WEBVTT X-TIMESTAMP-MAP=LOCAL:00:00:00.000,MPEGTS:900000 00:00:00.000 --> 00:00:02.440 [MUSIC PLAYING] 00:00:16.487 --> 00:00:19.320 SPEAKER: So today we're going to have our first of a few discussions 00:00:19.320 --> 00:00:21.420 about cybersecurity, and later on we're going 00:00:21.420 --> 00:00:24.480 to talk a little bit about cybersecurity in the context of the internet 00:00:24.480 --> 00:00:27.510 and some of the challenges that it brings up there. 00:00:27.510 --> 00:00:30.960 But today we're going to focus mostly on cybersecurity issues related 00:00:30.960 --> 00:00:34.050 to your machine, your computer without necessarily 00:00:34.050 --> 00:00:36.060 being connected to the internet. 00:00:36.060 --> 00:00:38.460 Before we do, we need to understand a little bit more 00:00:38.460 --> 00:00:41.445 about our machine's infrastructure, its hardware. 00:00:41.445 --> 00:00:43.320 And the biggest question to ask at the outset 00:00:43.320 --> 00:00:47.948 is, when we talk about the system's memory, what do we mean by that? 00:00:47.948 --> 00:00:51.240 That term kind of gets thrown around and it means a couple of different things, 00:00:51.240 --> 00:00:51.740 potentially. 00:00:51.740 --> 00:00:55.200 It might mean your system's RAM or random access 00:00:55.200 --> 00:00:59.490 memory, which is a rough translation of how much computing power it has, 00:00:59.490 --> 00:01:01.560 how many things it can do. 00:01:01.560 --> 00:01:03.690 And we can also talk about hard drive space 00:01:03.690 --> 00:01:07.780 as another example of system memory. 00:01:07.780 --> 00:01:10.200 Hard drive space is usually just free storage, basically. 00:01:10.200 --> 00:01:15.120 How much room do we have to literally store files on our machine? 00:01:15.120 --> 00:01:17.898 How much memory does your computer have? 00:01:17.898 --> 00:01:19.440 Maybe you do or maybe you don't know. 
00:01:19.440 --> 00:01:21.315 If you take a look at your system information 00:01:21.315 --> 00:01:24.780 or look up the computer that you bought on the internet, 00:01:24.780 --> 00:01:28.710 you might find that if we're quoting memory in terms of RAM, 00:01:28.710 --> 00:01:32.823 that your device might have as low as 512 megabytes of RAM, which 00:01:32.823 --> 00:01:33.990 is about half of a gigabyte. 00:01:33.990 --> 00:01:36.823 And that's not very much, most machines have much more than that now 00:01:36.823 --> 00:01:39.210 unless you have a low powered Chromebook, 00:01:39.210 --> 00:01:41.220 for example, that you use for travel. 00:01:41.220 --> 00:01:45.240 Memory on the RAM scale might go as high as 32 gigabytes of RAM, 00:01:45.240 --> 00:01:47.640 which is quite a bit more than that. 00:01:47.640 --> 00:01:49.825 That's generally for really high end computers. 00:01:49.825 --> 00:01:52.200 Computers, in particular, that process a lot of graphics. 00:01:52.200 --> 00:01:56.648 So sometimes computers that are specifically dedicated for gaming 00:01:56.648 --> 00:01:57.690 might have that much RAM. 00:01:57.690 --> 00:02:02.765 But typically the range is somewhere between four and 16 nowadays. 00:02:02.765 --> 00:02:05.640 When we're talking about hard drive space, that number is quite a bit 00:02:05.640 --> 00:02:06.190 bigger. 00:02:06.190 --> 00:02:10.620 So the typical hard drive nowadays might be as low as 128 gigabytes, 00:02:10.620 --> 00:02:14.580 if the drive is a solid state drive, versus a hard disk drive. 00:02:14.580 --> 00:02:17.580 We won't go into too much detail about the distinction between those two 00:02:17.580 --> 00:02:20.070 things, other than right now to say those are just two 00:02:20.070 --> 00:02:22.162 different ways to store data long term. 00:02:22.162 --> 00:02:23.370 So that might be the low end. 00:02:23.370 --> 00:02:26.940 The high end is probably somewhere on two terabytes of information. 
00:02:26.940 --> 00:02:30.060 One terabyte is 1000 gigabytes, give or take. 00:02:30.060 --> 00:02:33.120 So two terabytes would be about 2000, give or take, gigabytes. 00:02:33.120 --> 00:02:34.120 So quite a bit. 00:02:34.120 --> 00:02:36.050 Maybe even as high as four terabytes. 00:02:36.050 --> 00:02:37.800 That's quite a bit of storage information. 00:02:37.800 --> 00:02:43.440 That's enough to store several hundred HD, high quality films. 00:02:43.440 --> 00:02:48.150 But there's much more to memory than just RAM and hard disk space. 00:02:48.150 --> 00:02:51.660 There's actually kind of a hierarchy of memory that exists within your machine. 00:02:51.660 --> 00:02:54.360 Most of these numbers, though, aren't usually quoted 00:02:54.360 --> 00:02:56.170 in the specs of a device. 00:02:56.170 --> 00:02:59.310 So there's RAM, random access memory, and then 00:02:59.310 --> 00:03:02.397 there's a series of caches, each of which gets successively smaller. 00:03:02.397 --> 00:03:04.980 So they're going to be quite a bit smaller than the four gigs, 00:03:04.980 --> 00:03:06.902 say, of RAM that your device has. 00:03:06.902 --> 00:03:10.110 But they're also a little bit faster, and the reason these things get faster, 00:03:10.110 --> 00:03:13.110 these caches get faster, is they are getting closer and closer 00:03:13.110 --> 00:03:17.070 to the computer's processor, which is really the only part of the device that 00:03:17.070 --> 00:03:19.350 is able to manipulate information. 00:03:19.350 --> 00:03:21.780 It's the only part that can process information. 00:03:21.780 --> 00:03:24.450 So the memory that we're feeding to that processor 00:03:24.450 --> 00:03:26.490 needs to get faster and faster, such that it 00:03:26.490 --> 00:03:28.300 can continue to swap things in and out. 
00:03:28.300 --> 00:03:32.790 So we have the RAM, maybe an L3 cache, a Level 3 cache, Level 2, Level 1, 00:03:32.790 --> 00:03:36.300 and then finally CPU memory, which is the processor memory itself. 00:03:36.300 --> 00:03:38.940 Plus some small bits of memory called registers, 00:03:38.940 --> 00:03:43.350 which are used to be the final sort of pass of information from RAM 00:03:43.350 --> 00:03:47.520 or this hierarchy of memory into the CPU. 00:03:47.520 --> 00:03:51.120 But again, every file on your machine lives somewhere permanently 00:03:51.120 --> 00:03:52.200 on a disk drive. 00:03:52.200 --> 00:03:54.575 And there are, again, two different kinds of disk drives. 00:03:54.575 --> 00:03:57.420 We have solid state drives and hard disk drives. 00:03:57.420 --> 00:03:59.610 We should treat them as effectively identical 00:03:59.610 --> 00:04:01.950 for purposes of our discussion today. 00:04:01.950 --> 00:04:05.310 They-- solid state drives tend to behave a bit differently than hard disk 00:04:05.310 --> 00:04:09.260 drives, they tend to be a bit more secure than some of the vulnerabilities 00:04:09.260 --> 00:04:11.010 that hard disk drives present, which we're 00:04:11.010 --> 00:04:13.740 going to talk about a little bit later in today's lecture. 00:04:13.740 --> 00:04:16.769 But in general, when we talk about hard disks or storage space 00:04:16.769 --> 00:04:19.060 for the rest of today's lecture, we're going 00:04:19.060 --> 00:04:21.147 to be mostly focusing on hard disk drives. 00:04:21.147 --> 00:04:22.980 They're also just much more prevalent still. 00:04:22.980 --> 00:04:27.120 Solid state drives are coming into their own and becoming more and more frequent 00:04:27.120 --> 00:04:29.250 as they appear in devices, but hard disk drives 00:04:29.250 --> 00:04:33.390 are still far and away more and more prevalent within devices 00:04:33.390 --> 00:04:34.530 that exist now. 
00:04:34.530 --> 00:04:36.990 They are just storage space, though, we can't do anything 00:04:36.990 --> 00:04:38.970 with data that is stored on disk. 00:04:38.970 --> 00:04:41.550 We have to first move it to RAM and then have 00:04:41.550 --> 00:04:45.540 it sort of go up and down that chain of RAM, the different caches to the CPU, 00:04:45.540 --> 00:04:47.460 in order to actually manipulate the data. 00:04:47.460 --> 00:04:49.500 Once we're done manipulating it, and maybe we're 00:04:49.500 --> 00:04:51.330 turning our computer off for the evening, 00:04:51.330 --> 00:04:55.980 then all of the data that is in RAM will be stored back into the hard disk space 00:04:55.980 --> 00:04:59.313 so that we're able to access it at another time. 00:04:59.313 --> 00:05:01.980 One thing to keep in mind as we begin this discussion of memory, 00:05:01.980 --> 00:05:04.320 though, is that memory is really just an array. 00:05:04.320 --> 00:05:08.520 And we've talked about arrays already, where each cell of that array 00:05:08.520 --> 00:05:10.770 basically is one byte wide. 00:05:10.770 --> 00:05:12.990 And recall that one byte is eight bits. 00:05:12.990 --> 00:05:16.790 We may have anywhere between 512 megabytes of memory, 00:05:16.790 --> 00:05:21.810 so about 512 million of those little one byte 00:05:21.810 --> 00:05:26.060 sized cells, maybe as high as four, 8, 16, and so on gigabytes. 00:05:26.060 --> 00:05:30.030 And we have quite a few of those items in our array. 00:05:30.030 --> 00:05:32.100 But it really is just an array, which means 00:05:32.100 --> 00:05:34.050 we can jump to different addresses. 00:05:34.050 --> 00:05:36.780 It has the same properties as any other random access 00:05:36.780 --> 00:05:39.240 array that we've already discussed. 00:05:39.240 --> 00:05:43.230 Different types of data take up different amounts of memory 00:05:43.230 --> 00:05:44.050 on our systems. 
00:05:44.050 --> 00:05:46.800 So if we think about a very low level programming language like C, 00:05:46.800 --> 00:05:48.175 which is this is just an example. 00:05:48.175 --> 00:05:51.630 Different programming languages may store different types of data 00:05:51.630 --> 00:05:53.250 using different amounts of space. 00:05:53.250 --> 00:05:58.090 But if we look to just the most base level of data 00:05:58.090 --> 00:06:01.470 and think about the smallest individual pieces into which we can break it, 00:06:01.470 --> 00:06:04.300 we may be able to store an integer, for example, in four bytes. 00:06:04.300 --> 00:06:08.550 Which means we have exactly 32 bits worth of space to store an integer. 00:06:08.550 --> 00:06:12.330 Characters will take up one byte, so we have only eight bits worth of memory 00:06:12.330 --> 00:06:14.470 required to store a single character. 00:06:14.470 --> 00:06:18.600 So capital or lowercase letters, digits, punctuation marks, and so on. 00:06:18.600 --> 00:06:21.210 Not a huge variety of options there. 00:06:21.210 --> 00:06:23.882 Floats are-- you may recall are real numbers, 00:06:23.882 --> 00:06:25.590 numbers that have decimal points in them. 00:06:25.590 --> 00:06:26.580 Doubles are, as well. 00:06:26.580 --> 00:06:28.650 They're double precision floating point values 00:06:28.650 --> 00:06:30.300 and they take up four or eight bytes. 00:06:30.300 --> 00:06:34.020 So basically the idea here is different types of memory 00:06:34.020 --> 00:06:36.030 will take up different amounts of space and then 00:06:36.030 --> 00:06:40.590 we eventually can construct these things into pixels, and images, and films, 00:06:40.590 --> 00:06:43.650 each of which will also take up different amounts of space and memory 00:06:43.650 --> 00:06:47.750 if we are manipulating or working with that data. 00:06:47.750 --> 00:06:52.890 So again, let's think of memory as a big array of individual byte-sized cells. 
00:06:52.890 --> 00:06:56.370 Because it is an array, that means we have random accessibility. 00:06:56.370 --> 00:07:00.360 We can say, I want to go to memory address x and see what is there. 00:07:00.360 --> 00:07:03.208 I want to go to memory address y and change what is there. 00:07:03.208 --> 00:07:04.500 We have the ability to do that. 00:07:04.500 --> 00:07:08.700 We don't have to iterate through step by step by step in order to make changes. 00:07:08.700 --> 00:07:12.840 If we did, the processor would be quite a bit slower having to perform this, 00:07:12.840 --> 00:07:15.960 we might term linear search as we try to iterate through memory 00:07:15.960 --> 00:07:18.130 to find the one byte we're looking for. 00:07:18.130 --> 00:07:21.900 It's very helpful to be able to jump to a particular byte. 00:07:21.900 --> 00:07:26.100 And that means that every location in memory must have an address. 00:07:26.100 --> 00:07:29.790 We must have a way to refer to that individual byte 00:07:29.790 --> 00:07:31.390 in order to randomly access it. 00:07:31.390 --> 00:07:34.920 We can't just look at this grid of cells and say, I want to go to this one 00:07:34.920 --> 00:07:37.680 and sort of, you know, imagine particular spot. 00:07:37.680 --> 00:07:41.940 We need to say, I want to go to exactly this memory address. 00:07:41.940 --> 00:07:43.560 OK? 00:07:43.560 --> 00:07:47.880 So s-- the fact that memory cells have an address 00:07:47.880 --> 00:07:50.130 is what comes into play when you think about this idea 00:07:50.130 --> 00:07:53.480 of a 32-bit system or a 64-bit system, and this 00:07:53.480 --> 00:07:55.290 may be a term that you've heard before. 00:07:55.290 --> 00:07:59.590 It refers to the ability to process an address. 00:07:59.590 --> 00:08:03.540 So for example, a 32-bit computer, a 32-bit system, 00:08:03.540 --> 00:08:06.950 can process memory addresses up to 32 bits in length. 
