COLTON OGDEN: All right, everybody.
This is CS50 on Twitch.
My name is Colton Ogden.
I'm joined today by.
NICK WONG: Nick Wong.
Hello, I'm back.
COLTON OGDEN: He's been
here several times.
Last time we talked about Linux commands.
NICK WONG: Yes.
COLTON OGDEN: Which was awesome.
NICK WONG: We tried to
talk about Linux commands.
COLTON OGDEN: [INAUDIBLE]
because if we go to this screen,
we have the screensaver that you showed
us how you set up, which is awesome.
The very first stream that
you talked with us about was--
what was the first one?
NICK WONG: Machine learning, I think.
Yes.
COLTON OGDEN: Machine learning.
[INAUDIBLE] you did
showcase this as well.
NICK WONG: Also showed this off.
I really like this one.
I think it's super cool.
Whoever made cmatrix should really--
this is an advertisement for your program.
You did a great job.
COLTON OGDEN: What are you going
to talk about today on the stream?
NICK WONG: Yeah, so
today we're going to talk
about AWS, which is Amazon
Web Services, in case you
have not heard of everyone's favorite
kind of infrastructural support.
And we're going to build
some web servers on it.
That's a very vague term.
All sorts of things are web servers,
like mail servers and stuff like that.
But we're going to talk
about kind of everyone's
kind of mental conception of it: it'll
deliver a web page to us in some shape
or form.
COLTON OGDEN: So Amazon
Web Services is being
kind of our ability to have a server in
the cloud as opposed to just somewhere
in a building somewhere, basically.
NICK WONG: I don't have to lug
the giant rack server around.
Amazon does that for us.
COLTON OGDEN: Amazon does
all the hard work for us.
Let's go ahead and look
at all the chat here.
We have quite a bit of people.
So [INAUDIBLE] earlier testing.
So bhavik_knight, [? Iso TV. ?]
We have a lot of regulars here.
So bella_kirs. [? Iso-TV, ?]
I believe, followed us last time,
last stream, which was yesterday.
I apologize if it was before that.
Yesterday I think I had seen
the follow notification.
He or she is saying, yeah,
yesterday was awesome.
They're talking about pizza party where
everybody offered to have a pizza party
yesterday if I chose
the right spaceship.
They had a debate which
spaceship we should choose.
NICK WONG: That's kind of cool.
COLTON OGDEN: [INAUDIBLE] All kinds of
fun stuff. [? Asley's ?] in the chat.
Hello, [? Asley. ?] Nuwanda3333.
Jabkochason, who was a
new person yesterday.
[? mclopenberg. ?] Robert Springer.
Hello, Robert Springer.
Brian Rodriguez.
Good to see you.
And GregDoesThat.
First timer.
Be gentle, please.
NICK WONG: Wow, all right.
COLTON OGDEN: I think [INAUDIBLE].
NICK WONG: Yeah, it's going
to be pretty non-technical.
COLTON OGDEN: Yeah, it's kind of a nice
beginning introduction to if you have
a website you want to set up somewhere.
NICK WONG: Yeah, exactly.
COLTON OGDEN: Much easier to
do it now than it was probably
20 years ago, right?
NICK WONG: I think it's a lot easier
than the days of manual web pages
and web directories kind of just
being exposed willy nilly and PHP.
COLTON OGDEN: Oh yeah.
NICK WONG: Although I guess we'll
actually probably talk about PHP.
COLTON OGDEN: CS50 used
to teach in PHP, and we
convinced David to switch to Python.
NICK WONG: Thank God.
COLTON OGDEN: That was a fine shining
moment, I think, for all of us.
NICK WONG: Yeah, I'm very
grateful for that switch.
I think when I took CS50, we
had switched to Python by then.
Thank God.
COLTON OGDEN: I think it was 2016.
NICK WONG: Yeah, that
was the first year.
COLTON OGDEN: First year.
NICK WONG: Dang.
COLTON OGDEN: It was a good year.
[LAUGHS]
NICK WONG: Yeah, no more PHP.
Actually just to be clear, there's
nothing inherently wrong with PHP.
I just think it's a lot less elegant
and a lot less clean than Python.
COLTON OGDEN: [INAUDIBLE]
I just think it's
a lot more terrible than [INAUDIBLE].
NICK WONG: Yeah, I just don't like it.
COLTON OGDEN: [INAUDIBLE]
To David's point,
they do have pretty good docs,
pretty good documentation.
NICK WONG: If you look at Laravel, it's
a beautiful framework written in PHP.
They do a great job.
I just don't use it.
COLTON OGDEN: It's super easy,
I think when it first came out,
for people to integrate
their HTML with logic,
which was hard to do at that point.
NICK WONG: It was I think
impossible up until that point,
because JavaScript wasn't
even really a thing.
Dang.
COLTON OGDEN: Got some other people.
So Andre's in the chat.
Hello Andre.
Thank you very much for joining.
Please do the stream like we
are a bunch of Jon Snows.
NICK WONG: Oh, like we know nothing.
COLTON OGDEN: Oh, got it.
Yeah, yeah, yeah.
NICK WONG: Man, when is that next--
sorry, not to sidetrack.
But we do that constantly.
It's fine.
When's that next season of
Game of Thrones coming out?
COLTON OGDEN: Let's find out.
NICK WONG: Is that next year maybe?
COLTON OGDEN: Game of Thrones.
I've seen advertisements for it.
Game of Thrones season eight.
I think it's season eight, right?
Eighth and final season was announced
in July 2016, but [INAUDIBLE].
NICK WONG: Not helpful.
COLTON OGDEN: Premiere April 2019.
NICK WONG: Oh wow.
COLTON OGDEN: So April 2019,
tune in for Game of Thrones.
[INAUDIBLE]
NICK WONG: We're getting there.
The end of the school year.
That's perfect.
OK.
Sweet.
And people, I don't know if you guys
just have faster Google than we do
or if you're just smarter.
You always manage-- because I know
the stream lags a little bit, right?
COLTON OGDEN: [INAUDIBLE]
NICK WONG: So the fact that y'all get
that at around the same time as we do
is impressive.
COLTON OGDEN: Maybe they knew already.
They're fast.
Lightning fast.
[INAUDIBLE] can't wait.
NICK WONG: That's awesome.
Yeah, me neither.
Cool.
COLTON OGDEN: All right.
NICK WONG: All right.
So then we're going to get started.
As always, we don't have
a whole lot prepped.
We're just going to kind of
literally sign in in front of you.
And by that, I'm not
going to type everything.
Sorry, this is--
I'll go back.
COLTON OGDEN: Zoom in just a little,
because I think it's a little bit tiny.
NICK WONG: Oh, we can--
oh, nice.
Go Amazon for making
that responsive design.
So this is aws.amazon.com.
It stands for Amazon Web Services.
COLTON OGDEN: Let me toss that in
the chat as well. aws.amazon.com.
NICK WONG: Make sure
there's no hidden parts.
Yep.
There you go.
And so we can log in there.
If you're a student, then you
actually get a bunch of free credits
and all sorts of perks that I
probably don't take full advantage of.
If you're not, then there's all
sorts of free tier things associated
with the Amazon accounts.
So you can do all of what we're
about to do totally for free.
AWS is really cool in that
it basically gives you access
to kind of, as Colton said, just
any sort of server resource,
really, that you could possibly desire.
Now, I think there are
a bunch of articles,
and we'll talk about this a little bit
later, but there are a ton of articles
online about how to mine Bitcoin
with Amazon Web Services servers.
And I would argue that they're
almost all not worth it.
It's cool as an exercise.
Totally not worth the resources.
You do have to pay above some
certain resource usage on Amazon.
COLTON OGDEN: I feel like it
would be really expensive.
NICK WONG: It gets
pretty expensive, yeah.
And I don't think that anyone
has formally studied this,
but I would imagine just
kind of by intuition
there is no service on Amazon
that is powerful enough
to make you more Bitcoin than you are
losing for paying for the service.
So just as an FYI,
don't get scammed by that.
We're going to be working
with EC2 instances.
And they are basically your own personal
versions of instances that run servers.
And when I say instance,
I basically mean
that there is some server
physically located somewhere.
And they actually have
different regions.
So I'm in the Oregon region
because it's closer to my hometown.
They didn't have the North
California region for a while.
So I would have otherwise chosen that.
But they have these
physical kind of just data
centers of just racks
and racks of servers,
and there's all sorts
of resources there.
And what this does is it kind
of gives you a high level
interface over those resources.
You can specifically request
to have your own hardware.
It is more expensive.
That one is not free tier.
But for the free tier stuff that
we're going to be doing today,
you actually kind of just get given
a virtual machine within a server.
So any one physical server is probably
hosting hundreds of virtual machines
on it.
I think that would be a
lot more cost effective
than giving every single person
their own server without request.
COLTON OGDEN: You can
imagine millions of machines.
NICK WONG: Yeah.
And it would be awful.
Very difficult to maintain.
Although Amazon has-- for a company
that makes, what, 230 million--
or sorry, billion.
200 billion, I think, per year.
Apple's the one at 230
billion, which is absurd.
[LAUGHS] Cool.
So we're going to go into--
I have a couple of running instances
for just varying things I do on here.
But we can also now see the interface
that is what's going on up here.
You'll see the instance type.
So most of these are micros.
The only one that is not is the one
that I run for an organization here.
And we just happen to need the extra
resources for what's going on there.
Everything else, there's
a bunch of resources here.
There's all sorts of cool
things that AWS lets you do.
Like these status checks I
don't really use a whole lot,
but you can set up all
sorts of things for if you
have some sort of integration testing
or some sort of the servers up or down
or certain services on
a server up or down.
Then that can notify you.
There's these alarms that
do very similar things.
They basically implement the
notification part of that.
The key name is the key--
whatever-- we'll talk
about this in a second,
because you use SSH to
access your server once
you have created it,
with very few caveats.
And this is the name of the
key file that was handed back
to you when you tried to set it up.
There are all sorts of
monitoring you can do,
and then there's some
other data over here.
The thing with AWS that can make it
a little bit difficult for people
beginning, and we will
definitely talk about this
and just kind of experience it when
we go and set stuff up, is AWS sets
things up very modularly
and very extensively.
It's actually a really
good feature, not a bug.
But it can be very buggy feeling
when you are just getting started
and you're like, what's
a security group?
What's a user group?
What are these access things?
Why do I need all of this?
And a lot of times, for a
lot of simple use cases,
you don't need all of those things.
But for kind of business and
enterprise use cases, you really do.
And so what we're going
to do is we're going
to just kind of launch a new instance.
And what that means
for us is we're going
to ask Amazon to allocate to us some
sort of new server resource for us.
We're going to open up a micro instance.
And sorry, because we're doing live,
we will have the spinny ball of death
basically a couple of times.
And we're going to spin
up some Linux instances.
You'll see that they usually point
out if they are free tier eligible.
And that's what we're going to try
and stick to, because we don't really
want to spend too much money.
I'm a student.
I don't make a whole lot of money.
So we're basically just trying to
keep everything as cheap as possible.
You can even select the
type of architecture
over on the right hand side.
It's not super visible in the chat,
but I'll move that right there.
It's over on the right hand side.
It's between Colton and myself.
COLTON OGDEN: [INAUDIBLE] might
be a little bit [INAUDIBLE].
NICK WONG: So basically, what you can
do here is you can select architecture.
We're going to leave
it in 64-bit (x86_64).
And I'm going to pick an Ubuntu server.
I happen to really like Ubuntu.
I think it's super
versatile and very clean.
It's a really nice version of Linux.
So I'm going to use that.
And we can go ahead and click Select.
And then it brings up
a bunch of options.
We don't have to really
deal with too many of these.
Our server is not really
going to have too much load
unless you guys all hit it at once.
Please don't.
Or go for it, I don't know.
We'll get there when we do.
That might crash it.
But otherwise, I don't really
have to deal too much with this.
You can scroll down.
There are quite a few
different kinds of server,
and there's all sorts of
options and parameters to them.
They'll tell you if they have
solid state drives, which
are going to be a little bit--
there's certain reasons you
might use a solid state drive
over an actual spinning hard drive.
Hard drive space is
a little bit cheaper.
Solid state drive is a
lot more expensive to use,
but it has all sorts of benefits
as far as robustness and speed
and things like that.
And then you also have the
number of, as they say, vCPUs.
Depending on whether
or not you ask Amazon
to allocate an actual server,
like physical hardware for you,
that might be a real CPU.
It kind of depends on how
it's being allocated for you.
COLTON OGDEN: It's like an abstraction.
NICK WONG: Yeah, it's an abstraction
away from the actual hardware CPU
so that they're promising what
they actually are giving you
rather than something a little bit more.
This is the memory.
So RAM.
Something to keep in
mind for people beginning
with some sort of CS experience or
career is memory does not mean storage.
It is literally the active
memory of your computer.
You can kind of think of what you can
keep in your head at any one time.
It's RAM.
So Random Access Memory.
Your actual storage, I don't
remember what EBS stands for,
but this basically just
means that we're not getting
any sort of fancy caveated storage.
This will probably be some
sort of hard disk space that's
shared with a bunch of other people.
COLTON OGDEN: Is it Elastic Beanstalk?
NICK WONG: Yes, there we go.
It's the other service that Amazon has.
But this one is not particularly--
we're not getting anything special.
It will be the minimum storage
that they can hand to us.
COLTON OGDEN: David was just talking to
me about Elastic Beanstalk yesterday.
And I still don't know
too much in detail.
NICK WONG: That's all right.
COLTON OGDEN: Brenda in the chat did
say she's never seen Game of Thrones.
Shout out to Brenda for joining us.
NICK WONG: Wow.
And for being brave enough to say
you've never seen Game of Thrones.
COLTON OGDEN: I know.
[INAUDIBLE] brave thing to say.
iamakostik says, hello, CS50.
Can I host a website on AWS?
NICK WONG: Yes, you can
totally host a website on AWS.
In fact, that's what we're going to do.
This is the hosting part of it.
In fact, domain names and hosting
are pretty much entirely separate,
although a lot of domain name
providers, like GoDaddy or domain.com
actually allow you to purchase hosting
on top of the domain name itself.
But you can purchase just a domain name
for like $3 depending on the domain.
But you can purchase just the
domain and have it do nothing.
I happen to have a bunch
of domains that do nothing.
COLTON OGDEN: So that when you
do have that killer website.
NICK WONG: Exactly.
Then I can just throw
it behind that domain.
And so then hosting is something
that you can do on Heroku.
You can do it here.
You could do it on Microsoft Azure.
You can do it on I think
Google has hosting services
that would also be really good.
You can do it any way
you'd like and then
just kind of throw that hosting
service behind the domain name.
COLTON OGDEN: Looks like
Robert Springer said, did you
say we can follow along for free?
NICK WONG: Yes.
Yeah, you can totally
follow along for free.
All that we're going to do here
is going to be entirely free,
open access, open source.
Even the kernel is open source, if you
wanted to be really precise about that.
So yeah, just all it requires is
that you have an account with AWS,
and that's it.
If you're a student, you
can do even more things
that technically wouldn't have
been free but are free for you.
COLTON OGDEN: Why do you choose
AWS over Azure or Google Cloud?
Is it more cheap or more functional?
Just curious.
NICK WONG: Sure.
So that's actually a
really cool question,
because up until a little while
ago, that wasn't a question.
People just chose AWS.
There was no other real alternative.
COLTON OGDEN: Didn't they have pure
market share for like seven years?
NICK WONG: Yeah, for a very long time.
I think seven years is about
right, which is insane.
I mean, that's a monopoly.
And the United States
actually has a couple
of interesting court cases
against tech companies
where they don't know how
to define a monopoly as it
applies to tech companies.
They struggle with it,
actually, quite a bit.
There is a famous case
in 1995, I believe,
or in '98, one of the two,
where the United States went
against Microsoft for being a
monopoly because they had packaged
Internet Explorer into Windows.
And that was a really cool court
case, because Microsoft lost.
They lost that court case
and paid a hefty fine for it.
And then they made a
commercial, I believe,
or some sort of
advertisement of Bill Gates
dancing and basically not caring
that they had lost this court case.
Because I think that was one of the
last major ones against a tech company.
So yeah, sorry, it's kind of a
tangent, I just think it's really cool.
The reason I choose AWS
over Azure or over Cloud
is because I started
using it, actually, first.
It was just kind of the
only service at the time.
Google Cloud I do use
for a couple of things,
particularly if I'm using very
Google heavy sources or resources.
So if I'm using a bunch of Google
APIs and I'm using Firebase
and I'm using a bunch of other
stuff that's all related to Google,
then I'm going to switch over to Google
because it's just a little bit more
convenient.
They have more tutorials
that just naturally
are going to integrate
with their own services.
AWS does a lot of the same thing where
if you are trying to set something up
and you're using AWS's domain
names and you're using,
I think they call it Route 53.
And so AWS's domain names, you're
using Beanstalk, you're using EC2,
you're using S3 buckets, then it's
a little bit more convenient for me
to just kind of follow the
whole tutorial by using AWS.
And so for this, I'm
going to recommend AWS
because I know they have all
sorts of free tier stuff that
can be easily scaled, and they're
really good for an enterprise solution.
So if you happen to want to go to a--
what do you call it?
Like some sort of commercial
solution, then this
is actually a really
good service for that.
It scales really well.
It scales at low cost.
But Microsoft Azure is
also a great service.
I think it's a little bit less
developed than Amazon Web Services.
And then Google Cloud
is quite well developed.
They do all sorts of cool things.
I just happen to use AWS for this.
And looking in the chat
at the bottom, I just
happened to notice that
Bill Gates was pissed off.
I'm sure he was.
But then they responded to it
in a very kind of comical way.
I think the response to the loss of
that court case was pretty hilarious.
And very, I think, emblematic of how
tech companies view the United States
court system at the moment.
Cool.
So Brian Rodriguez says, gotta run.
Have to catch the rest
of the stream later.
Love to know your thoughts
on when it might be better
to use this over something like Heroku.
And actually, that is
a great thought that
will help us lead into the next
thing that we're going to do.
So we'll talk about that right after we
read through the rest of the comments.
COLTON OGDEN: Staypeaceful89,
hello Colton, hey everyone.
Hey, staypeaceful.
Glad you're joining us.
Is this AWS S3? says twitchhelloworld.
NICK WONG: Right.
So AWS has-- that's
one of the few things I
think is super annoying about how
you try and figure things out.
