
[MUSIC PLAYING]
ANNOUNCER: This is CS50.
DAVID MALAN: Hello world.
This is the CS50 Podcast,
episode 4, zero indexed.
My name is David Malan.
And I'm here with
CS50's own Colton Ogden.
COLTON OGDEN: David, I'm curious what
the first browser that you ever used
was.
DAVID MALAN: It was probably
like Netscape 1.0 or something.
COLTON OGDEN: Netscape Navigator?
DAVID MALAN: Maybe, or even
one of its predecessors,
one of the very first
prototypes of a browser.
But it was old school for sure.
COLTON OGDEN: This would have
been on a Windows computer.
DAVID MALAN: Gosh, probably.
Well, I started off life
using Macs, and then I
switched I think in college
to using PCs and Windows.
And then, eventually, I think
after a few years of teaching CS50
did I switch back to Mac.
So--
COLTON OGDEN: I think the
meme is that there are
a lot of browsers that have come out.
There are a lot of popular
browsers these days--
Chrome, Firefox, Opera, Edge.

On that list is not a particular
browser of quite a bit of infamy,
that browser being Internet Explorer.
DAVID MALAN: Yeah, that
one proved the bane
of most developers'
existence for some time
because it was just so non-compliant
when it came to certain standards.
And Microsoft really did its own
thing with various interpretations
of the HTML and/or CSS specs.
I remember even we had struggled with
that for some of our own web apps.
Like you'd get it working on Firefox.
You'd get it working on Chrome.
You'd get it working on Opera.
But, damn it, it doesn't
actually work as you expect
in IE, especially IE6, version 6.
COLTON OGDEN: Indeed.
I mean, we used to even use BrowserStack
internally, which is a website that you
can test on multiple--
you can sort of look
in a browser and see
it working on multiple actual browsers.
DAVID MALAN: Yeah, no, and that
was in large part because of that,
especially if a lot of
us develop here on Macs.
And so it wasn't really easy to
run Internet Explorer, let alone
any Windows-based browser.
But, yeah, we had some third-party
help with that, which was handy.
COLTON OGDEN: Yeah, and IE6 was the
particular offender because they did
have IE7.
They did have IE8.
And, from what I remember, they
improved on some of the noncompliance

that IE6 sort of bore at the time.
But what's funny is this week, in
doing some research for the podcast,
I came across an article--
a blog post, rather, by Chris Zacharias.
DAVID MALAN: Yeah, no
this was wonderful--
"Conspiracy to Kill
Internet Explorer 6."
COLTON OGDEN: Indeed.
He is a former YouTube employee.
And this is back in 2009-ish.
And, back then, I mean YouTube was huge.
You know, it started around
2005, 2006, but 2009 was really
when it started to kick off.
DAVID MALAN: Yeah, and I
think, as the story goes,
they had just been YouTube
acquired by Google.
And they were in the process of
being integrated into Google's
own software-based workflows.
But enough of the developers
on the YouTube team
were just completely fed
up it seemed with having
to support IE6, which was still a
non-trivial percentage of their user
base.
And I think, understandably, YouTube
and presumably in turn Google
didn't want to deprecate
support for IE6 because there's
a lot of employees at companies
whose systems are pretty locked down.
There's teachers in schools whose
computers are pretty locked down.
So there's a lot of users out there
who can't just follow your instructions

to update to another browser.
They need like the IT department
to actually do it for them.
So it was an understandable
business concern.
But, as I understand it, the developers
wanted nothing to do anymore with IE6.
And so they started sneaking
into YouTube's own code base
a little banner advert
essentially urging
IE6 users to upgrade to any number
of suggested other browsers.
And they gave some direct links.
COLTON OGDEN: Yeah, no,
it was pretty crazy.
And one of the stories that Chris
even talked about in his blog
is empty source tags
in images would just
load whatever the document root was.
And this would have the effect of
essentially recursively loading,
similar to an iframe, all
of the server's contents.
DAVID MALAN: Yeah, and that
was just one of the bugs
I think that kept tripping them up.
COLTON OGDEN: And that one had the--
from what I remember
reading, it actually
could cause blue screens of
death on Windows machines.