00:08:06.950 --> 00:08:11.400 Which means it understands memory address zero through memory address 00:08:11.400 --> 00:08:14.100 right up to four billion, a little over four billion. 00:08:14.100 --> 00:08:17.250 But it doesn't understand memory past that. 00:08:17.250 --> 00:08:20.130 Now interestingly, this doesn't mean that a 32-bit system 00:08:20.130 --> 00:08:22.240 is limited to four gigabytes of RAM. 00:08:22.240 --> 00:08:25.638 There are some software tricks that we can pull using something called virtual 00:08:25.638 --> 00:08:28.680 memory, which we're not going to get into in any more depth than to refer 00:08:28.680 --> 00:08:32.730 to it as virtual memory today, that allow you to use more than four 00:08:32.730 --> 00:08:35.870 gigabytes of RAM on a 32-bit system by doing-- sort of, you know, 00:08:35.870 --> 00:08:39.135 pretending that things live somewhere where they don't. 00:08:39.135 --> 00:08:41.010 But when you talk about a 64-bit system, that 00:08:41.010 --> 00:08:43.320 means we have many more memory cells that we 00:08:43.320 --> 00:08:47.550 can refer to without running into our sort of artificial limit of how high we 00:08:47.550 --> 00:08:48.450 can count. 00:08:48.450 --> 00:08:51.120 Now granted, there are no memory banks out there 00:08:51.120 --> 00:08:55.350 that have all of the memory addresses from zero to 64 bits worth of memory. 00:08:55.350 --> 00:08:57.270 That's somewhere in the quintillion or higher. 00:08:57.270 --> 00:08:59.640 It's a very, very large number and we don't yet 00:08:59.640 --> 00:09:03.090 have the storage capacity to store that much data on our machines. 
00:09:03.090 --> 00:09:06.360 But theoretically, it is possible that with a 64-bit system 00:09:06.360 --> 00:09:11.220 we could have very, very large amounts of RAM and again, the more RAM we have, 00:09:11.220 --> 00:09:14.490 generally the more quickly our computer is 00:09:14.490 --> 00:09:17.510 going to operate because there's more space for it to store information. 00:09:17.510 --> 00:09:20.010 It doesn't have to keep sending stuff back to the hard drive 00:09:20.010 --> 00:09:22.920 when the RAM is full because there's so much information 00:09:22.920 --> 00:09:24.360 being processed at once. 00:09:24.360 --> 00:09:29.940 More of it is available in that quicker, more accessible bit of memory. 00:09:29.940 --> 00:09:34.140 So recall that with each bit, remember a bit can only take on one of two states. 00:09:34.140 --> 00:09:36.403 Zero or one, off or on. 00:09:36.403 --> 00:09:39.570 Or you can think about it in terms of electricity, which is how RAM actually 00:09:39.570 --> 00:09:42.930 works, as being unpowered or powered. 00:09:42.930 --> 00:09:44.790 That again means that we have 32-- 00:09:44.790 --> 00:09:48.510 two to the 32nd power, excuse me, possible memory addresses. 00:09:48.510 --> 00:09:52.360 So about four billion memory addresses. 00:09:52.360 --> 00:09:56.760 Now it is sometimes the case that programmers, and subsequently, 00:09:56.760 --> 00:10:00.120 those who may need to read their code, may need a way 00:10:00.120 --> 00:10:03.600 to refer to specific memory addresses. 00:10:03.600 --> 00:10:06.750 But a memory address like this, which is a memory address. 00:10:06.750 --> 00:10:08.730 There are zeros and ones in this address. 00:10:08.730 --> 00:10:13.410 This is exactly how we would refer to an address in memory. 00:10:13.410 --> 00:10:14.520 This is rather cumbersome. 
00:10:14.520 --> 00:10:17.562 No programmer wants to talk to another programmer and no programmer wants 00:10:17.562 --> 00:10:23.340 to talk to an advisor by saying the code that lives at 00101 and so on. 00:10:23.340 --> 00:10:25.390 That's just not-- that doesn't make any sense. 00:10:25.390 --> 00:10:28.410 That's just not how we would talk and it would take forever just 00:10:28.410 --> 00:10:30.480 to say the name of the memory before you even get 00:10:30.480 --> 00:10:32.580 to the point of what is in that memory. 00:10:32.580 --> 00:10:37.140 And so rather than using binary notation to refer to a memory address, 00:10:37.140 --> 00:10:42.030 computer scientists will oftentimes use something called hexadecimal notation. 00:10:42.030 --> 00:10:47.040 Hexadecimal is 16 hexadecimal, 6 and 10. 00:10:47.040 --> 00:10:50.310 And so this is the base 16 number system. 00:10:50.310 --> 00:10:53.190 It's a different number system than the decimal system, base 10, 00:10:53.190 --> 00:10:57.120 that we have used since childhood to count and understand 00:10:57.120 --> 00:10:59.230 place values of numbers and so on. 00:10:59.230 --> 00:11:01.050 What's convenient about hexadecimal being 00:11:01.050 --> 00:11:07.890 base 16 versus binary being base two is that four binary digits or four bits 00:11:07.890 --> 00:11:11.970 can be represented using a single what is often called hex digit. 00:11:11.970 --> 00:11:14.670 So for every group of four binary digits that we have, 00:11:14.670 --> 00:11:18.698 we can represent that more succinctly using just one hexadecimal digit. 00:11:18.698 --> 00:11:20.490 And because there are four bits, that means 00:11:20.490 --> 00:11:23.740 we have two to the fourth, or 16 different combinations. 00:11:23.740 --> 00:11:26.700 So we can account for every single possible on off 00:11:26.700 --> 00:11:32.310 combination of all of the four bits in that cluster using a single hex digit. 
00:11:32.310 --> 00:11:35.433 So we might instead refer to this memory address looking like this. 00:11:35.433 --> 00:11:37.350 And there are some letter characters in there, 00:11:37.350 --> 00:11:41.160 and that's because in order to represent a single digit in hexadecimal, 00:11:41.160 --> 00:11:43.800 we need to be on the count higher than 10 00:11:43.800 --> 00:11:46.860 using two digits, as we are confined to in decimal. 00:11:46.860 --> 00:11:48.870 In order to represent the number 10, we need 00:11:48.870 --> 00:11:54.630 a one and zero, a one being in the tens place and a zero in the ones place. 00:11:54.630 --> 00:11:58.380 But in hexadecimal, we need 16 possible digits 00:11:58.380 --> 00:12:03.670 to represent all of the 16 possible values at any given place value. 00:12:03.670 --> 00:12:08.370 So here's an example of something that a programmer might see. 00:12:08.370 --> 00:12:11.490 This is using a tool called GDB, which is 00:12:11.490 --> 00:12:16.560 a debugging tool that is used to debug or root out problems in some low level 00:12:16.560 --> 00:12:17.940 code. 00:12:17.940 --> 00:12:20.983 And all we're seeing here is a bunch of memory addresses. 00:12:20.983 --> 00:12:22.650 So I've highlighted them here in yellow. 00:12:22.650 --> 00:12:25.560 We don't need to worry too much about the context around this, what these all 00:12:25.560 --> 00:12:26.060 refer to. 00:12:26.060 --> 00:12:31.415 But basically, these things on the left, EAX, ECX and so on are registers. 00:12:31.415 --> 00:12:33.540 Those are things that are very close to the memory. 00:12:33.540 --> 00:12:36.688 And they are storing the memory address of something else. 
00:12:36.688 --> 00:12:39.480 And so all these things on the left here are just memory addresses, 00:12:39.480 --> 00:12:42.870 and the things on the right are translations of those memory addresses 00:12:42.870 --> 00:12:45.630 in some cases into decimal numbers that make 00:12:45.630 --> 00:12:51.490 more sense to us having used the base 10 or decimal system for quite some time. 00:12:51.490 --> 00:12:55.290 So we can map all of the different possible values in hexadecimal 00:12:55.290 --> 00:12:59.058 to their binary equivalents as well as to decimal numbers 00:12:59.058 --> 00:13:00.100 that we're familiar with. 00:13:00.100 --> 00:13:04.710 So again, here we have all of the possible combinations of four bits 00:13:04.710 --> 00:13:08.550 or zeros and ones showing you what they translate to in decimal, 00:13:08.550 --> 00:13:12.210 recalling that for every set of four bits here we see, the one on the right 00:13:12.210 --> 00:13:15.450 is the ones place, the one to its left is the twos place. 00:13:15.450 --> 00:13:18.705 Then we have the fours place and the eights place. 00:13:18.705 --> 00:13:20.160 Because again, our base is two. 00:13:20.160 --> 00:13:24.510 Every place value is a power of two as opposed to a power of 10 00:13:24.510 --> 00:13:25.638 like we would in decimal. 00:13:25.638 --> 00:13:27.180 And then its hexadecimal equivalent. 00:13:27.180 --> 00:13:29.850 So again, for every single one of those combinations, 00:13:29.850 --> 00:13:34.503 we have one distinct way to represent it using a single hex digit. 00:13:34.503 --> 00:13:36.420 And sometimes you'll see the hex digits for 10 00:13:36.420 --> 00:13:39.290 through 15, which are a through f, presented in capital letters. 00:13:39.290 --> 00:13:41.040 I like to present them in capital letters, 00:13:41.040 --> 00:13:43.373 but sometimes you see them in lowercase letters as well. 00:13:43.373 --> 00:13:45.960 That is immaterial to it. 
00:13:45.960 --> 00:13:48.900 And this zero x at the beginning of it, I should mention that as well. 00:13:48.900 --> 00:13:51.310 Zero x means absolutely nothing. 00:13:51.310 --> 00:13:54.300 It is purely a note for us as human beings 00:13:54.300 --> 00:13:57.690 when we are seeing something like this that we should interpret it 00:13:57.690 --> 00:14:01.800 as hexadecimal numbers as opposed to as decimal, for example. 00:14:01.800 --> 00:14:05.450 Because we could have a valid hexadecimal string that is-- 00:14:05.450 --> 00:14:07.920 I'm going to use the zero x here just for second-- 00:14:07.920 --> 00:14:10.200 0x, five, zero. 00:14:10.200 --> 00:14:13.860 If we saw that, we might read it if we didn't have a 0x in front of it, 00:14:13.860 --> 00:14:17.820 we might read that as 50, which would be not actually accurate, because 0x, 00:14:17.820 --> 00:14:21.180 five, zero is actually 80 in decimal notation. 00:14:21.180 --> 00:14:23.970 So that 0x is really just a guide for us as human beings 00:14:23.970 --> 00:14:29.190 to say, OK, what I'm about to read here is a hexadecimal number. 00:14:29.190 --> 00:14:31.710 Let's just do a quick exercise where we translate 00:14:31.710 --> 00:14:36.870 some binary into hexadecimal and then subsequently into decimal as well. 00:14:36.870 --> 00:14:41.550 And so here, we have eight bits, each of which again is a zero or a one, 00:14:41.550 --> 00:14:45.030 and our goal is to translate this into ultimately decimal, 00:14:45.030 --> 00:14:47.490 but let's start by translating it into hexadecimal. 00:14:47.490 --> 00:14:50.040 The first approach is counting from right to left, 00:14:50.040 --> 00:14:52.080 we want to split these into groups of four. 00:14:52.080 --> 00:14:54.270 It so happens that we have eight bits here, 00:14:54.270 --> 00:14:58.770 and so this splits pretty cleanly into two groups of four. 
00:14:58.770 --> 00:15:01.680 But if we, for example, had seven bits, like if this wasn't here, 00:15:01.680 --> 00:15:03.900 we would start by having one zero one zero, 00:15:03.900 --> 00:15:06.750 and then whatever we had left over, we would just 00:15:06.750 --> 00:15:11.850 pad with extra zeros at the front so we always had a cluster of four bits 00:15:11.850 --> 00:15:13.320 at a time to work with. 00:15:13.320 --> 00:15:16.828 Each of these maps directly to a single hexadecimal digit. 00:15:16.828 --> 00:15:19.620 And sometimes you may be able to just quickly do this in your head, 00:15:19.620 --> 00:15:21.710 or you can jump back to the table that we had here 00:15:21.710 --> 00:15:23.460 to see when I see this particular pattern, 00:15:23.460 --> 00:15:26.160 I want to plug in this hexadecimal digit. 00:15:26.160 --> 00:15:29.980 And so if we do that here, we see that the one on the left, 0010, 00:15:29.980 --> 00:15:31.660 this is in binary again. 00:15:31.660 --> 00:15:34.230 A zero in the ones place, a one in the twos place, 00:15:34.230 --> 00:15:36.540 and nothing else, which means we have one times two. 00:15:36.540 --> 00:15:39.090 And so this would be a two. 00:15:39.090 --> 00:15:42.870 And 1010, well, that's a one in the eights place and a one 00:15:42.870 --> 00:15:45.330 in the twos place, which is 10. 00:15:45.330 --> 00:15:48.600 But in hexadecimal, we would represent that as a, because again, 00:15:48.600 --> 00:15:53.160 we need to confine this idea of 10 to a single place value. 00:15:53.160 --> 00:15:57.150 We can't have two digits to represent it using hexadecimal notation. 00:15:57.150 --> 00:16:03.030 And so this binary value, 001010, is 0x-- 00:16:03.030 --> 00:16:07.170 again, human convention to prepend a 0x in front of anything 00:16:07.170 --> 00:16:09.070 that is a hexadecimal number-- 00:16:09.070 --> 00:16:09.570 0x2a. 00:16:12.270 --> 00:16:15.950 Now, how do we translate this to decimal? 
