1 00:00:00,000 --> 00:01:17,581 [MUSIC PLAYING] 2 00:01:17,581 --> 00:01:20,791 SPEAKER: All right. This is CS50. 3 00:01:20,791 --> 00:01:23,351 And this is First Year Family Weekends here at Harvard, 4 00:01:23,351 --> 00:01:26,651 so welcome to all of the moms and dads, brothers, sisters, cousins, aunts, 5 00:01:26,651 --> 00:01:28,621 uncles, grandparents, and beyond. 6 00:01:28,621 --> 00:01:31,441 CS50 here is Harvard University's introduction 7 00:01:31,441 --> 00:01:33,721 to the intellectual enterprises of computer science 8 00:01:33,721 --> 00:01:35,191 and the arts of programming. 9 00:01:35,191 --> 00:01:37,651 And what that means is that what we've been doing in here, 10 00:01:37,651 --> 00:01:40,921 over the past several weeks, is introducing students 11 00:01:40,921 --> 00:01:44,943 to computational thinking, the process of cleaning up one's thoughts 12 00:01:44,943 --> 00:01:47,401 and expressing oneself all the more correctly, all the more 13 00:01:47,401 --> 00:01:49,381 precisely, and ultimately translating those thoughts, 14 00:01:49,381 --> 00:01:52,021 of course, to a computer in the form of programming, which 15 00:01:52,021 --> 00:01:54,361 is where we've spent quite a bit of time-- programming, 16 00:01:54,361 --> 00:01:56,311 writing code-- over the past several weeks. 17 00:01:56,311 --> 00:01:59,791 But toward that end, we've also been equipping students 18 00:01:59,791 --> 00:02:01,621 with some basic building blocks. 19 00:02:01,621 --> 00:02:05,371 You might already know, if a parent, that computers only somehow speak 20 00:02:05,371 --> 00:02:08,521 zeros and ones, even if you're not necessarily a computer person yourself 21 00:02:08,521 --> 00:02:09,691 or know what that means. 22 00:02:09,691 --> 00:02:13,171 But with those zeros and ones can we represent numbers and letters 23 00:02:13,171 --> 00:02:15,031 and colors and videos and more.
24 00:02:15,031 --> 00:02:18,061 And in fact, your child perhaps sitting next to you 25 00:02:18,061 --> 00:02:20,161 could perhaps tell you what today's message says. 26 00:02:20,161 --> 00:02:22,261 Here, we have 64 light bulbs on stage. 27 00:02:22,261 --> 00:02:24,871 And if you look at eight of them at a time, 28 00:02:24,871 --> 00:02:27,361 there's a pattern of bulbs that are either on or off 29 00:02:27,361 --> 00:02:31,531 that, if you know the code so to speak, can you actually convert these bits-- 30 00:02:31,531 --> 00:02:34,111 these zeros and ones in light bulb form-- 31 00:02:34,111 --> 00:02:36,443 to today's particular message. 32 00:02:36,443 --> 00:02:38,401 Now, before we begin, we thought we'd make this 33 00:02:38,401 --> 00:02:41,851 as engaging, as interactive as possible. 34 00:02:41,851 --> 00:02:45,721 Rather than focus on any assumptions of prior computing knowledge, 35 00:02:45,721 --> 00:02:47,821 you need know nothing today other than how 36 00:02:47,821 --> 00:02:51,641 to operate, for instance, your own phone or a laptop or desktop or the like. 37 00:02:51,641 --> 00:02:54,041 And indeed, we'll assume a general audience. 38 00:02:54,041 --> 00:02:56,731 And in this Halloween week, will we also see 39 00:02:56,731 --> 00:03:01,261 if we can't scare you a little bit into practicing better practices when 40 00:03:01,261 --> 00:03:04,948 it comes specifically to the security or cybersecurity of the device 41 00:03:04,948 --> 00:03:07,531 you carry with you every day in your pocket, use on your desk, 42 00:03:07,531 --> 00:03:09,094 on your laptop, or beyond. 43 00:03:09,094 --> 00:03:11,011 So if you haven't already, whether you're here 44 00:03:11,011 --> 00:03:14,761 in person or tuning in online, go to this URL 45 00:03:14,761 --> 00:03:19,451 here, which will lead you to an interactive polling tool. 46 00:03:19,451 --> 00:03:22,831 Any phone or laptop or desktop suffices. 
47 00:03:22,831 --> 00:03:25,381 If it's a little easier than typing in this URL, 48 00:03:25,381 --> 00:03:29,551 you can just scan this code with your phone's camera. 49 00:03:29,551 --> 00:03:31,411 Take a moment to just open your camera. 50 00:03:31,411 --> 00:03:33,421 And hopefully, if you're at a good enough angle 51 00:03:33,421 --> 00:03:35,171 and we've made this thing big enough, this 52 00:03:35,171 --> 00:03:38,371 is a two-dimensional bar code or QR code embedded 53 00:03:38,371 --> 00:03:40,271 in which is that exact same URL. 54 00:03:40,271 --> 00:03:43,021 We're increasingly seeing this throughout the world as a mechanism 55 00:03:43,021 --> 00:03:45,451 for doing what many of you are doing right now, linking 56 00:03:45,451 --> 00:03:46,981 the physical world to the virtual. 57 00:03:46,981 --> 00:03:50,259 But that URL, again, is simply this one here. 58 00:03:50,259 --> 00:03:52,051 And in a moment, you'll see on your screen. 59 00:03:52,051 --> 00:03:53,971 It's OK if you weren't quite able to get that working. 60 00:03:53,971 --> 00:03:56,461 Feel free to glance to the left or to the right of you 61 00:03:56,461 --> 00:03:57,721 for someone else who did. 62 00:03:57,721 --> 00:04:00,781 Let me go ahead and full-screen a question just 63 00:04:00,781 --> 00:04:05,221 to ask of everyone here as we focus today on cybersecurity. 64 00:04:05,221 --> 00:04:08,821 Is your phone secure? 65 00:04:08,821 --> 00:04:12,031 Whether an Android phone, an iPhone, or anything else, 66 00:04:12,031 --> 00:04:15,001 if you're holding it in your hand right now here in person or online, 67 00:04:15,001 --> 00:04:19,111 you should see three possible answers-- yes or no or unsure. 68 00:04:19,111 --> 00:04:21,571 We've got over 300 responses come in already. 69 00:04:21,571 --> 00:04:24,001 In a moment, I'll flip over and reveal the results 70 00:04:24,001 --> 00:04:29,371 and see if we can't see how much work we have to do together here today. 
71 00:04:29,371 --> 00:04:30,311 A few more seconds. 72 00:04:30,311 --> 00:04:33,091 Almost up to 400 answers. 73 00:04:33,091 --> 00:04:34,128 Almost up to 400. 74 00:04:34,128 --> 00:04:35,461 It's OK if those keep coming in. 75 00:04:35,461 --> 00:04:39,001 I'm going to toggle back and show the results in just a moment here. 76 00:04:39,001 --> 00:04:40,861 And the results are now in. 77 00:04:40,861 --> 00:04:45,559 According to a response rate of over 400, it looks like 36% of you 78 00:04:45,559 --> 00:04:48,101 don't need what we're about to do here today, which is great. 79 00:04:48,101 --> 00:04:51,601 We'll see if we can't poke some holes though and maybe some assumptions you 80 00:04:51,601 --> 00:04:52,441 all are making. 81 00:04:52,441 --> 00:04:56,851 31%, 32% maybe of you are saying no, your phone 82 00:04:56,851 --> 00:04:58,771 is not secure, so so glad you came. 83 00:04:58,771 --> 00:05:01,781 And then understandably, to another third of you are unsure. 84 00:05:01,781 --> 00:05:03,871 So in very good company today, and we'll see 85 00:05:03,871 --> 00:05:07,711 if we can't open the eyes of everyone in each of these disparate audiences. 86 00:05:07,711 --> 00:05:11,011 Well, let's consider first for a moment exactly how we 87 00:05:11,011 --> 00:05:13,651 might think about the security of our phones, representative 88 00:05:13,651 --> 00:05:15,131 of just any computing device. 89 00:05:15,131 --> 00:05:17,761 And in fact, everything we discuss today could be extrapolated 90 00:05:17,761 --> 00:05:19,798 to laptops and desktops and servers. 91 00:05:19,798 --> 00:05:21,631 But all of us being so familiar with phones, 92 00:05:21,631 --> 00:05:23,401 let's start with phones themselves. 93 00:05:23,401 --> 00:05:25,651 Now, odds are you have on your phone, like so many 94 00:05:25,651 --> 00:05:29,641 other things in your life, a password or a passcode. 
95 00:05:29,641 --> 00:05:33,181 And in fact, without raising your hands and, therefore, leaking information, 96 00:05:33,181 --> 00:05:36,061 think to yourself, well, what is my password or passcode? 97 00:05:36,061 --> 00:05:38,110 It's probably four digits. 98 00:05:38,110 --> 00:05:39,451 It's maybe four letters. 99 00:05:39,451 --> 00:05:40,591 Maybe it's even longer. 100 00:05:40,591 --> 00:05:41,811 Maybe it's even nothing. 101 00:05:41,811 --> 00:05:43,561 And I think maybe, from the chart earlier, 102 00:05:43,561 --> 00:05:47,251 we can assume that we have a third of each of those possible responses. 103 00:05:47,251 --> 00:05:49,561 So a password of course, is this super common mechanism 104 00:05:49,561 --> 00:05:53,971 that you and I are all using all the time to keep our devices secure. 105 00:05:53,971 --> 00:05:55,603 But do passwords keep things secure? 106 00:05:55,603 --> 00:05:57,811 Like how many of you, thinking about your phone right 107 00:05:57,811 --> 00:06:01,511 now and that specific password, might think it's secure? 108 00:06:01,511 --> 00:06:05,191 And if so, why do you think it's secure? 109 00:06:05,191 --> 00:06:08,594 We have at least 33% of you are ready to say that your password's secure. 110 00:06:08,594 --> 00:06:09,511 Don't want to know it. 111 00:06:09,511 --> 00:06:13,951 But why might it be, in your mind, secure? 112 00:06:13,951 --> 00:06:15,571 Why might you think it's secure? 113 00:06:15,571 --> 00:06:19,291 Or more generally, what makes your password secure? 114 00:06:19,291 --> 00:06:20,006 AUDIENCE: Random. 115 00:06:20,006 --> 00:06:20,881 SPEAKER: It's random. 116 00:06:20,881 --> 00:06:21,381 OK. 117 00:06:21,381 --> 00:06:22,061 So it's random. 118 00:06:22,061 --> 00:06:23,741 So random letters and numbers and the like. 119 00:06:23,741 --> 00:06:26,221 And that's great, because it's not just a word in the dictionary 120 00:06:26,221 --> 00:06:27,871 that someone could guess and type in. 
121 00:06:27,871 --> 00:06:29,671 Downside, of course, I daresay is that it 122 00:06:29,671 --> 00:06:32,401 might take you as well as anyone else quite a bit of time 123 00:06:32,401 --> 00:06:34,651 to guess or figure out what or just to remember 124 00:06:34,651 --> 00:06:36,331 what it is, if it was indeed random. 125 00:06:36,331 --> 00:06:38,971 But randomness is going to be a primitive that really actually helps 126 00:06:38,971 --> 00:06:39,471 us. 127 00:06:39,471 --> 00:06:41,851 Unfortunately, you and I and really the whole world 128 00:06:41,851 --> 00:06:44,641 are not very good even at passwords, as omnipresent 129 00:06:44,641 --> 00:06:47,761 as they are as a defense against adversaries. 130 00:06:47,761 --> 00:06:56,111 In fact, if we look at the most common passwords from the past year, in 2020, 131 00:06:56,111 --> 00:06:58,801 I thought we'd share with you some of those results. 132 00:06:58,801 --> 00:07:01,291 This is the result of security researchers having 133 00:07:01,291 --> 00:07:05,671 found big exploited, compromised databases, analyzing them 134 00:07:05,671 --> 00:07:07,771 for what passwords are in them and then inferring 135 00:07:07,771 --> 00:07:10,651 from that what the most common passwords you and I are all using. 136 00:07:10,651 --> 00:07:14,611 Unfortunately, in 2020, the most common password, according to one measure, 137 00:07:14,611 --> 00:07:17,911 was one, two, three, four, five, six. 138 00:07:17,911 --> 00:07:18,701 [LAUGHING] 139 00:07:18,701 --> 00:07:20,041 Now, funny, yes. 140 00:07:20,041 --> 00:07:22,591 But if you're seeing your password on the screen already, 141 00:07:22,591 --> 00:07:24,091 not so funny perhaps. 142 00:07:24,091 --> 00:07:25,141 [LAUGHING] 143 00:07:25,141 --> 00:07:29,761 The number two password was not much better. 