DAVID MALAN: Yeah, no, I believe it.
And I'm amazed that
bugs like that persist.
And, even if they do
eventually get fixed though,
if you have a lot of systems out
there that are not 100% up to date,

then you're stuck dealing
with these kinds of issues.
But what was funny, I thought, about
the blog post disclosure years later,
after which they couldn't really
get all that into trouble,
presumably, was how, coincidentally,
the Google Docs team had recently
started advertising a similar
message on top of Google Documents,
which of course was
already owned by Google.
And that too was
encouraging users to upgrade
to a newer version of a browser.
So they kind of snuck in under the radar
there, but, even when it was detected,
it sounds like there was some
internal tensions with the lawyers,
with the managers.
But, in the end, it
kind of worked out OK.
But it's kind of a fascinating--
I think, if you take a
step back at it, it's
kind of a fascinating
risk for any company.
Unless you are constantly
auditing your own lines of code,
or you have really a
robust process in place,
it's possible for one
or a few developers
to slip something past the
others, for better or for worse.
Now this seemed to work out
for the best in the end.
In fact, I think you noted
IE's usage plummeted actually,
coincidentally or causally, after
this particular change because YouTube

was so popular.
But you could imagine
some adversarial employees
using this power of the ability
to change their code base for more
evil purposes, if you will.
COLTON OGDEN: Yeah, and, on
that note, I can certainly
understand why companies, especially
as large as Google or Facebook,
want to instate these code review
processes and ensure that this doesn't
happen and to make
sure there are no sort
of committing back doors to production,
directly to production, so to speak.
DAVID MALAN: Yeah, absolutely.
We just spoke recently
about a new feature
that you can use on
sites like GitHub where
you can have the notion
of code ownership
so that, if a colleague changes a
particular file or a line of code
really that you or I
wrote, we can actually
have the whole pipeline notify us
before that change to code is approved.
But it seems like the YouTube team here
benefited from a bit of superpowers
when it came to who
could actually push code,
probably some changing processes
because it's not that easy presumably
to integrate an acquisition
like YouTube into Google.
So they had this window of
opportunity where they were actually
able to do something very developer
friendly, but not necessarily

managerial or lawyerly friendly.
COLTON OGDEN: Indeed, I like to
think it turned out well in the end.
DAVID MALAN: It did.
In fact, no one really
worries about IE6 anymore,
let alone IE, which has
now been replaced by Edge.
And even Edge now is based in
part on the same core processor
that essentially Chrome itself is.
So things are starting to converge
perhaps, which is interesting.
COLTON OGDEN: Indeed.
And I mean even modern
browsers aren't immune to sort
of some of the issues that plague--
I guess any software at large,
you know, every piece of software
is susceptible to issues.
In particular, this week, Firefox
had a major issue over the weekend.
DAVID MALAN: Yeah, I
heard that someone didn't
renew their certificate, so to speak.
COLTON OGDEN: Indeed.
So Firefox ships with a
certificate that sort of basically
verifies that the add-ons that
are installed onto the browser
are verified by Mozilla as being
legitimate and not malicious.
And it turns out that they forgot to
renew that certificate over the weekend
or by the weekend's arrival.

And, therefore, all Firefox
users sort of over time,
because it doesn't happen immediately,
but, within about a 24-hour period, all
of their add-ons were
no longer functioning.
DAVID MALAN: I know.
And that's a pretty big
deal because the people are
relying on add-ons or
extensions or plug-ins,
however you want to think about them.
To have all of your
features stop working
is not that exciting or not that good.
And I should concede that this
is a not uncommon problem.
At least, I like to
think I'm in good company
here because I have, for instance,
been guilty of not renewing
some of our certificates in time.
In fact, this happened
just a few months ago
where one of our certificates for
CS50's website, so similar in spirit
in that these things too have an
expiration date just like code signing
certificates can, I had set a reminder
to actually renew this certificate.
And I thought we had migrated
all of our certificates
to an auto-renewal process
on Amazon's cloud platform.
And so I literally kept ignoring,
ignoring, ignoring the email reminders
that I was being sent because I
thought we had automated it all.

But, nope, it turns out
that one certificate was not
yet configured to auto-renew.
