Sie sind auf Seite 1von 82

[MUSIC PLAYING]

DAVID MALAN: Security.

Let's start off with some scary stories

about how your data and your devices

are under constant threat,

even if you don't necessarily

realize as much yourself, and then

consider how we might defend ourselves

against some of these threats.

Let's start, for instance,

with privacy, keeping folks

from seeing data or things that you

don't want them necessarily to see.

And specifically, let's consider this.

If you've got some desktop

computer, or some laptop computer,

those devices alone are the most

insecure thing you might have,

and maybe even the device in your

pocket that you even leave lying around,

because at the end of the day, whether

it's a laptop or desktop or phone,

these are computers, and

computers have on them data,

and data is just a fancy

way of saying, like, files.

So files, of course, are just

collections of zeros and ones,

and in those zeros and ones, odds are,

are numbers like financial information,


or photographs that

you've taken on vacation,

or maybe it's financial documents

that you've typed up on your computer.

So suppose that you're

already in the habit

of trying to keep your data

secure, because anything

you don't want someone to see, you

maybe are in the habit of deleting it.

But let's consider first

what it means to be deleted.

Recall, after all, that files are

generally stored on hard drives,

or SSDs.

And in fact, a hard drive is just a

physical device, something like this.

And there's magnetic particles

on this particular device

that represent our data.

So what does it mean,

though, to delete a file?

On Macs and PCs and the

like, when you delete a file,

it simply disappears, typically,

from your desktop or folder.

But what's really happening,

especially when at the end of the day,

those files are on a


physical device like this?

Well, turns out the files are stored

on a computer, and on a platter,

if it's a hard disk,

that might look something

like this, although ideally

it would be a perfect circle

so that it can spin properly.

And anytime you store a file, you

might allocate some part of this disk,

maybe that part of the

disk, or the platter,

so to speak, for all

of your zeros and ones.

And I'll just go ahead and draw

some random zeros and ones up here.

And what those zeros and ones are

completely depend on the file.

Maybe it's a Word document.

Maybe it's an image.

Maybe it's a sound file or a movie.

Who knows?

And then elsewhere on the platter--

and recall that there might

be multiple platters--

will there be any number of other files.

And even if it's not a platter, if

it's instead a solid-state disk,

electronically, are there

still these zeros and ones,


thanks to the tiny little devices

that store those binary values for us.

But what does it mean, now, if a

file exists in your operating system,

and your operating system

is storing it, ultimately,

on a physical device, whether

a platter here in a hard drive,

or electronically in an SSD?

Well, somehow, your computer,

specifically your operating system,

needs to keep track of

where these files are.

And so an operating

system typically has kind

of the equivalent of,

like, a little cheatsheet,

or an Excel file, that keeps

track of where files are.

So for instance, one column

might be the name of the file,

and another column

might be its location.

But location, in this sense, is

the physical location on disk.

So if I've stored, for

instance, my resume somewhere,

and that might be at

location 123, where this


happens to be location

123 on the hard drive,

specifically, byte number 123,

because operating systems are

going to store my data either

at specific byte addresses,

or maybe in certain cluster sizes.

You might actually take collections of

bytes and write files to those clusters

all at once.

But this table, then, of

course, has other values

as well, one value for every

file that I have on my computer.

So what does it mean,

then, to delete a file?

Well, graphically, it tends

to disappear from my screen.

And I know what you might be thinking.

Wait a minute, it goes into the

so-called recycle bin or trash can.

But the funny thing about the

recycle bin or trash can is what?

Especially if you have maybe a

nosy roommate or family member.

It's not really sufficient to leave

deleted files in the trash bin

or recycle bin, because

what can they do?

They can, of course, just


double click on the thing,

drag the file out, and then hang onto

it and actually see what was there.

So oh, no, no.

You're more

security-conscious than that.

You're in the habit of emptying your

recycle bin, or emptying the trash.

And it maybe makes a cute little sound,

and then the little icon of trash

disappears from the lid of the can.

And you might think, whew!

Got rid of that file.

No one can now see it.

But consider what might be happening

underneath the hood, so to speak.

