1 00:00:00,000 --> 00:00:02,440 [MUSIC PLAYING] 2 00:00:02,440 --> 00:00:16,487 3 00:00:16,487 --> 00:00:19,320 SPEAKER: So today we're going to have our first of a few discussions 4 00:00:19,320 --> 00:00:21,420 about cybersecurity, and later on we're going 5 00:00:21,420 --> 00:00:24,480 to talk a little bit about cybersecurity in the context of the internet 6 00:00:24,480 --> 00:00:27,510 and some of the challenges that it brings up there. 7 00:00:27,510 --> 00:00:30,960 But today we're going to focus mostly on cybersecurity issues related 8 00:00:30,960 --> 00:00:34,050 to your machine, your computer without necessarily 9 00:00:34,050 --> 00:00:36,060 being connected to the internet. 10 00:00:36,060 --> 00:00:38,460 Before we do, we need to understand a little bit more 11 00:00:38,460 --> 00:00:41,445 about our machine's infrastructure, its hardware. 12 00:00:41,445 --> 00:00:43,320 And the biggest question to ask at the outset 13 00:00:43,320 --> 00:00:47,948 is, when we talk about the system's memory, what do we mean by that? 14 00:00:47,948 --> 00:00:51,240 That term kind of gets thrown around and it means a couple of different things, 15 00:00:51,240 --> 00:00:51,740 potentially. 16 00:00:51,740 --> 00:00:55,200 It might mean your system's RAM or random access 17 00:00:55,200 --> 00:00:59,490 memory, which is a rough translation of how much computing power it has, 18 00:00:59,490 --> 00:01:01,560 how many things it can do. 19 00:01:01,560 --> 00:01:03,690 And we can also talk about hard drive space 20 00:01:03,690 --> 00:01:07,780 as another example of system memory. 21 00:01:07,780 --> 00:01:10,200 Hard drive space is usually just free storage, basically. 22 00:01:10,200 --> 00:01:15,120 How much room do we have to literally store files on our machine? 23 00:01:15,120 --> 00:01:17,898 How much memory does your computer have? 24 00:01:17,898 --> 00:01:19,440 Maybe you do or maybe you don't know. 
25 00:01:19,440 --> 00:01:21,315 If you take a look at your system information 26 00:01:21,315 --> 00:01:24,780 or look up the computer that you bought on the internet, 27 00:01:24,780 --> 00:01:28,710 you might find that if we're quoting memory in terms of RAM, 28 00:01:28,710 --> 00:01:32,823 that your device might have as low as 512 megabytes of RAM, which 29 00:01:32,823 --> 00:01:33,990 is about half of a gigabyte. 30 00:01:33,990 --> 00:01:36,823 And that's not very much, most machines have much more than that now 31 00:01:36,823 --> 00:01:39,210 unless you have a low powered Chromebook, 32 00:01:39,210 --> 00:01:41,220 for example, that you use for travel. 33 00:01:41,220 --> 00:01:45,240 Memory on the RAM scale might go as high as 32 gigabytes of RAM, 34 00:01:45,240 --> 00:01:47,640 which is quite a bit more than that. 35 00:01:47,640 --> 00:01:49,825 That's generally for really high end computers. 36 00:01:49,825 --> 00:01:52,200 Computers, in particular, that process a lot of graphics. 37 00:01:52,200 --> 00:01:56,648 So sometimes computers that are specifically dedicated for gaming 38 00:01:56,648 --> 00:01:57,690 might have that much RAM. 39 00:01:57,690 --> 00:02:02,765 But typically the range is somewhere between four and 16 nowadays. 40 00:02:02,765 --> 00:02:05,640 When we're talking about hard drive space, that number is quite a bit 41 00:02:05,640 --> 00:02:06,190 bigger. 42 00:02:06,190 --> 00:02:10,620 So the typical hard drive nowadays might be as low as 128 gigabytes, 43 00:02:10,620 --> 00:02:14,580 if the drive is a solid state drive, versus a hard disk drive. 44 00:02:14,580 --> 00:02:17,580 We won't go into too much detail about the distinction between those two 45 00:02:17,580 --> 00:02:20,070 things, other than right now to say those are just two 46 00:02:20,070 --> 00:02:22,162 different ways to store data long term. 47 00:02:22,162 --> 00:02:23,370 So that might be the low end. 
48 00:02:23,370 --> 00:02:26,940 The high end is probably somewhere on two terabytes of information. 49 00:02:26,940 --> 00:02:30,060 One terabyte is 1000 gigabytes, give or take. 50 00:02:30,060 --> 00:02:33,120 So two terabytes would be about 2000, give or take, gigabytes. 51 00:02:33,120 --> 00:02:34,120 So quite a bit. 52 00:02:34,120 --> 00:02:36,050 Maybe even as high as four terabytes. 53 00:02:36,050 --> 00:02:37,800 That's quite a bit of storage information. 54 00:02:37,800 --> 00:02:43,440 That's enough to store several hundred HD, high quality films. 55 00:02:43,440 --> 00:02:48,150 But there's much more to memory than just RAM and hard disk space. 56 00:02:48,150 --> 00:02:51,660 There's actually kind of a hierarchy of memory that exists within your machine. 57 00:02:51,660 --> 00:02:54,360 Most of these numbers, though, aren't usually quoted 58 00:02:54,360 --> 00:02:56,170 in the specs of a device. 59 00:02:56,170 --> 00:02:59,310 So there's RAM, random access memory, and then 60 00:02:59,310 --> 00:03:02,397 there's a series of caches, each of which gets successively smaller. 61 00:03:02,397 --> 00:03:04,980 So they're going to be quite a bit smaller than the four gigs, 62 00:03:04,980 --> 00:03:06,902 say, of RAM that your device has. 63 00:03:06,902 --> 00:03:10,110 But they're also a little bit faster, and the reason these things get faster, 64 00:03:10,110 --> 00:03:13,110 these caches get faster, is they are getting closer and closer 65 00:03:13,110 --> 00:03:17,070 to the computer's processor, which is really the only part of the device that 66 00:03:17,070 --> 00:03:19,350 is able to manipulate information. 67 00:03:19,350 --> 00:03:21,780 It's the only part that can process information. 68 00:03:21,780 --> 00:03:24,450 So the memory that we're feeding to that processor 69 00:03:24,450 --> 00:03:26,490 needs to get faster and faster, such that it 70 00:03:26,490 --> 00:03:28,300 can continue to swap things in and out. 
71 00:03:28,300 --> 00:03:32,790 So we have the RAM, maybe an L3 cache, a Level 3 cache, Level 2, Level 1, 72 00:03:32,790 --> 00:03:36,300 and then finally CPU memory, which is the processor memory itself. 73 00:03:36,300 --> 00:03:38,940 Plus some small bits of memory called registers, 74 00:03:38,940 --> 00:03:43,350 which are used to be the final sort of pass of information from RAM 75 00:03:43,350 --> 00:03:47,520 or this hierarchy of memory into the CPU. 76 00:03:47,520 --> 00:03:51,120 But again, every file on your machine lives somewhere permanently 77 00:03:51,120 --> 00:03:52,200 on a disk drive. 78 00:03:52,200 --> 00:03:54,575 And there are, again, two different kinds of disk drives. 79 00:03:54,575 --> 00:03:57,420 We have solid state drives and hard disk drives. 80 00:03:57,420 --> 00:03:59,610 We should treat them as effectively identical 81 00:03:59,610 --> 00:04:01,950 for purposes of our discussion today. 82 00:04:01,950 --> 00:04:05,310 They-- solid state drives tend to behave a bit differently than hard disk 83 00:04:05,310 --> 00:04:09,260 drives, they tend to be a bit more secure than some of the vulnerabilities 84 00:04:09,260 --> 00:04:11,010 that hard disk drives present, which we're 85 00:04:11,010 --> 00:04:13,740 going to talk about a little bit later in today's lecture. 86 00:04:13,740 --> 00:04:16,769 But in general, when we talk about hard disks or storage space 87 00:04:16,769 --> 00:04:19,060 for the rest of today's lecture, we're going 88 00:04:19,060 --> 00:04:21,147 to be mostly focusing on hard disk drives. 89 00:04:21,147 --> 00:04:22,980 They're also just much more prevalent still. 90 00:04:22,980 --> 00:04:27,120 Solid state drives are coming into their own and becoming more and more frequent 91 00:04:27,120 --> 00:04:29,250 as they appear in devices, but hard disk drives 92 00:04:29,250 --> 00:04:33,390 are still far and away more and more prevalent within devices 93 00:04:33,390 --> 00:04:34,530 that exist now. 
94 00:04:34,530 --> 00:04:36,990 They are just storage space, though, we can't do anything 95 00:04:36,990 --> 00:04:38,970 with data that is stored on disk. 96 00:04:38,970 --> 00:04:41,550 We have to first move it to RAM and then have 97 00:04:41,550 --> 00:04:45,540 it sort of go up and down that chain of RAM, the different caches to the CPU, 98 00:04:45,540 --> 00:04:47,460 in order to actually manipulate the data. 99 00:04:47,460 --> 00:04:49,500 Once we're done manipulating it, and maybe we're 100 00:04:49,500 --> 00:04:51,330 turning our computer off for the evening, 101 00:04:51,330 --> 00:04:55,980 then all of the data that is in RAM will be stored back into the hard disk space 102 00:04:55,980 --> 00:04:59,313 so that we're able to access it at another time. 103 00:04:59,313 --> 00:05:01,980 One thing to keep in mind as we begin this discussion of memory, 104 00:05:01,980 --> 00:05:04,320 though, is that memory is really just an array. 105 00:05:04,320 --> 00:05:08,520 And we've talked about arrays already, where each cell of that array 106 00:05:08,520 --> 00:05:10,770 basically is one byte wide. 107 00:05:10,770 --> 00:05:12,990 And recall that one byte is eight bits. 108 00:05:12,990 --> 00:05:16,790 We may have anywhere between 512 megabytes of memory, 109 00:05:16,790 --> 00:05:21,810 so about 512 million of those little one byte 110 00:05:21,810 --> 00:05:26,060 sized cells, maybe as high as four, 8, 16, and so on gigabytes. 111 00:05:26,060 --> 00:05:30,030 And we have quite a few of those items in our array. 112 00:05:30,030 --> 00:05:32,100 But it really is just an array, which means 113 00:05:32,100 --> 00:05:34,050 we can jump to different addresses. 114 00:05:34,050 --> 00:05:36,780 It has the same properties as any other random access 115 00:05:36,780 --> 00:05:39,240 array that we've already discussed. 
116 00:05:39,240 --> 00:05:43,230 Different types of data take up different amounts of memory 117 00:05:43,230 --> 00:05:44,050 on our systems. 118 00:05:44,050 --> 00:05:46,800 So if we think about a very low level programming language like C, 119 00:05:46,800 --> 00:05:48,175 which is this is just an example. 120 00:05:48,175 --> 00:05:51,630 Different programming languages may store different types of data 121 00:05:51,630 --> 00:05:53,250 using different amounts of space. 122 00:05:53,250 --> 00:05:58,090 But if we look to just the most base level of data 123 00:05:58,090 --> 00:06:01,470 and think about the smallest individual pieces into which we can break it, 124 00:06:01,470 --> 00:06:04,300 we may be able to store an integer, for example, in four bytes. 125 00:06:04,300 --> 00:06:08,550 Which means we have exactly 32 bits worth of space to store an integer. 126 00:06:08,550 --> 00:06:12,330 Characters will take up one byte, so we have only eight bits worth of memory 127 00:06:12,330 --> 00:06:14,470 required to store a single character. 128 00:06:14,470 --> 00:06:18,600 So capital or lowercase letters, digits, punctuation marks, and so on. 129 00:06:18,600 --> 00:06:21,210 Not a huge variety of options there. 130 00:06:21,210 --> 00:06:23,882 Floats are-- you may recall are real numbers, 131 00:06:23,882 --> 00:06:25,590 numbers that have decimal points in them. 132 00:06:25,590 --> 00:06:26,580 Doubles are, as well. 133 00:06:26,580 --> 00:06:28,650 They're double precision floating point values 134 00:06:28,650 --> 00:06:30,300 and they take up four or eight bytes. 
135 00:06:30,300 --> 00:06:34,020 So basically the idea here is different types of memory 136 00:06:34,020 --> 00:06:36,030 will take up different amounts of space and then 137 00:06:36,030 --> 00:06:40,590 we eventually can construct these things into pixels, and images, and films, 138 00:06:40,590 --> 00:06:43,650 each of which will also take up different amounts of space and memory 139 00:06:43,650 --> 00:06:47,750 if we are manipulating or working with that data. 140 00:06:47,750 --> 00:06:52,890 So again, let's think of memory as a big array of individual byte-sized cells. 141 00:06:52,890 --> 00:06:56,370 Because it is an array, that means we have random accessibility. 142 00:06:56,370 --> 00:07:00,360 We can say, I want to go to memory address x and see what is there. 143 00:07:00,360 --> 00:07:03,208 I want to go to memory address y and change what is there. 144 00:07:03,208 --> 00:07:04,500 We have the ability to do that. 145 00:07:04,500 --> 00:07:08,700 We don't have to iterate through step by step by step in order to make changes. 146 00:07:08,700 --> 00:07:12,840 If we did, the processor would be quite a bit slower having to perform this, 147 00:07:12,840 --> 00:07:15,960 we might term linear search as we try to iterate through memory 148 00:07:15,960 --> 00:07:18,130 to find the one byte we're looking for. 149 00:07:18,130 --> 00:07:21,900 It's very helpful to be able to jump to a particular byte. 150 00:07:21,900 --> 00:07:26,100 And that means that every location in memory must have an address. 151 00:07:26,100 --> 00:07:29,790 We must have a way to refer to that individual byte 152 00:07:29,790 --> 00:07:31,390 in order to randomly access it. 153 00:07:31,390 --> 00:07:34,920 We can't just look at this grid of cells and say, I want to go to this one 154 00:07:34,920 --> 00:07:37,680 and sort of, you know, imagine a particular spot. 155 00:07:37,680 --> 00:07:41,940 We need to say, I want to go to exactly this memory address. 