And so, at the stroke of
midnight or whatever it was,
the darn thing stopped working.
We and some of our students noticed.
And, thankfully, it only
took a few minutes to fix,
but it turns out that constant email
reminders and a Google Calendar
reminder is not sufficient, at least
when I'm in charge of the certificates.
COLTON OGDEN: Yeah, no, problems
like that are somewhat easy to solve.
Unfortunately, Firefox had some
problems because their certificates
were actually deployed
with the browser itself.
They had to remote
deploy a new certificate
through their sort of system called--
what's the series called?
I think it's called series, actually.
I don't think I wrote it down here.
But the system is called Normandy.
And they have a system that
allows them to actually
remote deploy the new certificates.
Or, actually, well, it lets
them perform research studies.
Studies was the name of it.
They have a tool called
Studies, which allows them
to remote deploy and remote test
sort of behavior in folks' browsers.

And this allowed them to
ship a new certificate, which
they signed because this is actually
technically an add-on, this feature.
They signed this with a new
certificate that they then
shipped with this feature.
DAVID MALAN: I see.
COLTON OGDEN: Yeah, but it's interesting
that, somewhere in the process,
there's presumably someone who had set
a reminder that didn't quite go off
or didn't quite get noticed.
So it happens to the
best of us, perhaps.
DAVID MALAN: Yeah, thankfully, Mozilla,
in their blog where they sort of break
down this process, a-la how
Facebook recently broke down
how their passwords were stored in plain
text, they outlined sort of the ways
that they got this right, I
guess, in fixing the problem,
but they also did disclose
the issues that they faced
and ways that they would approach making
sure that it doesn't happen again.
COLTON OGDEN: Yeah, no it
was really, to their credit,
a nice post-mortem online, so to
speak, which is worth reading.
If you go to hacks.mozilla.org, you can
find it under the May 2019 listings.
DAVID MALAN: Indeed.
We don't really use
Chromebooks here at CS50,
but we have some of them lying around.
We've seen some folks
using them, but Chromebooks
have up to this point,
up until fairly recently,

been a fairly limited
operating system in as much
as they're essentially
Chrome on a computer.
COLTON OGDEN: Yeah, dedicated.
So it's meant to be used
really only in cloud.
There isn't any client-side
software or at least the appearance
thereof, even though
there actually is, even
though it supports Google Docs
and Gmail and Google Calendar
and some other apps too
that can be used offline.
But, of course, you can't
actually send and receive
mail and other such notifications
if you're actually offline.
So it's kind of a product that's
a little ahead of its time.
I mean, honestly, I do think it's
kind of inevitable that we'll
see more of this once you have
omnipresent internet access,
both on the ground and in the sky
and elsewhere on Earth, so to speak.
But what's interesting is
that underneath the hood
is an underlying Linux-based operating
system that traditionally hasn't really
been exposed.
It really is meant to be more
of an appliance of sorts,
an internet appliance.
But now I gather that you'll actually
be able to run Linux on these things
so much more easily than in the past,
which is great for power users who
want access to pretty cheap
hardware, but, nonetheless,
with the ability to do
something with Linux on it.

DAVID MALAN: Indeed.
Yeah, now folks will be able
to actually fire up a terminal
and interact with a Linux kernel.
And it is actually called Termina.
It runs on a VM.
But the Linux kernel is
actually directly interfaced
with Chrome OS itself.
And, in this case, therefore, you
can pull up graphical applications
and use them directly on Chrome OS like
you would use on a GNOME or the like.
COLTON OGDEN: Yeah, and, to
come back to price too, what's
been compelling historically
about Chromebooks
is that you can get a decent
computer for like $100, $200.
And that's really compelling.
In fact, there's some school districts,
certainly in the US and presumably
abroad, that actually have
their students use Chromebooks
because it's so much more
of an economical approach
to equipping kids with
hardware for the classroom.
Of course, the catch is-- and
we've encountered this with some
of our students out
in more rural areas--
they are sometimes allowed by their
schools to take the laptops home,
but they can't actually
use them very much
because, if they don't have internet
access and, therefore, Wi-Fi at home,
it's not all that useful a device except
for, of course, purely offline access.
