DAVID MALAN: This is CS50. Hello, world. This is the CS50 podcast, episode 5, 0 indexed. My name is David Malan, and I'm here with CS50's own Colton Ogden. COLTON OGDEN: Glad to be here-- interesting thing to start us off-- so, we've talked about robocalls a lot in the recent past, multiple episodes. And I think we touched briefly upon the prospect of finding a solution to this problem. You know, people are getting robocalls all the time, even though, in the last couple of weeks, I have noticed the numbers sort of dropping, at least for me, personally. I still get the occasional call from a presumed spoofed caller. DAVID MALAN: Yeah, sorry about that. COLTON OGDEN: But, apparently, the FCC-- Ajit Pai has proposed a ruling that would actually allow phone companies to block these unwanted calls, these spoofed calls, before they even get to potential customers. DAVID MALAN: Yeah, no, this is a nice initiative. It's perhaps a little belated at this point, certainly. Because, as we've discussed, these robocalls, these automated calls, have really been proliferating, in large part because of the software via what you can do this, and the API access which you can do this. But I think the fundamental problem, frankly, is that the phone system that we have today really is not all that fundamentally different from what we've had for decades now, which is to say that there's no authentication of these calls in the first place. The systems generally just trust that the number being presented in caller ID is, in fact, the number from which a call came. And that's, of course, not always the case. COLTON OGDEN: Right, and the-- I guess the proposed sort of authentication system that they're going to roll out is called Shaken Stir, which is very akin to what James Bond's says when he orders a martini. But the acronym is a-- basically, the shaken part of it is signature based handling of asserted information using tokens. And then the stir part would be secure telephone identity revisited. DAVID MALAN: Indeed, it's a wonderful acronym if you allow yourself to use arbitrary letters from some of the words. COLTON OGDEN: Yeah, and it's a bit of a mouthful. But this is cool, because this suggests that we'll actually get what you just alluded to, a way of actually signing calls and making sure that people who present themselves as xyz are in fact xyz and not, you know, sort of proxying themselves or presenting themselves as some other entity. DAVID MALAN: Yeah, I mean, much like the web-- thankfully we got that right, presumably because of lessons learned from things like telephony over the years. Of course, the phone system has been around for so long now that it's certainly hard, I imagine, to shoehorn in some of these more technological features without breaking some of the intermediate points or some of the last miles, some of the folks who are on the other end of the line that might not necessarily have access, in their municipality, to the latest hardware. So, I'll be curious to see how this evolves. I mean, to be honest, this might all become moot over time if phones themselves, or phone numbers, are perhaps replaced by more data based services. I mean, right now, we're very much in the phase of commercial services like WhatsApp, and iMessage, and so forth. I mean, but those have started to supplant already things like SMS, so, frankly, maybe the solution is ultimately just going to be too late in coming if the world moves to something else, anyway. COLTON OGDEN: Yeah, I imagine, when folks were developing the phone system we have in place, they weren't expecting the ability for somebody to arbitrarily code and script, en masse, the sort of behavior that we're experiencing now. DAVID MALAN: Yeah-- hey, back in the day, it used to be based-- at least pay phones-- on actual sounds, right? There are so many documented cases, and I think Steve Jobs and Steve Wozniak were among the folks involved in this back in the day, where you could have a little box that would generate the appropriate sounds that mimicked what the sound was if you put a quarter or a dime into a phone. So, you could effectively make free long distance phone calls by spoofing those sounds. So there, too-- there was a sort of an assumption of trust that was quickly broken. COLTON OGDEN: I think the theme is always that, if there is a system, humans will find a way to abuse and break it. DAVID MALAN: Indeed, but there are some really real world implications of this. In fact, just the other day did I see an article online about what have been called virtual kidnappings which, frankly, is literally ripped out of a "Law and Order" episode that I'm pretty sure I've seen, which is ironic, because usually it's "Law and Order" ripping things out of the actual headlines. But this, I think, predates this, whereby folks have started to get, terrifyingly, what appear to be actual phone calls from their child's phone number, or relative's phone number, or a co-worker's phone