156 00:07:41,940 --> 00:07:43,560 OK? 157 00:07:43,560 --> 00:07:47,880 So s-- the fact that memory cells have an address 158 00:07:47,880 --> 00:07:50,130 is what comes into play when you think about this idea 159 00:07:50,130 --> 00:07:53,480 of a 32-bit system or a 64-bit system, and this 160 00:07:53,480 --> 00:07:55,290 may be a term that you've heard before. 161 00:07:55,290 --> 00:07:59,590 It refers to the ability to process an address. 162 00:07:59,590 --> 00:08:03,540 So for example, a 32-bit computer, a 32-bit system, 163 00:08:03,540 --> 00:08:06,950 can process memory addresses up to 32 bits in length. 164 00:08:06,950 --> 00:08:11,400 Which means it understands memory address zero through memory address 165 00:08:11,400 --> 00:08:14,100 right up to four billion, a little over four billion. 166 00:08:14,100 --> 00:08:17,250 But it doesn't understand memory past that. 167 00:08:17,250 --> 00:08:20,130 Now interestingly, this doesn't mean that a 32-bit system 168 00:08:20,130 --> 00:08:22,240 is limited to four gigabytes of RAM. 169 00:08:22,240 --> 00:08:25,638 There are some software tricks that we can pull using something called virtual 170 00:08:25,638 --> 00:08:28,680 memory, which we're not going to get into in any more depth than to refer 171 00:08:28,680 --> 00:08:32,730 to it as virtual memory today, that allow you to use more than four 172 00:08:32,730 --> 00:08:35,870 gigabytes of RAM on a 32-bit system by doing-- sort of, you know, 173 00:08:35,870 --> 00:08:39,135 pretending that things live somewhere where they don't. 174 00:08:39,135 --> 00:08:41,010 But when you talk about a 64-bit system, that 175 00:08:41,010 --> 00:08:43,320 means we have many more memory cells that we 176 00:08:43,320 --> 00:08:47,550 can refer to without running into our sort of artificial limit of how high we 177 00:08:47,550 --> 00:08:48,450 can count. 
178 00:08:48,450 --> 00:08:51,120 Now granted, there are no memory banks out there 179 00:08:51,120 --> 00:08:55,350 that have all of the memory addresses from zero to 64 bits worth of memory. 180 00:08:55,350 --> 00:08:57,270 That's somewhere in the quintillion or higher. 181 00:08:57,270 --> 00:08:59,640 It's a very, very large number and we don't yet 182 00:08:59,640 --> 00:09:03,090 have the storage capacity to store that much data on our machines. 183 00:09:03,090 --> 00:09:06,360 But theoretically, it is possible that with a 64-bit system 184 00:09:06,360 --> 00:09:11,220 we could have very, very large amounts of RAM and again, the more RAM we have, 185 00:09:11,220 --> 00:09:14,490 generally the more quickly our computer is 186 00:09:14,490 --> 00:09:17,510 going to operate because there's more space for it to store information. 187 00:09:17,510 --> 00:09:20,010 It doesn't have to keep sending stuff back to the hard drive 188 00:09:20,010 --> 00:09:22,920 when the RAM is full because there's so much information 189 00:09:22,920 --> 00:09:24,360 being processed at once. 190 00:09:24,360 --> 00:09:29,940 More of it is available in that quicker, more accessible bit of memory. 191 00:09:29,940 --> 00:09:34,140 So recall that with each bit, remember a bit can only take on one of two states. 192 00:09:34,140 --> 00:09:36,403 Zero or one, off or on. 193 00:09:36,403 --> 00:09:39,570 Or you can think about it in terms of electricity, which is how RAM actually 194 00:09:39,570 --> 00:09:42,930 works, as being unpowered or powered. 195 00:09:42,930 --> 00:09:44,790 That again means that we have 32-- 196 00:09:44,790 --> 00:09:48,510 two to the 32nd power, excuse me, possible memory addresses. 197 00:09:48,510 --> 00:09:52,360 So about four billion memory addresses. 
198 00:09:52,360 --> 00:09:56,760 Now it is sometimes the case that programmers, and subsequently, 199 00:09:56,760 --> 00:10:00,120 those who may need to read their code, may need a way 200 00:10:00,120 --> 00:10:03,600 to refer to specific memory addresses. 201 00:10:03,600 --> 00:10:06,750 But a memory address like this, which is a memory address. 202 00:10:06,750 --> 00:10:08,730 There are zeros and ones in this address. 203 00:10:08,730 --> 00:10:13,410 This is exactly how we would refer to an address in memory. 204 00:10:13,410 --> 00:10:14,520 This is rather cumbersome. 205 00:10:14,520 --> 00:10:17,562 No programmer wants to talk to another programmer and no programmer wants 206 00:10:17,562 --> 00:10:23,340 to talk to an advisor by saying the code that lives at 00101 and so on. 207 00:10:23,340 --> 00:10:25,390 That's just not-- that doesn't make any sense. 208 00:10:25,390 --> 00:10:28,410 That's just not how we would talk and it would take forever just 209 00:10:28,410 --> 00:10:30,480 to say the name of the memory before you even get 210 00:10:30,480 --> 00:10:32,580 to the point of what is in that memory. 211 00:10:32,580 --> 00:10:37,140 And so rather than using binary notation to refer to a memory address, 212 00:10:37,140 --> 00:10:42,030 computer scientists will oftentimes use something called hexadecimal notation. 213 00:10:42,030 --> 00:10:47,040 Hexadecimal is 16 hexadecimal, 6 and 10. 214 00:10:47,040 --> 00:10:50,310 And so this is the base 16 number system. 215 00:10:50,310 --> 00:10:53,190 It's a different number system than the decimal system, base 10, 216 00:10:53,190 --> 00:10:57,120 that we have used since childhood to count and understand 217 00:10:57,120 --> 00:10:59,230 place values of numbers and so on. 
218 00:10:59,230 --> 00:11:01,050 What's convenient about hexadecimal being 219 00:11:01,050 --> 00:11:07,890 base 16 versus binary being base two is that four binary digits or four bits 220 00:11:07,890 --> 00:11:11,970 can be represented using a single what is often called hex digit. 221 00:11:11,970 --> 00:11:14,670 So for every group of four binary digits that we have, 222 00:11:14,670 --> 00:11:18,698 we can represent that more succinctly using just one hexadecimal digit. 223 00:11:18,698 --> 00:11:20,490 And because there are four bits, that means 224 00:11:20,490 --> 00:11:23,740 we have two to the fourth, or 16 different combinations. 225 00:11:23,740 --> 00:11:26,700 So we can account for every single possible on off 226 00:11:26,700 --> 00:11:32,310 combination of all of the four bits in that cluster using a single hex digit. 227 00:11:32,310 --> 00:11:35,433 So we might instead refer to this memory address looking like this. 228 00:11:35,433 --> 00:11:37,350 And there are some letter characters in there, 229 00:11:37,350 --> 00:11:41,160 and that's because in order to represent a single digit in hexadecimal, 230 00:11:41,160 --> 00:11:43,800 we need to be on the count higher than 10 231 00:11:43,800 --> 00:11:46,860 using two digits, as we are confined to in decimal. 232 00:11:46,860 --> 00:11:48,870 In order to represent the number 10, we need 233 00:11:48,870 --> 00:11:54,630 a one and zero, a one being in the tens place and a zero in the ones place. 234 00:11:54,630 --> 00:11:58,380 But in hexadecimal, we need 16 possible digits 235 00:11:58,380 --> 00:12:03,670 to represent all of the 16 possible values at any given place value. 236 00:12:03,670 --> 00:12:08,370 So here's an example of something that a programmer might see. 237 00:12:08,370 --> 00:12:11,490 This is using a tool called GDB, which is 238 00:12:11,490 --> 00:12:16,560 a debugging tool that is used to debug or root out problems in some low level 239 00:12:16,560 --> 00:12:17,940 code. 
240 00:12:17,940 --> 00:12:20,983 And all we're seeing here is a bunch of memory addresses. 241 00:12:20,983 --> 00:12:22,650 So I've highlighted them here in yellow. 242 00:12:22,650 --> 00:12:25,560 We don't need to worry too much about the context around this, what these all 243 00:12:25,560 --> 00:12:26,060 refer to. 244 00:12:26,060 --> 00:12:31,415 But basically, these things on the left, EAX, ECX and so on are registers. 245 00:12:31,415 --> 00:12:33,540 Those are things that are very close to the memory. 246 00:12:33,540 --> 00:12:36,688 And they are storing the memory address of something else. 247 00:12:36,688 --> 00:12:39,480 And so all these things on the left here are just memory addresses, 248 00:12:39,480 --> 00:12:42,870 and the things on the right are translations of those memory addresses 249 00:12:42,870 --> 00:12:45,630 in some cases into decimal numbers that make 250 00:12:45,630 --> 00:12:51,490 more sense to us having used the base 10 or decimal system for quite some time. 251 00:12:51,490 --> 00:12:55,290 So we can map all of the different possible values in hexadecimal 252 00:12:55,290 --> 00:12:59,058 to their binary equivalents as well as to decimal numbers 253 00:12:59,058 --> 00:13:00,100 that we're familiar with. 254 00:13:00,100 --> 00:13:04,710 So again, here we have all of the possible combinations of four bits 255 00:13:04,710 --> 00:13:08,550 or zeros and ones showing you what they translate to in decimal, 256 00:13:08,550 --> 00:13:12,210 recalling that for every set of four bits here we see, the one on the right 257 00:13:12,210 --> 00:13:15,450 is the ones place, the one to its left is the twos place. 258 00:13:15,450 --> 00:13:18,705 Then we have the fours place and the eights place. 259 00:13:18,705 --> 00:13:20,160 Because again, our base is two. 260 00:13:20,160 --> 00:13:24,510 Every place value is a power of two as opposed to a power of 10 261 00:13:24,510 --> 00:13:25,638 like we would in decimal. 
262 00:13:25,638 --> 00:13:27,180 And then its hexadecimal equivalent. 263 00:13:27,180 --> 00:13:29,850 So again, for every single one of those combinations, 264 00:13:29,850 --> 00:13:34,503 we have one distinct way to represent it using a single hex digit. 265 00:13:34,503 --> 00:13:36,420 And sometimes you'll see the hex digits for 10 266 00:13:36,420 --> 00:13:39,290 through 15, which are a through f, presented in capital letters. 267 00:13:39,290 --> 00:13:41,040 I like to present them in capital letters, 268 00:13:41,040 --> 00:13:43,373 but sometimes you see them in lowercase letters as well. 269 00:13:43,373 --> 00:13:45,960 That is immaterial to it. 270 00:13:45,960 --> 00:13:48,900 And this zero x at the beginning of it, I should mention that as well. 271 00:13:48,900 --> 00:13:51,310 Zero x means absolutely nothing. 272 00:13:51,310 --> 00:13:54,300 It is purely a note for us as human beings 273 00:13:54,300 --> 00:13:57,690 when we are seeing something like this that we should interpret it 274 00:13:57,690 --> 00:14:01,800 as hexadecimal numbers as opposed to as decimal, for example. 275 00:14:01,800 --> 00:14:05,450 Because we could have a valid hexadecimal string that is-- 276 00:14:05,450 --> 00:14:07,920 I'm going to use the zero x here just for second-- 277 00:14:07,920 --> 00:14:10,200 0x, five, zero. 278 00:14:10,200 --> 00:14:13,860 If we saw that, we might read it if we didn't have a 0x in front of it, 279 00:14:13,860 --> 00:14:17,820 we might read that as 50, which would be not actually accurate, because 0x, 280 00:14:17,820 --> 00:14:21,180 five, zero is actually 80 in decimal notation. 281 00:14:21,180 --> 00:14:23,970 So that 0x is really just a guide for us as human beings 282 00:14:23,970 --> 00:14:29,190 to say, OK, what I'm about to read here is a hexadecimal number. 
283 00:14:29,190 --> 00:14:31,710 Let's just do a quick exercise where we translate 284 00:14:31,710 --> 00:14:36,870 some binary into hexadecimal and then subsequently into decimal as well. 285 00:14:36,870 --> 00:14:41,550 And so here, we have eight bits, each of which again is a zero or a one, 286 00:14:41,550 --> 00:14:45,030 and our goal is to translate this into ultimately decimal, 287 00:14:45,030 --> 00:14:47,490 but let's start by translating it into hexadecimal. 288 00:14:47,490 --> 00:14:50,040 The first approach is counting from right to left, 289 00:14:50,040 --> 00:14:52,080 we want to split these into groups of four. 290 00:14:52,080 --> 00:14:54,270 It so happens that we have eight bits here, 291 00:14:54,270 --> 00:14:58,770 and so this splits pretty cleanly into two groups of four. 292 00:14:58,770 --> 00:15:01,680 But if we, for example, had seven bits, like if this wasn't here, 293 00:15:01,680 --> 00:15:03,900 we would start by having one zero one zero, 294 00:15:03,900 --> 00:15:06,750 and then whatever we had left over, we would just 295 00:15:06,750 --> 00:15:11,850 pad with extra zeros at the front so we always had a cluster of four bits 296 00:15:11,850 --> 00:15:13,320 at a time to work with. 297 00:15:13,320 --> 00:15:16,828 Each of these maps directly to a single hexadecimal digit. 298 00:15:16,828 --> 00:15:19,620 And sometimes you may be able to just quickly do this in your head, 299 00:15:19,620 --> 00:15:21,710 or you can jump back to the table that we had here 300 00:15:21,710 --> 00:15:23,460 to see when I see this particular pattern, 301 00:15:23,460 --> 00:15:26,160 I want to plug in this hexadecimal digit. 302 00:15:26,160 --> 00:15:29,980 And so if we do that here, we see that the one on the left, 0010, 303 00:15:29,980 --> 00:15:31,660 this is in binary again. 