But letting people actually use it
for multiple purposes now I think

is pretty compelling, especially
given those price points.
DAVID MALAN: Indeed,
and, to your point, I
mean I think it is pretty inevitable
that we do have internet, even
commoditized like utilities maybe
eventually in the future just given
how essential it is to modern life.
But I can see, prior to maybe
the last couple of years,
it's not guaranteed that you'll always
have internet access everywhere you go
and that it'll be
quality internet access.
But, for those folks out there who are
trying to learn more about computing,
learn more about Linux, I mean it's
a great device, kind of device.
And there's a bunch
of different versions
made by bunches of different companies.
It's a great device to kind
of hack on and sort of just
play around and learn the ropes.
Back in the day, when
I was growing up, I
used to use actual little tower
computers because there weren't really
laptops in as great supply, let
alone at those price points.
They were much more expensive,
but it's a great device
to just learn and play on I would say.
COLTON OGDEN: I think I've seen one of
those desktops lying around somewhere.
DAVID MALAN: Yeah, we still have them
in the corner somewhere for parts.
COLTON OGDEN: Well, awfully
coincidentally, though,
Microsoft, it turns out,
for Windows 10, they're
going to be shipping a full Linux
kernel with their Linux subsystem,
Windows' subsystem for Linux.

DAVID MALAN: Yeah, you know,
Microsoft, to their credit,
has really gotten a lot more
accommodating of Linux-type usage,
previously with Windows 10,
the earlier incarnation of it,
just being able to run Bash,
a so-called shell program,
so that you have a much better command
prompt than the actual software called
historically Command Prompt, which, in
yesteryear, was an actual DOS prompt--
so terribly limited.
I mean my god.
In like Windows XP and
I think even later,
you couldn't even copy-paste in
the program very easily by default.
And this is in stark contrast to
like any X Window interface on Linux
or Unix or Solaris or even on macOS.
So they just really
didn't adapt for this.
And, frankly, given
just how powerful it is
to have a command-line interface
on a Mac or a PC or a Linux Box,
it just seemed very
silly to sort of expect
users to go to third-party
utilities and not
to optimize for what a lot of power
users and certainly developers
might want.
COLTON OGDEN: Indeed, it is kind
of a barrier, especially when
so much documentation
online too for developers
is catered towards Linux environments.
DAVID MALAN: Yeah.
COLTON OGDEN: To their
credit, to your point,
they just announced the
Windows Terminal, actually,
which is an upgraded terminal.
So it won't be replacing
the Command Prompt.
For legacy purposes, they want to
ensure a backwards compatibility
for so much software that
relies on it, but they
will be releasing this as a separate
application that folks can download.
And it actually looks quite pretty.
It looks really nice.
DAVID MALAN: And, hopefully,
it'll improve the performance too
for people, which is compelling as well.
COLTON OGDEN: Indeed.
Yeah, it's nice to see sort of
this, I guess, all these companies
embracing Linux and really sort
of bringing their computers
to a more usable I guess, end point.
DAVID MALAN: I guess so.
Though, I feel like we're going to
invite some religious debate there
if we claim it's more
usable, but I do agree.
COLTON OGDEN: For developers,
I should say for I
guess in a development environment.
DAVID MALAN: Yeah, absolutely.
I think there's great power
that comes with the command line
and just making it more user friendly.
And there's decades of
experience and expertise
when it comes to all of these
shell-based systems that
might as well, I think, make it
easier for people to use them still.
COLTON OGDEN: Indeed.
Have you heard of a KeePass?
DAVID MALAN: I maybe had,
but I really heard about it
in the context of what I think
you're about to tell us about.
COLTON OGDEN: Yeah, so KeePass is
an open-source password manager.
And they are hosted
at keepass.info, which
is an interesting choice for a domain name.
DAVID MALAN: Oh, yeah.
It sounds legit.
COLTON OGDEN: Well, it turns
out that keepass.info is legit,
but keepass.com is not legit.
DAVID MALAN: Yeah, I gather
keepass.com, the illegit site,
actually has had and maybe still
has some malware built into it.
So it's malicious software that
you are duped into installing.