00:16:15.950 --> 00:16:19.500 Well, it may help to think about how we translate this or understand 00:16:19.500 --> 00:16:22.590 this number, 123. 00:16:22.590 --> 00:16:25.230 When we see it, one two three just written out, 00:16:25.230 --> 00:16:28.440 we are really doing something like this in our head where we're saying, 00:16:28.440 --> 00:16:33.330 there's a one in the one hundreds place, there's a two in the tens place, 00:16:33.330 --> 00:16:35.490 and there's a three in the ones place. 00:16:35.490 --> 00:16:37.470 And we've just over time internalized that 00:16:37.470 --> 00:16:39.345 and have been able to very quickly understand 00:16:39.345 --> 00:16:42.485 that the number I'm talking about here is 123. 00:16:42.485 --> 00:16:44.610 Well, another way to think about these labels here, 00:16:44.610 --> 00:16:48.870 one hundreds place, tens place, and ones place, might be to say, 00:16:48.870 --> 00:16:52.950 we have the 10 squareds place or the 10 to the second powers place, 00:16:52.950 --> 00:16:56.550 the 10 to the first powers place, and the ten to the zero powers place. 00:16:56.550 --> 00:16:58.560 Any number to the zero power is always one, 00:16:58.560 --> 00:17:02.370 and so this is really the ones place, the tens place, and the hundreds place. 00:17:02.370 --> 00:17:06.540 With hexadecimal, we don't have 10 as the base of the exponent here. 00:17:06.540 --> 00:17:10.140 Instead, we have 16 as the base of the exponent. 00:17:10.140 --> 00:17:11.520 But the rules are the same. 00:17:11.520 --> 00:17:14.630 We have a 16 to the zero place which is one. 00:17:14.630 --> 00:17:17.720 We have 16 to the first power or 16s place, 00:17:17.720 --> 00:17:21.270 and we have a 16 squared or 256s place. 00:17:21.270 --> 00:17:23.609 In our example number here, we didn't go that high. 00:17:23.609 --> 00:17:24.900 We had 0x2a. 
00:17:24.900 --> 00:17:27.300 We only had two digits, which means we really 00:17:27.300 --> 00:17:31.740 only needed these two place values, the 16 to the zero power and the 16 00:17:31.740 --> 00:17:33.030 to the one power. 00:17:33.030 --> 00:17:36.660 Now, we just translate this in exactly the same way that we would intuitively 00:17:36.660 --> 00:17:40.740 do it in when we're counting in decimal or reading a decimal number. 00:17:40.740 --> 00:17:44.640 This is zero times 16 squared plus two times 16 00:17:44.640 --> 00:17:49.830 to the first power plus a times one, or 16 to the zero power. 00:17:49.830 --> 00:17:55.170 Two times 16 is 32, and a, which again is hexadecimal's way of representing 00:17:55.170 --> 00:17:57.870 10, 10 times one is ten, so what we're really saying 00:17:57.870 --> 00:18:00.840 is that we have 32 plus 10. 00:18:00.840 --> 00:18:05.310 And so to translate this hexadecimal number, 0x2a, into decimal, 00:18:05.310 --> 00:18:11.240 we end up with 42, because 42 is 32 plus 10. 00:18:11.240 --> 00:18:13.740 So hopefully, that gives you a bit of a better understanding 00:18:13.740 --> 00:18:18.330 of what these cryptic number strings that you might have seen before mean. 00:18:18.330 --> 00:18:21.790 And if you're working with programmers or you're ever analyzing source code 00:18:21.790 --> 00:18:23.790 and you see references like this, hopefully this 00:18:23.790 --> 00:18:26.460 gives you a better understanding of what they mean 00:18:26.460 --> 00:18:28.740 and what they likely refer to on the system 00:18:28.740 --> 00:18:30.660 and how that might affect things. 00:18:30.660 --> 00:18:34.080 Let's talk a little bit more about the function, how memory actually 00:18:34.080 --> 00:18:38.128 works now that we know how to access individual parts of it. 
00:18:38.128 --> 00:18:40.170 With the exception of hard disk space-- so again, 00:18:40.170 --> 00:18:42.210 the permanent storage space on your device-- 00:18:42.210 --> 00:18:45.425 memory on your computer is termed volatile, 00:18:45.425 --> 00:18:46.800 which means two different things. 00:18:46.800 --> 00:18:50.340 One, that the memory is constantly changing. 00:18:50.340 --> 00:18:52.470 Things are cycling in and out of it. 00:18:52.470 --> 00:18:55.650 It's very dynamic in terms of the values that are being stored there, 00:18:55.650 --> 00:18:58.290 again because the RAM is sort of this holding ground for everything that's 00:18:58.290 --> 00:19:00.290 going to eventually need to go to the processor, 00:19:00.290 --> 00:19:02.890 and things are getting swapped in and out pretty frequently. 00:19:02.890 --> 00:19:05.190 But the other really key detail about volatile memory 00:19:05.190 --> 00:19:07.110 is that it requires power. 00:19:07.110 --> 00:19:09.630 If it is unpowered, if there is not electricity literally 00:19:09.630 --> 00:19:14.280 flowing to the RAM at any given time, that is a problem 00:19:14.280 --> 00:19:16.140 and that memory will no longer work. 00:19:16.140 --> 00:19:19.540 In fact, after some amount of time, a pretty small amount of time 00:19:19.540 --> 00:19:24.180 like 30 seconds to a minute perhaps, without power, the electrical charge 00:19:24.180 --> 00:19:28.630 which is used to maintain each of those individual cells of memory-- 00:19:28.630 --> 00:19:31.060 remember, a little bit of electricity being one, 00:19:31.060 --> 00:19:33.150 and the absence of electricity being zero 00:19:33.150 --> 00:19:35.940 is how the computer can store this idea of zeros and ones 00:19:35.940 --> 00:19:38.400 on a physical manifestation thereof. 00:19:38.400 --> 00:19:41.310 Without power, that electrical charge eventually dissipates. 00:19:41.310 --> 00:19:42.630 It does not just stay. 00:19:42.630 --> 00:19:44.730 It goes away. 
00:19:44.730 --> 00:19:48.060 And the state is eventually lost such that unpowered for about a minute 00:19:48.060 --> 00:19:52.970 or so, all the data in RAM has effectively turned into zeros. 00:19:52.970 --> 00:19:55.800 It has completely become completely unpowered. 00:19:55.800 --> 00:19:58.260 Now obviously, that would be very bad if our entire system 00:19:58.260 --> 00:20:00.190 relied on this technology. 00:20:00.190 --> 00:20:06.690 But it's only RAM and the caches from RAM going forward that rely on this. 00:20:06.690 --> 00:20:09.900 Processing can only happen in the processor. 00:20:09.900 --> 00:20:11.710 This probably makes a little bit of sense. 00:20:11.710 --> 00:20:14.310 And again, recall that a 32-bit processor 00:20:14.310 --> 00:20:16.750 can understand 32-bit addresses. 00:20:16.750 --> 00:20:21.850 That also means that it only has 32 bits of space in which to do anything. 00:20:21.850 --> 00:20:25.180 So it only can work with four bytes of information at a time. 00:20:25.180 --> 00:20:27.880 And maybe if you have a computer that has multiple cores, 00:20:27.880 --> 00:20:30.580 maybe you've heard that term before, multicore processors, 00:20:30.580 --> 00:20:35.550 you might have a few of these processors that can do four bytes at a time. 00:20:35.550 --> 00:20:38.950 But either way, we're still talking about a very, very small amount 00:20:38.950 --> 00:20:43.030 of information, maybe four to 16 or 32 bytes. 00:20:43.030 --> 00:20:44.950 That's not very much at all when you consider 00:20:44.950 --> 00:20:48.220 that a basic document perhaps using Microsoft Word 00:20:48.220 --> 00:20:51.670 will contain enough metadata to be about 15,000 bytes before you even 00:20:51.670 --> 00:20:53.920 type a single character into it. 00:20:53.920 --> 00:20:59.680 So a lot of metadata there, and that amount of empty files 00:20:59.680 --> 00:21:02.080 gets pretty big pretty quickly. 
00:21:02.080 --> 00:21:06.550 Because the process can only process 32 bits worth of information 00:21:06.550 --> 00:21:11.590 at a time, any given processor, we need to move data to it frequently. 00:21:11.590 --> 00:21:14.040 And that's what the caches are for, and that's 00:21:14.040 --> 00:21:17.080 why each one needs to be faster and be able to get information 00:21:17.080 --> 00:21:18.670 to the processor pretty quickly. 00:21:18.670 --> 00:21:20.500 Because even though the processor can only 00:21:20.500 --> 00:21:27.100 process four bytes or 32 bits worth of information at any given time, 00:21:27.100 --> 00:21:31.250 it can do two to three billion operations per second, 00:21:31.250 --> 00:21:32.560 so that's what a gigahertz is. 00:21:32.560 --> 00:21:35.755 And in terms of when a processor's speed is quoted, 00:21:35.755 --> 00:21:39.950 it's sometimes said it's like 2.4 gigahertz or 2.6 gigahertz or so on. 00:21:39.950 --> 00:21:45.640 That means that the computer can do 2.4 to 2.6 billion things per second. 00:21:45.640 --> 00:21:50.860 So again, 32 bits, not a lot of information at any instant, 00:21:50.860 --> 00:21:55.480 but there's a lot of those instants within a second. 00:21:55.480 --> 00:21:59.230 It can do two to three billion things per second, each one of those things 00:21:59.230 --> 00:22:03.490 operating on exactly four bytes at a time, 32 bits at a time, 00:22:03.490 --> 00:22:06.190 on a 32-bit processor, as opposed to a 64-bit processor which 00:22:06.190 --> 00:22:09.260 can process a little bit more data. 00:22:09.260 --> 00:22:12.340 Let's take a look now at what we determine 00:22:12.340 --> 00:22:15.760 on your computer as the motherboard, or sort of the control 00:22:15.760 --> 00:22:17.980 processor for everything that your computer does, 00:22:17.980 --> 00:22:20.830 and highlight some of the different pieces of where 00:22:20.830 --> 00:22:25.400 things live on your physical device. 
00:22:25.400 --> 00:22:28.360 So right here are some slots for RAM, so these are 00:22:28.360 --> 00:22:30.430 basically sticks that get plugged in. 00:22:30.430 --> 00:22:33.250 A RAM stick is just a green chip. 00:22:33.250 --> 00:22:34.750 It looks similar to the motherboard. 00:22:34.750 --> 00:22:35.667 They're usually green. 00:22:35.667 --> 00:22:38.042 They have some gold connector pins at the bottom of them, 00:22:38.042 --> 00:22:39.610 and they plug into the motherboard. 00:22:39.610 --> 00:22:43.270 And information can then be stored there and flow to and from when 00:22:43.270 --> 00:22:45.018 needed by the processor and so on. 00:22:45.018 --> 00:22:46.060 So that's where these go. 00:22:46.060 --> 00:22:48.250 This particular motherboard, which is from a computer that's 00:22:48.250 --> 00:22:49.330 about 15 years old. 00:22:49.330 --> 00:22:51.080 For example, I don't think most of us have 00:22:51.080 --> 00:22:56.770 floppy drive connectors on our computers anymore, but this one still does. 00:22:56.770 --> 00:22:58.660 Here is where the CPU would live, so this 00:22:58.660 --> 00:23:01.120 is where the actual processor goes. 00:23:01.120 --> 00:23:05.380 And that processor again can only do 32 or 64 bits worth of information 00:23:05.380 --> 00:23:06.910 at any given time. 00:23:06.910 --> 00:23:11.200 And on top of the CPU, it's not pictured here, but typically on top of the CPU 00:23:11.200 --> 00:23:16.565 there's a giant fan, literally like mounted or screwed right above it. 00:23:16.565 --> 00:23:19.690 And again, that's because the computer is doing two to three billion things 00:23:19.690 --> 00:23:21.910 a second, so it gets quite hot. 