Well, it turns out what

a computer typically

does, whether it's Windows or Mac

OS or some other operating system,

is it does nothing to the

physical device over here.

Instead, it just forgets

that entry from this table.

It just forgets where my resume is.

And therefore, it knows

implicitly, and thereafter it

can continue using location 123.

Sure, there are still zeros and


ones from my old resume there.

But no big deal, because

the computer can just

rearrange those zeros

and ones into other ones

and zeros in some other pattern

and store some other file,

so long as that new file

is added to this table.

But the implication, then,

is that even though you've

deleted a file by dragging it

to the recycle bin or trash can,

and you've had the wherewithal to

empty the recycle bin or trash can,

the computer really is just

forgetting where that file is.

It's not actually physically

destroying the data.

And so if you have the

right software, or you

have a sophisticated enough

adversary who can write software,

you can theoretically recover

data from a hard drive or SSD

just by looking for

familiar patterns of bits

that might represent a Word document

or a JPEG photograph or something else

altogether.
So what's the implication?

If this is the threat, and if

you've got some really sensitive tax

information on your

computer and you really

don't want other people to be able

to see that, because it's personal,

it's not sufficient, it seems, just

to even empty your recycle bin.

You need to somehow

securely erase this file, so

that programs like Norton

Utilities and other tools

can't recover the data subsequently.

So what could you do?

What would the approach be?

Well, you might think that

you maybe open up the file

and then just start typing random

numbers or letters into the file,

resave it, and that might overwrite

some of those same zeros and ones.

But the operating system,

frankly, might just

use a different part of the

disk to save that new data,

especially if there's some kind

of auto-recovery feature built

into the file format itself.


So that might not be secure.

Really, you need to scrub--

or wipe, as people say--

these zeros and ones.

Maybe they should be

changed all to ones, or all

to zeros, or maybe just random zeros and

ones, so that no matter what was there

is absolutely now no longer there.

And for that, frankly,

you need special software.

And there do exist both commercial

and free tools to do that,

either to securely

delete individual files

or to do it to an entire

hard drive, especially

if you're selling it or simply

recycling it, getting rid of it,

and you don't want all of

that data to remain around.

Why do computers seem to have what seems

to be this sort of fatal privacy flaw?

Well, it's actually kind

of a good thing, right,

because if you're like me, odds are

you probably accidentally deleted

something before, or maybe you--

or someone else has deleted it on you.

And so it's actually


kind of a nice thing

that computers don't actually,

by default, necessarily scrub

the information altogether, because

that means we can recover files as well,

if that's indeed a good thing.

And frankly, years ago,

for efficiency, it just

made sense for computers to

forget where the file is,

rather than bother with

this, because if you ever

do try to securely delete

a file or wipe a drive,

you'll find that it actually

takes quite a while, because you

have to touch so many of the

locations on that physical disk.

But it's not just your files, and it's

not just your computers themselves

that are vulnerable to disclosures

of private information.

There's also your browser.

And odds are you spend a lot of

time on the worldwide web using

Chrome or Edge or Firefox or Safari

or some other browser altogether.

And odds are you've heard

of a little something that


might be a little scary-sounding,

as you've heard it,

but cookies, pictured here

adorably with Cookie Monster

being a little surprised that his

computer wants to delete cookies.

What are these cookies, and how do they

too threaten privacy in some sense?

Well, it turns out, when

you visit a website,

these days, most every website frankly

that is dynamic and interactive uses

something called cookies.

Cookies are a features supported by

HTTP, hypertext transfer protocol--

that's the protocol that web

browsers and servers speak--

and cookies are used to remember

a little something about you.

Often, they're used to remember

that you've already logged in.

Right, consider that when you

log in to Gmail or Facebook

or outlook.com or something

else, generally you

just type in your username

and/or password once,

then you see your inbox or your

homepage or your news feed,

and you don't have to log in


on every subsequent click.

Indeed, it would be infuriating

and downright unusable

if every time you

followed a link, you had

to reprove to Google or

Microsoft or Facebook

who you are by logging in again.

And so cookies are these little files--

or really values, numbers or letters--

that a web server puts on your

browser, saves inside of your browser,

to remember that you've

been there before.

