Week 10

Status report - a quick sanity check for you and your TF

CS50 Hackathon (in Cambridge - buses from Yale)

Implementation

CS50 Fairs (in Cambridge and New Haven)

As it happens, there’s no encryption - if there were, you’d have to type in a password.

There’s actually nothing protecting your information on this WiFi network!

Even more worrisome is this, in the Terms and Conditions: "You understand that we reserve the right to log or monitor traffic to ensure that these terms are being followed."

Because there’s no encryption, someone else on the network could "sniff" or inspect the contents of the packets on the way to your computer. They could see the URL you’re trying to access (domain name as well as path).

Smart TVs have voice sensors, Internet connectivity, and often cameras, and these sensors are always on - they’re listening for voice commands, but they can’t always interpret your commands locally on the TV, so they’re sending everything you say to the distributor’s servers to detect whether a command was given.

This means that everything you say in front of your TV could be broadcast to Samsung’s (for example) servers.

Google & Apple mitigate this problem by requiring that commands start with "OK Google" or "Hey Siri", but this is imperfect, because it can’t always perfectly detect what was said, and natural language processing is difficult.

If you read the terms & conditions of some of these smart TVs, there’s specific language indicating that you might not want to have personal conversations in front of your TV - but who really pays attention to that?

We take for granted that our phones aren’t constantly recording us, but they very well could be! We have GPS transponders, microphones, and cameras on us at all times.

The UK government is proposing to store the domain of every site visited by every person in the UK for a year, and possibly make that data available for security or police purposes.

Proponents of the bill claim that this Internet record is "no different from an itemized phone bill", but as John Oliver points out, that’s not exactly reassuring.

The specific page could be recorded from an HTTP request as well as the domain, if Internet traffic is being routed through a government server (as is the case explicitly in some nations, and even here has been conducted in secret via major ISPs cooperating with the government).

Short, simple passwords are very easy to guess using software that checks lots of likely options.

An attacker can load a huge dictionary into memory and then guess and check against the hash.

Salting a password at least ensures that the hashes of similar passwords won’t be too similar.

A common solution to complicate passwords is to replace letters with similar-looking numbers, but this doesn’t actually help much, because a dictionary attack can just add an extra loop to replace those characters in the dictionary words.

There are better ways of generating passwords, but the best defense for passwords is something much more random.

There are usually telltale signs in these emails (poor spelling, grammar, Gmail Spam indicator), but they’re extremely cheap to send out using botnets (malware that sends spam from many other people’s computers), so they only have to work on a tiny number of un-savvy users to be worth sending.

It’s generally poor practice to follow a link in your email even if it looks legitimate, instead typing out the URL by hand to make sure it doesn’t go somewhere you don’t intend to go.

One solution is to use a password manager like LastPass or 1Password, a piece of software that generates big, pseudorandom passwords that a human couldn’t possibly remember, which are then encrypted on your hard drive, and all you as the human need to remember is a single "master" password (which should be a long string, like a sentence, but doesn’t need to be random).

These long, random passwords are resilient to dictionary attacks, and if they’re different everywhere, one being compromised doesn’t reveal all the others.

There are potential downsides of a system like this, though:

We have a site license for 1Password, so you can sign up for free.

LastPass does have a version where your passwords are stored in the cloud, but then if you log in from a different computer, you could be vulnerable to a keylogger getting your master password.

Rather than just use a password, you need physical access to the device, which is much less likely to be a vulnerability.

Mid-semester, Yale implemented two-factor authentication, whereby to log into your Yale account, you must type in not only your password but also a code that is pushed to your phone.

The downside of this is if you lose the device, or if you don’t have cell service and can’t receive the message, you can’t log in.

Google provides two-factor authentication for your account, which you can opt into in the security settings of your account.

Similarly, Facebook also provides 2-factor authentication.

The code that is sent each time you use 2-factor authentication expires periodically (usually every few seconds to a minute), so if someone grabs the code you use, they still can’t access your account.

For example, Facebook can notify you if someone logs into your account from a different computer than usual.

This means that after an account is compromised, you can narrow the window of time in which the attacker has access to your account and can do bad things with it.

If we go to the CS50 Finance site and watch the network traffic using Chrome’s Network tab, we can see that the HTTP request includes a Set-Cookie parameter.

This parameter contains a value called PHPSESSID (PHP session id) that indicates to the site who you are.

On subsequent requests to the site, there’s instead a Cookie parameter, containing the same PHPSESSID.

This PHPSESSID basically functions like a virtual hand stamp, as you might get to allow reentry at a club or amusement park.

CS50’s sites are encrypted - we access them using the HTTPS protocol - but if there were an unencrypted site, an adversary could intercept the packets, see these headers, and find out what your PHPSESSID value is. They could then pretend to be you by presenting that same PHPSESSID to the website.

One of the nice features of LastPass and 1Password is that in addition to storing your passwords, they will warn you if you try to log into a site that isn’t properly encrypted.

This lets them sell your profile of what sites you visit to advertisers.

Even if you delete cookies or use incognito mode, you can still be clearly identified, because Verizon or AT&T is acting as the "man in the middle" and adding this information to all your requests.

There are ways to opt out of this now, but initially, the only way to avoid this data being injected into all your HTTP headers was to leave the carrier entirely.