number, and on the other end of the line is some adversary, some human who is pretending to have actually kidnapped the person whose phone they're purporting to be calling from when, in reality, they're just spoofing that number and tricking someone into thinking that they've actually physically hijacked their phone number and kidnapped that person. COLTON OGDEN: Yeah, presumably, I mean, with this new ruling, hopefully, you know, this sort of horrendous situation doesn't end up becoming common at all, or at least it gets completely remediated. DAVID MALAN: Yeah. COLTON OGDEN: Because this is one of the more terrifying examples of how to abuse spoofing. DAVID MALAN: No, absolutely. And it's horrifying that it's gotten to this point but, you know, what you might think is kind of a cool hack, the ability to spoof your phone number, really does have some non-trivial implications. And especially, for most folks out there, you know-- myself, before I even thought about this the other day after reading the article-- you might not even realize that this is possible and what the implications, therefore, are of these sort of bugs at best or-- bugs at worst, or missing features at best. COLTON OGDEN: Yeah, I mean I think if this even happened to me, I think my initial inclination would be to believe it. I mean, certainly it would be terrifying, and you wouldn't want to take any risks and assume that whoever's on the other end of the line is actually bluffing you or telling the truth. Now, speaking of ransoms, unfortunately, I think these have cropped up in other contexts in the news of late and for the past couple of years, in fact. DAVID MALAN: Yeah, no. I mean, there have been multiple cases, WannaCry being very prominent in 2017, of these sort of worms that infect people's systems and, you know, potentially encrypt the hard drive, or do other things, and request that, in order to have this fixed, the end user end up paying some amount of money, either bitcoin or actual money, to decrypt their hard drive or do whatever needs to be done to unlock their system. COLTON OGDEN: Yeah, no, and that's the problem with worms, and viruses, and just malware, malicious software in general, is that, if it has the same privileges that you, the user, who accidentally installed it, somehow do-- or worse, it has administrative or root access to the computer-- it can do anything with your system and the data. You know, it almost makes exploits like sending spam automatically, unbeknownst to you, from your computer seem like completely delightful in comparison because, now, these most recent forms of ransomware are indeed doing exactly that. They're actually running algorithms to encrypt the files on your own hard drive and then not telling you, the owner of those files, what the key is, the sort of secret with which they were encrypted. And, so, in this way can the bad guys literally say, hey, pay us some number of dollars or, in practice, some number of bitcoins in order to get access to the key via which you can unlock your data. Who knows if you're even going to get the key. I mean, frankly, an even more compelling ransomware would be to just encrypt the data and throw the key away. Then you don't even have to communicate further with the person once you get that fund. DAVID MALAN: Yeah, and, in light of this sort of horrible new trend of ransomware that we've observed over the last few years, there are companies that do try and take advantage of this and will say, you know, we will help you decrypt your system. We will use high tech, quote unquote, solutions to reverse this ransomware. But it turns out that some companies, instead of actually having the algorithms and the technology to do this, are paying the actual people responsible for the ransomware directly and then charging you a premium. COLTON OGDEN: Yeah, no, this is really kind of a tricky thing, and I'm reminded of most any Hollywood movie, where someone is taken hostage. And, at least the US, in these movies, is always-- takes the position officially-- the US does not negotiate with terrorists. Well, that may very well or not very well be the case, because the closer you get to home, and the closer you get to it involving people you know, or files you own, or information you need, do these decisions become a little less obvious. And it's a little harder to take that sort of moral stance, if you will. And, in fact, in one of the articles on ProPublica was this wonderful quote. It is easy to take the position that no one should pay a ransom in a ransomware attack, because such payments encourage future ransomware attacks. It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It's a classic moral dilemma. And that really does put it into perspective, right? It's one thing to sort of argue-- no, we should not pay this ransom, because it's only going to happen to us or perhaps other people with greater frequency. But, if you really need the data on that hard drive, the financial