So if I log in with my username to some

website, and I log in with my password,

and then hit Enter,

essentially the web server,

upon responding to my authentication, is

going to plant a cookie on my computer,

either in RAM temporarily or maybe

even on disk, on my hard drive or SSD,

to remember that David

is somehow authenticated.

And that cookie hopefully

doesn't actually

contain my name or password or anything

else that's personally identifying.

Instead, it probably just contains a


really big number, a really big value,

that's also stored on a database,

because the way HTTP works is every

time I visit that website again,

unbeknownst to me, at least until now,

the browser is supposed to present

that so-called cookie-- that value,

big numbers, big letters--

to the web server to

remind the server who I am.

So if I log in to Gmail today, check my

mail and maybe even close the window,

and then tomorrow I come

back and open up Gmail,

odds are my browser is not

going to make me log in again.

The browser, or really

the website, is going

to remember that I logged

in reasonably recently,

and it's not going to

pester me to log in again.

And that's because my browser

is, unbeknownst to me, sending

that same cookie value that

was planted there a day

before to remind the

server, this is David.

You know him.

He's already logged in once before.


So how do the mechanics

of this actually work?

Well, consider this.

This is a very simple HTTP request that

might go from a browser to a server.

Get slash, so get me the

homepage using HTTP version 1.1.

The host I'm visiting, in this case,

is just example.com, some website.

Now, typically, a web server is going

to reply, hopefully with a HTTP 200,

OK, all is well.

But it can also reply with some other

values in those so-called HTTP headers.

For instance, a web server can reply

not only with that 200, OK, all is well,

it can also reply with another

header below it called set-cookie.

And then inside of that is a value, a

key-value pair-- the name of the key,

which in this case is Session, which is

commonly used, but could be anything,

equals, and then some big value.

So when I said earlier that a big

random value, numbers or letters,

are planted on your computer, it

looks a little something like this.

This is just a really long, sort of

standardized format for generating


big random values that happen

to contain numbers and letters,

and also, it turns out, some hyphens.

But that number, theoretically,

uniquely identifies me.

The server is not going to send that

cookie to any other customers or users.

It's just going to me.

And my browser, by nature

of understanding HTTP,

knows how to look at that,

knows what to do with it,

and knows on every subsequent

webpage I visit on example.com

to send that value back to the server.

So on every subsequent

HTTP request, my browser

is going to send a little something

like this-- not just get slash

or whatever the page is,

not just host example.com,

it's also going to send cookie.

No Set, because Set came

from server to browser,

but just cookie colon, and

then that same exact value.

So if you've ever been to

a club or an amusement park

where you kind of want to come

and go during the day or evening,


those places might sometimes put

a little ink-based hand stamp

on your hand, so that they

don't have to check your ticket

or who you are every time you go in

and out of the park or in and out

of the club.

You simply show your hand

stamp, thereby reminding

the bouncer, whoever is taking

tickets, that you've actually

gone through this process before, and

don't have to be re-authenticated,

so to speak.

So that's all that's going

on underneath the hood,

and cookies make this possible

because they've planted these values

on your computer, thanks to the server.

But where's the threat to privacy, then?

Well, we're here looking at

these HTTP headers on the screen,

and you can't really see, like,

Wi-Fi things going across the air.

But if you have the technical

savvy, you could certainly

sniff all of the wireless traffic

going between computers and phones

and other devices in this general area.


And that's a little

worrisome, because if you

have the technology and the

technical know-how to do that,

what if an adversary, a hacker,

could actually see values like this,

and could essentially see my hand

stamp as I'm presenting it to a server?

That hacker could,

theoretically, if he or she

knows how, pretend to be me by

duplicating my cookie value, sort

of doing this, like you

might have tried at a club,

and then presenting that stamp as

his or her own to the same server.

And indeed, this is what would be

called a session hijacking attack.

It is a way for a hacker to have

access to a value like this,

steal it as his or her own, and then

send it, using the right software,

to the same server, so

that if you have already

logged in to Google or Facebook

or Outlook or some other site,

you've essentially given this

hacker keys to that same account,

because he or she can just pretend

to be you by sending the same value.


