So what has Harvard done?
What have a lot of companies done?
They've recently just started
turning these things on by default.
Zoom didn't set them
by default for people.
They've started to do that as well.
And now in fairness and without
going down this rabbit hole,
Zoom absolutely has made some real
security mistakes in software.
They've exposed people's computers to
malware, unintentionally presumably.
So they have absolutely done some wrong.
But a lot of the flack they've
gotten in recent weeks and months
for Zoom bombing, in some
sense is arguably user error.
Like, don't allow
passwordless meetings.
Require that your users log in.
But again, the price you're going to
pay is some form of the user experience.
So what are some other defenses we
might keep in mind moving forward?
You're into your computer, you've
got hopefully a secure connection
to whatever application you're using.
What other features should we all be
mindful of in the world of security
just so we can practice
some better practices?
Well, many of you probably
already know about Incognito mode,
otherwise known as Private mode.
This is a browser feature that allows
you to browse incognito or privately.
Well, what does that really mean?
Well, just to dispel
any potential myths,
that doesn't mean you're
anonymous on the web.
That doesn't mean that the website
can't figure out who you are.
What it tends to do is
something more technical.
When you use Incognito mode or Private
mode, by default you're logged out.
So even if you have Facebook
or Gmail or some other website
open in another window, you won't
be in there, in that window.
And this relates to
what are called cookies,
which are little pieces of
information that websites
are allowed to store in your browser
just to remember who you are.
So by using Incognito
mode or Private mode,
your browser effectively
forgets who you are.
But if you get a little sloppy,
and you use Incognito mode
and visit Facebook and Gmail and
maybe some other websites all
in the same Incognito window, you
start to leak information very quickly.
And those websites, especially the
Googles and the Facebooks of the world
that are heavily into
the advertising world,
they have hooks into so
many different websites.
And suffice it to say, it is still
possible, if not relatively easy,
for websites to know or figure out
who you are or maybe not your name
and address but that
you're the same user.
And they might be able to
infer with high probability
that the same user keeps using
Incognito mode on their site,
because all browsers
unfortunately have signatures.
There's ways with high
probability to infer
that, OK, I don't know for sure that
that's Brian Yu again on my website,
but it sure does look like him.
And therefore, I'm going
to serve him these ads
or assume this about this user.
So it's not the end-all
protection, but it's certainly
better than not using it.
What's another mechanism we
have at our disposal just
to keep ourselves more secure?
And as we began to keep
the adversaries out
with higher probability
but not absolute.
Automatic updates.
Microsoft, Google, Apple and
the like have in recent years
started turning this on by default
so that our phones and our laptops
and desktops automatically
update overnight, thereby
running the latest software that
hopefully has fewer bugs or mistakes
than yesterday's software had.
But of course, there's
a trade-off here too.
What if Apple or Google
or Microsoft screw up,
and the update they push
forcibly to your phone
or your laptop itself is flawed?
In the worst case, your
Mac, your PC, your phone
might stop working
overnight, because they
have presumed to do something for you.
So there too, you might
want to automatically
update your devices but not instantly.
You probably want to wait until
your friend or your neighbor
updates their device, make sure
it's all OK, then update yours.
Of course, then you are
the dummy, because now you
are potentially vulnerable
to being attacked
if there were some flaws in that older
version longer than your neighbor.
So there too, it really needs to be an
educated decision and not necessarily
something we just blindly opt into.
Well, what else, and what else lastly?
So full disk encryption.
So encryption again
is just this technique
of scrambling the information,
maybe between points A and B,
or more simply, on your actual device.
If you have an Apple
device, an iPhone or a Mac,
there's something known as
FileVault on the latter.
This is a feature built
into the operating system,
and Windows 10 has
something similar on PCs,
that allow you to constantly encrypt
all of the information on your laptop
or your desktop or your phone.
And so long as you're
protecting that device
with a good password or passcode,
so pretty long, hard to guess,
not a few letters or
digits or an English word,
then all of the data on your device
should look scrambled to an adversary,
even if they steal it physically.
Even if they open it up and
try to get at the data inside,
it's just going to look
like nonsense to them.
It's not going to
reveal your actual data.
And this is ever so important,
because if someone does walk off
with your phone, and someone
does walk off with your laptop,
they might have all
the time in the world
to write software that
tries to hack into it,
to use a robotic arm
to try logging into it,
and so keeping your device encrypted
is hands down a best practice.
It is much better than
naively just deleting things
that you don't want people to see.
Long story short, when
you drag something
to your Recycle Bin or
your Trash Can on Mac OS
and then even go to Empty
Recycle Bin or Empty Trash Can,
frankly, nothing really happens.
The computer just forgets
where your data is.
The data is still there.
And if an adversary
tomorrow steals the device
that you thought you deleted
files from yesterday,
those files very well
may be recoverable.
So again, if I may, one of
the takeaways for tonight
should hopefully be that encryption
in general is a good thing.
And if you want to learn and
read up more on these topics,
googling things like full disk
encryption or password managers
would all be useful takeaways.
Of course, there are heavier-handed
approaches to learn all this and more.
And in fact, if you'd like
more information academically,
if you go to edx.org/cs50, Brian and I
and some of CS50's team teach not only
CS50 itself, the undergraduate class,
but a number of precursor and follow-on
classes through Harvard's
Division of Continuing Education.
So please feel free to
join us there as well.
And allow me here to turn
things back over to Jonathan.
JONATHAN LEHRICH: Thank you,
David, and thanks to all of you
who have joined us today.
We'd like to remind you that you
can log into future signature events
at socializeremotely.harvard.edu.
Goodbye everyone, and we'll
see you securely soon.