00:23:21.910 --> 00:23:25.600 And to prevent a CPU meltdown or a core meltdown, 00:23:25.600 --> 00:23:28.450 you want to make sure to have air constantly flowing 00:23:28.450 --> 00:23:31.030 across the top of the device as well as a heat 00:23:31.030 --> 00:23:35.200 sink to pull all the heat away from the CPU such that it doesn't overheat, 00:23:35.200 --> 00:23:37.900 which would create quite a big problem and eventually might 00:23:37.900 --> 00:23:40.690 result in computer breakage if left to overheat 00:23:40.690 --> 00:23:43.540 for a prolonged period of time. 00:23:43.540 --> 00:23:45.520 Over here is a graphics processor. 00:23:45.520 --> 00:23:48.280 Graphics processors are really just CPUs that 00:23:48.280 --> 00:23:52.330 are specialized to do certain operations that make interpreting graphics 00:23:52.330 --> 00:23:54.070 on your monitor much easier. 00:23:54.070 --> 00:23:56.450 The math for those is usually a bit more complicated, 00:23:56.450 --> 00:24:01.030 and so modern devices may have both a CPU and a GPU, a Graphical Processor 00:24:01.030 --> 00:24:03.930 Unit, as opposed to relying on just the CPU to handle 00:24:03.930 --> 00:24:05.180 all of those different things. 00:24:05.180 --> 00:24:09.818 And it similarly would have a heat sink and a fan mounted with it as well. 00:24:09.818 --> 00:24:11.860 And then over here at the top, it's pretty small. 00:24:11.860 --> 00:24:13.527 There are things called SATA connectors. 00:24:13.527 --> 00:24:17.980 SATA connectors are what you might use to connect hard drives to your machine 00:24:17.980 --> 00:24:21.850 so that you can extend the storage capacity of the device. 00:24:21.850 --> 00:24:24.770 But all of these things might live on your computer, 00:24:24.770 --> 00:24:28.960 and also all of these things in shrunk down form will live on your laptop 00:24:28.960 --> 00:24:31.120 and even in your mobile phone. 
00:24:31.120 --> 00:24:34.270 This basic idea exists just in smaller and smaller scales 00:24:34.270 --> 00:24:38.240 with all of the parts being similarly scaled down. 00:24:38.240 --> 00:24:41.950 So again, CPU memory, what actually lives in the CPU as well 00:24:41.950 --> 00:24:46.480 as the registers, those really fast things right around the CPU memory, 00:24:46.480 --> 00:24:49.010 is the fastest memory on your machine. 00:24:49.010 --> 00:24:50.420 But there's the least of it. 00:24:50.420 --> 00:24:53.020 And the reason for this is that it's very, very expensive. 00:24:53.020 --> 00:24:56.740 It is the most expensive stuff in your computer. 00:24:56.740 --> 00:24:58.750 That is basically the price that you are paying 00:24:58.750 --> 00:25:01.530 when you buy the computer is for that processor 00:25:01.530 --> 00:25:05.050 and the materials that are used to allow electricity 00:25:05.050 --> 00:25:06.910 to conduct through it very quickly really 00:25:06.910 --> 00:25:09.830 determines the cost of the device. 00:25:09.830 --> 00:25:13.510 So there's the least amount of it, but it is the most important memory 00:25:13.510 --> 00:25:14.540 on your machine. 00:25:14.540 --> 00:25:19.500 The caches, one two and three, are each successively slower than CPU memory 00:25:19.500 --> 00:25:21.000 but also successively cheaper. 00:25:21.000 --> 00:25:24.550 So your l1 cache is going to be a little bit slower than your CPU, 00:25:24.550 --> 00:25:26.300 but there will be a little bit more of it. 00:25:26.300 --> 00:25:31.978 And your l1 cache will be a little bit larger than the CPU space 00:25:31.978 --> 00:25:34.020 that you have, but it'll be a little bit cheaper. 00:25:34.020 --> 00:25:36.418 The l2 cache may be a little bit larger than the l1 cache 00:25:36.418 --> 00:25:37.460 but a little bit cheaper. 00:25:37.460 --> 00:25:40.140 Again, this is really just referring to the materials that are 00:25:40.140 --> 00:25:42.840 used to make the memory operational. 
00:25:42.840 --> 00:25:45.330 RAM is slower but cheaper. 00:25:45.330 --> 00:25:47.880 RAM typically used to be the most expensive 00:25:47.880 --> 00:25:49.482 or be considered the driving cost. 00:25:49.482 --> 00:25:52.190 If you had more RAM in your computer, that made it more powerful. 00:25:52.190 --> 00:25:53.413 That was the cost driver. 00:25:53.413 --> 00:25:55.080 This is becoming less and less the case. 00:25:55.080 --> 00:25:57.360 It's still more expensive than hard disk space, which 00:25:57.360 --> 00:25:59.490 is effectively free at this point. 00:25:59.490 --> 00:26:02.070 It's really just how much stuff we can literally 00:26:02.070 --> 00:26:07.290 fit into the container for the hard disk itself, which is just pure storage. 00:26:07.290 --> 00:26:10.390 But RAM is slower memory than any of the caches, 00:26:10.390 --> 00:26:14.670 but you're able to have more of it because it is less expensive. 00:26:14.670 --> 00:26:16.260 So that's memory. 00:26:16.260 --> 00:26:20.490 But in terms of hard disk space, that does not work in the same way 00:26:20.490 --> 00:26:24.630 that RAM and the other volatile memories work, 00:26:24.630 --> 00:26:27.600 and hard disk space is non-volatile. 00:26:27.600 --> 00:26:30.480 Information in the hard disk is not changed terribly often, 00:26:30.480 --> 00:26:34.168 only when we're certain that we're done working with it in RAM. 00:26:34.168 --> 00:26:36.210 And the data there is also persistent, and that's 00:26:36.210 --> 00:26:41.580 because it does not rely on electricity to store state. 00:26:41.580 --> 00:26:44.700 Instead, and we're talking again specifically now about hard disk drive, 00:26:44.700 --> 00:26:46.825 solid state drives behave a little bit differently. 00:26:46.825 --> 00:26:49.450 They use microchips that do some different things. 00:26:49.450 --> 00:26:53.310 But we're talking about hard disk space, HDDs, traditional hard disks. 
00:26:53.310 --> 00:26:58.620 Each cell of a hard disk is instead controlled by magnetism, 00:26:58.620 --> 00:27:01.200 so data is stored magnetically. 00:27:01.200 --> 00:27:02.550 If there is a-- 00:27:02.550 --> 00:27:05.130 we'll just say for purposes of this discussion 00:27:05.130 --> 00:27:10.590 here that if the magnetism is in a down position, so south for example, 00:27:10.590 --> 00:27:13.710 it's oriented south, that would be zero. 00:27:13.710 --> 00:27:15.150 That's a way to represent zero. 00:27:15.150 --> 00:27:17.910 And any magnet that is in the up position 00:27:17.910 --> 00:27:24.330 is one, so we can have these flip states of the polarity is pointing up or north 00:27:24.330 --> 00:27:28.470 and the polarity is pointing down or south to represent zero and one as 00:27:28.470 --> 00:27:33.040 opposed to using powered versus unpowered to represent one and zero, 00:27:33.040 --> 00:27:38.340 respectively in a RAM or volatile memory situation. 00:27:38.340 --> 00:27:41.850 Because these magnets, though, don't require power 00:27:41.850 --> 00:27:45.480 in order to work long term, that means that when the computer shuts off 00:27:45.480 --> 00:27:48.355 and they become unpowered, the data remains. 00:27:48.355 --> 00:27:49.980 And this is a really good thing, right? 00:27:49.980 --> 00:27:52.170 Because if every time we shut off our computer 00:27:52.170 --> 00:27:55.410 we lost literally all of the files we'd ever saved on it, 00:27:55.410 --> 00:27:57.930 that would not be very effective. 00:27:57.930 --> 00:28:03.210 We would lose a lot of the utility that we rely on computers for. 00:28:03.210 --> 00:28:07.350 And so the way that hard disks work is specifically designed such that memory 00:28:07.350 --> 00:28:11.280 can persist after the computer is shut off. 00:28:11.280 --> 00:28:15.090 But again, that memory can not be processed directly in the hard disk. 00:28:15.090 --> 00:28:17.580 We have to move it to the processor eventually. 
00:28:17.580 --> 00:28:21.240 So if our system detects that we need a chunk of memory 00:28:21.240 --> 00:28:25.260 from the hard disk, that's all going to be moved from the hard disk 00:28:25.260 --> 00:28:28.200 to RAM using something called a bus. 00:28:28.200 --> 00:28:30.990 Much like a bus is used to move human beings from one place 00:28:30.990 --> 00:28:33.630 to another in large quantities, a bus is used 00:28:33.630 --> 00:28:38.400 to move data from one part of your machine to another in large quantities. 00:28:38.400 --> 00:28:43.230 And in fact, if you ever see a SATA connection from a hard drive to RAM 00:28:43.230 --> 00:28:46.110 using one of the SATA connectors we saw a moment ago on the slide, 00:28:46.110 --> 00:28:50.610 there's usually a long, thin strip that connects them together. 00:28:50.610 --> 00:28:52.590 That strip also forms part of the bus that 00:28:52.590 --> 00:28:55.740 is used to transfer data from the hard drive 00:28:55.740 --> 00:29:01.260 to the RAM in fairly large quantities. 00:29:01.260 --> 00:29:03.570 In general, when we're working on a program, 00:29:03.570 --> 00:29:07.140 the data for that program including the code that actually is running 00:29:07.140 --> 00:29:09.720 is moved from hard disk to RAM. 00:29:09.720 --> 00:29:12.405 And it stays in RAM, assuming there's no space constraint that 00:29:12.405 --> 00:29:15.030 forces it to have to leave which sometimes can happen if you're 00:29:15.030 --> 00:29:16.823 running a lot of programs at once. 00:29:16.823 --> 00:29:18.990 You may notice your computer slows down quite a lot. 00:29:18.990 --> 00:29:22.140 That's because the computer is going to have 00:29:22.140 --> 00:29:23.850 to keep swapping things in and out of RAM 00:29:23.850 --> 00:29:25.350 in order to process multiple things. 
00:29:25.350 --> 00:29:28.420 That's why you don't want to leave several hundred tabs open, 00:29:28.420 --> 00:29:31.590 for example in your browser, or have 20 or 30 programs running 00:29:31.590 --> 00:29:33.497 at once on your computer if you can avoid it, 00:29:33.497 --> 00:29:35.580 because it's going to slow down and require things 00:29:35.580 --> 00:29:37.890 to be swapped in and out of RAM such that it can 00:29:37.890 --> 00:29:39.640 be moved to the processor quite a bit. 00:29:39.640 --> 00:29:41.790 That's really going to slow things down. 00:29:41.790 --> 00:29:45.303 While the program is running or being used by the computer, 00:29:45.303 --> 00:29:46.470 everything will stay in RAM. 00:29:46.470 --> 00:29:49.440 All the data will keep being manipulated there, 00:29:49.440 --> 00:29:51.340 and then ultimately when we close the program 00:29:51.340 --> 00:29:53.970 or once we otherwise indicate we haven't used it for some time 00:29:53.970 --> 00:29:56.845 and the computer realizes it needs that space for something else, all 00:29:56.845 --> 00:29:59.515 of those bits and bytes have been manipulated in RAM 00:29:59.515 --> 00:30:03.512 will be sort of picked up and moved back on the bus back to a hard disk 00:30:03.512 --> 00:30:06.720 where they will be resaved with the new state, such that any changes that you 00:30:06.720 --> 00:30:10.230 make in a program will ultimately be saved back to hard disk, 00:30:10.230 --> 00:30:13.792 but only once the program is completely done being used by the computer 00:30:13.792 --> 00:30:15.750 and it realizes it can free up that information 00:30:15.750 --> 00:30:19.290 and save it for long term storage. 00:30:19.290 --> 00:30:22.020 Hard drives, though, are not unbreakable. 00:30:22.020 --> 00:30:25.050 They have a lot of moving pieces. 
00:30:25.050 --> 00:30:27.820 A typical hard disk drive consists of several platters, 00:30:27.820 --> 00:30:33.840 some thin metal circles spinning around a central axis very rapidly, 00:30:33.840 --> 00:30:36.310 about 4,000 to 5,000 revolutions per minute. 00:30:36.310 --> 00:30:39.240 So very, very quickly, with a magnetic read 00:30:39.240 --> 00:30:46.190 write arm that extends over across the diameter of the disk, basically. 00:30:46.190 --> 00:30:47.940 And each one of the little rings that gets 00:30:47.940 --> 00:30:51.990 formed as you do this, as is the read write arm moves in and out, 00:30:51.990 --> 00:30:53.992 it can access different sectors on the disk, 00:30:53.992 --> 00:30:55.950 and those different sectors are the things that 00:30:55.950 --> 00:30:59.340 get zeroed and oned over time. 00:30:59.340 --> 00:31:02.020 So it is possible for hard drives to fail. 00:31:02.020 --> 00:31:04.020 There's usually a couple ways that this happens. 00:31:04.020 --> 00:31:09.210 If the read write arm jams, because it is on some sort of track that 00:31:09.210 --> 00:31:12.920 moves in and out, if it jams without collapsing, 00:31:12.920 --> 00:31:15.120 your hard drive will just stop working, basically, 00:31:15.120 --> 00:31:18.930 because you can't read or write information anymore using that arm. 00:31:18.930 --> 00:31:22.950 But it is also possible for the hard disk arm to break and fall. 00:31:22.950 --> 00:31:29.282 That arm spins just above the top of these disks, and if it crashes into it, 00:31:29.282 --> 00:31:30.240 you'll hear that sound. 00:31:30.240 --> 00:31:32.910 That'll be a very unique and interesting sound to hear. 