304 00:15:31,660 --> 00:15:34,230 A zero in the ones place, a one in the twos place, 305 00:15:34,230 --> 00:15:36,540 and nothing else, which means we have one times two. 306 00:15:36,540 --> 00:15:39,090 And so this would be a two. 307 00:15:39,090 --> 00:15:42,870 And 1010, well, that's a one in the eights place and a one 308 00:15:42,870 --> 00:15:45,330 in the twos place, which is 10. 309 00:15:45,330 --> 00:15:48,600 But in hexadecimal, we would represent that as a, because again, 310 00:15:48,600 --> 00:15:53,160 we need to confine this idea of 10 to a single place value. 311 00:15:53,160 --> 00:15:57,150 We can't have two digits to represent it using hexadecimal notation. 312 00:15:57,150 --> 00:16:03,030 And so this binary value, 001010, is 0x-- 313 00:16:03,030 --> 00:16:07,170 again, human convention to prepend a 0x in front of anything 314 00:16:07,170 --> 00:16:09,070 that is a hexadecimal number-- 315 00:16:09,070 --> 00:16:09,570 0x2a. 316 00:16:09,570 --> 00:16:12,270 317 00:16:12,270 --> 00:16:15,950 Now, how do we translate this to decimal? 318 00:16:15,950 --> 00:16:19,500 Well, it may help to think about how we translate this or understand 319 00:16:19,500 --> 00:16:22,590 this number, 123. 320 00:16:22,590 --> 00:16:25,230 When we see it, one two three just written out, 321 00:16:25,230 --> 00:16:28,440 we are really doing something like this in our head where we're saying, 322 00:16:28,440 --> 00:16:33,330 there's a one in the one hundreds place, there's a two in the tens place, 323 00:16:33,330 --> 00:16:35,490 and there's a three in the ones place. 324 00:16:35,490 --> 00:16:37,470 And we've just over time internalized that 325 00:16:37,470 --> 00:16:39,345 and have been able to very quickly understand 326 00:16:39,345 --> 00:16:42,485 that the number I'm talking about here is 123. 
327 00:16:42,485 --> 00:16:44,610 Well, another way to think about these labels here, 328 00:16:44,610 --> 00:16:48,870 one hundreds place, tens place, and ones place, might be to say, 329 00:16:48,870 --> 00:16:52,950 we have the 10 squareds place or the 10 to the second powers place, 330 00:16:52,950 --> 00:16:56,550 the 10 to the first powers place, and the ten to the zero powers place. 331 00:16:56,550 --> 00:16:58,560 Any number to the zero power is always one, 332 00:16:58,560 --> 00:17:02,370 and so this is really the ones place, the tens place, and the hundreds place. 333 00:17:02,370 --> 00:17:06,540 With hexadecimal, we don't have 10 as the base of the exponent here. 334 00:17:06,540 --> 00:17:10,140 Instead, we have 16 as the base of the exponent. 335 00:17:10,140 --> 00:17:11,520 But the rules are the same. 336 00:17:11,520 --> 00:17:14,630 We have a 16 to the zero place which is one. 337 00:17:14,630 --> 00:17:17,720 We have 16 to the first power or 16s place, 338 00:17:17,720 --> 00:17:21,270 and we have a 16 squared or 256s place. 339 00:17:21,270 --> 00:17:23,609 In our example number here, we didn't go that high. 340 00:17:23,609 --> 00:17:24,900 We had 0x2a. 341 00:17:24,900 --> 00:17:27,300 We only had two digits, which means we really 342 00:17:27,300 --> 00:17:31,740 only needed these two place values, the 16 to the zero power and the 16 343 00:17:31,740 --> 00:17:33,030 to the one power. 344 00:17:33,030 --> 00:17:36,660 Now, we just translate this in exactly the same way that we would intuitively 345 00:17:36,660 --> 00:17:40,740 do it in when we're counting in decimal or reading a decimal number. 346 00:17:40,740 --> 00:17:44,640 This is zero times 16 squared plus two times 16 347 00:17:44,640 --> 00:17:49,830 to the first power plus a times one, or 16 to the zero power. 
348 00:17:49,830 --> 00:17:55,170 Two times 16 is 32, and a, which again is hexadecimal's way of representing 349 00:17:55,170 --> 00:17:57,870 10, 10 times one is ten, so what we're really saying 350 00:17:57,870 --> 00:18:00,840 is that we have 32 plus 10. 351 00:18:00,840 --> 00:18:05,310 And so to translate this hexadecimal number, 0x2a, into decimal, 352 00:18:05,310 --> 00:18:11,240 we end up with 42, because 42 is 32 plus 10. 353 00:18:11,240 --> 00:18:13,740 So hopefully, that gives you a bit of a better understanding 354 00:18:13,740 --> 00:18:18,330 of what these cryptic number strings that you might have seen before mean. 355 00:18:18,330 --> 00:18:21,790 And if you're working with programmers or you're ever analyzing source code 356 00:18:21,790 --> 00:18:23,790 and you see references like this, hopefully this 357 00:18:23,790 --> 00:18:26,460 gives you a better understanding of what they mean 358 00:18:26,460 --> 00:18:28,740 and what they likely refer to on the system 359 00:18:28,740 --> 00:18:30,660 and how that might affect things. 360 00:18:30,660 --> 00:18:34,080 Let's talk a little bit more about the function, how memory actually 361 00:18:34,080 --> 00:18:38,128 works now that we know how to access individual parts of it. 362 00:18:38,128 --> 00:18:40,170 With the exception of hard disk space-- so again, 363 00:18:40,170 --> 00:18:42,210 the permanent storage space on your device-- 364 00:18:42,210 --> 00:18:45,425 memory on your computer is termed volatile, 365 00:18:45,425 --> 00:18:46,800 which means two different things. 366 00:18:46,800 --> 00:18:50,340 One, that the memory is constantly changing. 367 00:18:50,340 --> 00:18:52,470 Things are cycling in and out of it. 
368 00:18:52,470 --> 00:18:55,650 It's very dynamic in terms of the values that are being stored there, 369 00:18:55,650 --> 00:18:58,290 again because the RAM is sort of this holding ground for everything that's 370 00:18:58,290 --> 00:19:00,290 going to eventually need to go to the processor, 371 00:19:00,290 --> 00:19:02,890 and things are getting swapped in and out pretty frequently. 372 00:19:02,890 --> 00:19:05,190 But the other really key detail about volatile memory 373 00:19:05,190 --> 00:19:07,110 is that it requires power. 374 00:19:07,110 --> 00:19:09,630 If it is unpowered, if there is not electricity literally 375 00:19:09,630 --> 00:19:14,280 flowing to the RAM at any given time, that is a problem 376 00:19:14,280 --> 00:19:16,140 and that memory will no longer work. 377 00:19:16,140 --> 00:19:19,540 In fact, after some amount of time, a pretty small amount time 378 00:19:19,540 --> 00:19:24,180 like 30 seconds to a minute perhaps, without power, the electrical charge 379 00:19:24,180 --> 00:19:28,630 which is used to maintain each of those individual cells of memory-- 380 00:19:28,630 --> 00:19:31,060 remember, a little bit of electricity being one, 381 00:19:31,060 --> 00:19:33,150 and the absence of electricity being zero 382 00:19:33,150 --> 00:19:35,940 is how the computer can store this idea of zeros and ones 383 00:19:35,940 --> 00:19:38,400 on a physical manifestation thereof. 384 00:19:38,400 --> 00:19:41,310 Without power, that electrical charge eventually dissipates. 385 00:19:41,310 --> 00:19:42,630 It does not just stay. 386 00:19:42,630 --> 00:19:44,730 it goes away. 387 00:19:44,730 --> 00:19:48,060 And the state is eventually lost such that unpowered for about a minute 388 00:19:48,060 --> 00:19:52,970 or so, all the data in RAM has effectively turned into zeros. 389 00:19:52,970 --> 00:19:55,800 It has completely become completely unpowered. 
390 00:19:55,800 --> 00:19:58,260 Now obviously, that would be very bad if our entire system 391 00:19:58,260 --> 00:20:00,190 relied on this technology. 392 00:20:00,190 --> 00:20:06,690 But it's only RAM and the caches from RAM going forward that rely on this. 393 00:20:06,690 --> 00:20:09,900 Processing can only happen in the processor. 394 00:20:09,900 --> 00:20:11,710 This probably makes a little bit of sense. 395 00:20:11,710 --> 00:20:14,310 And again, recall that a 32-bit processor 396 00:20:14,310 --> 00:20:16,750 can understand 32-bit addresses. 397 00:20:16,750 --> 00:20:21,850 That also means that it only has 32 bits of space in which to do anything. 398 00:20:21,850 --> 00:20:25,180 So it only can work with four bytes of information at a time. 399 00:20:25,180 --> 00:20:27,880 And maybe if you have a computer that has multiple cores, 400 00:20:27,880 --> 00:20:30,580 maybe you've heard that term before, multicore processors, 401 00:20:30,580 --> 00:20:35,550 you might have a few of these processors that can do four bytes at a time. 402 00:20:35,550 --> 00:20:38,950 But either way, we're still talking about a very, very small amount 403 00:20:38,950 --> 00:20:43,030 of information, maybe four to 16 or 32 bytes. 404 00:20:43,030 --> 00:20:44,950 That's not very much at all when you consider 405 00:20:44,950 --> 00:20:48,220 that a basic document perhaps using Microsoft Word 406 00:20:48,220 --> 00:20:51,670 will contain enough metadata to be about 15,000 bytes before you even 407 00:20:51,670 --> 00:20:53,920 type a single character into it. 408 00:20:53,920 --> 00:20:59,680 So a lot of metadata there, and that amount of empty files 409 00:20:59,680 --> 00:21:02,080 gets pretty big pretty quickly. 410 00:21:02,080 --> 00:21:06,550 Because the process can only process 32 bits worth of information 411 00:21:06,550 --> 00:21:11,590 at a time, any given processor, we need to move data to it frequently. 
412 00:21:11,590 --> 00:21:14,040 And that's what the caches are for, and that's 413 00:21:14,040 --> 00:21:17,080 why each one needs to be faster and be able to get information 414 00:21:17,080 --> 00:21:18,670 to the processor pretty quickly. 415 00:21:18,670 --> 00:21:20,500 Because even though the processor can only 416 00:21:20,500 --> 00:21:27,100 process four bytes or 32 bits worth of information at any given time, 417 00:21:27,100 --> 00:21:31,250 it can do two to three billion operations per second, 418 00:21:31,250 --> 00:21:32,560 so that's what a gigahertz is. 419 00:21:32,560 --> 00:21:35,755 And in terms of when a processor's speed is quoted, 420 00:21:35,755 --> 00:21:39,950 it's sometimes said it's like 2.4 gigahertz or 2.6 gigahertz or so on. 421 00:21:39,950 --> 00:21:45,640 That means that the computer can do 2.4 to 2.6 billion things per second. 422 00:21:45,640 --> 00:21:50,860 So again, 32 bits, not a lot of information at any instant, 423 00:21:50,860 --> 00:21:55,480 but there's a lot of those instants within a second. 424 00:21:55,480 --> 00:21:59,230 It can do two to three billion things per second, each one of those things 425 00:21:59,230 --> 00:22:03,490 operating on exactly four bytes at a time, 32 bits at a time, 426 00:22:03,490 --> 00:22:06,190 on a 32-bit processor, as opposed to a 64-bit processor which 427 00:22:06,190 --> 00:22:09,260 can process a little bit more data. 428 00:22:09,260 --> 00:22:12,340 Let's take a look now at what we determine 429 00:22:12,340 --> 00:22:15,760 on your computer as the motherboard, or sort of the control 430 00:22:15,760 --> 00:22:17,980 processor for everything that your computer does, 431 00:22:17,980 --> 00:22:20,830 and highlight some of the different pieces of where 432 00:22:20,830 --> 00:22:25,400 things live on your physical device. 433 00:22:25,400 --> 00:22:28,360 So right here are some slots for RAM, so these are 434 00:22:28,360 --> 00:22:30,430 basically sticks that get plugged in.
435 00:22:30,430 --> 00:22:33,250 A RAM stick is just a green chip. 436 00:22:33,250 --> 00:22:34,750 It looks similar to the motherboard. 437 00:22:34,750 --> 00:22:35,667 They're usually green. 438 00:22:35,667 --> 00:22:38,042 They have some gold connector pins at the bottom of them, 439 00:22:38,042 --> 00:22:39,610 and they plug into the motherboard. 440 00:22:39,610 --> 00:22:43,270 And information can then be stored there and flow to and from when 441 00:22:43,270 --> 00:22:45,018 needed by the processor and so on. 442 00:22:45,018 --> 00:22:46,060 So that's where these go. 443 00:22:46,060 --> 00:22:48,250 This particular motherboard, which is from a computer that's 444 00:22:48,250 --> 00:22:49,330 about 15 years old. 445 00:22:49,330 --> 00:22:51,080 For example, I don't think most of us have 446 00:22:51,080 --> 00:22:56,770 floppy drive connectors on our computers anymore, but this one still does. 447 00:22:56,770 --> 00:22:58,660 Here is where the CPU would live, so this 448 00:22:58,660 --> 00:23:01,120 is where the actual processor goes. 449 00:23:01,120 --> 00:23:05,380 And that processor again can only do 32 or 64 bits worth of information 450 00:23:05,380 --> 00:23:06,910 at any given time. 451 00:23:06,910 --> 00:23:11,200 And on top of the CPU, it's not pictured here, but typically on top of the CPU 452 00:23:11,200 --> 00:23:16,565 there's a giant fan, literally like mounted or screwed right above it. 453 00:23:16,565 --> 00:23:19,690 And again, that's because the computer is doing two to three billion things 454 00:23:19,690 --> 00:23:21,910 a second, so it gets quite hot. 
455 00:23:21,910 --> 00:23:25,600 And to prevent a CPU meltdown or a core meltdown, 456 00:23:25,600 --> 00:23:28,450 you want to make sure to have air constantly flowing 457 00:23:28,450 --> 00:23:31,030 across the top of the device as well as a heat 458 00:23:31,030 --> 00:23:35,200 sink to pull all the heat away from the CPU such that it doesn't overheat, 459 00:23:35,200 --> 00:23:37,900 which would create quite a big problem and eventually might 460 00:23:37,900 --> 00:23:40,690 result in computer breakage if left to overheat 461 00:23:40,690 --> 00:23:43,540 for a prolonged period of time. 462 00:23:43,540 --> 00:23:45,520 Over here is a graphics processor. 463 00:23:45,520 --> 00:23:48,280 Graphics processors are really just CPUs that 464 00:23:48,280 --> 00:23:52,330 are specialized to do certain operations that make interpreting graphics 465 00:23:52,330 --> 00:23:54,070 on your monitor much easier. 466 00:23:54,070 --> 00:23:56,450 The math for those is usually a bit more complicated, 467 00:23:56,450 --> 00:24:01,030 and so modern devices may have both a CPU and a GPU, a Graphical Processor 468 00:24:01,030 --> 00:24:03,930 Unit, as opposed to relying on just the CPU to handle 469 00:24:03,930 --> 00:24:05,180 all of those different things. 470 00:24:05,180 --> 00:24:09,818 And it similarly would have a heat sink and a fan mounted with it as well. 471 00:24:09,818 --> 00:24:11,860 And then over here at the top, it's pretty small. 472 00:24:11,860 --> 00:24:13,527 There are things called SATA connectors. 473 00:24:13,527 --> 00:24:17,980 SATA connectors are what you might use to connect hard drives to your machine 474 00:24:17,980 --> 00:24:21,850 so that you can extend the storage capacity of the device.