144 00:07:29,761 --> 00:07:33,961 Number three, picture one presumably for a device, 145 00:07:33,961 --> 00:07:36,121 a website that requires that it not just be a word, 146 00:07:36,121 --> 00:07:38,551 it have at least one number, which this person took-- 147 00:07:38,551 --> 00:07:40,981 these hundreds of thousands of people took literally. 148 00:07:40,981 --> 00:07:44,581 Password was number four this past year. 149 00:07:44,581 --> 00:07:46,561 1, 2, 3, 4, 5, 6, 7, 8. 150 00:07:46,561 --> 00:07:50,111 1, 1, 1, 1, 1, 1, really not trying hard there. 151 00:07:50,111 --> 00:07:53,101 1, 2, 3, 1, 2, 3, varying it a little bit. 152 00:07:53,101 --> 00:07:55,393 1, 2, 3, 4, 5, was number eight. 153 00:07:55,393 --> 00:07:58,171 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 was number nine. 154 00:07:58,171 --> 00:08:01,861 And then number 10, in 2020, was "senha," which-- 155 00:08:01,861 --> 00:08:03,751 any Portuguese speakers here-- means? 156 00:08:03,751 --> 00:08:04,096 AUDIENCE: Password. 157 00:08:04,096 --> 00:08:04,441 AUDIENCE: Password. 158 00:08:04,441 --> 00:08:05,281 SPEAKER: Password. 159 00:08:05,281 --> 00:08:06,101 Means "password." 160 00:08:06,101 --> 00:08:06,601 [LAUGHING] 161 00:08:06,601 --> 00:08:08,981 So made the list twice in this case. 162 00:08:08,981 --> 00:08:12,511 So one take away already today should be, if your password's on this list, 163 00:08:12,511 --> 00:08:16,231 like probably you're in one of those other 33% 164 00:08:16,231 --> 00:08:17,801 whereby we can do better than this. 165 00:08:17,801 --> 00:08:18,301 Why? 166 00:08:18,301 --> 00:08:19,471 I mean, really the obvious. 167 00:08:19,471 --> 00:08:22,711 If you're in this list, there's so many bad guys, 168 00:08:22,711 --> 00:08:25,961 so to speak, out there that are going to try guessing your password first. 169 00:08:25,961 --> 00:08:26,461 Why? 
170 00:08:26,461 --> 00:08:30,061 Because just statistically, if they try 1, 2, 3, 4, 5, 6, 1, 2, 3, 4, 5, 6, 7, 171 00:08:30,061 --> 00:08:32,551 8, 9, they're just going to get into a lot of devices 172 00:08:32,551 --> 00:08:35,844 quickly, because they're just so commonly used, those passwords. 173 00:08:35,844 --> 00:08:37,261 You don't want to be on this list. 174 00:08:37,261 --> 00:08:41,041 Ideally, you want to be random, but we want to somehow balance randomness 175 00:08:41,041 --> 00:08:42,931 with memorability so that you don't actually 176 00:08:42,931 --> 00:08:45,391 keep forgetting your password, which, of course, defeats 177 00:08:45,391 --> 00:08:47,591 the whole point of these things in the first place. 178 00:08:47,591 --> 00:08:51,031 But in a class like this, CS50 and computer science more generally, 179 00:08:51,031 --> 00:08:57,361 let's be a little more thoughtful as to what we mean by a device being secure. 180 00:08:57,361 --> 00:08:58,861 Like what does it mean to be secure? 181 00:08:58,861 --> 00:09:01,903 And can we even slap some numbers on it so that we can make measurements, 182 00:09:01,903 --> 00:09:04,201 so that we can ideally compare and contrast 183 00:09:04,201 --> 00:09:07,601 one system versus another, one password versus another 184 00:09:07,601 --> 00:09:11,381 so it's not just our instincts arguing that my password is better than these, 185 00:09:11,381 --> 00:09:13,381 but how can you quantify that perhaps? 186 00:09:13,381 --> 00:09:14,551 Well, let's start simply. 187 00:09:14,551 --> 00:09:16,861 A lot of Android phones and iPhones these days 188 00:09:16,861 --> 00:09:20,161 require minimally that you have a four-digit passcode. 189 00:09:20,161 --> 00:09:22,921 You're minimally encouraged to have at least this bar 190 00:09:22,921 --> 00:09:26,221 set so that you're not having no passcode altogether. 
191 00:09:26,221 --> 00:09:30,091 So if you do have a four-digit passcode, well, 192 00:09:30,091 --> 00:09:32,401 let me go ahead and ask this question. 193 00:09:32,401 --> 00:09:37,561 How much time might it take to go about cracking, so to speak-- that is, 194 00:09:37,561 --> 00:09:38,611 figuring out-- 195 00:09:38,611 --> 00:09:41,499 what a four-digit passcode is? 196 00:09:41,499 --> 00:09:42,541 In fact, let me go ahead. 197 00:09:42,541 --> 00:09:45,499 If you want to pull up your devices again, you should see on the screen 198 00:09:45,499 --> 00:09:46,621 this question now. 199 00:09:46,621 --> 00:09:49,201 How long might it take to crack-- 200 00:09:49,201 --> 00:09:51,421 that is, figure out, guess-- 201 00:09:51,421 --> 00:09:52,956 a four-digit passcode? 202 00:09:52,956 --> 00:09:54,331 For instance, on someone's phone. 203 00:09:54,331 --> 00:09:57,961 A few seconds, a few minutes, a few hours, a few days? 204 00:09:57,961 --> 00:10:00,331 Thinking here, from the adversarial perspective, 205 00:10:00,331 --> 00:10:03,061 if someone got ahold of your phone somehow, 206 00:10:03,061 --> 00:10:09,811 how long do they need to get into your phone if it has a four-digit passcode? 207 00:10:09,811 --> 00:10:13,471 A few seconds, few minutes, few hours, few days? 208 00:10:13,471 --> 00:10:16,661 Got about 300 responses so far. 209 00:10:16,661 --> 00:10:19,831 Let's give folks another few seconds here. 210 00:10:19,831 --> 00:10:20,981 Another few seconds here. 211 00:10:20,981 --> 00:10:21,481 All right. 212 00:10:21,481 --> 00:10:22,461 Up to 350 or so. 213 00:10:22,461 --> 00:10:25,211 In a moment, let me go ahead and flip screens over to the results. 214 00:10:25,211 --> 00:10:27,161 So we'll see the preliminary results here. 215 00:10:27,161 --> 00:10:31,651 And if I now pull this screen up, we see that 50% of you 216 00:10:31,651 --> 00:10:34,201 claim that it's going to take only a few seconds. 
217 00:10:34,201 --> 00:10:36,501 Few of you say, about a third, fewer of you 218 00:10:36,501 --> 00:10:40,091 are saying that it takes a few minutes, few hours, and even a few days. 219 00:10:40,091 --> 00:10:41,341 Well, let's answer that first. 220 00:10:41,341 --> 00:10:44,731 Because honestly, if it's already a few days or even longer, 221 00:10:44,731 --> 00:10:47,591 our work is here probably already pretty done. 222 00:10:47,591 --> 00:10:50,941 Unfortunately, the problem with things like four-digit passcodes 223 00:10:50,941 --> 00:10:53,911 is that anyone who grabs your phone-- you step out of the room, 224 00:10:53,911 --> 00:10:57,611 you leave it behind, you lose it-- they could certainly mimic your input device 225 00:10:57,611 --> 00:11:01,651 and just use their finger pretending to be you, trying 0, 0, 0, 0. 226 00:11:01,651 --> 00:11:02,281 Nope. 227 00:11:02,281 --> 00:11:03,781 0, 0, 0, 1. 228 00:11:03,781 --> 00:11:04,351 Nope. 229 00:11:04,351 --> 00:11:05,771 0, 0, 0, 2. 230 00:11:05,771 --> 00:11:06,271 Nope. 231 00:11:06,271 --> 00:11:07,901 And it's a little slow, to be fair. 232 00:11:07,901 --> 00:11:12,451 It would take me a while to count all the way up to 9,999. 233 00:11:12,451 --> 00:11:14,921 That's 10,000 total possibilities there. 234 00:11:14,921 --> 00:11:18,501 But let's go ahead and consider exactly how else you could do it. 235 00:11:18,501 --> 00:11:21,561 For instance, here is an example of, in computer science, 236 00:11:21,561 --> 00:11:23,151 what we call a "brute force attack." 237 00:11:23,151 --> 00:11:26,721 And just an adversary using their finger is a brute force attack 238 00:11:26,721 --> 00:11:28,611 if they're trying all possible passcodes. 239 00:11:28,611 --> 00:11:32,798 The problem is, even if your passcode is way at the end of the list of numbers, 240 00:11:32,798 --> 00:11:34,881 eventually they're going to get it by brute force. 
241 00:11:34,881 --> 00:11:38,361 Sort of like in yesteryear, using a battering ram or the like to brute 242 00:11:38,361 --> 00:11:41,211 force your way into a building, a castle, or the like. 243 00:11:41,211 --> 00:11:44,221 In software sense, it just means trying all possibilities. 244 00:11:44,221 --> 00:11:46,221 And you don't even have to just use your finger. 245 00:11:46,221 --> 00:11:46,721 Right? 246 00:11:46,721 --> 00:11:49,461 Anyone with some programming savvy, who's good with hardware, 247 00:11:49,461 --> 00:11:51,001 could maybe do something like this. 248 00:11:51,001 --> 00:11:52,611 Here's a quick video I'll hit play on. 249 00:11:52,611 --> 00:11:53,361 No sound. 250 00:11:53,361 --> 00:11:56,751 But a little bit of a robot that has an Android phone underneath it, 251 00:11:56,751 --> 00:12:01,101 and it's got a little robotic finger that's doing the work for you. 252 00:12:01,101 --> 00:12:03,291 You can step out of the room now as the adversary. 253 00:12:03,291 --> 00:12:07,401 Let the robot do its work trying 0, 0, 0, 0 through 9, 9, 9, 9. 254 00:12:07,401 --> 00:12:10,921 And ultimately, presumably get into that phone. 255 00:12:10,921 --> 00:12:15,831 So let's see if we can't quantify then exactly how fast the human or the robot 256 00:12:15,831 --> 00:12:16,426 could get in. 257 00:12:16,426 --> 00:12:18,301 Well, how many total possibilities are there? 258 00:12:18,301 --> 00:12:20,301 That's the right way to begin thinking about it. 
259 00:12:20,301 --> 00:12:23,241 If you have 10 digits for the first one, 0 through 9, 260 00:12:23,241 --> 00:12:26,251 and then another 10 possibilities, another 10, another 10, 261 00:12:26,251 --> 00:12:30,381 the total number of possibilities, of course, between 0, 0, 0, 0 and 9, 9, 9, 262 00:12:30,381 --> 00:12:31,611 9 is 10,000-- 263 00:12:31,611 --> 00:12:33,901 10 times 10 times 10 times 10-- 264 00:12:33,901 --> 00:12:37,611 which gives us that much of a search space, a universe of possible 265 00:12:37,611 --> 00:12:39,831 passcodes to choose among. 266 00:12:39,831 --> 00:12:43,161 Unfortunately, you can do even better than your own finger 267 00:12:43,161 --> 00:12:44,211 or even that robot. 268 00:12:44,211 --> 00:12:48,051 Anyone in CS50 now who knows a bit of programming and languages called "C" 269 00:12:48,051 --> 00:12:52,783 or "Python" or anything else could open up a programming window and actually 270 00:12:52,783 --> 00:12:53,991 just start writing some code. 271 00:12:53,991 --> 00:12:54,908 And so let me do that. 272 00:12:54,908 --> 00:12:57,081 What you're seeing here, if a family member, 273 00:12:57,081 --> 00:12:59,481 is a programming environment called "Visual Studio Code" 274 00:12:59,481 --> 00:13:01,856 that students have been using for the past several weeks. 275 00:13:01,856 --> 00:13:04,608 Up here, we have a tabbed window where we can type our code. 276 00:13:04,608 --> 00:13:06,441 Down here, we have what's called a "terminal 277 00:13:06,441 --> 00:13:09,891 window" where I can type commands to make the computer run that code. 278 00:13:09,891 --> 00:13:11,631 And then over here is just a menu bar. 279 00:13:11,631 --> 00:13:15,051 So crack.py means I'm going to write a program to crack-- 280 00:13:15,051 --> 00:13:18,861 that is, figure out passwords-- using this language called "Python." 