00:31:32.910 --> 00:31:34.910 Suffice it to say, your hard drive at that point 00:31:34.910 --> 00:31:37.438 is destroyed, because the collapse will crash everything, 00:31:37.438 --> 00:31:39.480 and these things are spinning very, very quickly, 00:31:39.480 --> 00:31:42.832 and so they're going to shred themselves from the inside. 00:31:42.832 --> 00:31:45.540 And you will no longer be able to get any data off of that drive. 00:31:45.540 --> 00:31:48.790 But if it's just the arm that gets stuck moving in and out but it doesn't fall 00:31:48.790 --> 00:31:52.260 down, you will still be able to recover data from that hard drive, 00:31:52.260 --> 00:31:54.048 and we'll talk about that shortly. 00:31:54.048 --> 00:31:57.090 Because a hard drive failure does not mean that the data is unrecoverable 00:31:57.090 --> 00:32:01.575 if the hard drive hasn't literally suffered this catastrophic shredding 00:32:01.575 --> 00:32:02.700 sort of thing that happens. 00:32:02.700 --> 00:32:04.410 That's going to render it unusable. 00:32:04.410 --> 00:32:08.460 But if it's just the arm that gets stuck, it is still usable. 00:32:08.460 --> 00:32:14.730 So what happens when we actually delete something on our machine? 00:32:14.730 --> 00:32:17.190 It turns out that overwriting hard disk space 00:32:17.190 --> 00:32:20.360 is actually a very, very time consuming and what 00:32:20.360 --> 00:32:24.270 we might consider computationally expensive operation for the machine. 00:32:28.370 --> 00:32:33.660 You could think about it as it has to pull all of the data from the hard disk 00:32:33.660 --> 00:32:38.250 into RAM, change all of those bytes to delete what was there before, 00:32:38.250 --> 00:32:40.200 and then put all of that data back. 
00:32:40.200 --> 00:32:42.090 The computer for some large files, say you 00:32:42.090 --> 00:32:44.400 want to delete a video file like a movie, that 00:32:44.400 --> 00:32:48.420 might be several gigabytes, so several billion bytes worth of data 00:32:48.420 --> 00:32:50.280 that we have to delete. 00:32:50.280 --> 00:32:53.520 The computer does not want to incur that sort of cost. 00:32:53.520 --> 00:32:57.900 Deleting a file if it actually had to do it that way would be very, very slow. 00:32:57.900 --> 00:33:02.070 It would compromise any other program that you had running on your machine. 00:33:02.070 --> 00:33:05.430 And so that's not how computers actually delete information. 00:33:05.430 --> 00:33:07.980 Rather, they just forget where the data live. 00:33:07.980 --> 00:33:10.710 It turns out there's also something called a page file that 00:33:10.710 --> 00:33:14.190 exists on your machine that is basically the home 00:33:14.190 --> 00:33:16.590 address of the first byte of every single file 00:33:16.590 --> 00:33:18.780 that you have on your machine. 00:33:18.780 --> 00:33:24.778 And when you delete a file typically in your computer, 00:33:24.778 --> 00:33:26.070 it just forgets where it lives. 00:33:26.070 --> 00:33:28.470 The bytes that made it up are still there. 00:33:28.470 --> 00:33:31.860 The zeros and ones that comprise that file don't go anywhere. 00:33:31.860 --> 00:33:34.803 They may eventually be overwritten by some other file that 00:33:34.803 --> 00:33:37.470 happens to be stored in that same spot, because the computer now 00:33:37.470 --> 00:33:41.160 thinks it's open because it forgot that you live there. 00:33:41.160 --> 00:33:46.080 And even then, this only happens when you empty your recycle bin or trash 00:33:46.080 --> 00:33:47.640 if you're using a Mac. 00:33:47.640 --> 00:33:49.770 If you just put something in the recycle bin, 00:33:49.770 --> 00:33:52.740 that's not actually deleting it in any meaningful way at all. 
00:33:52.740 --> 00:33:53.610 It hides the icon. 00:33:53.610 --> 00:33:56.100 You can't really click on that icon anymore, 00:33:56.100 --> 00:33:58.320 but you haven't deleted that file, and you probably 00:33:58.320 --> 00:34:03.480 know this because you can restore things from the recycle bin. 00:34:03.480 --> 00:34:09.420 But even when you empty the recycle bin or empty the trash on your machine, 00:34:09.420 --> 00:34:12.690 you're still not actually deleting anything in the sense 00:34:12.690 --> 00:34:15.300 that you might be thinking is how we delete things. 00:34:15.300 --> 00:34:18.900 Instead, your computer's just forgetting what was there before. 00:34:18.900 --> 00:34:23.250 But those bits and bytes that comprise those files that you have deleted 00:34:23.250 --> 00:34:26.580 are still there, and that creates a couple of really interesting security 00:34:26.580 --> 00:34:28.949 implications. 00:34:28.949 --> 00:34:32.110 So files that get deleted aren't really deleted, 00:34:32.110 --> 00:34:35.969 which means that we can recover the information from them if we need to. 00:34:35.969 --> 00:34:37.447 How exactly might we do that? 00:34:37.447 --> 00:34:40.530 Well, there's definitely some tools out there that can be used to do this. 00:34:40.530 --> 00:34:42.697 And again, this requires that the hard drive was not 00:34:42.697 --> 00:34:46.409 physically destroyed in some way by the collapse of the read write arm. 
00:34:46.409 --> 00:34:49.530 But we can literally just connect the hard drive to something and have 00:34:49.530 --> 00:34:53.159 a specialized tool that reads over all of those individual sectors 00:34:53.159 --> 00:34:56.370 on the disk-- and this is a very slow operation for sure-- 00:34:56.370 --> 00:34:58.970 read over all of the individual sectors on that disk and just 00:34:58.970 --> 00:35:01.553 say, well, this is a zero and this is a one and this is a zero 00:35:01.553 --> 00:35:05.040 and this is a one until we end up with this huge file that 00:35:05.040 --> 00:35:08.820 is all the zeros and ones that comprised what was originally 00:35:08.820 --> 00:35:10.830 the state of that hard drive. 00:35:10.830 --> 00:35:13.290 And we usually refer to this file that gets created, 00:35:13.290 --> 00:35:17.250 this clone of the hard drive, as a forensic image. 00:35:17.250 --> 00:35:21.150 It's really just a huge file that is a complete replication 00:35:21.150 --> 00:35:23.850 of the bit by bit content as well as any metadata that 00:35:23.850 --> 00:35:28.050 might be associated with it that can be then created 00:35:28.050 --> 00:35:32.940 and read on a different computer so that even though the hard drive this was 00:35:32.940 --> 00:35:35.030 plugged into, maybe the computer got destroyed, 00:35:35.030 --> 00:35:39.750 where we can make a copy of it and read it on a different machine instead. 00:35:39.750 --> 00:35:43.950 So we go from this to how do people pick out what those files were? 00:35:43.950 --> 00:35:46.830 Again, computers only understand zeros and ones 00:35:46.830 --> 00:35:49.050 and at the end of the day, all of the stuff that 00:35:49.050 --> 00:35:51.720 is stored in your hard drive, all those files, 00:35:51.720 --> 00:35:55.020 anything that was stored in RAM when it was powered, 00:35:55.020 --> 00:35:56.580 is still just zeros and ones. 00:35:56.580 --> 00:35:59.490 They don't have icons like we see on our desktop. 
00:35:59.490 --> 00:36:01.590 They don't mean anything intuitively. 00:36:01.590 --> 00:36:05.390 So how do we figure out what those files are? 00:36:05.390 --> 00:36:08.820 Well, it turns out that many of them have what is called a signature 00:36:08.820 --> 00:36:11.610 or a magic number associated with them. 00:36:11.610 --> 00:36:15.720 A magic number is just a way to refer to the first few bytes of a file 00:36:15.720 --> 00:36:20.850 where many file types, for examples, PDFs, most image files, most music file 00:36:20.850 --> 00:36:23.820 types and so on, happen to start in a particular way. 00:36:23.820 --> 00:36:27.360 This isn't a way that we ever see when we open one of these files. 00:36:27.360 --> 00:36:29.730 But in the metadata at the beginning of those files, 00:36:29.730 --> 00:36:34.080 there's usually a sequence of bytes that represent 00:36:34.080 --> 00:36:38.092 a signature in effect of saying, the file that I'm about to open is a PDF, 00:36:38.092 --> 00:36:40.800 and you can generally rely on that because these first four bytes 00:36:40.800 --> 00:36:43.700 or whatever are these values. 00:36:43.700 --> 00:36:45.450 Now again, it's four to eight bytes, which 00:36:45.450 --> 00:36:51.420 means there are two to the 32 to two to the 256ish possibilities for what 00:36:51.420 --> 00:36:53.525 these first bits are. 00:36:53.525 --> 00:36:55.150 That's a lot of different combinations. 00:36:55.150 --> 00:37:01.120 And so if we see a magic number randomly appear in some forensic image 00:37:01.120 --> 00:37:04.170 or on some hard drive, the odds are pretty 00:37:04.170 --> 00:37:07.950 good that if we see that pattern, we know that that pattern generally 00:37:07.950 --> 00:37:11.130 refers to a file of that type, that what we have found 00:37:11.130 --> 00:37:14.687 is the beginning of a file of exactly that type. 
00:37:14.687 --> 00:37:16.520 And we can start to interpret it in that way 00:37:16.520 --> 00:37:19.170 maybe and maybe be able to reconstruct something from it. 00:37:19.170 --> 00:37:23.340 So for example, it turns out that most PDFs have in their metadata-- 00:37:23.340 --> 00:37:25.140 and we never really see this-- 00:37:25.140 --> 00:37:29.370 the characters percent PDF at the beginning of them. 00:37:29.370 --> 00:37:32.010 And that translates into this sequence of bits using the ASCII 00:37:32.010 --> 00:37:33.130 table that we've talked about before, and we 00:37:33.130 --> 00:37:35.505 don't need to get into a lot of detail, and it translates 00:37:35.505 --> 00:37:37.470 into these hexadecimal values. 00:37:37.470 --> 00:37:44.130 And so generally, if we happen to encounter exactly this pattern of 32 00:37:44.130 --> 00:37:48.390 bits, which we should only expect to see at the beginning of a PDF 00:37:48.390 --> 00:37:52.410 or otherwise once every one in two to the 32nd times-- 00:37:52.410 --> 00:37:54.820 like it's pretty uncommon to see exactly this pattern 00:37:54.820 --> 00:37:58.810 and we're looking for exactly that pattern. 00:37:58.810 --> 00:38:01.470 If we see those bits, generally what we can do 00:38:01.470 --> 00:38:05.010 is start to interpret the rest of this file as a PDF 00:38:05.010 --> 00:38:07.988 until we encounter some signature that we've reached the end of that. 00:38:07.988 --> 00:38:10.780 Whether that's a whole bunch of zeros or whether that's a signature 00:38:10.780 --> 00:38:14.453 that is again perhaps the start of another PDF. 00:38:14.453 --> 00:38:17.370 Now, of course it's possible that you'll end up with a false positive. 
00:38:17.370 --> 00:38:19.640 For example, anybody who's examining these slides 00:38:19.640 --> 00:38:22.140 at some point in the future-- say that my hard drive crashed 00:38:22.140 --> 00:38:24.348 and I happen to literally have the characters percent 00:38:24.348 --> 00:38:27.060 PDF typed on to this slide. 00:38:27.060 --> 00:38:30.660 If you were to forensically recover my hard drive and analyze it 00:38:30.660 --> 00:38:35.670 and you found this PowerPoint file that is where I'm presenting the slides from 00:38:35.670 --> 00:38:39.810 and you saw literally the characters percent PDF in it as zeros and ones, 00:38:39.810 --> 00:38:43.192 you might mistakenly think, this happens to be a PDF 00:38:43.192 --> 00:38:45.150 and start to interpret from this point forward, 00:38:45.150 --> 00:38:46.745 this yellow point forward as a PDF. 00:38:49.950 --> 00:38:51.660 But it wouldn't work. 00:38:51.660 --> 00:38:52.260 And that's OK. 00:38:52.260 --> 00:38:53.968 You might get a false positive sometimes, 00:38:53.968 --> 00:38:56.550 and then you just kind of disregard it and you keep looking. 00:38:56.550 --> 00:38:57.810 You look for a different type of file. 00:38:57.810 --> 00:38:59.630 You look for a different file signature and so on. 00:38:59.630 --> 00:39:02.047 But it can happen that you have a false positive like this 00:39:02.047 --> 00:39:04.543 in situations where you're trying to sort it out, 00:39:04.543 --> 00:39:06.210 because you have no other context clues. 00:39:06.210 --> 00:39:09.270 All you have are the bits and the information 00:39:09.270 --> 00:39:11.950 that you know about file signatures. 00:39:11.950 --> 00:39:16.490 OK, so we have this empty trash or empty recycle bin icon or menu 00:39:16.490 --> 00:39:17.490 option on our computers. 00:39:17.490 --> 00:39:21.810 But now we know it doesn't actually empty the trash at all. 