Their naming system is
not the most conventional.
Like Elastic Beanstalk, I don't
necessarily inherently intuitively
know what that means.
And I don't necessarily
know what EC2 means.
It's the way that we host things.
S3 is the way that you store stuff.
It's a storage bucket system.
We probably won't touch
on that today, but if we
do a livestream about
Heroku and hosting there,
then we will certainly talk about it.
COLTON OGDEN: Makes sense.
And [INAUDIBLE] posting,
please explain step by step
how to host a website
on AWS, says iamakostik.
NICK WONG: And that is our video.
So that will happen.
COLTON OGDEN: Frameofref, I believe
they then moved the Microsoft campus
to Canada right across the border.
NICK WONG: Yes.
COLTON OGDEN: I think that
Bill Gates was pissed off.
NICK WONG: They did a bunch
of stuff that was kind of fun.
COLTON OGDEN: AWS requires a credit card
if that's an issue, says [INAUDIBLE].
NICK WONG: Good to know.
COLTON OGDEN: But do they
charge the credit card?
NICK WONG: I do not believe so.
They just require it in case you
go over your hosting limits, which
is pretty hard to do.
You'd have to be
basically mining Bitcoin.
COLTON OGDEN: Which you might have
a little bit of experience with.
NICK WONG: Which I might have done that.
COLTON OGDEN: [INAUDIBLE] since
you use Google a little bit,
do Google and Microsoft Azure also have a
free tier or a free tier for students?
NICK WONG: Yes.
So they certainly have
all sorts of, I would say,
above free tier things for
students that are free to students.
Actually, as pointed out in the chat,
Google offers $300 in free credit
to students.
I believe Azure offers 150.
Don't quote me on that.
They do offer money for students.
There's basically a whole
student developer bundle
and you get all sorts of stuff for free.
And if you're not a student, then
they do also have free tier things.
I know you can use Azure for
free being not a student.
But I think that their
access is a little limited.
They do have a little bit less
resources available than AWS does.
Cool.
COLTON OGDEN: That was good.
Think we're all caught up on the chat.
NICK WONG: Awesome.
And so answering the
question above as to why
you would use this as opposed
to something like Heroku,
let's say that I want to control
everything about the server environment
itself.
So I want to configure
some sort of parameters.
If you are maybe leading
a cybersecurity club
and you need to be really sure about
how everything is hosted independently
and I need to actually set up some
sort of interface on top of a docker
container spin up and
spin down, then I'm
going to want to use AWS
as opposed to Heroku.
Because Heroku is not
going to let me do that.
Excuse me.
Heroku is really, really good
for hosting all sorts of websites,
having them integrate
with things through APIs
and web hooks and stuff
like that, but not
necessarily all that great if
you want to control everything
about the environment that
is kind of the server itself.
Whereas AWS, you just
get handed a server.
Whatever you do with that is up to you.
They have all sorts
of policies and things
on not hacking the government
through their servers.
But you can do all sorts
of cool stuff on your own.
So what we're doing here is
we picked an entire server.
We picked a general purpose t2.micro.
And again, their naming
system, it's out there.
But it basically just means that we're
going to be able to use it for free.
It doesn't have a
whole lot of resources.
It has one CPU.
Well, one virtual CPU and
one gigabyte of memory.
And it has they say low to
moderate network performance.
I would classify that as actually
pretty good network performance.
For most purposes, that's
actually really cool.
And then we're going to go
ahead and review and launch.
And you'll notice there was a
button I kind of ignored which
was configure all sorts of details.
I'm going to not configure any details
so that we run into some problems
that people run into all the
time so that we can fix them
in front of you guys instead of just
pretending that we didn't have them.
Because there are some
problems that will
arise by just kind of ignoring
security groups and stuff like that.
Now, you get asked to
like create a pair.
I'm going to create a new key pair so
you can see what this might look like.
We're going to call this AWS Twitch.
Live coding or live
typing is just the worst.
Wow, was Twitch Demo.
You gotta love that auto correct.
And I'm going to download that key pair.
And what this basically means and what
this is talking about is SSH keys.
Oh, right, so you can actually
now see my private key.
Doesn't really matter.
I'm not going to keep
this up for too long.
And if you want to go and
hit my device, that's fine.
Technically, if you were to
sit down and type this all out,
you could actually have
access to my server as well.
However, it's not going to
outlive the length of the stream,
and I don't know, if any
of you wants to really type
that quickly, knock yourselves out.
It's not worth it.
Do it yourself.
COLTON OGDEN: OCR.
NICK WONG: Yeah, actually.
Don't give them ideas.
That would actually probably work.
So yeah, this is my private key, which
you should show anyone, by the way.
Don't ever do this.
This is a terrible idea.
COLTON OGDEN: The first thing
you showed try not to do.
NICK WONG: Yeah.
So don't do this.
This is bad.
And the reason for that is it
gives you access to my AWS instance
if you would like.
So yes, in the chat, they point
out no need to type it out.
Use Google Lens.
Great.
I'm really glad that we all have so
many suggestions on how to do that.
Yeah, so actually, I guess as a pathway
to it, you could take a screenshot,
throw it to Google Lens, it would tell
you the patterns, and you could try it.
Yeah, awesome.
So if I see a bunch
of you on my machine,
I'm going to try my best
to kick you all out.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: It'd be kind of cool.
Actually that's a good challenge.
We'll kind of keep that as a side
path for what's going on here.
So what I'm going to do
is I have a directory
in my home directory called SSH.
It's a hidden directory.
So it starts with a dot.
And I'm going to just copy--
I think it's under Downloads.
And I called it AWS Twitch Demo.
And I'm going to copy that to here.
I'm going to move that to just dot pem.
You also have to chmod.
COLTON OGDEN: Oh, sorry.
NICK WONG: Oh, sorry.
COLTON OGDEN: I was gonna say
kaloiiii, thanks for following.
And Robert Springer
followed just as we started.
So thank you very much
for following as well.
Sorry, didn't mean to interrupt you.
NICK WONG: No, it's all good.
And so I'm going to do what's called
a change modification or chmod.
COLTON OGDEN: They're also saying
your terminal is kind of hard to see.
NICK WONG: Oh, right.
No, you are absolutely right on that.
That should be much better.
COLTON OGDEN: Yeah, that is.
Thank you.
NICK WONG: Sweet.
So what I have in here is a
bunch of other PEMs and stuff
and I will do my very best
not to cat any of them.
Oh God.
And then I also have a
subdirectory called keys.
And what I'm going to do is
I'm going to chmod this.
600 will work.
I actually prefer 400.
Doesn't really matter.
It's slightly tougher restrictions.
That makes it so that SSH doesn't
freak out when I try to use that.
And then what I can do is move
that into my keys subdirectory.
Whoops.
And I just like to keep
everything really organized.
So then what I can do is I can SSH
using that authentication file.
AWS-- or sorry, that's in keys.
Keys slash AWS Twitch.
Wow, do I have multiple
keys starting with AWS?
Cool.
And then the default user for
an Ubuntu machine is Ubuntu.
And oops, that's the other direction.
Now that I've done that, I can
actually launch this instance.
So none of you could have
possibly gotten onto the instance,
because it didn't exist
yet, which is good.
I am a fan.
And so we will wait while that launches.
The only thing that I had
a problem with with the AWS
console, and they've been slowly
fixing this as they-- or not slowly,
but they've been fixing it as they go.
Is it is a little slow and it
feels a little clunky to use.
So if there's any AWS
reps watching this,
I do kind of get annoyed by how
kind of weirdly clunky it feels.
Feel a little 2005.
So we're going to go back into EC2.
And it will hopefully be up.
It's getting there.
It's not named, but I'm going
to call it AWS Twitch Demo.
I don't know why I did that in all
caps, but it sounds cool and aggressive.
So we're going to go with that.
You'll get the spinning blue ball
of not death but we'll say patience.
COLTON OGDEN: Relaxation.
NICK WONG: Yeah, relaxation.
I've never been in a position
where that's relaxing.
I'm always like, all right, let's go.
I'm running late to a class.
It's never fun.
And I'll reload the page too because
I'm not fully trusting in there.
Yeah, see.
I don't always trust
the way they do that.
If you're colorblind, these green--
I don't actually know what
other colors these turn.
For me they're all green.
But I imagine that they change color.
Is this one different
than this one in color?
Stop versus run?
COLTON OGDEN: Are you colorblind?
NICK WONG: I am, yeah.
COLTON OGDEN: Oh wow, OK.
TIL.
So this one right here, that's like
an orange color, and that one's green.
NICK WONG: Nice.
Yeah, so another thing for AWS if they
want to add that to their development
docket, not that it would matter,
but kind of for use cases and things
would be to allow colorblind people to
be able to see what's going on there.
So I pulled up the AWS
Twitch Demo's kind of stats
and all sorts of things
in specifics here
by clicking it or just selecting it.
And it has this public IP address.
And so I copy that.
And they actually have
this cool little widget.
Copy it to clipboard.
That's what I do.
And now I can SSH into that.
I'm going to paste
that into my terminal.
Which it did get cut off a
little bit, but no worries.
And when I run this, it'll tell me, hey,
it has a fingerprint you don't know.
And I say yes, so it's going
to add it to our known_hosts.
And now I'm logged in, which is great.
Now, none of you guys are logged in.
I appreciate that.
w, as a kind of throwback to
last week, is the who command.
It tests who's on the machine.
It hasn't been up for very
long, so that would make sense.
If I [? cd ?] into .ssh, I
am actually able to do sudo su.
So I can take full
control over this computer
and I can remove authorized_keys.
And you guys would
all be like, no, wait.
Because now you can't log
back in, which is great.
So the SSH key that you guys
all saw is no longer useful.
However, if I get logged out by
some sort of network time out
or breaking a pipe or something,
I am actually screwed.
I can't log myself back
in, which means that I
would have to spin up another instance.
But I'm totally OK with that,
because spinning up these instances
or spinning down, taking snapshots, all
sorts of things, actually very easy.
And Amazon makes that super convenient.
So yes, just verifying that
there's no one else logged in.
That's just me.
So cool.
Now you guys are not able to log in.
Nothing against you.
I'm just, I guess, showing
a little bit [INAUDIBLE].
COLTON OGDEN: You're part
of the cyber security club.
You gotta be--
NICK WONG: Should really
not get hacked live.
That would really suck.
COLTON OGDEN: Although, I mean, that'd
be a great test of skill, though.
NICK WONG: Yes.
COLTON OGDEN: How can you--
NICK WONG: That'd be very fun.
COLTON OGDEN: How effectively
can you deter [INAUDIBLE].
NICK WONG: It is something
we do in our club, actually.
And I guess we'll do a kind
of play run of this coming
up on one of our streams.
COLTON OGDEN: [? Cali, ?]
what it was called?
NICK WONG: Yeah, [? Cali. ?]
And we will we will kind of
throw Colton kind of against myself.
But I mean, that's not super great.
It's a little unfair.
I've just seen it before.
Colton's definitely capable of it.
COLTON OGDEN: An infant against
a very strong grown man.
I don't know about that.
NICK WONG: It's not
super fair, actually.
Cool.
COLTON OGDEN: They
were saying Nick can't
see how awesome the screensaver is.
Actually, how much of your
screensaver can you see?
Are you just red-green colorblind?
NICK WONG: So I'm deuteranopic.
So red, green, blue, purple and
a couple other colors in there.
According to my eye doctor,
it's like 20% of colors.
I don't really notice
it in my daily life.
I still think my
screensaver is really cool.
I just imagine you guys think
it's even cooler, because you
can see even more colors than I can.
COLTON OGDEN: That's fascinating.
Somebody else also
mentioned something up here.
NICK WONG: I think someone
said that they are also--
COLTON OGDEN: Yes, somebody did.
Yeah, [? Fatma, ?] by the way, thanks
[? Fatma ?] for joining Forsunlight,
same here, Nick.
NICK WONG: Appreciate it.
COLTON OGDEN: And Imran Ahmedh
said Colton and Nick, nice combo.
NICK WONG: I agree.
COLTON OGDEN: I have to agree.
I think that's-- oh, can
you lock the EC2 instance,
only accept connections from your IP?
NICK WONG: Great question.
Love it.
So stooshbatis asks, can you lock the
EC2 instance to only accept connections
from your IP?
Yes.
Actually, that deals
with security groups.
So actually, that doesn't
really matter now.
You guys can look at
that all you'd like.
But yes, it is a really
good question, and it's
something that causes a
lot of bugs when people
go to set up their first
website on an EC2 instance
is they get these security groups.
You can see it here and here.
Launch Wizard 1 is the
incredibly creative name
for the first security group.
COLTON OGDEN: stooshbatis, by
the way, thank you for following.
NICK WONG: We appreciate that.
And so it has all of these
inbound outbound rules.
And if you're not super familiar
with kind of ports and IPs
and networking rules in
general, then don't worry.
We're going to kind of talk about
this as if it was at your house,
except with weird rules that
don't exist in real life.
You'll notice that the inbound
rule, like if I was in my house,
this basically means the only
thing that I allow coming into me
or coming in to talk to me is SSH
through TCP or through port 22.
So what this basically does is
it says you can only SSH into me.
Any sort of web requests,
like a port 80 or a port 443,
is not going to go through.
I'm going to just drop it.
And actually AWS is going to
drop it kind of before it even
gets to your computer, before
it even gets to that server.
So basically, what I did, which
is where I SSHed in on my own,
that was totally valid.
However, any other sort of
operation, if I tried to Telnet 80,
not going to work.
And then you notice that
there's the source 0.0.0.0/0,
which means from any sort of
range within just anybody.
And just kind of the blank.
I would think of it as the
wild card for IP addresses.
Totally valid.
All of them are totally OK.
Now, outbound my guess or my intuition
should be that anything out is OK.
And that is true.
That's totally fine.
And actually, a lot of network
administrators make the same mistake.
They say that all outbound
traffic should be totally valid.
However, if you have a mail
server, why should it ever
be requesting port 80? That is a good
question, and it's a question
we ask in cybersecurity all the time.
In fact, a lot of network
administrators set up their servers.
They have an internal mail server.
They have an internal
data storage server.
And those servers have the outbound
rules set to just anything goes.
And the reason that
that's kind of dangerous
is let's say that I manage to get a
shell that reaches out but does not
really reach back in or do anything.
I don't have to attack directly.
I just kind of get a shell
somewhere onto your database server.
If your database server allows
connections back out through port 443,
then you might not notice because
that looks like normal traffic
otherwise that that database server
has actually opened up a shell
and it's paying back
outward, reaching out to me.
And I know that a lot of administrators
use that sort of configuration.
So this is a really dangerous
setup as far as an intuition.
However, in our case,
that works perfectly fine.
I'm not downloading anything off
of this server, which is good.
So it's something to keep in mind, and
it's something that we'll come back to.
You might intuitively say, oh, well,
I should edit these inbound rules
so that I can allow for HTTP.
And that would be a great suggestion.
So we're going to kind
of add that as a rule.
And now we've allowed--
sorry, the :: is the wild
card for IPv6, just as an FYI.
That allows HTTP traffic
to also ping our server.
Now, our server doesn't have
anything set up to deal with that.
So it's going to just kind
of go, oops, and drop those.
Or actually, I don't think
the default is to drop.
I think the default is you kind of look
around and see if anything's listening
and then drop it.
And we're actually
going to also add HTTPS,
which is just the secure version.
It uses SSL to encrypt packets.
It should be on.
There we go.
That's another thing where any
time you're looking in a list live,
it disappears.
The item you're looking for is gone.
It's not there.
But everyone else can see it.
There's no way that they can't see it.
Actually, it's the only
thing they can see.
Yeah, one of the perks
of doing things live.
I'm going to leave my
outbound rules as is,
but if I wanted to be really strict
about it, then I might modify SSH
or I might make it just very specific.
And a good network practice is
to only do things as needed,
because it basically helps you restrict
what's going on to actual use cases
that you're thinking of.
Otherwise you get these kind of unknown
use cases or undefined behavior,
give or take, kind of with an asterisk,
that you might not have expected.
And that's usually where
things kind of cause problems.
So just kind of the more you know.
And there's all these tags and things.
And you can do all sorts of
stuff with these security groups.
So cool.
Now that we've kind of
configured our security group,
we know that it's going
to be a web server.
So this allows web servers
to work totally fine.
We can go back to our Instances tab.
And as that loads, we will see
what's going on in our instance.
Now, we have access to our server.
Out of paranoia, I constantly
type W, just as an FYI.
And we know that we basically just
have a fresh Ubuntu installation.
So and sudo is actually not
needed here, because I am root.
Generally I would advise
not doing things as root,
but I'll exit out of root in a second.
Just because kind of keeping in
mind which permissions you have
and which ones you don't, that's a
good kind of safeguard and mental check
to keep.
And people are always
like, oh, it's annoying.
But it's a good annoying.
You should kind of sit
there and be like, well,
I'm really glad I'm
annoyed about this today,
because it prevented you from chmodding
an entire, well, the entire machine,
actually.
That would suck.
COLTON OGDEN: That would be rough, yeah.
NICK WONG: Yeah.
I've done that before.
I did that, actually, I did that
I think a year and a half ago.
I chmod-- I think I did this.
I think with the R?
COLTON OGDEN: -R, yeah, right.
NICK WONG: Yeah.
And then I was wondering
why nothing worked.
Because a lot of Ubuntu's
stuff and a lot of Linux
stuff is actually based on the
whole permissions restriction stuff.
So don't do that.
That command will screw things up.
And it was because I had
that same thought process.
So then we're also going
to install some stuff.
I think UFW is installed by default,
but we're going to just make sure.
Gonna also install Git just
in case we want to pull it.
And then anything else that I
really would like to have on here?
I think that's it for now.
We are going to install
some other stuff later.
But that's OK.
So I pulled Git onto our Ubuntu server.
You'll notice that this is fairly fast.
And there's no real evidence for that.
It's kind of an empirical observation.
On Harvard WiFi, I'm about the
same speed or a little slower.
So I like this speed.
I think it runs pretty well.
And so then what I'm going to
do is exit out of being root.
And we are now back into being
Ubuntu user, which is good.
And if you wanted to really verify
that, whoami also kind of works.
So then we're going to cd
into our home directory.
We've got nothing there, which is great.
So we are back into
color, you'll notice.
The color prompt is disabled for root.