281 00:13:18,861 --> 00:13:21,201 And even though most CS50 students wouldn't 282 00:13:21,201 --> 00:13:23,721 know what code to start writing, they'd have 283 00:13:23,721 --> 00:13:27,511 to look up some of what I'm about to do, it's only going to be a few lines. 284 00:13:27,511 --> 00:13:31,311 So I'm going to go up here and say from string import digits. 285 00:13:31,311 --> 00:13:33,171 This is a fancy way of saying, hey, Python. 286 00:13:33,171 --> 00:13:34,941 Give me access to all decimal digits. 287 00:13:34,941 --> 00:13:38,161 It just avoids my having to type out 0 through 9 manually. 288 00:13:38,161 --> 00:13:38,661 All right. 289 00:13:38,661 --> 00:13:43,051 Then I'm going to say from itertools import product. 290 00:13:43,051 --> 00:13:46,051 This is another feature of Python that CS50 students, for the most part, 291 00:13:46,051 --> 00:13:48,111 have not yet seen that just says, hey, Python. 292 00:13:48,111 --> 00:13:51,781 Give me the ability to do like the cross product of a whole bunch of numbers. 293 00:13:51,781 --> 00:13:55,641 So these 10 times these 10 times these 10 times these 10. 294 00:13:55,641 --> 00:13:57,451 And then what am I going to do with that? 295 00:13:57,451 --> 00:14:03,351 Well, for each possible passcode in the product of those digits repeated 296 00:14:03,351 --> 00:14:06,831 four times, I'm going to go ahead and, for now, let's just 297 00:14:06,831 --> 00:14:08,751 print out what the passcode is. 298 00:14:08,751 --> 00:14:11,139 In other words, assume that I am now the adversary. 299 00:14:11,139 --> 00:14:12,931 I don't want to waste time using my finger. 300 00:14:12,931 --> 00:14:15,891 I don't have a robot that I made, but I am good at writing software. 301 00:14:15,891 --> 00:14:18,861 And heck, I've got like a USB or a lightning cable in my bag 302 00:14:18,861 --> 00:14:22,341 that I could connect your phone to my Mac or PC.
303 00:14:22,341 --> 00:14:24,741 And I could just have my code that I'm writing now 304 00:14:24,741 --> 00:14:27,801 send all the possible codes from laptop to phone 305 00:14:27,801 --> 00:14:31,011 to automate this process just using the little port at the bottom of all 306 00:14:31,011 --> 00:14:31,821 of our phones. 307 00:14:31,821 --> 00:14:34,641 Well, let me go ahead and maximize this so-called terminal 308 00:14:34,641 --> 00:14:37,371 window, which is, again, where I'm going to run this code. 309 00:14:37,371 --> 00:14:39,741 And again, the question a moment ago was, does it 310 00:14:39,741 --> 00:14:41,781 take seconds, minutes, hours, days? 311 00:14:41,781 --> 00:14:44,571 Well, let me go ahead and run Python of crack.py. 312 00:14:44,571 --> 00:14:47,781 I'm pretending, for the moment, that I did grab that cable from my bag 313 00:14:47,781 --> 00:14:49,041 and plug it into the phone. 314 00:14:49,041 --> 00:14:53,421 Hitting Enter and it didn't actually do anything. 315 00:14:53,421 --> 00:14:54,831 That was not supposed to happen. 316 00:14:54,831 --> 00:14:55,441 [LAUGHING] 317 00:14:55,441 --> 00:14:59,421 So in CS50, we spent a lot of time introducing students to bugs, 318 00:14:59,421 --> 00:15:01,191 which are mistakes in programs. 319 00:15:01,191 --> 00:15:04,581 Sometimes, not so deliberate. 320 00:15:04,581 --> 00:15:08,221 Let me go ahead and apologize. 321 00:15:08,221 --> 00:15:10,701 Let me open this file. 322 00:15:10,701 --> 00:15:12,801 This didn't technically happen. 323 00:15:12,801 --> 00:15:13,491 OK. 324 00:15:13,491 --> 00:15:14,701 Python. 325 00:15:14,701 --> 00:15:15,201 There we go. 326 00:15:15,201 --> 00:15:17,771 OK. 327 00:15:17,771 --> 00:15:20,554 In CS50, we now will run the code here. 328 00:15:20,554 --> 00:15:23,471 And I'm going to go ahead and run a command called Python of crack.py. 329 00:15:23,471 --> 00:15:25,761 I had the file in the wrong location a moment ago. 
330 00:15:25,761 --> 00:15:29,571 And this is the equivalent, on a Mac or PC, of double-clicking an icon. 331 00:15:29,571 --> 00:15:30,071 Here we go. 332 00:15:30,071 --> 00:15:33,281 Is it seconds, minutes, hours, or days? 333 00:15:33,281 --> 00:15:36,851 Barely one second to try all 10,000 possibilities. 334 00:15:36,851 --> 00:15:40,061 You can't even see them all on the screen, but this printed out 0, 0, 0, 335 00:15:40,061 --> 00:15:42,677 0 all the way down, of course, to 9, 9, 9, 9. 336 00:15:42,677 --> 00:15:44,231 Plug in that cable and boom. 337 00:15:44,231 --> 00:15:47,231 The adversary doesn't need to be in that room for very long 338 00:15:47,231 --> 00:15:49,521 in order to get into that phone. 339 00:15:49,521 --> 00:15:50,021 All right. 340 00:15:50,021 --> 00:15:51,251 So what would be better than? 341 00:15:51,251 --> 00:15:56,351 Like clearly, four-digit passcodes, bad if you have someone in your life 342 00:15:56,351 --> 00:15:59,621 who has a finger or a robot or the ability to write code. 343 00:15:59,621 --> 00:16:02,201 And unfortunately, because of us, you now all 344 00:16:02,201 --> 00:16:04,841 have someone in the family with at least the third of those. 345 00:16:04,841 --> 00:16:08,171 How might we do better than this? 346 00:16:08,171 --> 00:16:10,361 What's better than a four-digit passcode? 347 00:16:10,361 --> 00:16:11,631 Anyone? 348 00:16:11,631 --> 00:16:12,131 Yeah. 349 00:16:12,131 --> 00:16:13,021 AUDIENCE: Six digits. 350 00:16:13,021 --> 00:16:13,291 SPEAKER: OK. 351 00:16:13,291 --> 00:16:14,086 So six digits. 352 00:16:14,086 --> 00:16:15,851 Heck, or seven digits or eight digits. 353 00:16:15,851 --> 00:16:16,351 Why? 354 00:16:16,351 --> 00:16:19,021 Because that's going to make, of course, the passcode longer, which means 355 00:16:19,021 --> 00:16:21,188 we're going to have to try more possibilities, which 356 00:16:21,188 --> 00:16:23,791 doesn't mean that the adversary is fundamentally stopped. 
357 00:16:23,791 --> 00:16:26,341 But it is going to slow them down. 358 00:16:26,341 --> 00:16:28,711 It's going to take them more time probabilistically 359 00:16:28,711 --> 00:16:30,541 to get to your passcode. 360 00:16:30,541 --> 00:16:34,211 And it in a sense then increases the cost to the adversary. 361 00:16:34,211 --> 00:16:36,181 And indeed, that's the theme in cybersecurity, 362 00:16:36,181 --> 00:16:40,351 raising the cost to the adversary, either financially or time-wise 363 00:16:40,351 --> 00:16:41,039 or the like. 364 00:16:41,039 --> 00:16:42,581 Just like in the real physical world. 365 00:16:42,581 --> 00:16:43,561 Most of you go home. 366 00:16:43,561 --> 00:16:44,911 You lock your doors at night. 367 00:16:44,911 --> 00:16:47,461 You might have invested in a better deadbolt than another. 368 00:16:47,461 --> 00:16:48,211 Why is that? 369 00:16:48,211 --> 00:16:51,271 You really just want to be more secure than the house next door. 370 00:16:51,271 --> 00:16:54,571 You want to make sure that it takes too much time, too much effort, 371 00:16:54,571 --> 00:16:57,301 too much risk to the adversary to get into your home. 372 00:16:57,301 --> 00:17:00,301 And that's, again, what cybersecurity is all about. 373 00:17:00,301 --> 00:17:03,691 To say my phone is secure is sort of nonsensical. 374 00:17:03,691 --> 00:17:07,321 To say that your phone is more secure than someone else's, that's really 375 00:17:07,321 --> 00:17:09,361 a reasonable, fair statement to make. 376 00:17:09,361 --> 00:17:11,011 So I like this instinct. 377 00:17:11,011 --> 00:17:13,141 Let's see if we can't make things a little harder. 378 00:17:13,141 --> 00:17:14,808 And actually, let's go one step further. 379 00:17:14,808 --> 00:17:17,561 Rather than just numbers, you've probably noticed, on your phones, 380 00:17:17,561 --> 00:17:19,081 you can use letters of the alphabet, too. 
381 00:17:19,081 --> 00:17:20,873 If you click the right option on the phone, 382 00:17:20,873 --> 00:17:22,751 you can start typing in words and letters. 383 00:17:22,751 --> 00:17:24,331 So how might we do that instead? 384 00:17:24,331 --> 00:17:27,691 Well, let's transition to four-letter passcodes. 385 00:17:27,691 --> 00:17:29,191 Four-letter passcodes. 386 00:17:29,191 --> 00:17:35,041 And if we do four-letter passcodes where the letters of the alphabet, 387 00:17:35,041 --> 00:17:38,251 for instance, are A through Z in English alone, 388 00:17:38,251 --> 00:17:41,881 let's go ahead and ask this question here 389 00:17:41,881 --> 00:17:44,286 if you have four letters of the alphabet. 390 00:17:44,286 --> 00:17:45,661 So let's not increase length yet. 391 00:17:45,661 --> 00:17:48,481 Let's just change to a bigger vocabulary. 392 00:17:48,481 --> 00:17:51,871 Now, we have A through Z instead of 0 through 9. 393 00:17:51,871 --> 00:17:54,451 How many four-letter passcodes are possible? 394 00:17:54,451 --> 00:17:56,911 How big is that universe that the adversary is going 395 00:17:56,911 --> 00:17:59,731 to have to search via brute force? 396 00:17:59,731 --> 00:18:05,771 So I'm seeing a lot of 7 millions, a bunch of 52,000s, 26,000s, 10,000s, 397 00:18:05,771 --> 00:18:09,971 9,999, a few smaller numbers here. 398 00:18:09,971 --> 00:18:11,521 Hopefully, it's not this low, right. 399 00:18:11,521 --> 00:18:15,301 Because we've already set the bar at 10,000 possibilities for numbers alone. 400 00:18:15,301 --> 00:18:18,211 Hopefully, if we've got English letters, A through Z, 401 00:18:18,211 --> 00:18:20,101 we can at least do better than 10,000. 402 00:18:20,101 --> 00:18:24,131 So I think we'll start to see maybe some of these bars change a little bit. 403 00:18:24,131 --> 00:18:27,121 But we've got 60% of you proposing 7 million. 404 00:18:27,121 --> 00:18:29,051 Well, let's go to the math. 
405 00:18:29,051 --> 00:18:32,311 So here we might have a way of thinking about this, 406 00:18:32,311 --> 00:18:33,871 both uppercase and lowercase. 407 00:18:33,871 --> 00:18:36,961 Even better if you consider it that way, lowercase A through Z, 408 00:18:36,961 --> 00:18:40,561 uppercase A through Z. That's 52 possibilities for the first digit 409 00:18:40,561 --> 00:18:44,491 times 52 times 52 times 52, or 52 to the fourth power. 410 00:18:44,491 --> 00:18:48,011 That indeed gives you 7 million-plus possibilities. 411 00:18:48,011 --> 00:18:48,511 All right. 412 00:18:48,511 --> 00:18:50,136 Well, let's now translate this to code. 413 00:18:50,136 --> 00:18:53,641 That already sounds way better, 10,000 versus 7 million. 414 00:18:53,641 --> 00:18:55,981 This is definitely going to slow that hacker down. 415 00:18:55,981 --> 00:18:59,611 Well, let's consider exactly how fast or slow it might now be. 416 00:18:59,611 --> 00:19:02,171 Let me go into my crack.py program. 417 00:19:02,171 --> 00:19:05,311 And let me make a little tweak so that, instead of just using digits, 418 00:19:05,311 --> 00:19:07,351 this time I'm going to use letters-- 419 00:19:07,351 --> 00:19:10,231 otherwise known as ASCII letters, as CS50 students will know. 420 00:19:10,231 --> 00:19:13,621 That just means familiar English letters of the alphabet. 421 00:19:13,621 --> 00:19:16,891 And I'm going to change my code to use these ASCII letters, four 422 00:19:16,891 --> 00:19:18,991 of them still, instead of digits alone. 423 00:19:18,991 --> 00:19:20,191 And that's the only change. 424 00:19:20,191 --> 00:19:23,401 Now, I'm going to pretend to plug my phone that I just stole from someone 425 00:19:23,401 --> 00:19:25,351 into a USB or a lightning cable. 426 00:19:25,351 --> 00:19:28,201 Let me maximize my window just so we can see things a bit more. 
