Announcements and Demos

  • In case you haven’t seen it yet, check out the story of Saroo, the boy who overslept on a train and found his family 25 years later using Google Maps.

  • We know from collecting statistics that about 50% of you won’t continue on to take any more CS courses. That’s okay! One of our overarching goals is to empower you to understand the world of technology as you pursue other knowledge. Bring your ideas and your Final Projects to other departments!

  • Quiz 1 will take place on Wednesday 11/20! Details are available on the course website.

  • Problem Set 8 is due Friday 11/15. One minor point of clarification: if you’re running into issues with Google Earth crashing and you’re positive it’s not your fault, try disabling buildings with the following line of code:

    earth.getLayerRoot().enableLayerById(earth.LAYER_BUILDINGS, false);
    

    We don’t really recommend this because there will be no buildings, but it’s a failsafe nonetheless.

  • The CS50 Hackathon will be on 12/4! This is your opportunity to bang out some code for your Final Project among friends and food.

  • The CS50 Fair will be on 12/9! This is the climax of the course in which you display your Final Project to friends and family. There will also be recruiters from various companies so you can chat about opportunities.

From Last Time

  • We used the superglobal $_SESSION to track the user’s ID so that she doesn’t have to sign in every time she visits the site. HTTP is a stateless protocol. Once you connect to a server and download some HTML, JavaScript, and CSS, your browser’s loading icon stops spinning because the connection has been terminated.

  • Sessions are enabled via cookies, usually a big random number planted on your computer’s hard drive or in its RAM. You can think of cookies as virtual handstamps for the server to remember who you are.

  • There’s a threat here, as well. If you steal someone’s cookie, you can hijack his session and impersonate him.

  • We looked briefly at Ajax, a technique that allows for fetching data from a server without refreshing the page. Google Maps doesn’t load the entire world when you browse it; rather, it loads one square at a time and fetches more as needed using Ajax.

Final Project

  • Just to plant one seed in your mind, check out the list of e-mail addresses for the various cell providers here. With these, you can send text messages programmatically! Be careful, lest you send some 20,000 text messages mistakenly, as David did during lecture last year.

  • Receiving text messages is a little more difficult. You can use the service provided by textmarks.com. For example, if you send a text message to 41411 like "SBOY mather quad," you’ll get a response from the CS50 Shuttleboy app.

  • Consider using Parse as your backend database instead of MySQL!

  • CS50 has its own authentication service called CS50 ID. Check out the manual to see how to verify that a user is someone from Harvard.

Web Hosting

  • Check out your options for web hosting if you want your Final Project to live outside of the Appliance. Namecheap is just one!

  • To see who owns a particular domain, you can look it up using whois from the command line. Under the "Name Servers" heading, you’ll see a list of servers that are the authoritative sources for the IP address of the domain you looked up. When you type this domain into your browser, the browser (via your resolver) will eventually query these name servers to find the final IP address. When you register a domain, you’ll need to tell the registrar which name servers to list for it, namely those of whoever hosts your site. Since CS50 uses DreamHost, you’ll enter NS1.DREAMHOST.COM, NS2.DREAMHOST.COM, and NS3.DREAMHOST.COM if you use CS50’s hosting account.

  • SSL stands for Secure Sockets Layer (its modern successor is TLS) and is indicated by a URL that begins with https. To use SSL for your own website, you need a certificate for your domain and, traditionally, a unique IP address, for which you’ll have to pay a web hosting company a few more dollars per month. Hosts that support SNI can serve many certificates from a single address, so check whether yours still charges for a dedicated IP.

Security

  • As a random segue into security, check out the first volume of CS50 Flights.

  • As we talked about on Monday, it’s important to be careful when installing software. Often you’ll be prompted to give permission to an installer as a security measure because it needs to run as an administrator. This has very serious security implications because you’re giving this installer the ability to execute almost any command on your computer.

  • The trust you implicitly or explicitly give to the software you run can easily be abused. Sony got a lot of flak a few years ago for including rootkits on the CDs they sold. These rootkits would actually hide themselves so that you couldn’t see they were running if you opened Task Manager.

  • What does the padlock icon on a website mean in terms of security? Only that your connection to that domain is encrypted and that the site’s certificate checks out for that domain name; it says nothing about whether the people behind the domain are honest. But we’ve been conditioned to think that a website is secure when we see that padlock. That means it’s just as easy for an adversary to put a padlock on his malicious website (he only needs a certificate for his own domain) and trick you into trusting him.

  • Some browsers like Chrome go one step further in showing the owner of the SSL certificate. When you navigate to Bank of America’s website, Chrome shows "Bank of America Corporation [US]" in green in the address bar.

  • But how many of you have actually noticed or changed your behavior because of these security measures?

Session Hijacking

  • You can see the actual value of the cookie that Facebook plants on your computer by using Developer Tools in Chrome. Usually this cookie is planted when you first visit Facebook. But how did you get to Facebook? You probably didn’t type "https" to begin with, so you must have been redirected to the SSL-enabled version of the website. Your browser attached the cookie to that very first, unencrypted http:// request, before the redirect happened, unless the cookie was set with the Secure flag, which tells the browser to send it only over https. If a bad guy is on the same network as you, he may be able to sniff this cookie off the wire during that redirection. This attack is called session hijacking.
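  • To see the browser’s side of this decision without packet sniffing, here is an added example (not code from the course) that uses Python’s standard http.cookiejar, which implements the same rules browsers follow. A cookie is set over https, and then the user types the bare host name so the next request goes out over plain http. The host name, cookie name and session value are constructed for illustration, not Facebook’s.

```python
"""Added example: why a cookie set without the Secure flag leaks on the
http:// -> https:// redirect.  Uses Python's standard http.cookiejar to
model the browser's decision.  The host, cookie name and value below are
constructed for illustration."""
import email.message
import http.cookiejar
import urllib.request

SITE = "www.example.com"  # hypothetical site, stands in for facebook.com


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a Message-like object carrying the Set-Cookie header."""

    def __init__(self, set_cookie_header):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._msg


def cookie_header_for(set_cookie_header, scheme):
    """The browser receives `set_cookie_header` over https, then later
    sends a request to the same host over `scheme` ("http" or "https").
    Returns the Cookie header that later request would carry, or None if
    the browser withholds the cookie."""
    jar = http.cookiejar.CookieJar()
    https_req = urllib.request.Request(f"https://{SITE}/")
    jar.extract_cookies(FakeResponse(set_cookie_header), https_req)

    later_req = urllib.request.Request(f"{scheme}://{SITE}/")
    jar.add_cookie_header(later_req)
    return later_req.get_header("Cookie")


# Session identifier as the server might set it (constructed value).
WEAK = "session=9f86d081884c7d65; Path=/"
STRONG = "session=9f86d081884c7d65; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    # The weak cookie rides along on the plaintext request: anyone on the
    # network can read it and replay it.  The Secure one is withheld on
    # http and only sent once the connection is encrypted.
    print("weak over http:  ", cookie_header_for(WEAK, "http"))
    print("strong over http:", cookie_header_for(STRONG, "http"))
    print("strong over https:", cookie_header_for(STRONG, "https"))
```

    The HttpOnly flag is orthogonal: it keeps page JavaScript from reading the cookie, which blunts theft via script injection but does nothing for the network case, so a session cookie wants both.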

Man in the Middle

  • A bad guy could even intercept your HTTP request and respond with his own fake version of Facebook in order to steal your credentials. This attack is called man in the middle.

SQL Injection Attack

  • Let’s focus on server-side security now. Imagine you accept a username and password from a user and execute a query against your database like so:

    $username = $_POST["username"];
    $password = $_POST["password"];
    query("SELECT * FROM users WHERE username='$username' AND password='$password'");
    

    This looks reasonable and correct, but it’s vulnerable to a SQL injection attack. What if the user enters skroob as his username and 12345' OR '1' = '1 as his password. Now the query you execute looks like the following:

    SELECT * FROM users WHERE username='skroob' AND password='12345' OR '1' = '1'
    
  • Because AND binds more tightly than OR, the WHERE clause is read as (username='skroob' AND password='12345') OR '1' = '1', and since '1' = '1' is always true, this query will always return a row even if 12345 is not the correct password for username skroob.

  • In Problem Set 7, we asked you to use question marks as placeholders for user input when executing the query function. With these placeholders, the user’s input is handed to the database as a value bound to the placeholder rather than being pasted into the SQL text, so a stray quote mark in a password is treated as data and can never change the structure of the query.
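  • Here is the same login query built both ways, as an added example (not the course’s query function or its PHP) against an in-memory SQLite database, so you can watch the injection succeed and then fail. The users table and its single row are constructed for illustration; a real site would store a password hash, not the password.

```python
"""Added example: the login query from the SQL injection section, once
built by string concatenation and once with bound placeholders.  The
table and its one row are constructed here for illustration."""
import sqlite3


def make_db():
    """Constructed test database: one user, password stored in the clear
    only to mirror the lecture's query (real code stores a hash)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    db.execute(
        "INSERT INTO users (username, password) VALUES ('skroob', 'correct-horse')"
    )
    return db


def login_vulnerable(db, username, password):
    """Mirrors the PHP on this page: user input is pasted into the SQL text,
    so quote characters in the input become part of the query's syntax."""
    sql = (
        f"SELECT * FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    """Placeholders: the driver sends the values separately from the SQL,
    so a quote in the password is data, never syntax."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


# The exact payload from the lecture notes.
INJECTED = "12345' OR '1' = '1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, "skroob", INJECTED))
    print("safe, injected:      ", login_safe(db, "skroob", INJECTED))
    print("safe, real password: ", login_safe(db, "skroob", "correct-horse"))
```

    Note that login_vulnerable also raises a syntax error on a lone quote mark in the username, which is exactly the kind of error message an attacker uses to confirm that input reaches the query unescaped.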