information, the medical information, anything, the business information, you're only recourse might actually be to pay the ransom and then hopefully lock your systems down much more effectively the next time around. DAVID MALAN: Yeah, it's difficult when you're so-- when you're far removed from the problem, it's easy to say, oh, just don't negotiate. But, when you're actually there, when it's your data, your information, your loved ones, it gets a little bit trickier. It's a little bit greyer. COLTON OGDEN: And, if you do pay that one time to get your data back, man, you've just presented yourself to the bad guys as being someone they can clearly fleece again. So, it really boils down to-- try to avoid putting yourself in that situation at all, and have all of the defenses you can think of in place in terms of your systems, in terms of your personnel. I mean, frankly, too often are these exploits the result of social engineering, actually tricking people into revealing their passwords by typing it into a website, or tricking them into opening a link, or click on some attachment, or the like. And then the whole setup-- your whole system can perhaps be compromised. So, getting ahead of that and instituting better principles, some of which we've discussed on the podcast, password length and so forth-- password managers can be just a step toward avoiding the problem altogether. DAVID MALAN: Yeah, it's so tricky. I mean, we have-- like we've talked about before multiple times, the good guys have it the hardest. The bad guys just need to find one way in. COLTON OGDEN: Yeah, they just need to find one employee who accidentally clicks on that link or discloses that password. DAVID MALAN: One open window, so to speak-- [SIGH] It's unfortunate. It's unfortunate, because there are vulnerabilities that ship, not only just-- there are vulnerabilities that don't arise just out of the negligence of individuals but the negligence of companies themselves. COLTON OGDEN: Speaking of-- DAVID MALAN: And, in the news recently, some folks might know already-- WhatsApp actually had a vulnerability that was revealed. There was a company that was releasing spyware. It was actually shipping spyware through calls made through the WhatsApp application, which is a incredibly commonly used application in the United States and abroad. COLTON OGDEN: Absolutely. I mean, it is, ironically, an alternative to SMS or texting that I alluded to earlier. It's data based, in which-- a case that uses TCP/IP and network protocols to actually transmit the messages. And, as best I could tell from actually reading Facebook's own disclosure-- Facebook, of course, being the owners of WhatsApp-- it seemed to be some low level code that actually rendered the application vulnerable to a so-called buffer overflow exploit, whereby they must be allocating some amount of memory inside of the source code for WhatsApp. And, unfortunately, at some point in their code, they weren't checking to make sure that they were confining their use of memory to that footprint. So, if they allocated 100 bytes, they weren't actually checking to make sure that they didn't accidentally write more than 100 bytes to that location in memory. And, if you're using a language like Objective C, or other lower level code that's involved with networking, you might very well not have the language to protect you from yourself. And, in this case, it seemed to allow an adversary to actually install malicious software on your own phone. And, in this case, it seems to have been spyware of some form, which is to say that you might have some software running on your phone unbeknownst to you, somehow listening to you or your data. DAVID MALAN: It's interesting, because CS50-- in your lectures, you even talk about buffer overflow attacks and how to mitigate them. COLTON OGDEN: Yeah, I mean that depends on how complex your code is. It can be easy still using languages-- perhaps Objective C, in this case. Although, they weren't very forthcoming with the particular implementation details of the hack. It's certainly still possible. There are good tools out there that can help you detect these things. Whether or not those tools were in use in this context is also not clear, but it's sort of a fundamental flaw, at worst, or missing feature, at best, to borrow our terminology earlier, that this is even possible in these languages. So, this is why there's been trends toward languages like Java, and Python, and the like that actually don't even let you do this in this case. DAVID MALAN: Yeah, with great power comes great responsibility and a lot of weight on your shoulders if you're a low level developer. COLTON OGDEN: Yeah, no. And just think, to your point earlier, all it takes is for one adversary out there with a little too much free time to find the one bug that's in WhatsApp, though surely there's many more than that. And then he or she can have access, potentially, to a whole system if the bug is bad