427 00:19:28,201 --> 00:19:30,811 Let me run Python of crack.py now, and let's 428 00:19:30,811 --> 00:19:36,151 consider how long it takes to do 7 million possible codes. 429 00:19:36,151 --> 00:19:36,651 OK. 430 00:19:36,651 --> 00:19:37,881 Slower. 431 00:19:37,881 --> 00:19:39,081 Slower. 432 00:19:39,081 --> 00:19:41,851 Can't dramatically just say in one breath that we're done, 433 00:19:41,851 --> 00:19:44,991 but we're already at the Gs and then the Hs. 434 00:19:44,991 --> 00:19:46,903 And it's kind of flying by. 435 00:19:46,903 --> 00:19:49,611 This is where the adversary is probably getting nervous in the TV 436 00:19:49,611 --> 00:19:50,451 show or movie. 437 00:19:50,451 --> 00:19:50,691 Right? 438 00:19:50,691 --> 00:19:52,611 Someone is tiptoeing around in the other room. 439 00:19:52,611 --> 00:19:53,903 You don't want them to come in. 440 00:19:53,903 --> 00:19:56,211 You only have this much time to crack the code. 441 00:19:56,211 --> 00:20:02,661 And we're at the Rs, the Ss, the Ts, Us, Vs. So this feels like, what a minute 442 00:20:02,661 --> 00:20:03,231 or so? 443 00:20:03,231 --> 00:20:07,131 It's a good number of seconds, but it's still pretty brief, 444 00:20:07,131 --> 00:20:08,911 certainly if someone has the ability to. 445 00:20:08,911 --> 00:20:10,641 And now, we've got to do the capital letters, too. 446 00:20:10,641 --> 00:20:12,951 Certainly, if someone has the ability not to just secretly do it 447 00:20:12,951 --> 00:20:15,801 like in Hollywood in the next room but just take it with them 448 00:20:15,801 --> 00:20:20,611 and do it over the course of a minute or two at home, this seems to be faster. 449 00:20:20,611 --> 00:20:21,111 Sorry. 450 00:20:21,111 --> 00:20:24,515 This seems to be slower, because we're trying so many more possibilities. 451 00:20:24,515 --> 00:20:27,831 But if the adversary takes your phone, has it long enough, 452 00:20:27,831 --> 00:20:29,604 this doesn't feel like terribly long. 
453 00:20:29,604 --> 00:20:31,021 So what might be better than this? 454 00:20:31,021 --> 00:20:33,181 Let's take it one step further. 455 00:20:33,181 --> 00:20:35,121 What might be better than four letters? 456 00:20:35,121 --> 00:20:38,103 What do most websites ask you to add to the mix? 457 00:20:38,103 --> 00:20:39,311 AUDIENCE: Special characters. 458 00:20:39,311 --> 00:20:40,291 SPEAKER: So special characters. 459 00:20:40,291 --> 00:20:40,441 Right? 460 00:20:40,441 --> 00:20:42,011 And those things are darn annoying. 461 00:20:42,011 --> 00:20:42,511 Right? 462 00:20:42,511 --> 00:20:45,361 Because sometimes, they even tell you what letters or punctuation 463 00:20:45,361 --> 00:20:46,406 symbols you have to use. 464 00:20:46,406 --> 00:20:48,781 And then you type one and, oh, it's not on the damn list. 465 00:20:48,781 --> 00:20:49,823 I mean, it's frustrating. 466 00:20:49,823 --> 00:20:50,341 Why? 467 00:20:50,341 --> 00:20:53,381 Well, it's going to raise the bar, though, to the adversary. 468 00:20:53,381 --> 00:20:55,548 And that's, indeed, going to be the goal here, again 469 00:20:55,548 --> 00:20:58,291 just to increase the cost or time required for the adversary 470 00:20:58,291 --> 00:21:02,131 so that it doesn't finish like it did just now, after a couple of minutes. 471 00:21:02,131 --> 00:21:04,381 But it's going to keep going and going hopefully, such 472 00:21:04,381 --> 00:21:06,151 that they're going to lose interest in your phone 473 00:21:06,151 --> 00:21:08,371 and go try to crack into someone else's, presumably. 474 00:21:08,371 --> 00:21:09,461 So let's try this. 475 00:21:09,461 --> 00:21:13,681 Let me now go over to one other question here. 476 00:21:13,681 --> 00:21:17,141 And this question will now just be-- let's go from four characters. 477 00:21:17,141 --> 00:21:20,371 How about let's take it one step further and mix the two ideas here? 478 00:21:20,371 --> 00:21:23,611 More digits and longer passcodes. 
479 00:21:23,611 --> 00:21:27,101 How many eight character passcodes are possible? 480 00:21:27,101 --> 00:21:31,741 And by character, as a CS50 will know, I mean number or letter 481 00:21:31,741 --> 00:21:33,601 or punctuation symbol now. 482 00:21:33,601 --> 00:21:37,231 And there's like 32 or so standard punctuation symbols, so we're 483 00:21:37,231 --> 00:21:39,031 up to a good set of numbers now. 484 00:21:39,031 --> 00:21:42,691 How many eight-character passcodes do you think are possible? 485 00:21:42,691 --> 00:21:45,901 Million, billion, trillion, quadrillion, or quintillion? 486 00:21:45,901 --> 00:21:48,911 All of which, of course, are better than 10,000 possibilities. 487 00:21:48,911 --> 00:21:51,204 So we're in a whole different space now. 488 00:21:51,204 --> 00:21:53,371 Looks like these answers are coming in a little more 489 00:21:53,371 --> 00:21:57,061 slowly, perhaps as folks think about this. 490 00:21:57,061 --> 00:22:02,821 Is 10 digits plus 52 letters plus 32 punctuation symbols. 491 00:22:02,821 --> 00:22:05,591 Much more secure, it would seem. 492 00:22:05,591 --> 00:22:06,091 All right. 493 00:22:06,091 --> 00:22:08,041 We're up to 230 responses. 494 00:22:08,041 --> 00:22:12,181 Give folks another second or so. 495 00:22:12,181 --> 00:22:15,181 If you're trying to do the math, 10 plus 52 plus 32, 496 00:22:15,181 --> 00:22:19,001 that's going to give you 94 possibilities for each of the digits. 497 00:22:19,001 --> 00:22:19,501 All right. 498 00:22:19,501 --> 00:22:25,461 We're just about at our 350. 499 00:22:25,461 --> 00:22:25,961 All right. 500 00:22:25,961 --> 00:22:27,391 I'm going to toggle over the screen here. 501 00:22:27,391 --> 00:22:30,121 Going to click over to the results, show them in just a second on the screen 502 00:22:30,121 --> 00:22:30,621 now. 503 00:22:30,621 --> 00:22:32,491 And this is an interesting distribution. 
504 00:22:32,491 --> 00:22:34,533 I think some of you perhaps have the instinct now 505 00:22:34,533 --> 00:22:36,041 of just go for the biggest one. 506 00:22:36,041 --> 00:22:37,511 [LAUGHING] 507 00:22:37,511 --> 00:22:41,581 It's not quintillion, nice as that would be. 508 00:22:41,581 --> 00:22:43,851 Maybe it's quadrillion, trillion, billion, or million. 509 00:22:43,851 --> 00:22:45,101 We have more of a split there. 510 00:22:45,101 --> 00:22:47,161 So let's consider the math. 511 00:22:47,161 --> 00:22:50,221 So if we've got eight characters, and I claim 512 00:22:50,221 --> 00:22:52,231 that that's 94 possibilities for each. 513 00:22:52,231 --> 00:22:57,751 10 digits, 52 letters, 32 punctuation symbols. 514 00:22:57,751 --> 00:23:00,811 That's 94 to the eighth power, essentially. 515 00:23:00,811 --> 00:23:04,501 And that indeed is six quadrillion possibilities. 516 00:23:04,501 --> 00:23:06,901 Now, that's crazy big at this point. 517 00:23:06,901 --> 00:23:09,601 I daresay we're pretty safe from the human finger now. 518 00:23:09,601 --> 00:23:11,611 We're probably pretty safe from that robot, 519 00:23:11,611 --> 00:23:13,111 which is going to take a while, too. 520 00:23:13,111 --> 00:23:15,751 But Macs and PCs are pretty darn fast. 521 00:23:15,751 --> 00:23:19,591 And God forbid the adversary have a big server, use the cloud, so to speak, 522 00:23:19,591 --> 00:23:21,931 and really use a big expensive machine. 523 00:23:21,931 --> 00:23:26,971 How long does it take to get into six quadrillion possible passcodes? 524 00:23:26,971 --> 00:23:28,511 Well, how might we think about this? 525 00:23:28,511 --> 00:23:30,219 Suppose, just for the sake of discussion, 526 00:23:30,219 --> 00:23:32,731 it takes the adversary one second per code. 527 00:23:32,731 --> 00:23:35,101 Just so we have some unit of measure to start with. 
528 00:23:35,101 --> 00:23:39,359 One second per code, which means, in the worst case, 529 00:23:39,359 --> 00:23:41,401 the adversary really gets screwed and my passcode 530 00:23:41,401 --> 00:23:47,011 is like 9, 9, 9, 9, 9, 9, 9 or with a lot of crazy punctuation symbols in it. 531 00:23:47,011 --> 00:23:49,681 If each passcode takes a second to guess, 532 00:23:49,681 --> 00:23:52,811 how long is it going to take the adversary if, in the worst case, 533 00:23:52,811 --> 00:23:56,341 they spend six quadrillion seconds? 534 00:23:56,341 --> 00:24:00,861 How many hours or minutes or days or-- 535 00:24:00,861 --> 00:24:01,593 AUDIENCE: A lot. 536 00:24:01,593 --> 00:24:02,301 SPEAKER: --years? 537 00:24:02,301 --> 00:24:03,351 I'm hearing a lot. 538 00:24:03,351 --> 00:24:05,361 A lot is in fact correct. 539 00:24:05,361 --> 00:24:06,681 I did do the math. 540 00:24:06,681 --> 00:24:09,801 The adversary, if they're lucky and get all this way, 541 00:24:09,801 --> 00:24:13,761 they're going to be 193,000 years old by the time they 542 00:24:13,761 --> 00:24:16,701 get to all of those possible passcodes. 543 00:24:16,701 --> 00:24:17,721 So this sounds alluring. 544 00:24:17,721 --> 00:24:20,421 And in fact, let's just change our code one final time just 545 00:24:20,421 --> 00:24:23,181 to get a sense of how this might look and behave. 546 00:24:23,181 --> 00:24:26,251 In this version here, let me go back into my code 547 00:24:26,251 --> 00:24:30,051 and let me change this now to use, not just ASCII letters, but digits. 548 00:24:30,051 --> 00:24:32,241 And I'm going to add in punctuation. 549 00:24:32,241 --> 00:24:34,371 For CS50 students, there is, again, this library 550 00:24:34,371 --> 00:24:37,371 called the string library that lets you just import all of these symbols 551 00:24:37,371 --> 00:24:37,954 automatically. 552 00:24:37,954 --> 00:24:40,941 So we don't have to type out every character on my keyboard manually. 
553 00:24:40,941 --> 00:24:44,061 And then down here, I'm going to take the product of those ASCII letters 554 00:24:44,061 --> 00:24:47,421 again, plus those digits, plus the punctuation 555 00:24:47,421 --> 00:24:50,001 repeated eight times I claim this time. 556 00:24:50,001 --> 00:24:52,011 I'm going to now increase the size of my window 557 00:24:52,011 --> 00:24:53,594 just so we can see more on the screen. 558 00:24:53,594 --> 00:24:56,841 Rerun the code, and this is going to take 559 00:24:56,841 --> 00:24:59,901 us some hundreds of thousands of years. 560 00:24:59,901 --> 00:25:01,611 So we won't run to the end of this demo. 561 00:25:01,611 --> 00:25:03,261 Now, we seem to be in a better place. 562 00:25:03,261 --> 00:25:03,761 All right. 563 00:25:03,761 --> 00:25:05,301 So what's the takeaway here? 564 00:25:05,301 --> 00:25:08,511 Clearly, you should use a passcode, a password 565 00:25:08,511 --> 00:25:12,051 that's eight characters with letters and numbers and punctuation. 566 00:25:12,051 --> 00:25:14,251 Yes? 567 00:25:14,251 --> 00:25:14,879 OK. 568 00:25:14,879 --> 00:25:15,671 There's a mix here. 569 00:25:15,671 --> 00:25:16,471 Some of you are saying yes. 570 00:25:16,471 --> 00:25:17,011 Some are no. 571 00:25:17,011 --> 00:25:18,261 How about someone who says no. 572 00:25:18,261 --> 00:25:20,231 Why? 573 00:25:20,231 --> 00:25:20,781 Why no? 574 00:25:20,781 --> 00:25:21,281 Yeah. 575 00:25:21,281 --> 00:25:22,409 AUDIENCE: Recapture. 576 00:25:22,409 --> 00:25:23,201 SPEAKER: Recapture. 577 00:25:23,201 --> 00:25:23,441 OK. 578 00:25:23,441 --> 00:25:24,461 So there's other mechanisms. 579 00:25:24,461 --> 00:25:25,503 More on that in a second. 580 00:25:25,503 --> 00:25:26,441 Other instincts? 581 00:25:26,441 --> 00:25:27,725 Yeah. 582 00:25:27,725 --> 00:25:30,771 AUDIENCE: The computers are much faster than just one code per second. 583 00:25:30,771 --> 00:25:31,313 SPEAKER: Yes. 