475 00:24:21,850 --> 00:24:24,770 But all of these things might live on your computer, 476 00:24:24,770 --> 00:24:28,960 and also all of these things in shrunk down form will live on your laptop 477 00:24:28,960 --> 00:24:31,120 and even in your mobile phone. 478 00:24:31,120 --> 00:24:34,270 This basic idea exists just in smaller and smaller scales 479 00:24:34,270 --> 00:24:38,240 with all of the parts being similarly scaled down. 480 00:24:38,240 --> 00:24:41,950 So again, CPU memory, what actually lives in the CPU as well 481 00:24:41,950 --> 00:24:46,480 as the registers, those really fast things right around the CPU memory, 482 00:24:46,480 --> 00:24:49,010 is the fastest memory on your machine. 483 00:24:49,010 --> 00:24:50,420 But there's the least of it. 484 00:24:50,420 --> 00:24:53,020 And the reason for this is that it's very, very expensive. 485 00:24:53,020 --> 00:24:56,740 It is the most expensive stuff in your computer. 486 00:24:56,740 --> 00:24:58,750 That is basically the price that you are paying 487 00:24:58,750 --> 00:25:01,530 when you buy the computer is for that processor 488 00:25:01,530 --> 00:25:05,050 and the materials that are used to allow electricity 489 00:25:05,050 --> 00:25:06,910 to conduct through it very quickly really 490 00:25:06,910 --> 00:25:09,830 determines the cost of the device. 491 00:25:09,830 --> 00:25:13,510 So there's the least amount of it, but it is the most important memory 492 00:25:13,510 --> 00:25:14,540 on your machine. 493 00:25:14,540 --> 00:25:19,500 The caches, one two and three, are each successively slower than CPU memory 494 00:25:19,500 --> 00:25:21,000 but also successively cheaper. 495 00:25:21,000 --> 00:25:24,550 So your L1 cache is going to be a little bit slower than your CPU, 496 00:25:24,550 --> 00:25:26,300 but there will be a little bit more of it.
497 00:25:26,300 --> 00:25:31,978 And your L1 cache will be a little bit larger than the CPU space 498 00:25:31,978 --> 00:25:34,020 that you have, but it'll be a little bit cheaper. 499 00:25:34,020 --> 00:25:36,418 The L2 cache may be a little bit larger than the L1 cache 500 00:25:36,418 --> 00:25:37,460 but a little bit cheaper. 501 00:25:37,460 --> 00:25:40,140 Again, this is really just referring to the materials that are 502 00:25:40,140 --> 00:25:42,840 used to make the memory operational. 503 00:25:42,840 --> 00:25:45,330 RAM is slower but cheaper. 504 00:25:45,330 --> 00:25:47,880 RAM typically used to be the most expensive 505 00:25:47,880 --> 00:25:49,482 or be considered the driving cost. 506 00:25:49,482 --> 00:25:52,190 If you had more RAM in your computer, that made it more powerful. 507 00:25:52,190 --> 00:25:53,413 That was the cost driver. 508 00:25:53,413 --> 00:25:55,080 This is becoming less and less the case. 509 00:25:55,080 --> 00:25:57,360 It's still more expensive than hard disk space, which 510 00:25:57,360 --> 00:25:59,490 is effectively free at this point. 511 00:25:59,490 --> 00:26:02,070 It's really just how much stuff we can literally 512 00:26:02,070 --> 00:26:07,290 fit into the container for the hard disk itself, which is just pure storage. 513 00:26:07,290 --> 00:26:10,390 But RAM is slower memory than any of the caches, 514 00:26:10,390 --> 00:26:14,670 but you're able to have more of it because it is less expensive. 515 00:26:14,670 --> 00:26:16,260 So that's memory. 516 00:26:16,260 --> 00:26:20,490 But in terms of hard disk space, that does not work in the same way 517 00:26:20,490 --> 00:26:24,630 that RAM and the other volatile memories work, 518 00:26:24,630 --> 00:26:27,600 and hard disk space is non-volatile. 519 00:26:27,600 --> 00:26:30,480 Information in the hard disk is not changed terribly often, 520 00:26:30,480 --> 00:26:34,168 only when we're certain that we're done working with it in RAM.
521 00:26:34,168 --> 00:26:36,210 And the data there is also persistent, and that's 522 00:26:36,210 --> 00:26:41,580 because it does not rely on electricity to store state. 523 00:26:41,580 --> 00:26:44,700 Instead, and we're talking again specifically now about hard disk drive, 524 00:26:44,700 --> 00:26:46,825 solid state drives behave a little bit differently. 525 00:26:46,825 --> 00:26:49,450 They use microchips that do some different things. 526 00:26:49,450 --> 00:26:53,310 But we're talking about hard disk space, HDDs, traditional hard disks. 527 00:26:53,310 --> 00:26:58,620 Each cell of a hard disk is instead controlled by magnetism, 528 00:26:58,620 --> 00:27:01,200 so data is stored magnetically. 529 00:27:01,200 --> 00:27:02,550 If there is a-- 530 00:27:02,550 --> 00:27:05,130 we'll just say for purposes of this discussion 531 00:27:05,130 --> 00:27:10,590 here that if the magnetism is in a down position, so south for example, 532 00:27:10,590 --> 00:27:13,710 it's oriented south, that would be zero. 533 00:27:13,710 --> 00:27:15,150 That's a way to represent zero. 534 00:27:15,150 --> 00:27:17,910 And any magnet that is in the up position 535 00:27:17,910 --> 00:27:24,330 is one, so we can have these flip states of the polarity is pointing up or north 536 00:27:24,330 --> 00:27:28,470 and the polarity is pointing down or south to represent zero and one as 537 00:27:28,470 --> 00:27:33,040 opposed to using powered versus unpowered to represent one and zero, 538 00:27:33,040 --> 00:27:38,340 respectively in a RAM or volatile memory situation. 539 00:27:38,340 --> 00:27:41,850 Because these magnets, though, don't require power 540 00:27:41,850 --> 00:27:45,480 in order to work long term, that means that when the computer shuts off 541 00:27:45,480 --> 00:27:48,355 and they become unpowered, the data remains. 542 00:27:48,355 --> 00:27:49,980 And this is a really good thing, right? 
543 00:27:49,980 --> 00:27:52,170 Because if every time we shut off our computer 544 00:27:52,170 --> 00:27:55,410 we lost literally all of the files we'd ever saved on it, 545 00:27:55,410 --> 00:27:57,930 that would not be very effective. 546 00:27:57,930 --> 00:28:03,210 We would lose a lot of the utility that we rely on computers for. 547 00:28:03,210 --> 00:28:07,350 And so the way that hard disks work is specifically designed such that memory 548 00:28:07,350 --> 00:28:11,280 can persist after the computer is shut off. 549 00:28:11,280 --> 00:28:15,090 But again, that memory can not be processed directly in the hard disk. 550 00:28:15,090 --> 00:28:17,580 We have to move it to the processor eventually. 551 00:28:17,580 --> 00:28:21,240 So if our system detects that we need a chunk of memory 552 00:28:21,240 --> 00:28:25,260 from the hard disk, that's all going to be moved from the hard disk 553 00:28:25,260 --> 00:28:28,200 to RAM using something called a bus. 554 00:28:28,200 --> 00:28:30,990 Much like a bus is used to move human beings from one place 555 00:28:30,990 --> 00:28:33,630 to another in large quantities, a bus is used 556 00:28:33,630 --> 00:28:38,400 to move data from one part of your machine to another in large quantities. 557 00:28:38,400 --> 00:28:43,230 And in fact, if you ever see a SATA connection from a hard drive to RAM 558 00:28:43,230 --> 00:28:46,110 using one of the SATA connectors we saw a moment ago on the slide, 559 00:28:46,110 --> 00:28:50,610 there's usually a long, thin strip that connects them together. 560 00:28:50,610 --> 00:28:52,590 That strip also forms part of the bus that 561 00:28:52,590 --> 00:28:55,740 is used to transfer data from the hard drive 562 00:28:55,740 --> 00:29:01,260 to the RAM in fairly large quantities. 
563 00:29:01,260 --> 00:29:03,570 In general, when we're working on a program, 564 00:29:03,570 --> 00:29:07,140 the data for that program including the code that actually is running 565 00:29:07,140 --> 00:29:09,720 is moved from hard disk to RAM. 566 00:29:09,720 --> 00:29:12,405 And it stays in RAM, assuming there's no space constraint that 567 00:29:12,405 --> 00:29:15,030 forces it to have to leave which sometimes can happen if you're 568 00:29:15,030 --> 00:29:16,823 running a lot of programs at once. 569 00:29:16,823 --> 00:29:18,990 You may notice your computer slows down quite a lot. 570 00:29:18,990 --> 00:29:22,140 That's because the computer is going to have 571 00:29:22,140 --> 00:29:23,850 to keep swapping things in and out of RAM 572 00:29:23,850 --> 00:29:25,350 in order to process multiple things. 573 00:29:25,350 --> 00:29:28,420 That's why you don't want to leave several hundred tabs open, 574 00:29:28,420 --> 00:29:31,590 for example in your browser, or have 20 or 30 programs running 575 00:29:31,590 --> 00:29:33,497 at once on your computer if you can avoid it, 576 00:29:33,497 --> 00:29:35,580 because it's going to slow down and require things 577 00:29:35,580 --> 00:29:37,890 to be swapped in and out of RAM such that it can 578 00:29:37,890 --> 00:29:39,640 be moved to the processor quite a bit. 579 00:29:39,640 --> 00:29:41,790 That's really going to slow things down. 580 00:29:41,790 --> 00:29:45,303 While the program is running or being used by the computer, 581 00:29:45,303 --> 00:29:46,470 everything will stay in RAM. 
582 00:29:46,470 --> 00:29:49,440 All the data will keep being manipulated there, 583 00:29:49,440 --> 00:29:51,340 and then ultimately when we close the program 584 00:29:51,340 --> 00:29:53,970 or once we otherwise indicate we haven't used it for some time 585 00:29:53,970 --> 00:29:56,845 and the computer realizes it needs that space for something else, all 586 00:29:56,845 --> 00:29:59,515 of those bits and bytes have been manipulated in RAM 587 00:29:59,515 --> 00:30:03,512 will be sort of picked up and moved back on the bus back to a hard disk 588 00:30:03,512 --> 00:30:06,720 where they will be resaved with the new state, such that any changes that you 589 00:30:06,720 --> 00:30:10,230 make in a program will ultimately be saved back to hard disk, 590 00:30:10,230 --> 00:30:13,792 but only once the program is completely done being used by the computer 591 00:30:13,792 --> 00:30:15,750 and it realizes it can free up that information 592 00:30:15,750 --> 00:30:19,290 and save it for long term storage. 593 00:30:19,290 --> 00:30:22,020 Hard drives, though, are not unbreakable. 594 00:30:22,020 --> 00:30:25,050 They have a lot of moving pieces. 595 00:30:25,050 --> 00:30:27,820 A typical hard disk drive consists of several platters, 596 00:30:27,820 --> 00:30:33,840 some thin metal circles spinning around a central axis very rapidly, 597 00:30:33,840 --> 00:30:36,310 about 4,000 to 5,000 revolutions per minute. 598 00:30:36,310 --> 00:30:39,240 So very, very quickly, with a magnetic read 599 00:30:39,240 --> 00:30:46,190 write arm that extends over across the diameter of the disk, basically. 
600 00:30:46,190 --> 00:30:47,940 And each one of the little rings that gets 601 00:30:47,940 --> 00:30:51,990 formed as you do this, as the read write arm moves in and out, 602 00:30:51,990 --> 00:30:53,992 it can access different sectors on the disk, 603 00:30:53,992 --> 00:30:55,950 and those different sectors are the things that 604 00:30:55,950 --> 00:30:59,340 get zeroed and oned over time. 605 00:30:59,340 --> 00:31:02,020 So it is possible for hard drives to fail. 606 00:31:02,020 --> 00:31:04,020 There's usually a couple ways that this happens. 607 00:31:04,020 --> 00:31:09,210 If the read write arm jams, because it is on some sort of track that 608 00:31:09,210 --> 00:31:12,920 moves in and out, if it jams without collapsing, 609 00:31:12,920 --> 00:31:15,120 your hard drive will just stop working, basically, 610 00:31:15,120 --> 00:31:18,930 because you can't read or write information anymore using that arm. 611 00:31:18,930 --> 00:31:22,950 But it is also possible for the hard disk arm to break and fall. 612 00:31:22,950 --> 00:31:29,282 That arm spins just above the top of these disks, and if it crashes into it, 613 00:31:29,282 --> 00:31:30,240 you'll hear that sound. 614 00:31:30,240 --> 00:31:32,910 That'll be a very unique and interesting sound to hear. 615 00:31:32,910 --> 00:31:34,910 Suffice it to say, your hard drive at that point 616 00:31:34,910 --> 00:31:37,438 is destroyed, because the collapse will crash everything, 617 00:31:37,438 --> 00:31:39,480 and these things are spinning very, very quickly, 618 00:31:39,480 --> 00:31:42,832 and so they're going to shred themselves from the inside. 619 00:31:42,832 --> 00:31:45,540 And you will no longer be able to get any data off of that drive.