enough. DAVID MALAN: Yeah and, in this case, I mean, they were even able to transmit the data if they didn't answer the call. So they could get a call, not answer it, still get infected. And it was the case that some of the calls actually could be removed from folks' logs, too. So, they wouldn't even be all the more privy to the fact that they got a call and were potentially infected in the first place. COLTON OGDEN: Yeah, you know, it reminds me of an incident a few years ago now when Sony had some software-- DRM software-- for digital rights management whereby, if you put, I think, a CD into your computer, it would actually install what was effectively a route exploit, somehow taking advantage of the ability to install software, run it behind the scenes, but then cover its tracks, and not even show up in the Windows Task Manager, for instance, as I recall. So these are particularly malicious, and that was done by a company, not even just by an adversary on the internet. It's scary that this is still possible in systems. DAVID MALAN: I remember hearing about that. I'm not sure if it was us that talked about it, but I remember thinking, wow, I can't believe a company that big is doing something like that. And who else might be doing something like that, unbeknownst to the rest of us? COLTON OGDEN: Yes, that did not end well for Sony, if you take a look at the articles online or the Wikipedia article. DAVID MALAN: I vaguely do remember people being a little bit upset about that. COLTON OGDEN: Yeah, but companies do make mistakes. I mean, also in the news this past week was a zombie load exploits affecting some of Intel's hardware. That I find particularly scary. And, in short, in this case, with the zombie load attack, is it possible to essentially convince the CPU, the brains of your computer, to leak information in ways that you didn't intend? And this is problematic if one application is able to see information from another application. And, in fact, in this case here, thankfully, it seems to have been the good guys, the security researchers, who uncovered this first and reported it to Intel. It's not known if it was actually exploited, but they actually had a compelling proof of concept, for which there's a nice video online. If you Google zombie load Intel, you should find at any number of articles which showed them visiting various websites in a browser. And then, in a little command line interface, where they had written a program that was just running behind the scenes, they were able to log all of the host names that were being used by the browser to access those web pages, effectively leaking information across processes, which should not be possible on a system. DAVID MALAN: Yeah, it's pretty chilling. I mean, in that same article they talked about-- this might be host names now, but this could be your security-- this could be your tokens. This could be your passwords. This could be any bit of-- your card numbers, what have you, any bit of information that is going to potentially lead to a massive security vulnerability for you. And it's scary when it's hardware, too. I mean, hardware is supposed to be the stuff that doesn't need to be updated, but that's just silly and naive. I mean, running on today's hardware is essentially embedded software or firmware, as it's typically called. And most people, frankly, probably aren't really in the habits of updating their bios in the PC world, or that low level software. Apple, thankfully, takes care of this for users. And, so, who knows how often these things are actually discovered? But, when it's baked into hardware, that even puts it a little more out of most people's reach. COLTON OGDEN: Yeah, no, this is pretty frightening, because, I mean, this transcends just what might be one person's physical machine. This could easily apply-- and CS50's own infrastructure is a big part of this-- to virtual machines hosted in the Cloud, because these all eventually run on physical machines. But, you know, one physical machine that might be running since CS50's code with x other company's code-- x company might find a way to get access to all of our credentials, or whoever other company, right? Because it's all, you know, at the hardware level. DAVID MALAN: Absolutely, it's frightening. COLTON OGDEN: There was something interesting that I saw, which was-- and this is one of the coolest, cleverest ways I've seen of, again, abusing a system, finding a way into a system that you shouldn't have, and that's with Google Drive. So, somebody released, on GitHub, a program that actually allows folks-- because here's the thing with Google Drive. You can store, in your Google Drive, unlimited Google Docs. There's no quota cap on Google Docs. But this is only for Google Docs format. But somebody found a way to encode arbitrary information, arbitrary binaries, as Google Docs. And, well, that essentially led to them having unlimited disk space in Google Drive. DAVID MALAN: Yeah, and I would