584 00:25:31,313 --> 00:25:34,041 I'm kind of cheating with my verbal simplification here. 585 00:25:34,041 --> 00:25:37,149 Even this computer is way faster than one code per second. 586 00:25:37,149 --> 00:25:39,441 So it's not going to be hundreds of thousands of years. 587 00:25:39,441 --> 00:25:41,871 Might be tens of thousands of years or hundreds of years, 588 00:25:41,871 --> 00:25:44,431 but it's not going to be quite as dramatic as this. 589 00:25:44,431 --> 00:25:46,337 So that's a concern. 590 00:25:46,337 --> 00:25:49,295 AUDIENCE: Can't some passwords be made secure 591 00:25:49,295 --> 00:25:51,669 where you can guess a certain number every hour? 592 00:25:51,669 --> 00:25:52,211 SPEAKER: Yes. 593 00:25:52,211 --> 00:25:54,141 So maybe there's other mechanisms. 594 00:25:54,141 --> 00:25:57,973 So maybe we don't have to be so extreme as to introduce all of this randomness, 595 00:25:57,973 --> 00:25:58,931 as was proposed before. 596 00:25:58,931 --> 00:26:02,201 Because honestly, there's this theme in computer science, too, and really 597 00:26:02,201 --> 00:26:03,941 information technology of trade-offs. 598 00:26:03,941 --> 00:26:04,441 Right? 599 00:26:04,441 --> 00:26:08,261 Sure, I can use a really big random password. 600 00:26:08,261 --> 00:26:10,751 But my God, I'm going to end up writing it on my monitor 601 00:26:10,751 --> 00:26:13,991 on a post-it note, which I suspect statistically some of you 602 00:26:13,991 --> 00:26:15,101 are guilty of. 603 00:26:15,101 --> 00:26:15,731 Right? 604 00:26:15,731 --> 00:26:18,431 And you shouldn't necessarily just blame yourself 605 00:26:18,431 --> 00:26:20,321 or your colleague who's doing this. 606 00:26:20,321 --> 00:26:23,261 Like this is a symptom perhaps of bad IT policy. 607 00:26:23,261 --> 00:26:25,751 If we don't have necessarily very usable systems, 608 00:26:25,751 --> 00:26:29,351 maybe we shouldn't blame the human for forgetting their very random password. 
609 00:26:29,351 --> 00:26:33,081 Maybe we shouldn't require the human to have a very random password. 610 00:26:33,081 --> 00:26:33,941 So what could we do? 611 00:26:33,941 --> 00:26:36,431 A couple of technical mechanisms were just proposed. 612 00:26:36,431 --> 00:26:40,624 Let's go down this road of how we might try to defend against this. 613 00:26:40,624 --> 00:26:43,041 And I'll keep this running just for fun in the background. 614 00:26:43,041 --> 00:26:45,611 Let me switch back over to a visual here now 615 00:26:45,611 --> 00:26:47,381 that we've considered that many codes. 616 00:26:47,381 --> 00:26:50,231 What if we do something that some of your own phones 617 00:26:50,231 --> 00:26:54,491 already have that slow the adversary down? 618 00:26:54,491 --> 00:26:57,471 And some of you might have seen, on your iPhone, a screen like this. 619 00:26:57,471 --> 00:26:58,571 Let me zoom in. 620 00:26:58,571 --> 00:26:59,711 iPhone is disabled. 621 00:26:59,711 --> 00:27:00,971 Try again in one minute. 622 00:27:00,971 --> 00:27:03,561 Has anyone locked themselves out of their phone like this? 623 00:27:03,561 --> 00:27:04,751 I have. 624 00:27:04,751 --> 00:27:07,871 I mean, it's embarrassing to admit, but it's not leaking any information. 625 00:27:07,871 --> 00:27:08,371 All right. 626 00:27:08,371 --> 00:27:10,281 So many of you have done that already. 627 00:27:10,281 --> 00:27:12,581 But why is this actually a compelling feature? 628 00:27:12,581 --> 00:27:15,161 Just to be clear, annoying as this might be, 629 00:27:15,161 --> 00:27:17,321 because you probably don't want your phone locked 630 00:27:17,321 --> 00:27:21,731 at the very moment you're trying to get into it, why might it be a good thing? 631 00:27:21,731 --> 00:27:23,014 Yeah. 632 00:27:23,014 --> 00:27:24,431 Let's go somewhere else if we may. 633 00:27:24,431 --> 00:27:25,839 Yeah, in back. 634 00:27:25,839 --> 00:27:26,936 AUDIENCE: Slows down. 
635 00:27:26,936 --> 00:27:27,561 SPEAKER: Sorry? 636 00:27:27,561 --> 00:27:29,221 AUDIENCE: Slows down your response. 637 00:27:29,221 --> 00:27:30,679 SPEAKER: It slows down the process. 638 00:27:30,679 --> 00:27:32,011 It annoys you, to be fair. 639 00:27:32,011 --> 00:27:36,001 Like you pay a bit of this price, but it really slows down the adversary. 640 00:27:36,001 --> 00:27:39,391 Now, they're going to be able to type in not one code per second but one 641 00:27:39,391 --> 00:27:41,413 code per minute, a 60 times difference. 642 00:27:41,413 --> 00:27:43,621 That's really going to force them to pump the brakes. 643 00:27:43,621 --> 00:27:46,531 And unless that adversary is after you specifically, 644 00:27:46,531 --> 00:27:48,781 odds are they're going to go take someone else's phone 645 00:27:48,781 --> 00:27:51,781 or lose interest because you've raised the bar high enough to their 646 00:27:51,781 --> 00:27:52,471 getting in. 647 00:27:52,471 --> 00:27:55,798 On Android, if you do this, it depends on the operating system version. 648 00:27:55,798 --> 00:27:57,631 Here, might be something similar on Android. 649 00:27:57,631 --> 00:27:58,381 Too many attempts. 650 00:27:58,381 --> 00:27:59,041 Try again later. 651 00:27:59,041 --> 00:28:00,121 I mean, this is even more annoying. 652 00:28:00,121 --> 00:28:02,251 It doesn't even tell you when to try again later, 653 00:28:02,251 --> 00:28:05,161 but it does slow down the adversary. 654 00:28:05,161 --> 00:28:08,711 So if you don't have features like this enabled, you should. 655 00:28:08,711 --> 00:28:12,421 And if you're particularly security conscious or paranoid even, 656 00:28:12,421 --> 00:28:14,401 you can even enable a feature on these phones 657 00:28:14,401 --> 00:28:18,701 nowadays where they self-destruct, so to speak, after 10 wrong guesses. 658 00:28:18,701 --> 00:28:19,201 Right? 659 00:28:19,201 --> 00:28:20,131 Why 10? 
660 00:28:20,131 --> 00:28:23,221 The presumption is, among Apple and Google and others, 661 00:28:23,221 --> 00:28:26,761 that, if you type your passcode 10 times wrong, 662 00:28:26,761 --> 00:28:28,711 you're probably not who you say you are. 663 00:28:28,711 --> 00:28:30,061 You're probably someone else. 664 00:28:30,061 --> 00:28:32,701 Although if you're a little groggy first thing in the morning 665 00:28:32,701 --> 00:28:35,281 or if you've been out late and having a good time, 666 00:28:35,281 --> 00:28:40,871 you might not be a high enough threshold to protect your phone from you. 667 00:28:40,871 --> 00:28:44,101 And so there, too, is this trade-off again, and that's an extreme one. 668 00:28:44,101 --> 00:28:48,571 If your phone deletes itself, which is what I meant by self-destruct, then 669 00:28:48,571 --> 00:28:50,761 that might actually be to your detriment. 670 00:28:50,761 --> 00:28:54,211 Unless you have backups and all of that, but that's another technology 671 00:28:54,211 --> 00:28:55,271 question altogether. 672 00:28:55,271 --> 00:28:56,611 So there, too, this theme of trade-offs. 673 00:28:56,611 --> 00:28:59,491 You raise the bar to the adversary, but you've got to pay the price. 674 00:28:59,491 --> 00:29:01,781 You're not going to get any such feature for free. 675 00:29:01,781 --> 00:29:02,281 All right. 676 00:29:02,281 --> 00:29:06,931 What's another mechanism that many of us increasingly, thankfully, are doing? 677 00:29:06,931 --> 00:29:09,601 Might be when you log into a website, like Gmail, 678 00:29:09,601 --> 00:29:12,241 to have two-factor authentication. 679 00:29:12,241 --> 00:29:14,491 Sometimes, called "two-step authentication." 680 00:29:14,491 --> 00:29:17,251 I mean, how many of you use two-factor or two-step authentication 681 00:29:17,251 --> 00:29:18,411 with at least one account? 682 00:29:18,411 --> 00:29:18,911 All right. 683 00:29:18,911 --> 00:29:20,101 So that's amazing. 
684 00:29:20,101 --> 00:29:23,181 How many of you use it with all of your accounts? 685 00:29:23,181 --> 00:29:23,681 All right. 686 00:29:23,681 --> 00:29:25,141 Fewer of us. 687 00:29:25,141 --> 00:29:27,671 And there, too, that's not necessarily the wrong answer. 688 00:29:27,671 --> 00:29:28,171 Right? 689 00:29:28,171 --> 00:29:30,781 I have a lot of stupid websites that I have accounts on, 690 00:29:30,781 --> 00:29:32,521 like I bought something once on them. 691 00:29:32,521 --> 00:29:33,781 I don't really care about it. 692 00:29:33,781 --> 00:29:36,781 So there's a judgment call there in terms of what you really care about. 693 00:29:36,781 --> 00:29:39,811 But maybe your financial websites, your health care websites, 694 00:29:39,811 --> 00:29:42,571 or anything that's mildly sensitive to you probably 695 00:29:42,571 --> 00:29:45,491 should be raising the bar to the adversary by enabling this. 696 00:29:45,491 --> 00:29:46,291 So what is this? 697 00:29:46,291 --> 00:29:50,221 Particularly for those of you who didn't raise your hand, someone else, what is 698 00:29:50,221 --> 00:29:53,301 two-factor or two-step authentication? 699 00:29:53,301 --> 00:29:54,051 What's two-factor? 700 00:29:54,051 --> 00:29:54,739 Yeah. 701 00:29:54,739 --> 00:29:57,781 AUDIENCE: When you have to use your phone to verify that it's really you. 702 00:29:57,781 --> 00:29:57,991 SPEAKER: Yeah. 703 00:29:57,991 --> 00:30:00,511 So when you have to pull out your phone and verify that it's really you. 704 00:30:00,511 --> 00:30:01,651 And in the corporate world, you might have 705 00:30:01,651 --> 00:30:03,901 a little dongle, a key fob on your keychain 706 00:30:03,901 --> 00:30:05,291 that's got a little number on it. 707 00:30:05,291 --> 00:30:07,861 But generally speaking, two-factor authentication 708 00:30:07,861 --> 00:30:10,351 is all about, indeed, a second factor. 