And if you go into that comment
right above in your bashrc script
where it says the focus should not
be the terminal's pretty colors,
it should be the
commands you're running,
which was written by
someone who hated fun,
they actually have a very good
point there where root actually
gets rid of all color so that you're
kind of in a more serious mindset, I
think is the motivation.
So cool.
We are now here.
And we can set up all sorts
of kind of very basic servers.
Now, I'm trying to keep in mind that
y'all also know the IP of the server,
which means you can all connect to it.
So I'm trying not to accidentally
expose any sort of major security flaws,
at least not for very long.
But a kind of very
basic check that you can
do to make sure that you're actually
online is you can ping something.
Although updating and
pulling stuff also--
whoops.
Also guaranteed that we were online.
But just in case, we now
know we are connected
to some portion of the
internet, which is really cool.
I guess, I don't know, if that
makes you really happy, good.
If it doesn't, that's OK.
So we're keeping all of
our stuff set up here.
I keep wanting to go, what
questions might we have?
I'm in lecture mode at the moment.
What questions might we have
about what's going on here?
So that's a very basic setup of just
the server that's going on in AWS.
So the next thing that--
oh, that was the thing I needed.
Python.
I knew I was missing something.
We're going to install Python 3.
And that's going to
pull Python 3 for us.
We're also going to
install Python 3's pip.
I should have run that
in the same command.
That's OK.
And what we're going to do is
Python 3 has this really cool simple
HTT-- oh, there it is.
Yeah.
Simple HTTP server.
And that is-- love
going on Stack Overflow.
Simple HTTP server is something that
is really, really convenient for just
checking and doing all sorts of very
basic things with Python and for web
servers.
So we're going to just
also grab Python 3's pip.
And that's all we really need.
Bhavik_knight in the chat pointed out
that we also would like setuptools.
Totally valid.
I believe pip pulls setup tools.
It might not.
It might end up grabbing them as a
result of being run the first time,
if you don't have them already.
If not, then totally valid.
You can grab setuptools as well.
COLTON OGDEN: We do have
a few other comments
too if you want to read some of those.
And also thanks to Imran
Ahmedh for following us.
Appreciate it.
He says, Colton, a few days ago I sent
you a mail about outreach inquiry.
Would you please check that mail up?
Did you send it to
outreach@cs50.harvard.edu?
Because I don't get
those emails directly.
So if you want to
specify that in the chat.
GDE 1984.
Thank you very much for following.
[? PresidentMars, ?] you
should create a CS decathlon.
[INAUDIBLE] attack a machine,
50 push ups, et cetera.
NICK WONG: That'd be kind of awesome.
I'd be much more in shape.
Much more buff.
COLTON OGDEN: And then I guess some
of the people in the chat [INAUDIBLE]
and [? PresidentMars ?] are
sending each other postcards.
[INAUDIBLE]
NICK WONG: That's awesome.
COLTON OGDEN: Twitchhelloworld
has a question for you.
Have any thoughts about
the news stories today?
I think it's about malware and open
source libraries such as node.js
and earlier PyPI. Haven't
used open source libraries.
Thought of using those in the streams.
How does one protect against this?
NICK WONG: Right.
So there is a really--
I was listening to a cyber
security guy from Rapid7
give a speech at a cyber
defense competition
that I went to a couple of years--
or two years ago.
A year ago.
Something like that.
And he had a really good example
of why you should be really scared
of using open source software, which
was directly related to your question.
Basically being that people,
let's take node.js for example.
Pretty large system.
It's at least a couple hundred
megabytes, I think, give or take.
It's on the order of megabytes.
And there's a lot of data in there.
There's a lot of people
who have contributed to it.
And it's we'd say logistically
impossible to manually check
every single thing.
And even if you could, let's say it's
not logistically impossible, that you
could actually check every
single line of code that
comes into that repository.
It's very difficult for
you as a single person
or even as a group of people to predict
all possible behaviors of that code.
In fact, it's uncomputable.
You cannot compute the behavior of code.
Now, that is given with the
kind of generalist principle.
In general, that's not true.
Sorry, that is true.
That is mathematically true.
But if I do a certain
piece of code, you could
argue that it will do some things
with reasonably high probability.
I could argue that
typing out LS is going
to do something that I can predict
with almost 100% certainty.
However, given something
like node.js, you
couldn't necessarily look
through its entire repository
and know every single line of
code or every single function
is probably an easier way to
look at this behavior and all
the possible behaviors.
So what ends up happening
there is you don't necessarily
have any one surefire protection against
someone including malicious code.
Upon running this certain combination of
commands, open up a shell to the world.
That'd be really bad.
Let's say that you are
some major news network
and you host something
through node.js and you
happen to run that
combination of commands
just by virtue of running many,
many commands all at once.
And you've now opened up
a web shell to the world,
and the web shell is
such that it's persistent
and it continues coming
back even if you've never
typed those commands again.
Well, that's a huge problem,
because then your attacker only
has to wait until you run them.
And then you run them, sees the web
shell's open, and connects to you
and then takes over, steals information.
If they're smart, then they hide
themselves really, really well
and they never get detected and they're
constantly siphoning information.
And maybe the Wall Street
Journal or something.
So that would be really, really, awful.
And there's not necessarily a surefire
protection against that, actually.
There are a lot of really good iterative
coding practices that can help.
There is a difference between
dealing with bugs versus dealing
with malicious inclusions.
And that is another
kind of subtle problem
is how do you detect which one's which?
Let's say I submit an update
to your code repository,
a pull request, if you will, and you
include it in your code repository
and say, yep, looks good.
And then you discover a couple of
days later that it opens you up
to a certain security vulnerability.
Was that intentional or did I just
happen to overlook it and you did too?
I mean, that's kind of the
argument would basically be, well,
you reviewed my code, and
you thought it was good too.
So we're at equal blame here.
And I think that a lot
of people will generally
give you the benefit of the doubt.
Now, if your user name
is hackerman2017, I
might not give you the
benefit of the doubt.
But it is something to really--
COLTON OGDEN: [INAUDIBLE]
NICK WONG: I've totally
never used that, I swear.
There's all sorts of ways to
talk about this and deal with it.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Right.
[INAUDIBLE] Personal
experience [INAUDIBLE].
And so it is a great question, and
there's not a super satisfying answer
to it.
It's actually one of the reasons
that cybersecurity professionals
are so needed.
There's not a whole lot that
I can really tell you, like,
you're safe, don't worry.
Use open source software.
That is one of the problems.
That is one of the concerns.
Now, a lot of very, very smart people
are working on open source software
and are monitoring it and
trying to prevent this.
And you have the kind of the thought
is there are way more good people
than there are malicious
people on the development teams
and users of open source software.
So if I'm someone who's using the
Linux kernel, for example, which
is open source, then
there are enough of us
that want it to work well and secure
that if we discover someone is not
doing that, we will try to fix it.
We kind of as a community,
we will try and help.
Excuse me.
So there are some kind of protections,
and good coding practices definitely
help.
Simpler code is generally
harder to create
this sort of unexpected behavior.
If you can pinpoint out all
of its possible use cases,
technically you could secure that.
But something that I heard from
that cyber security professional
was nothing is really secure
unless you have built it yourself
and thoroughly checked
every possible use case.
And that would make for
a pretty boring computer.
Your computer probably
wouldn't be able to do much.
So we don't actually have
a computer or machine--
the government might,
but I would doubt it--
that's something that is purely
built, I guess, in a way.
COLTON OGDEN: Yeah,
because even the compiler,
you can trust the compiler [INAUDIBLE].
NICK WONG: Compiler can do
all sorts of nasty things.
You could build a compiler that just
appends a shell to the end every--
I always rely on like
the shell, because it's
one of my favorite very simple attacks.
But could just append something
that tags every piece of code.
Every piece of code that
comes out of a compiler,
actually they do have
compiler signatures.
So that's literally what it does.
If that was malicious,
then that would be awful.
So yeah, there's all sorts
of nasty things you can do.
Even the kernel could be malicious.
So kernel, compiler, these
are all low level things,
and most people wouldn't be
able to really detect that.
I wouldn't be able to detect that.
COLTON OGDEN: Mosman820, thank
you very much for following.
Imran says included in
the CC, [INAUDIBLE].
All right, I'll take
a look at that, Imran.
I don't recall offhand, but
I'll definitely check that out.
Ignorance isn't a defense
in the court of law.
LOL, GDE1984.
NICK WONG: That is a great point.
And I think it's something
that a lot of the older--
sorry, not to kind of tangentially go
on this, but I do love cyber security,
and we are talking about
building web servers.
Ignorance not being a
defense in a court of law,
at least not in America,
that is a really good point.
And it's something--
it's a kind of assumption
that a lot of our current lawmakers
and a lot of our current politicians
rely on, actually.
The problem is that if you're
losing billions of dollars,
doesn't really matter if they're
playing ignorance or not.
You're losing billions of dollars.
And so a lot of people
and a lot of hackers
are aware of that fact, which is much--
it takes a lot of precedence
over the whether or not
I can defend myself six months
from now in a court of law.
If I have taken down
your company, well, OK.
There's nothing you can do to me
that is so bad that I will not
get the satisfaction of
tearing down something awful.
And so I think those kinds of people
very clearly do not understand
just kind of the sake of society.
I would count myself
as a white hat hacker
who is trying to educate
people on why we should be
very aware of these sorts of problems.
But it is a good point that
the bad guys, in this case,
have a really good winning
strategy or they have a really good
not losing strategy.
And American lawmakers have a really
robust, very decent winning strategy.
But they're not playing not
to lose, whereas hackers are.
So you have a very different--
I think their goals don't align, and
you see that in these weird corner
cases where you see a
hospital get ransomwared
and then they pay the ransom.
What are you going to do?
You can't let patients die.
So it gets really interesting.
I think this is a very
interesting field.
We'll talk about it a lot more
in our cyber security discussion.
COLTON OGDEN: Yeah, the
[INAUDIBLE] cyber security streams.
Is it safe if it isn't
absolutely necessary
and just involves more work on my end to
just not include open source software?
NICK WONG: So when you say safe, yes.
If you fully trust
everyone who is building
all of the software and the software.
I mean, to a degree,
there's only so much
that you can be logistically paranoid.
I use this computer and I don't
know anyone who built it, really,
and there's all sorts of things that
can be done against me through it.
If Apple were a malicious, evil
corporation, they might be, who knows,
they could steal all of my information.
They would own all my bank accounts.
There's not much I could do.
And so to a degree, you do
have to surrender yourself
to that, unless you are willing and
capable of building something entirely
yourself.
However, even that is
only half the battle.
Let's say I go and I write my own
kernel, I write my own compiler,
I build everything, I build
it all in machine code.
So it's as low level as it gets.
I don't have to rely on
anyone else's coding.
I could even write my
code in computer language
and then build everything on that.
That in no way guarantees
that it's all safe.
I might not have kind of built something
using the institutional knowledge
that the developers of Python had.
They might be aware of some
very niche, very minor bug
that occurs only every
once in a while and never
really has to be dealt with
except in very particular cases.
And those people can
hack my computer now.
I'm not safe.
So there's this sort of problem with
even if you built it all yourself,
you are not necessarily any safer.
So I guess no, there's not necessarily
any way to be perfectly safe.
But generally speaking,
you can kind of bank
on a lot of these forces
working really well together.
COLTON OGDEN: Makes sense.
I mean, even Apple sometimes has bugs
that come out with their terminal app
after it's been out for years
and for a long time, right?
Had to step away for a moment, so
apologies if you already answered this,
but what's the difference between
using EC2 and AWS Lightsail [INAUDIBLE]
websites, says GregDoesThat.
NICK WONG: That is a great question.
I don't know enough about
Lightsail to tell you definitively.
My guesstimate would be that one of them
gives you full control and one of them
is more similar to
general hosting providers.
And since I know what
EC2 does, my guess is
that Lightsail is more similar
to usual hosting providers.
However, I'm not entirely sure on that,
and you'll want to double check that.
COLTON OGDEN: [INAUDIBLE]
like GoDaddy or whatever.
stooshbatis, this is why I write all
my compilers from scratch and machine
code for all my applications.
You get good at it
after doing it a bunch.
NICK WONG: Yeah, I'd imagine you're
probably pretty solid on that.
Have you ever thought
about teaching a course?
COLTON OGDEN: Yeah, that
would be pretty good.
Are you going to start something
like [INAUDIBLE] society
or any anti of that?
[INAUDIBLE]
NICK WONG: Not that I
know of at the time.
I feel like no comment is the way that
a president would respond on that.
Just I cannot say.
Not that I know of.
All right, so after telling
you that nothing is safe,
nothing will ever work, and
you should trust no one,
we're going to go ahead and trust
this device and these things.
I'm going to implicitly trust you
guys and not just DDoS everything.
And we're going to build
a simple web server.
So we have Python 3.
Oh my God.
-m, I believe, is for module.
http.server?
COLTON OGDEN: That was easy.
NICK WONG: I'm really glad
when I get the syntax right.
I'm out.
That's the end of that.
Cool.
I was just shocked that that
worked, because I don't usually
get syntax right on the first go.
Although I guess I had it open a
little while ago, so I was intuiting.
So we're going to copy
that in, and we're
going to go ahead and just
go and see what happens.
Now, I mean, if you're familiar
with what goes on in the web
and if you're familiar
with what this should do,
you should kind of intuit
what's happening here
and what will happen here.
I apologize for the web traffic there.
There we go.
Nothing.
And you're kind of like,
well, that's strange.
And then you look back at here
and you're like, oh, port 8000.
And you're like, oh, of course.
Now, if you're really
kind of hopping along,
you'll be like, this
won't work either, Nick.
You're an idiot.
And I'll be like, yes, you're so right.
Except this is the bug that
people run into constantly.
And if you look on an online forum,
they're like, my AWS does not connect.
I don't understand.
And that's a really--
I mean, I mocked the question, but
it's a very reasonable question given
that we've talked for
a little while, you
might have been reading a
tutorial for a little while.
You might have forgotten
that in your security group,
you actually only
allowed certain IPs in.
And you'll notice 8000
is not amongst them.
So when I try to go to
8000, that didn't work.
Now, if that sounds contrived,
then you are a god who's
never encountered that sort of bug.
[LAUGHS] I have
encountered it frequently.
And this is being someone
who's aware of that bug.
Now, we have the kind of
we'll say required wait
time as we cruise along through.
We'll have to give that a second.
We'll fill that with funny banter.
There we go.
There's only so many
ways that you can be--
no, there's, I think, many, many ways
that you can be humorous on the web.
Let's see.
We're going to add just
our own custom TCP rule.
COLTON OGDEN: Would you
say it's not computable,
the number of ways that you
can be humorous on the web?
NICK WONG: I love it.
Yes.
Our professors here would, I
think, either cringe or think
that was hilarious.
Or maybe both.
Who knows?
All right, so we now allowed it.
And AWS does a really good
job of making that instant.
Now, you might then go, wait a second.
This is terrible.
And I would thoroughly agree with you.
In fact, you all can go here
right now and check this.
COLTON OGDEN: [INAUDIBLE] successful.
NICK WONG: Right, so
that just tells you--
oh, [INAUDIBLE] my default. Love that.
If they're a file, it'll download them
by default. If they're a directory,
you can actually navigate through them.
So the Python simple server just kind
of serves your current directory.
COLTON OGDEN: So you're serving
your SSH directory right now?
NICK WONG: So if I had on this
server, if I had a bunch of SSH keys
and I had my own private keys
that were linked to other things,
this would have immediately invalidated
the security of all of those instantly.
Thank you for copying
that IP into the chat
so that everyone can insta click on it.
Really appreciate that.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: And if you're really kind
of thinking about this, I don't know.
And so we're going to
test this in a second.
But this is technically a web server.
We have technically
fulfilled all of the chat.
We have built a web server.
It works, I can get to it, and it even
displays the worst possible things
for me to be displaying to you.
So technically speaking,
we have accomplished
what we said in the Twitch stream.
Now, we're going to move
on and do other things.
But something that might
be kind of interesting
would be if the relative pathing works.
I believe Python simple server
doesn't let you do that,
unless you have a specific file
in mind, which they might do.
Yeah, it doesn't [? map. ?]
So it doesn't just
take you to that directory.
This is considered the root
directory of the web server.
And it is something
that you want to keep
in mind for web servers is they have
their own kind of root directory
structure.
And so if you're, I guess,
clever, if you're just
doing kind of basic good practices,
that root structure should be pretty far
away from your actual server.
And it should only be owned
by people like www-data.
And if none of that
made sense, don't worry,
we're going to talk
about it in a second.
But basically, you don't want a
general web server, which is a process,
runs on your computer like any other,
or on the server like any other.
You do not want that process to
be able to access anything else.
Only that small sliver of your server
should be accessible to that thing.
Alternatively, so that is
kind of the old mindset.
I guess I should have clarified that.
That is the mindset
of, I guess, the 2000s
and before is that you should
just kind of carve out this chunk,
and that's for the web server.
And anything that
accesses the web server
should only be able to touch there.
So thus the danger of a web shell.
A PHP web shell is
horrifyingly dangerous,
because it doesn't necessarily
only access that chunk.
However, there are other
paradigms that exist now.
So one of them is kind
of the container paradigm
or the Docker-styled
paradigm, which basically
says you should have your own
separate kind of containerized service
that is the web server.
So then even if they took
control over the whole thing,
you just shut it down,
spin up a new one.
Problem solved. I actually
really like that one.
I think it's super clean.
It's really easy to use.
The other one is you should have a web
server that has a dedicated web server.
Excuse me.
And what that means, and you
might be like, well yeah, duh.
And it sounds intuitive.
It's actually a little less
intuitive than it seems in
that that web server should
have almost nothing else on it.
No data, no images,
barely even its own code.
And it might not even
really have its own code.
There are some people who are really
modular about this where the code lives
somewhere else and the
server just looks at the code
and then kind of pulls it into
memory and runs it from there.
And so for some web servers, that's
actually a really good paradigm.
And so this paradigm means
that you have one device,
and all it does is web server stuff.
It's always funny when
something happens.
Did someone hack into Nick's computer?
I was going to say
no, but very possible.
I don't know.
Possibly.
If they did, they wouldn't see much.
If they want my
homework, they can do it.
COLTON OGDEN: This happened yesterday.
I might have to look at
the script to figure out--
NICK WONG: Oh, it could be [INAUDIBLE].
COLTON OGDEN: It's a Facebook thing.