620 00:31:45,540 --> 00:31:48,790 But if it's just the arm that gets stuck moving in and out but it doesn't fall 621 00:31:48,790 --> 00:31:52,260 down, you will still be able to recover data from that hard drive, 622 00:31:52,260 --> 00:31:54,048 and we'll talk about that shortly. 623 00:31:54,048 --> 00:31:57,090 Because a hard drive failure does not mean that the data is unrecoverable 624 00:31:57,090 --> 00:32:01,575 if the hard drive hasn't literally suffered this catastrophic shredding 625 00:32:01,575 --> 00:32:02,700 sort of thing that happens. 626 00:32:02,700 --> 00:32:04,410 That's going to render it unusable. 627 00:32:04,410 --> 00:32:08,460 But if it's just the arm that gets stuck, it is still usable. 628 00:32:08,460 --> 00:32:14,730 So what happens when we actually delete something on our machine? 629 00:32:14,730 --> 00:32:17,190 It turns out that overwriting hard disk space 630 00:32:17,190 --> 00:32:20,360 is actually a very, very time consuming and what 631 00:32:20,360 --> 00:32:24,270 we might consider computationally expensive operation for the machine. 632 00:32:24,270 --> 00:32:28,370 633 00:32:28,370 --> 00:32:33,660 You could think about it as it has to pull all of the data from the hard disk 634 00:32:33,660 --> 00:32:38,250 into RAM, change all of those bytes to delete what was there before, 635 00:32:38,250 --> 00:32:40,200 and then put all of that data back. 636 00:32:40,200 --> 00:32:42,090 The computer for some large files, say you 637 00:32:42,090 --> 00:32:44,400 want to delete a video file like a movie, that 638 00:32:44,400 --> 00:32:48,420 might be several gigabytes, so several billion bytes worth of data 639 00:32:48,420 --> 00:32:50,280 that we have to delete. 640 00:32:50,280 --> 00:32:53,520 The computer does not want to incur that sort of cost. 641 00:32:53,520 --> 00:32:57,900 Deleting a file if it actually had to do it that way would be very, very slow. 
642 00:32:57,900 --> 00:33:02,070 It would compromise any other program that you had running on your machine. 643 00:33:02,070 --> 00:33:05,430 And so that's not how computers actually delete information. 644 00:33:05,430 --> 00:33:07,980 Rather, they just forget where the data live. 645 00:33:07,980 --> 00:33:10,710 It turns out there's also something called a page file that 646 00:33:10,710 --> 00:33:14,190 exists on your machine that is basically the home 647 00:33:14,190 --> 00:33:16,590 address of the first byte of every single file 648 00:33:16,590 --> 00:33:18,780 that you have on your machine. 649 00:33:18,780 --> 00:33:24,778 And when you delete a file typically in your computer, 650 00:33:24,778 --> 00:33:26,070 it just forgets where it lives. 651 00:33:26,070 --> 00:33:28,470 The bytes that made it up are still there. 652 00:33:28,470 --> 00:33:31,860 The zeros and ones that comprise that file don't go anywhere. 653 00:33:31,860 --> 00:33:34,803 They may eventually be overwritten by some other file that 654 00:33:34,803 --> 00:33:37,470 happens to be stored in that same spot, because the computer now 655 00:33:37,470 --> 00:33:41,160 thinks it's open because it forgot that you live there. 656 00:33:41,160 --> 00:33:46,080 And even then, this only happens when you empty your recycle bin or trash 657 00:33:46,080 --> 00:33:47,640 if you're using a Mac. 658 00:33:47,640 --> 00:33:49,770 If you just put something in the recycle bin, 659 00:33:49,770 --> 00:33:52,740 that's not actually deleting it in any meaningful way at all. 660 00:33:52,740 --> 00:33:53,610 It hides the icon. 661 00:33:53,610 --> 00:33:56,100 You can't really click on that icon anymore, 662 00:33:56,100 --> 00:33:58,320 but you haven't deleted that file, and you probably 663 00:33:58,320 --> 00:34:03,480 know this because you can restore things from the recycle bin. 
664 00:34:03,480 --> 00:34:09,420 But even when you empty the recycle bin or empty the trash on your machine, 665 00:34:09,420 --> 00:34:12,690 you're still not actually deleting anything in the sense 666 00:34:12,690 --> 00:34:15,300 that you might be thinking is how we delete things. 667 00:34:15,300 --> 00:34:18,900 Instead, your computer's just forgetting what was there before. 668 00:34:18,900 --> 00:34:23,250 But those bits and bytes that comprise those files that you have deleted 669 00:34:23,250 --> 00:34:26,580 are still there, and that creates a couple of really interesting security 670 00:34:26,580 --> 00:34:28,949 implications. 671 00:34:28,949 --> 00:34:32,110 So files that get deleted aren't really deleted, 672 00:34:32,110 --> 00:34:35,969 which means that we can recover the information from them if we need to. 673 00:34:35,969 --> 00:34:37,447 How exactly might we do that? 674 00:34:37,447 --> 00:34:40,530 Well, there's definitely some tools out there that can be used to do this. 675 00:34:40,530 --> 00:34:42,697 And again, this requires that the hard drive was not 676 00:34:42,697 --> 00:34:46,409 physically destroyed in some way by the collapse of the read write arm. 677 00:34:46,409 --> 00:34:49,530 But we can literally just connect the hard drive to something and have 678 00:34:49,530 --> 00:34:53,159 a specialized tool that reads over all of those individual sectors 679 00:34:53,159 --> 00:34:56,370 on the disk-- and this is a very slow operation for sure-- 680 00:34:56,370 --> 00:34:58,970 read over all of the individual sectors on that disk and just 681 00:34:58,970 --> 00:35:01,553 say, well, this is a zero and this is a one and this is a zero 682 00:35:01,553 --> 00:35:05,040 and this is a one until we end up with this huge file that 683 00:35:05,040 --> 00:35:08,820 is all the zeros and ones that comprised what was originally 684 00:35:08,820 --> 00:35:10,830 the state of that hard drive. 
685 00:35:10,830 --> 00:35:13,290 And we usually refer to this file that gets created, 686 00:35:13,290 --> 00:35:17,250 this clone of the hard drive, as a forensic image. 687 00:35:17,250 --> 00:35:21,150 It's really just a huge file that is a complete replication 688 00:35:21,150 --> 00:35:23,850 of the bit by bit content as well as any metadata that 689 00:35:23,850 --> 00:35:28,050 might be associated with it that can be then created 690 00:35:28,050 --> 00:35:32,940 and read on a different computer so that even though the hard drive this was 691 00:35:32,940 --> 00:35:35,030 plugged into, maybe the computer got destroyed, 692 00:35:35,030 --> 00:35:39,750 where we can make a copy of it and read it on a different machine instead. 693 00:35:39,750 --> 00:35:43,950 So we go from this to how do people pick out what those files were? 694 00:35:43,950 --> 00:35:46,830 Again, computers only understand zeros and ones 695 00:35:46,830 --> 00:35:49,050 and at the end of the day, all of the stuff that 696 00:35:49,050 --> 00:35:51,720 is stored in your hard drive, all those files, 697 00:35:51,720 --> 00:35:55,020 anything that was stored in RAM when it was powered, 698 00:35:55,020 --> 00:35:56,580 is still just zeros and ones. 699 00:35:56,580 --> 00:35:59,490 They don't have icons like we see on our desktop. 700 00:35:59,490 --> 00:36:01,590 They don't mean anything intuitively. 701 00:36:01,590 --> 00:36:05,390 So how do we figure out what those files are? 702 00:36:05,390 --> 00:36:08,820 Well, it turns out that many of them have what is called a signature 703 00:36:08,820 --> 00:36:11,610 or a magic number associated with them. 704 00:36:11,610 --> 00:36:15,720 A magic number is just a way to refer to the first few bytes of a file 705 00:36:15,720 --> 00:36:20,850 where many file types, for example, PDFs, most image files, most music file 706 00:36:20,850 --> 00:36:23,820 types and so on, happen to start in a particular way.
707 00:36:23,820 --> 00:36:27,360 This isn't a way that we ever see when we open one of these files. 708 00:36:27,360 --> 00:36:29,730 But in the metadata at the beginning of those files, 709 00:36:29,730 --> 00:36:34,080 there's usually a sequence of bytes that represent 710 00:36:34,080 --> 00:36:38,092 a signature in effect of saying, the file that I'm about to open is a PDF, 711 00:36:38,092 --> 00:36:40,800 and you can generally rely on that because these first four bytes 712 00:36:40,800 --> 00:36:43,700 or whatever are these values. 713 00:36:43,700 --> 00:36:45,450 Now again, it's four to eight bytes, which 714 00:36:45,450 --> 00:36:51,420 means there are two to the 32 to two to the 256ish possibilities for what 715 00:36:51,420 --> 00:36:53,525 these first bits are. 716 00:36:53,525 --> 00:36:55,150 That's a lot of different combinations. 717 00:36:55,150 --> 00:37:01,120 And so if we see a magic number randomly appear in some forensic image 718 00:37:01,120 --> 00:37:04,170 or on some hard drive, the odds are pretty 719 00:37:04,170 --> 00:37:07,950 good that if we see that pattern, we know that that pattern generally 720 00:37:07,950 --> 00:37:11,130 refers to a file of that type, that what we have found 721 00:37:11,130 --> 00:37:14,687 is the beginning of a file of exactly that type. 722 00:37:14,687 --> 00:37:16,520 And we can start to interpret it in that way 723 00:37:16,520 --> 00:37:19,170 maybe and maybe be able to reconstruct something from it. 724 00:37:19,170 --> 00:37:23,340 So for example, it turns out that most PDFs have in their metadata-- 725 00:37:23,340 --> 00:37:25,140 and we never really see this-- 726 00:37:25,140 --> 00:37:29,370 the characters percent PDF at the beginning of them. 
727 00:37:29,370 --> 00:37:32,010 And that translates into this sequence of bits using the ASCII 728 00:37:32,010 --> 00:37:33,130 table that we've talked about before, and we 729 00:37:33,130 --> 00:37:35,505 don't need to get into a lot of detail, and it translates 730 00:37:35,505 --> 00:37:37,470 into these hexadecimal values. 731 00:37:37,470 --> 00:37:44,130 And so generally, if we happen to encounter exactly this pattern of 32 732 00:37:44,130 --> 00:37:48,390 bits, which we should only expect to see at the beginning of a PDF 733 00:37:48,390 --> 00:37:52,410 or otherwise once every one in two to the 32nd times-- 734 00:37:52,410 --> 00:37:54,820 like it's pretty uncommon to see exactly this pattern 735 00:37:54,820 --> 00:37:58,810 and we're looking for exactly that pattern. 736 00:37:58,810 --> 00:38:01,470 If we see those bits, generally what we can do 737 00:38:01,470 --> 00:38:05,010 is start to interpret the rest of this file as a PDF 738 00:38:05,010 --> 00:38:07,988 until we encounter some signature that we've reached the end of that. 739 00:38:07,988 --> 00:38:10,780 Whether that's a whole bunch of zeros or whether that's a signature 740 00:38:10,780 --> 00:38:14,453 that is again perhaps the start of another PDF. 741 00:38:14,453 --> 00:38:17,370 Now, of course it's possible that you'll end up with a false positive. 742 00:38:17,370 --> 00:38:19,640 For example, anybody who's examining these slides 743 00:38:19,640 --> 00:38:22,140 at some point in the future-- say that my hard drive crashed 744 00:38:22,140 --> 00:38:24,348 and I happen to literally have the characters percent 745 00:38:24,348 --> 00:38:27,060 PDF typed on to this slide.
746 00:38:27,060 --> 00:38:30,660 If you were to forensically recover my hard drive and analyze it 747 00:38:30,660 --> 00:38:35,670 and you found this PowerPoint file that is where I'm presenting the slides from 748 00:38:35,670 --> 00:38:39,810 and you saw literally the characters percent PDF in it as zeros and ones, 749 00:38:39,810 --> 00:38:43,192 you might mistakenly think, this happens to be a PDF 750 00:38:43,192 --> 00:38:45,150 and start to interpret from this point forward, 751 00:38:45,150 --> 00:38:46,745 this yellow point forward as a PDF. 752 00:38:46,745 --> 00:38:49,950 753 00:38:49,950 --> 00:38:51,660 But it wouldn't work. 754 00:38:51,660 --> 00:38:52,260 And that's OK. 755 00:38:52,260 --> 00:38:53,968 You might get a false positive sometimes, 756 00:38:53,968 --> 00:38:56,550 and then you just kind of disregard it and you keep looking. 757 00:38:56,550 --> 00:38:57,810 You look for a different type of file. 758 00:38:57,810 --> 00:38:59,630 You look for a different file signature and so on. 759 00:38:59,630 --> 00:39:02,047 But it can happen that you have a false positive like this 760 00:39:02,047 --> 00:39:04,543 in situations where you're trying to sort it out, 761 00:39:04,543 --> 00:39:06,210 because you have no other context clues. 762 00:39:06,210 --> 00:39:09,270 All you have are the bits and the information 763 00:39:09,270 --> 00:39:11,950 that you know about file signatures. 764 00:39:11,950 --> 00:39:16,490 OK, so we have this empty trash or empty recycle bin icon or menu 765 00:39:16,490 --> 00:39:17,490 option on our computers. 766 00:39:17,490 --> 00:39:21,810 But now we know it doesn't actually empty the trash at all. 767 00:39:21,810 --> 00:39:24,840 So how do we actually delete files from our hard drives 768 00:39:24,840 --> 00:39:26,940 as opposed to just having our hard drives forget 769 00:39:26,940 --> 00:39:30,420 or our systems forget where on the hard drive that file lived? 