And yet, the site, I actually pulled
it up before the podcast today.
It actually looked pretty legit.
And, if you search for just KeePass,
K-E-E-P-A-S-S, and hit Enter,
thankfully, the first hit is
indeed the legit one, keepass.info.
But I think, for my browser,
third or fourth among the search
results on Google was keepass.com,
which is the illegitimate site.
So you can't even use Google
search results necessarily
as a compelling signal as to
which one is the official one when
they're so close together, frankly.
COLTON OGDEN: Yeah,
it's kind of alarming.
And there's a point here about
I guess the responsibility of,
as a developer, as a
company, making sure
that you purchase the right domains
for your application to reach the most
users without giving room to nefarious
actors to I guess kind of trick users
into thinking that they're you.
DAVID MALAN: Yeah, no,
this is a tricky one
because often there's
squatters, people who
have bought domain names in anticipation
of other people wanting them.
And I can only guess
that keepass.com was
taken when the authors of the
software decided to get keepass.info.
But, honestly, there's so many TLDs
or Top-Level Domains now, hundreds,
you certainly can't afford, most people,
to get all of them-- so keepass.com,
keepass.org, keepass.net, and the like--
just to kind of protect yourself.
And even then you're vulnerable
to typographical errors, even
malicious ones.
We, for instance, in a
class I used to teach
used to talk all the time
about bankofthewest.com,
which is the legitimate website for
a bank out west in the United States.
But someone very cleverly years ago
bought bankofthe V-V-E-S-T .com, which,
in a small font, looks
like Bank of the West--
I can't even pronounce it now--
because two Vs together, of course,
look like a W.
And, honestly, at that
point, especially if that one
happens to bubble up in search
results for whatever reasons,
is even harder to spot as well.
So this is kind of a
fundamental challenge, I think,
when it comes to distinguishing
legitimacy on the web.
COLTON OGDEN: I feel like I've seen this
too with like the Russian alphabet has
a Y, but it's actually an "oo."
It's an "oo" character.
DAVID MALAN: Yeah.
COLTON OGDEN: And I feel
like I've seen this in URLs.
Like you can actually get
tricked if the URL has
that character in the place of a Y,
like yahoo.com with that character.
It's actually not technically
the same character.
It's a Unicode character.
DAVID MALAN: No, and,
thanks to Unicode, there's
so many variants that there's
actually other characters that
look quite like the typical
English alphabet that
might trick folks like you and me.
And I used to advise
students that, all right,
if you're not sure what the
address of the URL, at least
rely on your search engine.
So search for the name of your bank,
or search for the name of this product,
KeePass in this case,
and see what bubbles up.
And, granted, the first hit
is indeed the legitimate one,
but you could imagine, if keepass.com
gets talked about enough, and somehow
the owners of that site sort of
game the system in enough ways
that their result bubbles
up above the legitimate one,
you could trick users even then.
So, frankly, at this point, I'm
wondering how do you avoid this.
You kind of want to maybe start
poking around in various articles,
maybe in tech blogs or tech websites,
and see what some legitimate authors
are recommending people do.
And, hopefully, they haven't been duped.
And, if you see the same URL appearing
again and again on websites that you
do trust, various news outlets
or blogging sites, then
at least that's one additional
signal you can take into account.
But then I dare say you as
the human are reinventing
what Google calls PageRank where
you're sort of analyzing in your mind
the number of people that are all
recommending this particular URL.
And so with high probability
it must be legit.
I mean, frankly, that's what the
search engine is supposed to do,
but, clearly, those
results can be gamed,
as we're seeing here on my own browser.
COLTON OGDEN: I don't know
if Google does already,
but having some sort of
flag for a malicious website
such that it shows up very blatantly
with maybe some red div or some red tag
somewhere that says this
site is reportedly nefarious.
DAVID MALAN: Yeah, they
do do that sometimes.
And I don't know in this case.
Is keepass.com intentionally
being malicious,
or was it compromised such that
it's now distributing malware
because someone got into it?
COLTON OGDEN: Well, it turns out that
there are a lot of other similar sites
recently within the last 10 months that
look very identical to this website.
DAVID MALAN: Oh, interesting.