NICK WONG: [? Killing ?]
every once in a while.
COLTON OGDEN: I'm gonna see
what's up with the live event.
I don't think the live event ended.
NICK WONG: Hopefully not.
COLTON OGDEN: No, the live event's
still going, so it wasn't that.
But it was a Facebook bug
it showed in the shell.
NICK WONG: Interesting.
Mortal Engines ad.
Love it.
All right, cool, so we are back.
COLTON OGDEN: [INAUDIBLE] says frozen.
Hopefully we're not frozen.
I don't think we are.
NICK WONG: Yeah, I think on the
livestream that you pulled up,
we were not frozen.
COLTON OGDEN: Yeah, that might have
been playing video back from before.
Let's just make sure.
It's going to play.
There you go.
OK, we're still going.
NICK WONG: Cool.
All right.
Sweet.
So yeah, you guys may have
gotten some advertisements.
You're welcome.
[LAUGHS] We planned that.
What I was told as a kid is if you
fall on your face, just be like,
I was just checking.
You're all good now.
Gravity is still good.
You're welcome.
COLTON OGDEN: There you go.
NICK WONG: My apologies.
Yeah, so yeah, we're all back hopefully.
A little bit ironic that we're talking
about web servers and one of ours
crashed, kind of.
But yeah.
So what we were talking
about was different ways
of kind of setting up a web server.
And the way that we're dealing
with is kind of the old style.
We're going to carve out a
chunk and have it do that.
It is a little bit of the
new style in that it's
going to be-- it's only
going to host a web server.
But it's not technically the new
style in that we didn't really
provision it that way.
So just as an FYI.
Cool.
We are technically serving web servers.
I think I can see all of your guys'
requests, which is kind of cool.
That's way more than the four
requests that I put there.
So yeah, your web server
will put up requests.
I can do Control C and kill that.
Cool.
And so our web server no longer works.
If you try to go back
to it, doesn't connect.
Which is good.
That's the idea.
Now, a lot of times this happens
in network administration.
You forget that you were
serving on a particular port.
And you actually need
to go back and do stuff
and then you change the
port and things like that.
It is also really important to, in EC2's
security group console, edit that rule
and either remove it
or disable it, whatever
you'd like to do, just so that
you don't leave extra ports open
when you don't think they're open.
I realize that it looked like
I was making a hand gesture,
and then my hand just went whoop.
That's just where this ends.
Cool.
So now 8000 is no longer an
accessible port to our stream.
Cool.
So now this one by default
will work eventually.
What we're going to do is we're going
to install some other stuff to go on.
If I tried to run this
Python script and that
was the only way I did web services,
you would hate me as a website.
It would suck.
Just having five people
on it would kill it.
Now, this server is not
super powerful anyway.
So even when I put kind of
production level things onto it,
it's not going to service
all of us very well.
But that's OK.
In concept, it is the right idea.
So with Python, actually Waitress is
a really common server that is used.
But in Ubuntu, when you have
full control over everything,
then we can design our own
little thing going on here.
And so what we're going to
build is called a LAMP stack.
We already have the L part of it.
That's Linux.
The A is Apache.
So we're going to do sudo apt-get.
Oops.
Install.
I add the dash y, because I know I
want to include it, and that's fine.
I don't really care about the size.
Apache 2.
So that is the actual web server itself.
Now, it's weird because we're going to
talk about this device as a web server
and other things as a web server, and
there's not much I can do about that.
We're also going to
grab I believe PHP 7.
I don't remember if they include the
dot 0, but it'll give me an error,
and I'll fix it.
So I'll put that at the end actually.
And that's the P. And
then M is the MySQL.
And I always forget the flags
that are required for this.
It's one combination of those.
Possibly.
COLTON OGDEN: Move this chat over
here so they can see what you typed.
NICK WONG: Oh, sorry.
There we go.
I have been reminded of what--
COLTON OGDEN: And it's a little
bit of something like that, right?
So MySQL Server.
Just MySQL Server.
Oh, MySQL Dev as well up above.
NICK WONG: I tried to grab dev.
Dev apparently doesn't exist.
I know it's like seven point something.
There we go.
I'll pull that command
back up after it runs.
I was like, you build enough
things that eventually
all of their weird little
numbers kind of combine together.
On some things, I want
the dash dev version.
On some things I want 7.2, point three.
Some things I just want 7.1.
Eventually it all blends together.
That's what Google is for.
But the intuition is the right idea.
So I know that I want Apache.
I know that I want MySQL.
I know that I want PHP.
And those are going to be the three kind
of essential back end parts to what's
going on in our web server.
COLTON OGDEN: [INAUDIBLE] smaller.
I'll shrink it down a little bit.
NICK WONG: It's funny, because that
chat window being in the screen
doesn't really help
you guys necessarily.
You guys are like, it's redundant.
But for people watching
later, it's super helpful.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Because otherwise
we're just talking to voices.
We could have just made up people
and then we're talking to them.
COLTON OGDEN: We'd be pretty
talented at it at this point.
NICK WONG: We're very good at it.
COLTON OGDEN: All the ones
that are complimenting us too.
NICK WONG: It's a weird arrogance.
We keep making up people.
Thank you for joining.
COLTON OGDEN: Nick is
such a talented hacker.
Talented white hat hacker.
NICK WONG: Yeah.
We would belong in an insane asylum.
I'm fairly certain.
So yeah, the command I ran was up here.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Yeah, you don't want
that going on down in history.
You become a politician,
they'll bring it up.
Just to kind of point it out,
iamakostik says, but you hate PHP.
And you're right, I still hate
it, but we're going to use it.
[LAUGHS] Because we're going
to build a WordPress website.
COLTON OGDEN: You love it or hate it.
NICK WONG: Yeah, I think people either
just adore it and that's all they do
or they abhor it and
they've never used it.
I'm kind of in the weird state where I
don't like it, but I have used it many,
many times.
I don't know.
I can't really get away from it.
So that's OK.
bhavik_knight also asks,
why do you use apt-get?
I think if you don't use
dash get, it still works.
You are correct.
There are a couple instances
where that is not true.
You can use apt without the
dash get with an install
to install just normal
binaries on your actual device.
So if you're on a graphic
version of Ubuntu,
then if you pull the
Google Chrome binary,
then you can install it using the
apt with no get and the install.
But apt-get is not
going to work for that.
And the reason for that
is basically the get
means that you're reaching
out to some sort of repository
somewhere or mirrors, actually,
and you're pulling stuff from them.
That's what it's supposed to mean.
There is a little bit of blending
between those two in that apt
will also do it if it
can't find it locally.
So just kind of things to know.
You can configure that all
over the place if you like.
But that's the kind of
standard idea of it.
COLTON OGDEN: [INAUDIBLE]
what if I don't know PHP well?
NICK WONG: Well, good for you.
We don't have to build anything in PHP.
We're just going to include it
because other stuff that we're
going to use later relies on it.
COLTON OGDEN: And what is it
that you like about WordPress
to choose to build a WordPress
website over options out of curiosity,
says twitchhelloworld.
NICK WONG: Twitchhelloworld,
that's a great question.
I actually don't really
like WordPress either.
So I say that I don't like these
things and you guys are like, well,
then why are we building them?
And that's a great question.
Very good intuition on it.
I do actually like
them as teaching tools.
They do a really good
job of showing you what
exactly is going on behind the scenes.
And they're just extremely
well established.
So people have used them for
almost decades in some cases,
and at least a decade in this case.
And so you have a bunch
of support and community
and things for what
we're trying to build.
The other reason is a little bit
more comical and a little less
of a really good reason in that
I don't have a whole lot of time.
And I forget how much time it takes to
walk through any one of these things.
And I mean, I'm not
particularly pressed for time.
I'm not concerned like, oh man, I
got to get through these things.
So I basically set a series of five
or so goals for any one livestream,
and we usually get through
around two to three.
And the goal for that
basically being is first goal,
can we get a WordPress--
or an AWS server up?
We got that one.
COLTON OGDEN: Goal established.
NICK WONG: Goal complete.
Second goal, can I show that a
simple Python script, a one liner,
can actually run a web server
that is really dangerous?
Got that one.
COLTON OGDEN: [INAUDIBLE].
NICK WONG: Yeah.
I don't think the really dangerous
was originally part of the goal,
but I'm just reemphasizing
that's dangerous.
Don't do it.
And so we've done that.
The third goal is to
build a WordPress website.
Now, if we get all the way through
that and my yammering doesn't--
I guess Colton and I's bantering doesn't
carry us over kind of our time limit,
then we will actually get
to the fourth goal, which
would be to build a Django
website and put that on here.
Because I think basically
what we're going for
is kind of simplicity
in learning to something
that works and is used in production.
It's a commercially built thing.
All the way over to something that
is commercial and super heavily
customizable and really
kind of new agey.
It feels very young and hip to use it.
And then if we get all the way
to the fifth one, the fifth goal
basically being can
we build and customize
a fully functional version of a CS50
[? piece ?] finance and put it online?
And that would just be
kind of a cool last goal.
It builds off of Django really well
in kind of you downgrade to Flask
and that's what we do.
So nothing against the Flask developers.
You guys did a great job.
It's just, I like Django is
kind of wrapping it all in one.
So there we go.
We have now covered the goals that
are set out in a Twitch livestream,
and we're going to see
how far we can get.
COLTON OGDEN: And also
WordPress is fairly--
you can get [INAUDIBLE].
NICK WONG: It does all sorts of things.
COLTON OGDEN: WordPress website.
NICK WONG: Yeah, there's all
sorts of jobs for WordPress people
like developing stuff
ranging from filling it
with content to customizing the whole
thing to maintaining it to securing it.
There's all sorts of reasons that you
might want to do stuff with WordPress.
WordPress is used by a bunch
of enterprise level people too.
Now I'm going to Google this,
because I don't want to be incorrect.
Major WordPress users.
I believe Fox News is
built on WordPress.
COLTON OGDEN: And also [INAUDIBLE],
Jesus Christ, that haircut [INAUDIBLE]
little bit.
NICK WONG: My haircut?
COLTON OGDEN: No, my hair.
Jimmy Neutron.
He's calling me Jimmy Neutron.
It is a little bit messed up today.
There's a little funkiness
going on on the side here.
NICK WONG: I like the sharpness to it.
It's very clean.
COLTON OGDEN: [INAUDIBLE]
It's a little bit screwed up,
but I did my best to make it work today.
NICK WONG: That's awesome.
Yeah, no, I am a big fan
of this clean cut haircut.
I'm actually going to get a haircut
soon to kind of match a little bit.
COLTON OGDEN: You did yours
similar to that recently.
NICK WONG: Yeah, where I had this down.
COLTON OGDEN: [INAUDIBLE]
and the shaved sides.
Yours comes down a little
bit, as opposed to mine.
It's kind of more vertical.
NICK WONG: Do you use product?
Not at all related to [INAUDIBLE].
That's OK.
COLTON OGDEN: [INAUDIBLE] We
talked about [INAUDIBLE] hairspray
and big sexy hair volumizers.
All this stuff.
[INAUDIBLE]
NICK WONG: Welcome to our stream.
COLTON OGDEN: Fashion tips from CS.
NICK WONG: Colton and Nick.
Yeah.
Oh man.
Yeah, and we do cover
CS from time to time.
We do get there eventually.
Yeah, so I don't know
why I clicked the link.
That was going to be much slower.
Yeah, there is a bunch of
actually major organizations.
If you haven't heard of any of these--
OK, I don't know why the official Star
Wars blog is a major organization.
But Bloomberg's on there.
BBC America, The New
Yorker, things like that.
TechCrunch is a great one.
So they all use WordPress.
And if you ever go
look at their websites,
you might have your own opinion on them,
but they are definitely well built,
and they're definitely major companies.
So WordPress is a totally valid
thing to build and get good at.
At least it will be for the
next, I'd say, two to five years.
And it teaches a bunch of practices
that you'll use later anyway.
Cool.
So we've installed all of
our stuff plus or minus.
I say plus or minus,
because have we really?
But we have technically installed stuff.
And so taking that
statement out of context,
I would criticize a
student for being so vague.
So if I run status all on my services--
and if you are a fan of using init.d,
stop.
But also if you're a fan of using
systemctl, things like that, totally fine.
I just use service as my
favorite command of choice
to check on what's going on.
And so we have Apache 2
running now, which is great.
It means that things are going.
I just looked up.
It's funny, because we
look up to make sure
that things are on the screen
where we intend them to be.
But every once in a while,
I kind of skim the chat.
And I saw that--
is that Salty Eric?
COLTON OGDEN: [INAUDIBLE] Wait,
this stream was about tech?
NICK WONG: Yeah.
Yes.
I hope that didn't shock you too much.
Cool.
And we get Apache 2's Ubuntu
default page, which is great.
And I say great because if we
didn't get that, we messed up.
It didn't work.
And I would be like,
well, debugging live.
COLTON OGDEN: Time to debug live.
NICK WONG: Never my favorite.
COLTON OGDEN: Always my favorite time.
NICK WONG: Oh man.
So they give you a little bit
about the directory structure
and a bunch of other stuff.
And you're like, cool.
If you read through all of that, and
I'm sure you're all pinging that now,
there's like stuff there
that's really cool.
But I happen to know /var/www/html
is where Ubuntu stores
web stuff by default. And so what we
can do here is we can [? LL ?] that,
and we have index.html.
If we cat index.html,
unsurprisingly, you're
going to get roughly the
page that you just saw.
So that's all really cool,
handy dandy, blah, blah, blah.
But we're also going to
copy over a PHP page.
And we're going to make sure that
it loads PHP home pages as opposed
to HTML home pages first.
So let's go into /etc/apache2.
COLTON OGDEN: And also
Madkingvala, thanks for following.
And mosman.
I think got mosman820.
But if I didn't.
NICK WONG: I love that it has the
little-- did you pull that sprite?
COLTON OGDEN: It's one
of the default theme,
like the widget themes you
can get through the alert box.
And we just integrated
the alert box last week.
It's super cool.
It has a lot of cool stuff.
NICK WONG: That's kind of awesome.
Because I saw that and I
was like, yeah, that's cute.
COLTON OGDEN: Context.
Context is everything.
NICK WONG: Context is everything.
If you read through these
confs, this can tell you
all sorts of things about how you
define where certain users can go.
And it's a really useful file.
I'm just not going to
touch it a whole lot.
We will edit something in
it somewhere, because I
believe we need an option
for WordPress in particular.
I'll have to check
Google out to check it.
But what we are going to
test is in mods-enabled.
Oh, and they might have moved this.
It might not be in mods-enabled anymore.
I think it's under
[? DirConf. ?] There we are.
Love it.
I think these are symlinks.
So unwritable.
Yeah, you're right.
COLTON OGDEN: Colton, when will we
do the part two of Space Invaders?
Probably next week.
This week is going to be a bit busy
with the hackathon going on Thursday.
We have another stream tomorrow.
So Thursday and Friday
and in the weekend.
So probably not this week, but
probably next week, most likely.
Is Windows dead?
NICK WONG: Is Windows dead.
No, certainly not.
All sorts of enterprise level
things are built on Windows.
And I used to be one of those people who
thought it was just really cool to mess
with Windows.
But they built all sorts of--
OK, I should really
remember the name of that.
Built all sorts of just
awesome things and are
responsible for a lot of the world.
Why is that not writable?
Sudo write.
So to answer your
question about Windows,
no they are not dead in the
sense that they are still
responsible for a lot of major
enterprise structure in the world.
However, in tech right now, it
is really cool to rag on Windows.
And I mean, I don't blame them.
I don't like their interface.
I don't really like the way
that their shell is built.
I don't like the way
that their kernel works.
I don't like a lot of
things about Windows.
However, because they are used in all
sorts of enterprise level solutions
and things, and if you're doing
something on a big finance network's IT
department, you really should understand
how to set up a domain controller,
how do you deal with having
certain people on your domain
versus not on a domain, how do
you deal with the different kind
of hierarchical structures for a
Windows, like a proper Windows domain?
How do you build all of that?
It scales really, really well.
And so if you're at a
school system-- there's
a reason that schools use
Windows for almost everything.
I think Harvard uses kind of this
weird blend of Windows and Mac.
Yeah, Apple Computer.
But they do generally have the kind of
Windows configuration for the domain
setup.
And the reason for that is
it scales brilliantly well.
It was built brilliantly well
for enterprise solutions.
So as an individual
user, I don't like it.
I would never use it.
Well, I would never use it.
I use it for some things like gaming.
But other than that, I
don't really touch it.
But if I was building a business,
I would probably avoid Apple.
They're not super cost effective,
and I can scale a Windows machine.
There's already services
and tutorials and community
built around scaling Windows machines
to enterprise level solutions
on the order of thousands of employees.
So as a business owner,
as a young business owner,
and I would say the caveat
being an inexperienced business
owner and non-business
owner, it would seem to me
that that would be a
really obvious solution.
And the reason that I think that's
super important is Windows machines,
a lot of viruses and things
are still written for Windows.
People used to think, oh,
well, a Mac is unhackable.
That's not true.
That's just because why would
I hack Johnny Appleseed when
I could go hack JP Morgan?
And they're built on Windows
and you're running a Mac.
So that's kind of one
of the main reasons
that a lot of viruses and malware
is written for Windows machines
in particular.
Also a lot of hospitals
trying to be cost effective,
they did the same set of choices.
So they are also on Windows.
And hospitals are an awful and kind
of unfortunately somewhat frequent
attack target for ransomware attacks,
because they have such a high priority
on their tech working all the time.
COLTON OGDEN: And [INAUDIBLE]
thank you very much for following.
NICK WONG: Yeah, we appreciate it.
COLTON OGDEN: Hello.
See you in the chat there.
Windows is the WordPress
operating systems.
[INAUDIBLE] And is this the real
life or is this just fantasy?
With the Queen references from Imran.
Imran Ahmedh, I'm not sure what
that's in reference to again.
What's the time limit again?
I don't know if he's
referring to the stream,
but generally we go for about two hours.
NICK WONG: Two hours or so.
Yeah.
At some point, I like to eat dinner.
Which is roughly the
marking limit there.
COLTON OGDEN: I went
for hours yesterday.
That was the longest one that I've done.
Because Space Invader is kind of long.
NICK WONG: Yeah.
That's a very long stream.
COLTON OGDEN: We wanted to end
on a relatively robust note,
so we [INAUDIBLE].