00:39:21.810 --> 00:39:24.840 So how do we actually delete files from our hard drives 00:39:24.840 --> 00:39:26.940 as opposed to just having our hard drives forget 00:39:26.940 --> 00:39:30.420 or our systems forget where on the hard drive that file lived? 00:39:30.420 --> 00:39:34.140 We probably want to do that at some point, get rid of the data 00:39:34.140 --> 00:39:35.430 on our machines. 00:39:35.430 --> 00:39:36.880 How exactly can we go about that? 00:39:36.880 --> 00:39:41.705 Well, there's actually relatively few ways to actually delete this data. 00:39:41.705 --> 00:39:43.830 The first of which we've already kind of discussed, 00:39:43.830 --> 00:39:46.170 which is physically destroying the hard drive. 00:39:46.170 --> 00:39:49.230 There are services out there that will shred your hard drives for you. 00:39:49.230 --> 00:39:52.020 If your read write arm breaks in a catastrophic way, 00:39:52.020 --> 00:39:55.590 your read write arm will shred the device for you itself. 00:39:55.590 --> 00:39:58.950 That's one way to ensure that your data is protected or deleted 00:39:58.950 --> 00:40:02.070 is to make it absolutely impossible to recover information 00:40:02.070 --> 00:40:04.320 from it by physical destruction. 00:40:04.320 --> 00:40:07.050 You can use a tool called a degausser. A degausser is really 00:40:07.050 --> 00:40:12.300 just a very strong magnet that you hold over the device for a period of time. 00:40:12.300 --> 00:40:15.180 It will also usually cause some sort of physical damage, 00:40:15.180 --> 00:40:18.720 because it's also going to mess up some of the metal that 00:40:18.720 --> 00:40:21.730 is inside the machine that is not storing data 00:40:21.730 --> 00:40:23.850 but is just structural metal. 
00:40:23.850 --> 00:40:27.000 So usually a degausser will not only wipe out information 00:40:27.000 --> 00:40:30.390 by setting all of the bits, flipping the polarity of all the bits from south 00:40:30.390 --> 00:40:32.490 to north or something like that, but it will also 00:40:32.490 --> 00:40:34.698 usually cause some sort of mechanical wear just based 00:40:34.698 --> 00:40:37.350 on the strength of that magnet. 00:40:37.350 --> 00:40:39.420 But then we have this thing Secure Empty Trash. 00:40:39.420 --> 00:40:40.962 We saw this in the menu a second ago. 00:40:40.962 --> 00:40:43.770 What do you think Secure Empty Trash might do? 00:40:43.770 --> 00:40:45.810 Well, one thing that you might think is that it 00:40:45.810 --> 00:40:48.670 would overwrite the data with random bits, and you would be correct. 00:40:48.670 --> 00:40:50.340 That's what Secure Empty Trash does. 00:40:50.340 --> 00:40:53.850 So instead of just deleting information from the hard drive 00:40:53.850 --> 00:40:57.000 by forgetting where it lives, instead we actually go to that spot. 00:40:57.000 --> 00:41:00.600 And instead of writing all zeros or all ones, 00:41:00.600 --> 00:41:04.970 we just write random bits over it. 00:41:04.970 --> 00:41:08.880 But it turns out that this is actually not good enough 00:41:08.880 --> 00:41:10.802 to delete information on a single pass. 00:41:10.802 --> 00:41:13.260 But a single pass is actually what Secure Empty Trash does. 00:41:13.260 --> 00:41:17.040 It only makes one pass through, randomly setting each bit of that file 00:41:17.040 --> 00:41:18.647 to a one or a zero. 
00:41:18.647 --> 00:41:21.480 But it turns out, and the physics of this is a little bit beyond me, 00:41:21.480 --> 00:41:25.470 but it turns out that when the polarity of a magnet on a hard drive 00:41:25.470 --> 00:41:29.880 is flipped from zero to one, there's actually sort of this lingering halo 00:41:29.880 --> 00:41:35.740 effect that it leaves behind so that you can tell that this bit is a one now, 00:41:35.740 --> 00:41:37.350 but it used to be a zero. 00:41:37.350 --> 00:41:40.120 And that effect lingers for a little while. 00:41:40.120 --> 00:41:42.900 But if you keep changing it multiple times over and over, 00:41:42.900 --> 00:41:44.950 eventually that effect gets lost. 00:41:44.950 --> 00:41:46.380 So you can tell what bits-- 00:41:46.380 --> 00:41:49.695 imagine every bit was a one after you make one pass through it. 00:41:49.695 --> 00:41:52.680 All of those things that were ones before, their polarity didn't flip. 00:41:52.680 --> 00:41:54.210 There's no halo effect. 00:41:54.210 --> 00:41:57.390 But everything that used to be zero and is now a one 00:41:57.390 --> 00:42:02.730 has this slight signature left behind that says, this used to be a zero. 00:42:02.730 --> 00:42:06.630 And a good forensic analyst is able to take a look at that. 00:42:06.630 --> 00:42:09.760 As it reads, it can read the polarity of the magnet 00:42:09.760 --> 00:42:14.400 and see that it's slightly not exactly zero and not exactly one and say, OK. 00:42:14.400 --> 00:42:18.730 Well this bit probably used to be the opposite. 00:42:18.730 --> 00:42:22.020 And so even making one random pass across a hard drive 00:42:22.020 --> 00:42:26.162 is not enough to definitely securely erase the data on it. 
00:42:26.162 --> 00:42:27.870 You actually have to make it's considered 00:42:27.870 --> 00:42:30.960 to be seven passes is the industry standard 00:42:30.960 --> 00:42:36.810 to make sure that enough randomness has affected each of the individual magnets 00:42:36.810 --> 00:42:39.570 such that you can't tell what was there before. 00:42:39.570 --> 00:42:42.720 So to truly securely erase the hard drive and preserve it in a state where 00:42:42.720 --> 00:42:44.635 you can actually use it, you need to use-- 00:42:44.635 --> 00:42:46.560 and there are software tools that do this-- 00:42:46.560 --> 00:42:49.470 a tool that will overwrite the drive randomly 00:42:49.470 --> 00:42:53.473 multiple times to eliminate any of that lingering halo effect. 00:42:53.473 --> 00:42:55.140 But Secure Empty Trash does not do that. 00:42:55.140 --> 00:42:57.450 It only makes a single pass over the drive. 00:42:57.450 --> 00:43:03.270 So enough to cover it up for undiscerning 00:43:03.270 --> 00:43:08.010 eyes, but experts who study this and work with this kind of data 00:43:08.010 --> 00:43:11.520 regularly might still be able to figure out what the original data was 00:43:11.520 --> 00:43:14.490 if just a single pass is made. 00:43:14.490 --> 00:43:16.267 So why is this important? 00:43:16.267 --> 00:43:17.350 Well, there's two reasons. 00:43:17.350 --> 00:43:20.280 One, as attorneys, we want to make sure that we are doing everything 00:43:20.280 --> 00:43:23.250 we can to protect our clients' data. 00:43:23.250 --> 00:43:27.990 And also as we're working with those who may be less technically inclined, it's 00:43:27.990 --> 00:43:32.370 important for us as part of our competent representation of clients 00:43:32.370 --> 00:43:36.870 to inform them about what we can about the technology implications of some 00:43:36.870 --> 00:43:40.150 of the things they do from a legal perspective.
00:43:40.150 --> 00:43:43.680 And so if you're working in a large firm environment or as an in-house counsel, 00:43:43.680 --> 00:43:47.460 it's probably not going to fall to you as an attorney 00:43:47.460 --> 00:43:53.550 to develop some sort of protocol for establishing the best 00:43:53.550 --> 00:43:56.250 practices for working with client data. 00:43:56.250 --> 00:43:59.515 But it is really useful to understand what these protocols are 00:43:59.515 --> 00:44:01.890 and how you might be able to contribute to a conversation 00:44:01.890 --> 00:44:05.010 about making these protocols more robust. 00:44:05.010 --> 00:44:07.830 Here are some basic strategies that you can use as an attorney 00:44:07.830 --> 00:44:11.640 to protect your own client data but also to advise clients 00:44:11.640 --> 00:44:16.090 so that they can protect their data for their clients and so on. 00:44:16.090 --> 00:44:20.280 So the first one is quite easy, and that is to encrypt your hard drive. 00:44:20.280 --> 00:44:22.650 So we talked about encryption previously, 00:44:22.650 --> 00:44:25.020 but you can also encrypt your own hard drive such 00:44:25.020 --> 00:44:30.420 that when your computer turns on, you need to enter a password. 00:44:30.420 --> 00:44:32.610 It's again similar to this public private key idea 00:44:32.610 --> 00:44:34.410 that we've previously discussed. 00:44:34.410 --> 00:44:38.010 You need to type in this password in order for your entire hard drive 00:44:38.010 --> 00:44:41.880 to be unencrypted such that you can then read the data on it. 00:44:41.880 --> 00:44:45.120 Most operating systems now provide tools that 00:44:45.120 --> 00:44:48.780 are built into the operating system itself so that you can do this. 00:44:48.780 --> 00:44:50.850 So there's really no excuse not to do it. 
00:44:50.850 --> 00:44:53.730 It is a very easy, straightforward and simple way 00:44:53.730 --> 00:44:58.250 to take a pretty strong step at protecting the data on your machine 00:44:58.250 --> 00:44:59.520 easily. 00:44:59.520 --> 00:45:01.830 Again, this usually requires a password. 00:45:01.830 --> 00:45:04.957 Typically it'll be after you turn your computer on before the operating 00:45:04.957 --> 00:45:08.040 system itself loads, the operating system being one of the few things that 00:45:08.040 --> 00:45:11.550 is not encrypted such that it can then open the files 00:45:11.550 --> 00:45:14.670 and unencrypt everything and so on. 00:45:14.670 --> 00:45:18.120 But it will not proceed past the operating system load point 00:45:18.120 --> 00:45:19.810 until that password is provided. 00:45:19.810 --> 00:45:23.050 But do be careful, because some of these systems, 00:45:23.050 --> 00:45:25.920 particularly the more advanced ones, after a certain number 00:45:25.920 --> 00:45:31.950 of incorrect guesses will begin to securely wipe your hard drive using 00:45:31.950 --> 00:45:34.030 multiple passes of zeros and ones. 00:45:34.030 --> 00:45:39.420 And so if you think there's a danger that you might forget your master 00:45:39.420 --> 00:45:43.890 password so to speak for this hard drive encryption, 00:45:43.890 --> 00:45:46.265 you might want to keep something somewhere to remind you. 00:45:46.265 --> 00:45:48.890 I wouldn't recommend like sticking a sticky note on the monitor 00:45:48.890 --> 00:45:51.243 or anything like that, but have some sort of way 00:45:51.243 --> 00:45:53.910 to remember that password in the event that you might forget it, 00:45:53.910 --> 00:45:58.230 because you might lose data if you guess wrong too many times depending 00:45:58.230 --> 00:46:02.220 on which hard drive encryption tool you are using. 00:46:02.220 --> 00:46:05.460 Another relatively easy thing to do is to avoid 00:46:05.460 --> 00:46:07.950 using insecure wireless networks. 
00:46:07.950 --> 00:46:10.600 These are generally not as common anymore. 00:46:10.600 --> 00:46:14.970 Most people have wireless networks that require a password, 00:46:14.970 --> 00:46:18.540 and usually wireless networks that require a password will then 00:46:18.540 --> 00:46:21.570 have encryption for that individual making the connection 00:46:21.570 --> 00:46:24.150 on the system on the network. 00:46:24.150 --> 00:46:26.640 But unsecured networks do provide opportunities 00:46:26.640 --> 00:46:31.140 for those listening using tools that are called packet sniffers, which 00:46:31.140 --> 00:46:32.940 are literally just listening and gathering 00:46:32.940 --> 00:46:36.450 data on all of the packets of information 00:46:36.450 --> 00:46:39.960 that are being transmitted over the internet in the vicinity 00:46:39.960 --> 00:46:42.900 of the unsecured wireless network. 00:46:42.900 --> 00:46:46.710 And so you might see-- this is a screenshot of a tool called Wireshark, 00:46:46.710 --> 00:46:48.150 and it's a little blurry. 00:46:48.150 --> 00:46:51.180 There's not a lot of relevant information here. 00:46:51.180 --> 00:46:54.750 But on an unsecured network, it is possible to read 00:46:54.750 --> 00:46:57.390 all of the bytes and bits that are flowing through, 00:46:57.390 --> 00:47:00.420 translate them into their ASCII equivalents, 00:47:00.420 --> 00:47:02.970 and realize that this person is providing a username 00:47:02.970 --> 00:47:05.910 and password and an action logging in. 00:47:05.910 --> 00:47:09.060 And so anybody who is able to then take this information and see what IP 00:47:09.060 --> 00:47:12.525 address it came from-- and we'll talk about IP addresses shortly as well-- 00:47:12.525 --> 00:47:14.400 or where it was going to might be able to use 00:47:14.400 --> 00:47:17.580 that data to log in as that person, which would definitely not 00:47:17.580 --> 00:47:20.640 be a good thing at all.