709 00:30:10,351 --> 00:30:12,331 It's kind of oversimplified as two steps, 710 00:30:12,331 --> 00:30:15,421 but it's really key technologically that it be a different factor. 711 00:30:15,421 --> 00:30:18,031 It is not two-factor authentication if you just 712 00:30:18,031 --> 00:30:21,148 have two passwords that you have to remember, because both of those 713 00:30:21,148 --> 00:30:22,231 could be forgotten by you. 714 00:30:22,231 --> 00:30:24,251 Both of those could be stolen by someone else 715 00:30:24,251 --> 00:30:26,543 if you write them down on the post-it note or the like. 716 00:30:26,543 --> 00:30:30,211 Two-factor authentication is about having a fundamentally different factor 717 00:30:30,211 --> 00:30:33,451 available to you so that the odds that someone 718 00:30:33,451 --> 00:30:36,781 get at something you know, like your password, and something you have, 719 00:30:36,781 --> 00:30:39,451 like your phone, is just much, much smaller 720 00:30:39,451 --> 00:30:43,011 than the threat of just figuring out something you know, like a password 721 00:30:43,011 --> 00:30:43,511 alone. 722 00:30:43,511 --> 00:30:45,469 So the factor is something that's fundamentally 723 00:30:45,469 --> 00:30:47,171 different from the other thing. 724 00:30:47,171 --> 00:30:49,441 And so once you configure this, the user typically 725 00:30:49,441 --> 00:30:52,171 sees a screen like this, for instance, in the context of Gmail. 726 00:30:52,171 --> 00:30:53,926 The screens vary here at Harvard and Yale. 727 00:30:53,926 --> 00:30:56,551 Students are familiar with something called "Duo mobile," which 728 00:30:56,551 --> 00:30:57,941 is the exact same idea. 729 00:30:57,941 --> 00:31:01,591 And they typically use one-time codes, six digits thereabouts. 730 00:31:01,591 --> 00:31:03,571 And you can only use that code once. 
731 00:31:03,571 --> 00:31:06,691 And the idea is it's texted to you or pushed to your device 732 00:31:06,691 --> 00:31:09,421 so that you and only you can use it. 733 00:31:09,421 --> 00:31:13,041 Does this fundamentally secure your account? 734 00:31:13,041 --> 00:31:18,371 Is this enough, to just have a good password and two-factor authentication? 735 00:31:18,371 --> 00:31:22,430 Does that keep the adversaries out altogether? 736 00:31:22,430 --> 00:31:24,483 AUDIENCE: Not if someone wants to get in. 737 00:31:24,483 --> 00:31:25,691 SPEAKER: Not if someone what? 738 00:31:25,691 --> 00:31:27,051 AUDIENCE: Really wants to get in. 739 00:31:27,051 --> 00:31:27,321 SPEAKER: OK. 740 00:31:27,321 --> 00:31:28,911 Not if someone really wants to get in. 741 00:31:28,911 --> 00:31:32,691 Then you have other problems are certainly of concern, 742 00:31:32,691 --> 00:31:35,811 but you do want to ideally keep most adversaries at bay. 743 00:31:35,811 --> 00:31:36,591 And there are two. 744 00:31:36,591 --> 00:31:38,551 All we're doing is like raising the bar. 745 00:31:38,551 --> 00:31:39,051 Right? 746 00:31:39,051 --> 00:31:41,421 There's nothing stopping someone in physical proximity 747 00:31:41,421 --> 00:31:44,691 to me stealing my phone and getting into all of those accounts I just 748 00:31:44,691 --> 00:31:45,771 raised my hand about. 749 00:31:45,771 --> 00:31:48,681 But you at least protect yourself against the billions 750 00:31:48,681 --> 00:31:50,931 of other potential adversaries in the world that 751 00:31:50,931 --> 00:31:53,941 are geographically not near us, so you at least narrow the threat. 752 00:31:53,941 --> 00:31:55,251 So that's a good thing. 753 00:31:55,251 --> 00:31:56,391 But what else could we do? 754 00:31:56,391 --> 00:31:59,013 Because I feel like it's not fair for us to say, all right. 755 00:31:59,013 --> 00:31:59,721 Everyone go home. 756 00:31:59,721 --> 00:32:02,631 Start using better passwords-- longer, more complicated. 
757 00:32:02,631 --> 00:32:04,311 Because again, there's this trade-off. 758 00:32:04,311 --> 00:32:07,491 We don't want to send everyone home essentially with a pad of post-it notes 759 00:32:07,491 --> 00:32:10,504 to then counterbalance what's an unrealistic expectation. 760 00:32:10,504 --> 00:32:12,921 So how many of you, perhaps with a show of physical hands, 761 00:32:12,921 --> 00:32:15,801 use a password manager already? 762 00:32:15,801 --> 00:32:17,991 This is something practical we can equip you with. 763 00:32:17,991 --> 00:32:18,491 OK. 764 00:32:18,491 --> 00:32:19,911 So that was relatively few hands. 765 00:32:19,911 --> 00:32:23,721 And those of you who are in the habit still of memorizing your password, 766 00:32:23,721 --> 00:32:27,981 or worse, writing down the password, there are better solutions today. 767 00:32:27,981 --> 00:32:29,961 But here, too, there's going to be a caveat. 768 00:32:29,961 --> 00:32:31,881 There's no clear win necessarily. 769 00:32:31,881 --> 00:32:34,131 A password manager is a piece of software 770 00:32:34,131 --> 00:32:36,711 that you install on your Mac or PC or your phone that 771 00:32:36,711 --> 00:32:38,331 manages your passwords for you. 772 00:32:38,331 --> 00:32:41,661 And these come either built into the operating system. 773 00:32:41,661 --> 00:32:43,251 Windows has Credential Manager. 774 00:32:43,251 --> 00:32:45,411 macOS has something called "Keychain." 775 00:32:45,411 --> 00:32:48,441 There's third-party software like 1Password or LastPass. 776 00:32:48,441 --> 00:32:51,194 Companies and universities often have site licenses 777 00:32:51,194 --> 00:32:54,111 so that students in particular can use these kinds of things for free, 778 00:32:54,111 --> 00:32:56,528 but the ones that come with your operating system or phone 779 00:32:56,528 --> 00:32:57,981 are themselves already free. 780 00:32:57,981 --> 00:33:00,811 And not using them is really the missed opportunity here. 
781 00:33:00,811 --> 00:33:02,489 So what is a password manager? 782 00:33:02,489 --> 00:33:04,531 It's a program that, yes, manages your passwords. 783 00:33:04,531 --> 00:33:05,811 But it does a few things more. 784 00:33:05,811 --> 00:33:08,451 It generates passwords for you, typically. 785 00:33:08,451 --> 00:33:10,701 I mean, honestly, it's been years since I have 786 00:33:10,701 --> 00:33:13,011 chosen my own password on a website. 787 00:33:13,011 --> 00:33:16,011 I instead click a button in my password manager software 788 00:33:16,011 --> 00:33:19,131 or I use a keyboard shortcut to generate something 789 00:33:19,131 --> 00:33:23,281 that's eight characters, heck, maybe 16, 24, 32 characters long. 790 00:33:23,281 --> 00:33:27,381 I don't care because the software's job is to manage that password for me. 791 00:33:27,381 --> 00:33:30,921 That is, the software remembers this crazy long password for me. 792 00:33:30,921 --> 00:33:33,921 And better yet, it comes with a button or a keyboard 793 00:33:33,921 --> 00:33:37,531 shortcut that will automatically fill out forms for me on the web. 794 00:33:37,531 --> 00:33:41,091 When I say log me in, it will grab my password from my computer, 795 00:33:41,091 --> 00:33:42,741 plug it in, and voila. 796 00:33:42,741 --> 00:33:43,701 I'm logged in. 797 00:33:43,701 --> 00:33:47,871 The upside of this is that, even if that website is compromised 798 00:33:47,871 --> 00:33:51,321 and my password leaks out, I'm not using that password presumably 799 00:33:51,321 --> 00:33:54,561 anywhere else because the software's job is generally to create 800 00:33:54,561 --> 00:33:57,021 unique passwords for each website. 801 00:33:57,021 --> 00:34:00,021 And it's not going to be guessed via brute force, 802 00:34:00,021 --> 00:34:03,171 by one of you writing code, because it's just too long. 
803 00:34:03,171 --> 00:34:06,771 Probabilistically, we're all going to be gone by the time your computer finishes 804 00:34:06,771 --> 00:34:08,491 trying to crack it. 805 00:34:08,491 --> 00:34:09,449 So what's the downside? 806 00:34:09,449 --> 00:34:10,533 I mean, this sounds great. 807 00:34:10,533 --> 00:34:13,581 If the software generates passcodes for you and plugs them in for you, 808 00:34:13,581 --> 00:34:16,021 where's the downside? 809 00:34:16,021 --> 00:34:16,521 Anyone? 810 00:34:16,521 --> 00:34:17,350 Yeah. 811 00:34:17,350 --> 00:34:19,433 AUDIENCE: If you're using somebody else's computer 812 00:34:19,433 --> 00:34:22,728 and you need to access it, then you don't know the password. 813 00:34:22,728 --> 00:34:23,311 SPEAKER: Yeah. 814 00:34:23,311 --> 00:34:25,381 If you use someone else's computer or you're 815 00:34:25,381 --> 00:34:28,563 in like a library environment, a lab environment, 816 00:34:28,563 --> 00:34:30,271 you don't have your passwords accessible. 817 00:34:30,271 --> 00:34:32,701 Now, there's a way to mitigate that so long as you 818 00:34:32,701 --> 00:34:34,441 sync the same software to your phone. 819 00:34:34,441 --> 00:34:36,871 You might have to pay another $1.99 or $20 820 00:34:36,871 --> 00:34:38,641 to have the same software on your phone. 821 00:34:38,641 --> 00:34:41,011 You can at least mitigate that by sharing the passcodes 822 00:34:41,011 --> 00:34:42,241 across your devices. 823 00:34:42,241 --> 00:34:43,171 Not as user-friendly. 824 00:34:43,171 --> 00:34:46,321 You're going to have to now manually type out this really long password 825 00:34:46,321 --> 00:34:49,081 and that, too, is annoying if you get one character wrong. 826 00:34:49,081 --> 00:34:50,761 But that's one way to mitigate that. 827 00:34:50,761 --> 00:34:51,624 Other concerns? 828 00:34:51,624 --> 00:34:54,791 AUDIENCE: If someone cracks the code, then they now have all your passwords. 
829 00:34:54,791 --> 00:34:56,201 SPEAKER: That's maybe the biggest threat. 830 00:34:56,201 --> 00:34:58,841 I mean, you're kind of putting all of your proverbial eggs 831 00:34:58,841 --> 00:34:59,981 in the same basket. 832 00:34:59,981 --> 00:35:03,821 If someone now gets into my password manager, which I should stipulate 833 00:35:03,821 --> 00:35:07,001 is supposed to itself have a really big long password 834 00:35:07,001 --> 00:35:10,841 that I do have to remember, but only one such long password, 835 00:35:10,841 --> 00:35:12,561 I mean, then I'm really out of luck. 836 00:35:12,561 --> 00:35:16,851 Now, every single account I own is compromised except for those 837 00:35:16,851 --> 00:35:18,101 that at least have two-factor. 838 00:35:18,101 --> 00:35:20,801 Unless the adversary also steals my phone or my key fob. 839 00:35:20,801 --> 00:35:22,133 Other concerns? 840 00:35:22,133 --> 00:35:25,239 AUDIENCE: If someone is like [INAUDIBLE]. 841 00:35:31,701 --> 00:35:32,421 SPEAKER: Exactly. 842 00:35:32,421 --> 00:35:35,541 If someone gets physical access to your device, honestly in general, 843 00:35:35,541 --> 00:35:36,396 all bets are off. 844 00:35:36,396 --> 00:35:39,021 And this is why some of today's listeners are really important. 845 00:35:39,021 --> 00:35:42,973 It's only going to matter when you first lose your phone or someone walks off 846 00:35:42,973 --> 00:35:44,181 with your laptop or the like. 847 00:35:44,181 --> 00:35:46,056 There are certain things you can do to defend 848 00:35:46,056 --> 00:35:47,961 against that inevitability, dare say. 849 00:35:47,961 --> 00:35:49,881 But you want to make sure that, if you are 850 00:35:49,881 --> 00:35:52,220 using some of these solutions like a password manager, 851 00:35:52,220 --> 00:35:57,021 that that long primary password you use for it is itself really hard to guess.
852 00:35:57,021 --> 00:36:00,141 And I would say, I'm OK with you writing that down even 853 00:36:00,141 --> 00:36:01,901 but putting it in like a safe deposit box 854 00:36:01,901 --> 00:36:03,651 or hiding it somewhere in the house that's 855 00:36:03,651 --> 00:36:05,841 just very low probability of someone finding. 856 00:36:05,841 --> 00:36:08,970 Because the other problem with putting all of your eggs in one basket, 857 00:36:08,970 --> 00:36:13,701 if you forget your password, then you lose everything. 858 00:36:13,701 --> 00:36:16,471 And that, too, seems like a pretty serious price to pay. 859 00:36:16,471 --> 00:36:19,881 But this is a constant battle in computing nowadays, usability 860 00:36:19,881 --> 00:36:22,281 and security and finding that inflection point. 861 00:36:22,281 --> 00:36:24,571 But there, too, you can be selective. 862 00:36:24,571 --> 00:36:25,071 Right? 863 00:36:25,071 --> 00:36:27,661 I called out financial information, health information, 864 00:36:27,661 --> 00:36:29,151 your personal email, your calendar. 865 00:36:29,151 --> 00:36:31,861 Anything that's mildly more sensitive to you or important, 866 00:36:31,861 --> 00:36:34,461 raise the bar at least on those accounts even 867 00:36:34,461 --> 00:36:38,931 if you're not quite ready to go all in on all of these other factors. 868 00:36:38,931 --> 00:36:41,721 Well, let's consider then where we're using these passwords. 869 00:36:41,721 --> 00:36:43,971 Consider just a couple of specific examples. 870 00:36:43,971 --> 00:36:44,871 Email, of course. 871 00:36:44,871 --> 00:36:47,151 Gmail is the example I used earlier. 872 00:36:47,151 --> 00:36:49,431 Gmail and email accounts, more generally, 873 00:36:49,431 --> 00:36:51,101 are increasingly offering us features. 