NICK WONG: I mean, if we were--
maybe if we do a livestream during
reading period or right after all
my finals, I could go for a long time.
COLTON OGDEN: Like a hacking
tutorial [INAUDIBLE].
NICK WONG: Yeah, or if we came
in and played games or something.
COLTON OGDEN: That could be [INAUDIBLE].
NICK WONG: What do you think about it?
OK, so what we did here was this is
an Apache specific web server conf.
But the LAMP stack is one of the
most common and prolific stacks
across the internet.
So we're going to talk
about it somewhat in depth.
So we basically just
said that when you're
looking for the index page,
what do you serve up by default?
Look for index.php first,
then look for index.html.
And originally index.html
is the first one,
and then it goes CGI, PL, and then PHP.
I don't know the reason
for making that choice,
but it is a choice that was made.
So we have now flipped those
two so that it will now
serve PHP by default instead of HTML.
Now, if we wanted to test that, and
this is where you will get to see my--
oh no-- terrible typing and lack
of knowledge of PHP all in one
go, actually.
Oh, this is a root-owned directory.
Index.php.
You will get to see my complete lack
of knowledge on what PHP actually does.
Well, how to actually properly use PHP.
I don't know if you wrap that in tag.
We'll find out.
That looks roughly correct to me.
COLTON OGDEN: It's been a
while since I've done PHP,
but I think that is correct.
NICK WONG: I hope it's
roughly [INAUDIBLE].
COLTON OGDEN: We'll find it.
NICK WONG: Oh no.
OK, well, [INAUDIBLE].
Oh, wait, also I always forget this.
[INAUDIBLE] see that live.
We should restart the server to
make those changes take effect.
And when we pull this, we get nothing.
I don't remember the
PHP info page syntax.
That's OK.
We will Google that really quick to--
actually, we can just PHP info page.
phpinfo.php page.
Thank you.
Oh, it's literally phpinfo,
not php.info.
I was so close.
COLTON OGDEN: That makes sense.
OK.
NICK WONG: That makes a lot of sense.
I'm going to just double check the
rest of my-- oh yeah, so close.
COLTON OGDEN: Yeah, they
have a very functional--
NICK WONG: Very, very
functional paradigm.
COLTON OGDEN: Yeah, API.
NICK WONG: I was thinking about
object oriented programming.
COLTON OGDEN: You should say
procedural, not functional.
NICK WONG: Yeah.
There we go.
Beautiful.
Love PHP.
I don't.
I really dislike it.
[LAUGHS] Cool, so we have
now validated to ourselves.
COLTON OGDEN: It's a
very opinionated stream.
NICK WONG: Yes.
We're getting close to politics.
Hair.
There's some Jimmy Neutron coming out.
We're really going for it here.
And I hate PHP.
There's some developer of PHP that
might come across this one day
and just be like, really, man?
Why?
COLTON OGDEN: Teardrops
into the keyboard.
NICK WONG: Or he's probably more
realistically like, well, you
don't understand anything.
And it's like, yes, I don't understand
a lot about it, and here we are.
So I have both index.html and
index.php in the same directory,
and yet we're serving the PHP
one, which means we're good.
We have configured Apache correctly
to host our WordPress stuff.
Now, the next thing we
need to really configure
is a MySQL database
to fit with WordPress.
Now, I will, I guess, perpetually
forget how to do this properly.
So that's lovely.
I don't actually know if that starts
up by default. Let's double check that.
Any time you can't connect
to something but you
feel like you should be able to.
Oh, of course it's up.
Awesome.
I believe it's something like this.
Dash P might be good.
Except I never set up a password.
Hm.
That is a great question.
You know what we're going to do?
We're going to-- oh, apparently
you can't exit out of that.
We're going to sudo access that
and see what happens there.
Boom, MySQL.
[INAUDIBLE]
COLTON OGDEN: Fantastic.
NICK WONG: That was terrifying.
Cool.
So I don't remember the exact syntax
for what I'm going to try and do.
So what we're going to do is pull up the
WordPress tutorial LAMP stack Ubuntu.
I like to just throw a
bunch of keywords at Google
and see how good it is at filling it.
And it's really surprisingly good.
I throw in all sorts of random crap.
COLTON OGDEN: If you
write the right keywords,
you might even get a job offer.
NICK WONG: That's crazy.
I've never thought of that.
COLTON OGDEN: Have you seen that?
NICK WONG: Oh, right.
Yes, no, I know exactly
what you're talking about.
That is a very good point.
COLTON OGDEN: I haven't gotten
lucky enough to get that.
NICK WONG: I have not.
COLTON OGDEN: I've tried.
No, I'm just kidding.
NICK WONG: If you type in
a high enough prime number,
I think, you can get Google to--
don't quote me on that.
There is something where
you can kind of keep
doing enough mathy things that
eventually Google's like, hey, send
us your resume.
Or you get a coding challenge and
there's like six levels or something.
COLTON OGDEN: That's true.
I saw the coding challenge part.
NICK WONG: Yeah, that's kind of cool.
COLTON OGDEN: I thought that was a cool
way to seek out potential employees.
NICK WONG: Gotta love, I mean,
when you control the search engine,
you might as well.
All right, so what we did here was we
created the database called WordPress.
Shocking.
And we then said some stuff
about its character stuff.
We're going to create a user.
Now, they highlight very nicely
of them in red, I think, or green.
May highlight for you not
to leave those by default.
We're going to type this in
plain text, and you're all
going to see this and possibly
hack my WordPress website.
If I were 12 years old, that
would make me really upset.
COLTON OGDEN: Speaking of 12,
actually, who was it? mosman20.
Where's the message at?
NICK WONG: Oh, right there.
COLTON OGDEN: It says,
I'm 12 and I'd like
to learn more about internet security.
NICK WONG: That is awesome.
COLTON OGDEN: I still
don't understand how you
installed Apache server on a server.
NICK WONG: Right.
So that is a great question.
Apache is actually
just a set of processes
that we call a server,
which is kind of strange,
because we call the hardware
system that it's on also a server.
It's one of those things where
you're actually using the same term
to describe two very different things.
So I could actually run a bunch of
different servers on one hardware
device, one hardware
server or machine or box
is another term frequently used for it.
And so what that basically
means is I can run--
I mean, the only limiting
caveat is which ports go where.
So I can only have one service attached
to or bound to port 80 at a time.
With a caveat.
But generally speaking, that's true.
So what ends up happening
here is I could actually
run NGINX server and an Apache
server and a Django server all
in the same box, totally fine.
Assuming you have the resources for it.
And I could just have them
listed on different ports.
I could have my Apache
server on port 80.
I could have my NGINX server on 443.
And I could have my Django
server only listening to--
maybe it's a mail server?
I don't know why we built
it in Django, but sure.
We built it in Django, and
it only listens on port 21.
So totally valid, and it definitely
causes some sort of confusion
with what's going on as
far as terminology goes.
So great question.
COLTON OGDEN: JPGuy,
thank you for joining us.
Hey, everyone, how are you doing?
And [? Asley ?] was saying that she
was upset about his betrayal over--
they were talking about
choosing the spaceship,
and I think he betrayed [INAUDIBLE].
NICK WONG: That's rough.
That's real rough.
COLTON OGDEN: Offering pineapple
pizza as a crime to humanity.
I don't know, but Dan
[? Coffey ?] would disagree.
Dan [? Coffey ?] is a huge
fan of pineapple on pizza.
Pepperoni pineapple.
NICK WONG: I am also a huge fan.
COLTON OGDEN: Yeah?
I think it's good.
A little sweet and
savory mixed together.
NICK WONG: I like that.
I'm a big fan.
COLTON OGDEN: For refined
palates only, right?
NICK WONG: Yeah, that's true.
You gotta be fashionable.
COLTON OGDEN: Is there a way I can
include a binary into my security?
NICK WONG: I'm not entirely
sure what you mean by that.
Yes and no.
It depends on what exactly you mean.
So if you wouldn't mind specifying,
then we can clarify that for you.
COLTON OGDEN: Not the installation
part says jabkochason.
NICK WONG: I think talking about how
you install the server on a server.
That'd be my guess.
COLTON OGDEN: Oh yeah, that might be it.
I think I'm gonna stick
with Namecheap for now.
This AWS seems too
difficult, says iamakostik.
NICK WONG: Right.
So it does require that you go in and
build some actual parts to the server
yourself.
So if you want to use some sort
of actual hosting, AWS I believe
does have hosting services.
We're kind of just dealing with the low
level hosting where we build all of it.
But yeah, you're totally welcome to
use whatever you're comfortable with.
This gives you a lot more power and
control over what you actually build.
COLTON OGDEN: Yeah, I think for
a lot of people making a blog
or something, something very simple--
NICK WONG: Yeah, probably unnecessary.
COLTON OGDEN: --like Namecheap.
But this would be like
if you're building
a business that has a bunch of
services and other stuff like that.
A lot more complicated.
CS50, for example, uses AWS
for all of its online services.
Well, not everything.
GitHub pages we do use for--
NICK WONG: Right, for some
like our docs, I think.
COLTON OGDEN: Some of our more
static documentation and websites.
Like the course website that you
and I did, that was a GitHub page.
But yeah, definitely for
more sophisticated, I think,
business [INAUDIBLE].
Food is the only subject
we haven't covered yet.
That's true.
NICK WONG: Wow, yeah.
COLTON OGDEN: Covered literally
everything else [INAUDIBLE].
NICK WONG: Yeah, we've
hit at least [INAUDIBLE].
Wow, we are the sum total [INAUDIBLE].
There we go.
Now people really think we're crazy.
COLTON OGDEN: What you learn
at Harvard Business School
and what you don't learn
at Harvard Business School.
NICK WONG: I love that.
I love when they put them next
to each other and they're like,
this is everything.
This is it.
COLTON OGDEN: Literally
everything in the world.
I can't watch the stream anymore,
says JP, because we [INAUDIBLE].
NICK WONG: Ah, pineapple pizza.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Losing subscribers.
COLTON OGDEN: AWS S3 is
good for something simple.
NICK WONG: So AWS S3 is
their storage buckets.
It is really useful if you want
to store static assets somewhere.
So let's say you want to combine the
power of Heroku and the power of AWS.
Then maybe what you would do is,
let's say, I built a Django server.
I'm hosting it on Heroku, and
I want all of my static assets
to not be running from
the Heroku server.
Heroku is not actually
really built that well
for throwing static
assets back out to you.
Let's say you're rebuilding Flickr.
So you're displaying
pictures all over the place.
Then it's actually really
problematic for Heroku
to try and serve each of those images to
your users, especially if you scale up
and maybe you become a
little bit more popular.
Then that becomes really difficult.
Whereas AWS, they're a workhorse.
They are really well optimized
for just delivering content
no matter where you are in the world.
And that's a really cool
infrastructure to be able to leverage.
And S3 does exactly that.
So if I wanted to-- it basically serves
as a content delivery network or CDN.
And if I wanted to take
some sort of images
and just store them on
my bucket, my S3 bucket,
then I can have a Heroku website that
just pulls from that bucket anytime
I want content delivered to some user.
And that's a really great thing to use.
COLTON OGDEN: Alexmlw
and [? NeonZenKnight, ?]
thank you very much, both of you.
NICK WONG: We appreciate that.
COLTON OGDEN: Mosman says, I have
practiced HTML5 for a long time.
Can I use my computer security?
NICK WONG: And then it
is pointed out by Jacob--
oh, how did you say it?
COLTON OGDEN: I'm not sure.
I think it's-- yesterday
we talked in the chat.
His name is J like Java.
I'm not sure if it's "kochasen" or
"kochosan" or any possible permutation
of syllables.
NICK WONG: We'll get your
name right eventually.
COLTON OGDEN: Jabkochason says
HTML is a markup language.
NICK WONG: Yes, HTML
is a markup language.
However, it does have some
implications for security,
especially when dealing
with browser security.
So HTML5 is really nice.
It has all sorts of things dealing
with caching and whether or not
certain scripted attacks
actually really work well or not.
It also deals in how it interacts
with the browser itself.
So there are certain
practices that Safari
has that they deal with HTML5
better than they do with just HTML.
Actually, I think in
general, browsers are
going to handle HTML5's
practices better than HTML.
A lot of it deals with caching and
whether or not certain things are
stored and where they're stored.
So it is a markup language.
But basically anything that is
delivered along the pipeline from you
to your client does have
some impact in security.
And it is something
that the more of that
you overlook, the more
opportunities, basically,
the bigger the attack surfaces.
So the less of it you overlook,
the smaller the attack surfaces.
Well, in concept.
And then noonboard.
Yeah.
Yeah, noonboard or nonboard says S3
can be used to work with big data.
They have scripts to
help you manage data.
Yeah.
AWS, they go the full 10 yards when
it comes to managing data with you
or for you.
For you scares me.
I don't want people touching
my data unless I ask them to.
But AWS does a really good job of
providing you with a bunch of tools
to deal with your data as it comes in,
how it's dealt with, how it goes out,
latency things like that.
They give you all sorts
of metrics and things.
They probably give you way too
many things for the average user.
But it is certainly better to
have that than too few things.
So yeah, they do all
sorts of great things.
Cool.
So we are granting in the web
server that we are building,
in the WordPress website we are
building, we are granting all.
So grant all permissions for
read write and there's probably
a couple other operations you
can do on WordPress dot star.
So WordPress is the database.
Dot star means all tables
within that WordPress database.
And we're giving them to the user
admin at local host identified by--
cool, my character stopped--
oh, that was nifty.
We're going to bring
all our characters back.
Look at that.
COLTON OGDEN: Advanced Linux.
NICK WONG: The best Linux
command you'll ever see
is the left arrow key
and the right arrow key.
Identified by a password, which
you can all see, which is great.
COLTON OGDEN: Invisible ink.
NICK WONG: Yeah, that was kind of cool.
I wish I could control that.
Maybe you can.
So we have now done.
COLTON OGDEN: [INAUDIBLE] password.
NICK WONG: Yeah.
That would be perfect.
There's all sorts of ways to
put in passwords in hidden text.
I'm just not using them and
I don't know if WordPress
or if MySQL does them by default.
Obviously it doesn't need to.
So we've now created the database
and we have created a user.
Well, I don't know if we created a user.
We might want to create a user.
No, we're good.
So we have now also created a
user for what's going on here.
And we have a database.
We have stuff behind here.
We're all good.
So now what we're going to do is flush--
oh, there's-- man, I always forget
how to spell is another one.
Cool.
That worked.
And then we're going to quit.
So we have now left
MySQL to its own devices.
And we're going to move on.
We now basically just
have to grab WordPress.
We don't actually have it on our site.
So now, I know in that
digital ocean blog,
they recommend doing something
different than what I'm about to do.
But we're going to do it this
way, because it works the same,
and the security concerns
that they're dealing with
or kind of the modularity they're
dealing with is not necessary.
And I actually argue this being a little
bit cleaner as far as where you go.
Oh, right, there's a
million PHP extensions
that you can grab for WordPress.
And we'll grab them in the background.
I always forget about
them, and they're not
all useful at all times,
which is the annoying part.
And I don't remember if you append this.
Oh, OK, that works.
So we're going to do this.
I don't actually know.
We're going to find out
what this does on its own.
And we'll see.
So while that's installing, we're
going to go to WordPress's website.
And we're going to grab WordPress.
That's shockingly what we need to do.
So WordPress does this
really cool thing where
they call it their 15 second install.
Or maybe it's their five minute install.
It's this very short time frame, and
they intend it to be really impressive.
I don't know I typed in there.
I could have typed elsewhere.
That's fine.
So let's go to wordpress.com.
And we're going to go to--
they also let you host through
them too, which is cool.
But we want to download.
Maybe they put that under developers.
Howdy, developers.
Cool.
COLTON OGDEN: Howdy, developers.
NICK WONG: Yeah, all two of us.
COLTON OGDEN: Imran says,
who's your girlfriend?
Leave the relations to the databases.
NICK WONG: Love that.
I don't know exactly where they
put their actual code base.
OK, wait.
We can just do WordPress.
Gotta love the power of Google.
WordPress download.
COLTON OGDEN: I think he's saying
his name is pronounced jabkochason.
He or she.
I think that's a male name.
Jabkochason.
I think that's how you're
supposed to say it.
NICK WONG: OK.
Good to know.
Thank you.
Yeah, we always try to
get your usernames right.
I do a noticeably worse
job compared to Colton.
Colton gets them pretty well.
COLTON OGDEN: I try.
I do a lot of practice over 18 episodes.
[INAUDIBLE]
NICK WONG: That's awesome.
So we're going to copy the link to that.
If you're like, wait, why
didn't you just download it?
It's because it wouldn't have worked.
Oh, right, they use the latest tar.gz.
That's one of the greatest
practices ever, by the way,
is you just keep the URL the same
and you just update underneath.
That's super helpful,
because then they don't
have to update to pull the
newest one, which is really cool.
So we now have that tar.gz in here.
So we can do tar.
I think there's a
bunch of other commands
that would have also worked
here, but we're going to do that.
And that's going to unpack it for us.
If you didn't see that command--
I always forget the flags to this.
Well, I know them by memory now.
COLTON OGDEN: xvzf, yeah.
NICK WONG: Yeah, xvzf.
X for extract, V is for
verbose, I don't remember
what Z is, and F I also don't remember.
So they do things.
There's letters.
Hey, yeah, couldn't have
said it better myself.
So then we can go into WordPress, and
we have a whole WordPress directory
structure in here, which is great.
So what we can do is--
and if you were being
pretty cyber conscious,
then what you can actually
do is say check the--
I was saying something, and I completely
forgot what I was saying as I said it.
COLTON OGDEN: I know how that feels.
[INAUDIBLE]
NICK WONG: Ah, there we go.
You can check the hash.
So generally speaking, if you're
downloading some sort of major package
from some sort of repository
or website, they'll
give you a hash to kind
of guarantee or make
you feel slightly more
secure about the fact
that you got what they
intended you to get.
Now, that relies on them
having not been hacked,
which means that it only
really truly protects
against man in the middle attacks.
And what I mean by that is the
only way that that's actually
a secure way of validating
what you've got handed
is if the attacker is in between you
and the person, the provider, CDN.
Because if they got control of your
CDN, they could change the product
and then rewrite the hash,
redisplay a new hash to you,
and you would confirm the
product with the malware in it,
and you'd have no way of checking that.
So we now have an entire
WordPress directory.
