1 00:00:00,000 --> 00:00:02,952 [MUSIC PLAYING] 2 00:00:02,952 --> 00:00:04,428 SPEAKER: This is CS50. 3 00:00:04,428 --> 00:00:08,087 4 00:00:08,087 --> 00:00:09,170 DAVID MALAN: Hello, world. 5 00:00:09,170 --> 00:00:11,740 This is the CS50 podcast, episode 3. 6 00:00:11,740 --> 00:00:15,250 My name is David Malan, and I'm here with CS50's own Colton Ogden. 7 00:00:15,250 --> 00:00:16,300 COLTON OGDEN: Indeed. 8 00:00:16,300 --> 00:00:19,600 Last time-- sort of to segue into what we've talked about recently, 9 00:00:19,600 --> 00:00:22,030 we were talking a lot about facial recognition. 10 00:00:22,030 --> 00:00:23,490 That's an emerging thing-- 11 00:00:23,490 --> 00:00:25,323 we've gotten better at it-- machine learning 12 00:00:25,323 --> 00:00:27,490 has gotten better at detecting people's faces. 13 00:00:27,490 --> 00:00:29,617 And with that, there are a lot of security issues. 14 00:00:29,617 --> 00:00:32,950 And this week, it seems like there are a couple of incidents in the news related 15 00:00:32,950 --> 00:00:36,880 to facial recognition, first on the list being the New York City subway 16 00:00:36,880 --> 00:00:37,697 system actually. 17 00:00:37,697 --> 00:00:38,530 DAVID MALAN: Indeed. 18 00:00:38,530 --> 00:00:44,350 I saw some articles pop up where there were LCD screens of sorts and cameras, 19 00:00:44,350 --> 00:00:47,368 there supposedly to capture fare jumpers-- 20 00:00:47,368 --> 00:00:50,410 people who are trying to sneak through the gates without actually paying. 21 00:00:50,410 --> 00:00:53,800 But the interesting thing about the screens was it wasn't just CCTV 22 00:00:53,800 --> 00:00:55,870 or closed circuit television, like in the UK 23 00:00:55,870 --> 00:00:58,810 where you see yourself on the screen or in a convenience store here, 24 00:00:58,810 --> 00:01:02,620 but rather there were little rectangles appearing around all of the faces 25 00:01:02,620 --> 00:01:05,440 in the image which suggested, indeed, they were actually 26 00:01:05,440 --> 00:01:07,510 detecting faces which was worrisome. 27 00:01:07,510 --> 00:01:10,135 COLTON OGDEN: Right, and the company featured on the video feed 28 00:01:10,135 --> 00:01:13,430 was Wisenet which has been known for its facial recognition software. 29 00:01:13,430 --> 00:01:15,310 So presumably, the folks-- 30 00:01:15,310 --> 00:01:19,210 specifically, New York Times analyst Alice Fung was concerned at seeing this 31 00:01:19,210 --> 00:01:20,627 and that it sort of raises issues. 32 00:01:20,627 --> 00:01:22,460 How many companies are out there, you think, 33 00:01:22,460 --> 00:01:25,540 gathering people's facial information and using it to make decisions? 34 00:01:25,540 --> 00:01:27,790 DAVID MALAN: Well, it's probably increasingly present. 35 00:01:27,790 --> 00:01:30,310 And the funny thing is, here, they to their credit, 36 00:01:30,310 --> 00:01:34,505 graciously showed you the fact that there was facial recognition going on, 37 00:01:34,505 --> 00:01:36,130 which was probably part of the purpose. 
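To make concrete what those little rectangles are: drawing a box around every detected face takes only a few lines with an off-the-shelf library. Here is a minimal sketch, assuming Python with the opencv-python package and its bundled Haar cascade, and a hypothetical input image frame.jpg; note it only detects that a face is present, which is a much weaker capability than recognizing whose face it is.

```python
# Face *detection* sketch: find faces in an image and draw rectangles around them.
# Assumes the opencv-python package is installed; "frame.jpg" is a hypothetical input.
import cv2

# Pretrained frontal-face detector that ships with OpenCV
cascade = cv2.CascadeClassifier(
    cv2.data.haarcascades + "haarcascade_frontalface_default.xml"
)

frame = cv2.imread("frame.jpg")
gray = cv2.cvtColor(frame, cv2.COLOR_BGR2GRAY)

# One (x, y, width, height) box per detected face
faces = cascade.detectMultiScale(gray, scaleFactor=1.1, minNeighbors=5)

for (x, y, w, h) in faces:
    cv2.rectangle(frame, (x, y), (x + w, y + h), (0, 255, 0), 2)

cv2.imwrite("annotated.jpg", frame)
print(f"Detected {len(faces)} face(s)")
```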
38 00:01:36,130 --> 00:01:38,770 Because I recall that recording in progress 39 00:01:38,770 --> 00:01:41,740 and please pay your fare were among the messages on the screen, 40 00:01:41,740 --> 00:01:44,470 so there's probably a bit of psychological feedback 41 00:01:44,470 --> 00:01:47,560 there such that you realize, oh, not only are they filming me, 42 00:01:47,560 --> 00:01:50,557 they recognize me in some sense, even if purportedly they 43 00:01:50,557 --> 00:01:52,390 weren't doing anything with that information 44 00:01:52,390 --> 00:01:54,250 or tying it to an actual identity. 45 00:01:54,250 --> 00:01:57,340 But you gotta imagine that this probably does happen in other contexts 46 00:01:57,340 --> 00:02:00,520 when there isn't an LCD screen and certainly 47 00:02:00,520 --> 00:02:02,740 when there aren't little rectangles around your face, 48 00:02:02,740 --> 00:02:05,390 you can still do it in real time or in post-production even. 49 00:02:05,390 --> 00:02:07,180 COLTON OGDEN: And to your point previously, computers 50 00:02:07,180 --> 00:02:08,830 are only getting faster and smaller. 51 00:02:08,830 --> 00:02:11,080 People are going to be able to implement this technology everywhere 52 00:02:11,080 --> 00:02:12,250 and we won't even notice it's there. 53 00:02:12,250 --> 00:02:12,820 DAVID MALAN: Yeah. 54 00:02:12,820 --> 00:02:14,820 And I've been thinking about this for some years 55 00:02:14,820 --> 00:02:18,377 now-- as have privacy experts certainly-- all of us, myself included, 56 00:02:18,377 --> 00:02:21,460 like a bunch of dummies, have been uploading for years photos of ourselves 57 00:02:21,460 --> 00:02:24,190 to social media and tagging ourselves, essentially 58 00:02:24,190 --> 00:02:27,970 training these machine learning models to better detect us. 59 00:02:27,970 --> 00:02:31,000 I mean, my god, we're sort of accidentally, or unknowingly, 60 00:02:31,000 --> 00:02:33,460 or unwittingly opting into all of this. 61 00:02:33,460 --> 00:02:36,800 COLTON OGDEN: I wonder how much of Facebook has sold to other people. 62 00:02:36,800 --> 00:02:36,940 DAVID MALAN: Yeah. 63 00:02:36,940 --> 00:02:38,050 Well, I mean, what a powerhouse-- 64 00:02:38,050 --> 00:02:38,332 COLTON OGDEN: They probably have the biggest-- 65 00:02:38,332 --> 00:02:40,450 DAVID MALAN: --they, and Google, and Apple, and others. 66 00:02:40,450 --> 00:02:43,090 I mean, my iPhone can detect faces and that's in real time certainly. 67 00:02:43,090 --> 00:02:44,800 If I were to take a photo of you right now, 68 00:02:44,800 --> 00:02:46,900 I'm going to see a little rectangle on your face. 69 00:02:46,900 --> 00:02:48,108 COLTON OGDEN: Right, exactly. 70 00:02:48,108 --> 00:02:52,720 And I mean, the New York City subway isn't the only in the news 71 00:02:52,720 --> 00:02:56,200 sort of organization that's been using this sort of technology. 72 00:02:56,200 --> 00:03:00,900 Also JetBlue recently has had sort of a recent scandal in that. 73 00:03:00,900 --> 00:03:03,490 MacKenzie Fegan actually posted on social media-- 74 00:03:03,490 --> 00:03:07,235 she was allowed to get into her flight just by not even having 75 00:03:07,235 --> 00:03:10,360 to use her boarding pass or the like, but actually getting her face scanned 76 00:03:10,360 --> 00:03:13,060 and that proved to be enough credentials to get access to her flight. 77 00:03:13,060 --> 00:03:13,330 DAVID MALAN: Yeah. 
78 00:03:13,330 --> 00:03:15,080 I think it completely caught her off guard 79 00:03:15,080 --> 00:03:17,590 as it would have me if it were I in her situation, 80 00:03:17,590 --> 00:03:22,630 because apparently they had grabbed data from the US State Department. 81 00:03:22,630 --> 00:03:25,033 And this was supposedly a legitimate usage, 82 00:03:25,033 --> 00:03:26,950 but it was not something that was particularly 83 00:03:26,950 --> 00:03:30,370 well-disclosed or documented, certainly as far as this passenger goes. 84 00:03:30,370 --> 00:03:32,600 And frankly, that would make me uncomfortable, 85 00:03:32,600 --> 00:03:35,590 especially if a private business now-- which JetBlue is-- 86 00:03:35,590 --> 00:03:39,500 is using data that was collected, it sounds like, for governmental purposes, 87 00:03:39,500 --> 00:03:42,730 whether it was for passport, or for some clearance purposes, or the like. 88 00:03:42,730 --> 00:03:45,460 I mean, all it takes is for one person to overshare 89 00:03:45,460 --> 00:03:47,350 and then that information too is potentially 90 00:03:47,350 --> 00:03:48,870 in hands you don't want it to be in. 91 00:03:48,870 --> 00:03:49,060 COLTON OGDEN: Yeah. 92 00:03:49,060 --> 00:03:51,580 Based on what I read, it seemed like JetBlue actually wasn't 93 00:03:51,580 --> 00:03:54,070 storing the information themselves. 94 00:03:54,070 --> 00:03:58,090 They were using the United States Department of Homeland Security 95 00:03:58,090 --> 00:04:00,400 and sort of almost like an API on their part, 96 00:04:00,400 --> 00:04:02,650 and actually authenticating the information with them. 97 00:04:02,650 --> 00:04:04,733 And there wasn't actually any storing of the data, 98 00:04:04,733 --> 00:04:07,690 but it does make you wonder whether companies are, one, telling 99 00:04:07,690 --> 00:04:11,140 the truth about this, and two, if they're using this sort of technology 100 00:04:11,140 --> 00:04:14,060 and not disclosing it, how much is getting stored, where and when? 101 00:04:14,060 --> 00:04:14,470 DAVID MALAN: Yeah. 102 00:04:14,470 --> 00:04:15,845 And this is happening so quickly. 103 00:04:15,845 --> 00:04:16,810 I mean, it wasn't-- 104 00:04:16,810 --> 00:04:19,360 actually, maybe it was all that long ago that I was in graduate school, 105 00:04:19,360 --> 00:04:21,519 but I'm thinking back as though it was yesterday-- 106 00:04:21,519 --> 00:04:24,725 when I was in graduate school and I remember one of my fellow graduate 107 00:04:24,725 --> 00:04:25,600 students gave a talk. 108 00:04:25,600 --> 00:04:27,642 I think it might have been his thesis defense, so 109 00:04:27,642 --> 00:04:31,450 at the end of his grad program, where he actually turned a webcam or some camera 110 00:04:31,450 --> 00:04:34,810 on the whole audience who was there to see his talk, and in real time, 111 00:04:34,810 --> 00:04:38,560 he blew everyone's minds by actually showing in real time little rectangles 112 00:04:38,560 --> 00:04:40,180 or whatnot on top of everyone's faces. 113 00:04:40,180 --> 00:04:42,100 And that was bleeding edge at the time. 114 00:04:42,100 --> 00:04:44,530 And now I think we're all rather desensitized to the fact 115 00:04:44,530 --> 00:04:45,670 that computers can do this. 116 00:04:45,670 --> 00:04:47,860 And now we seem to be entering the phase where 117 00:04:47,860 --> 00:04:51,230 people are starting to realize what the information can be used for. 
118 00:04:51,230 --> 00:04:53,950 It's not just to playfully tag friends and family in photos, 119 00:04:53,950 --> 00:04:56,920 or to find photos among your iPhone or Android photos. 120 00:04:56,920 --> 00:05:01,510 Now it can be used to really identify you as a biometric detail. 121 00:05:01,510 --> 00:05:02,968 COLTON OGDEN: It's kind of scary. 122 00:05:02,968 --> 00:05:05,260 I mean, there are pros and cons to having this 123 00:05:05,260 --> 00:05:08,370 be more widespread, easily available. 124 00:05:08,370 --> 00:05:11,970 Pros potentially being-- depending on where you are, 125 00:05:11,970 --> 00:05:14,447 whether or not you want your face visible, 126 00:05:14,447 --> 00:05:15,780 whether you want to be tracked-- 127 00:05:15,780 --> 00:05:18,572 this could be good for law enforcement, certainly in certain cases. 128 00:05:18,572 --> 00:05:22,230 But as an innocent citizen, this might not necessarily 129 00:05:22,230 --> 00:05:26,700 be great knowing that the government and potentially a lot of private entities 130 00:05:26,700 --> 00:05:28,870 know where you are at any given moment's notice. 131 00:05:28,870 --> 00:05:29,050 DAVID MALAN: Yeah. 132 00:05:29,050 --> 00:05:31,925 I mean, you could imagine-- there's Nest cameras, for instance, in the US 133 00:05:31,925 --> 00:05:35,070 that are pretty popular just as in-home security devices. 134 00:05:35,070 --> 00:05:40,170 You could presumably start logging every passerby who strolls by your house 135 00:05:40,170 --> 00:05:42,900 just by patching your own hardware into some API 136 00:05:42,900 --> 00:05:46,680 or to some website that can actually do the facial recognition for you. 137 00:05:46,680 --> 00:05:48,100 And it's amazing how good it is. 138 00:05:48,100 --> 00:05:51,870 Like, even on Facebook when we post photos from CS50 from the class, 139 00:05:51,870 --> 00:05:56,700 I'm astonished sometimes when it notices even in the smallest of photos, 140 00:05:56,700 --> 00:05:59,130 the smallest of faces are actually picked up 141 00:05:59,130 --> 00:06:00,840 as an actual recognizable human. 142 00:06:00,840 --> 00:06:03,590 So you don't even need all that good of an image. 143 00:06:03,590 --> 00:06:06,120 COLTON OGDEN: Or even like profile shots too, or side-- 144 00:06:06,120 --> 00:06:07,860 I think that's the right term-- 145 00:06:07,860 --> 00:06:10,750 the side of the face-- that's a profile shot. 146 00:06:10,750 --> 00:06:12,360 Yeah, it's pretty frightening. 147 00:06:12,360 --> 00:06:19,515 Also frightening, [LAUGHS] the UK Cyber Survey recently talked about some 148 00:06:19,515 --> 00:06:21,390 of the information they've gathered recently. 149 00:06:21,390 --> 00:06:22,770 It's a little bit disconcerting. 150 00:06:22,770 --> 00:06:25,020 Certainly you've talked about this before a lot-- 151 00:06:25,020 --> 00:06:29,855 insecure passwords and some of the most common insecure passwords. 152 00:06:29,855 --> 00:06:31,980 DAVID MALAN: Yeah, this is sadly a recurring topic. 153 00:06:31,980 --> 00:06:37,410 I think the number one password yet again was "1, 2, 3, 4, 5, 154 00:06:37,410 --> 00:06:39,690 6" I think was the number one password. 155 00:06:39,690 --> 00:06:42,630 COLTON OGDEN: 23.2 million victim accounts worldwide. 156 00:06:42,630 --> 00:06:46,290 DAVID MALAN: [SIGHS] And so let's flesh this out a bit. 157 00:06:46,290 --> 00:06:48,210 Why "1, 2, 3, 4, 5, 6?" 158 00:06:48,210 --> 00:06:51,482 Like, how did 23 million people all decide on that one would you think?
159 00:06:51,482 --> 00:06:53,440 COLTON OGDEN: It's incredibly easy to remember. 160 00:06:53,440 --> 00:06:54,660 It's right there on the keyboard. 161 00:06:54,660 --> 00:06:56,493 DAVID MALAN: Granted, and something tells me 162 00:06:56,493 --> 00:06:59,610 that the systems all of these 23 million people are using probably 163 00:06:59,610 --> 00:07:01,657 has a minimum password length of-- 164 00:07:01,657 --> 00:07:02,490 surprise, surprise-- 165 00:07:02,490 --> 00:07:03,120 COLTON OGDEN: Six digits. 166 00:07:03,120 --> 00:07:04,370 DAVID MALAN: --six characters. 167 00:07:04,370 --> 00:07:05,280 Yeah, exactly. 168 00:07:05,280 --> 00:07:09,090 COLTON OGDEN: Another very popular password located right below 1, 2, 3, 169 00:07:09,090 --> 00:07:11,073 4, 5, 6 on the keyboard is QWERTY. 170 00:07:11,073 --> 00:07:13,740 DAVID MALAN: "QWERTY"-- [LAUGHS] because on a typical keyboard-- 171 00:07:13,740 --> 00:07:15,390 a QWERTY as it's called-- 172 00:07:15,390 --> 00:07:17,340 that's the top row of keys on the top left. 173 00:07:17,340 --> 00:07:20,273 COLTON OGDEN: They released the top 100,000 passwords that they found, 174 00:07:20,273 --> 00:07:23,190 and I believe that was number three on the list below "1, 2, 3, 4, 5, 6," 175 00:07:23,190 --> 00:07:25,112 and I think "password." 176 00:07:25,112 --> 00:07:27,570 And it's disconcerting just how many people are doing this, 177 00:07:27,570 --> 00:07:31,320 but we preach this all day long and it doesn't 178 00:07:31,320 --> 00:07:32,903 seem to necessarily work all the time. 179 00:07:32,903 --> 00:07:34,862 DAVID MALAN: We can't change the world perhaps, 180 00:07:34,862 --> 00:07:36,870 but I would like to think and hope-- and I'm 181 00:07:36,870 --> 00:07:39,162 sure there have been studies that could quantify this-- 182 00:07:39,162 --> 00:07:42,960 that at least the rate of people are being educated hopefully, 183 00:07:42,960 --> 00:07:45,930 and as the software is getting better, as the corporate policies are 184 00:07:45,930 --> 00:07:49,950 getting better, people's habits are hopefully changing. 185 00:07:49,950 --> 00:07:53,460 But, no, I'm sure both of us know people who have pretty weak passwords. 186 00:07:53,460 --> 00:07:55,422 In fact, am I looking at one right now? 187 00:07:55,422 --> 00:07:56,130 COLTON OGDEN: No. 188 00:07:56,130 --> 00:07:57,040 DAVID MALAN: Can you think of one account 189 00:07:57,040 --> 00:07:58,470 that is just kind of a throwaway? 190 00:07:58,470 --> 00:08:01,797 COLTON OGDEN: In the past, I think I was guiltier of this growing up. 191 00:08:01,797 --> 00:08:04,380 But I think especially the last five years, I've grown to be-- 192 00:08:04,380 --> 00:08:07,830 not only avoiding using the same password on multiple accounts, 193 00:08:07,830 --> 00:08:10,350 but making sure the passwords I do use are long-- 194 00:08:10,350 --> 00:08:14,280 10 characters plus-- have mixed characters, special symbols, numbers, 195 00:08:14,280 --> 00:08:16,650 that sort of thing, which I think websites nowadays 196 00:08:16,650 --> 00:08:19,290 are doing an excellent job of detecting this in advance. 197 00:08:19,290 --> 00:08:21,373 I've noticed when I've been registering for sites, 198 00:08:21,373 --> 00:08:24,180 they'll typically say, ensure your password is x characters long, 199 00:08:24,180 --> 00:08:27,980 has a special character-- dollar sign, exclamation point, what have you.
200 00:08:27,980 --> 00:08:31,230 Even things like parentheses-- these are nice because people don't often think 201 00:08:31,230 --> 00:08:34,919 to include these in their passwords, and it adds yet another character 202 00:08:34,919 --> 00:08:37,220 that any program used to brute force passwords 203 00:08:37,220 --> 00:08:41,520 has to account for in each position of the password, 204 00:08:41,520 --> 00:08:42,937 which grows the search space exponentially. 205 00:08:42,937 --> 00:08:43,937 DAVID MALAN: Absolutely. 206 00:08:43,937 --> 00:08:46,860 But some sites frankly are annoying because they will explicitly 207 00:08:46,860 --> 00:08:48,870 enumerate what symbols you can use. 208 00:08:48,870 --> 00:08:52,020 And at that point, my level of interest in choosing the password according 209 00:08:52,020 --> 00:08:54,300 to rules really starts to fade quickly. 210 00:08:54,300 --> 00:08:59,367 They should not be confining me to type only a subset of printable characters. 211 00:08:59,367 --> 00:09:01,200 Frankly, there's a couple hundred characters 212 00:09:01,200 --> 00:09:03,570 that I should be able to express on my typical keyboard. 213 00:09:03,570 --> 00:09:06,420 And frankly, I think it's often that people 214 00:09:06,420 --> 00:09:11,250 misunderstand what dangerous characters are in the context of a SQL database. 215 00:09:11,250 --> 00:09:13,923 We talk in CS50 about SQL injection attacks and the like, 216 00:09:13,923 --> 00:09:16,090 and so people put these artificial constraints when, 217 00:09:16,090 --> 00:09:18,030 frankly, just sanitizing the user's input 218 00:09:18,030 --> 00:09:22,140 and escaping potentially dangerous characters like semicolons or quotation 219 00:09:22,140 --> 00:09:24,960 marks in SQL or other languages is really the solution. 220 00:09:24,960 --> 00:09:28,050 So some people, I think, just aren't really getting the message. 221 00:09:28,050 --> 00:09:30,450 They're hearing that I need to make it-- 222 00:09:30,450 --> 00:09:33,390 I need to insist on difficult to guess passwords, 223 00:09:33,390 --> 00:09:35,820 but they don't necessarily appreciate the implications 224 00:09:35,820 --> 00:09:38,640 for UX or user experience, which is what's 225 00:09:38,640 --> 00:09:41,760 nudging people in the first place to choosing weak passwords so that they 226 00:09:41,760 --> 00:09:42,960 can simply remember them. 227 00:09:42,960 --> 00:09:43,420 COLTON OGDEN: Sure. 228 00:09:43,420 --> 00:09:44,378 That makes total sense. 229 00:09:44,378 --> 00:09:48,640 I'm guessing people might, as a precaution to your point, 230 00:09:48,640 --> 00:09:50,640 avoid using things like parentheses because they 231 00:09:50,640 --> 00:09:52,560 fear getting a SQL injection attack. 232 00:09:52,560 --> 00:09:55,320 I mean, if you're using a password manager like we do in CS50, 233 00:09:55,320 --> 00:09:58,318 which we've talked about in prior podcast episodes, 234 00:09:58,318 --> 00:10:01,110 often you'll see characters like that-- things like curly brackets, 235 00:10:01,110 --> 00:10:03,255 parentheses, dashes, what have you-- 236 00:10:03,255 --> 00:10:05,130 everything's fair game knowing you could win. 237 00:10:05,130 --> 00:10:05,227 DAVID MALAN: Yeah. 238 00:10:05,227 --> 00:10:07,310 And you can just let software generate it for you. 239 00:10:07,310 --> 00:10:09,930 And I've been such a fanboy for so long of password managers 240 00:10:09,930 --> 00:10:12,180 that all of us, of course, here on the team use.
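To make David's point about SQL concrete: the robust fix is not to ban "dangerous" characters from passwords, but to keep user input out of the query text entirely, via parameterized queries (or, equivalently, careful escaping). A minimal sketch using Python's built-in sqlite3; the table and column names are illustrative only, and a real application would of course store a hash of the password rather than the password itself.

```python
# Parameterized queries: user input is passed as data via placeholders, never
# spliced into the SQL string, so quotes, semicolons, parentheses, etc. are inert.
import sqlite3

db = sqlite3.connect(":memory:")  # throwaway in-memory database for illustration
db.execute("CREATE TABLE users (username TEXT, password TEXT)")

def register(username: str, password: str) -> None:
    # The ? placeholders are bound by the driver; nothing here is parsed as SQL.
    # (A real application would store a hash of the password, not the password.)
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)",
               (username, password))
    db.commit()

# Characters that naive string concatenation would choke on are perfectly safe:
register("alice", "it's; a (weird) -- password")
print(db.execute("SELECT * FROM users").fetchall())
```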
241 00:10:12,180 --> 00:10:17,110 But I gotta admit, I've heard now in the wild of the one corner case 242 00:10:17,110 --> 00:10:18,360 that you don't want to happen. 243 00:10:18,360 --> 00:10:19,720 And this comes from-- 244 00:10:19,720 --> 00:10:21,360 he or she shall not be named-- 245 00:10:21,360 --> 00:10:26,610 but one of our most amazing colleagues actually conveyed to me recently 246 00:10:26,610 --> 00:10:30,030 that they forgot the one thing you can't forget 247 00:10:30,030 --> 00:10:33,360 when using a password manager which is your so-called master password! 248 00:10:33,360 --> 00:10:36,630 The most important-- the only password that you have to remember. 249 00:10:36,630 --> 00:10:39,390 And gosh, I can only imagine the stress then 250 00:10:39,390 --> 00:10:41,140 of having to go through and change dozens, 251 00:10:41,140 --> 00:10:42,510 hundreds of accounts' passwords. 252 00:10:42,510 --> 00:10:47,460 So this is sort of a multi-tier problem where you probably want to have, 253 00:10:47,460 --> 00:10:49,650 frankly, a printout of that master password. 254 00:10:49,650 --> 00:10:52,560 Maybe tuck it away into a bank vault or something like that. 255 00:10:52,560 --> 00:10:55,810 Tuck it away under the mattress so at least no one can, with some probability, 256 00:10:55,810 --> 00:10:56,310 find it. 257 00:10:56,310 --> 00:10:58,470 But it's a tricky thing to navigate because it's probably 258 00:10:58,470 --> 00:11:00,762 not the most secure thing to keep it only in your head, 259 00:11:00,762 --> 00:11:02,820 because God forbid you do forget it, or lose it, 260 00:11:02,820 --> 00:11:05,470 or you don't use it for so long that it just fades away. 261 00:11:05,470 --> 00:11:06,570 Now you got a problem. 262 00:11:06,570 --> 00:11:09,510 COLTON OGDEN: And heaven forbid your master password is "1, 2, 3, 4, 5, 6." 263 00:11:09,510 --> 00:11:11,343 DAVID MALAN: [LAUGHS] Hopefully the software 264 00:11:11,343 --> 00:11:13,828 is good enough to defend against that. 265 00:11:13,828 --> 00:11:15,870 COLTON OGDEN: On the heels of terrible passwords, 266 00:11:15,870 --> 00:11:21,600 turns out that there was a terrible password exploitation event at a tech 267 00:11:21,600 --> 00:11:23,480 company called Citrix actually. 268 00:11:23,480 --> 00:11:24,360 DAVID MALAN: Yeah. 269 00:11:24,360 --> 00:11:27,150 So we actually used years ago Citrix, but they were very well 270 00:11:27,150 --> 00:11:29,753 known at the time for load balancing hardware. 271 00:11:29,753 --> 00:11:32,670 Nowadays, it's so much easier to do this in software and in the cloud, 272 00:11:32,670 --> 00:11:34,740 but Citrix made load balancers-- hardware 273 00:11:34,740 --> 00:11:38,890 that lets you have multiple servers and spread lots of users' load across them. 274 00:11:38,890 --> 00:11:40,830 And I think what was hypothesized here was 275 00:11:40,830 --> 00:11:43,800 that one of their internal, very important accounts 276 00:11:43,800 --> 00:11:48,330 was compromised by just a brute force attack trying a whole bunch 277 00:11:48,330 --> 00:11:50,688 of random or non-random passwords. 278 00:11:50,688 --> 00:11:53,730 Case in point, you can just grab these lists of the most popular passwords 279 00:11:53,730 --> 00:11:54,270 out there-- 280 00:11:54,270 --> 00:11:57,510 start with those before you even do start to brute force things.
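That last point is exactly what the password spraying discussed below relies on: attackers try the most common passwords first. The defensive mirror image is to reject any password that appears on such a list. A rough sketch, assuming a hypothetical local file common-passwords.txt with one known-common password per line:

```python
# Reject passwords that are too short or that appear on a list of commonly used
# passwords -- the same lists an attacker would try first.
# "common-passwords.txt" is a hypothetical local copy of such a list.

def load_common_passwords(path: str = "common-passwords.txt") -> set[str]:
    with open(path, encoding="utf-8") as f:
        return {line.strip() for line in f if line.strip()}

def is_acceptable(password: str, common: set[str], min_length: int = 10) -> bool:
    if len(password) < min_length:
        return False            # too short to resist brute force
    if password.lower() in common:
        return False            # "123456", "qwerty", "password", ...
    return True

common = load_common_passwords()
print(is_acceptable("123456", common))                 # False
print(is_acceptable("purple-motor-boat-42", common))   # True, assuming it's not on the list
```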
281 00:11:57,510 --> 00:12:00,630 And I think they noted that because the accounts in question, 282 00:12:00,630 --> 00:12:03,900 or account in question, didn't have two factor authentication, 283 00:12:03,900 --> 00:12:07,590 like a key fob or a unique code associated with it, 284 00:12:07,590 --> 00:12:10,288 that they ultimately found an important account to access. 285 00:12:10,288 --> 00:12:11,080 COLTON OGDEN: Yeah. 286 00:12:11,080 --> 00:12:11,610 This is huge. 287 00:12:11,610 --> 00:12:14,235 Two factor authentication-- I mean, we use that for everything. 288 00:12:14,235 --> 00:12:15,270 It just really sort of-- 289 00:12:15,270 --> 00:12:16,980 I mean, this is an old idea too. 290 00:12:16,980 --> 00:12:20,040 From what I understand, this is done with, like you're saying, 291 00:12:20,040 --> 00:12:22,200 literal physical devices back in the day-- 292 00:12:22,200 --> 00:12:23,192 pre-iPhone era. 293 00:12:23,192 --> 00:12:25,775 DAVID MALAN: Yeah, it's gotten easier with software certainly. 294 00:12:25,775 --> 00:12:28,980 COLTON OGDEN: And yeah, that was really the main thing. 295 00:12:28,980 --> 00:12:33,210 Password spraying is the term-- literally just throw this 100k list 296 00:12:33,210 --> 00:12:36,690 that the UK Cyber Council released. 297 00:12:36,690 --> 00:12:38,580 Just use those passwords and then-- 298 00:12:38,580 --> 00:12:40,230 how many companies do you think? 299 00:12:40,230 --> 00:12:41,813 It's a goldmine for hackers out there. 300 00:12:41,813 --> 00:12:42,980 DAVID MALAN: Oh, absolutely. 301 00:12:42,980 --> 00:12:44,110 COLTON OGDEN: 23.2 million. 302 00:12:44,110 --> 00:12:46,180 DAVID MALAN: It's kind of fun to joke about what the top passwords are, 303 00:12:46,180 --> 00:12:47,930 but these are actually real attack vectors 304 00:12:47,930 --> 00:12:51,450 to actually use that data not for good, but for evil. 305 00:12:51,450 --> 00:12:53,820 COLTON OGDEN: Yeah, it's unfortunate. 306 00:12:53,820 --> 00:12:55,530 But in better news, have you heard-- 307 00:12:55,530 --> 00:12:56,840 DAVID MALAN: Happy thoughts. 308 00:12:56,840 --> 00:12:59,520 COLTON OGDEN: --Apache is migrating to GitHub or has migrated to GitHub? 309 00:12:59,520 --> 00:12:59,640 DAVID MALAN: I did. 310 00:12:59,640 --> 00:13:01,800 CS50's own Colton Ogden told me about this, in fact. 311 00:13:01,800 --> 00:13:03,210 COLTON OGDEN: It's pretty cool, right? 312 00:13:03,210 --> 00:13:03,960 DAVID MALAN: Yeah. 313 00:13:03,960 --> 00:13:07,988 I mean, Apache Foundation has so much open source software that we ourselves 314 00:13:07,988 --> 00:13:10,530 have used for years, like Apache, the web server for instance 315 00:13:10,530 --> 00:13:12,270 is one of the biggest and the most popular. 316 00:13:12,270 --> 00:13:14,520 And I gather they've migrated a lot of their code base 317 00:13:14,520 --> 00:13:18,090 that's already open source, but to a new platform, GitHub, which 318 00:13:18,090 --> 00:13:19,980 is kind of where it's at certainly. 319 00:13:19,980 --> 00:13:22,288 Not the only such service, but certainly a popular one. 320 00:13:22,288 --> 00:13:23,080 COLTON OGDEN: Yeah. 321 00:13:23,080 --> 00:13:26,250 And making their code, I mean, really, accessible to millions and millions 322 00:13:26,250 --> 00:13:27,150 of developers. 323 00:13:27,150 --> 00:13:30,120 DAVID MALAN: Yeah, but to be fair, their source code, to my knowledge, 324 00:13:30,120 --> 00:13:32,880 was always open source, just in different places. 
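For the curious, the "unique code" flavor of two-factor authentication mentioned a moment ago is usually a time-based one-time password (TOTP): the server and your device share a secret and each derive a short code from the current 30-second window. A sketch of the idea using only Python's standard library; the base32 secret shown is a throwaway example, not anything real.

```python
# Time-based one-time password (RFC 6238 / RFC 4226), standard library only.
import base64, hashlib, hmac, struct, time

def totp(secret_b32: str, step: int = 30, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(time.time()) // step           # which 30-second window we're in
    msg = struct.pack(">Q", counter)             # counter as an 8-byte big-endian int
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                   # "dynamic truncation"
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Example secret only; a real one is provisioned per user (e.g. via a QR code).
print(totp("JBSWY3DPEHPK3PXP"))
```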
325 00:13:32,880 --> 00:13:35,400 I mean, for many years, SourceForge was quite the thing 326 00:13:35,400 --> 00:13:38,430 and it still exists, although it doesn't have nearly the same cachet 327 00:13:38,430 --> 00:13:42,180 or feature set as your GitHubs, your GitLabs, your Bitbuckets do. 328 00:13:42,180 --> 00:13:45,150 And even among those last three, I mean GitHub probably still 329 00:13:45,150 --> 00:13:46,830 has the highest profile. 330 00:13:46,830 --> 00:13:48,480 And it's kind of an interesting signal. 331 00:13:48,480 --> 00:13:52,440 Even I, rightly or wrongly, when I'm sort of Googling around looking 332 00:13:52,440 --> 00:13:54,990 for open source solutions to problems we have-- 333 00:13:54,990 --> 00:13:57,840 libraries or packages that I kind of want-- 334 00:13:57,840 --> 00:14:01,290 I'll see something on one of these older platforms like SourceForge 335 00:14:01,290 --> 00:14:04,410 and think, oh, I wonder if it's actually still actively maintained. 336 00:14:04,410 --> 00:14:06,990 Whereas if I see it on GitHub and I also see 337 00:14:06,990 --> 00:14:10,668 some commit history in recent days or months, that's a pretty useful signal. 338 00:14:10,668 --> 00:14:11,460 COLTON OGDEN: Yeah. 339 00:14:11,460 --> 00:14:13,585 And I mean, I wonder how much of that is a function 340 00:14:13,585 --> 00:14:17,370 of being on another kind of source control platform, like Mercurial. 341 00:14:17,370 --> 00:14:19,660 Maybe people just don't want to go through the issue 342 00:14:19,660 --> 00:14:23,290 of losing all of that history that they would have to inevitably transfer. 343 00:14:23,290 --> 00:14:26,552 I don't know if maybe there's a way to actually migrate that to Git somehow. 344 00:14:26,552 --> 00:14:28,260 DAVID MALAN: You can, and GitHub actually 345 00:14:28,260 --> 00:14:31,680 supports multiple protocols-- just Git is the de facto, perhaps most popular, 346 00:14:31,680 --> 00:14:32,490 nowadays. 347 00:14:32,490 --> 00:14:36,420 But I can totally appreciate how folks who sort of are very comfortable using 348 00:14:36,420 --> 00:14:38,610 one platform, or think SVN, or Mercurial, 349 00:14:38,610 --> 00:14:40,410 or whatever is just better than Git. 350 00:14:40,410 --> 00:14:41,070 That's fine. 351 00:14:41,070 --> 00:14:45,030 So I think it's important not to become a hater just because one service is 352 00:14:45,030 --> 00:14:47,850 more in vogue or one technology is more in vogue than the others. 353 00:14:47,850 --> 00:14:50,850 I mean, it doesn't necessarily solve any more problems putting your code 354 00:14:50,850 --> 00:14:54,000 on GitHub than putting it anywhere else, but it's 355 00:14:54,000 --> 00:14:56,730 just certainly consistent with the trend these days, perhaps. 356 00:14:56,730 --> 00:14:57,000 COLTON OGDEN: Yeah. 357 00:14:57,000 --> 00:14:59,250 I mean, to your point, I think GitHub is just the nicest user 358 00:14:59,250 --> 00:15:00,530 experience for source control. 359 00:15:00,530 --> 00:15:03,523 DAVID MALAN: I do think the UI is terrific-- yes, I do think they've 360 00:15:03,523 --> 00:15:05,190 got a lot of those details really right. 361 00:15:05,190 --> 00:15:06,898 COLTON OGDEN: And that's really, I think, 362 00:15:06,898 --> 00:15:09,150 why so many people are using it so much now. 363 00:15:09,150 --> 00:15:11,790 It's just a pleasant environment for the millions of developers out there. 364 00:15:11,790 --> 00:15:14,790 You're going to want to spend your time enjoying your workflow, presumably.
365 00:15:14,790 --> 00:15:15,530 DAVID MALAN: Yeah, it works well. 366 00:15:15,530 --> 00:15:17,520 I mean, we internally certainly use it all the time. 367 00:15:17,520 --> 00:15:19,350 And actually, we just started last night-- 368 00:15:19,350 --> 00:15:23,370 as recently as last night playing with a feature that GitHub rolled out some 369 00:15:23,370 --> 00:15:25,410 months ago, I think, now called "code owners"-- 370 00:15:25,410 --> 00:15:26,793 maybe even a year or more now-- 371 00:15:26,793 --> 00:15:29,460 where you can actually specify in a special config file-- which, 372 00:15:29,460 --> 00:15:31,140 to be fair, is specific to GitHub. 373 00:15:31,140 --> 00:15:32,820 It's not a Git thing, per se. 374 00:15:32,820 --> 00:15:35,370 So we're starting to get a little proprietary in that sense, 375 00:15:35,370 --> 00:15:38,040 or a bit of lock in with certain platforms. 376 00:15:38,040 --> 00:15:40,560 But we use this config file called "code owners" 377 00:15:40,560 --> 00:15:45,960 to specify which of our CS50 staff, quote unquote, own a particular file, 378 00:15:45,960 --> 00:15:48,977 or a subset of the file, so that now I know-- 379 00:15:48,977 --> 00:15:51,060 and you and I were talking about this last night-- 380 00:15:51,060 --> 00:15:54,450 if someone wants to make a change to a particularly important config file, 381 00:15:54,450 --> 00:15:57,690 I will be automatically notified and I need to approve it. 382 00:15:57,690 --> 00:16:00,390 And it's just kind of a nice comfort that we can't accidentally 383 00:16:00,390 --> 00:16:01,620 break each other's work. 384 00:16:01,620 --> 00:16:04,610 We're going to notify each other automatically for the right context. 385 00:16:04,610 --> 00:16:04,800 COLTON OGDEN: Yeah. 386 00:16:04,800 --> 00:16:05,550 It's a beautiful thing. 387 00:16:05,550 --> 00:16:07,020 I mean, GitHub-- at that point-- 388 00:16:07,020 --> 00:16:09,812 DAVID MALAN: [LAUGHING] It's just a beautiful way of describing it. 389 00:16:09,812 --> 00:16:10,853 COLTON OGDEN: Oh, thanks. 390 00:16:10,853 --> 00:16:12,990 Well, what I was going to say is that it sort 391 00:16:12,990 --> 00:16:15,830 of ventures out of the territory of source control and more 392 00:16:15,830 --> 00:16:17,640 into project management in that sense. 393 00:16:17,640 --> 00:16:19,130 DAVID MALAN: Oh, absolutely. 394 00:16:19,130 --> 00:16:21,030 But I can see some tensions here too when it 395 00:16:21,030 --> 00:16:22,803 comes to these open source platforms. 396 00:16:22,803 --> 00:16:25,470 We are starting to get a little more locked in the more and more 397 00:16:25,470 --> 00:16:26,580 of these features you use. 398 00:16:26,580 --> 00:16:29,550 But I do think features like this clearly 399 00:16:29,550 --> 00:16:31,590 were created to solve some people's problems, 400 00:16:31,590 --> 00:16:34,460 and frankly, I'm really glad this particular one exists, 401 00:16:34,460 --> 00:16:37,950 though undoubtedly other source control platforms provide similar features as 402 00:16:37,950 --> 00:16:38,490 well. 403 00:16:38,490 --> 00:16:38,910 COLTON OGDEN: Indeed. 404 00:16:38,910 --> 00:16:41,400 I need to go maybe do a little bit of exploration if they're still around. 405 00:16:41,400 --> 00:16:43,020 I don't know-- GitHub is picking up a lot of steam. 406 00:16:43,020 --> 00:16:44,270 DAVID MALAN: Yeah, absolutely. 407 00:16:44,270 --> 00:16:46,692 Well, we for quite a while used Bitbucket for past courses 408 00:16:46,692 --> 00:16:47,400 that I've taught. 
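For reference, the config file David describes above lives at .github/CODEOWNERS (the repository root or docs/ also work), and each line pairs a path pattern with the users or teams whose review is requested for matching files; the last matching pattern wins. The paths and handles below are invented purely for illustration:

```
# Hypothetical CODEOWNERS file (gitignore-style patterns; last match wins)

# Default reviewers for anything not matched by a later rule
*                   @example-org/staff

# Changes under deploy/ request review from the infrastructure team
/deploy/            @example-org/infra

# One particularly important config file owned by a single person
/config.yml         @example-maintainer
```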
409 00:16:47,400 --> 00:16:50,400 They were terrific early on about providing free repositories 410 00:16:50,400 --> 00:16:53,710 for personal use, for educational use when other platforms like GitHub 411 00:16:53,710 --> 00:16:54,210 weren't. 412 00:16:54,210 --> 00:16:56,520 So there's definitely some options to consider-- 413 00:16:56,520 --> 00:16:57,850 GitLab being another big one. 414 00:16:57,850 --> 00:16:58,630 COLTON OGDEN: Yeah, and on that note, I mean, 415 00:16:58,630 --> 00:17:00,490 GitHub fairly recently has allowed-- 416 00:17:00,490 --> 00:17:03,340 I don't know if it's unlimited private repos-- is it for accounts? 417 00:17:03,340 --> 00:17:05,520 DAVID MALAN: There's some limits, but they're quite generous now. 418 00:17:05,520 --> 00:17:07,950 I think ever since the Microsoft acquisition of GitHub, 419 00:17:07,950 --> 00:17:10,880 they've gotten a little more flexible, it seems, with what they can offer. 420 00:17:10,880 --> 00:17:10,980 COLTON OGDEN: Yeah. 421 00:17:10,980 --> 00:17:13,109 Previously, you didn't get any-- is that correct? 422 00:17:13,109 --> 00:17:15,401 DAVID MALAN: You would have to pay unless you signed up 423 00:17:15,401 --> 00:17:19,099 for the educational plan, which they were also very good about granting. 424 00:17:19,099 --> 00:17:21,599 But there was a process-- you had to scan your ID, or upload 425 00:17:21,599 --> 00:17:22,750 a photo, or the like. 426 00:17:22,750 --> 00:17:24,599 So there was an approval process that could 427 00:17:24,599 --> 00:17:27,960 be a hang up for some folks and some email addresses. 428 00:17:27,960 --> 00:17:29,310 COLTON OGDEN: Indeed. 429 00:17:29,310 --> 00:17:31,030 Interesting design thing from Instagram-- 430 00:17:31,030 --> 00:17:32,535 DAVID MALAN: Yeah, speaking of UX. 431 00:17:32,535 --> 00:17:34,410 COLTON OGDEN: --it turns out that they have-- 432 00:17:34,410 --> 00:17:37,200 in their Android code, there was a little bit of a design change 433 00:17:37,200 --> 00:17:39,700 that they were I guess going to roll out in the near future. 434 00:17:39,700 --> 00:17:41,908 DAVID MALAN: Or at least it's buried, it seems to be. 435 00:17:41,908 --> 00:17:44,430 At least it's available, maybe for A/B testing or such. 436 00:17:44,430 --> 00:17:45,900 COLTON OGDEN: Sure. 437 00:17:45,900 --> 00:17:49,860 Essentially, the feature is that only somebody sharing a post 438 00:17:49,860 --> 00:17:53,168 will be able to see the total number of likes that a post gets. 439 00:17:53,168 --> 00:17:54,960 In other words, if you're looking at a post 440 00:17:54,960 --> 00:17:57,600 and you haven't shared it yourself, you actually 441 00:17:57,600 --> 00:18:00,710 have to like it or not like it on just the merit of the post itself. 442 00:18:00,710 --> 00:18:01,460 DAVID MALAN: Yeah. 443 00:18:01,460 --> 00:18:03,750 It's like those things that you have to-- those polls online you 444 00:18:03,750 --> 00:18:05,850 have to vote before you can even see the results. 445 00:18:05,850 --> 00:18:06,960 COLTON OGDEN: Which is kind of an interesting idea. 446 00:18:06,960 --> 00:18:08,370 How do you feel about this? 447 00:18:08,370 --> 00:18:08,850 DAVID MALAN: I don't know. 448 00:18:08,850 --> 00:18:09,720 I've been thinking about that.
449 00:18:09,720 --> 00:18:12,540 I'm not qualified I think to have an informed opinion on this, 450 00:18:12,540 --> 00:18:14,700 but I certainly have gleaned from reading articles 451 00:18:14,700 --> 00:18:18,148 over the past few years that social media has exacerbated 452 00:18:18,148 --> 00:18:20,190 certain tendencies, or people's sort of obsession 453 00:18:20,190 --> 00:18:24,240 with others' behavior, or certainly a time sink at best. 454 00:18:24,240 --> 00:18:27,030 And so there is this sort of herd effect that you sometimes 455 00:18:27,030 --> 00:18:30,030 get, where people might be upvoting based on past upvotes. 456 00:18:30,030 --> 00:18:33,608 They might be internalizing what it means 457 00:18:33,608 --> 00:18:35,150 for people to be upvoting your posts. 458 00:18:35,150 --> 00:18:39,900 So frankly, this only seems like a solution to one problem. 459 00:18:39,900 --> 00:18:42,030 Indeed, it seems to be potentially unhealthy 460 00:18:42,030 --> 00:18:45,330 if too many people, especially maybe adolescents who are just growing up 461 00:18:45,330 --> 00:18:48,095 with technology for the first time, are a little too obsessed 462 00:18:48,095 --> 00:18:49,720 with others' perceptions of each other. 463 00:18:49,720 --> 00:18:53,490 So, I mean, these are very powerful knobs that the Instagrams of the world, 464 00:18:53,490 --> 00:18:55,980 and the Googles, and the Facebooks more generally are 465 00:18:55,980 --> 00:18:58,110 starting to turn in interesting ways. 466 00:18:58,110 --> 00:19:00,930 And perhaps hopefully rolling things back a bit so 467 00:19:00,930 --> 00:19:03,580 that we're not all so fixated on what each other are 468 00:19:03,580 --> 00:19:04,830 doing every minute of the day. 469 00:19:04,830 --> 00:19:05,622 COLTON OGDEN: Yeah. 470 00:19:05,622 --> 00:19:08,430 I mean, as an experiment-- a social experiment or what have you-- 471 00:19:08,430 --> 00:19:10,140 I think it does have interesting grounds in that sense. 472 00:19:10,140 --> 00:19:12,432 Gather some data, see how that changes people's trends. 473 00:19:12,432 --> 00:19:13,182 DAVID MALAN: Yeah. 474 00:19:13,182 --> 00:19:14,460 And even I'm guilty of this. 475 00:19:14,460 --> 00:19:17,970 When we've uploaded CS50 related photos or photos of me that get tagged, 476 00:19:17,970 --> 00:19:21,060 I take this perverse interest in seeing how many 477 00:19:21,060 --> 00:19:25,480 upvotes some particular photo of our event or some aspect of the course 478 00:19:25,480 --> 00:19:25,980 has gotten. 479 00:19:25,980 --> 00:19:28,897 And at the end of the day, I'm not sure that's actionable information. 480 00:19:28,897 --> 00:19:31,105 Like, what am I going to do with the information that 481 00:19:31,105 --> 00:19:33,960 suggests this was upvoted a lot other than derive some weird sort 482 00:19:33,960 --> 00:19:37,265 of gratification perhaps, or just sort of pride-- 483 00:19:37,265 --> 00:19:39,810 [LAUGHS] I guess pride is OK. 484 00:19:39,810 --> 00:19:42,750 But I'm not sure it's the best focus. 485 00:19:42,750 --> 00:19:46,338 I mean, I think it's the communication capabilities of these platforms 486 00:19:46,338 --> 00:19:48,630 and the shareability of maybe moments that's important. 487 00:19:48,630 --> 00:19:52,290 But the upvoting, the downvoting, the smiling, the laughing-- 488 00:19:52,290 --> 00:19:52,920 I don't know.
489 00:19:52,920 --> 00:19:56,310 This certainly benefits the platforms, because it keeps the users engaged, 490 00:19:56,310 --> 00:20:00,030 keeps them coming back, keeps them sort of a sticky asset. 491 00:20:00,030 --> 00:20:03,587 But I'm not sure it's doing us humans all that much good. 492 00:20:03,587 --> 00:20:06,420 COLTON OGDEN: I would wonder in the context of something like Amazon 493 00:20:06,420 --> 00:20:10,290 if you couldn't necessarily see the number of reviews on a product, 494 00:20:10,290 --> 00:20:12,060 or the number of stars on a product. 495 00:20:12,060 --> 00:20:13,530 In that case, it's different because you're actually 496 00:20:13,530 --> 00:20:17,190 making a financial decision to purchase a good and comparing it to other goods. 497 00:20:17,190 --> 00:20:20,107 DAVID MALAN: Even there, that's a whole can of worms with fake reviews 498 00:20:20,107 --> 00:20:21,300 too and sussing that out. 499 00:20:21,300 --> 00:20:23,380 But what is interesting there too is when-- 500 00:20:23,380 --> 00:20:24,660 frankly, this is useful when you want-- 501 00:20:24,660 --> 00:20:26,368 when you need an accessory for something. 502 00:20:26,368 --> 00:20:29,820 Like, you buy one of those Swiffers-- like the little brooms and you need 503 00:20:29,820 --> 00:20:31,230 the replacement parts-- 504 00:20:31,230 --> 00:20:32,280 the little cloth. 505 00:20:32,280 --> 00:20:34,238 It's really useful that Amazon tells you people 506 00:20:34,238 --> 00:20:37,238 who bought this also bought that, because you don't have to go searching 507 00:20:37,238 --> 00:20:38,910 around looking for the related things. 508 00:20:38,910 --> 00:20:40,060 You can use that signal. 509 00:20:40,060 --> 00:20:41,190 So thank you, machine learning. 510 00:20:41,190 --> 00:20:42,250 COLTON OGDEN: It makes Amazon more money. 511 00:20:42,250 --> 00:20:45,167 DAVID MALAN: That's not even machine learning, that's just some loops. 512 00:20:45,167 --> 00:20:45,940 [LAUGHING] 513 00:20:45,940 --> 00:20:47,565 COLTON OGDEN: I mean, it's good though. 514 00:20:47,565 --> 00:20:50,100 That stuff is important-- like, it saves Amazon-- 515 00:20:50,100 --> 00:20:53,800 well, it makes Amazon money and it saves us time trying to find that stuff. 516 00:20:53,800 --> 00:20:54,300 [INAUDIBLE] 517 00:20:54,300 --> 00:20:56,523 DAVID MALAN: I'm guessing they prioritize it for the former reason. 518 00:20:56,523 --> 00:20:58,878 COLTON OGDEN: Probably, but maybe the more time we have, 519 00:20:58,878 --> 00:21:00,420 the more money we can spend, I guess. 520 00:21:00,420 --> 00:21:01,570 DAVID MALAN: There we go. 521 00:21:01,570 --> 00:21:04,487 So it'll be interesting to see what apps like Instagram ultimately do. 522 00:21:04,487 --> 00:21:07,528 Because I mentioned this was kind of buried in the code and it's possible 523 00:21:07,528 --> 00:21:09,660 they might be using it experimentally. 524 00:21:09,660 --> 00:21:11,850 And for those unfamiliar, an A/B test generally 525 00:21:11,850 --> 00:21:14,370 refers to the process of trying out a new idea, 526 00:21:14,370 --> 00:21:16,000 but only on a subset of users. 527 00:21:16,000 --> 00:21:18,580 So group A gets the feature, group B does not. 528 00:21:18,580 --> 00:21:23,090 And you sort of analyze the impact of that feature on that userbase. 529 00:21:23,090 --> 00:21:24,450 COLTON OGDEN: Sure. 530 00:21:24,450 --> 00:21:28,110 Have you heard of this thing called the 768K Day? 
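Before that: one common way to implement the A/B split just described is to bucket users deterministically, for example by hashing a user identifier together with an experiment name, so the same user always sees the same variant without storing any extra state. A sketch under that assumption (the experiment name is made up):

```python
# Deterministic A/B assignment: hash the user id plus the experiment name and
# take it modulo the number of groups, so assignment is stable per experiment.
import hashlib

def ab_group(user_id: str, experiment: str = "hide-like-counts", groups: int = 2) -> str:
    digest = hashlib.sha256(f"{experiment}:{user_id}".encode()).hexdigest()
    return "A" if int(digest, 16) % groups == 0 else "B"

for uid in ["user-1", "user-2", "user-3"]:
    print(uid, ab_group(uid))   # group A gets the new feature, group B does not
```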
531 00:21:28,110 --> 00:21:31,670 DAVID MALAN: I hadn't because I actually missed 512K Day some years ago. 532 00:21:31,670 --> 00:21:33,750 COLTON OGDEN: Do you know what 512K is? 533 00:21:33,750 --> 00:21:35,640 DAVID MALAN: Well-- so kilobytes, I believe, 534 00:21:35,640 --> 00:21:37,860 and it refers to how much memory a device might have. 535 00:21:37,860 --> 00:21:42,930 And my understanding of the situation is that back in 2014, we missed-- 536 00:21:42,930 --> 00:21:49,530 I missed-- 512K Day which was when the amount of memory that was being used 537 00:21:49,530 --> 00:21:52,210 by various routers' routing tables-- 538 00:21:52,210 --> 00:21:57,060 so essentially spreadsheets that have some rows and columns that map IP 539 00:21:57,060 --> 00:22:01,860 addresses to the directions that they should be routed to on the internet-- 540 00:22:01,860 --> 00:22:04,560 at the risk of oversimplifying-- a.k.a. routing tables-- 541 00:22:04,560 --> 00:22:06,630 was capped at 512 kilobytes. 542 00:22:06,630 --> 00:22:10,380 And one of the big router manufacturers rolled out 543 00:22:10,380 --> 00:22:14,910 an update that added a few more thousand rows to a typical routing table that 544 00:22:14,910 --> 00:22:17,797 put it over the edge, and the whole internet broke 545 00:22:17,797 --> 00:22:18,880 is the oversimplification. 546 00:22:18,880 --> 00:22:20,488 COLTON OGDEN: So kind of like a Y2K. 547 00:22:20,488 --> 00:22:22,530 DAVID MALAN: In a sense, where Y2K was more about 548 00:22:22,530 --> 00:22:26,130 humans made a conscious decision to represent information 549 00:22:26,130 --> 00:22:28,470 using a finite number of bits, whereas this is really 550 00:22:28,470 --> 00:22:32,130 like the hard drive ran out of space or the RAM overflowed 551 00:22:32,130 --> 00:22:33,710 because it was all being used. 552 00:22:33,710 --> 00:22:37,380 So this was a solvable problem by just throwing more memory at it. 553 00:22:37,380 --> 00:22:40,710 But some of these routers were old enough and maybe 554 00:22:40,710 --> 00:22:43,260 passively enough maintained that people didn't 555 00:22:43,260 --> 00:22:46,770 realize that they were about to overflow their memory bank, so to speak. 556 00:22:46,770 --> 00:22:47,950 Memory banks-- I sound old. 557 00:22:47,950 --> 00:22:48,460 [LAUGHING] 558 00:22:48,460 --> 00:22:50,460 COLTON OGDEN: This is sort of a function of just 559 00:22:50,460 --> 00:22:54,330 having a lot more networks come out of the woodwork across the world 560 00:22:54,330 --> 00:22:55,420 than we anticipated. 561 00:22:55,420 --> 00:22:58,420 DAVID MALAN: Yeah, it was an interesting litmus test of like, hey, raise 562 00:22:58,420 --> 00:23:00,893 your hand if you only have 512 kilobytes of RAM, 563 00:23:00,893 --> 00:23:02,310 because you went down on that day. 564 00:23:02,310 --> 00:23:07,620 So 768K Day is nearly upon us, which is apparently when those routers that were 565 00:23:07,620 --> 00:23:12,090 a little pricier back in the day-- had 768 kilobytes of memory-- 566 00:23:12,090 --> 00:23:14,185 and that too is about to be filled up. 567 00:23:14,185 --> 00:23:15,560 COLTON OGDEN: It's kind of crazy. 568 00:23:15,560 --> 00:23:19,447 I mean, presumably, this is a lot. 569 00:23:19,447 --> 00:23:21,280 I would assume of routers-- back in the day, 570 00:23:21,280 --> 00:23:22,560 people were thinking about this problem. 571 00:23:22,560 --> 00:23:24,352 DAVID MALAN: Oh, it's all about efficiency. 
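David's "spreadsheet" description of a routing table above is close to the real thing: prefixes mapped to next hops, with the most specific matching prefix winning, and every additional prefix consuming a bit more of a fixed memory budget. A toy sketch of the lookup using Python's ipaddress module; the prefixes and gateway names are invented:

```python
# A toy routing table: network prefix -> next hop (illustrative values only).
import ipaddress

routes = {
    ipaddress.ip_network("10.0.0.0/8"): "gateway-a",
    ipaddress.ip_network("10.1.0.0/16"): "gateway-b",
    ipaddress.ip_network("0.0.0.0/0"): "default-gateway",
}

def lookup(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    # Longest-prefix match: the most specific route containing the address wins
    matches = [net for net in routes if ip in net]
    best = max(matches, key=lambda net: net.prefixlen)
    return routes[best]

print(lookup("10.1.2.3"))   # gateway-b (the /16 beats the /8 and the default route)
print(lookup("8.8.8.8"))    # default-gateway
```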
572 00:23:24,352 --> 00:23:27,080 I mean, yeah, you want to use only as much memory as you need, 573 00:23:27,080 --> 00:23:28,830 and you want to keep things super compact. 574 00:23:28,830 --> 00:23:33,780 So these are very low level devices with very minimal overhead. 575 00:23:33,780 --> 00:23:37,170 COLTON OGDEN: Hopefully, we don't see as crazy of a shutdown at-- 576 00:23:37,170 --> 00:23:40,490 from what I was reading in the article, 768K 577 00:23:40,490 --> 00:23:44,160 shouldn't be as disruptive as 512K Day. 578 00:23:44,160 --> 00:23:47,070 I think there were more routers at the time that were suffering 579 00:23:47,070 --> 00:23:49,640 from that lower memory threshold. 580 00:23:49,640 --> 00:23:55,980 But we are getting very close-- we're very close to this new sort of pseudo 581 00:23:55,980 --> 00:23:57,330 apocalyptic digital day. 582 00:23:57,330 --> 00:23:57,840 [LAUGHS] 583 00:23:57,840 --> 00:23:59,580 DAVID MALAN: But it's interesting seeing this trend in industry. 584 00:23:59,580 --> 00:24:01,770 Like, this certainly happened with Y2K, and it's 585 00:24:01,770 --> 00:24:04,650 going to happen again in, what, 2038 when we run out 586 00:24:04,650 --> 00:24:07,380 of seconds since January 1st, 1970. 587 00:24:07,380 --> 00:24:09,060 COLTON OGDEN: Oh, for the Unix time-- 588 00:24:09,060 --> 00:24:12,390 DAVID MALAN: It's the Unix timestamp, the 32-bit timestamp if I'm 589 00:24:12,390 --> 00:24:14,850 getting the year and the math right. 590 00:24:14,850 --> 00:24:17,670 But it's interesting because humans seem to, in tech, 591 00:24:17,670 --> 00:24:20,580 have this tendency of solving problems, let's 592 00:24:20,580 --> 00:24:24,518 say, at the last minute or slightly too late, because all of these 593 00:24:24,518 --> 00:24:25,560 are foreseeable problems. 594 00:24:25,560 --> 00:24:29,392 Even Y2K we could have foreseen in the year 1970. 595 00:24:29,392 --> 00:24:31,350 But of course, folks assume that, oh, we're not 596 00:24:31,350 --> 00:24:34,050 going to still be running this hardware or this software at that point. 597 00:24:34,050 --> 00:24:37,087 And at this point too, you might just have human personnel changeover, 598 00:24:37,087 --> 00:24:40,170 so you might not realize that some of your devices have these limitations. 599 00:24:40,170 --> 00:24:43,063 So it's kind of interesting how these very conscious design 600 00:24:43,063 --> 00:24:46,230 decisions at the time, that might have been perfectly reasonable, especially 601 00:24:46,230 --> 00:24:49,620 when memory was scarce and expensive, was the right call, 602 00:24:49,620 --> 00:24:51,720 but it comes back to bite you decades later. 603 00:24:51,720 --> 00:24:54,968 And it's not even you necessarily, it's like the people who succeeded you. 604 00:24:54,968 --> 00:24:56,760 COLTON OGDEN: So this will probably be more 605 00:24:56,760 --> 00:25:01,710 applicable to maybe older, smaller businesses that don't have the latest 606 00:25:01,710 --> 00:25:03,300 routers, modems, that sort of thing. 607 00:25:03,300 --> 00:25:04,990 DAVID MALAN: Maybe, but if you're a small business, 608 00:25:04,990 --> 00:25:07,660 odds are you're not running necessarily your own routers. 609 00:25:07,660 --> 00:25:09,970 You're simply connecting your small local network 610 00:25:09,970 --> 00:25:11,870 to a bigger fish, so to speak. 611 00:25:11,870 --> 00:25:13,420 So I think it would-- 612 00:25:13,420 --> 00:25:17,365 I'm not sure exactly who should be most worried here. 
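The 2038 math mentioned above checks out: a signed 32-bit counter of seconds since January 1st, 1970 maxes out at 2,147,483,647, which lands on January 19th, 2038. A quick way to verify it:

```python
# The largest value a signed 32-bit counter of seconds-since-1970 can hold,
# and the moment it overflows (the "year 2038 problem").
from datetime import datetime, timezone

max_int32 = 2**31 - 1                        # 2,147,483,647 seconds
print(datetime.fromtimestamp(max_int32, tz=timezone.utc))
# 2038-01-19 03:14:07+00:00
```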
613 00:25:17,365 --> 00:25:19,690 But I will-- it has got me thinking, even about things 614 00:25:19,690 --> 00:25:23,080 we teach for instance at the university level-- things like SQL databases 615 00:25:23,080 --> 00:25:24,880 and representation of integers. 616 00:25:24,880 --> 00:25:25,980 We talk in the class-- 617 00:25:25,980 --> 00:25:30,715 CS50-- about ints and bigints, or 32-bit choices or 64-bit choices. 618 00:25:30,715 --> 00:25:33,340 And this is one of these things where there's not necessarily-- 619 00:25:33,340 --> 00:25:37,450 it's not a big deal these days to use 8 bytes instead of 4, 620 00:25:37,450 --> 00:25:42,680 but it's an interesting opportunity to kick a can even further down the road, 621 00:25:42,680 --> 00:25:43,630 so to speak. 622 00:25:43,630 --> 00:25:46,510 Because it's going to be a lot harder if business is booming, 623 00:25:46,510 --> 00:25:49,132 or we're storing a crazy amount of data some years from now, 624 00:25:49,132 --> 00:25:51,340 it could actually be really time consuming and really 625 00:25:51,340 --> 00:25:56,230 expensive for humans to go through and fix all of the database tables, all 626 00:25:56,230 --> 00:25:59,830 of the code that might actually be writing one data type or the other. 627 00:25:59,830 --> 00:26:04,210 But then let's just spend more memory now if we can afford it 628 00:26:04,210 --> 00:26:05,700 and avoid this problem altogether. 629 00:26:05,700 --> 00:26:08,950 It's a really interesting trade-off, I think, as to just how far down the road 630 00:26:08,950 --> 00:26:09,760 you kick the can. 631 00:26:09,760 --> 00:26:10,552 COLTON OGDEN: Yeah. 632 00:26:10,552 --> 00:26:13,270 I mean, thankfully, 64-bit is a lot-- it's a lot of information. 633 00:26:13,270 --> 00:26:14,980 DAVID MALAN: It is-- well, not in cryptography though. 634 00:26:14,980 --> 00:26:16,180 That's tiny little-- 635 00:26:16,180 --> 00:26:17,263 COLTON OGDEN: That's true. 636 00:26:17,263 --> 00:26:18,823 You need at least 512 bits there. 637 00:26:18,823 --> 00:26:20,740 DAVID MALAN: For sure these days, if not more. 638 00:26:20,740 --> 00:26:22,090 COLTON OGDEN: Yeah. 639 00:26:22,090 --> 00:26:23,560 Chrome-- this is interesting. 640 00:26:23,560 --> 00:26:24,310 DAVID MALAN: Yeah. 641 00:26:24,310 --> 00:26:26,112 Those of you who are like, incognito mode! 642 00:26:26,112 --> 00:26:27,820 COLTON OGDEN: Yeah, they're going to make 643 00:26:27,820 --> 00:26:29,620 it harder to block incognito browsing. 644 00:26:29,620 --> 00:26:32,470 So some companies can detect whether you're using incognito mode. 645 00:26:32,470 --> 00:26:32,740 DAVID MALAN: Yeah. 646 00:26:32,740 --> 00:26:34,480 This has gotten really annoying in recent years, 647 00:26:34,480 --> 00:26:37,480 even for development purposes when you're trying to understand a website 648 00:26:37,480 --> 00:26:40,120 and it says, sorry, can't do that-- you're in incognito mode. 649 00:26:40,120 --> 00:26:41,500 COLTON OGDEN: Yeah. 650 00:26:41,500 --> 00:26:44,260 Apparently websites are able to detect whether Chrome 651 00:26:44,260 --> 00:26:49,460 has its file system API open which, if you're in an incognito mode right now, 652 00:26:49,460 --> 00:26:50,680 you can't actually use that. 653 00:26:50,680 --> 00:26:53,347 DAVID MALAN: Yeah, the ability to read and write files locally.
654 00:26:53,347 --> 00:26:55,660 And like, news sites have increasingly been using this 655 00:26:55,660 --> 00:26:56,920 because they don't want you-- 656 00:26:56,920 --> 00:26:59,568 and understandably-- accessing the content for free 657 00:26:59,568 --> 00:27:02,110 if you've already exceeded your free threshold, for instance, 658 00:27:02,110 --> 00:27:03,700 for the day or the month. 659 00:27:03,700 --> 00:27:07,240 But they've been using this side effect by trying 660 00:27:07,240 --> 00:27:12,100 to use this file API in browsers, and if it fails, 661 00:27:12,100 --> 00:27:13,900 they have up until now, at least on Chrome, 662 00:27:13,900 --> 00:27:17,530 been able to infer, oh, you're probably using incognito mode 663 00:27:17,530 --> 00:27:18,617 and that's why it failed. 664 00:27:18,617 --> 00:27:19,450 COLTON OGDEN: Right. 665 00:27:19,450 --> 00:27:22,390 And in order to get around that, essentially Chrome 666 00:27:22,390 --> 00:27:26,023 cleverly plans on using a sort of a temporary virtual file system-- 667 00:27:26,023 --> 00:27:27,565 DAVID MALAN: Yeah, that's very smart. 668 00:27:27,565 --> 00:27:31,420 COLTON OGDEN: --in RAM to trick the server into thinking that it does 669 00:27:31,420 --> 00:27:31,920 have access. 670 00:27:31,920 --> 00:27:32,670 DAVID MALAN: Yeah. 671 00:27:32,670 --> 00:27:35,710 So you'll be able to read and write data-- it just won't be to the place 672 00:27:35,710 --> 00:27:36,820 that you think. 673 00:27:36,820 --> 00:27:39,640 But to the website leveraging this technique, 674 00:27:39,640 --> 00:27:43,460 you won't be able to distinguish incognito from non-incognito. 675 00:27:43,460 --> 00:27:44,960 It feels like the right thing to do. 676 00:27:44,960 --> 00:27:47,278 Even if that is a reasonable business decision 677 00:27:47,278 --> 00:27:50,320 to try to prevent people from just throwing away their cookies constantly 678 00:27:50,320 --> 00:27:52,600 in order to access more and more content for free, 679 00:27:52,600 --> 00:27:55,780 it certainly is not consistent with the spirit of incognito 680 00:27:55,780 --> 00:27:58,090 if you're leaking information. 681 00:27:58,090 --> 00:28:00,070 COLTON OGDEN: Indeed-- yeah. 682 00:28:00,070 --> 00:28:05,500 And these websites I think are open to certainly adopting a subscription model 683 00:28:05,500 --> 00:28:08,870 and making some of their content premium if it really is a huge, I think, 684 00:28:08,870 --> 00:28:09,370 detriment. 685 00:28:09,370 --> 00:28:12,310 Although that gets, I'm sure, complicated. 686 00:28:12,310 --> 00:28:15,908 Having free articles certainly drives a business I have to imagine. 687 00:28:15,908 --> 00:28:18,700 DAVID MALAN: Yeah, but I do think this is the right technical call. 688 00:28:18,700 --> 00:28:21,760 And frankly, props to the folks who figured out 689 00:28:21,760 --> 00:28:25,150 that you could infer incognito mode from these side effects. 690 00:28:25,150 --> 00:28:28,950 I mean, that's kind of a clever hack or workaround, if you will. 691 00:28:28,950 --> 00:28:30,100 COLTON OGDEN: Yeah. 692 00:28:30,100 --> 00:28:33,550 I mean, that pretty much is all of the topics that I brought to table today. 693 00:28:33,550 --> 00:28:36,420 I think what we should do is end the episode on takeaways. 694 00:28:36,420 --> 00:28:37,950 DAVID MALAN: Takeaways-- OK. 695 00:28:37,950 --> 00:28:39,988 Change your password if it's "1, 2, 3, 4, 5, 6." 696 00:28:39,988 --> 00:28:43,030 COLTON OGDEN: That's probably the biggest one, I think, of today's theme. 
697 00:28:43,030 --> 00:28:44,905 I mean, there are a lot of interesting things 698 00:28:44,905 --> 00:28:47,260 that people don't necessarily have as much control over. 699 00:28:47,260 --> 00:28:50,390 Facial recognition, we can't obviously tell people to cover themselves. 700 00:28:50,390 --> 00:28:53,140 DAVID MALAN: No, but we could stop tagging ourselves on Facebook-- 701 00:28:53,140 --> 00:28:53,840 COLTON OGDEN: Yeah, that's true-- 702 00:28:53,840 --> 00:28:54,240 DAVID MALAN: --to be fair. 703 00:28:54,240 --> 00:28:55,390 COLTON OGDEN: --but that's not going to happen. 704 00:28:55,390 --> 00:28:55,890 [LAUGHS] 705 00:28:55,890 --> 00:28:58,920 We take too many photos that show our faces in them. 706 00:28:58,920 --> 00:29:00,160 DAVID MALAN: But the password thing, I think, 707 00:29:00,160 --> 00:29:01,827 should start to sink in more for people. 708 00:29:01,827 --> 00:29:05,110 I mean, there's going to be an annoying amount of sort of activation energy 709 00:29:05,110 --> 00:29:08,178 to go find a password manager, download it, get comfortable with it. 710 00:29:08,178 --> 00:29:10,720 But it's worth spending those minutes, or those couple hours, 711 00:29:10,720 --> 00:29:13,420 or just to kind of have an inconvenience for the first couple of weeks 712 00:29:13,420 --> 00:29:14,830 until you get acclimated to it. 713 00:29:14,830 --> 00:29:18,310 But then once you're into the rhythm, it really is compelling. 714 00:29:18,310 --> 00:29:21,340 And for those who are unfamiliar, LastPass is pretty popular, 715 00:29:21,340 --> 00:29:22,738 1Password is pretty popular. 716 00:29:22,738 --> 00:29:25,780 There's others, and you should do your own due diligence and Google both, 717 00:29:25,780 --> 00:29:27,520 because undoubtedly both have had bugs-- 718 00:29:27,520 --> 00:29:29,560 security related bugs, indeed. 719 00:29:29,560 --> 00:29:32,770 So they're not fail-safe-- so they too are written by humans-- 720 00:29:32,770 --> 00:29:36,160 but it's probably better than your current system if your current system 721 00:29:36,160 --> 00:29:37,840 involves Post-it notes on your monitor-- 722 00:29:37,840 --> 00:29:39,382 COLTON OGDEN: Don't do Post-it notes. 723 00:29:39,382 --> 00:29:42,070 DAVID MALAN: --or "1, 2, 3, 4, 5, 6" or some other such password. 724 00:29:42,070 --> 00:29:44,920 Because it doesn't even matter if you don't think that people 725 00:29:44,920 --> 00:29:46,900 care about your particular account. 726 00:29:46,900 --> 00:29:50,253 As in Citrix's case, the adversaries 727 00:29:50,253 --> 00:29:53,170 didn't care about getting into a specific person's account, I believe. 728 00:29:53,170 --> 00:29:55,300 They just wanted some account that might have 729 00:29:55,300 --> 00:29:57,140 some potentially interesting access. 730 00:29:57,140 --> 00:30:00,010 So you're really vulnerable to just random attacks 731 00:30:00,010 --> 00:30:02,830 that your account might get compromised as a result. 732 00:30:02,830 --> 00:30:04,747 COLTON OGDEN: They're going to brute force it. 733 00:30:04,747 --> 00:30:07,450 23 million, that's easy just to spam everything you know-- 734 00:30:07,450 --> 00:30:09,700 "password," "1, 2, 3, 4, 5, 6" and hope that it works. 735 00:30:09,700 --> 00:30:10,790 DAVID MALAN: And that's not even 32 bits of address space. 736 00:30:10,790 --> 00:30:12,373 COLTON OGDEN: No, it's not even close.
737 00:30:12,373 --> 00:30:16,070 And if you're using the multiple-- or the same password in multiple locations 738 00:30:16,070 --> 00:30:19,028 and it's "1, 2, 3, 4, 5, 6," your whole life can be ruined really fast. 739 00:30:19,028 --> 00:30:20,778 DAVID MALAN: Wow, I thought we were ending 740 00:30:20,778 --> 00:30:22,370 this on a positive note in takeaways? 741 00:30:22,370 --> 00:30:25,010 COLTON OGDEN: Maybe not ruined, but temporarily compromised 742 00:30:25,010 --> 00:30:26,150 if you're fortunate. 743 00:30:26,150 --> 00:30:27,150 DAVID MALAN: If you're-- 744 00:30:27,150 --> 00:30:28,550 [LAUGHS] OK. 745 00:30:28,550 --> 00:30:30,103 I am scared now. 746 00:30:30,103 --> 00:30:32,270 COLTON OGDEN: Change your password if it's horrible. 747 00:30:32,270 --> 00:30:33,140 DAVID MALAN: There we go-- 748 00:30:33,140 --> 00:30:33,800 quite fair. 749 00:30:33,800 --> 00:30:35,650 Well, thank you all so much for tuning in. 750 00:30:35,650 --> 00:30:36,290 COLTON OGDEN: Yeah, thanks so much. 751 00:30:36,290 --> 00:30:37,100 It was an awesome episode. 752 00:30:37,100 --> 00:30:39,830 Thanks, David, for coming here and doing this podcast with me. 753 00:30:39,830 --> 00:30:40,130 DAVID MALAN: Indeed. 754 00:30:40,130 --> 00:30:41,480 We'll keep an eye on what's in the news. 755 00:30:41,480 --> 00:30:43,880 And by all means, online, feel free to chime in with topics of interest 756 00:30:43,880 --> 00:30:46,760 to you, things that might be helpful to explain, to discuss, and explore. 757 00:30:46,760 --> 00:30:47,802 COLTON OGDEN: Absolutely. 758 00:30:47,802 --> 00:30:51,302 This was the CS50 Podcast, episode 3, 0-indexed. 759 00:30:51,302 --> 00:30:52,260 DAVID MALAN: Take care. 760 00:30:52,260 --> 00:30:53,930 COLTON OGDEN: Bye bye.