COLTON OGDEN: 7-Zip, BlueStacks,
UNetbootin, and GIMP,
which is a very popular image editor,
Snapseed, and a bunch of others--
10 months this has been going on.
It's a pattern that the--
actually, this was originally revealed
in the form of a tweet by berkcgoksel.
And they show this and
reference the other web pages.
DAVID MALAN: Interesting.
Now there is a solution
in the SSL world where
you have a security
certificate for your website
that, if you pay for an
expensive enough one,
browsers will actually
show you a verified signal
with an additional padlock or
check mark in the browser's URL
bar indicating that this belongs
to Bank of the West comma Inc
based in Seattle, Washington or wherever
they happen to be or California.
And that's an additional signal,
and they do charge more for it
to do the additional verification.
But, of course, all it takes then is
for an adversary with a few dollars
to spend to actually buy one
of these same legitimate ones
somehow and still trick
users into clicking it.
So it's a real problem of trust, which
is sort of omnipresent on the web
and ever more so with
examples like this.
COLTON OGDEN: And ever
present in our podcasts.
DAVID MALAN: Indeed, and
even in the real world.
In fact, you came across
an article recently,
if we might transition to
the physical world, where
some tenants in an
apartment building were
upset that the owner of
the building had installed
not physical key-based locks, but
rather digital locks that required
an app in order to unlock your door.
Now, at first glance, I
think this sounds fantastic.
I mean it's kind of cool.
It's trendy.
You can unlock the door from your phone.
Maybe there's food
being delivered, and you
won't have to go all the way
downstairs to let them in.
So there's a lot of like
compelling use cases for this,
but this is also a potential
invasion of privacy
because now the owner of the
building knows exactly who is coming
and when and what time of day and
how frequently or how infrequently,
not unlike a hotel.
But, in this case,
these are people's homes
that they're paying for or renting.
And, therefore, it's a little more
worrisome that someone can effectively
then track all of their movements.
COLTON OGDEN: Yeah, and funny too,
KeePass, we talk about digital keys.
And now we're talking
about physical keys.
The main issue with this
is definitely that it's
putting the power into the people
that are leasing the building,
like an unjust amount of power.
And, thankfully, the court decided that
it was in the favor of the tenants.
The tenants actually won a settlement.
They ended up suing the
landlords for invasion of privacy
and other difficulties
related to this whole process,
one of them being, for example, one of
the tenants was actually 93 years old
and couldn't leave their own
room because they were locked in.
And they couldn't figure out
how to use the app, which
would have been circumvented had they
had just a basic physical key to open
their door with.
DAVID MALAN: Yeah, absolutely.
And I think, I mean, even if just
your phone dies because it's out
of battery-- you don't
have it with you--
I mean, there's other reasons
where this would be annoying.
Now, to be fair, that could
happen with physical keys as well.
So I'm inclined to say that
maybe the happy medium is
to have both, physical key
as well as the digital key.
But the catch is physical keys
have been insecure for years.
Locks can certainly be picked, more
so physically perhaps than digitally,
especially if you have some
software-based defenses in place,
much like iPhones and
Androids do these days.
And, of course, there's
probably a whole lot of locks
out there such that, when a tenant
moves, and someone else moves in,
the old tenant may very well have
copies of those original keys
because a lot of
landlords probably don't
bother spending the money to change the
locks every time someone new moves in.
So it kind of goes both ways.
It's arguably more secure in some
ways, but it's less secure in others.
But it's hands down more
invasive because your movements
are being tracked.
Now, then again, you can
imagine CCTVs and just
security cameras also
violating that same tenant,
but, again, this seems
like an interesting tension
when it comes to sort of
convenience and user experience
and also privacy and security I'd say.
COLTON OGDEN: Yeah, and,
at least with a CCTV,
the onus is on the landlord to
actually spend all that time looking
at the video if they want.
I mean, I guess they could use sensors
probably to programmatically figure out
when people go in and out of a place.
DAVID MALAN: But software can
do this a lot quickly, you know?
You could have a little
alert saying ho, ho, ho.
Look who came home
really late last night.
COLTON OGDEN: Yeah, no, it's
a magnifier, the technology.