And what we're going to do
is copy dash R WordPress
and all of its delightful contents.
And what we're going to do.
That's var www HTML slash dot.
And we're going to just
throw that all in there.
Of course we can't, because
that requires sudo access.
Cool.
And then we're going to cd var www HTML.
Now, we're going to do some
interesting things here.
We're gonna chown dash R. I always
forget how exactly chown works.
Oh, wow, that was dumb.
In my head, I was like,
man, chown and then
I just typed man and
expected it to work.
So we're gonna chown R,
change the ownership of.
www dash data.
www dash data.
Oh, that's not gonna work,
because that's not a good user.
Man, I always forget how this works.
Give me one sec to look up chown.
Doo, doo, doo, doo.
Owner group file.
Cool.
So we're going to chown dash R 755 w--
or sorry, Ubuntu.
And the group www dash data dot.
That sounds right.
Oh, and we have to use sudo to do that,
because it's currently owned by us.
COLTON OGDEN: Abblepi,
thank you for following.
Hope I didn't miss any of them.
NICK WONG: I don't exactly
understand why that didn't work.
My apologies.
There's only so many commands
I can keep in my head.
So chown directory syntax.
We'll find out.
Gotta love that.
That looks roughly right.
Oh, right, I'm a dummy.
I was mixing two commands.
So yeah, you don't
actually need to change--
yeah, we were trying to do
something real weird with that.
That worked.
There we go.
So what we were originally
trying to do was mix chmod,
which changes the modification
and chown, which is something
that you do when you have not slept a
whole lot in the past couple of days.
So there you go.
Live study in how that works.
So now if we do ll, we
can see that these are all
owned by the user Ubuntu and www dash
data, which is kind of just the data
group for the worldwide web.
Cool.
So something that has been pointed
out a little bit earlier, and I
kind of ignored it by accident, was
by twitchhelloworld, which said,
I thought you said in an
earlier stream it is better
to avoid using sudo to gain access
and instead rather to access directly.
Though said you do actually access
using sudo a lot in practice.
Yes.
So what I'm doing here is
I am saying, basically,
don't do this and stay as root.
That means that you're going to
basically just have full control
and nothing will ever stop you.
No one will even really
ask, which is terrible.
Keep yourself in some sort
of sudo accessible user.
Now, what I also advise against
is just arbitrarily typing sudo.
The reason I'm using sudo here
is because we are actually
trying to access the root permissions.
Excuse me.
Because originally, this
directory was owned by root.
So the only user who should really
be able to modify it is root.
And so sudo gives me access
to root, and then I'm
going to do something to
what root actually owns.
And so I'm kind of doing by explicitly
doing it that way is I'm saying,
I acknowledge this is owned by root.
I'm going to kind of temporarily
run a command as root,
and that should all be congruent.
I'm running commands owned by the
same person who owns this directory.
So yes, generally, as a rule
of thumb, if you're using sudo,
you should think in your
head, why am I using sudo?
That is a great question
and a good intuition
that I would never get rid of.
Keep that.
It'll prevent you from running
kind of willy nilly commands.
COLTON OGDEN:
[? Ahmed Osman ?] said, can we
make a stream about building
multitenant architecture, which
is the base for SaaS applications?
NICK WONG: I guess we probably could.
I don't know enough about them,
I don't think, to do a stream.
But we could find someone who does.
COLTON OGDEN: We'd have to
find somebody that could do it.
NICK WONG: Or we could educate
ourselves on it and then do it.
COLTON OGDEN: True, true.
Over the winter break.
NICK WONG: Yeah, that could
be a winter break project.
There's all sorts of things that
are on my winter break docket.
Cool.
And do we have any other
comments that we are missing?
COLTON OGDEN: They're talking
about name pronunciations.
So jabkochason is talking about
how there's no this letter.
I'm not exactly sure
what that translates to.
And Jab, if you wouldn't
mind tossing where
you're from again in the chat,
if you haven't done that already.
I don't recall offhand.
JPGuy says his native tongue is Dutch.
So I'm guessing he's from
the Netherlands, then.
Correct me if I'm wrong.
I apologize, JP, if I'm incorrect.
And seeing you guys have to Google
syntax makes me feel so much better.
NICK WONG: Oh yeah.
Oh, we can do that more if you'd like.
I mean, sometimes I'm just
guessing long intuitions
and hoping that I'm roughly correct.
I mean, syntax is
generally something that I
think in a really kind of
serious way, you shouldn't really
spend too much time memorizing.
I mean, a lot of this I've
memorized just by doing it enough.
But I would recommend not memorizing it.
It's not worth your time.
The only times that I guess
it might be time valuable
are if you, in a job
environment or work environment,
are typing kind of the same set or
set of parameters or set of codes
over and over again.
Then you don't want to have
to Google it every single day.
That'd be kind of ridiculous.
But you'll memorize it by kind of
just doing it over and over again.
I mean, that's how I
generally memorize these.
I would generally say,
generally speaking,
I would usually say that you shouldn't
just sit down and memorize syntax
for the sake of memorizing syntax.
It is very rare that that is useful.
There are some languages,
some functional languages,
that do help you teach and
understand certain paradigms
and things about programming
as kind of a meta concept.
But other than that, I
would generally advocate
against memorizing just syntax.
I would usually try and motivate
it through some sort of project.
Do a couple of those
kinds of projects if you
want to really get that syntax down.
But otherwise, it's not
necessarily super useful.
And Googling syntax is now
a tool available to us.
COLTON OGDEN: Super easy, yeah.
NICK WONG: Why not?
COLTON OGDEN: [INAUDIBLE]
was like 20 years ago.
NICK WONG: Yeah.
Before Google existed,
it would definitely
be very difficult to Google things.
COLTON OGDEN: Books.
NICK WONG: Oh my god.
I can't imagine trying to
just use a book for syntax.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Yeah, that would have hurt.
I have a lot of respect
for the people who
were doing that and who were
writing full programs in assembly.
That terrifies me.
Awesome.
There's some other stuff.
Isn't it useful in C, since the
language is so small and so technical?
I thought maybe Python too, since it
seems like it will be used so often.
This is asked by twitchhelloworld.
So in any language, it is useful to
know syntax off the back of your hand.
Or off the top of your head.
Sorry.
Because it's going to
make you code faster.
However, it has been pointed out
by experienced developers to myself
and just kind of through my
own experience, coding faster
does not always mean
you're coding better.
Frequently people are coding really
quickly and they write a bunch of code
and they write thousands of lines
of code, and then you look at it,
and you ask them, well,
where are your unit tests?
How have you sat down
and debugged each part?
And they might tell
you, oh, I haven't yet.
"Haven't yet" is a very scary term in
CS when you are building an
enterprise-level project.
Because how do I know that when
you add that into our code base
you don't crash the whole thing?
Now, hopefully we have continuous
integration tests and things like that.
But in general, I would be very, very
careful about how that actually works.
COLTON OGDEN: And thank you to
[? WizAt23 ?] for the follow as well.
Make sure I got that name correct.
And then we have a couple
of other questions.
[INAUDIBLE] future streams list.
That would be interesting,
because [INAUDIBLE] multitenant
architecture most of debates.
I'll have to take a look
and find somebody, probably.
I don't know if realistically we'll
have time necessarily over the break
to look at that specifically.
But if I know anybody
that knows about that,
definitely we can take a look at that.
For security, you should have the
web directory of your new WordPress
in your user folder and
then deal with permissions,
then use virtual directories and Apache
rules to override some permissions.
NICK WONG: Yes.
I thoroughly agree with that.
Also, you should certainly
configure permissions
before you move stuff into a directory
that's accessible to the web.
And the reason for that being that while
it was in kind of this weird permission
state, there might be something that
they could take advantage of there.
Now, in this case, I showed a
private SSH key on the screen.
I don't know how concerned we are with
really strict practices on security,
but that is a really good point
that you don't want anything
to be available to the public
until you are positive that it
is ready for the public.
COLTON OGDEN: That'll
be for the next stream.
NICK WONG: Yeah, we will talk about
it very rigorous-- well, much more
rigorously in the cyber security stream.
COLTON OGDEN: Which functional
programming language should I
learn first?
[INAUDIBLE] comfortable JavaScript,
least comfortable plus learning Java.
NICK WONG: Right.
So Java is another object
oriented programming language,
and a very good one to know, at that.
I would count it as kind of--
well, actually, I don't want to say
that, because it will upset everybody.
So yes, functional programming
languages are worth learning.
However, I mean, imagine
asking the same question
but with object oriented
programming languages.
Which one should I learn first?
Some people will say Java.
Some will say C#.
Some will say C++.
Some will say Python.
COLTON OGDEN: C# for life, boy.
NICK WONG: C# for life.
Love that.
I actually don't develop too much in C#.
I do love C++.
And they have enough similarities
that they're similar-ish.
I don't mind transitioning
from one to the other.
Functional programming languages.
The first one I learned
was OCaml, actually.
But I am a huge fan of Clojure.
I think it's really well done.
So as long as you're
focusing on the paradigm
and why functional paradigms
can be really, really useful,
I think you're fine.
I think you might want to also
add in a practicality aspect to it
where OCaml's not used
necessarily all that often.
Whereas something like
Clojure, we'll probably
be seeing more and more use cases
from that, especially because it can
[INAUDIBLE] to JavaScript.
So it's pretty portable.
Things like that are really
important to a lot of people.
There's all sorts of languages.
I mean, F# is also functional, but I
don't know if many people are using it,
necessarily.
There's all sorts of reasons that
you might use any one functional
programming language.
But I think as long as you're focusing
on the paradigm, that'll help.
And technically, you could do some form
of functional programming in a Java
or in even you could technically
do it in any language.
Just whether or not they have kind of
the syntactical sugar tools for it,
that depends a lot on the language.
COLTON OGDEN: C++ even has
lambda expressions now.
NICK WONG: Right.
Yeah.
That's crazy.
And Python has a beautiful
lambda expression syntax.
So yeah, you could do it in
pretty much any language, I think.
COLTON OGDEN: Clojure
would be a cool stream.
I would love to do a Clojure stream.
NICK WONG: That'd be sweet.
COLTON OGDEN: I would need to deep
dive a little bit deeper into it.
NICK WONG: Yeah, same.
I think it'd be fun.
And it's come up a couple
of times now, I think.
[INAUDIBLE]
COLTON OGDEN: I think
our fate is being drawn.
NICK WONG: We're going to Clojure.
Excellent.
COLTON OGDEN: Jabkochason,
thank you for coming.
[INAUDIBLE]
NICK WONG: Ah yes, I appreciate it.
COLTON OGDEN: How many more
streams will you guys do?
Well, you and I are probably
going to do quite a few more.
NICK WONG: Quite a few, yeah.
Just kind of keep going.
COLTON OGDEN: [INAUDIBLE] We got one
next week on C. You're doing one on C.
And then after the winter break, to
someone else's question, which was--
who asked that question?
[INAUDIBLE] Winter break starts
on the 12th for us, for me.
NICK WONG: I think for me it's the 20th.
COLTON OGDEN: Oh, OK.
And then we'll be back
for the second of January.
And then that week we'll probably
stream on the third and the fourth.
So we'll have a couple of
weeks of a break in the winter
while we get CS50 on
edX going for next year.
And then we're back.
We'll be back at full capacity.
But yeah, definitely
tune in at that point.
And they're saying, you can do
functional programming in Java.
It's ugly, but you can do it.
[INAUDIBLE] I definitely have seen that.
Functional programming from
[INAUDIBLE] practical application.
NICK WONG: Right.
So I guess as far as
learning new syntaxes,
eventually you should be at a
point where learning new syntax
isn't too bad.
I mean, learning new syntax
to the point of being a master
at that programming language I
would argue is very difficult.
But learning new syntax to
where you're comfortable enough
to code up something simple,
that shouldn't be too bad.
I think that requires a
couple hours of learning.
COLTON OGDEN: The basics like map
filter reduce can all be learned.
You can learn that in
Python and JavaScript.
You don't have to go too crazy
and go to a functional language
to understand what those are.
NICK WONG: Yeah, exactly.
And those are, I think a lot of it.
Right?
If you understand that,
tail left, tail right,
you're pretty set as far as a lot
of functional programming things go.
It's then just can you start to see
a lot of the applications for it?
Can you start to see how
it applies to algorithms?
So take a common algorithm
and do it in a functional
way instead of the object oriented way.
And actually being pure about this.
COLTON OGDEN: That's the hardest part
is taking your procedural and object
oriented instincts and
transferring that into the world
of functional programming.
NICK WONG: Put it into functional.
COLTON OGDEN: That's the hard part.
NICK WONG: That can be pretty hard.
COLTON OGDEN: And that's
where it actually--
NICK WONG: I think that's
the first piece, then,
for our functional
programming course here
is literally take a bunch
of stuff you've already done
and do it functionally.
And it's a hard struggle.
People are like, oh God, this hurts.
It's just not something you're used to.
And there's a lot of
things where you're like,
this would be so convenient
in object oriented.
All right, so we are almost
there on our WordPress website.
Things have been configured to where
they are roughly the right permissions.
Someone mentioned using an
.htaccess file to configure stuff.
.htaccess has been-- there's a
lot of the community on Apache
is moving away from .htaccess just
because it is not necessarily
something that is super robust.
And what I mean by that is it's
easy to have a bunch of them
and then have them overwrite
each other and you can control
permissions a little bit easier.
However, they are still used
frequently and a lot of tutorials
still encourage them.
So I'm not going to touch on it
too much, because it is kind of not
necessarily considered
a best practice anymore,
though it is a totally valid practice.
So we're going to kind
of ignore it in favor
of just setting our permissions
to be relatively restricted, which
we actually are not really doing here.
But in concept, you could.
So with that in mind, we're
going to deal with .htaccess maybe
never in a stream.
But if we ever cover Apache explicitly,
we will certainly deal with it then.
COLTON OGDEN: Mrc147, thank
you very much for following.
NICK WONG: Yes, we appreciate that.
Every time someone
follows, we appreciate it.
COLTON OGDEN: I love
the sound, the "bring."
NICK WONG: Yeah, it's
a really cool sound.
They don't hear that, right?
COLTON OGDEN: It'll be
in the video, I think.
Yeah.
Everybody in the chat, confirm if
you can hear the follow notifications
when it [INAUDIBLE].
NICK WONG: It's a cool sound.
COLTON OGDEN: [INAUDIBLE] They probably
hear it through the microphone,
if anything.
But I'm pretty sure it's
in the actual video.
NICK WONG: Yeah, that'd
be kind of funny.
It's very interesting to me what
you guys hear versus what we hear.
I don't know why I did status all.
I know exactly what status
I'm trying to change.
COLTON OGDEN: Yeah, they're
saying they hear it, yeah.
NICK WONG: Oh, sweet.
Yeah.
Oh joy.
Spelling.
There we go.
Forgot to restart the database.
COLTON OGDEN: Some people
are saying they can't.
OK, I'm not sure.
NICK WONG: Oh, so it's like the dress.
Everyone's kind of like--
COLTON OGDEN: Yeah, exactly.
NICK WONG: We don't all agree.
[INAUDIBLE]
COLTON OGDEN: The yanny
or whatever it was.
NICK WONG: Yeah, exactly.
COLTON OGDEN: Ahmedosman thank
you very much for following.
NICK WONG: All right.
Now I might be missing
a MySQL extension.
Bummer.
Let's go ahead and grab that from the
tutorial that I so conveniently closed.
Love that.
There is all sorts of extensions.
There's a couple of minor things
that I am certain I am forgetting.
We'll live.
I don't build with WordPress
that often anymore,
so we're going on
knowledge from a while ago.
COLTON OGDEN: It was laurel and yanny.
That was what it was.
NICK WONG: Oh, right.
There we are.
That is the name.
COLTON OGDEN: It was
both names put together,
and that's why you could hear it.
Because the low frequency was Laurel.
NICK WONG: Oh, and they just had
them at different frequencies.
COLTON OGDEN: It was the other way,
but yeah, the lower frequency bands
were one name and the upper
ones were the other one.
So if you filtered out either side,
you would hear the other name.
NICK WONG: That is good to know.
Hm, maybe I am not
missing a MySQL thing.
So let's go ahead and see
if maybe we just messed up.
Oh, we are missing the PHP
MySQL extension, I believe.
COLTON OGDEN: I signed up for edX,
but I have been busy with work.
I haven't started.
Is it possible to catch up or
re sign up for the next session?
I believe you can.
I'm not 100% sure of the--
I forget how the actual details work.
I think you certainly can sign up.
If you're taking it for free, you can
sign up and do it whenever you want.
For the certificate, I
do think you can just
turn in your work for the next
course iteration and still get it.
I don't think you're locked in.
But the details should
be on the website.
I think it'll tell you
what the deadline is.
All of the new content from this year
is going to go up around January.
It'll be up January 1.
So if you want to start taking CS50 with
the lectures that we taught this year,
then that'll be an option to you.
And you can see the lectures on
YouTube right now, actually, too.
NICK WONG: Sweet.
Yeah.
That one I wouldn't necessarily
know a whole lot of an answer on.
Oh, I do know this.
Well, I don't know this one.
I have a guess as to this one.
You probably know this one.
Why isn't CS51 on edX?
I know they just recently
kind of changed course staff,
so they were dealing with
a bunch of stuff with that.
Just recently being the
first year I took it.
I've had that happen to
me all the time, actually.
Every single CS course I
think I've taken except CS50
has had a change in
professor every single time.
Go figure.
I don't know why that is.
COLTON OGDEN: Yeah, I don't know
if they have the resources either,
or at least the production.
They definitely don't have
the production CS50 has.
I've been telling David we should try to
get a 51 of our own implementation done
at some point.
I think that'd be really cool.
How tall is David?
David, I believe, is 6'2" or 6'3".
NICK WONG: Yeah, he's pretty tall.
COLTON OGDEN: If David's
lurking in the chat,
then definitely let us know
how tall you are, David.
NICK WONG: Yeah, throw
that out in the chat.
COLTON OGDEN: People want to know.
NICK WONG: In case there aren't
enough people obsessed with you.
I'm sure there's a compiled version
of David somewhere on the internet.
Just like a compiled fan page of David.
There's got to be.
COLTON OGDEN: I think
there probably is, yeah.
He has a Wikipedia page, but I
don't know if that's fan driven
or how that works.
NICK WONG: Yeah, I don't know.
Good question.