770 00:39:30,420 --> 00:39:34,140 We probably want to do that at some point, get rid of the data 771 00:39:34,140 --> 00:39:35,430 on our machines. 772 00:39:35,430 --> 00:39:36,880 How exactly can we go about that? 773 00:39:36,880 --> 00:39:41,705 Well, there's actually relatively few ways to actually delete this data. 774 00:39:41,705 --> 00:39:43,830 The first of which we've already kind of discussed, 775 00:39:43,830 --> 00:39:46,170 which is physically destroying the hard drive. 776 00:39:46,170 --> 00:39:49,230 There are services out there that will shred your hard drives for you. 777 00:39:49,230 --> 00:39:52,020 If your read write arm breaks in a catastrophic way, 778 00:39:52,020 --> 00:39:55,590 your read write arm will shred the device for you itself. 779 00:39:55,590 --> 00:39:58,950 That's one way to ensure that your data is protected or deleted 780 00:39:58,950 --> 00:40:02,070 is to make it absolutely impossible to recover information 781 00:40:02,070 --> 00:40:04,320 from it by physical destruction. 782 00:40:04,320 --> 00:40:07,050 You can use a tool called a degausser. A degausser is really 783 00:40:07,050 --> 00:40:12,300 just a very strong magnet that you hold over the device for a period of time. 784 00:40:12,300 --> 00:40:15,180 It will also usually cause some sort of physical damage, 785 00:40:15,180 --> 00:40:18,720 because it's also going to mess up some of the metal that 786 00:40:18,720 --> 00:40:21,730 is inside the machine that is not storing data 787 00:40:21,730 --> 00:40:23,850 but is just structural metal.
788 00:40:23,850 --> 00:40:27,000 So usually a degausser will not only wipe out information 789 00:40:27,000 --> 00:40:30,390 by setting all of the bits, flipping the polarity of all the bits from south 790 00:40:30,390 --> 00:40:32,490 to north or something like that, but it will also 791 00:40:32,490 --> 00:40:34,698 usually cause some sort of mechanical wear just based 792 00:40:34,698 --> 00:40:37,350 on the strength of that magnet. 793 00:40:37,350 --> 00:40:39,420 But then we have this thing Secure Empty Trash. 794 00:40:39,420 --> 00:40:40,962 We saw this in the menu a second ago. 795 00:40:40,962 --> 00:40:43,770 What do you think Secure Empty Trash might do? 796 00:40:43,770 --> 00:40:45,810 Well, one thing that you might think is that it 797 00:40:45,810 --> 00:40:48,670 would overwrite the data with random bits, and you would be correct. 798 00:40:48,670 --> 00:40:50,340 That's what Secure Empty Trash does. 799 00:40:50,340 --> 00:40:53,850 So instead of just deleting information from the hard drive 800 00:40:53,850 --> 00:40:57,000 by forgetting where it lives, instead we actually go to that spot. 801 00:40:57,000 --> 00:41:00,600 And instead of writing all zeros or all ones, 802 00:41:00,600 --> 00:41:04,970 we just write random bits over it. 803 00:41:04,970 --> 00:41:08,880 But it turns out that this is actually not good enough 804 00:41:08,880 --> 00:41:10,802 to delete information on a single pass. 805 00:41:10,802 --> 00:41:13,260 But a single pass is actually what Secure Empty Trash does. 806 00:41:13,260 --> 00:41:17,040 It only makes one pass through, randomly setting each bit of that file 807 00:41:17,040 --> 00:41:18,647 to a one or a zero. 
808 00:41:18,647 --> 00:41:21,480 But it turns out, and the physics of this is a little bit beyond me, 809 00:41:21,480 --> 00:41:25,470 but it turns out that when the polarity of a magnet on a hard drive 810 00:41:25,470 --> 00:41:29,880 is flipped from zero to one, there's actually sort of this lingering halo 811 00:41:29,880 --> 00:41:35,740 effect that it leaves behind so that you can tell that this bit is a one now, 812 00:41:35,740 --> 00:41:37,350 but it used to be a zero. 813 00:41:37,350 --> 00:41:40,120 And that effect lingers for a little while. 814 00:41:40,120 --> 00:41:42,900 But if you keep changing it multiple times over and over, 815 00:41:42,900 --> 00:41:44,950 eventually that effect gets lost. 816 00:41:44,950 --> 00:41:46,380 So you can tell what bits-- 817 00:41:46,380 --> 00:41:49,695 imagine every bit was a one after you make one pass through it. 818 00:41:49,695 --> 00:41:52,680 All of those things that were ones before, their polarity didn't flip. 819 00:41:52,680 --> 00:41:54,210 There's no halo effect. 820 00:41:54,210 --> 00:41:57,390 But everything that used to be zero and is now a one 821 00:41:57,390 --> 00:42:02,730 has this slight signature left behind that says, this used to be a zero. 822 00:42:02,730 --> 00:42:06,630 And a good forensic analyst is able to take a look at that. 823 00:42:06,630 --> 00:42:09,760 As it reads, it can read the polarity of the magnet 824 00:42:09,760 --> 00:42:14,400 and see that it's slightly not exactly zero and not exactly one and say, OK. 825 00:42:14,400 --> 00:42:18,730 Well this bit probably used to be the opposite. 826 00:42:18,730 --> 00:42:22,020 And so even making one random pass across a hard drive 827 00:42:22,020 --> 00:42:26,162 is not enough to definitely securely erase the data on it. 
828 00:42:26,162 --> 00:42:27,870 You actually have to make it's considered 829 00:42:27,870 --> 00:42:30,960 to be seven passes is the industry standard 830 00:42:30,960 --> 00:42:36,810 to make sure that enough randomness has affected each of the individual magnets 831 00:42:36,810 --> 00:42:39,570 such that you can't tell what was there before. 832 00:42:39,570 --> 00:42:42,720 So to truly securely erase the hard drive and preserve it in a state where 833 00:42:42,720 --> 00:42:44,635 you can actually use it, you need to use-- 834 00:42:44,635 --> 00:42:46,560 and there are software tools that do this-- 835 00:42:46,560 --> 00:42:49,470 a tool that will overwrite the drive randomly 836 00:42:49,470 --> 00:42:53,473 multiple times to eliminate any of that lingering halo effect. 837 00:42:53,473 --> 00:42:55,140 But Secure Empty Trash does not do that. 838 00:42:55,140 --> 00:42:57,450 It only makes a single pass over the drive. 839 00:42:57,450 --> 00:43:03,270 So enough to cover it up for undiscerning 840 00:43:03,270 --> 00:43:08,010 eyes, but experts who study this and work with this kind of data 841 00:43:08,010 --> 00:43:11,520 regularly might still be able to figure out what the original data was 842 00:43:11,520 --> 00:43:14,490 if just a single pass is made. 843 00:43:14,490 --> 00:43:16,267 So why is this important? 844 00:43:16,267 --> 00:43:17,350 Well, there's two reasons. 845 00:43:17,350 --> 00:43:20,280 One, as attorneys, we want to make sure that we are doing everything 846 00:43:20,280 --> 00:43:23,250 we can to protect our clients' data. 847 00:43:23,250 --> 00:43:27,990 And also as we're working with those who may be less technically inclined, it's 848 00:43:27,990 --> 00:43:32,370 important for us as part of our competent representation of clients 849 00:43:32,370 --> 00:43:36,870 to inform them about what we can about the technology implications of some 850 00:43:36,870 --> 00:43:40,150 of the things they do from a legal perspective.
851 00:43:40,150 --> 00:43:43,680 And so if you're working in a large firm environment or as an in-house counsel, 852 00:43:43,680 --> 00:43:47,460 it's probably not going to fall to you as an attorney 853 00:43:47,460 --> 00:43:53,550 to develop some sort of protocol for establishing the best 854 00:43:53,550 --> 00:43:56,250 practices for working with client data. 855 00:43:56,250 --> 00:43:59,515 But it is really useful to understand what these protocols are 856 00:43:59,515 --> 00:44:01,890 and how you might be able to contribute to a conversation 857 00:44:01,890 --> 00:44:05,010 about making these protocols more robust. 858 00:44:05,010 --> 00:44:07,830 Here are some basic strategies that you can use as an attorney 859 00:44:07,830 --> 00:44:11,640 to protect your own client data but also to advise clients 860 00:44:11,640 --> 00:44:16,090 so that they can protect their data for their clients and so on. 861 00:44:16,090 --> 00:44:20,280 So the first one is quite easy, and that is to encrypt your hard drive. 862 00:44:20,280 --> 00:44:22,650 So we talked about encryption previously, 863 00:44:22,650 --> 00:44:25,020 but you can also encrypt your own hard drive such 864 00:44:25,020 --> 00:44:30,420 that when your computer turns on, you need to enter a password. 865 00:44:30,420 --> 00:44:32,610 It's again similar to this public private key idea 866 00:44:32,610 --> 00:44:34,410 that we've previously discussed. 867 00:44:34,410 --> 00:44:38,010 You need to type in this password in order for your entire hard drive 868 00:44:38,010 --> 00:44:41,880 to be unencrypted such that you can then read the data on it. 869 00:44:41,880 --> 00:44:45,120 Most operating systems now provide tools that 870 00:44:45,120 --> 00:44:48,780 are built into the operating system itself so that you can do this. 871 00:44:48,780 --> 00:44:50,850 So there's really no excuse not to do it. 
872 00:44:50,850 --> 00:44:53,730 It is a very easy, straightforward and simple way 873 00:44:53,730 --> 00:44:58,250 to take a pretty strong step at protecting the data on your machine 874 00:44:58,250 --> 00:44:59,520 easily. 875 00:44:59,520 --> 00:45:01,830 Again, this usually requires a password. 876 00:45:01,830 --> 00:45:04,957 Typically it'll be after you turn your computer on before the operating 877 00:45:04,957 --> 00:45:08,040 system itself loads, the operating system being one of the few things that 878 00:45:08,040 --> 00:45:11,550 is not encrypted such that it can then open the files 879 00:45:11,550 --> 00:45:14,670 and unencrypt everything and so on. 880 00:45:14,670 --> 00:45:18,120 But it will not proceed past the operating system load point 881 00:45:18,120 --> 00:45:19,810 until that password is provided. 882 00:45:19,810 --> 00:45:23,050 But do be careful, because some of these systems, 883 00:45:23,050 --> 00:45:25,920 particularly the more advanced ones, after a certain number 884 00:45:25,920 --> 00:45:31,950 of incorrect guesses will begin to securely wipe your hard drive using 885 00:45:31,950 --> 00:45:34,030 multiple passes of zeros and ones. 886 00:45:34,030 --> 00:45:39,420 And so if you think there's a danger that you might forget your master 887 00:45:39,420 --> 00:45:43,890 password so to speak for this hard drive encryption, 888 00:45:43,890 --> 00:45:46,265 you might want to keep something somewhere to remind you. 889 00:45:46,265 --> 00:45:48,890 I wouldn't recommend like sticking a sticky note on the monitor 890 00:45:48,890 --> 00:45:51,243 or anything like that, but have some sort of way 891 00:45:51,243 --> 00:45:53,910 to remember that password in the event that you might forget it, 892 00:45:53,910 --> 00:45:58,230 because you might lose data if you guess wrong too many times depending 893 00:45:58,230 --> 00:46:02,220 on which hard drive encryption tool you are using. 
894 00:46:02,220 --> 00:46:05,460 Another relatively easy thing to do is to avoid 895 00:46:05,460 --> 00:46:07,950 using insecure wireless networks. 896 00:46:07,950 --> 00:46:10,600 These are generally not as common anymore. 897 00:46:10,600 --> 00:46:14,970 Most people have wireless networks that require a password, 898 00:46:14,970 --> 00:46:18,540 and usually wireless networks that require a password will then 899 00:46:18,540 --> 00:46:21,570 have encryption for that individual making the connection 900 00:46:21,570 --> 00:46:24,150 on the system on the network. 901 00:46:24,150 --> 00:46:26,640 But unsecured networks do provide opportunities 902 00:46:26,640 --> 00:46:31,140 for those listening using tools that are called packet sniffers, which 903 00:46:31,140 --> 00:46:32,940 are literally just listening and gathering 904 00:46:32,940 --> 00:46:36,450 data on all of the packets of information 905 00:46:36,450 --> 00:46:39,960 that are being transmitted over the internet in the vicinity 906 00:46:39,960 --> 00:46:42,900 of the unsecured wireless network. 907 00:46:42,900 --> 00:46:46,710 And so you might see-- this is a screenshot of a tool called Wireshark, 908 00:46:46,710 --> 00:46:48,150 and it's a little blurry. 909 00:46:48,150 --> 00:46:51,180 There's not a lot of relevant information here. 910 00:46:51,180 --> 00:46:54,750 But on an unsecured network, it is possible to read 911 00:46:54,750 --> 00:46:57,390 all of the bytes and bits that are flowing through, 912 00:46:57,390 --> 00:47:00,420 translate them into their ASCII equivalents, 913 00:47:00,420 --> 00:47:02,970 and realize that this person is providing a username 914 00:47:02,970 --> 00:47:05,910 and password and an action logging in.
915 00:47:05,910 --> 00:47:09,060 And so anybody who is able to then take this information and see what IP 916 00:47:09,060 --> 00:47:12,525 address it came from-- and we'll talk about IP addresses shortly as well-- 917 00:47:12,525 --> 00:47:14,400 or where it was going to might be able to use 918 00:47:14,400 --> 00:47:17,580 that data to log in as that person, which would definitely not 919 00:47:17,580 --> 00:47:20,640 be a good thing at all. 920 00:47:20,640 --> 00:47:23,340 One way to get around this if you find yourself in a situation 921 00:47:23,340 --> 00:47:26,845 where you need to connect to the internet to do work 922 00:47:26,845 --> 00:47:29,470 or for whatever reason you need to be connected to the internet 923 00:47:29,470 --> 00:47:32,220 even if you're not sure about the quality of the network 924 00:47:32,220 --> 00:47:35,730 is to rely on private or work provided VPN services. 925 00:47:35,730 --> 00:47:39,090 VPN is a virtual private network, and it provides a way 926 00:47:39,090 --> 00:47:44,370 to connect to a trusted encrypted network, have that network act as you, 927 00:47:44,370 --> 00:47:48,960 effectively for providing encryption services for your web traffic 928 00:47:48,960 --> 00:47:53,550 even if you're not sure that your traffic itself is unencrypted. 929 00:47:53,550 --> 00:47:58,650 So VPNs are available at most businesses or also available online. 930 00:47:58,650 --> 00:48:00,870 Relatively inexpensively, you can buy tools 931 00:48:00,870 --> 00:48:05,880 that would allow you to make use of a virtual private network. 932 00:48:05,880 --> 00:48:07,380 Password managers. 933 00:48:07,380 --> 00:48:08,940 Password managers are great. 934 00:48:08,940 --> 00:48:11,880 Honestly, I can tell you that I don't know most of the passwords 935 00:48:11,880 --> 00:48:15,367 that I use on a daily basis because I rely on a password manager. 