874 00:36:51,101 --> 00:36:52,851 And in fact, there's one that I thought we 875 00:36:52,851 --> 00:36:55,011 could highlight as an example of something 876 00:36:55,011 --> 00:36:58,101 that, as a CS50 student, a CS50 family member, 877 00:36:58,101 --> 00:37:01,311 you should really start viewing the world with a more 878 00:37:01,311 --> 00:37:03,741 skeptical eye, a little more paranoid eye, 879 00:37:03,741 --> 00:37:06,471 and not necessarily just believe things that websites say. 880 00:37:06,471 --> 00:37:09,021 I mean, it's mostly meaningless when a website says-- 881 00:37:09,021 --> 00:37:11,421 sometimes, with a pretty little logo or emblem-- 882 00:37:11,421 --> 00:37:13,551 our website is secure. 883 00:37:13,551 --> 00:37:14,851 What does that even mean? 884 00:37:14,851 --> 00:37:16,701 And it's again, all about relativity. 885 00:37:16,701 --> 00:37:19,791 And even Gmail, I daresay somewhat irresponsibly, 886 00:37:19,791 --> 00:37:21,441 has this feature in recent years. 887 00:37:21,441 --> 00:37:23,061 Confidential mode. 888 00:37:23,061 --> 00:37:26,721 Is anyone-- if you're using G Suite or Google Apps at work or workspace 889 00:37:26,721 --> 00:37:29,859 nowadays-- in the habit of using confidential mode? 890 00:37:29,859 --> 00:37:30,651 I mean, it sounds-- 891 00:37:30,651 --> 00:37:30,861 OK. 892 00:37:30,861 --> 00:37:32,451 No one's using this, so this is great. 893 00:37:32,451 --> 00:37:34,933 And I worry now that I'm introducing you to a feature 894 00:37:34,933 --> 00:37:36,391 that you shouldn't necessarily use. 895 00:37:36,391 --> 00:37:39,501 But all this time, if you're a Gmail user, 896 00:37:39,501 --> 00:37:42,081 there is, along the little menu bar, an icon 897 00:37:42,081 --> 00:37:43,706 that lets you enable confidential mode. 898 00:37:43,706 --> 00:37:45,289 And later tonight, play around for it. 
899 00:37:45,289 --> 00:37:47,671 Just look for it, and you'll see exactly this screenshot, 900 00:37:47,671 --> 00:37:48,891 which I took yesterday. 901 00:37:48,891 --> 00:37:52,131 According to Google, recipients won't have the option to forward, 902 00:37:52,131 --> 00:37:54,871 copy, print, or download this email. 903 00:37:54,871 --> 00:37:55,371 Right? 904 00:37:55,371 --> 00:37:57,111 Great for lawyers, it would seem. 905 00:37:57,111 --> 00:37:58,041 Great for business. 906 00:37:58,041 --> 00:38:00,501 Great for private correspondence. 907 00:38:00,501 --> 00:38:03,531 But why is this perhaps a bit misleading? 908 00:38:06,201 --> 00:38:08,391 Where should the skepticism come from here? 909 00:38:08,391 --> 00:38:10,711 Even a company like Google, I dare say, they've 910 00:38:10,711 --> 00:38:13,731 probably buried the caveats that I'm hinting at under the Learn More. 911 00:38:13,731 --> 00:38:15,241 But unfortunately, that might be too late. 912 00:38:15,241 --> 00:38:15,741 Yeah. 913 00:38:15,741 --> 00:38:16,881 In back. 914 00:38:16,881 --> 00:38:19,381 AUDIENCE: Will they be able to take screenshots of the mail? 915 00:38:19,381 --> 00:38:19,591 SPEAKER: Yeah. 916 00:38:19,591 --> 00:38:20,461 I mean, those of you who know how to take 917 00:38:20,461 --> 00:38:21,811 a screenshot, that's the simplest way. 918 00:38:21,811 --> 00:38:23,311 If you don't know how to do that, well, here's a phone. 919 00:38:23,311 --> 00:38:26,531 I can just take a picture of what it is I see on the screen. 920 00:38:26,531 --> 00:38:28,681 And so these are software defenses that are 921 00:38:28,681 --> 00:38:31,771 in place that essentially disable the Forward button, 922 00:38:31,771 --> 00:38:33,219 disable the Print button. 923 00:38:33,219 --> 00:38:35,011 But honestly, as you probably already know, 924 00:38:35,011 --> 00:38:37,711 once something is already digital, I mean, it's out there. 925 00:38:37,711 --> 00:38:39,241 And there are other ways to get it. 
926 00:38:39,241 --> 00:38:42,283 It might not be as high quality if you're taking out your phone to do it, 927 00:38:42,283 --> 00:38:44,611 but you should view things like this with skepticism. 928 00:38:44,611 --> 00:38:47,111 And even I, when I occasionally receive something like this, 929 00:38:47,111 --> 00:38:50,221 I kind of roll my eyes but regret that the user thinks what they're 930 00:38:50,221 --> 00:38:52,771 doing is consistent with this language. 931 00:38:52,771 --> 00:38:54,011 But it isn't necessarily. 932 00:38:54,011 --> 00:38:57,301 And so indeed, in part, from an introduction to computer science, 933 00:38:57,301 --> 00:39:00,688 you begin to get a little scared from what's going on out there. 934 00:39:00,688 --> 00:39:03,271 Because there are so many different threats and so many things 935 00:39:03,271 --> 00:39:05,221 that you can't, in fact, do. 936 00:39:05,221 --> 00:39:09,631 And the onus is, unfortunately, often on us users to read between the lines 937 00:39:09,631 --> 00:39:11,644 and see what actually is possible. 938 00:39:11,644 --> 00:39:14,311 Here's another one that you might be more in the habit of using, 939 00:39:14,311 --> 00:39:18,151 incognito mode or private mode in Chrome or Safari 940 00:39:18,151 --> 00:39:19,961 or Firefox or Edge or the like. 941 00:39:19,961 --> 00:39:24,031 What does incognito mode do, if familiar? 942 00:39:24,031 --> 00:39:24,961 What's incognito mode? 943 00:39:24,961 --> 00:39:25,726 Yeah. 944 00:39:25,726 --> 00:39:28,981 It doesn't log locally what you're doing. 945 00:39:28,981 --> 00:39:30,941 It doesn't log locally what you're doing. 946 00:39:30,941 --> 00:39:31,441 Exactly. 947 00:39:31,441 --> 00:39:34,561 Most people here probably generally know about things called cookies, even 948 00:39:34,561 --> 00:39:36,301 if you're not quite sure how they work. 
949 00:39:36,301 --> 00:39:39,421 But they're like these little remnants or bread crumbs 950 00:39:39,421 --> 00:39:42,961 you leave behind when visiting websites that allow the websites to keep track 951 00:39:42,961 --> 00:39:45,121 of who you are in some sense. 952 00:39:45,121 --> 00:39:48,421 According to Google here, when you're using incognito mode, 953 00:39:48,421 --> 00:39:50,491 Chrome won't save your browsing history. 954 00:39:50,491 --> 00:39:51,811 So that's good. 955 00:39:51,811 --> 00:39:55,321 Cookies and site data, information entered into forms. 956 00:39:55,321 --> 00:39:58,501 But to their credit, they do disclaim that your activity might still 957 00:39:58,501 --> 00:40:01,921 be visible to the websites you visit, your employer or school, 958 00:40:01,921 --> 00:40:03,406 your internet service provider. 959 00:40:03,406 --> 00:40:05,281 So they're getting better at at least helping 960 00:40:05,281 --> 00:40:07,981 you evaluate by giving more of the facts whether you 961 00:40:07,981 --> 00:40:09,691 do or don't want to do this. 962 00:40:09,691 --> 00:40:14,461 But this doesn't mean that the websites you're visiting, indeed, 963 00:40:14,461 --> 00:40:15,271 don't know who you are. 964 00:40:15,271 --> 00:40:17,363 All of our computers have unique addresses, 965 00:40:17,363 --> 00:40:20,071 these things called IP addresses that you might have heard about. 966 00:40:20,071 --> 00:40:22,501 In CS50, we'll explore these in another week's time. 967 00:40:22,501 --> 00:40:26,341 Your computer is constantly leaking information that 968 00:40:26,341 --> 00:40:28,691 could be used to infer who you were. 969 00:40:28,691 --> 00:40:30,751 So this is really just best left when you 970 00:40:30,751 --> 00:40:34,321 don't want to accidentally, on like a friend's computer or a lab computer, 971 00:40:34,321 --> 00:40:35,448 remain logged in. 972 00:40:35,448 --> 00:40:38,531 Because cookies are typically used to just remember that you've logged in.
973 00:40:38,531 --> 00:40:41,161 So if you use a friend's computer, you use incognito mode 974 00:40:41,161 --> 00:40:42,301 and just close the window. 975 00:40:42,301 --> 00:40:42,801 Boom. 976 00:40:42,801 --> 00:40:44,161 You're effectively logged out. 977 00:40:44,161 --> 00:40:49,501 But even as Google disclaims, there's other caveats there, too. 978 00:40:49,501 --> 00:40:52,801 So what else might we keep in mind? 979 00:40:52,801 --> 00:40:55,621 Let's consider one other big one that's another thing 980 00:40:55,621 --> 00:41:00,301 to start looking for increasingly in order to keep yourself secure, 981 00:41:00,301 --> 00:41:02,191 and this one's a little more technical. 982 00:41:02,191 --> 00:41:03,241 Encryption. 983 00:41:03,241 --> 00:41:06,481 And as CS50 students will know, this is something you can implement in code. 984 00:41:06,481 --> 00:41:08,064 And in fact, let me ask this question. 985 00:41:08,064 --> 00:41:11,221 What does it mean to encrypt something? 986 00:41:11,221 --> 00:41:14,994 Think back to pset2 and Caesar and the like. 987 00:41:14,994 --> 00:41:16,411 Let me look a little farther back. 988 00:41:16,411 --> 00:41:18,786 Almost any student hands should theoretically be up here. 989 00:41:18,786 --> 00:41:19,532 Yeah. 990 00:41:19,532 --> 00:41:22,418 AUDIENCE: You can substitute characters [INAUDIBLE] 991 00:41:22,418 --> 00:41:25,173 so that you can't read it as the first ones. 992 00:41:25,173 --> 00:41:25,881 SPEAKER: Exactly. 993 00:41:25,881 --> 00:41:28,941 Encryption is all about substituting one letter for another 994 00:41:28,941 --> 00:41:32,031 and generally scrambling the appearance of some message 995 00:41:32,031 --> 00:41:35,151 up so that the recipient knows how to reverse that process 996 00:41:35,151 --> 00:41:36,651 and see what you actually sent. 997 00:41:36,651 --> 00:41:40,011 But anyone intervening in between you can't actually 998 00:41:40,011 --> 00:41:41,751 see the information between you. 