DAVID MALAN: Yeah, I think
that's a good way of putting it.
And it'll be interesting to see how
this plays out because, in this case,
the situation was indeed settled.
So there's not necessarily
new case law around it,
but it would be interesting to
see how this evolves over time
and how it just becomes more
economical and more compelling
security-wise to track,
as a side effect, users'
movements in this way in the interests
of having software-based security
instead.
COLTON OGDEN: Still on the note of
physical keys too, one of the things
that I recently learned,
which was pretty fascinating,
is just how easy it is, even
given an image of a key,
just to create a duplicate of
it because they're standardized.
DAVID MALAN: Yeah, no, and that's true
even of those car clickers, right?
Supposedly, if you walk around
like the Disney World parking
lot with your own personal key
clicker, and you walk far enough,
eventually, you might very
well unlock someone else's car
because the address space
isn't necessarily that large.
And that's absolutely
true for physical keys.
They just rely on probability
that no two people
are going to have the same two keys.
COLTON OGDEN: Yeah,
it's pretty alarming.
When humans are motivated, they'll find
a way to get into just about anything.
DAVID MALAN: Yeah, at
that point, though,
it's probably easier
just to break a window
than to walk up and down
the aisles of Disney World
and get caught on any number of cameras.
So there are some I think downward
pressures on these actual risks,
but it's a trade-off, right?
It's going to probably cost more
time or more money or more metal
to actually make these
things more secure.
COLTON OGDEN: That's true.
We talk about so many things that
are kind of depressing, negative,
but it's fun occasionally
to maybe shine a brighter
spotlight on some of the more
positive, fun things going on.
And you actually brought
this to my attention.
They released a 30th anniversary
edition of Hitchhiker's Guide
to the Galaxy, which is a game that
you remember playing years back.
DAVID MALAN: Yeah, and it's probably
my favorite book by Douglas Adams,
Hitchhiker's Guide to the Galaxy.
I've read it a few times.
And I'll admit I've started
reading it more times
than I've actually finished reading
it, but I do really enjoy it.
And, years ago, growing
up, there was a company
called Infocom that made
a text-based adventure
game around Hitchhiker's
Guide to the Galaxy
where there is no GUI, no
Graphical User Interface.
It's all text.
And so the first line in
the game is essentially
a statement along the lines
of you wake up, and it's dark.
And you have to start typing commands
like look around or turn on lights--
sorry, spoiler, 30 years later though--
in order to figure out where you
are and what you can do next.
And it was a really rich game
textually because the authors would
describe what it is you're seeing.
And so it kind of puts
into your mind's eye
what the scene is without
actually having to see anything.
And, in fact, fast forward
to decades later when
the Hitchhiker's Guide to the Galaxy
movie came out, like probably 10 years
plus ago now, it really did not
look anything like the book looked
and the game looked like in my own
head, which was an interesting contrast.
But it was such fun.
And, indeed, last
weekend I sort of escaped
into the virtual world
of this game, thanks
to the simulator that's now online.
Frankly, one of the
downsides of playing it
on an online simulator
now 30 years later
is that they've added to it
some images, which is nice.
It's sort of static images, akin
to what you'd see every few pages
in a nice black and white printed book.
But it also kind of spoils
the imagination that I had.
And so I didn't click
around enough, but I'm
hoping there's a button with which
to turn that off so you can just
play the purely text-based version.
COLTON OGDEN: Yeah, you'd
probably even get that probably
as a terminal program.
DAVID MALAN: Probably,
if I dug a little deeper.
And I will admit I got as far as lying
in the mud in front of the bulldozer
where Arthur Dent's house
is about to be knocked down.
That's not really a spoiler.
That happens like in the
first few pages of the book,
but then I got distracted or fell
asleep or bored or something.
So I'm going to have to try to
come back to it this weekend
and see how far I get.
COLTON OGDEN: It is pretty cool.
And it sort of reminds me of the podcast
where we talked about those Infocom
games coming out.
I'm guessing they're related.
They probably are.
DAVID MALAN: Yeah.
Well, and you mentioned
another release of a game
from yesteryear that you
really liked had come out.
COLTON OGDEN: Yeah, I mean, the old
and the new, we've talked about this.