So how do we protect against that?

Well, there is a mechanism, thankfully.

And most websites, including all

three that I keep mentioning--

Facebook and Google and Outlook--

are just three of many, many websites

that these days, thankfully, encrypt

this information, scramble it,

so that even someone sniffing

wireless traffic wherever you are

can't actually see this.

It looks completely scrambled.

But more on that in just a bit.

There is, of course, with your browser,

though, other some privacy concerns.

Right, if you walk up to Edge, or you

walk up to Chrome or Firefox or Safari

or Opera or whatever, odds are, if

you start typing in the URL bar,

what do you see?

You see maybe some search results.

But for convenience, you

also see your own what?

Browser history.

So there aren't just

cookies on your computer

that effectively are little

breadcrumbs as to where

you've been on the internet,


like things like this,

that do have to be saved

somewhere in the computer's memory

or on the computer's disk.

But there's also the very

websites you've visited.

And so another threat to

your privacy, frankly,

is just walking away from

your laptop or desktop,

letting a roommate or a

classmate or a family member just

walk up to that same computer

and just start poking around

your so-called browser history.

And browsers today are pretty powerful.

I mean, they'll remember everything

you've done, everywhere you've gone.

And this is a good thing in

some sense, because it means

it's easier to get you back there.

If you start typing

the first few letters,

your browser might

remember where you've been.

You can search your history.

So if you're like, oh

my god, where did I

see that widget I wanted

to buy online yesterday?


You might be able to search

your own history and find,

among the websites you visited,

what it is you're looking for.

But the counterpoint here, of

course, is that so can anyone else.

So how do you defend against

those threats to privacy?

How do you defend against those threats

to places you've been and breadcrumbs

you've left lying around?

Well, you could clear your cookies.

Any browser, typically under the

Preferences or Settings menu somewhere,

has a way of clearing

your browser history,

and often clearing with

it the cookies that

have been planted on your computer.

So what's the upside and

what's the downside of that?

Well, the upside, of course, is that

all that information is thrown away,

though, frankly, maybe not securely.

To our point earlier about

how files are deleted,

odds are, even your history

is not securely scrubbed.

It just makes it harder


for a bad guy to actually

get at it, if he or she knows

how to actually look at bits

that were once on the computer's disk.

But if we're really not worried

about those kinds of threats,

we're really just worried about

people walking up to our computer

and being a little too nosy,

clearing your browser's history will

address that.

But it will also clear

all of your cookies.

And so what's going to happen

if suddenly all of your cookies

are deleted?

Well, somewhat annoyingly, any

website you've recently logged in

to, or maybe even ever

logged in to, is effectively

going to forget that you have.

And all of those cookies that were

temporarily stored on your computer

are just going to be thrown away.

So the next time you visit

Google or Facebook or Microsoft,

they're going to prompt

you again to log in.

Not a huge deal, and

it's better than just


letting anyone see your own

account, but that is an implication.

And so if you're one of

these people who opens

lots of tabs, uses lots of websites,

doesn't even quit your browser very

often, let alone shut

down your computer,

odds are it might actually be annoying

to have to delete all of your cookies

in this way, because effectively,

it's like washing your hand

so that any hand stamps you had on

your hands are completely washed off.

So what's an alternative?

Well, Chrome and Firefox

and other browsers

often have a sort of private mode, or

incognito mode, as Google calls it.

And this is simply a mode in your

browser where you can open up,

typically, a different-colored

browser window, and in Chrome's case

it's actually kind of a creepy

guy with a little creepy hat on.

We can kind of pull this up here.

If I open up Chrome, for instance,

and I decide I don't really

want any of this ending up


in my browser's history,

I want my history to be

automatically thrown away

without affecting all of

the other places I've been,

I can actually go up to File, New

Incognito Window, and ooh, spooky.

I've gone incognito.

"Pages you view in incognito

tabs won't stick around

in your browser's history,

cookie store, or search history

after you've closed all

your incognito tabs.

Any files you download or

bookmarks you create will be kept."

