[MUSIC PLAYING]
DAVID MALAN: Security.
Let's start off with some scary stories
about how your data and your devices
are under constant threat,
even if you don't necessarily
realize as much yourself, and then
consider how we might defend ourselves
against some of these threats.
Let's start, for instance,
with privacy, keeping folks
from seeing data or things that you
don't want them necessarily to see.
And specifically, let's consider this.
If you've got some desktop
computer, or some laptop computer,
those devices alone are the most
insecure thing you might have,
and maybe even the device in your
pocket that you even leave lying around,
because at the end of the day, whether
it's a laptop or desktop or phone,
these are computers, and
computers have on them data,
and data is just a fancy
way of saying, like, files.
So files, of course, are just
collections of zeros and ones,
and in those zeros and ones, odds are,
are numbers like financial information,
or photographs that
you've taken on vacation,
or maybe it's financial documents
that you've typed up on your computer.
So suppose that you're
already in the habit
of trying to keep your data
secure, because anything
you don't want someone to see, you
maybe are in the habit of deleting it.
But let's consider first
what it means to be deleted.
Recall, after all, that files are
generally stored on hard drives,
or SSDs.
And in fact, a hard drive is just a
physical device, something like this.
And there's magnetic particles
on this particular device
that represent our data.
So what does it mean,
though, to delete a file?
On Macs and PCs and the
like, when you delete a file,
it simply disappears, typically,
from your desktop or folder.
But what's really happening,
especially when at the end of the day,
those files are on a
physical device like this?
Well, turns out the files are stored
on a computer, and on a platter,
if it's a hard disk,
that might look something
like this, although ideally
it would be a perfect circle
so that it can spin properly.
And anytime you store a file, you
might allocate some part of this disk,
maybe that part of the
disk, or the platter,
so to speak, for all
of your zeros and ones.
And I'll just go ahead and draw
some random zeros and ones up here.
And what those zeros and ones are
completely depend on the file.
Maybe it's a Word document.
Maybe it's an image.
Maybe it's a sound file or a movie.
Who knows?
And then elsewhere on the platter--
and recall that there might
be multiple platters--
there will be any number of other files.
And even if it's not a platter, if
it's instead a solid-state disk,
electronically, there are
still these zeros and ones,
thanks to the tiny little devices
that store those binary values for us.
But what does it mean, now, if a
file exists in your operating system,
and your operating system
is storing it, ultimately,
on a physical device, whether
a platter here in a hard drive,
or electronically in an SSD?
Well, somehow, your computer,
specifically your operating system,
needs to keep track of
where these files are.
And so an operating
system typically has kind
of the equivalent of,
like, a little cheatsheet,
or an Excel file, that keeps
track of where files are.
So for instance, one column
might be the name of the file,
and another column
might be its location.
But location, in this sense, is
the physical location on disk.
So if I've stored, for
instance, my resume somewhere,
and that might be at
location 123, where this
happens to be location
123 on the hard drive,
specifically, byte number 123,
because operating systems are
going to store my data either
at specific byte addresses,
or maybe in certain cluster sizes.
You might actually take collections of
bytes and write files to those clusters
all at once.
But this table, then, of
course, has other values
as well, one value for every
file that I have on my computer.
So what does it mean,
then, to delete a file?
Well, graphically, it tends
to disappear from my screen.
And I know what you might be thinking.
Wait a minute, it goes into the
so-called recycle bin or trash can.
But the funny thing about the
recycle bin or trash can is what?
Especially if you have maybe a
nosy roommate or family member.
It's not really sufficient to leave
deleted files in the trash bin
or recycle bin, because
what can they do?
They can, of course, just
double click on the thing,
drag the file out, and then hang onto
it and actually see what was there.
So oh, no, no.
You're more
security-conscious than that.
You're in the habit of emptying your
recycle bin, or emptying the trash.
And it maybe makes a cute little sound,
and then the little icon of trash
disappears from the lid of the can.
And you might think, whew!
Got rid of that file.
No one can now see it.
But consider what might be happening
underneath the hood, so to speak.
Well, it turns out what
a computer typically
does, whether it's Windows or Mac
OS or some other operating system,
is it does nothing to the
physical device over here.
Instead, it just forgets
that entry from this table.
It just forgets where my resume is.
And therefore, it knows
implicitly, and thereafter it
can continue using location 123.
Sure, there are still zeros and
ones from my old resume there.
But no big deal, because
the computer can just
rearrange those zeros
and ones into other ones
and zeros in some other pattern
and store some other file,
so long as that new file
is added to this table.
But the implication, then,
is that even though you've
deleted a file by dragging it
to the recycle bin or trash can,
and you've had the wherewithal to
empty the recycle bin or trash can,
the computer really is just
forgetting where that file is.
It's not actually physically
destroying the data.
And so if you have the
right software, or you
have a sophisticated enough
adversary who can write software,
you can theoretically recover
data from a hard drive or SSD
just by looking for
familiar patterns of bits
that might represent a Word document
or a JPEG photograph or something else
altogether.
So what's the implication?
If this is the threat, and if
you've got some really sensitive tax
information on your
computer and you really
don't want other people to be able
to see that, because it's personal,
it's not sufficient, it seems, just
to even empty your recycle bin.
You need to somehow
securely erase this file, so
that programs like Norton
Utilities and other tools
can't recover the data subsequently.
So what could you do?
What would the approach be?
Well, you might think that
you maybe open up the file
and then just start typing random
numbers or letters into the file,
resave it, and that might overwrite
some of those same zeros and ones.
But the operating system,
frankly, might just
use a different part of the
disk to save that new data,
especially if there's some kind
of auto-recovery feature built
into the file format itself.
So that might not be secure.
Really, you need to scrub--
or wipe, as people say--
these zeros and ones.
Maybe they should be
changed all to ones, or all
to zeros, or maybe just random zeros and
ones, so that no matter what was there
is absolutely now no longer there.
And for that, frankly,
you need special software.
And there do exist both commercial
and free tools to do that,
either to securely
delete individual files
or to do it to an entire
hard drive, especially
if you're selling it or simply
recycling it, getting rid of it,
and you don't want all of
that data to remain around.
Why do computers seem to have what seems
to be this sort of fatal privacy flaw?
Well, it's actually kind
of a good thing, right,
because if you're like me, odds are
you probably accidentally deleted
something before, or maybe you--
or someone else has deleted it on you.
And so it's actually
kind of a nice thing
that computers don't actually,
by default, necessarily scrub
the information altogether, because
that means we can recover files as well,
if that's indeed a good thing.
And frankly, years ago,
for efficiency, it just
made sense for computers to
forget where the file is,
rather than bother with
this, because if you ever
do try to securely delete
a file or wipe a drive,
you'll find that it actually
takes quite a while, because you
have to touch so many of the
locations on that physical disk.
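The platter-and-table model described above, as an added example from the editor rather than anything shown in the lecture: a toy disk in Python with an allocation table, where ordinary deletion only drops the table entry, a signature scan of the raw bytes still finds the file, a later file may reuse and partly clobber the old location, and a wipe overwrites the bytes before forgetting them. The class, method names and the fake "PDF" are this example's own assumptions. One caveat the lecture does not get to: on an SSD, wear levelling means an in-place overwrite can land in different flash cells than the original, so for whole-device sanitisation the usual route is the drive's own secure-erase command or destroying the drive's encryption key, not per-file overwriting.

```python
import os
import re

DISK_SIZE = 4096  # constructed toy platter: 4 KiB is plenty for the demo


class ToyDisk:
    """A byte array plus the OS's 'cheat sheet' mapping names to locations."""

    def __init__(self, size=DISK_SIZE):
        self.blocks = bytearray(size)    # the zeros and ones on the device
        self.table = {}                  # file name -> (offset, length)
        self.free = [(0, size)]          # (offset, length) regions open for reuse

    def _allocate(self, n):
        """First-fit: hand out the first free region big enough."""
        for i, (off, length) in enumerate(self.free):
            if length >= n:
                self.free[i] = (off + n, length - n)
                return off
        raise OSError("disk full")

    def write(self, name, data):
        off = self._allocate(len(data))
        self.blocks[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        return off

    def read(self, name):
        off, n = self.table[name]
        return bytes(self.blocks[off:off + n])

    def delete(self, name):
        """Emptying the trash: forget the entry and mark the region reusable.
        Nothing on the device is touched."""
        off, n = self.table.pop(name)
        self.free.insert(0, (off, n))

    def secure_delete(self, name, pattern=None):
        """Overwrite the bytes in place (random, or one byte value such as
        0x00 or 0xFF) and only then forget the entry."""
        off, n = self.table[name]
        self.blocks[off:off + n] = os.urandom(n) if pattern is None else bytes([pattern]) * n
        self.delete(name)

    def carve(self, magic):
        """What a recovery tool does: ignore the table and scan the raw bytes
        for a familiar signature. Returns every offset where it appears."""
        return [m.start() for m in re.finditer(re.escape(magic), bytes(self.blocks))]


def demo():
    """Constructed scenario: the same fake PDF deleted three ways. Returns
    where a signature scan still finds it in each case."""
    resume = b"%PDF-1.4 resume with 2017 tax figures"   # fake file; PDF magic bytes

    forgotten = ToyDisk()
    forgotten.write("resume.pdf", resume)
    forgotten.delete("resume.pdf")
    still_there = forgotten.carve(b"%PDF-")            # [0]: bytes untouched

    partly = ToyDisk()
    partly.write("resume.pdf", resume)
    partly.delete("resume.pdf")
    partly.write("note.txt", b"hello")                  # reuses offset 0, clobbers 5 bytes
    partly_there = partly.carve(b"tax figures")         # tail of the old file survives

    wiped = ToyDisk()
    wiped.write("resume.pdf", resume)
    wiped.secure_delete("resume.pdf", pattern=0x00)
    gone = wiped.carve(b"%PDF-") + wiped.carve(b"tax figures")
    return still_there, partly_there, gone


if __name__ == "__main__":
    print(demo())
```

Running it prints `([0], [26], [])`: the plain delete leaves the whole file recoverable, a later small file overwrites only its first bytes, and only the wipe leaves nothing for the scanner.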
But it's not just your files, and it's
not just your computers themselves
that are vulnerable to disclosures
of private information.
There's also your browser.
And odds are you spend a lot of
time on the worldwide web using
Chrome or Edge or Firefox or Safari
or some other browser altogether.
And odds are you've heard
of a little something that
might be a little scary-sounding,
as you've heard it,
but cookies, pictured here
adorably with Cookie Monster
being a little surprised that his
computer wants to delete cookies.
What are these cookies, and how do they
too threaten privacy in some sense?
Well, it turns out, when
you visit a website,
these days, most every website frankly
that is dynamic and interactive uses
something called cookies.
Cookies are a feature supported by
HTTP, hypertext transfer protocol--
that's the protocol that web
browsers and servers speak--
and cookies are used to remember
a little something about you.
Often, they're used to remember
that you've already logged in.
Right, consider that when you
log in to Gmail or Facebook
or outlook.com or something
else, generally you
just type in your username
and/or password once,
then you see your inbox or your
homepage or your news feed,
and you don't have to log in
on every subsequent click.
Indeed, it would be infuriating
and downright unusable
if every time you
followed a link, you had
to reprove to Google or
Microsoft or Facebook
who you are by logging in again.
And so cookies are these little files--
or really values, numbers or letters--
that a web server puts on your
browser, saves inside of your browser,
to remember that you've
been there before.
So if I log in with my username to some
website, and I log in with my password,
and then hit Enter,
essentially the web server,
upon responding to my authentication, is
going to plant a cookie on my computer,
either in RAM temporarily or maybe
even on disk, on my hard drive or SSD,
to remember that David
is somehow authenticated.
And that cookie hopefully
doesn't actually
contain my name or password or anything
else that's personally identifying.
Instead, it probably just contains a
really big number, a really big value,
that's also stored on a database,
because the way HTTP works is every
time I visit that website again,
unbeknownst to me, at least until now,
the browser is supposed to present
that so-called cookie-- that value,
big numbers, big letters--
to the web server to
remind the server who I am.
So if I log in to Gmail today, check my
mail and maybe even close the window,
and then tomorrow I come
back and open up Gmail,
odds are my browser is not
going to make me log in again.
The browser, or really
the website, is going
to remember that I logged
in reasonably recently,
and it's not going to
pester me to log in again.
And that's because my browser
is, unbeknownst to me, sending
that same cookie value that
was planted there a day
before to remind the
server, this is David.
You know him.
He's already logged in once before.
So how do the mechanics
of this actually work?
Well, consider this.
This is a very simple HTTP request that
might go from a browser to a server.
Get slash, so get me the
homepage using HTTP version 1.1.
The host I'm visiting, in this case,
is just example.com, some website.
Now, typically, a web server is going
to reply, hopefully with a HTTP 200,
OK, all is well.
But it can also reply with some other
values in those so-called HTTP headers.
For instance, a web server can reply
not only with that 200, OK, all is well,
it can also reply with another
header below it called set-cookie.
And then inside of that is a value, a
key-value pair-- the name of the key,
which in this case is Session, which is
commonly used, but could be anything,
equals, and then some big value.
So when I said earlier that a big
random value, numbers or letters,
are planted on your computer, it
looks a little something like this.
This is just a really long, sort of
standardized format for generating
big random values that happen
to contain numbers and letters,
and also, it turns out, some hyphens.
But that number, theoretically,
uniquely identifies me.
The server is not going to send that
cookie to any other customers or users.
It's just going to me.
And my browser, by nature
of understanding HTTP,
knows how to look at that,
knows what to do with it,
and knows on every subsequent
webpage I visit on example.com
to send that value back to the server.
So on every subsequent
HTTP request, my browser
is going to send a little something
like this-- not just get slash
or whatever the page is,
not just host example.com,
it's also going to send cookie.
No Set, because Set came
from server to browser,
but just cookie colon, and
then that same exact value.
So if you've ever been to
a club or an amusement park
where you kind of want to come
and go during the day or evening,
those places might sometimes put
a little ink-based hand stamp
on your hand, so that they
don't have to check your ticket
or who you are every time you go in
and out of the park or in and out
of the club.
You simply show your hand
stamp, thereby reminding
the bouncer, whoever is taking
tickets, that you've actually
gone through this process before, and
don't have to be re-authenticated,
so to speak.
So that's all that's going
on underneath the hood,
and cookies make this possible
because they've planted these values
on your computer, thanks to the server.
But where's the threat to privacy, then?
Well, we're here looking at
these HTTP headers on the screen,
and you can't really see, like,
Wi-Fi things going across the air.
But if you have the technical
savvy, you could certainly
sniff all of the wireless traffic
going between computers and phones
and other devices in this general area.
And that's a little
worrisome, because if you
have the technology and the
technical know-how to do that,
what if an adversary, a hacker,
could actually see values like this,
and could essentially see my hand
stamp as I'm presenting it to a server?
That hacker could,
theoretically, if he or she
knows how, pretend to be me by
duplicating my cookie value, sort
of doing this, like you
might have tried at a club,
and then presenting that stamp as
his or her own to the same server.
And indeed, this is what would be
called a session hijacking attack.
It is a way for a hacker to have
access to a value like this,
steal it as his or her own, and then
send it, using the right software,
to the same server, so
that if you have already
logged in to Google or Facebook
or Outlook or some other site,
you've essentially given this
hacker keys to that same account,
because he or she can just pretend
to be you by sending the same value.
So how do we protect against that?
Well, there is a mechanism, thankfully.
And most websites, including all
three that I keep mentioning--
Facebook and Google and Outlook--
are just three of many, many websites
that these days, thankfully, encrypt
this information, scramble it,
so that even someone sniffing
wireless traffic wherever you are
can't actually see this.
It looks completely scrambled.
But more on that in just a bit.
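The request and response exchange just described, as an added example written by the editor (not code from the lecture): a toy HTTP server that checks credentials once and plants a random session cookie, a toy browser that stores it and sends it back on every later request, and the replay an eavesdropper performs once they have seen that one `Cookie:` header. Everything is in-process strings, no sockets; the user table, the session store and all function names are this example's own assumptions. The `Secure` attribute on the Set-Cookie line is the piece that backs the "encrypt it" defence mentioned above: a browser will only send such a cookie over HTTPS, so a Wi-Fi sniffer never sees it in the clear. `HttpOnly`, which keeps page scripts from reading the cookie, is an extra not discussed in the lecture.

```python
import uuid

# Constructed server-side state (stands in for the database the lecture mentions).
USERS = {"david": "correct horse battery staple"}   # hypothetical credential
SESSIONS = {}                                        # session id -> username


def parse_message(raw):
    """Split a raw HTTP message into (start line, {lower-cased name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_cookie_header(value):
    """'session=abc; theme=dark' -> {'session': 'abc', 'theme': 'dark'}"""
    jar = {}
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            jar[k] = v
    return jar


def server_login(username, password):
    """Check credentials once; on success mint a random session id and plant it."""
    if USERS.get(username) != password:
        return "HTTP/1.1 401 Unauthorized\r\n\r\n"
    sid = str(uuid.uuid4())                 # the big random value with hyphens
    SESSIONS[sid] = username
    return f"HTTP/1.1 200 OK\r\nSet-Cookie: session={sid}; Secure; HttpOnly\r\n\r\n"


def server_handle(raw_request):
    """Every later request is identified purely by the cookie it carries."""
    _, headers, _ = parse_message(raw_request)
    jar = parse_cookie_header(headers.get("cookie", ""))
    user = SESSIONS.get(jar.get("session"))
    if user is None:
        return "HTTP/1.1 401 Unauthorized\r\n\r\n"
    return f"HTTP/1.1 200 OK\r\n\r\nHello, {user}"


class Browser:
    """Just enough of a browser to honour Set-Cookie and send Cookie back."""

    def __init__(self):
        self.jar = {}

    def remember(self, raw_response):
        _, headers, _ = parse_message(raw_response)
        if "set-cookie" in headers:
            pair = headers["set-cookie"].split(";")[0]   # drop attributes like Secure
            name, _, value = pair.partition("=")
            self.jar[name.strip()] = value.strip()

    def request(self, path, host):
        req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        if self.jar:
            req += "Cookie: " + "; ".join(f"{k}={v}" for k, v in self.jar.items()) + "\r\n"
        return req + "\r\n"


def hijack(sniffed_request):
    """Session hijacking: copy the cookie out of one captured request into a
    fresh browser and let it present the 'hand stamp' as its own."""
    _, headers, _ = parse_message(sniffed_request)
    attacker = Browser()
    attacker.jar = parse_cookie_header(headers.get("cookie", ""))
    return attacker
```

The server never sees a username after login; it only sees the session value, so a browser that presents a copied value is indistinguishable from the one that earned it. That is why the value must never travel over an unencrypted link.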
There are, of course, with your browser,
though, some other privacy concerns.
Right, if you walk up to Edge, or you
walk up to Chrome or Firefox or Safari
or Opera or whatever, odds are, if
you start typing in the URL bar,
what do you see?
You see maybe some search results.
But for convenience, you
also see your own what?
Browser history.
So there aren't just
cookies on your computer
that effectively are little
breadcrumbs as to where
you've been on the internet,
like things like this,
that do have to be saved
somewhere in the computer's memory
or on the computer's disk.
But there's also the very
websites you've visited.
And so another threat to
your privacy, frankly,
is just walking away from
your laptop or desktop,
letting a roommate or a
classmate or a family member just
walk up to that same computer
and just start poking around
your so-called browser history.
And browsers today are pretty powerful.
I mean, they'll remember everything
you've done, everywhere you've gone.
And this is a good thing in
some sense, because it means
it's easier to get you back there.
If you start typing
the first few letters,
your browser might
remember where you've been.
You can search your history.
So if you're like, oh
my god, where did I
see that widget I wanted
to buy online yesterday?
You might be able to search
your own history and find,
among the websites you visited,
what it is you're looking for.
But the counterpoint here, of
course, is that so can anyone else.
So how do you defend against
those threats to privacy?
How do you defend against those threats
to places you've been and breadcrumbs
you've left lying around?
Well, you could clear your cookies.
Any browser, typically under the
Preferences or Settings menu somewhere,
has a way of clearing
your browser history,
and often clearing with
it the cookies that
have been planted on your computer.
So what's the upside and
what's the downside of that?
Well, the upside, of course, is that
all that information is thrown away,
though, frankly, maybe not securely.
To our point earlier about
how files are deleted,
odds are, even your history
is not securely scrubbed.
It just makes it harder
for a bad guy to actually
get at it, if he or she knows
how to actually look at bits
that were once on the computer's disk.
But if we're really not worried
about those kinds of threats,
we're really just worried about
people walking up to our computer
and being a little too nosy,
clearing your browser's history will
address that.
But it will also clear
all of your cookies.
And so what's going to happen
if suddenly all of your cookies
are deleted?
Well, somewhat annoyingly, any
website you've recently logged in
to, or maybe even ever
logged in to, is effectively
going to forget that you have.
And all of those cookies that were
temporarily stored on your computer
are just going to be thrown away.
So the next time you visit
Google or Facebook or Microsoft,
they're going to prompt
you again to log in.
Not a huge deal, and
it's better than just
letting anyone see your own
account, but that is an implication.
And so if you're one of
these people who opens
lots of tabs, uses lots of websites,
doesn't even quit your browser very
often, let alone shut
down your computer,
odds are it might actually be annoying
to have to delete all of your cookies
in this way, because effectively,
it's like washing your hand
so that any hand stamps you had on
your hands are completely washed off.
So what's an alternative?
Well, Chrome and Firefox
and other browsers
often have a sort of private mode, or
incognito mode, as Google calls it.
And this is simply a mode in your
browser where you can open up,
typically, a different-colored
browser window, and in Chrome's case
it's actually kind of a creepy
guy with a little creepy hat on.
We can kind of pull this up here.
If I open up Chrome, for instance,
and I decide I don't really
want any of this ending up
in my browser's history,
I want my history to be
automatically thrown away
without affecting all of
the other places I've been,
I can actually go up to File, New
Incognito Window, and ooh, spooky.
I've gone incognito.
"Pages you view in incognito
tabs won't stick around
in your browser's history,
cookie store, or search history
after you've closed all
your incognito tabs.
Any files you download or
bookmarks you create will be kept."
So essentially, this is
just automating the process
of letting you do your thing online
and then automatically deleting it
once you've deleted--
or once you've closed this and any
other such private or incognito windows.
So that's an alternative when
you know you don't want something
to end up in your browser history.
And frankly, technical
people also use this a lot,
not so much for privacy's
sake, but for technical sake.
When you're building
a website, or you're
writing software that uses
the web, sometimes you
don't want the browser to remember past
pages that your software has generated.
So using incognito mode too is
just a handy technical thing,
because it means the browser
is going to remember less,
and therefore you won't accidentally
see some of your oldest handiwork.
But all of these scenarios rather assume
that I've logged in to my computer
first.
Right, it should kind of go
without saying these days
that if you don't have a password
on your laptop or desktop,
or you don't have a password
or passcode on your phone,
or a fingerprint sensor
these days on your phone,
you probably aren't practicing
best security practices.
Right, it's all too easy, then, for
a nosy family member or a roommate
or whoever to just walk right up
to your laptop or desktop or phone
and start poking around, which
may not be a very good thing.
But also, even if you're not really
worried about the people around you
you trust, you know, that laptop might
leave your home or apartment pretty
often.
And certainly that
phone is going with you,
most likely, when you step out
of the house or home as well.
And so what if you just
lose a device like this?
If you don't have a password
or passcode on your phone,
and therefore you never authenticate,
prove to the device who you are
and that you know that password, let
alone username, well, then anyone
off the street, literally,
can pick up that device
and start going through your
emails or your text messages
or really pretend to be you, if
you're logged in to various things.
In fact, if you've ever seen friends
of yours post sort of obnoxious posts
on Facebook, might very
well be your friends.
But it could also be
friends of your friends
who have intentionally walked up
to their phone or laptop or desktop
and posted something on their news
feed, so to speak, without them actually
knowing.
And that's just because they
weren't requiring authentication.
So it should go without saying that
on your Mac or PC or iPhone or Android
phone, you should have some
form of authentication,
some kind of prompt that
challenges you to know something
before you can proceed.
And what you know is typically
a password or passcode.
On a phone, it might
simply be a few digits.
Unfortunately, using
something like a few digits
isn't necessarily the best idea, because
if you only have a four-digit passcode,
as was the default on iOS
for iPhones for some time,
it's not all that secure, right?
Because if you think about a four-digit
passcode, there are four possible values,
and each of these values is 0 to 9.
So this has 10 possible values--
0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, so 10 possible values there.
Another 10 here, another
10 here, another 10 here.
So the total number of possibilities
here is only 10,000 passcodes total,
specifically passcode
number 0000 through 9999.
Now, that's indeed a lot.
And frankly, it's going
to be pretty damn tedious
for a hacker or a nosy family
member to guess your passcode
if he or she has to try as many as
10,000, or at least half of that many,
on average, to just guess
what your passcode is.
Plus, a lot of devices today,
iPhones included, will insert delays.
So if you guess your
password wrong, even
if it's you who've forgotten it
temporarily, maybe three times
or five or 10 times or
some small number of times,
the phone is actually
going to say, slow down.
You're going to have to wait a minute
or so before you can try again.
And this is a good defense mechanism,
because if the search space is
relatively small, the
number of possibilities
is relatively few, you can at
least increase the cost of hacking
into the device through
this brute force method,
where you just try all possible codes,
by just slowing down the bad guy.
Make every code take a full second,
or five seconds, to type in.
Make him or her wait maybe a
minute before they can try again,
because by then, hopefully,
you'll have realized, oh,
shoot, where did I leave my phone?
And you can go chase
it down and chase away
the person who's trying to access it.
Or, you're going to come home before
that nosy neighbor or roommate has
actually finished guessing all
possible values to get into the device.
Of course, there's a more effective way.
Don't use four-digit passcodes.
Maybe use a fifth or
a sixth or a seventh.
Or don't use numeric codes at all.
What if, for instance, we
introduce letters of the alphabet?
If we introduce letters of
the alphabet, even if we just
have a four-digit passcode, that means,
if this can be not just 0 through 9,
but A through Z, and better yet,
how about capital A through Z,
and lowercase a through
lowercase z, that gives me, what?
52 letters and 10 numbers, 0 through 9.
So that's 62 possibilities.
So that's 62 times 62 times 62 times 62,
and already this is starting to add up.
If I pull up a fancy black-and-white
calculator here and go ahead
and just run the math, we know from
before, it was 10 times 10 times
10 times 10, which
is, of course, 10,000.
And 62 times 62 times 62 times 62,
meanwhile, is much, much bigger.
In fact, that's 14,776,336.
So just by using more possible digits--
not just numbers, but letters,
capital and lowercase--
we've really increased
the cost for an adversary.
And as such, we've effectively
increased the security of my device,
because now it's a lot
harder to get into.
And better yet, don't
use four characters.
Use five.
Use six.
Use 12.
Use 20.
There's just a price,
ultimately, you pay.
Right, if you were trying
to be really secure,
and you know therefore you shouldn't
use four-digit codes, maybe even five
or six, so you have a 20-digit
passcode or password, why might
that actually not be a good thing?
Right, because according
to that logic, why not
have a 50-character password
or 100-character password?
No one is ever going
to guess that, surely.
Well, one, nor might you remember
it, if it's that long or that arcane.
Two, it's just going to be damn annoying
to type in again and again and again.
And so that alone is sort
of downward social pressure
on having passwords that long.
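The search-space arithmetic above, as an added example from the editor rather than code from the lecture. It generalises the lecture's two cases (10^4 and 62^4) to other alphabets and lengths, answers the "use a fifth or sixth digit" question directly (how many characters of a given alphabet it takes to match a target space), and turns the lockout delay the lecture describes into wall-clock time. The alphabet names and the lockout model (a fixed pause after every N wrong guesses) are this example's own assumptions.

```python
import string

# Constructed alphabets; sizes in comments.
ALPHABETS = {
    "digits": string.digits,                                   # 10
    "lowercase": string.ascii_lowercase,                       # 26
    "letters+digits": string.ascii_letters + string.digits,    # 62
    "letters+digits+punct": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def key_space(alphabet_size, length):
    """Number of distinct codes: alphabet_size ** length (10 ** 4 == 10,000)."""
    return alphabet_size ** length


def expected_guesses(space):
    """Mean number of tries to hit one uniformly random code, trying each once."""
    return (space + 1) / 2


def length_needed(alphabet_size, target_space):
    """Smallest length whose key space is at least target_space."""
    length, space = 1, alphabet_size
    while space < target_space:
        length += 1
        space *= alphabet_size
    return length


def exhaust_seconds(space, seconds_per_try, lockout_after=0, lockout_seconds=0):
    """Worst-case wall-clock time to try every code on a device that pauses
    for lockout_seconds after every lockout_after wrong guesses."""
    total = space * seconds_per_try
    if lockout_after:
        total += (space // lockout_after) * lockout_seconds
    return total


def compare(length=4):
    """Key space of each alphabet at one length: the lecture's 10^4 vs 62^4 row."""
    return {name: key_space(len(chars), length) for name, chars in ALPHABETS.items()}


if __name__ == "__main__":
    for name, space in compare().items():
        print(f"{name:>22}: {space:>12,} codes, ~{expected_guesses(space):,.0f} guesses on average")
    print("digits needed to beat 62^4:", length_needed(10, key_space(62, 4)))
    print("seconds to exhaust 4 digits at 1/s with a 60 s pause every 5 misses:",
          exhaust_seconds(10_000, 1, lockout_after=5, lockout_seconds=60))
```

Two things the numbers make concrete: a digits-only code needs eight positions before its space exceeds a four-character mixed-case alphanumeric one, and a one-minute pause after every five misses stretches a 10,000-code brute force from under three hours to about a day and a half even before any per-try delay.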
So what's the best rule of thumb?
There's not necessarily one fits all.
But short, bad, longer, good.
But it's only good so far as
you can remember that password.
And it's not, say, a very popular
word or phrase or sentence,
because the other thing bad guys will do
is they're not just going to guess all
possible values, like 0000, and
0001, and 0002, and so forth.
Soon as you introduce
letters of the alphabet,
they're not just going to
try AAAA, and AAAB, and AAAC.
Odds are, they're going
to start trying words.
So in fact, if your
password is "password,"
that's probably not a very
good password, because it
was the first thing I thought of, too.
Or if your password is
123456, odds are, that's
not too smart either, because it's also
the bad guy's first thought as well.
And now, tragically, while tongue in
cheek with these kinds of examples,
it turns out that these
kinds of passwords
are more common than you might think.
So in fact, let me go ahead and pull
up a list, as of 2017, of some of the most
common passwords in the world.
The number-one password, according
to one study online, was 123456.
And odds are the websites
requiring this required at least
six-character passwords.
The number-two password
this year thus far
has been 123456789, so more
secure in that it's longer,
and that then you have to
kind of guess more tries.
But it's not all that
hard to guess 123456789.
"Qwerty," brilliant.
That is literally the first
five or six characters
on top of the keyboard on the first row.
12345678 came in a close fourth.
So that's brilliant.
111111 is coming in fifth.
1234567890, 1234567, you
can see the pattern here.
"Password" came in,
surprisingly, at number eight.
123123, someone's thinking
they're a little clever.
And then the reverse, 987654321.
And if you go online and just google
"most common passwords of 2000
whatever," you can see
the most common passwords
from any of the most recent years,
thanks to security studies and websites
like this one here that
have been done online.
So pro-tip-- if you see your
password anywhere on this list,
let alone in the top 20
or the top 100 or more,
time to start changing your password.
Because if you're using
it, odds are a bad guy
is going to know to try
that password as well.
And even though most of these
aren't even actually words,
it turns out that adversaries, hackers,
certainly have access to dictionaries,
like a Merriam-Webster dictionary,
and so he or she could certainly
write software that tries
not only these common ones,
but tries all the words
in the dictionary.
So if you think that, you
know, you're being clever
by putting "umbrella" as your password,
because that's a pretty random word.
Why would anyone use it as a password?
Well, the problem is
it's in a dictionary.
And if it's in a
dictionary, an adversary
can write a program to try all
possible words in the dictionary,
and it will eventually get
to "umbrella," at which point
he or she now knows how
to log in to your account.
So not so good as well.
So what's the takeaway,
then, here, for the security
of your accounts and your computers?
Well, maybe you should use
completely random passwords.
Right, if words are bad, and patterns of
numbers are bad, let's just go random.
So bang, bang, bang, bang, bang on
the keyboard, and see what comes out.
Now, unfortunately, when you register
for websites or set a password,
you're going to have to
bang, bang, bang, bang, bang
out the same exact thing multiple
times to confirm you actually know it.
And frankly, if it is a really
weird-looking random set
of characters and numbers
and punctuation symbols,
honestly, I don't know if I'm
going to remember it as well.
So sometimes people think
they're being clever.
So instead of saying an L in a
password, they might use a number 1.
Or instead of an A in a password,
they might use the number 4,
because they all kind of look the same.
But again, any heuristic like that,
even if you think you're being clever,
well, the adversary,
the hacker out there,
can also be just as clever as
you, and try those things first
before he or she even bothers
trying the completely random ones.
So generally, thinking of
some nonsensical phrase,
introducing some disparate
capitalization, some upper case,
some lower case, toss
in some numbers there,
some letters, so it's
not entirely random,
there is still some
implicit mnemonic that
allows you to remember what it is, is a
better approach than choosing patterns
of numbers like this,
or words that you might
think of off the top of your
head, or even actual words.
Introducing deliberate misspellings,
or weird punctuation or capitalization,
all lends itself to that.
Of course, none of this matters
if you're one of these people,
and odds are you could walk around
a lot of offices in the world
and see a whole bunch of
monitors on people's desks
with one of these on the display.
So if you're also one
of these people, you're
not a good person if you're
putting your own passwords
on a post-it note on your monitor.
Or frankly, we don't have to
put the entire blame on you.
Maybe your company or your
university's security policies
are such that they're not
really that reasonable.
Maybe your company makes you change
your password every three months,
or every six months, which
frankly, might be a net negative.
Indeed, increasingly, people are
challenging this practice, which
feels very intuitively reasonable.
Like, make people change their
passwords once in a while,
just in case they've been compromised.
This way, at least the
bad guys out there only
have a limited amount
of time-- three months,
six months, whatever-- to
actually use that exploit.
But the problem is, if you make
me change my password every three
months, or every six months,
especially for websites or tools
that I might not even
use that often, thereby
making it harder, and in some
sense, more cognitively expensive,
for me to remember your
password, well, frankly, I'm
going to probably start choosing easier
and easier to remember passwords,
or repeating some
pattern in the past, so
that it's not as hard for me to
remember these ever-changing passwords.
So in that sense, it might
actually be a net negative.
If you're accidentally
conditioning your team members
to lower their threshold for security
by choosing easier passwords,
maybe they should just pick one really
good, really hard-to-guess password
at the get-go, and never
change it, or change it
years later, not so frequently.
So if you're doing
this, though, minimally,
take these down and address the crux
of the issue, not just the symptom.
But there's also other issues that
arise with passwords and authentication.
Now, odds are, you
have, if you're like me,
forgotten your password
to at least one website.
And that's often not such a
dealbreaker, because what can you do?
You've forgotten your password.
You haven't logged in to some site in
a while, or you're using a new computer
and you don't really remember it.
So you can reset most passwords.
You can click a link on most
websites that's literally called,
like, Reset Password, or Forgot
Password, or something like that.
And what do they do?
Well, they typically ask you, then,
to type in, if you haven't already,
your username or your email address.
And then what do they do?
Well, typically, you'll get an email,
hopefully within seconds, maybe
a few minutes, maybe it
ends up in your spam folder,
so you should check there too.
And it contains a link.
And that link is like
your password reset link.
And generally, if you
look closely at the URL,
it hopefully goes back to the same
website, so example.com or whatever.
And then odds are it has a really
big, seemingly random value,
not unlike the cookie we saw earlier.
So using random values in
computing, especially for security,
is generally a good practice.
So it has a big, seemingly random value.
You click that link.
You're led back to the same
website, but a different screen,
and it asks you to
choose a new password.
And you type it in once,
probably twice, hit Save,
and your account is now updated.
So what just happened?
Well, when you clicked I Forgot My
Password, or Please Reset My Password,
the website probably has a database.
It generated some big random
code, stored that in a database,
and made essentially a mental note for a
computer, let David reset his password.
How does it know that I'm David
if I don't know my password?
You almost have a sort of
catch-22 situation there.
Well, if David still has access to the
email account with which he registered
for this website, which is pretty
much the assumption being made,
well, let's send him a special link
containing that really big code that we
also stored in the
database, and let's assume
that anyone who can log in to David's
email account is probably David.
So let's let that same
person choose a new password
for this website, example.com.
So you're trusting, to
be fair, that I am indeed
the David who's supposed to have
access to that email account.
But if that's really the
only way, because odds
are you don't want to incur
the expense or the complexity
of, like, having David call
up and say, hi, I'm David,
and then prove this by giving
you personal details about me
or values or information
that I might only know,
you can at least trust
with some probability
that only I have access
to my email account.
And that big random value,
meanwhile, is checked
on the website when I follow that link.
And then you realize, oh, we know that
the person who just followed this link
is David, with high probability, because
the only one in the world to whom we
sent this big random value via email
a moment ago was malan@harvard.edu,
or whatever your actual
email address is.
And so you reset your password
and you're back in business.
Now, sometimes, you've wanted
to know what your password is.
But most websites don't do this.
And if you call customer service--
not that most websites even allow this--
typically, the technical staff can't
even tell you what your password is.
Even if you prove by telling them
who you are, where you were born,
and everything about yourself,
they cannot tell you, technically,
what your password is.
And that's a good
thing, because odds are
that means there's certainly
good security practices in place.
But odds are it means
too that your password,
even the old one you don't remember,
is encrypted in some form-- or hashed,
more technically--
somewhere in their database,
so that even the IT staff cannot see it.
All they see is some seemingly
random value in their database.
And that's not your actual password.
It's a hash thereof, a
scrambled version thereof.
But some websites are really bad.
And in fact, I can think of
several times over the years
when I've gotten a password reset
email, and oh my god, in the email,
is my password.
And so that's fine.
At that point I remember, oh, yeah,
of course, that's the password I used.
And I can just copy and paste
it and go about my business.
But what does that mean?
If the company was able
to email me my password,
odds are it means it is not
encrypted, or hashed, or scrambled,
on their database, which means
any one of their employees,
or a hacker who steals their
database, could see my password,
log in to, and pretend to be me,
whatever the website actually is.
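The reset flow described earlier (big random value stored in the database, emailed as a link, checked when the link is followed) and the point just made about passwords being hashed rather than stored readable can be shown together. What follows is an added example, not code from the lecture: an in-memory stand-in for the website's database that stores only a salted, slow hash of each password, issues single-use reset tokens that expire, and stores only a hash of each token too, so that a copy of the database reveals neither passwords nor usable reset links. The class name, the 15-minute lifetime and the example.com base URL are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional


class AccountStore:
    """Stand-in for the website's database (in memory, constructed for this example)."""

    TOKEN_TTL = 15 * 60               # a reset link is good for 15 minutes
    BASE_URL = "https://example.com"  # placeholder site, as in the lecture

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}         # email -> {"salt": ..., "hash": ...}
        self.reset_tokens: Dict[str, dict] = {}  # sha256(token) -> {"email": ..., "expires": ...}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted hash: a stolen database holds only "seemingly random" values, never the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": self._hash(password, salt)}

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], self._hash(password, user["salt"]))

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Make the 'mental note' that this email may reset its password; return the secret for the link."""
        if email not in self.users:
            return None  # the web page should look the same either way, so it doesn't reveal who has an account
        token = secrets.token_urlsafe(32)  # the big random value, like the cookie
        digest = hashlib.sha256(token.encode()).hexdigest()
        expires = (now if now is not None else time.time()) + self.TOKEN_TTL
        # Store only a hash of the token: someone who copies the database still cannot build a valid link.
        self.reset_tokens[digest] = {"email": email, "expires": expires}
        return token

    def reset_link(self, token: str) -> str:
        """The URL that goes in the email; only the owner of the mailbox should ever see it."""
        return f"{self.BASE_URL}/reset?token={token}"

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Called when the link is followed: check the value, retire it, and set the new password."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self.reset_tokens.pop(digest, None)  # single use, valid or not
        if record is None or (now if now is not None else time.time()) > record["expires"]:
            return False
        self.register(record["email"], new_password)  # fresh salt, fresh hash
        return True
```

Two things the lecture's story implies but does not spell out are made explicit here: the token is consumed on first use whether or not the reset succeeds, and `request_reset` returns nothing for unknown addresses so the page can respond identically either way.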
Moreover, they just emailed
out on the internet,
and odds are, partly wirelessly,
if I'm on my laptop or phone,
what my password actually is.
And if my email server is not using
encryption, as is not always the case,
they might have just let anyone in the
local Starbucks or airport or lecture
hall that I'm in actually
see what my password is.
So bad, bad, bad, bad
practice to not actually
scramble passwords on a server.
And yet this happens, tragically,
more often than you might like.
So keep an eye out for this.
And frankly, there's not much you
can do, other than really decide,
I am not using this website
anymore, because they don't really
seem to have their act together
when it comes to security.
So what's one last threat when
it comes to authentication?
You know, odds are, if you're like me
back in the day, though not so much
anymore, you might get a little lazy.
You might have kind of a
favorite go-to password
that maybe you use on your email, maybe
your social media accounts, maybe,
god forbid, your bank account, or more.
This too is bad.
If you are in the habit--
and it's understandable, but still bad--
of using the same password on
different websites, what's the threat?
And what's the upside?
Well, the upside is just
it's convenient, right?
Why remember 10 different
passwords for 10 websites
if I can use one password
on all of these websites?
It's just convenient for us humans.
But what if one of those
websites is hacked?
Or what if a bad guy figures out, by
guessing, maybe your child's birth
date, which happens to be your password,
what your password is on one website?
Well, he or she might get a
little curious, a little greedy,
and try using that same
password on all other websites
that they know you visit to
see if you're also lazily
and insecurely using the same there.
So this alone is a good reason to use
a different password on every website.
But here too there's
this theme of trade-offs.
Right, it's now becoming
more expensive cognitively
for you, just in terms of remembering
all this darn stuff, if we're making
you then have one password
for every website.
And we visit, we humans
these days, probably
way more than just 10 websites.
It might be dozens, if
not hundreds, over time,
that we actually have accounts on.
So surely you can't expect me to
remember 100 different passwords.
Well, there are tools.
There's software, free and commercial
alike, that you can install,
that are generally
called password managers.
And these are tools that store, on your
own phone or hard drive or SSD, all
of your usernames and
all of your passwords.
But, if they're good software,
they encrypt it on your hard drive.
So you choose, when you
install this software,
one main master password, something
that's ideally really big, really
pretty random, still memorable.
And maybe here, just to be super
safe, you write it down somewhere
and tuck it away somewhere super secure,
like, physically in a safe deposit box
or into a vault, somewhere that's
not a post-it note on your monitor.
And then, you store all of
your usernames and passwords
in that software, and protect
all of them with just this
one master password.
So in this way, you can literally
have a completely different
and even a completely random
password for every website you
visit, because these password managers
not just let you copy and paste
your password from them into a
website when logging in, you can often
use keyboard shortcuts,
so you don't even have
to remember your username or password.
You just hit a keyboard
shortcut, and voila,
the password manager logs
you into websites for you,
so long as you have
logged in to the software
itself, as you would
typically do once a day
or every time you wake up your computer.
So this is amazing,
because now it means I
can have 20-character, 100-character
passwords, if websites allow it,
on any website.
And frankly, these days, I
don't know most of my passwords,
because I let the software generate
something big and random and therefore
more secure, theoretically.
But there is a big,
big, big gotcha here.
If, god forbid, I forget or
lose that master password,
I have very, very securely
encrypted all of my accounts, none
of which I can now access.
So that's that one password
you just cannot forget.
And so I literally mean it when I say
you should probably write it down, tuck
it in a bank vault, tell
it to someone you really,
really trust who needs to have access,
because you've just kind of moved
the threat to a different location,
to your own recollection thereof.
So trade-offs to be
sure, but on the whole,
probably much more secure than the
passwords you're currently using.
Now, there are some better defenses.
Not all websites support
this, but increasingly
are they doing so, even
apps on phones as well.
So not too long ago,
this was the primary form
of something called two-factor
authentication, where
two-factor authentication
refers to having not just one
factor, but, surprise, two factors.
So what does this mean?
Well, the first factor, and the
factor we keep talking about,
is a password or a passcode.
It's something you know.
And historically, we
have used something you
know to authenticate you to a device
or a piece of software or to a website.
I am malan@harvard.edu, and
here is my 123456 password,
something theoretically only I know,
at least if it were a better password.
But that's not that
great, because, of course,
passwords can be stolen or guessed
or posted on post-it notes.
So slightly better than
one factor is two factors.
And that second factor
should be something
that's fundamentally different.
Not something you know,
like a second password,
which is at risk for the same exact
threats, but something you have.
So this thing here is
literally something
you would carry around on your
keychain, made by a company called RSA,
and it's got a battery and a
little computational device,
that shows on the screen a number,
six-digit number in this case.
And that number changes
every minute or so.
And it does so on a schedule.
So theoretically, it stays
synchronized with a server.
Indeed, there's a server
somewhere else that knows
what the unique ID of the
device is, and you can usually
read that off of a sticker on
the back or something like that.
And it knows that that sticker, that
device, is currently showing 159759.
And a minute later,
it knows, the server,
what new number this device is showing.
So theoretically, they
should stay synced,
and there's ways to help
them stay synced over time.
But what's nice now is that
if I have an account that's
protected with two-factor
authentication,
or two-step authentication,
then it's not just something
I know that I have to use
and type into the screen.
I also have to pull out my keys, in
this case, read off the number 159759,
and type that in as well.
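How a keychain token and a server can both "know" the same six-digit number without talking to each other is worth seeing concretely. The code below is an added example, not from the lecture or from RSA: it uses the standard HMAC-based one-time-password construction (RFC 4226, with the time-step variant of RFC 6238) in which the device and the server share a secret, and the code for any minute is an HMAC of that minute's number. The serial number, secret and 60-second step are constructed for the example; the server accepts the neighbouring steps as well, which is one of the "ways to help them stay synced".

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def otp_code(secret: bytes, unix_time: float, step: int = 60, digits: int = 6) -> str:
    """Code shown for the time step containing unix_time (HMAC-based OTP, truncated to six digits)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class KeychainToken:
    """The thing on the keychain: a serial number on a sticker and a secret baked in at manufacture."""

    def __init__(self, serial: str, secret: bytes, step: int = 60) -> None:
        self.serial, self.secret, self.step = serial, secret, step

    def display(self, now: Optional[float] = None) -> str:
        return otp_code(self.secret, now if now is not None else time.time(), self.step)


class AuthServer:
    """Server side: knows each serial's secret, so it can compute what that device is showing."""

    def __init__(self, step: int = 60) -> None:
        self.step = step
        self.devices: Dict[str, bytes] = {}

    def enroll(self, serial: str, secret: bytes) -> None:
        self.devices[serial] = secret

    def verify(self, serial: str, code: str, now: Optional[float] = None, drift: int = 1) -> bool:
        secret = self.devices.get(serial)
        if secret is None:
            return False
        t = now if now is not None else time.time()
        # Accept the neighbouring steps too; this is how a device whose clock drifts a little stays "synced".
        return any(hmac.compare_digest(code, otp_code(secret, t + k * self.step, self.step))
                   for k in range(-drift, drift + 1))
```

Note what the second factor really is: not the six digits, which are public the moment they are typed, but the secret inside the device, which never leaves it. Someone who learns the password still has to produce a fresh code for the current minute.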
So if an adversary gains
access to my password,
or just guesses what my
password is, it's not
a huge deal, because he or she is then
going to be prompted for something
they have.
And so long as they also haven't stolen
my keychain, they don't have this.
They therefore don't know
the number to type in,
and they don't have the second factor.
And they can't get
past that second gate.
So it really raises the bar.
It does not stop a hacker from
taking or guessing my password.
And it certainly doesn't
stop them from physically
going after the device I have on me.
But it does raise the bar.
And at least I'm a little less
worried about the people in this room
than I am about millions of random
potential hackers on the internet.
And thankfully, this technology,
two-factor, is getting even easier.
You don't need a physical
device like a company
like RSA used to have to send you.
You don't need your bank, for instance,
to send one of these dedicated devices.
You can actually use software.
So Google Authenticator exists.
There's something called Duo Mobile,
that's a commercial alternative there
too, that allows you, on
your phone, Android or iOS,
to just hit a software-based button,
see what the code is, and type it in.
So Gmail supports something like
this, as do many other websites
these days, increasingly
so, especially banks.
Right, and there, too,
I would encourage you
to consider these various trade-offs,
and to consider which accounts
are really the most vulnerable.
Which accounts do you
worry the most about?
Maybe you don't really
care all that much
about one of your social media accounts.
But maybe you care a lot more about
your bank and your savings amounts
and so forth.
And so maybe you should
be thinking about which
websites to enable two-factor
on, if it supports it.
And frankly, maybe you should
even be choosing websites or banks
based on which of them support
these kinds of defenses,
because it only raises the bar.
And they don't even
require special software.
You can actually use the SMS app on
your own iPhone or Android device.
And what companies
can increasingly do is
they'll send you a text message with
a code that you then have to type in.
So now those two factors
are something you know
and also something you have already,
something physical, like this.
All right.
So what about the network itself?
We've talked really about physical,
proximal threats thus far.
But what about the security of
the networks we actually use,
especially when so
many of the networks we
use these days are wireless-- my phone,
my laptop, other devices in my home
too, all somehow use
wireless especially.
So typically, you can pull up
a little menu on your computer,
whether it's Windows
or Mac OS, and see all
of the wireless networks in proximity.
And odds are, by now, you've been
conditioned to look for free Wi-Fi
in some form.
Right, one of the icons that
does not have a padlock on it.
And you choose that one, whether it's
Harvard University or some other SSID,
as it's called, the identifier
for a wireless network.
You connect to it.
And then usually a little icon
kind of blinks and pulses.
And then hopefully, within a couple
seconds, you're connected to Wi-Fi.
Now, sometimes it doesn't work.
And sometimes, even though a
network doesn't have a padlock
and it seems to be free, it just doesn't
work for any number of reasons.
One, it might not be working properly.
Two, it might require that
you pre-register the device
on that network.
So there's different reasons
that it might not work.
But sometimes it does, especially at
Starbucks and airports and hotels.
Sometimes you have to pay for it.
And indeed, sometimes the
first time you visit a site,
you're prompted to pay, or at least
tell them your room number, in a hotel.
But otherwise, it just works.
But the problem is, in
all of those scenarios,
even if you pay for
that Wi-Fi, if there's
no padlock on the wireless
network to which you've connected,
it's insecure by definition.
It's not encrypted, at least not by
the network in the room that you're in.
Now, you might still visit
websites that start with https://,
that are using secure connections
and encrypted connections.
And that's a good thing.
And that mitigates this issue.
But maybe your email
doesn't use encryption.
Maybe a lot of websites you visit
don't use encryption either.
They start with http://,
and so that means,
on insecure wireless networks that have
no padlock and therefore no built-in
encryption, everything you do on
the internet can in fact be seen,
or sniffed, so to speak, by
someone else in the nearby area,
let alone elsewhere on the internet.
So if you see some creepy
person on their laptop,
you know, Mr. Robot there
in the corner, he or she
might actually be on
their laptop sniffing
all of the wireless
traffic in that Starbucks,
and anyone who is not
using HTTPS-based websites,
for instance, he or she might see
everything that's actually happening.
And what can you do then?
Well, one, don't use
that particular network.
Or two, maybe use something like
a VPN, a virtual private network.
Now, not all people
have access to these.
Sometimes, if you work for a
company, or go to a university,
you can actually install software
that allows you to connect
to a VPN, a virtual private network.
And what this means is that
your connection to the internet
is indeed encrypted.
So for instance, if this
is you here on your laptop,
and here we have the
internet, and here we
have some websites inside
some company's building
that you're trying to connect
to, typically, if you're
using insecure Wi-Fi,
your zeros and ones
might go here through the
internet onto that company
and then back in the other
direction, completely insecurely,
which means anyone in
Starbucks near you over here,
anyone theoretically with
physical access to the wires
and such on the internet
itself could access that data,
if it's all unencrypted from the get-go.
But what you could do, especially
if you're worried about Mr.
Robot in the cafe in
which you're sitting,
if you do have a VPN at your company
or university, like this one here--
we'll call it Acme--
where you work or go to school, you can
first establish an encrypted connection
here, where "encrypted" is going
to mean scrambled in some way.
It's not just text and
numbers that you see.
It's sort of random
permutations thereof,
because of an algorithm
that's being used.
And now you can let your
company or university
do all of the talking with
the rest of the internet.
So you're essentially tunneling, so
to speak, all of your internet traffic
through your own company or university
by way of this thing called a VPN.
There's still a flaw here, though, and
you can kind of see it in the picture.
VPN is between you and, like,
your company, or university,
or frankly, there's
third parties you can
pay these days some
number of dollars a month
so you can actually have a VPN
connection somewhere else in the world,
even.
But there's still an insecurity here.
Where?
Well, I've only labeled this
channel of communication
back and forth as encrypted.
And that's because odds are, if you're
just visiting an insecure website
that's just http://, well, it might
actually still be insecure once it
leaves your company.
So here, too, there's a trade-off.
You've increased the
security around you,
but you've really just
pushed the threat away.
There's still a threat.
It's just now random
people on the internet.
It's not Mr. Robot in the
very same cafe that you're in.
So maybe that's OK, because maybe you're
really only worried about nosy people
here, and not random
people on the internet.
Or-- but, rather, you've
paid another price.
Turns out that any time you do something
more to a process, as we're doing here,
odds are you're increasing
the cost involved.
Right, I don't know much about
encryption right now in the story.
But I do know it's something
I wasn't doing earlier.
So surely, doing something must
take more time than doing nothing,
to put it simply.
And so encrypting my data,
doing whatever algorithm
is necessary to scramble
my zeros and ones,
must be taking some amount of time.
And indeed, it might somewhat
slow down your connection,
to use a VPN, which might be a
trade-off, especially if you're
on a plane or something like that, where
your network connectivity is really
quite limited.
So a trade-off there.
Now, fortunately, companies,
and even personal computers,
have special devices, or special
software, called firewalls,
that I'll depict there.
And even your own laptop,
in some sense, has
turned on, or most likely has
turned on, its own firewall.
And I'm drawing it as a physical
line, as though it's a physical wall.
It's not.
It's just software.
A firewall is just, in the
physical world, an actual wall.
So if you've got, like, a strip mall
with lots of little companies and lots
of stores, one of which might
catch fire for some reason,
historically, a lot of
these kind of setups
would have physical walls, special
layers of bricks or other material,
in between the stores, so that
if there's a fire in one store,
it might still get hot,
but hopefully it does not
pass through into the
next-door store, because
of that additional insulation
between them, firewall.
Now, in the software world, it's kind
of the same idea, but it's all digital.
You might have software running on
your Mac or PC over here at left,
or your company is going to have
some kind of special software running
on the periphery of their network, where
the routers typically hand off data
to other networks
altogether, or other ISPs.
And those firewalls look at
things like the IP addresses
to which you're sending, or from
which you're receiving data, the TCP
port numbers that are being used.
And these firewalls can
help keep bad guys out
and help keep internal data inside.
So there's that additional
defense as well,
which is just yet another
piece of the puzzle.
Now, if you're running
Mac OS or Windows,
odds are you just want to
check if you're actually
enabling that on your
computer, so that when
you are on a public, especially insecure
network, unencrypted, to be sure
that no one can really be
hacking into your computer
with this high probability,
because at least
your computer is kind
of keeping them at bay.
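The firewall description above, looking at IP addresses and TCP port numbers to keep bad guys out and internal data in, comes down to an ordered list of rules with a default answer. The following is an added example, not from the lecture: a small packet filter in which the first matching rule wins and anything unmatched is denied. The "Acme" address plan (10.0.0.0/8), the web server address and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str                # source IP address
    dst: str                # destination IP address
    dport: int              # destination TCP/UDP port
    proto: str = "tcp"
    direction: str = "in"   # "in" = arriving from outside, "out" = leaving the company network


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    direction: str
    src: Optional[str] = None     # CIDR block, or None for any address
    dst: Optional[str] = None
    dport: Optional[int] = None   # None for any port
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default   # default deny: anything no rule speaks for is dropped

    def decide(self, p: Packet) -> str:
        for rule in self.rules:  # first matching rule wins, as in most packet filters
            if rule.matches(p):
                return rule.action
        return self.default


INTERNAL = "10.0.0.0/8"   # constructed address plan for "Acme"

RULES = [
    Rule("deny", "in", src=INTERNAL),                                 # outside packets claiming an inside address
    Rule("allow", "in", dst="10.0.1.10/32", dport=443, proto="tcp"),  # the public web server, HTTPS only
    Rule("deny", "out", dport=23),                                    # no telnet leaving the building
    Rule("allow", "out", src=INTERNAL),                               # staff may start outbound connections
]

ACME_FIREWALL = Firewall(RULES)
```

Rule order is the whole policy: the anti-spoofing deny sits first so that a packet from outside claiming an inside address is dropped before the web-server allow gets a chance to match it.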
But what does it mean to encrypt data?
Right, I've just kind of
been taking for granted
that you can encrypt
information in this way.
Well, what does that actually mean?
Well, suppose that I want to
send a message to someone,
like, the message, "Hi."
But I don't want anyone else in
the room, anyone else in the cafe,
to know whom I'm saying hi
to, or that I'm saying hi.
I might want to scramble this message.
So how might I scramble it?
Well, you know what?
Rather than send "H-I,"
I'm going to send "I-J,"
because that is not English, and
that makes no apparent sense.
So I'm going to send that in
a message, or that in an email
or a text message or some other digital
medium, from me to some other person.
Now, why did I choose "I-J"?
It's deliberate.
It's a little stupid.
It's not very secure.
But it's an attempt to be more secure.
"H-I" is the message I want to send.
"I-J" is what I'm actually sending.
But I've just used a
simple algorithm here.
I took a letter that I want to
send, and I changed it by one.
So H became I, and I, coincidentally,
became J. So I send "I-J,"
and I send that message to someone else
in the cafe, or across the internet.
What does he or she have to now do?
Well, he or she has to know that
the secret algorithm I'm using
is to not only rotate letters
by some number of places,
but they need to know the key.
The key to this algorithm is the number
of places that I'm shifting letters by.
So he or she has to know
that it was just one.
And that's why I say it's kind
of dumb, because one is not
that hard to just guess.
I could just try one,
and oops, there it is.
Hello.
But they have to know to unrotate
these letters by one place.
So I now becomes H
again, and J becomes I.
So this, then, was my plain text.
This, then, is my so-called cipher text.
And once decrypted, becomes
my plain text as well.
Now, it turns out this is
an example of something
called a Caesar cipher,
a rotational cipher.
We could make it a little more
interesting by rotating by two
places, or three, or 13, or even more.
But it's not all that secure if
it's pretty easy to just guess.
Right, even a bad guy who intercepts
this message could just try rotating
by one, rotating by two,
rotating by 25, and figure out,
just intuitively, and a little
methodically, what it is I'm
actually sending.
So rotational ciphers, not really
used on the actual internet.
There's more sophisticated means.
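The rotational cipher just described, together with the reason it is weak, as an added example that is not part of the lecture: `rotate` implements the shift with the key as the number of places, so "hi" with key 1 becomes "ij", and `brute_force` does what the lecture says an interceptor can do, trying all 25 shifts and ranking the results by how English they look. The tiny word list used for ranking is constructed for the example.

```python
import string

# Constructed mini-dictionary used only to rank brute-force candidates.
ENGLISH_WORDS = {"hi", "hello", "the", "and", "meet", "me", "at", "noon", "you", "see", "tomorrow"}


def rotate(text: str, key: int) -> str:
    """Shift every letter by key places, wrapping around; everything else is left alone."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.isascii():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return rotate(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return rotate(ciphertext, -key)   # unrotate by the same number of places


def english_score(text: str) -> int:
    """Count dictionary words in the text; a crude 'does this look like English?' test."""
    words = (w.strip(string.punctuation) for w in text.lower().split())
    return sum(1 for w in words if w in ENGLISH_WORDS)


def brute_force(ciphertext: str):
    """Try all 25 non-trivial shifts, as the lecture says an interceptor can, best guess first."""
    candidates = [(key, decrypt(ciphertext, key)) for key in range(1, 26)]
    return sorted(candidates, key=lambda kc: english_score(kc[1]), reverse=True)
```

The weakness is visible in the size of `brute_force`'s search: 25 keys is a loop, not a secret. That is the whole reason the key space of a real cipher is made astronomically large.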
But there's also another
glaring flaw here to encryption,
which is, my friend to whom I'm
sending this message apparently
needs to know what that key is.
He or she has to know that the
secret was, in this case, one.
Now, that's kind of a
chicken and the egg problem.
Right, because for him or her to know
what key we're going to be using,
we have to agree upon it in advance.
So how do we agree upon it in advance?
I can't just send them a message
and write the number one on it
and send it, because it
would be unencrypted.
And if I even wanted
to encrypt it, I can't,
because he or she doesn't know how many
numbers of places to rotate it yet.
So maybe I pick up the phone.
I use a different technology, and
I say, hey, let's use a key of one!
But at that point, the story is kind
of stupid for a different reason.
Why don't I just tell them
"hi" at that same time?
Right, so if I'm already talking
to them via some other channel,
just give them the message.
Don't worry about a key.
And this is absolutely the
case when you visit a website.
Like, I don't really
know anyone personally
at amazon.com who can sell me a book.
I don't really personally know anyone
at Gmail who can send me my emails.
I know the website gmail.com.
I know the website amazon.com.
And my computer certainly doesn't
know another computer there.
It just knows its domain name and
maybe its IP address, eventually.
So it turns out, what we just described,
rotating characters one place,
is what's called secret
key cryptography.
So secret key cryptography
is predicated, of course,
on keeping that key, the number one
or 13 or 25 or something else, secret.
But there's also something called
public key cryptography that
satisfies this issue of chicken
and egg, where you need a secret,
but you can't establish a
secret before you have a secret.
Public key cryptography
addresses this as follows.
Whereas in the secret key
scenario, you have just one key,
in the public key scenario,
every person has two keys.
One key is private,
and one key is public.
And it turns out, there's a mathematical
relationship between these two values,
public and private, so that you use
the public key to encrypt information,
but you use the private
key to decrypt it,
which is to say that if I have two
people here, let's say Alice and Bob,
Alice has her private
key, we'll call it A,
and her public key, public
A. And Bob, meanwhile,
has his private key,
B, and public key, B.
And so when Alice wants to send Bob
a message, she sends it from A to B.
And she uses Bob's public key.
Bob, upon receipt of
that message, uses what?
His private key to decrypt it.
And again, for now, let's
just stipulate there's
a mathematical relationship
such that algorithmically,
Bob's private key can undo the
effects of Bob's public key.
Meanwhile, if Bob wants to reply,
let's consider what Bob uses.
Bob wants to send a reply to Alice.
So Bob uses Alice's public key.
Alice receives the message
and uses what to decrypt it?
Alice's private key.
And by nature of public,
these keys, A and B,
can literally be posted on the internet.
They can be read aloud on the phone.
They can be sent in an
email or a text message.
They are public because
mathematically, they
are meant to be divulged to anyone
who wants to know it, but especially
the person who's going to use it.
The private keys, though, meanwhile,
Alice and Bob have to keep private.
They can't reveal that.
They can't email it out.
And all of this happens
automatically in today's browsers.
In fact, when your browser,
Chrome or Edge or whatever,
uses the internet to connect
to amazon.com or gmail.com,
your browser has its own public and
private key, as does Amazon's server,
as does Google and Facebook
and any other website.
And unbeknownst to you, just
underneath the hood, so to speak,
is your browser using this crypto
system, this public key cryptography
mechanism, to exchange a secure message
with Amazon or Google or Facebook,
even though your laptop has never
met anyone at those companies before.
And so turns out, for efficiency,
what's ultimately used later
is very often secret key cryptography.
In other words, you use
this whole public key system
to just exchange a secret, like
the number one, but much bigger
number than number one, and
much bigger than 13 and 25.
You just use it to exchange a secret
that you probably dynamically randomly
generate.
But this public key system is what
solves, ultimately, that chicken
and the egg problem.
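The Alice-and-Bob exchange above, and the follow-up point that the public-key system is used only to agree on a big random secret which then does the real work, as an added example that is not from the lecture. The lecture names no algorithm; this uses textbook RSA (key pairs from two primes, encrypt with the public exponent, decrypt with the private one) for the public-key half, and a SHA-256 keystream XOR for the secret-key half. Key sizes, the session-secret size and the helper names are all assumptions made for the example.

```python
import hashlib
import secrets
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2   # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # right size, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512) -> Tuple[Key, Key]:
    """Return (public, private) for textbook RSA: public = (n, e), private = (n, d)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+): the "mathematical relationship" between the keys
    return (p * q, e), (p * q, d)


def pk_encrypt(public: Key, m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def pk_decrypt(private: Key, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def keystream(secret: int, length: int) -> bytes:
    """Secret-key half: expand the shared 128-bit number into a keystream (SHA-256 in counter mode)."""
    key = secret.to_bytes(16, "big")
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def sk_encrypt(secret: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(secret, len(data))))


sk_decrypt = sk_encrypt   # XOR-ing the same keystream again undoes it


def alice_sends_bob(message: bytes) -> Tuple[bool, bytes]:
    """Alice and Bob have never met: Bob's public key seals a random secret; that secret encrypts the message."""
    bob_public, bob_private = generate_keypair()
    session_secret = secrets.randbits(128)                     # much bigger than 1, 13 or 25
    sealed_secret = pk_encrypt(bob_public, session_secret)     # only Bob's private key can open this
    ciphertext = sk_encrypt(session_secret, message)
    # Bob's side: recover the secret with his private key, then decrypt the message with it.
    recovered = pk_decrypt(bob_private, sealed_secret)
    return recovered == session_secret, sk_decrypt(recovered, ciphertext)
```

Textbook RSA as written here has no padding and the XOR keystream has no integrity check; both are fine for seeing the shape of the exchange, not for protecting anything. Real browsers use padded or, more often today, elliptic-curve key agreement and an authenticated cipher such as AES-GCM for the secret-key half.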
So even then, within the
world of our network,
do we have not only constant threats,
especially these days wirelessly, we
do have a number of
protections-- software,
but also algorithms-- that help
keep some of those threats at bay,
and also help us avoid some
of those threats altogether.
So what remains?
Well, going around this campus lately
are actually posters like this--
Report Phishing.
And this is a technique that's
actually been around for years now,
but it seems to kind of be gaining
even more momentum, frankly,
especially as email clients are
getting a little more sophisticated
and a little more featureful.
Phishing attacks are when
some adversary, some bad guy,
sends you an email, typically,
that looks legitimate,
looks like it's from paypal.com,
looks like it's from your own bank,
looks like it's from an actual website
on which you might have an account.
And it usually says something
stupid like, please click here to--
it's not even stupid.
It's just completely malicious.
"Click here to reset your password."
Or, "click here to
confirm your identity."
Or, "click here to confirm
your bank account details."
And sometimes it will start
with a preamble explaining
how they're doing this as
standard security practice,
or sometimes they're doing this--
they say that, oh,
something has been hacked
and we need you to change your password.
It doesn't even matter
what the story is.
The point is, they're sort of trying
to fish and reel you in and trick you
into giving them information
that they really shouldn't have.
And so this is so
rampant lately at Harvard
that there's posters all over
campus encouraging people
to report phishing attacks,
so then at the network
level and the email servers,
these kinds of attacks
can hopefully be filtered out.
Because what actually
happens in these attacks?
You get an email that might
look like it came from Gmail.
It might have Google's logo.
You get an email that looks like
it might have come from PayPal,
and it's got their logo, and
it's got a lot of fancy text,
and it has even a secure message on it.
But the link that's in it, odds
are, does not go to paypal.com,
and does not go to google.com,
or your own particular website.
Odds are it goes to a
completely random URL,
or maybe it goes to a slight
misspelling of that URL
that someone else has bought.
And it might even lead, once
clicked, to a website that
looks identical to the
real PayPal or gmail.com,
but that's just because someone knows
HTML and copied PayPal's or Google's
or whoever's HTML.
All that's pretty darn easy.
They're just trying to socially
engineer you, trick you as a human,
into believing them, because it
looks like a legitimate email,
into behaving in a reasonable
way, but in the wrong place.
And the phishing attack
leads, generally,
to you accidentally or unknowingly
giving someone your identity, giving
them, god forbid, your bank
account details, your usernames,
your passwords, because you've been
duped by a social engineering attack.
So what's the giveaway there?
Well, one, distrust most
emails that you get.
Even when you do get an email
from your bank and it looks legit
and maybe it is legit, don't click the
link in the email, right, just in case.
You know you're a customer
at BankOfAmerica.com.
So you go to your browser and type in,
literally, BankOfAmerica.com, Enter.
Go there without using
the link in the email.
Log in, and then find
your way to whatever
it is that email was telling you to do.
Don't click on a link from Google.
Go to gmail.com, hit Enter,
log in in the usual way,
and don't trust the email.
But look at these emails
with a discerning eye, too.
Does it look like it came from
a sketchy-looking email address,
sort of a random Gmail address,
not an official-looking account?
But even that can be spoofed.
So it's not a tell.
But sometimes you'll see
typographical errors.
Hopefully, you think,
good marketing departments
don't send out emails
with typographical errors.
So that could be a tell.
These are not reliable tells, though,
because you can forge an email address,
and you can certainly
spellcheck a phishing attack.
But these are just things that
should raise red flags in your mind
and should set your radar off.
But in general, just
avoid clicking things
that themselves might not be
safe, because what might happen?
Well, you might indeed end up giving
away sort of the keys to the kingdom,
like your identity, your bank account,
your usernames, passwords, and more.
But your computer might
even get infected somehow.
Right, it's often the case that these
URLs lead you to websites that are
infected with something--
malware, malicious software--
that can do anything.
Especially in the Windows world,
where computers have historically
tended to be under
greater attack, you might
be led to a website that somehow
injects into your browser,
and in turn into your computer, a
piece of software that someone with way
too much free time and way
too many malicious intentions
has written in order to erase your hard
drive or send spam from your computer
or encrypt all of your files.
Indeed, some of the attacks these
days do something really draconian,
which is they'll encrypt data on
your hard drive, or for a company,
they'll encrypt a company's
database, and then send them
a nastily written email saying,
pay us $500, pay us $5 million,
in order to get the key
to decrypt your data.
And maybe that key doesn't even work--
that's even unclear-- effectively
giving term to the word
"ransomware," where it's
software that effectively ransoms
your data, expecting some kind of
payout before it's given back to you,
or effectively, decrypted for you.
So malware can be anything.
At the end of the day,
any piece of software
can do anything on your computer
that it wants, especially
if it's been installed somehow
with administrative privileges,
or has taken advantage
of bugs in software,
to somehow get onto your computer
in ways that weren't intended,
but that are nonetheless possible.
And so this is even a
more worrisome threat,
because you might not
even realize thereafter
that you've been compromised,
and the software might just
keep running and running and running.
And that, at the end of the
day, is kind of the core issue
with all of these threats
to one's security,
privacy, your data,
your devices, and more.
It really boils down to trust.
Do you trust the people around you?
Do you trust the algorithms and
the software that you're using?
Do you trust the manufacturers of
the hardware that you're using?
Consider, after all, that
we've focused for the most
part on Mr. Robot in cafes,
random people on the internet,
and nosy neighbors and
roommates and family members.
But where did all of the
hardware and software
come from that's legitimately being
used by you on your phones and laptops
and desktops every day?
Well, a lot of it comes from
Apple, or Microsoft, or Google,
or other companies.
But odds are, all of us have installed
software from the so-called App Store
or Google Play, or from
random websites, or we've
bought software and
installed it on a computer,
or downloaded it in some form.
But who's to say that Microsoft Word
isn't logging every keystroke you type,
whether or not you're
inside the program itself?
Who's to say that Google is not watching
everything you do within Chrome, even
if you're not on google.com?
If they wrote the software,
Microsoft or Google,
they could be doing both, or
all of those things, or none.
Hopefully none.
But it's all about trust, because even
though we could audit our computers
and we could kind of use the
activity monitor or process
manager to see what it
is they're doing, there
have been cases where
especially malicious software has
been written to cover its tracks.
So it doesn't even appear in the process
monitor or process manager or activity monitor.
So it's still there and running, but
it's kind of hiding itself altogether.
And that makes it even harder for all
but the most sophisticated security
folks to actually find,
let alone little old
me or random users on the
internet who might be infected.
Right, so who's to say the
very software we're using
is actually doing what we say?
Who's to say that Snapchat
is actually deleting messages
after three seconds, or 10 seconds?
It's just what they say.
What if there's a bug?
What if there's a malicious intent?
What if there's a malicious
employee who simply programmed
those devices to do something else?
So at the end of the
day, it is very easy
to sort of curl up into a ball and
sort of tearfully worry about all
of these various threats.
But at the end of the day, what really
we need to do is decide whom to trust,
and how much to trust, and
what kind of risks to take.
At the end of the day, there
are no surefire answers
to any of these threats.
There are defenses, but they really
just raise the bar to the adversary.
They raise the cost to
him or her, and they
increase the probability of
your security and your privacy,
but they don't guarantee it.
You yourself have to decide
how much you're comfortable
doing on the internet,
how much data you're
comfortable storing on your computers,
and ultimately, whom to trust,
and just how much to trust them.
That, then, is security.
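The link checks described in the phishing part of the lecture (does the link really go to paypal.com, or to a slight misspelling of it that someone else bought, and does the visible text claim one site while the target is another?) can be turned into a small defensive scanner. The code below is an added example written for this page, not code from the lecture or from CS50: the TRUSTED_DOMAINS list, the sample message and the two-edit lookalike threshold are all constructed assumptions, and the registrable-domain helper is deliberately crude (real code would consult the public suffix list).

```python
"""Flag suspicious links in a phishing-style e-mail body (added example, not lecture code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list standing in for "sites where you know you have an account".
TRUSTED_DOMAINS = {"paypal.com", "google.com", "gmail.com", "bankofamerica.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; a bare 'www.example.com' is read as http://www.example.com."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a host (paypal.com for www.paypal.com). Crude assumption,
    enough for the brands above; production code would use the public suffix list."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, text):
    """Return human-readable findings for one link; an empty list means nothing odd."""
    findings = []
    real = registrable_domain(host_of(href))
    if not real:  # mailto:, anchors, empty hrefs: nothing to compare
        return findings
    # 1. The visible text looks like a URL but names a different site than the target.
    if "." in text and " " not in text:
        shown = registrable_domain(host_of(text))
        if shown and shown != real:
            findings.append(f"mismatch: text shows {shown} but link goes to {real}")
    if real in TRUSTED_DOMAINS:
        return findings
    full_host = host_of(href)
    for trusted in TRUSTED_DOMAINS:
        # 2. paypal.com.account-verify.net: brand embedded, but the real domain is someone else's.
        if trusted in full_host:
            findings.append(f"embedded brand: {trusted} inside untrusted host {full_host}")
        # 3. paypa1.com: within two edits of a trusted domain (threshold is an assumption).
        elif edit_distance(real, trusted) <= 2:
            findings.append(f"lookalike: {real} resembles {trusted}")
    return findings


def scan_email(html):
    """Parse a message body and assess every link in it."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [{"href": h, "text": t, "findings": assess_link(h, t)} for h, t in extractor.links]


# Constructed sample message, not a real phishing e-mail.
SAMPLE_EMAIL = """<p>Your account has been limited. Please confirm your identity.</p>
<a href="http://paypa1.com/reset">Click here to reset your password</a>
<a href="https://www.paypal.com.account-verify.net/login">https://www.paypal.com/</a>
<a href="https://www.paypal.com/help">PayPal Help Center</a>"""

if __name__ == "__main__":
    for result in scan_email(SAMPLE_EMAIL):
        print(result["href"], "->", result["findings"] or "ok")
```

Running it on the constructed sample flags the first link as a lookalike of paypal.com, the second as both a text/target mismatch and a trusted name embedded in someone else's domain, and leaves the genuine paypal.com link alone. As the lecture notes, none of these tells is reliable on its own; the scanner raises flags for a human to look at rather than deciding for them.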