00:47:20.640 --> 00:47:23.340 One way to get around this if you find yourself in a situation 00:47:23.340 --> 00:47:26.845 where you need to connect to the internet to do work 00:47:26.845 --> 00:47:29.470 or for whatever reason you need to be connected to the internet 00:47:29.470 --> 00:47:32.220 even if you're not sure about the quality of the network 00:47:32.220 --> 00:47:35.730 is to rely on private or work provided VPN services. 00:47:35.730 --> 00:47:39.090 VPN is a virtual private network, and it provides a way 00:47:39.090 --> 00:47:44.370 to connect to a trusted encrypted network, have that network act as you, 00:47:44.370 --> 00:47:48.960 effectively for providing encryption services for your web traffic 00:47:48.960 --> 00:47:53.550 even if you're not sure that your traffic itself is unencrypted. 00:47:53.550 --> 00:47:58.650 So VPNs are available at most businesses or also available online. 00:47:58.650 --> 00:48:00.870 Relatively inexpensively, you can buy tools 00:48:00.870 --> 00:48:05.880 that would allow you to make use of a virtual private network. 00:48:05.880 --> 00:48:07.380 Password managers. 00:48:07.380 --> 00:48:08.940 Password managers are great. 00:48:08.940 --> 00:48:11.880 Honestly, I can tell you that I don't know most of the passwords 00:48:11.880 --> 00:48:15.367 that I use on a daily basis because I rely on a password manager. 00:48:15.367 --> 00:48:16.950 There are several services out there-- 00:48:16.950 --> 00:48:19.530 LastPass, 1Password, and others. 00:48:19.530 --> 00:48:25.200 Basically, the idea is the tool will generate passwords for you. 00:48:25.200 --> 00:48:27.510 You only have to remember the master password, the one 00:48:27.510 --> 00:48:30.450 password that you can use to unlock everything 00:48:30.450 --> 00:48:33.660 to open the password manager itself.
00:48:33.660 --> 00:48:35.910 And then once you're logged into the password manager, 00:48:35.910 --> 00:48:39.450 you just direct it to log in on your behalf to different services. 00:48:39.450 --> 00:48:42.390 You usually tell it this is the URL I'd like you to go to, 00:48:42.390 --> 00:48:46.500 this is the username to use, and then the secretly generated password 00:48:46.500 --> 00:48:51.220 that you don't generally know is stored in the password manager itself. 00:48:51.220 --> 00:48:54.120 Some of these tools are local to your machine. 00:48:54.120 --> 00:48:56.370 More often than not, they are starting to migrate 00:48:56.370 --> 00:49:00.060 to be cloud based services, which does introduce another interesting question 00:49:00.060 --> 00:49:04.500 of do you trust your data to be stored on the cloud as opposed 00:49:04.500 --> 00:49:06.150 to being stored on your device? 00:49:06.150 --> 00:49:08.250 And that's really a question that you should 00:49:08.250 --> 00:49:11.100 consider when you're thinking about using one of these tools. 00:49:11.100 --> 00:49:14.710 Most of these tools also have an excellent secondary effect, 00:49:14.710 --> 00:49:18.320 which is that they often provide two factor authentication support. 00:49:18.320 --> 00:49:20.070 And two factor authentication is something 00:49:20.070 --> 00:49:22.710 that we will talk about shortly as well, but it is usually something 00:49:22.710 --> 00:49:24.630 that you know, like a password or something 00:49:24.630 --> 00:49:28.460 that the password manager knows, and something you have like your cell 00:49:28.460 --> 00:49:32.055 phone, for example, that might be getting a text message with a code 00:49:32.055 --> 00:49:33.930 that you're supposed to enter as well.
00:49:33.930 --> 00:49:37.710 And the idea is that an adversary who is trying to hack into your account 00:49:37.710 --> 00:49:42.510 probably may know your password but won't have your phone, 00:49:42.510 --> 00:49:45.930 or may have your phone because they took it but won't know your password. 00:49:45.930 --> 00:49:51.430 And so these two factors are designed to preempt basic hacking attempts. 00:49:51.430 --> 00:49:54.358 But as I mentioned, these tools are great, 00:49:54.358 --> 00:49:56.400 but you should be skeptical of them, particularly 00:49:56.400 --> 00:50:01.020 if they are cloud based, because it is possible for bad things to happen. 00:50:01.020 --> 00:50:05.370 So for example, not too long ago, a few million users 00:50:05.370 --> 00:50:10.080 of the password manager Blur had information that was leaked online. 00:50:10.080 --> 00:50:12.330 None of this information was actually their passwords. 00:50:12.330 --> 00:50:15.790 It was more customer related information, sort of ancillary 00:50:15.790 --> 00:50:19.510 this is their email address and some other stuff. 00:50:19.510 --> 00:50:21.700 But it hits a little close to home. 00:50:21.700 --> 00:50:25.180 And so again, always be skeptical when thinking 00:50:25.180 --> 00:50:30.280 about your own data and your clients' data. 00:50:30.280 --> 00:50:35.550 But these tools are generally more good than bad. 00:50:35.550 --> 00:50:38.050 But again, the decision of whether to use these tools really 00:50:38.050 --> 00:50:41.890 does ultimately fall to you having done research into them, 00:50:41.890 --> 00:50:45.130 seeing whether or not they make sense for you, 00:50:45.130 --> 00:50:49.600 whether you want to take advantage of the advantages that they offer. 
00:50:49.600 --> 00:50:52.990 If you're not going to use a password manager, 00:50:52.990 --> 00:50:56.650 you should at least be sure to use complex passwords 00:50:56.650 --> 00:51:01.098 and certainly make sure to avoid using the same password for multiple services 00:51:01.098 --> 00:51:03.640 unless it's like a throw away password that you use on things 00:51:03.640 --> 00:51:05.230 that you don't care about. 00:51:05.230 --> 00:51:09.790 But you want to definitely avoid using the same password 00:51:09.790 --> 00:51:11.470 on important services. 00:51:11.470 --> 00:51:16.960 So like your Gmail account or any client log in related information 00:51:16.960 --> 00:51:19.090 that you have, or anything banking. 00:51:19.090 --> 00:51:23.150 You want to use different passwords for all of those things. 00:51:23.150 --> 00:51:25.120 Passwords that have less than eight characters 00:51:25.120 --> 00:51:26.870 or less than or equal to eight characters, 00:51:26.870 --> 00:51:29.950 you should effectively consider have been broken and hacked already. 00:51:29.950 --> 00:51:30.880 Those are not secure. 00:51:30.880 --> 00:51:34.840 Computers are definitely powerful enough nowadays that it can be brute forced 00:51:34.840 --> 00:51:36.990 in a relatively short amount of time. 00:51:36.990 --> 00:51:40.570 We're still talking maybe days here for an eight character password, 00:51:40.570 --> 00:51:43.660 but that is not that much of an effort. 00:51:43.660 --> 00:51:47.230 Passwords should be at least 12 characters now for sure. 00:51:47.230 --> 00:51:51.560 You should definitely have a mix of uppercase, lowercase letters, numbers, 00:51:51.560 --> 00:51:52.752 symbols, anything like that. 00:51:52.752 --> 00:51:55.210 But anything that is less than or equal to eight characters 00:51:55.210 --> 00:51:58.572 should definitely be considered to be effectively hacked already. 
00:51:58.572 --> 00:52:00.655 And if it hasn't been hacked already, certainly it 00:52:00.655 --> 00:52:03.130 is capable of being hacked very easily by anybody who 00:52:03.130 --> 00:52:06.220 wants to put in the effort to do so. 00:52:06.220 --> 00:52:09.310 You should also change your passwords as frequently as you can. 00:52:09.310 --> 00:52:14.053 For example, I have a bank that requires me to change my password every 90 days 00:52:14.053 --> 00:52:16.470 in order to continue to use their online banking services. 00:52:16.470 --> 00:52:19.030 And on the one hand, yes, you may find that kind of annoying. 00:52:19.030 --> 00:52:23.410 But on the other hand, it's good to keep things changing so that you're never 00:52:23.410 --> 00:52:26.888 having a password get stale and potentially then leaving it vulnerable, 00:52:26.888 --> 00:52:28.930 especially if it's the password that you may have 00:52:28.930 --> 00:52:31.270 used on multiple services in the past. 00:52:31.270 --> 00:52:33.523 It's a good thing to keep in mind, especially 00:52:33.523 --> 00:52:35.440 if you don't have that many passwords that you 00:52:35.440 --> 00:52:41.110 need to maintain to change them as frequently as you're able to. 00:52:41.110 --> 00:52:42.162 Creating backups. 00:52:42.162 --> 00:52:43.870 Creating backups of information is really 00:52:43.870 --> 00:52:47.200 important, because sometimes things will go wrong that you don't expect, 00:52:47.200 --> 00:52:49.300 like maybe your hard drive will suffer some sort 00:52:49.300 --> 00:52:52.480 of catastrophic mechanical failure and you wouldn't otherwise have a way 00:52:52.480 --> 00:52:54.520 to get that information back. 
00:52:54.520 --> 00:52:57.280 So periodically backing your data up protects you 00:52:57.280 --> 00:53:00.610 in the event of hardware failure or in the event 00:53:00.610 --> 00:53:05.740 of some sort of ransomware attack where an adversary breaks 00:53:05.740 --> 00:53:09.250 into your network, your office's network for example, 00:53:09.250 --> 00:53:14.440 and doesn't take any data away but encrypts it using their own public 00:53:14.440 --> 00:53:17.560 and private key such that there's no way for you 00:53:17.560 --> 00:53:19.780 to read that information until you usually pay them 00:53:19.780 --> 00:53:22.760 some ransom, which is usually money or something like that 00:53:22.760 --> 00:53:24.668 or bitcoin or the like. 00:53:24.668 --> 00:53:26.710 So you should back your data up pretty regularly. 00:53:26.710 --> 00:53:31.450 You can back it up in the cloud using cloud based document storage services. 00:53:31.450 --> 00:53:34.990 You can also just back it up on paper in certain situations as well. 00:53:34.990 --> 00:53:38.080 But definitely back it up to non network connected machines, 00:53:38.080 --> 00:53:41.110 so a computer that you have that is never connected to the internet 00:53:41.110 --> 00:53:44.470 and is primarily used just for its hard drive space, basically. 00:53:44.470 --> 00:53:48.670 Or to flash drives or CD-ROMs if you're still using that technology. 00:53:48.670 --> 00:53:53.200 Just have some offline way to access important data in the event 00:53:53.200 --> 00:53:56.046 that something goes really, really wrong. 00:53:56.046 --> 00:53:58.900 Also, have an archival plan for data. 00:53:58.900 --> 00:54:00.910 You don't need to keep data around forever. 00:54:00.910 --> 00:54:04.090 We oftentimes think that because we're living in this digital age 00:54:04.090 --> 00:54:09.430 that everything we do persists forever and needs to persist forever 00:54:09.430 --> 00:54:10.600 and is tracked.
00:54:10.600 --> 00:54:12.430 But that's not entirely true, particularly 00:54:12.430 --> 00:54:17.230 if we are proactive in doing our part to archive or delete data 00:54:17.230 --> 00:54:19.090 when we no longer need it. 00:54:19.090 --> 00:54:21.460 Particularly when you're considering client data, 00:54:21.460 --> 00:54:25.180 it is important to develop a consistent plan for when 00:54:25.180 --> 00:54:27.010 you are done working with that data. 00:54:27.010 --> 00:54:33.190 So for example, it may be the case that in your firm after three years of no 00:54:33.190 --> 00:54:35.920 longer having any matters related to that client, 00:54:35.920 --> 00:54:40.490 it is just your office's policy to delete that client's data. 00:54:40.490 --> 00:54:42.490 And that might mean transferring other data that 00:54:42.490 --> 00:54:45.460 might be on a shared disk with them off of it 00:54:45.460 --> 00:54:49.030 and literally going through the process of either destroying the drive 00:54:49.030 --> 00:54:54.190 or doing the multiple passes over the drive using zeros and ones randomly 00:54:54.190 --> 00:54:58.030 just to obscure that data, because having that policy of not keeping 00:54:58.030 --> 00:55:03.160 things forever generally protects you, protects your clients if that data is 00:55:03.160 --> 00:55:05.770 no longer needed. 00:55:05.770 --> 00:55:08.198 Also, make talking about data security a priority. 00:55:08.198 --> 00:55:10.240 I know it's not exactly the buzziest conversation 00:55:10.240 --> 00:55:12.430 to have around the water cooler, but a lot of people 00:55:12.430 --> 00:55:18.060 are not as thoughtful about technology as you may be taking this course. 00:55:18.060 --> 00:55:22.050 And it may be a shock to them to realize that when 00:55:22.050 --> 00:55:26.640 they delete a file on their machine, it doesn't actually do anything, 00:55:26.640 --> 00:55:27.420 basically.
00:55:27.420 --> 00:55:31.020 It just forgets that information, but that information still lives on. 00:55:31.020 --> 00:55:34.990 You don't have to be a tech expert to educate others. 00:55:34.990 --> 00:55:38.760 Particularly as someone who's coming into it with maybe a bit more of a leg 00:55:38.760 --> 00:55:41.520 up in understanding technology, speaking to individuals 00:55:41.520 --> 00:55:44.220 who may not know anything about what this technology is you 00:55:44.220 --> 00:55:47.970 can really do yourself and your colleagues and your clients a service 00:55:47.970 --> 00:55:50.320 by making this part of a typical conversation. 00:55:50.320 --> 00:55:56.310 Share your knowledge with others in your office and in your field. 00:55:56.310 --> 00:56:00.693 And finally, think about establishing a compliance protocol. 00:56:00.693 --> 00:56:02.610 A lot of these things that I've just described 00:56:02.610 --> 00:56:05.910 are very, very easy to set up at the outset. 00:56:05.910 --> 00:56:08.730 It is not difficult to say, I'm going to change all my passwords, 00:56:08.730 --> 00:56:10.950 and I'm going to use this password manager, 00:56:10.950 --> 00:56:14.490 and I'm going to write this policy for deleting information and archiving 00:56:14.490 --> 00:56:16.500 information periodically. 00:56:16.500 --> 00:56:22.170 The problem is that it becomes over time something that we forget to do. 00:56:22.170 --> 00:56:25.680 And having regular periods of having someone 00:56:25.680 --> 00:56:29.700 designated to make sure that these policies are being followed 00:56:29.700 --> 00:56:33.540 is really important, as we'll see shortly when we talk about some 00:56:33.540 --> 00:56:37.560 of the ABA ethical requirements for lawyers dealing with technology. 