So essentially, this is

just automating the process

of letting you do your thing online

and then automatically deleting it

once you've deleted--

or once you've closed this and any

other such private or incognito windows.

So that's an alternative when

you know you don't want something

to end up in your browser history.

And frankly, technical

people also use this a lot,

not so much for privacy's

sake, but for technical sake.


When you're building

a website, or you're

writing software that uses

the web, sometimes you

don't want the browser to remember past

pages that your software has generated.

So using incognito mode too is

just a handy technical thing,

because it means the browser

is going to remember less,

and therefore you won't accidentally

see some of your oldest handiwork.

But all of these scenarios rather assume

that I've logged in to my computer

first.

Right, it should kind of go

without saying these days

that if you don't have a password

on your laptop or desktop,

or you don't have a password

or passcode on your phone,

or a fingerprint sensor

these days on your phone,

probably aren't practicing

best security practices.

Right, it's all too easy, then, for

a nosy family member or a roommate

or whoever to just walk right up

to your laptop or desktop or phone


and start poking around, which

may not be a very good thing.

But also, even if you're not really

worried about the people around you

you trust, you know, that laptop might

leave your home or apartment pretty

often.

And certainly that

phone is going with you,

most likely, when you step out

of the house or home as well.

And so what if you just

lose a device like this?

If you don't have a password

or passcode on your phone,

and therefore you never authenticate,

prove to the device who you are

and that you know that password, let

alone username, well, then anyone

off the street, literally,

can pick up that device

and start going through your

emails or your text messages

or really pretend to be you, if

you're logged in to various things.

In fact, if you've ever seen friends

of yours post sort of obnoxious posts

on Facebook, might very

well be your friends.

But it could also be


friends of your friends

who have intentionally walked up

to their phone or laptop or desktop

and posted something on their news

feed, so to speak, without them actually

knowing.

And that's just because they

weren't requiring authentication.

So it should go without saying that

on your Mac or PC or iPhone or Android

phone, you should have some

form of authentication,

some kind of prompt that

challenges you to know something

before you can proceed.

And what you know is typically

a password or passcode.

On a phone, it might

simply be a few digits.

Unfortunately, using

something like a few digits

isn't necessarily the best idea, because

if you only have a four-digit passcode,

as was the default on iOS

for iPhones for some time,

it's not all that secure, right?

Because if you think about a four-digit

passcode, there's four possible values,

and each of these values is 0 to 9.


So this has 10 possible values--

0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

10, so 10 possible values there.

Another 10 here, another

10 here, another 10 here.

So the total number of possibilities

here is only 10,000 passcodes total,

specifically passcode

number 0000 through 9999.

Now, that's indeed a lot.

And frankly, it's going

to be pretty damn tedious

for a hacker or a nosy family

member to guess your passcode

if he or she has to try as many as

10,000, or at least half of that many,

on average, to just guess

what your passcode is.

Plus, a lot of devices today,

iPhones included, will insert delays.

So if you guess your

password wrong, even

if it's you who've forgotten it

temporarily, maybe three times

or five or 10 times or

some small number of times,

the phone is actually

going to say, slow down.

You're going to have to wait a minute

or so before you can try again.


And this is a good defense mechanism,

because if the search space is

relatively small, the

number of possibilities

is relatively few, you can at

least increase the cost of hacking

into the device through

this brute force method,

where you just try all possible codes,

by just slowing down the bad guy.

Make every code take a full second,

or five seconds, to type in.

Make him or her wait maybe a

minute before they can try again,

because by then, hopefully,

you'll have realized, oh,

shoot, where did I leave my phone?

And you can go chase

it down and chase away

the person who's trying to access it.

Or, you're going to come home before

that nosy neighbor or roommate has

actually finished guessing all

possible values to get into the device.

Of course, there's a more effective way.

Don't use four-digit passcodes.

Maybe use a fifth or

a sixth or a seventh.

Or don't use numeric codes at all.


What if, for instance, we

introduce letters of the alphabet?

If we introduce letters of

the alphabet, even if we just

have a four-digit passcode, that means,

if this can be not just 0 through 9,

but A through Z, and better yet,

how about capital A through Z,

and lowercase a through

lowercase z, that gives me, what?