So many questions that we all don't
really necessarily know about.
All right, so we have
configured WordPress kind of.
Except we deliberately left
out, we, I deliberately
left out copying over their config page.
And the reason for that
is it can sometimes
cause bugs if you don't
necessarily edit it correctly.
And I promise you, I was going
to edit it entirely incorrectly.
So we're doing that through WordPress's
interface, which is kind of nice.
And so what ends up happening
here is they tell you
that, hey, you didn't actually
create a wp dash config dot PHP file.
And you're like, I totally, and
then when you list everything out,
you're like, didn't do that.
And the reason that we didn't is
because they have a sample PHP file.
And in a lot of WordPress
tutorials, the standard
is to copy that over and
then fill in your parameters.
And they very clearly demarcate where
you should fill in your parameters.
However, we're going to
deal with things here.
And we're going to kind
of actually go through
with WordPress's way of doing it and
talk about why that's kind of cool.
Because it didn't
necessarily exist before.
So the database name is WordPress.
Wow, we're so clever.
The username is admin.
The password is,
shockingly, password123.
COLTON OGDEN: I love how they
don't even give you a-- well,
I guess it doesn't matter
usually that it's not hidden.
For the sake of this, if you actually
had a legitimate password [INAUDIBLE].
NICK WONG: Yeah, you really
wouldn't want everyone seeing this.
But that's OK.
Here we are.
Table prefix.
We don't really care about this.
But if you were running a bunch
of WordPress databases or servers
or things, like WordPress
actually does in the real world,
then you might want to care about that.
And we're going to submit that,
but I can't write the PHP file.
That's a huge bummer.
[INAUDIBLE] So what this basically does
is it gives you the PHP file yourself.
You can copy all that.
I really hope I copied that.
And then we're going to nano wp dash.
COLTON OGDEN: Paste in your password
on accident that you [INAUDIBLE].
NICK WONG: Oh man.
That would suck.
COLTON OGDEN: If you
did, that'd be hilarious.
NICK WONG: I would not
put it past myself.
There you go.
And you'll notice that
this all got set up.
Now, it also grabbed these
hashes and salts for us,
which is super convenient.
It might have generated them for us.
I don't exactly remember
how they do that.
I know that when you do it yourself, you
can go to the api.wordpress.org over it
and get them yourself
and manually copy them.
But we don't deal with
any of the rest of these.
Everything else is set up.
There's my password again.
You want to hack my WordPress
website, knock yourselves out.
COLTON OGDEN: It's a good password.
NICK WONG: Yeah, it's
a very solid password.
COLTON OGDEN: It has numbers in it.
That's important.
NICK WONG: Exactly.
There are numbers.
No capital letters, but
we could put one in there.
Cool.
So we have created it manually,
pasted the following text into it.
WordPress promises me that
I can run installation.
So I click that.
Hands off.
COLTON OGDEN: Samuta, thank
you very much for following.
NICK WONG: And now we can
go ahead and create stuff.
So site title, AWS Twitch
Demo in aggressive caps.
There's a username, admin.
COLTON OGDEN: Becausetheworldisrou.
I'm guessing probably
round, but it got cut off.
[INAUDIBLE] Thank you
very much for following.
NICK WONG: And we're not
going to confirm password.
Yeah, we're gonna confirm
the use of a weak password.
There we go.
COLTON OGDEN: A very weak password.
NICK WONG: Very weak password.
WordPress is sitting there
like, ha, ha, ha, you weakling.
Except WordPress gets
hacked all the time.
I'm willing to accept that insult.
And we're going to say admin.
Oh my God, what?
In two keystrokes, I deleted
the URL for the page.
Go figure.
So admin@gmail.com.
That's going to suck.
Discourage search engines.
Well, that's up to them.
I don't know if Google
actually follows that.
You appear to have already
installed WordPress.
Well, that's kind of nifty.
I don't think I did, but OK.
And we log in.
And we're going to log in
with admin password123.
COLTON OGDEN: Nonboard, thank you
very much for following as well.
NICK WONG: That's not valid.
Bummer.
It should be valid.
COLTON OGDEN: Twitchhelloworld
has been rooted out
as [? Jacque ?] in the Facebook group.
NICK WONG: Oh, you guys suck.
Just as an FYI, y'all are the worst.
COLTON OGDEN: What happened?
NICK WONG: Someone beat me to it,
because y'all actually type faster than
I speak.
I've been locked out of
my own WordPress website.
You literally took me up on
the go knock yourselves out.
Now, if I had followed a
user's suggestion at the very--
I'm still laughing at how
hilariously funny that is.
COLTON OGDEN: They
have Illuminati things.
NICK WONG: Yeah, there's a plant.
COLTON OGDEN: [INAUDIBLE] live demo.
NICK WONG: So I love doing live demos.
And actually this is
one of the better parts,
because it's just
unexpected and really funny.
COLTON OGDEN: [INAUDIBLE]
might be here too.
It might be the culprit.
NICK WONG: Whoever is mocking us the
most in the group chat I would imagine
is the person who did it.
And that's kind of awesome.
I did literally tell you to do it.
So I appreciate that you followed that.
And so out of curiosity-- well,
maybe not out of curiosity,
but we are going to, since we
have a little bit of extra time,
since I won't spend that building the
WordPress website, it has been built.
And I cannot admin it at the moment.
We really appreciate that.
You guys are great.
And so what we're going
to do is we're going
to actually run a small hack on it
and see if we catch your password.
So if you weren't clever with your
password, then this will catch it.
Don't change it.
It'll be kind of cool.
Or go ahead and change it, I don't know.
But if it was something simple
like password123 or password1234
or something very entertaining, then
we'll actually crack your password,
and that'll be kind of interesting.
The chat will enjoy it.
So it'll be kind of fun.
I didn't do it, though I saw this.
Paste link into chat.
I'm always scared of
clicking links in chats.
But Colton is fearless.
And he got a picture of team Edward.
Edward from Twilight.
COLTON OGDEN: Some great
contributions from the chat.
Appreciate that.
NICK WONG: The chat,
you guys are hilarious.
So we do all sorts of crazy things here
at, what is it, Twitch, CS50 on Twitch.
COLTON OGDEN: CS50 on Twitch.
NICK WONG: Cool.
So somebody has cheated into this.
I will say they could probably have
been a little bit more creative
with the title of the website.
It could've been hacked
or something like that.
Oh, they're commenting on the hair.
COLTON OGDEN: A little bit.
A little bit [INAUDIBLE].
NICK WONG: That's pretty funny.
All right.
So we have this kind of cool utility.
I have this kind of cool utility.
It was built by some people
that do some cool stuff.
Also, I've changed my
prompt a little bit.
I was inspired by talking about the
prompts customization last time.
So I actually changed it.
COLTON OGDEN: [INAUDIBLE] happy face.
[INAUDIBLE]
NICK WONG: Yeah, so it changes if
you run a command that doesn't exist
or it actually tells you the error
code that prints from that command.
COLTON OGDEN: OK, that's cool.
That's cool too.
I like that.
NICK WONG: Yeah.
So I thought that was kind of cool
and thought it was kind of nifty.
So if I run some sort of valid
command, it goes back to happy face.
Thought that was kind of cute.
But what we're going to run
is something called WPScan.
And what this does is it allows
us to scan a WordPress website.
Ah, no.
Why did that copy with it?
Why does Nick forget
how everything works?
Cool.
And this is going to tell
us it's WordPress website.
And it's going to enumerate some
kind of stuff that's going on there.
And I can actually also
pass in a password list.
I don't remember if that's the
keyword, but we'll find out.
I have this password
list stored somewhere.
No.
I think it's under--
wow, I'm so glad that I called
that something reasonable.
I don't know what's in
passwords2.txt, but we'll find out.
COLTON OGDEN: hiimzackjones,
thank you for following.
NICK WONG: Yes.
We really appreciate that.
I love the noise.
Yeah, that's fantastic.
[INAUDIBLE]
COLTON OGDEN: I see a lot
of seller stuff in there.
NICK WONG: Yeah, there's
some cool stuff in here.
Oh, so this is home brewed.
Where is the password list?
Ah, word list.
Every time.
There's only so many ways that you would
think you could run this sort of thing.
And yet there are way more
than you will ever imagine.
So we're going to throw a
WordPress scanner at it.
And if you are thinking this is a
script kiddie-- hey, we know who it was.
Really good on the name there.
So if you are thinking script
kiddie, you would be entirely right.
This is a script kiddie sort of attack.
However, I can explain to you
what's going on underneath it,
and I'm not going to use
that as validation for me
not being a script kiddie.
But I think it is kind of funny.
So we did end up grabbing
one of your logins.
I don't have a whole lot of
passwords sitting on there.
If you want to tell us your
password, you can see this tool work.
Otherwise it doesn't matter.
But we do know the username
that is actually going on here,
and we know that you're the only
user on this WordPress website.
So if I wanted to be really
thorough, I would probably go onto--
oh, I'm not going to go on there,
because I know some of the passwords
are not pleasant.
They use a lot of bad
words for passwords.
People are naughty.
So if you type in--
COLTON OGDEN: Clearly.
NICK WONG: Y'all are
case in point of that.
You guys are naughty.
And so if you go on GitHub, there's
a [? SEC ?] list or [? SEC ?]
dev that does just
thousands of different kinds
of passwords and where they got them
from and all sorts of cool things.
And so if you go on there, you
can just pull their password lists
and snag them and then throw
them through WordPress scanner
and see if you can crack
people's passwords.
It is a brute force attack.
There are all sorts of ways in which
they can detect this sort of attack.
You'll notice I only threw 500
passwords at [? Maga's ?] way
of hacking our things.
Someone asked, wait, is this at CTF?
What CTF is this?
It is not a CTF, but it's pretty
close in concept in the idea.
And we're kind of getting towards that.
Actually, a lot of the CTFs that I
build are very, very similar to that.
This is not a CTF if you just
happened to hop into the stream.
This is actually us building
a [? word ?] web server.
We are building a web server.
This is not a CTF.
Do not worry.
We will, however, go
through a live CTF later.
So yes, I have now been
locked out of my WordPress
website, which is totally cool.
I own the WordPress
website, which is great.
I can also shut everyone out
using something like this.
Actually, ufw allow.
Let's do allow 22.
ufw allow 20.
Oh no.
That was the worst possible typo.
I'm always afraid of doing that.
I don't remember if it's disallow?
Where is it?
COLTON OGDEN: And thank you [INAUDIBLE].
You've been a regular for a long time.
Thank you for following us.
NICK WONG: So we'll deny port 80,
which means you are no longer allowed--
well, you should be no longer
allowed to connect through our--
oh wait.
sudo ufw enable.
There we go.
So yes, it may disrupt
existing SSH connections.
That would be normally very
dangerous, because I deleted my SSH
key to literally prevent
you guys from doing
what you did to the WordPress website.
Which let's make sure
that that's still true.
Cool.
And now that should prevent us from
connecting to the WordPress website.
So it's a decent burn
all cut corners strategy
if you notice you've been hacked.
In this case, I noticed
I've been hacked.
Now, my first technique
was to hack back.
Don't do that.
That's a terrible first strategy.
However, a good first strategy would be
for us to then disable all connections,
shut down all resources.
I've explicitly denied 80,
but ufw will deny everything
else too that's not explicitly allowed.
So I am also just being
extra secure in that.
But I also explicitly allowed
22 so I can connect myself.
And that makes sure that
you guys are all shut out.
The world wide web is shut
down with regard to my server.
If I wanted to be really
thorough, then I might go back
into our management console and edit the
inbound rules and say, you know what?
I wasn't even using
443, so get rid of that.
And I'm going to nuke port 80 as well.
And now I'm pretty sure that I have
blocked myself out of the internet.
Now, that might be a
dangerous first strategy.
I'll go on a very brief tangent,
since we have now completed up
to stage three of our plans for today,
and we've completed it roughly on time,
actually.
And it will give me a
little bit of a moment
to talk about a better
strategy, which is
you should actually kind of let
your attacker go for a little bit
and watch them.
Once you've noticed
it, it's a decent idea
to try and contain them, but let
them not know they've been contained.
So if there is some sort of way of
sandboxing them without them noticing,
that's fantastic.
And the reason for that being
that I can design a beacon that
gets implanted on your server
and goes out and pings back to me
and, I don't know, gives me information
or lets me connect back to you
as a shell or something.
And that beacon might detect whether
or not I have internet connectivity
or whether or not the
beacon can reach out.
And if I shut everything
out, I'd kind of just
pull my computer off of the internet
and leave it in some sort of--
you could refer to it as an
air gapped state of some sort.
Then that might actually not help you,
because your attacker might disappear.
You might think your attacker is gone.
Then when you connect it to the internet
again, you put a bunch of new protocols
in place, you change all of your
passwords, all of your keys,
everything's been re-encrypted.
That attacker is still there and they're
now just as bad as they were before,
but you think you're safe.
And that's much worse.
So generally speaking,
if you can kind of
play this kind of counter
subterfuge game with your attacker,
that actually helps.
Nonboard points out honey pots.
Honey pots are a really
good idea in concept,
especially if you can
execute them really well.
However, I would advise
being very, very careful
with that, because if your honey pot
is sitting in the middle of a device
that you actually care about or even
a network you actually care about,
it is no longer necessarily a honey pot.
It might be kind of a honey grenade.
It is really good most of the
time and every once in a while
it explodes and ruins
your entire network.
So be very careful in setting things up.
Try and take the right precautions.
There's not necessarily a centralized
repository for how to do it.
But for example, if you set up
a honey pot, I'm the attacker
and I get into your network but I
go into your honey pot by default,
I notice everything is
a little bit too easy
or maybe I just realize that I'm
on a network that only has one node
and I think that's very strange.
Then I might say, hm, it's very
possible I've been trapped,
but they don't realize that I
realize that I have been trapped.
So I can play on that sort
of assumption and start
trashing their system, which
is what they would expect.
I can do all sorts of behaviors
that you might also expect.
And then the second that there
is some sort of vulnerability
that I have noticed or
the second that I realize
I can go one step back in the
network but not all the way out
of your network, then I will use that
point to then branch back into it.
And I will make sure to not
hit the honey pot again.
And so that sort of
thing then buys me time.
So if your honey pot's
not configured correctly,
or if it's configured
in a way that you forget
that your router is a
potential attack surface
or that a firewall can be
a potential attack surface,
there are all sorts of attack surfaces.
You want to minimize those.
But there are reasons for having them.
There's a reason for a
firewall, and there's certainly
a reason for a router.
So you have to be careful, and there's
a lot of balancing that goes on there.
COLTON OGDEN: Yeah, very curious
to see the cyber security stream.
NICK WONG: Yeah, it'll be very fun.
COLTON OGDEN: [INAUDIBLE] stream.
NICK WONG: I'm very excited for it.
COLTON OGDEN: I saw an [INAUDIBLE]
article on outages on Microsoft Azure.
Do you have thoughts on going
to cloud versus your own server?
The main motivation to me is the cyber
security staying up to date constantly
there.
On the Azure I'm guessing
they're talking about.
NICK WONG: Right.
So it is actually definitely
a good point to end on, since we've
been talking about web servers.
I'm going to kill mine while
I answer that question.
But basically, the question
being that if you host something
on some sort of remote provider like
AWS, Azure, Google Cloud, they have
more resources
than me the individual.
I know that's true.
I have $5 in my wallet.
And they do not have just $5 in theirs.
So they are capable of
doing all sorts of things
to update and maintain
security practices.
They can update the hardware
itself, which is really important.
They can do all sorts of really,
really cool things that I can't.
And as my own personal user, if
I'm hosting a server in my house,
it costs me electricity costs,
which they are not really
necessarily charging directly to
me, at least not in the same way.
It also might cost me in
networking for my ISP.
It might cost me in terms of
what if a hardware device breaks.
If I have a hard drive that just breaks,
like they break from time to time,
that would be really bad.
I don't necessarily have data
backing up and things like that.
There are a lot of
really great advantages
to using a cloud service provider.
Now, that being said, that
cloud service provider
has hardware access to your device.
So they could, in concept,
if they were to ever turn out
to be a bad agent, they
could mess with your device,
and that is something to be
kind of paranoidly aware of.
Something else to kind of keep in
mind is having a service on your own,
provisioning for it in your
own in-house or in warehouse,
then you have to take care
of every single part of it,
and there are a lot of security
concerns that you might not be aware of.
Whereas Amazon has their own security
team dedicated to doing just that.
So it's generally worthwhile if you're
a business or enterprise solution.
Unless you're big enough that it is
more cost effective to keep it in-house,
it's usually going to be more worthwhile
to keep it on some sort of service.
Now, examples where that might not
be true despite cost effectiveness
would be maybe hospitals, where data
and sensitivity are really important,
of utmost security, confidential.
And I think AWS actually does follow
enough safety parameters on that
that they are regulation approved
as far as hospital documents go.
If you're a law firm, that might
be of utmost priority to you.
And it's a selling point,
even, to your clients
is that we protect your data
because we own all of it
from the electricity that comes
into the house to all of the data
that you gave to us.
If you are a government, for example.
If I am the foreign government of China,
if I am the Chinese Communist Party,
I might not use AWS to host my things.
Because the US government,
it is an American company,
and the US government might subpoena
things off of that hardware.
And they might be totally
within their rights
to do that if it is a
matter of national security.
So that would be something to consider.
But I don't think any
governments are really watching.
Or if they are, hello.
And that's all I have to say for that.
COLTON OGDEN: All 41.
NICK WONG: Yeah, all 41 of them.
Our foreign governments.
COLTON OGDEN: [INAUDIBLE] house server,
in-house server [INAUDIBLE] running,
but we don't have any web facing stuff
like a website or databases anything
big, just DNS, DHCP, and AD.
NICK WONG: Sure.
And so your AD basically tells us
that you're using some sort of Windows
environment, which is really cool.
Likely using some form of Windows
Server if you have it all in-house.
And if you have just DNS, DHCP, and AD,
then minimal services definitely helps.
And continuing along the
kind of paranoid track
of this conversation, if I
wanted to be extremely paranoid,
well, you can poison DNS.
You can mess with DHCP.
And I could actually override
the security of your AD
using any number of man-in-the-
middle versus external attacks
versus whatever.
But generally speaking, that
sounds like a good practice.
That seems very reasonable.
And within business, that seems
like a pretty standard practice.