999 00:41:41,751 --> 00:41:48,341 So just to impress the parents in the room, any students, what does this say? 1000 00:41:48,341 --> 00:41:49,391 We're not ending here. 1001 00:41:49,391 --> 00:41:50,561 AUDIENCE: This was CS50. 1002 00:41:50,561 --> 00:41:51,818 SPEAKER: This was CS50. 1003 00:41:51,818 --> 00:41:53,901 That's what it would say, but notice the scramble. 1004 00:41:53,901 --> 00:41:56,621 Let me go back and forth, back and forth. 1005 00:41:56,621 --> 00:42:06,371 In this message, t becomes u, h becomes i, i becomes j, s becomes t. 1006 00:42:06,371 --> 00:42:10,724 This is what we called a few weeks ago, in CS50, a rotational cipher, a Caesar 1007 00:42:10,724 --> 00:42:12,641 cipher, that literally does, as you described, 1008 00:42:12,641 --> 00:42:14,531 substitutes one letter for the next. 1009 00:42:14,531 --> 00:42:16,781 But it does so in a very predictable way. 1010 00:42:16,781 --> 00:42:18,871 A becomes B, B becomes C, and so forth. 1011 00:42:18,871 --> 00:42:22,121 And we also talked, weeks ago, that you don't have to keep it that simplistic. 1012 00:42:22,121 --> 00:42:24,581 You can use a bigger mathematical formula 1013 00:42:24,581 --> 00:42:27,671 to make it at least harder for some adversary to figure out. 1014 00:42:27,671 --> 00:42:33,161 But you and I, as users these days, are constantly thankfully using encryption. 1015 00:42:33,161 --> 00:42:36,461 You probably generally know that you should be hoping for, 1016 00:42:36,461 --> 00:42:38,051 expecting this these days. 1017 00:42:38,051 --> 00:42:39,761 Like HTTPS is a good thing. 1018 00:42:39,761 --> 00:42:42,041 S means secure, literally.
1019 00:42:42,041 --> 00:42:45,341 And any website that has that in its URL indicates 1020 00:42:45,341 --> 00:42:49,031 to you that you and the website are having an encrypted, 1021 00:42:49,031 --> 00:42:51,041 a scrambled communication, which means, if you 1022 00:42:51,041 --> 00:42:53,411 type in your password, your credit card information, 1023 00:42:53,411 --> 00:42:57,461 anything else personally, no one between you theoretically, points A and B, 1024 00:42:57,461 --> 00:43:00,431 should be able to know what it is you've typed into that web page. 1025 00:43:00,431 --> 00:43:02,861 The web page absolutely can, because they 1026 00:43:02,861 --> 00:43:06,701 have the ability to decrypt that information, to reverse the process. 1027 00:43:06,701 --> 00:43:09,651 But at least encryption is generally a good thing. 1028 00:43:09,651 --> 00:43:12,881 But today, let's take that one step further and encourage you all 1029 00:43:12,881 --> 00:43:16,421 to be looking for, expecting, if you will, as consumers increasingly 1030 00:43:16,421 --> 00:43:19,571 in the coming years, something better than encryption alone 1031 00:43:19,571 --> 00:43:22,541 but end-to-end encryption. 1032 00:43:22,541 --> 00:43:26,094 And you're starting to hear about, read about this a little bit more. 1033 00:43:26,094 --> 00:43:27,761 But it's perhaps a little less familiar. 1034 00:43:27,761 --> 00:43:33,221 Someone in the room, who's familiar, what is end-to-end encryption? 1035 00:43:33,221 --> 00:43:34,371 Let me give folks a moment. 1036 00:43:34,371 --> 00:43:39,231 What is end-to-end encryption? 1037 00:43:39,231 --> 00:43:39,731 OK. 1038 00:43:39,731 --> 00:43:41,477 Yeah. 1039 00:43:41,477 --> 00:43:46,297 AUDIENCE: It's where you always try [INAUDIBLE]. 1040 00:43:46,297 --> 00:43:49,496 WhatsApp encrypts a message on one side and sends it 1041 00:43:49,496 --> 00:43:51,121 where it's encrypted on the other side. 1042 00:43:51,121 --> 00:43:51,704 SPEAKER: Good.
1043 00:43:51,704 --> 00:43:54,161 So it's when an app, like WhatsApp, encrypts a message, 1044 00:43:54,161 --> 00:43:57,131 but it's encrypted all the way to the other side, to the recipient. 1045 00:43:57,131 --> 00:43:59,491 Even though Facebook, in this case, owns WhatsApp, 1046 00:43:59,491 --> 00:44:03,061 even though your message is going through Facebook or Meta servers, 1047 00:44:03,061 --> 00:44:05,731 they do not have theoretically the ability 1048 00:44:05,731 --> 00:44:09,361 to decrypt your message, whatever chat message you've sent to a friend. 1049 00:44:09,361 --> 00:44:13,981 They are just sending seemingly random zeros and ones all the way to the end 1050 00:44:13,981 --> 00:44:15,811 user who can then decrypt it. 1051 00:44:15,811 --> 00:44:19,271 If you're an iPhone user, iMessage, for instance, does this automatically. 1052 00:44:19,271 --> 00:44:22,218 So long as your text messages are blue and not green, 1053 00:44:22,218 --> 00:44:25,051 that means you're using iMessage in Apple's platform that does this. 1054 00:44:25,051 --> 00:44:27,061 But let's focus perhaps on something that's 1055 00:44:27,061 --> 00:44:30,701 been all too familiar to most of us over this past year, Zoom. 1056 00:44:30,701 --> 00:44:31,201 Right? 1057 00:44:31,201 --> 00:44:33,271 Zoom actually took some flack some months ago. 1058 00:44:33,271 --> 00:44:35,063 Because in their marketing literature, they 1059 00:44:35,063 --> 00:44:37,111 were advertising end-to-end encryption. 1060 00:44:37,111 --> 00:44:41,281 They were not implementing end-to-end encryption, at least initially. 1061 00:44:41,281 --> 00:44:43,703 This was probably marketing gone awry, not quite 1062 00:44:43,703 --> 00:44:45,661 understanding what end-to-end encryption means. 1063 00:44:45,661 --> 00:44:46,921 They were using encryption.
1064 00:44:46,921 --> 00:44:50,071 And what that meant is that, if I were having a meeting with a colleague 1065 00:44:50,071 --> 00:44:52,691 or you were sitting in on a class with a teacher, 1066 00:44:52,691 --> 00:44:57,301 you might have an encrypted connection-- all of you-- to Zoom centrally, 1067 00:44:57,301 --> 00:45:01,081 but they had the ability-- early on and still now if you leave this feature 1068 00:45:01,081 --> 00:45:01,591 off-- 1069 00:45:01,591 --> 00:45:05,731 to decrypt that information and see and listen to theoretically anything 1070 00:45:05,731 --> 00:45:08,341 going on in that meeting or that classroom. 1071 00:45:08,341 --> 00:45:11,641 Now, technologically, there's not really a good defense against that 1072 00:45:11,641 --> 00:45:13,411 if using that older approach. 1073 00:45:13,411 --> 00:45:14,941 All it really is is policy. 1074 00:45:14,941 --> 00:45:18,521 Or hopefully, there's rules in place, there's contracts in place that say, 1075 00:45:18,521 --> 00:45:21,001 well, yeah, that's possible, but don't do that. 1076 00:45:21,001 --> 00:45:24,631 End-to-end encryption is a stronger guarantee for you 1077 00:45:24,631 --> 00:45:27,716 that circumvents that risk altogether by ensuring 1078 00:45:27,716 --> 00:45:30,841 that, if you're tuning into that class or you're logging into that meeting, 1079 00:45:30,841 --> 00:45:33,691 all of the zeros and ones are going through Zoom servers, 1080 00:45:33,691 --> 00:45:37,151 just like Facebook's, but only the end users-- 1081 00:45:37,151 --> 00:45:39,901 only the students and teachers, only the colleague and colleague-- 1082 00:45:39,901 --> 00:45:44,251 can actually decrypt and see and hear what it is that's being said. 1083 00:45:44,251 --> 00:45:47,469 And if you're one who schedules Zoom meetings, you can actually see this. 
1084 00:45:47,469 --> 00:45:50,011 For instance, here's a screenshot that I took yesterday, too, 1085 00:45:50,011 --> 00:45:52,171 scheduling like a Zoom meeting for today. 1086 00:45:52,171 --> 00:45:55,441 And you'll see that you can choose the day and the time, the password. 1087 00:45:55,441 --> 00:45:55,951 Haha. 1088 00:45:55,951 --> 00:45:59,191 And also down here, the encryption level. 1089 00:45:59,191 --> 00:46:02,701 And by default, it's typically enhanced encryption, which is stupid. 1090 00:46:02,701 --> 00:46:03,866 Like enhanced encryption. 1091 00:46:03,866 --> 00:46:04,741 It's just encryption. 1092 00:46:04,741 --> 00:46:08,201 And in fact, it's sort of worse encryption than the other checkbox, 1093 00:46:08,201 --> 00:46:10,991 which is end-to-end encryption. 1094 00:46:10,991 --> 00:46:12,301 But there's this little caveat. 1095 00:46:12,301 --> 00:46:14,941 And here, too, consistent with this reality in computing, 1096 00:46:14,941 --> 00:46:16,111 there's always a trade-off. 1097 00:46:16,111 --> 00:46:16,611 Right? 1098 00:46:16,611 --> 00:46:19,141 It's not all upside and all win. 1099 00:46:19,141 --> 00:46:21,661 Several features will be automatically disabled 1100 00:46:21,661 --> 00:46:23,611 when using end-to-end encryption, including 1101 00:46:23,611 --> 00:46:25,861 cloud recording and some phone stuff. 1102 00:46:25,861 --> 00:46:28,531 I mean, that's already kind of a big loss for a class, 1103 00:46:28,531 --> 00:46:31,201 for instance, a conference that wants to keep the sessions. 1104 00:46:31,201 --> 00:46:32,461 But it kind of makes sense. 1105 00:46:32,461 --> 00:46:32,961 Right? 1106 00:46:32,961 --> 00:46:35,821 If the data is encrypted between all of the end users 1107 00:46:35,821 --> 00:46:39,539 and, therefore, Zoom has no eyes into the data or ears, 1108 00:46:39,539 --> 00:46:42,331 then it makes sense that they can't record it for you in the cloud. 
1109 00:46:42,331 --> 00:46:45,631 Because it's completely, completely scrambled to them, too. 1110 00:46:45,631 --> 00:46:49,291 So a good primitive to have in place but also something 1111 00:46:49,291 --> 00:46:52,261 that you need to sacrifice in terms of usability. 1112 00:46:52,261 --> 00:46:55,051 Well, in our final moments here, let me flip back over 1113 00:46:55,051 --> 00:46:57,241 to where our hacking tool is. 1114 00:46:57,241 --> 00:47:01,171 It would seem that eight characters is doing really well, because we still 1115 00:47:01,171 --> 00:47:03,521 got three As at the beginning of this. 1116 00:47:03,521 --> 00:47:05,621 So that might be, in fact, one take away. 1117 00:47:05,621 --> 00:47:08,671 And in fact, let me flip over and propose three pieces of homework 1118 00:47:08,671 --> 00:47:09,571 for everyone here. 1119 00:47:09,571 --> 00:47:12,094 One, use a password manager, the one that's 1120 00:47:12,094 --> 00:47:14,011 built into your phone or your operating system 1121 00:47:14,011 --> 00:47:15,541 or pay a little something more for something 1122 00:47:15,541 --> 00:47:17,191 that you might like a little better. 1123 00:47:17,191 --> 00:47:21,511 Two, use two-factor authentication for more of your accounts. 1124 00:47:21,511 --> 00:47:23,576 Maybe not all but at least more of your accounts, 1125 00:47:23,576 --> 00:47:25,201 and that's certainly a net improvement. 1126 00:47:25,201 --> 00:47:28,681 And then three, use not just encryption but end-to-end encryption. 1127 00:47:28,681 --> 00:47:32,371 And unfortunately, these features are not all quite as simple as, oh, well, 1128 00:47:32,371 --> 00:47:35,131 let me just check the box and turn on something 1129 00:47:35,131 --> 00:47:38,281 that's always been available to me, because it's not always been available.
1130 00:47:38,281 --> 00:47:40,984 And Zoom, only once they got in trouble for this, 1131 00:47:40,984 --> 00:47:43,651 did they acquire some other company that implements this feature 1132 00:47:43,651 --> 00:47:45,551 and then add it to their software. 1133 00:47:45,551 --> 00:47:48,571 But as users, as consumers, as parents, as students, 1134 00:47:48,571 --> 00:47:52,591 considering choosing one tool or another because of these features 1135 00:47:52,591 --> 00:47:54,781 is really something you are empowered to do. 1136 00:47:54,781 --> 00:47:56,761 And do not use those tools that you don't think 1137 00:47:56,761 --> 00:47:59,473 meet some threshold of comfort for you. 1138 00:47:59,473 --> 00:48:01,681 For more on this and computer science more generally, 1139 00:48:01,681 --> 00:48:05,073 any of you can take CS50 online at edx.org/cs50. 1140 00:48:05,073 --> 00:48:06,281 It's been so nice to see you. 1141 00:48:06,281 --> 00:48:07,323 Happy to chat one-on-one. 1142 00:48:07,323 --> 00:48:09,601 But otherwise, have a wonderful day here on campus. 1143 00:48:09,601 --> 00:48:11,031 This was CS50. 1144 00:48:11,031 --> 00:48:12,881 [APPLAUSE] 1145 00:48:12,881 --> 00:48:45,000 [MUSIC PLAYING]