00:56:37.560 --> 00:56:40.920 You want to make sure that if you establish some of these ground rules 00:56:40.920 --> 00:56:45.600 for working with data, that you continue to follow these rules as you work 00:56:45.600 --> 00:56:50.310 with this data for the months and years and so on going forward 00:56:50.310 --> 00:56:53.640 as opposed to just doing it once and forgetting about it. 00:56:53.640 --> 00:56:56.620 Because technology is not static. 00:56:56.620 --> 00:56:58.770 It's going to continue to advance, and we need 00:56:58.770 --> 00:57:00.240 to stay ahead of that as attorneys. 00:57:00.240 --> 00:57:04.650 It's part of our obligation to really understand this technology, 00:57:04.650 --> 00:57:08.820 stay current with any changes, and adapt and change our policies accordingly 00:57:08.820 --> 00:57:13.230 so that we're always staying as close to the cutting edge as we possibly can. 00:57:13.230 --> 00:57:15.847 I really encourage you to volunteer with the compliance team. 00:57:15.847 --> 00:57:17.680 You may have a compliance team, particularly 00:57:17.680 --> 00:57:19.980 if you are at a large office or in-house counsel 00:57:19.980 --> 00:57:24.790 setting, who is tasked with developing these technological policies. 00:57:24.790 --> 00:57:31.650 And even if you don't feel like you want to advise on new avenues to pursue 00:57:31.650 --> 00:57:35.162 or new policies to initiate, you still should be part of that conversation. 00:57:35.162 --> 00:57:38.370 You do bring something valuable to the conversation just having the knowledge 00:57:38.370 --> 00:57:41.520 that you have from a course like this and should be part of this conversation 00:57:41.520 --> 00:57:44.030 so that you can contribute to it more in the future as well. 
00:57:46.937 --> 00:57:49.270 I'd like to conclude our discussion today about security 00:57:49.270 --> 00:57:52.810 by drawing your attention to two really important ABA ethical decisions 00:57:52.810 --> 00:57:56.620 that relate to lawyers and technology and what 00:57:56.620 --> 00:58:00.850 lawyers should do in the event of a data breach at their office. 00:58:00.850 --> 00:58:04.420 And let's start by taking a look at formal opinion 477R which 00:58:04.420 --> 00:58:08.380 was released by the ABA in May of 2017. 00:58:08.380 --> 00:58:12.580 This opinion deals with attorneys' obligations with respect to technical 00:58:12.580 --> 00:58:13.600 know how. 00:58:13.600 --> 00:58:17.530 So it is now considered part of competent representation 00:58:17.530 --> 00:58:24.370 for an attorney to be considerate of the technological implications of what 00:58:24.370 --> 00:58:25.600 they do in their office. 00:58:25.600 --> 00:58:27.310 What does it mean to store documents? 00:58:27.310 --> 00:58:31.180 What does it mean to secure communications with clients? 00:58:31.180 --> 00:58:35.197 It is incumbent upon us as lawyers to stay abreast of these developments 00:58:35.197 --> 00:58:37.030 and really be informed about them and inform 00:58:37.030 --> 00:58:39.580 our clients about the ramifications of some 00:58:39.580 --> 00:58:42.760 of these new technological advancements. 00:58:42.760 --> 00:58:46.330 It also formalizes the requirement of offices and firms 00:58:46.330 --> 00:58:48.400 to have a compliance protocol. 00:58:48.400 --> 00:58:52.150 What do you do when you receive client data? 00:58:52.150 --> 00:58:53.950 Now, this opinion came out in 2017. 00:58:53.950 --> 00:58:57.790 It replaced something from 1999, which at the time 00:58:57.790 --> 00:59:02.590 the previous ABA opinion stated that all communications, including 00:59:02.590 --> 00:59:05.320 unsecured unencrypted email, were generally 00:59:05.320 --> 00:59:08.650 considered quote unquote secured. 
00:59:08.650 --> 00:59:11.283 Obviously, I think we can agree that is not the case anymore 00:59:11.283 --> 00:59:13.700 and certainly the ABA agrees that is not the case anymore. 00:59:13.700 --> 00:59:19.360 That's because we've transitioned from a time when a lot of lawyerly work 00:59:19.360 --> 00:59:23.130 was done not using the internet, not using emails. 00:59:23.130 --> 00:59:25.420 It was done using fax and paper and so on. 00:59:25.420 --> 00:59:28.810 And now we've transitioned to a mostly electronic way 00:59:28.810 --> 00:59:31.300 of providing legal services to our clients, 00:59:31.300 --> 00:59:35.800 and so our technological rules of our self-governing ethics 00:59:35.800 --> 00:59:40.180 need to evolve to account for that. 00:59:40.180 --> 00:59:44.350 It also brings up a very interesting question which is something just 00:59:44.350 --> 00:59:47.710 to think about going forward or discuss with others in your group of how 00:59:47.710 --> 00:59:51.670 do you reconcile a situation where you have a client who doesn't want 00:59:51.670 --> 00:59:55.390 to use secured communications or doesn't want 00:59:55.390 --> 00:59:58.630 to secure their data in working with you? 00:59:58.630 --> 01:00:01.930 How does that square with your job or your requirement 01:00:01.930 --> 01:00:05.470 as an attorney to ethically abide by this opinion 01:00:05.470 --> 01:00:12.340 and be mindful and guard clients against technological mistakes? 01:00:12.340 --> 01:00:16.150 Is it possible to provide competent representation to a client 01:00:16.150 --> 01:00:21.992 if they are unwilling to adhere to your firm's compliance protocol? 
01:00:21.992 --> 01:00:24.700 It's a really interesting question that I don't have an answer to 01:00:24.700 --> 01:00:27.190 but provokes an interesting discussion about what does it 01:00:27.190 --> 01:00:30.700 mean for us to have client intake and work with clients, 01:00:30.700 --> 01:00:33.610 and what happens when the client's wishes run 01:00:33.610 --> 01:00:35.960 against our ethical obligations? 01:00:35.960 --> 01:00:38.080 That's not a novel question to lawyers. 01:00:38.080 --> 01:00:41.470 That presents itself in different ways, but via technology, 01:00:41.470 --> 01:00:47.710 do we have yet another way we might have to consider this dilemma? 01:00:47.710 --> 01:00:52.900 Subsequent to 477R, a year and a half later in October of 2018, 01:00:52.900 --> 01:00:56.440 the ABA issued formal opinion 483, which kind of 01:00:56.440 --> 01:01:00.880 is the natural follow on to 477R, which deals with what 01:01:00.880 --> 01:01:05.920 happens if a lawyer's information is breached? 01:01:05.920 --> 01:01:10.150 If there is a data breach at the firm and client data is compromised, 01:01:10.150 --> 01:01:11.680 what do you have to do? 01:01:11.680 --> 01:01:16.090 One important thing to think about here is that this opinion formalizes 01:01:16.090 --> 01:01:19.330 the notion that has sort of long been held in technological circles 01:01:19.330 --> 01:01:24.010 that there are two kinds of businesses that exist-- 01:01:24.010 --> 01:01:27.520 ones that have been hacked, and ones that will be. 01:01:27.520 --> 01:01:30.460 Not ones that might be or not ones that could be. 01:01:30.460 --> 01:01:33.830 And perhaps even these are ones that have been and they don't know it yet.
01:01:33.830 --> 01:01:36.623 But it's just such a part of life nowadays 01:01:36.623 --> 01:01:39.040 that businesses either have been hacked or will be hacked, 01:01:39.040 --> 01:01:41.200 and that is the mindset that you should have 01:01:41.200 --> 01:01:44.770 when you are thinking about protecting client data, bringing in consultants, 01:01:44.770 --> 01:01:51.690 and hiring people to do their best work to defend your clients' data. 01:01:51.690 --> 01:01:56.350 Now, it turns out that law firms tend to be excellent targets for hackers, 01:01:56.350 --> 01:01:59.360 and the reason for that is that they have a lot of very valuable data. 01:01:59.360 --> 01:02:05.230 And unfortunately, the history is such that it is not always as well protected 01:02:05.230 --> 01:02:08.350 by law firms as it might have been by the clients themselves, 01:02:08.350 --> 01:02:12.490 because we as lawyers have been as equipped 01:02:12.490 --> 01:02:16.060 to have a conversation about technology and how that technology might 01:02:16.060 --> 01:02:19.580 affect our representation of clients. 01:02:19.580 --> 01:02:23.045 The opinion describes a bunch of different cyber episodes, so to speak, 01:02:23.045 --> 01:02:26.170 that might comprise a data breach, which would rise to the level of needing 01:02:26.170 --> 01:02:28.270 to report to a client. 
01:02:28.270 --> 01:02:30.310 These include things such as ransomware attacks, 01:02:30.310 --> 01:02:32.790 as we've discussed a little bit earlier today, 01:02:32.790 --> 01:02:37.330 systems attacks that might break or somehow damage 01:02:37.330 --> 01:02:42.050 the infrastructure of the firm or workplace, 01:02:42.050 --> 01:02:44.920 as well as exfiltrations, which are probably the worst 01:02:44.920 --> 01:02:48.110 kind of breach, which is someone hacks into your system 01:02:48.110 --> 01:02:52.700 and is able to remove data such that you may not even have a copy of that data 01:02:52.700 --> 01:02:55.730 anymore, and that's why having backups is so important, but removes 01:02:55.730 --> 01:03:02.150 that data from your servers, for example, to the adversary's servers. 01:03:02.150 --> 01:03:05.090 There is no ethical violation in being hacked. 01:03:05.090 --> 01:03:07.940 It's really important to make that very clear. 01:03:07.940 --> 01:03:14.180 The ethical violation occurs when non reasonable efforts are made, 01:03:14.180 --> 01:03:17.900 unreasonable efforts are made to protect that data. 01:03:17.900 --> 01:03:21.590 If we as attorneys are making reasonable efforts to protect our clients' data 01:03:21.590 --> 01:03:26.310 and we still get hacked, we have not necessarily done anything wrong 01:03:26.310 --> 01:03:30.365 as long as we were doing our best to protect or prevent that 01:03:30.365 --> 01:03:32.240 from happening in the first place and once we 01:03:32.240 --> 01:03:37.880 detect that it has happened, to make every reasonable effort to stop 01:03:37.880 --> 01:03:41.790 the attack if it is ongoing from continuing. 
01:03:41.790 --> 01:03:43.790 This also introduces a very interesting question 01:03:43.790 --> 01:03:46.640 of what to do with former client data that has been hacked, 01:03:46.640 --> 01:03:48.860 and that's why it's really important to establish 01:03:48.860 --> 01:03:53.780 some sort of archival or deletion plan for working with that data. 01:03:53.780 --> 01:03:55.640 The ABA proposes a couple of different ways 01:03:55.640 --> 01:04:01.970 to resolve how to deal with informing a former client about information related 01:04:01.970 --> 01:04:02.800 to a hack. 01:04:02.800 --> 01:04:07.130 But one of the most important things to draw from this opinion, I would say, 01:04:07.130 --> 01:04:11.600 is discussion about data retention needs to be 01:04:11.600 --> 01:04:14.600 part of your firm's intake process or your intake 01:04:14.600 --> 01:04:16.760 process for dealing with new clients. 01:04:16.760 --> 01:04:21.260 Who owns what has always sort of been part of the conversation. 01:04:21.260 --> 01:04:24.110 Generally as we know, we return client data to them 01:04:24.110 --> 01:04:25.920 when we are done working with it. 01:04:25.920 --> 01:04:28.700 How does this work in a digital context? 01:04:28.700 --> 01:04:30.980 It is really important for your intake plan 01:04:30.980 --> 01:04:37.550 at your firm to handle what happens to digital versions of client data 01:04:37.550 --> 01:04:44.587 when the representation has concluded because the matter has concluded. 01:04:44.587 --> 01:04:47.420 Speaking of concluded, that is going to wrap up our discussion today 01:04:47.420 --> 01:04:48.215 on security. 01:04:48.215 --> 01:04:50.090 This will be the first of our two discussions 01:04:50.090 --> 01:04:53.902 generally at length about security in the legal context. 
01:04:53.902 --> 01:04:55.610 But hopefully you've come away from today 01:04:55.610 --> 01:05:00.830 with a better understanding of how your system works, what memory is, 01:05:00.830 --> 01:05:03.840 and why when we delete things on our hard drives, 01:05:03.840 --> 01:05:06.590 it doesn't actually get deleted and what some of the ramifications 01:05:06.590 --> 01:05:07.782 might be for that. 01:05:07.782 --> 01:05:09.740 And hopefully you also have come away from this 01:05:09.740 --> 01:05:13.040 with an understanding of what to do going forward establishing 01:05:13.040 --> 01:05:16.340 best practices for working with client data 01:05:16.340 --> 01:05:19.220 to stay within the ethical guidelines proposed by the ABA, 01:05:19.220 --> 01:05:23.720 and just to generally have a more technical conversation with clients 01:05:23.720 --> 01:05:27.170 about your representation of them and what happens to their data 01:05:27.170 --> 01:05:30.160 when that representation has concluded.