say this is more of a theoretical convenience than a practical one, because there's some overhead in running the software. But, yeah, it's kind of a brilliant sort of hack, if you will, or exploit, or work around, when really it's just kind of taking advantage of the design of the system. Like, normally, you're supposed to use Google Drive, and Dropbox, and iCloud, and those other kinds of file based services by dragging and dropping your files, whether it's a text file, or binary file, or video file, or program, or whatever, into the drive or up through the browser, and it gets saved. But, of course, it takes up some number of bytes, or megabytes, or gigabytes, and that counts against your finite quota. But, for reasons that maybe the staff of Google who wrote Google Docs didn't think about this, or didn't think anyone would be crazy enough to try this, it's really kind of cool. You can take any binary file, convert it to text using something like Base64 encoding, which is similar in spirit to Bas10, or Base2, or Base16, which are decimal, or binary, or hexadecimal, respectively. But just turn it into text, and then automatically paste it into one or more Google documents, and then reconstitute it later when you actually want to download the data. I mean, frankly, this is probably more annoying than anything, and Google could clamp down on this pretty quickly. They could probably say, you know, if you have a million Google Docs, you're probably not using them for Google Docs purposes. So, they could put some thresholds in there, but it would be fascinating to be privy to the chats going on at Google, if someone was like, oh, we knew this was possible, but we just didn't worry about it, because it's not that useful, or if minds were blown and, wow, that's such a clever sort of exploit. COLTON OGDEN: Yeah, no, if folks are interested, they can go to GitHub.com/StuartMcGowan/UDS and see exactly what's going on. I imagine, probably very soon, it will no longer be a relevant codebase. I have to imagine Google's going to find a way around it. DAVID MALAN: No, this is one of those this is why we can't have nice things situations. COLTON OGDEN: Yeah, no, but it's a very fascinating experiment. Another company-- another big company is Microsoft. That's a little bit of a segue there. They released a series of patches recently for some vulnerabilities that apparently exist on older versions of Windows, for operating systems such as XP and Windows 2003, among many others. DAVID MALAN: Yeah, so, for those of you still running Windows XP from like 20 years ago, this is for you. COLTON OGDEN: Yeah, 16 updates targeting at least 79 security holes in Windows and related software, which is awesome that they're actually being proactive about doing this, and they're not doing this on the heels of an exploit that comes out from some nefarious actor-- DAVID MALAN: Granted, but it's also terrifying that, since the last update, there have been 79 security related bugs fixed. And those are the ones that have been fixed. Let's just imagine how many have not yet been discovered, let alone fixed. COLTON OGDEN: Right, there was one I remember reading that was a day 0 vulnerability that they had just fixed. And there was another fix for remote desktop services, which is built into various versions of Windows, including 7, Windows Server 2008, R2, and Windows Server 2008. So, pretty crazy that-- and all of these computers may have been compromised, may not have been compromised, at least to folks' knowledge. But, at the very least, now, people are running this software. They can rest assured that a small chunk of potential vulnerabilities are at least taken care of now. DAVID MALAN: Yeah, well, and for those unfamiliar, worms are among the most scary of malware attacks, whereas a virus, for instance, is the kind of thing that you have to sort of accidentally or foolishly click on a link that opens some software and runs it, or you have to open an attachment that actually is infected with software. A worm is, by definition, self propagating. So, once that process or that program is running, perhaps unbeknownst to you on your computer, it can spread, via a network connection, to another computer, or another computer, or another computer, if all of those computers are themselves vulnerable. And, in this case, too, if your system's not already patched, you are in fact vulnerable. And, so, this frankly really got me thinking about a trend, which is a good thing in recent years, especially in the Apple ecosystem, which is essentially compelling people to automatically update. Auto update, dare say, used to be more of an opt in thing, not on by default. And, to be fair, you do in some contexts still have to opt into it on Apple's platforms. But it's getting more and more in companies' interest to sort of compel users to update, and this is helping to narrow the number of systems that are actually vulnerable. Because, if you're auto updating on a