936 00:48:15,367 --> 00:48:16,950 There are several services out there-- 937 00:48:16,950 --> 00:48:19,530 LastPass, 1Password, and others. 938 00:48:19,530 --> 00:48:25,200 Basically, the idea is the tool will generate passwords for you. 939 00:48:25,200 --> 00:48:27,510 You only have to remember the master password, the one 940 00:48:27,510 --> 00:48:30,450 password that you can use to unlock everything 941 00:48:30,450 --> 00:48:33,660 to open the password manager itself. 942 00:48:33,660 --> 00:48:35,910 And then once you're logged into the password manager, 943 00:48:35,910 --> 00:48:39,450 you just direct it to log in on your behalf to different services. 944 00:48:39,450 --> 00:48:42,390 You usually tell it this is the URL I'd like you to go to, 945 00:48:42,390 --> 00:48:46,500 this is the username to use, and then the secretly generated password 946 00:48:46,500 --> 00:48:51,220 that you don't generally know is stored in the password manager itself. 947 00:48:51,220 --> 00:48:54,120 Some of these tools are local to your machine. 948 00:48:54,120 --> 00:48:56,370 More often than not, they are starting to migrate 949 00:48:56,370 --> 00:49:00,060 to be cloud based services, which does introduce another interesting question 950 00:49:00,060 --> 00:49:04,500 of do you trust your data to be stored on the cloud as opposed 951 00:49:04,500 --> 00:49:06,150 to being stored on your device? 952 00:49:06,150 --> 00:49:08,250 And that's really a question that you should 953 00:49:08,250 --> 00:49:11,100 consider when you're thinking about using one of these tools. 954 00:49:11,100 --> 00:49:14,710 Most of these tools also have an excellent secondary effect, 955 00:49:14,710 --> 00:49:18,320 which is that they often provide two factor authentication support.
956 00:49:18,320 --> 00:49:20,070 And two factor authentication is something 957 00:49:20,070 --> 00:49:22,710 that we will talk about shortly as well, but it is usually something 958 00:49:22,710 --> 00:49:24,630 that you know, like a password or something 959 00:49:24,630 --> 00:49:28,460 that the password manager knows, and something you have like your cell 960 00:49:28,460 --> 00:49:32,055 phone, for example, that might be getting a text message with a code 961 00:49:32,055 --> 00:49:33,930 that you're supposed to enter as well. 962 00:49:33,930 --> 00:49:37,710 And the idea is that an adversary who is trying to hack into your account 963 00:49:37,710 --> 00:49:42,510 probably may know your password but won't have your phone, 964 00:49:42,510 --> 00:49:45,930 or may have your phone because they took it but won't know your password. 965 00:49:45,930 --> 00:49:51,430 And so these two factors are designed to preempt basic hacking attempts. 966 00:49:51,430 --> 00:49:54,358 But as I mentioned, these tools are great, 967 00:49:54,358 --> 00:49:56,400 but you should be skeptical of them, particularly 968 00:49:56,400 --> 00:50:01,020 if they are cloud based, because it is possible for bad things to happen. 969 00:50:01,020 --> 00:50:05,370 So for example, not too long ago, a few million users 970 00:50:05,370 --> 00:50:10,080 of the password manager Blur had information that was leaked online. 971 00:50:10,080 --> 00:50:12,330 None of this information was actually their passwords. 972 00:50:12,330 --> 00:50:15,790 It was more customer related information, sort of ancillary 973 00:50:15,790 --> 00:50:19,510 this is their email address and some other stuff. 974 00:50:19,510 --> 00:50:21,700 But it hits a little close to home. 975 00:50:21,700 --> 00:50:25,180 And so again, always be skeptical when thinking 976 00:50:25,180 --> 00:50:30,280 about your own data and your clients' data.
977 00:50:30,280 --> 00:50:35,550 But these tools are generally more good than bad. 978 00:50:35,550 --> 00:50:38,050 But again, the decision of whether to use these tools really 979 00:50:38,050 --> 00:50:41,890 does ultimately fall to you having done research into them, 980 00:50:41,890 --> 00:50:45,130 seeing whether or not they make sense for you, 981 00:50:45,130 --> 00:50:49,600 whether you want to take advantage of the advantages that they offer. 982 00:50:49,600 --> 00:50:52,990 If you're not going to use a password manager, 983 00:50:52,990 --> 00:50:56,650 you should at least be sure to use complex passwords 984 00:50:56,650 --> 00:51:01,098 and certainly make sure to avoid using the same password for multiple services 985 00:51:01,098 --> 00:51:03,640 unless it's like a throw away password that you use on things 986 00:51:03,640 --> 00:51:05,230 that you don't care about. 987 00:51:05,230 --> 00:51:09,790 But you want to definitely avoid using the same password 988 00:51:09,790 --> 00:51:11,470 on important services. 989 00:51:11,470 --> 00:51:16,960 So like your Gmail account or any client log in related information 990 00:51:16,960 --> 00:51:19,090 that you have, or anything banking. 991 00:51:19,090 --> 00:51:23,150 You want to use different passwords for all of those things. 992 00:51:23,150 --> 00:51:25,120 Passwords that have less than eight characters 993 00:51:25,120 --> 00:51:26,870 or less than or equal to eight characters, 994 00:51:26,870 --> 00:51:29,950 you should effectively consider have been broken and hacked already. 995 00:51:29,950 --> 00:51:30,880 Those are not secure. 996 00:51:30,880 --> 00:51:34,840 Computers are definitely powerful enough nowadays that it can be brute forced 997 00:51:34,840 --> 00:51:36,990 in a relatively short amount of time. 998 00:51:36,990 --> 00:51:40,570 We're still talking maybe days here for an eight character password, 999 00:51:40,570 --> 00:51:43,660 but that is not that much of an effort. 
1000 00:51:43,660 --> 00:51:47,230 Passwords should be at least 12 characters now for sure. 1001 00:51:47,230 --> 00:51:51,560 You should definitely have a mix of uppercase, lowercase letters, numbers, 1002 00:51:51,560 --> 00:51:52,752 symbols, anything like that. 1003 00:51:52,752 --> 00:51:55,210 But anything that is less than or equal to eight characters 1004 00:51:55,210 --> 00:51:58,572 should definitely be considered to be effectively hacked already. 1005 00:51:58,572 --> 00:52:00,655 And if it hasn't been hacked already, certainly it 1006 00:52:00,655 --> 00:52:03,130 is capable of being hacked very easily by anybody who 1007 00:52:03,130 --> 00:52:06,220 wants to put in the effort to do so. 1008 00:52:06,220 --> 00:52:09,310 You should also change your passwords as frequently as you can. 1009 00:52:09,310 --> 00:52:14,053 For example, I have a bank that requires me to change my password every 90 days 1010 00:52:14,053 --> 00:52:16,470 in order to continue to use their online banking services. 1011 00:52:16,470 --> 00:52:19,030 And on the one hand, yes, you may find that kind of annoying. 1012 00:52:19,030 --> 00:52:23,410 But on the other hand, it's good to keep things changing so that you're never 1013 00:52:23,410 --> 00:52:26,888 having a password get stale and potentially then leaving it vulnerable, 1014 00:52:26,888 --> 00:52:28,930 especially if it's the password that you may have 1015 00:52:28,930 --> 00:52:31,270 used on multiple services in the past. 1016 00:52:31,270 --> 00:52:33,523 It's a good thing to keep in mind, especially 1017 00:52:33,523 --> 00:52:35,440 if you don't have that many passwords that you 1018 00:52:35,440 --> 00:52:41,110 need to maintain to change them as frequently as you're able to. 1019 00:52:41,110 --> 00:52:42,162 Creating backups. 
1020 00:52:42,162 --> 00:52:43,870 Creating backups of information is really 1021 00:52:43,870 --> 00:52:47,200 important, because sometimes things will go wrong that you don't expect, 1022 00:52:47,200 --> 00:52:49,300 like maybe your hard drive will suffer some sort 1023 00:52:49,300 --> 00:52:52,480 of catastrophic mechanical failure and you wouldn't otherwise have a way 1024 00:52:52,480 --> 00:52:54,520 to get that information back. 1025 00:52:54,520 --> 00:52:57,280 So periodically backing your data up protects you 1026 00:52:57,280 --> 00:53:00,610 in the event of hardware failure or in the event 1027 00:53:00,610 --> 00:53:05,740 of some sort of ransomware attack where an adversary breaks 1028 00:53:05,740 --> 00:53:09,250 into your network, your office's network for example, 1029 00:53:09,250 --> 00:53:14,440 and doesn't take any data away but encrypts it using their own public 1030 00:53:14,440 --> 00:53:17,560 and private key such that there's no way for you 1031 00:53:17,560 --> 00:53:19,780 to read that information until you usually pay them 1032 00:53:19,780 --> 00:53:22,760 some ransom, which is usually money or something like that 1033 00:53:22,760 --> 00:53:24,668 or bitcoin or the like. 1034 00:53:24,668 --> 00:53:26,710 So you should back your data up pretty regularly. 1035 00:53:26,710 --> 00:53:31,450 You can back it up in the cloud using cloud based document storage services. 1036 00:53:31,450 --> 00:53:34,990 You can also just back it up on paper in certain situations as well. 1037 00:53:34,990 --> 00:53:38,080 But definitely back it up to non network connected machines, 1038 00:53:38,080 --> 00:53:41,110 so a computer that you have that is never connected to the internet 1039 00:53:41,110 --> 00:53:44,470 and is primarily used just for its hard drive space, basically. 1040 00:53:44,470 --> 00:53:48,670 Or to flash drives or CD ROMS if you're still using that technology. 
1041 00:53:48,670 --> 00:53:53,200 Just have some offline way to access important data in the event 1042 00:53:53,200 --> 00:53:56,046 that something goes really, really wrong. 1043 00:53:56,046 --> 00:53:58,900 Also, have an archival plan for data. 1044 00:53:58,900 --> 00:54:00,910 You don't need to keep data around forever. 1045 00:54:00,910 --> 00:54:04,090 We oftentimes think that because we're living in this digital age 1046 00:54:04,090 --> 00:54:09,430 that everything we do persists forever and needs to persist forever 1047 00:54:09,430 --> 00:54:10,600 and is tracked. 1048 00:54:10,600 --> 00:54:12,430 But that's not entirely true, particularly 1049 00:54:12,430 --> 00:54:17,230 if we are proactive in doing our part to archive or delete data 1050 00:54:17,230 --> 00:54:19,090 when we no longer need it. 1051 00:54:19,090 --> 00:54:21,460 Particularly when you're considering client data, 1052 00:54:21,460 --> 00:54:25,180 it is important to develop a consistent plan for when 1053 00:54:25,180 --> 00:54:27,010 you are done working with that data. 1054 00:54:27,010 --> 00:54:33,190 So for example, it may be the case that in your firm after three years of no 1055 00:54:33,190 --> 00:54:35,920 longer having any matters related to that client, 1056 00:54:35,920 --> 00:54:40,490 it is just your office's policy to delete that client's data. 
1057 00:54:40,490 --> 00:54:42,490 And that might mean transferring other data that 1058 00:54:42,490 --> 00:54:45,460 might be on a shared disk with them off of it 1059 00:54:45,460 --> 00:54:49,030 and literally going through the process of either destroying the drive 1060 00:54:49,030 --> 00:54:54,190 or doing the multiple passes over the drive using zeros and ones randomly 1061 00:54:54,190 --> 00:54:58,030 just to obscure that data, because having that policy of not keeping 1062 00:54:58,030 --> 00:55:03,160 things forever generally protects you, protect your clients if that data is 1063 00:55:03,160 --> 00:55:05,770 no longer needed. 1064 00:55:05,770 --> 00:55:08,198 Also, make talking about data security a priority. 1065 00:55:08,198 --> 00:55:10,240 I know it's not exactly the buzziest conversation 1066 00:55:10,240 --> 00:55:12,430 to have around the water cooler, but a lot of people 1067 00:55:12,430 --> 00:55:18,060 are not as thoughtful about technology as you may be taking this course. 1068 00:55:18,060 --> 00:55:22,050 And it may be a shock to them to realize that when 1069 00:55:22,050 --> 00:55:26,640 they delete a file on their machine, it doesn't actually do anything, 1070 00:55:26,640 --> 00:55:27,420 basically. 1071 00:55:27,420 --> 00:55:31,020 It just forgets that information, but that information still lives on. 1072 00:55:31,020 --> 00:55:34,990 You don't have to be a tech expert to educate others. 1073 00:55:34,990 --> 00:55:38,760 Particularly as someone who's coming into it with maybe a bit more of a leg 1074 00:55:38,760 --> 00:55:41,520 up in understanding technology, speaking to individuals 1075 00:55:41,520 --> 00:55:44,220 who may not know anything about what this technology is you 1076 00:55:44,220 --> 00:55:47,970 can really do yourself and your colleagues and your clients a service 1077 00:55:47,970 --> 00:55:50,320 by making this part of a typical conversation. 
1078 00:55:50,320 --> 00:55:56,310 Share your knowledge with others in your office and in your field. 1079 00:55:56,310 --> 00:56:00,693 And finally, think about establishing a compliance protocol. 1080 00:56:00,693 --> 00:56:02,610 A lot of these things that I've just described 1081 00:56:02,610 --> 00:56:05,910 are very, very easy to set up at the outset. 1082 00:56:05,910 --> 00:56:08,730 It is not difficult to say, I'm going to change all my passwords, 1083 00:56:08,730 --> 00:56:10,950 and I'm going to use this password manager, 1084 00:56:10,950 --> 00:56:14,490 and I'm going to write this policy for deleting information and archiving 1085 00:56:14,490 --> 00:56:16,500 information periodically. 1086 00:56:16,500 --> 00:56:22,170 The problem is that it becomes over time something that we forget to do. 1087 00:56:22,170 --> 00:56:25,680 And having regular periods of having someone 1088 00:56:25,680 --> 00:56:29,700 designated to make sure that these policies are being followed 1089 00:56:29,700 --> 00:56:33,540 is really important, as we'll see shortly when we talk about some 1090 00:56:33,540 --> 00:56:37,560 of the ABA ethical requirements for lawyers dealing with technology. 1091 00:56:37,560 --> 00:56:40,920 You want to make sure that if you establish some of these ground rules 1092 00:56:40,920 --> 00:56:45,600 for working with data, that you continue to follow these rules as you work 1093 00:56:45,600 --> 00:56:50,310 with this data for the months and years and so on going forward 1094 00:56:50,310 --> 00:56:53,640 as opposed to just doing it once and forgetting about it. 1095 00:56:53,640 --> 00:56:56,620 Because technology is not static. 1096 00:56:56,620 --> 00:56:58,770 It's going to continue to advance, and we need 1097 00:56:58,770 --> 00:57:00,240 to stay ahead of that as attorneys. 