So, with the old, this is an older game.
It's 30 years old.
But Minecraft is a very
famous game, very popular.
It was really huge,
especially in the early 2010s.
But it's approaching
its 10-year anniversary.
And they just released Classic Minecraft
free to play in the web browser.
DAVID MALAN: Oh, interesting.
Yeah, I never really
got into that, but it's
been big and gotten bigger
I think in recent years.
COLTON OGDEN: Yeah, no, I
mean, I would say it probably
reached its peak in maybe 2015,
2016, but, even to this day,
it's still pretty popular.
It's not Fortnite popular.
That's the new-- that's the new hotness.
And even that I would
imagine is probably
going to be out-competed at
some point in the near future.
I think it's just the
inevitability of games.
They come out.
People play them.
They get so enraptured by them.
And then the next big game comes
out, and everyone just sort of jumps
ship, more or less.
DAVID MALAN: Absolutely.
But I do have a fondness.
Granted, I grew up
with these older games,
albeit not Minecraft in this
case, where it's just kind of fun
to play these older 8-bit games or even
black and white games for which you
have such fond memories.
And even though, admittedly, they don't
necessarily hold my interest as much
anymore, I mean they really
were wonderfully done
and were cutting edge at the time.
And I think they really do speak to
the fact that some of the best games
really are about story or about
puzzles and about challenges
and not necessarily about like
3D-rendered graphics and all
that, which is certainly nice and
immersive and all the more compelling.
But you can have all of that, but
not have a good game, nonetheless.
So that's not what's perhaps core to
some of the best games from yesteryear.
COLTON OGDEN: Yeah, when I played
Minecraft in virtual reality,
I was terrified.
[LAUGHTER]
DAVID MALAN: The blocks almost got you?
COLTON OGDEN: There was
a cave in the distance.
And I've never been more
scared to go and do anything.
And that's a testament
to how powerful VR is.
And I can't wait to see--
I can't wait to get 3D movement with
like those treadmill devices and VR
altogether.
DAVID MALAN: Yeah, that will be amazing.
COLTON OGDEN: That is going to be--
that is going to be cutting edge.
DAVID MALAN: Gaming of
the future I do think
will be all the more immersive
and escapist for sure.
COLTON OGDEN: Yeah, we've
got to get some of that.
So takeaways then for today's
episode, what would you recommend?
DAVID MALAN: Play Hitchhiker's
Guide to the Galaxy.
If you Google this and
type in emulator, you
can find the anniversary edition on the
BBC's website, the British Broadcasting
Company, which has the simulator.
You might have to create--
actually, you do have to create
an account on their website
if you want to be able to save
your progress because I very
quickly realized, wow, you die
constantly in the text-based adventure
by taking too long or by
typing the wrong command.
So definitely go ahead and do that.
COLTON OGDEN: And play Minecraft.
DAVID MALAN: And play Minecraft.
So I think the takeaways there
are, despite all of these dangers
and threats in the world to your
privacy and security and the like,
there is plenty of ways to escape
it, including this weekend.
COLTON OGDEN: And I guess, when
trying to download software,
be mindful of the domains.
You know, find out for sure, if you're
not 100% sure what product you're
downloading or buying, that
you're at the right place for it
because it's so easy now, especially
to your point of all these TLDs
that are now available.
Someone could easily trick
you into thinking that you're
going to photoshop.info or whatnot.
And you're not getting Photoshop.
You're getting malware
installed on your computer.
DAVID MALAN: Yeah, absolutely.
Do you own photoshop.info?
Is that what's happening here?
COLTON OGDEN: I cannot confirm or deny.
[LAUGHTER]
DAVID MALAN: Well, maybe
google Photoshop in order
to download Photoshop.
COLTON OGDEN: But, yeah, I think
that's probably a huge thing.
DAVID MALAN: Awesome.
Well, thanks so much to
everyone for tuning in.
And, by all means,
chime in online if you'd
like to suggest some
topics for future episodes.
We'd love to chat about those as well.
COLTON OGDEN: Indeed.
This is the CS50 Podcast,
episode 4, zero indexed.
DAVID MALAN: Take care.
COLTON OGDEN: Bye bye.