schedule, at least you're with a lower probability of running the older, more vulnerable stuff. So, it's a good thing, generally speaking, to have auto updates on. COLTON OGDEN: I know Windows 10 is the particular offender in this realm, because they are hyper-aggressive about making you automatically update, and they make it really difficult for you to actually get out of that behavior. DAVID MALAN: Yeah, no, this is very true. And it backfires in terms of UX or user experience. I remember years ago, when the Xbox One first came out, we had one here in the office for students to use. And the first thing we tried to do was set it up around the holidays, and everyone was so excited that we had the brand new Xbox One and wanted to play some game, maybe a soccer game or something like that, on it. And, so, everyone plugged it in and, just like Christmas morning, everyone's ready to start, and then-- downloading, downloading. And then, like, no joke, an hour or more later, was the Xbox finally ready to let us play a game, by which point Christmas was over, or whatever the day was. And, so, it really kind of got in the way of a good user experience. But, maybe that protected our system from being compromised. So, it really is a trade-off, which is thematic in computing. COLTON OGDEN: Yeah, trust and trade-offs, if we had to boil down CS into two words-- DAVID MALAN: Yeah, I think that's pretty apt. COLTON OGDEN: Well, somebody actually requested we talk about this, which is kind of a cool thing. Careers and technology would be the topic here. DAVID MALAN: Yeah, so we got this question from one of our listeners. I like these. Can you talk about careers in tech in a future podcast, maybe what areas have more job openings in the next few years, what skills are in demand, and what areas may decline in the future, also maybe the interview process? So, a bit of a loaded question-- I think we can touch on this a little bit here and certainly welcome other such questions. I mean, it's hard to go wrong nowadays, certainly, in bolstering your technical comforts and your technical skill expertise. It's so much easier these days to find access to high quality educational content for free on the internet. You don't need to necessarily go through formal schooling or pay for these actual programs. With that said, it's tough to predict these trends. I mean, there's certainly things that are in vogue these days. Python, for instance, is a language that's very much in vogue these days for web programming, for data science applications, for interactivity. JavaScript is another one that's perhaps even more popular and trending these days, both on the client side and the server side. And then there's the whole, like, operations world, technologies like Docker, and virtual machines, and so forth, that are really transforming how systems are hosted in the Cloud and elsewhere. So, there's a lot of exciting trends. But, frankly, I think, rather than even chasing these trends, I think you can't really go wrong in studying, really first and foremost, the fundamentals and focusing on having a strong software background with procedural programming, with classes like CS50, functional programming, object oriented programming, as by taking other classes, and then keeping an eye-- that really opens doors, I think, to all sorts of entry level and higher level software jobs. COLTON OGDEN: Yeah, problem solving I think ultimately-- DAVID MALAN: Absolutely. COLTON OGDEN: That's probably the number one skill that I would say people should focus on. DAVID MALAN: Yeah, and then certainly, at a lot of the bigger tech companies, certainly in the software context, are-- the interview process really focused on problem solving. Generally the types of questions you might have are generally language agnostic, or the interviewers often don't care what language it is you're using to solve a problem. Frankly, your syntax doesn't necessarily have to be 100% correct if it's more of a Whiteboard kind of conversation, or even just like a Google shared document on a telephone call or video conference that you might have. The goal really is to get a sense of how people think and how they approach programming. I mean, frankly, I, when we've interviewed folks even for part time or full time roles here on CS50's team, for software oriented roles, what I really want to do is get a sense of what it would be like to work with that person in a room, in front of a whiteboard, with his or her laptop off to the side, where we're just designing the solution to a problem, even independent of code. And, so, I think, being able to have really robust design conversations, being able to understand, as you know, the trade-offs between doing something or something else when it comes to designing a system-- that's, I think, one of the best ways to prepare yourself for this. COLTON OGDEN: Yeah, I think, given our experience here at CS50, and based on just what I've read, it seems like the model