1098 00:57:00,240 --> 00:57:04,650 It's part of our obligation to really understand this technology, 1099 00:57:04,650 --> 00:57:08,820 stay current with any changes, and adapt and change our policies accordingly 1100 00:57:08,820 --> 00:57:13,230 so that we're always staying as close to the cutting edge as we possibly can. 1101 00:57:13,230 --> 00:57:15,847 I really encourage you to volunteer with the compliance team. 1102 00:57:15,847 --> 00:57:17,680 You may have a compliance team, particularly 1103 00:57:17,680 --> 00:57:19,980 if you are at a large office or in-house counsel 1104 00:57:19,980 --> 00:57:24,790 setting, who is tasked with developing these technological policies. 1105 00:57:24,790 --> 00:57:31,650 And even if you don't feel like you want to advise on new avenues to pursue 1106 00:57:31,650 --> 00:57:35,162 or new policies to initiate, you still should be part of that conversation. 1107 00:57:35,162 --> 00:57:38,370 You do bring something valuable to the conversation just having the knowledge 1108 00:57:38,370 --> 00:57:41,520 that you have from a course like this and should be part of this conversation 1109 00:57:41,520 --> 00:57:44,030 so that you can contribute to it more in the future as well. 1110 00:57:44,030 --> 00:57:46,937 1111 00:57:46,937 --> 00:57:49,270 I'd like to conclude our discussion today about security 1112 00:57:49,270 --> 00:57:52,810 by drawing your attention to two really important ABA ethical decisions 1113 00:57:52,810 --> 00:57:56,620 that relate to lawyers and technology and what 1114 00:57:56,620 --> 00:58:00,850 lawyers should do in the event of a data breach at their office. 1115 00:58:00,850 --> 00:58:04,420 And let's start by taking a look at formal opinion 477R which 1116 00:58:04,420 --> 00:58:08,380 was released by the ABA in May of 2017. 1117 00:58:08,380 --> 00:58:12,580 This opinion deals with attorneys' obligations with respect to technical 1118 00:58:12,580 --> 00:58:13,600 know how. 
1119 00:58:13,600 --> 00:58:17,530 So it is now considered part of competent representation 1120 00:58:17,530 --> 00:58:24,370 for an attorney to be considerate of the technological implications of what 1121 00:58:24,370 --> 00:58:25,600 they do in their office. 1122 00:58:25,600 --> 00:58:27,310 What does it mean to store documents? 1123 00:58:27,310 --> 00:58:31,180 What does it mean to secure communications with clients? 1124 00:58:31,180 --> 00:58:35,197 It is incumbent upon us as lawyers to stay abreast of these developments 1125 00:58:35,197 --> 00:58:37,030 and really be informed about them and inform 1126 00:58:37,030 --> 00:58:39,580 our clients about the ramifications of some 1127 00:58:39,580 --> 00:58:42,760 of these new technological advancements. 1128 00:58:42,760 --> 00:58:46,330 It also formalizes the requirement of offices and firms 1129 00:58:46,330 --> 00:58:48,400 to have a compliance protocol. 1130 00:58:48,400 --> 00:58:52,150 What do you do when you receive client data? 1131 00:58:52,150 --> 00:58:53,950 Now, this opinion came out in 2017. 1132 00:58:53,950 --> 00:58:57,790 It replaced something from 1999, which at the time 1133 00:58:57,790 --> 00:59:02,590 the previous ABA opinion stated that all communications, including 1134 00:59:02,590 --> 00:59:05,320 unsecured unencrypted email, were generally 1135 00:59:05,320 --> 00:59:08,650 considered quote unquote secured. 1136 00:59:08,650 --> 00:59:11,283 Obviously, I think we can agree that is not the case anymore 1137 00:59:11,283 --> 00:59:13,700 and certainly the ABA agrees that is not the case anymore. 1138 00:59:13,700 --> 00:59:19,360 That's because we've transitioned from a time when a lot of lawyerly work 1139 00:59:19,360 --> 00:59:23,130 was done not using the internet, not using emails. 1140 00:59:23,130 --> 00:59:25,420 It was done using fax and paper and so on. 
1141 00:59:25,420 --> 00:59:28,810 And now we've transitioned to a mostly electronic way 1142 00:59:28,810 --> 00:59:31,300 of providing legal services to our clients, 1143 00:59:31,300 --> 00:59:35,800 and so our technological rules of our self-governing ethics 1144 00:59:35,800 --> 00:59:40,180 need to evolve to account for that. 1145 00:59:40,180 --> 00:59:44,350 It also brings up a very interesting question which is something just 1146 00:59:44,350 --> 00:59:47,710 to think about going forward or discuss with others in your group of how 1147 00:59:47,710 --> 00:59:51,670 do you reconcile a situation where you have a client who doesn't want 1148 00:59:51,670 --> 00:59:55,390 to use secured communications or doesn't want 1149 00:59:55,390 --> 00:59:58,630 to secure their data in working with you? 1150 00:59:58,630 --> 01:00:01,930 How does that square with your job or your requirement 1151 01:00:01,930 --> 01:00:05,470 as an attorney to ethically abide by this opinion 1152 01:00:05,470 --> 01:00:12,340 and be mindful and guard clients against technological mistakes? 1153 01:00:12,340 --> 01:00:16,150 Is it possible to provide competent representation to a client 1154 01:00:16,150 --> 01:00:21,992 if they are unwilling to adhere to your firm's compliance protocol? 1155 01:00:21,992 --> 01:00:24,700 It's a really interesting question that I don't have an answer to 1156 01:00:24,700 --> 01:00:27,190 but provokes an interesting discussion about what does it 1157 01:00:27,190 --> 01:00:30,700 mean for us to have client intake and work with clients, 1158 01:00:30,700 --> 01:00:33,610 and what happens when the client's wishes run 1159 01:00:33,610 --> 01:00:35,960 against our ethical obligations? 1160 01:00:35,960 --> 01:00:38,080 That's not a novel question to lawyers. 1161 01:00:38,080 --> 01:00:41,470 That presents itself in different ways, but via technology, 1162 01:00:41,470 --> 01:00:47,710 do we have yet another way we might have to consider this dilemma? 
1163 01:00:47,710 --> 01:00:52,900 Subsequent to 477R, a year and a half later in October of 2018, 1164 01:00:52,900 --> 01:00:56,440 the ABA issued formal opinion 483, which kind of 1165 01:00:56,440 --> 01:01:00,880 is the natural follow-on to 477R, which deals with what 1166 01:01:00,880 --> 01:01:05,920 happens if a lawyer's information is breached? 1167 01:01:05,920 --> 01:01:10,150 If there is a data breach at the firm and client data is compromised, 1168 01:01:10,150 --> 01:01:11,680 what do you have to do? 1169 01:01:11,680 --> 01:01:16,090 One important thing to think about here is that this opinion formalizes 1170 01:01:16,090 --> 01:01:19,330 the notion that has sort of long been held in technological circles 1171 01:01:19,330 --> 01:01:24,010 that there are two kinds of businesses that exist-- 1172 01:01:24,010 --> 01:01:27,520 ones that have been hacked, and ones that will be. 1173 01:01:27,520 --> 01:01:30,460 Not ones that might be or not ones that could be. 1174 01:01:30,460 --> 01:01:33,830 And perhaps even these are ones that have been and they don't know it yet. 1175 01:01:33,830 --> 01:01:36,623 But it's just such a part of life nowadays 1176 01:01:36,623 --> 01:01:39,040 that businesses either have been hacked or will be hacked, 1177 01:01:39,040 --> 01:01:41,200 and that is the mindset that you should have 1178 01:01:41,200 --> 01:01:44,770 when you are thinking about protecting client data, bringing in consultants, 1179 01:01:44,770 --> 01:01:51,690 and hiring people to do their best work to defend your clients' data. 1180 01:01:51,690 --> 01:01:56,350 Now, it turns out that law firms tend to be excellent targets for hackers, 1181 01:01:56,350 --> 01:01:59,360 and the reason for that is that they have a lot of very valuable data.
1182 01:01:59,360 --> 01:02:05,230 And unfortunately, the history is such that it is not always as well protected 1183 01:02:05,230 --> 01:02:08,350 by law firms as it might have been by the clients themselves, 1184 01:02:08,350 --> 01:02:12,490 because we as lawyers have been as equipped 1185 01:02:12,490 --> 01:02:16,060 to have a conversation about technology and how that technology might 1186 01:02:16,060 --> 01:02:19,580 affect our representation of clients. 1187 01:02:19,580 --> 01:02:23,045 The opinion describes a bunch of different cyber episodes, so to speak, 1188 01:02:23,045 --> 01:02:26,170 that might comprise a data breach, which would rise to the level of needing 1189 01:02:26,170 --> 01:02:28,270 to report to a client. 1190 01:02:28,270 --> 01:02:30,310 These include things such as ransomware attacks, 1191 01:02:30,310 --> 01:02:32,790 as we've discussed a little bit earlier today, 1192 01:02:32,790 --> 01:02:37,330 systems attacks that might break or somehow damage 1193 01:02:37,330 --> 01:02:42,050 the infrastructure of the firm or workplace, 1194 01:02:42,050 --> 01:02:44,920 as well as exfiltrations, which are probably the worst 1195 01:02:44,920 --> 01:02:48,110 kind of breach, which is someone hacks into your system 1196 01:02:48,110 --> 01:02:52,700 and is able to remove data such that you may not even have a copy of that data 1197 01:02:52,700 --> 01:02:55,730 anymore, and that's why having backups is so important, but removes 1198 01:02:55,730 --> 01:03:02,150 that data from your servers, for example, to the adversary's servers. 1199 01:03:02,150 --> 01:03:05,090 There is no ethical violation in being hacked. 1200 01:03:05,090 --> 01:03:07,940 It's really important to make that very clear. 1201 01:03:07,940 --> 01:03:14,180 The ethical violation occurs when non reasonable efforts are made, 1202 01:03:14,180 --> 01:03:17,900 unreasonable efforts are made to protect that data. 
1203 01:03:17,900 --> 01:03:21,590 If we as attorneys are making reasonable efforts to protect our clients' data 1204 01:03:21,590 --> 01:03:26,310 and we still get hacked, we have not necessarily done anything wrong 1205 01:03:26,310 --> 01:03:30,365 as long as we were doing our best to protect or prevent that 1206 01:03:30,365 --> 01:03:32,240 from happening in the first place and once we 1207 01:03:32,240 --> 01:03:37,880 detect that it has happened, to make every reasonable effort to stop 1208 01:03:37,880 --> 01:03:41,790 the attack if it is ongoing from continuing. 1209 01:03:41,790 --> 01:03:43,790 This also introduces a very interesting question 1210 01:03:43,790 --> 01:03:46,640 of what to do with former client data that has been hacked, 1211 01:03:46,640 --> 01:03:48,860 and that's why it's really important to establish 1212 01:03:48,860 --> 01:03:53,780 some sort of archival or deletion plan for working with that data. 1213 01:03:53,780 --> 01:03:55,640 The ABA proposes a couple of different ways 1214 01:03:55,640 --> 01:04:01,970 to resolve how to deal with informing a former client about information related 1215 01:04:01,970 --> 01:04:02,800 to a hack. 1216 01:04:02,800 --> 01:04:07,130 But one of the most important things to draw from this opinion, I would say, 1217 01:04:07,130 --> 01:04:11,600 is discussion about data retention needs to be 1218 01:04:11,600 --> 01:04:14,600 part of your firm's intake process or your intake 1219 01:04:14,600 --> 01:04:16,760 process for dealing with new clients. 1220 01:04:16,760 --> 01:04:21,260 Who owns what has always sort of been part of the conversation. 1221 01:04:21,260 --> 01:04:24,110 Generally as we know, we return client data to them 1222 01:04:24,110 --> 01:04:25,920 when we are done working with it. 1223 01:04:25,920 --> 01:04:28,700 How does this work in a digital context? 
1224 01:04:28,700 --> 01:04:30,980 It is really important for your intake plan 1225 01:04:30,980 --> 01:04:37,550 at your firm to handle what happens to digital versions of client data 1226 01:04:37,550 --> 01:04:44,587 when the representation has concluded because the matter has concluded. 1227 01:04:44,587 --> 01:04:47,420 Speaking of concluded, that is going to wrap up our discussion today 1228 01:04:47,420 --> 01:04:48,215 on security. 1229 01:04:48,215 --> 01:04:50,090 This will be the first of our two discussions 1230 01:04:50,090 --> 01:04:53,902 generally at length about security in the legal context. 1231 01:04:53,902 --> 01:04:55,610 But hopefully you've come away from today 1232 01:04:55,610 --> 01:05:00,830 with a better understanding of how your system works, what memory is, 1233 01:05:00,830 --> 01:05:03,840 and why when we delete things on our hard drives, 1234 01:05:03,840 --> 01:05:06,590 it doesn't actually get deleted and what some of the ramifications 1235 01:05:06,590 --> 01:05:07,782 might be for that. 1236 01:05:07,782 --> 01:05:09,740 And hopefully you also have come away from this 1237 01:05:09,740 --> 01:05:13,040 with an understanding of what to do going forward establishing 1238 01:05:13,040 --> 01:05:16,340 best practices for working with client data 1239 01:05:16,340 --> 01:05:19,220 to stay within the ethical guidelines proposed by the ABA, 1240 01:05:19,220 --> 01:05:23,720 and just to generally have a more technical conversation with clients 1241 01:05:23,720 --> 01:05:27,170 about your representation of them and what happens to their data 1242 01:05:27,170 --> 01:05:30,160 when that representation has concluded. 1243 01:05:30,160 --> 01:05:31,276