So there's all sorts of ways
of doing that sort of thing,
and I don't think that
there's any realistic threat.
But it is something to keep in mind.
As a computer scientist, as a
cybersecurity person, as a programmer
and as a person, it is definitely a
good idea to be as thorough as possible
and have kind of these cases enumerated
so that in the event that that happens,
even if it is a very unlikely
probability or a very low probability
occurrence, you're still aware
that it could have happened
and you might have
some provision in case.
I believe a good example of that is the
United States occasionally discusses
what happens if the zombies come
and take over in the Senate.
That's a real discussion that occurs.
And it's such a low
probability as to most people
saying that would never happen.
But it is very possible.
It's been considered in
popular culture enough
that maybe something along
those lines could happen.
And considering that
case, still worthwhile.
COLTON OGDEN: Makes sense to me.
It looks like [INAUDIBLE] has asked
about the Humble Bundle currently
running a sale on some
cyber security books.
So these are them if you want to look.
Basically asking, are
any of these worthwhile?
So these are the [INAUDIBLE].
NICK WONG: So things with
books, and the reason
that I am somewhat wary of, though
definitely a huge fan of getting books
on cyber security, blockchain, C,
programming, best practices, worst
practices, mediocre practices.
No one ever writes a book, Mediocre
Practices of C Programming.
They always write the best practices
and who knows where that came from.
But the reason that I'm wary of
books and of buying information
on a monolithic standpoint is
I am usually of the opinion
that people have some really good
opinions and some really bad opinions.
And myself included.
I probably said something
within the past three streams
that someone was like,
that's either wrong,
that's probably happened many times
maybe, or that's a terrible opinion,
here's why.
And they have real evidence for it.
Yeah, PHP is probably a great example.
I was like, I hate PHP.
And they're like, well,
I have real evidence
backed up by metrics and
standards that says you're wrong.
Sure.
And that's the reason that I advocate
pulling as much information as you can.
Because as you start to make your own
opinions on these sorts of things,
you are capable of actually
looking at a book and reading--
one of these books is Mastering Kali
Linux For Advanced Penetration Testing.
OK, well that's a lot of
words that sound really cool.
And I'm not going to just criticize
the book based on word mincing.
But they're not necessarily meaningful.
What do you mean to master something?
At what level are you
a master of anything?
And if you're talking about
advanced penetration testing, well
what differentiates that from
intermediate penetration testing?
How did you define penetration testing?
Is that the standard?
Is that what the community
and the world has decided on?
Is that a community
within the United States?
Is that a government
has decided on that?
There's a lot of decisions that
are implicit in just the title.
And I might still read that.
I think that sounds like a great book.
That sounds cool.
I might learn some tricks
that I never knew before.
But I would also want to read another
book that claims it's better at it.
Because now I have some
countering opinions.
I can make my own choices
and decisions there.
A lot of programming, a lot of
cyber security, a lot of life
is actually just making choices and
weighing trade-offs and benefits.
And that's generally what
I would use as an approach
for learning things about CS.
COLTON OGDEN: Absorb more data.
More information.
NICK WONG: Pull in more and
more information, as much as you
can, and try not to overwhelm yourself.
COLTON OGDEN: They said they're gonna
call you Nick the spy from now on.
NICK WONG: Sure.
COLTON OGDEN: Intelligence
agencies don't need spies
as long as data is already in the cloud.
NICK WONG: Well, their spies
have just gotten upgraded.
All our data is already in the cloud.
There is all sorts of interesting
things on that statement.
I think the FBI would like you
to believe that that is not true.
They follow the law.
They go through courts and at
least in the United States,
they are fully above board.
I think the CIA and NSA would like
to agree with what you just said.
So there's all sorts of
very interesting things.
There's all sorts of interesting
political things on that.
As far as calling me Nick the spy,
just don't tell the government.
And someone also pointed
out there, and it'll
be probably one of the last
comments that we read off,
is a cyber security programmer
told me they try to avoid ever
even nesting one loop in code.
He says the lack of cyclicity,
or something like that,
enables him to test more efficiently.
Thoughts?
So my first intuition on that is
to say that that sounds absurd.
But it might have been very
reasonable given their context.
I don't know exactly
what they were saying,
and I don't know what they
were exactly talking about.
But generally, the
statement of this thing
should never be done is missing
the nuance to make it correct.
And so saying never nest
one loop in code, no loops.
COLTON OGDEN: Done.
NICK WONG: OK.
Sure.
I write everything with if statements.
That's not a loop.
And I can't use a for loop.
No while loops.
So all of my loops are
built through recursion.
OK, sure.
COLTON OGDEN: [INAUDIBLE]
goto statements.
NICK WONG: Oh no.
Or goto statements.
So I use goto [INAUDIBLE].
COLTON OGDEN: [INAUDIBLE]
assembly in a nutshell.
NICK WONG: Yeah, the
assembly version of it.
So we end up just doing that.
And now I've avoided loops.
I've not helped my testing at
all, because now all of my unit
tests that rely on using for
loops and while loops are useless.
And so now I have to rebuild all those.
I would argue that--
I mean, I'm kind of openly mocking it.
But I would say that it sounds
like a non-useful statement.
It sounds like the
programmer that told you
that either didn't know what
they were talking about,
or it was in a very particular
scenario, very particular instance,
and they were right in
what they were saying,
but in the general sense, that's
not a hugely useful statement.
COLTON OGDEN: Maybe it was
for [INAUDIBLE] test cases
or something and [INAUDIBLE] run
these test cases fast so no looping.
[INAUDIBLE]
NICK WONG: I've seen--
COLTON OGDEN: Pink Panther.
NICK WONG: Yeah, I was gonna say.
Is Mr. Bean a spy?
COLTON OGDEN: Johnny English.
Those are the tropes.
That's where the joke comes from.
NICK WONG: Right, exactly.
COLTON OGDEN: [INAUDIBLE]
That's the whole point of it.
NICK WONG: That's why they're funny.
There's a good comment
on exploiting code
is more about sanitation and things
like putting too much into an allocated
amount of space to break things.
Sure.
That is a very good example of a
classic buffer overflow where I took--
I know that you wanted a certain
amount of data somewhere.
And actually, that takes advantage of
two things, a buffer overflow does.
But it does have half of what
you're talking about, which is
and I just give it way too much stuff.
And so the things at the end,
nobody knows what they do.
They might be a pointer somewhere.
They might overload your return
address and then return you
to another piece of code that I loaded.
Things like that.
And that also relies on the
fact that code is just data.
And data represented at any
level could be anything.
It could be an image.
It could be a word.
It could be code.
It could be executable.
It could be your mother's maiden name.
No one really knows what it is.
And so you have to be able to deal with
or force data to be a certain kind.
Or you should try to.
And generally, I'm of
the minimalist approach.
Make everything as small
and minimal as possible.
Only what is needed, like needed,
needed, and then build from that.
COLTON OGDEN: Because no loops.
NICK WONG: Yes, no loops.
I don't advocate for
that, just as an FYI.
I use loops.
They're useful.
They have a purpose.
COLTON OGDEN: All the time.
For loops, while loops.
NICK WONG: I use all of them.
It's like the weirdest-- the
programmer's version of dabbling.
COLTON OGDEN: And they
said, why is Nick so smart?
[INAUDIBLE] joke about
there's no actual chat.
NICK WONG: We're just in our heads.
I appreciate it.
I think there's just a lot to learn.
Always lots and lots and lots to learn.
COLTON OGDEN: That's clear to me.
I'm excited for the [INAUDIBLE]
for the hacking stuff.
That's stuff that I've never dived into.
NICK WONG: Nice, there we go.
COLTON OGDEN: I want to say dove in
for some reason, which is not a word,
I don't think.
NICK WONG: No, but it sounds right.
It sounds like the thing
you would say in English.
Who knows?
COLTON OGDEN: I've
never dived into that.
So it'll be cool.
I think a lot of people
would like that too.
NICK WONG: Yeah.
Yeah, I think that'd be awesome.
COLTON OGDEN: Let's go to
your screen saver as the--
NICK WONG: Yeah, no,
that's a great way to end.
Oh yeah, that closed
because I killed it.
COLTON OGDEN: There we go.
NICK WONG: There we go.
COLTON OGDEN: So to bring it back to the
color stuff, so which of those colors
can you differentiate?
NICK WONG: So I generally, looking
at that, I see red, I see orange,
and I see blue.
I see a lighter version
of blue from time to time
and lighter versions
of those three colors.
But I don't really see
anything in between.
So I would imagine there's also
purple and pink, because I know
[? lolcat ?] generates those colors.
I would also imagine that
there is some sort of green.
I don't notice it in here though.
COLTON OGDEN: There is
a bit of green, yeah.
NICK WONG: OK.
So that would be a color that
I don't end up actually seeing.
And I believe there's--
I see white, I think.
There are some colors
that get light enough
that I think they become kind of white.
COLTON OGDEN: I think they're just cyan.
NICK WONG: Yeah, they might
just be a really light blue.
And so I don't necessarily
know which colors I'm missing.
But based on my guesses, those are the
ones that would exist that I don't see.
Well, green is a good example.
COLTON OGDEN: Have you had that your
whole life or is that a development
in your vision?
NICK WONG: Yeah, that's actually
been there ever since I can remember.
Well, I guess I in first
grade was notified about that.
And that was actually the first
and only test I tried to cheat on.
It was a good lesson in why not
to cheat, as just like an FYI.
I tried to cheat on this test.
Basically, the way it worked at our
school was we were a very small school.
They handed out a bunch of cards.
They asked you to write down
what you see in the cards.
And I was like, got it.
I can do that.
And then I looked in the cards
and there's nothing there,
because I'm colorblind, so duh.
And so I looked over at the kid next
to me and I was like, all right,
sailboat, seven, square.
Done.
Got it.
And just tried to look through
the rest of cards, saw nothing.
And so then they came up to me
and I thought they'd caught me.
I thought they'd noticed me cheating.
So I was like, oh man.
In first grade, you're
what, eight or so?
My small brain was kind of just like,
oh crap, I've gotten caught cheating.
And the teacher was like,
yeah, so you're colorblind.
I was like, well, that's kind of
a harsh punishment for cheating.
COLTON OGDEN: Yeah, they
made you colorblind.
NICK WONG: Yeah.
I was like, Jesus, what the?
And then they were like, well, so none
of those answers were remotely correct.
Because there were shapes
and numbers and things.
All of mine were letters.
So I didn't write a single letter down.
I wrote a number, I wrote
a shape, and another shape.
COLTON OGDEN: Well designed test too.
NICK WONG: Very well designed test.
Very easy test.
Simple and just beautifully well done.
And I was like, dang it.
Couldn't have gotten around that one.
And yeah, I couldn't cheat
after that, because I was just
so traumatized by that.
I also then learned I was
colorblind, which was cool.
Cool.
It was an interesting development.
I was kind of like, oh, nifty.
Because it doesn't really
bother you that much.
COLTON OGDEN: Yeah, I can imagine
it's probably not something that
impacts you too much.
Like this can here, do the red
and green look similar to you?
NICK WONG: I actually didn't
know there was red on there.
COLTON OGDEN: On the words, Canada Dry.
That's red.
What does it look like?
Does it look the same?
NICK WONG: It's green.
Yeah.
It's just the same as this.
COLTON OGDEN: Crazy.
NICK WONG: That's kind of cool.
Is any more red on there?
COLTON OGDEN: For
anybody who doesn't know.
NICK WONG: Sorry, I have a soda.
COLTON OGDEN: Oh, the green screen.
NICK WONG: Oh, that's really funny.
COLTON OGDEN: Never mind.
We have a green can
with red words on it.
NICK WONG: You guys are never gonna see.
Oh, well actually, I guess
the letters are red, right?
So they would still show
up on the green screen.
COLTON OGDEN: Yeah, they will.
NICK WONG: Yeah, so
what you guys can see
and what I can see now on
the screen must be red.
Huh.
That's really funny.
COLTON OGDEN: So actually
this background is a yellow.
I don't know if you can
tell that is yellow.
NICK WONG: I know it's, well,
it looks greenish to me.
But OK, I can believe it.
COLTON OGDEN: That's interesting.
So anything that's red tinged is going
to look the same as green for you.
NICK WONG: It tends to.
There are moments where
I can distinguish.
Like that book, Colton has a book on
his screen right now that is, I think,
red or pink.
And that one looks pretty
clearly red and pink.
COLTON OGDEN: It's a
very light red, yeah.
NICK WONG: Yeah.
But if they're kind
of that same hue, they
seem to blend pretty easily for me.
COLTON OGDEN: So you can
differentiate some shades of red.
NICK WONG: Yes.
Yeah, there are definitely some
that I can pretty clearly get.
There's a lot that I can actually
really get by just logic.
If I think about it for a second
before I speak, then I know it's red.
Like I know what you're
wearing right now is red,
but that's because I got one last year.
COLTON OGDEN: But this
looks [INAUDIBLE].
NICK WONG: It sometimes out of the
corner of my eye looks pretty green.
COLTON OGDEN: Interesting.
That'd be so interesting
to sort of see that.
I wonder if they-- do they
make glasses that do that?
I think they do, right?
NICK WONG: I think so, yeah.
I think you can actually
go online and see
what it would look like for a colorblind
person versus a non-colorblind person,
but it's weird to me, because
they don't look the same.
They don't look like
how I see it, but I'd
imagine for someone who
sees all the colors,
they do actually get pretty close.
COLTON OGDEN: That's
such an interesting TIL.
That's very interesting to me.
NICK WONG: Yeah.
Cool.
You're actually probably
colorblind a little bit too.
COLTON OGDEN: I might be, yeah.
My grandpa had a little bit of
red-green colorblindness but not much.
My dad is not colorblind.
I don't know how to test if I am.
NICK WONG: It's pretty hard to notice.
COLTON OGDEN: Every time
I've taken a test for that,
though, I've always been able to
clearly see what they're testing for.
NICK WONG: OK, so you
might actually not be.
COLTON OGDEN: Might be.
It'd be such a crazy thing to
learn after 27 years of existing
and not knowing that.
But who knows?
I would love to find out if that's true.
Let's bring it-- actually
we're on the screen.
This is a good place
to sort of segue out.
Maybe we'll bring it to the number
two shot, just because [INAUDIBLE].
NICK WONG: Yeah, I think
that's a nice shot.
We can get close.
COLTON OGDEN: It was an awesome stream.
So thank you very much for doing this.
NICK WONG: Thank you
again for having me.
COLTON OGDEN: It's cool.
It always goes into the
sort of hacking direction.
So we got hacked live.
NICK WONG: We seem to be, yeah, we've
been hacked live, which is very cool.
I appreciate that.
COLTON OGDEN: YouTube title
Nick gets hacked live on Twitch.
NICK WONG: That'd ruin my job here.
COLTON OGDEN: And we get the
invisible can of Canada Dry here.
Very important.
NICK WONG: Yeah, I didn't even
notice that it was on screen.
It's been on screen for most of--
oh, I guess it was right off screen.
COLTON OGDEN: It was over there.
Yeah.
It was a little bit off.
NICK WONG: Yeah, but if we turn it
like this, it's pretty hard to see.
COLTON OGDEN: It's pretty interesting.
NICK WONG: Yeah, we have a lot of fun.
Thank you guys for,
again, participating.
I love the livestream.
That's fantastic.
COLTON OGDEN: Yeah, it's so much fun.
The chat too.
Just all the directions we get to go.
So next week you'll be doing C.
NICK WONG: Yes, we'll be
talking about low, low C.
COLTON OGDEN: But more of a deep
dive into actually using it.
NICK WONG: We'll hop into C.
COLTON OGDEN: Pretty much
assembly at that point.
NICK WONG: Yeah, we'll be
pretty much one step above.
Just barely.
But we'll actually probably bring up
some assembly and talk through it.
COLTON OGDEN: Doing some GDB.
NICK WONG: Yeah, GDB will
be a couple of things.
COLTON OGDEN: That would
be pretty cool, actually.
NICK WONG: Just some strace as well.
COLTON OGDEN: We'll talk about how
that loop and goto are similar.
That's pretty cool, actually.
And I happen to know a
little bit of assembly, which
is why we're talking about [INAUDIBLE].
Not as much as you.
NICK WONG: We might even build
a buffer overflow example.
That actually, I think, would be cool.
[INAUDIBLE] off the top of our heads.
So we can do it.
COLTON OGDEN: You more than I do.
Yeah, this was awesome.
Thank you everybody who came today.
NICK WONG: Yeah, thank you guys.
COLTON OGDEN: Next week Nick will
be here next Tuesday, same time.
NICK WONG: Yep, same time, same place.
COLTON OGDEN: And then after the
winter break, we have a bunch of stuff.
NICK WONG: Oh, yeah, we'll
have a whole docket of--
COLTON OGDEN: Toss us ideas,
toss us ideas on either YouTube
or here or Facebook.
Tomorrow we have Andy [? Chen, ?]
who's going to be talking about--
if somebody is new to the stream, he has
never streamed with us before-- he'll
be talking about R. We'll be
talking about biostats,
and we'll be using a real-world
data set for us to look at
and to do some stuff with.
I've actually never used R before,
so this will be a fun thing for me.
Getting all this information about
all this stuff that I don't even know.
NICK WONG: Colton's learning
all sorts of things.
COLTON OGDEN: This is all just
about me learning new stuff.
Thank you everybody who came today.
Just making sure I didn't
miss any comments here.
It looks like everybody is
talking about Canada Dry.
"Do you still hate PHP?"
is what they're asking.
NICK WONG: I do still hate PHP.
That I think will be forever.
I'll probably build something in Laravel
over the winter break just to learn it,
but I don't like it.
COLTON OGDEN: Just to
embrace [INAUDIBLE].
NICK WONG: Just to embrace
the things that I hate.
COLTON OGDEN: Thank you to
mrdrcarbon for the follow.
That's a [INAUDIBLE] by the way.
But yeah, this was CS50 on Twitch.
I'm Colton Ogden.
This was Nick Wong.
This was AWS Web Server.
We talked about using it with WordPress.
Tune in tomorrow for R and biostats.
But until then, have a
great rest of your evening.
And Nick, we'll see you next week.
NICK WONG: Yep.
So will Colton.
Well, he'll see you tomorrow.
COLTON OGDEN: [INAUDIBLE]
But I'll see you tomorrow.
Have a good rest of your night.
Goodbye.
NICK WONG: Awesome.
See you guys.