52 letters and 10 numbers, 0 through 9.

So that's 62 possibilities.

So that's 62 times 62 times 62 times 62,

and already this is starting to add up.

If I pull up a fancy black-and-white

calculator here and go ahead

and just run the math, we know from

before, it was 10 times 10 times

10 times 10, which

is, of course, 10,000.

And 62 times 62 times 62 times 62,

meanwhile, is much, much bigger.

In fact, that's 14,776,336.

So just by using more possible digits--

not just numbers, but letters,

capital and lowercase--

we've really increased

the cost for an adversary.

And as such, we've effectively

increased the security of my device,


because now it's a lot

harder to get into.

And better yet, don't

use four characters.

Use five.

Use six.

Use 12.

Use 20.

There's just a price,

ultimately, you pay.

Right, if you were trying

to be really secure,

and you know therefore you shouldn't

use four-digit codes, maybe even five

or six, so you have a 20-digit

passcode or password, why might

that actually not be a good thing?

Right, because according

to that logic, why not

have a 50-character password

or 100-character password?

No one is ever going

to guess that, surely.

Well, one, nor might you remember

it, if it's that long or that arcane.

Two, it's just going to be damn annoying

to type in again and again and again.

And so that alone is sort

of downward social pressure


on having passwords that long.

So what's the best rule of thumb?

There's not necessarily one fits all.

But short, bad, longer, good.

But it's only good so far as

you can remember that password.

And it's not, say, a very popular

word or phrase or sentence,

because the other thing bad guys will do

is they're not just going to guess all

possible values, like 0000, and

0001, and 0002, and so forth.

Soon as you introduce

letters of the alphabet,

they're not just going to

try AAAA, and AAAB, and AAAC.

Odds are, they're going

to start trying words.

So in fact, if your

password is "password,"

that's probably not a very

good password, because it

was the first thing I thought of, too.

Or if your password is

123456, odds are, that's

not too smart either, because it's also

the bad guy's first thought as well.

And now, tragically, while tongue in

cheek with these kinds of examples,

it turns out that these


kinds of passwords

are more common than you might think.

So in fact, let me go ahead and pull

up a list, as of 2017, some of the most

common passwords in the world.

The number-one password, according

to one study online, was 123456.

And odds are, the

website's requiring this,

or required at least

six-character passwords.

The number-two password

this year thus far

has been 123456789, so more

secure in that it's longer,

and that then you have to

kind of guess more tries.

But it's not all that

hard to guess 123456789.

"Qwerty," brilliant.

That is literally the first

five or six characters

on top of the keyboard on the first row.

12345678 came in a close fourth.

So that's brilliant.

111111 is coming in fifth.

1234567890, 1234567, you

can see the pattern here.

"Password" came in,


surprisingly, at number eight.

123123, someone's thinking

they're a little clever.

And then the reverse, 987654321.

And if you go online and just google

"most common passwords of 2000

whatever," you can see

the most common passwords

from any of the most recent years,

thanks to security studies and websites

like this one here that

have been done online.

So pro-tip-- if you see your

password anywhere on this list,

let alone in the top 20

or the top 100 or more,

time to start changing your password.

Because if you're using

it, odds are a bad guy

is going to know to try

that password as well.

And even though most of these

aren't even actually words,

it turns out that adversaries, hackers,

certainly have access to dictionaries,

like a Merriam-Webster dictionary,

and so he or she could certainly

write software that tries

not only these common ones,

but tries all the words


in the dictionary.

So if you think that, you

know, you're being clever

by putting "umbrella" as your password,

because that's a pretty random word.

Why would anyone use it as a password?

Well, the problem is

it's in a dictionary.

And if it's in a

dictionary, an adversary

can write a program to try all

possible words in the dictionary,

and it will eventually get

to "umbrella," at which point

he or she now knows how

to log in to your account.

So not so good as well.

So what's the takeaway,

then, here, for the security

of your accounts and your computers?

Well, maybe you should use

completely random passwords.

Right, if words are bad, and patterns of

numbers are bad, let's just go random.