that big companies have taken in recent years, or maybe even not recent for a lot of the larger ones, the whiteboard sort of model, and the problem solving based model, I think even smaller companies are probably adopting this a bit more than they used to now. Because people are getting a lot more of an influx of software developers looking for work. And, so, I think we see this thing pretty commonly. DAVID MALAN: Absolutely. COLTON OGDEN: And it does ultimately boil down to, not what language you might be comfortable with, but, you know, the ultimate the core problem at hand, which is what CS50 tries to teach. It's not-- we advertise ourselves-- you advertise the course as not a course on programming, per se, but ultimately on problem solving. DAVID MALAN: Yeah, absolutely. And, speaking a little more practically here, at Harvard we have a tradition, thanks to some former teaching fellows, of holding a prep and practice for tech interviews every year. So, if you actually Google or go on YouTube and search for CS50 prep and practice for technical interviews, odds are one of the recent years' videos should pop up where CS50's own Tommy MacWilliam, a former head teaching fellow, actually leads folks through a discussion of how to and not to format your resume, how to prepare for an interview, how to conduct an interview. So, you might want to check that out. A very popular book here on campus, too, is one called "Cracking the Coding Interview," or Cracking the PM, product management, interview. Those, on Amazon or other websites, might be of interest as well, just as a nice, thick reference book as to where you could begin. Frankly, it could take you weeks, months to go through everything in those texts, but it'll give you a sense of how you might go about preparing. But, in short, in terms of the opportunities themselves, I would say hard to go wrong in the DevOps world, knowing one or more programming languages, knowing a little something about how you can run an application using Cloud services of any sort, certainly version control, and GitHub, and GitLab, and other such products. And then also security, just being one who can help companies understand and analyze threats to their system, who can chase those things down, who can help secure systems-- I mean, there's no lack for need in the security space as well. COLTON OGDEN: Yeah, having technical literacy in this day and age-- I think that is incredibly useful. We're only getting more automated. DAVID MALAN: Yeah, absolutely-- so, a lot of exciting opportunities out there. And I think, if you just get to first base with some of the fundamentals, and taking one or a few classes, or experiences, or boot camps, or the like, can you really then bootstrap yourself there onward until you really feel like you're hitting home runs. COLTON OGDEN: Awesome. I like how that ended, some solid advice there. DAVID MALAN: Thanks, I don't know if that metaphor works. But it sounded kind of poetic. COLTON OGDEN: Well, thank you for coming here to do this podcast with me. DAVID MALAN: Oh, well thanks so much for having me. COLTON OGDEN: Episode 5, zero index of the CS50 podcast-- what are some takeaways that you would recommend from the discussion here, since we like to end with a few takeaways? DAVID MALAN: I know. I worry the theme too often is be afraid, be very afraid. But I think, hopefully more constructively this time, are there things you can be mindful about. And, honestly, thinking about technologies from first principles, even in the context of virtual kidnappings, god forbid, understanding-- well, wait a minute. How is this happening to me? Don't necessarily take things that you see on a system at face value. Consider what sequence of steps might have led you to see this symptom and then decide for yourself, in an informed way, yes, this is a threat, or no it isn't. And I think just knowing how to defend yourself as well-- don't get yourself into the situation of things like ransomware attacks or vulnerable WhatsApp applications on your phone. Make sure your auto updates are on, which is probably a net positive in general, even though updates can be rolled out that are themselves buggy. That's probably the lesser evil-- so, staying on top of your system and not just using things out of the box the way you receive them. In fact, a certain someone comes to mind as to whose iOS is not always up to date. COLTON OGDEN: I was going to make a comment about that when we got to auto updating. Yeah, I have a bad habit of not updating my stuff as often as I should. DAVID MALAN: Yeah, so I'm going to send you a link to episode 5 of the CS50 podcast and see what happens there. COLTON OGDEN: All the talks that we've had in here have convinced me that maybe it's time to start taking that a little more seriously. DAVID MALAN: All right, well, thanks so much for tuning into the CS50 podcast. Looking forward to chatting with folks further. COLTON OGDEN: Likewise-- thanks for tuning in.