So bang, bang, bang, bang, bang on

the keyboard, and see what comes out.

Now, unfortunately, when you register

for websites or set a password,

you're going to have to


bang, bang, bang, bang, bang

out the same exact thing multiple

times to confirm you actually know it.

And frankly, if it is a really

weird-looking random set

of characters and numbers

and punctuation symbols,

honestly, I don't know if I'm

going to remember it as well.

So sometimes people think

they're being clever.

So instead of saying an L in a

password, they might use a number 1.

Or instead of an A in a password,

they might use the number 4,

because they all kind of look the same.

But again, any heuristic like that,

even if you think you're being clever,

well, the adversary,

the hacker out there,

can also be just as clever as

you, and try those things first

before he or she even bothers

trying the completely random ones.

So generally, thinking of

some nonsensical phrase,

introducing some disparate

capitalization, some upper case,

some lower case, toss

in some numbers there,


some letters, so it's

not entirely random,

there is still some

implicit mnemonic that

allows you to remember what it is, is a

better approach than choosing patterns

of numbers like this,

or words that you might

think of off the top of your

head, or even actual words.

Introducing deliberate misspellings,

or weird punctuation or capitalization,

all lends itself to that.

Of course, none of this matters

if you're one of these people,

and odds are you could walk around

a lot of offices in the world

and see a whole bunch of

monitors on people's desks

with one of these on the display.

So if you're also one

of these people, you're

not a good person if you're

putting your own passwords

on a post-it note on your monitor.

Or frankly, we don't have to

put the entire blame on you.

Maybe your company or your

university's security policies


are such that they're not

really that reasonable.

Maybe your company makes you change

your password every three months,

or every six months, which

frankly, might be a net negative.

Indeed, increasingly are people

challenging this practice, which

feels very intuitively reasonable.

Like, make people change their

passwords once in a while,

just in case they've been compromised.

This way, at least the

bad guys out there only

have a limited amount

of time-- three months,

six months, whatever-- to

actually use that exploit.

But the problem is, if you make

me change my password every three

months, or every six months,

especially for websites or tools

that I might not even

use that often, thereby

making it harder, and in some

sense, more cognitively expensive,

for me to remember your

password, well, frankly, I'm

going to probably start choosing easier

and easier to remember passwords,


or repeating some

pattern in the past, so

that it's not as hard for me to

remember these ever-changing passwords.

So in that sense, it might

actually be a net negative.

If you're accidentally

conditioning your team members

to lower their threshold for security

by choosing easier passwords,

maybe they should just pick one really

good, really hard-to-guess password

at the get-go, and never

change it, or change it

years later, not so frequently.

So if you're doing

this, though, minimally,

take these down and address the crux

of the issue, not just the symptom.

But there's also other issues that

arise with passwords and authentication.

Now, odds are, you

have, if you're like me,

forgotten your password

to at least one website.

And that's often not such a

dealbreaker, because what can you do?

You've forgotten your password.

You haven't logged in to some site in


a while, or you're using a new computer

and you don't really remember it.

So you can reset most passwords.

You can click a link on most

websites that's literally called,

like, Reset Password, or Forgot

Password, or something like that.

And what do they do?

Well, they typically ask you, then,

to type in, if you haven't already,

your username or your email address.

And then what do they do?

Well, typically, you'll get an email,

hopefully within seconds, maybe

a few minutes, maybe it

ends up in your spam folder,

so you should check there too.

And it contains a link.

And that link is like

your password reset link.

And generally, if you

look close at the URL,

it hopefully goes back to the same

website, so example.com or whatever.

And then odds are it has a really

big, seemingly random value,

not unlike the cookie we saw earlier.

So using random values in

computing, especially for security,

is generally a good practice.


So it has a big, seemingly random value.

You click that link.

You're led back to the same

website, but a different screen,

and it asks you to

choose a new password.

And you type it in once,

probably twice, hit Save,

and your account is now updated.

So what just happened?

Well, when you clicked I Forgot My

Password, or Please Reset My Password,

the website probably has a database.

It generated some big random

code, stored that in a database,

and made essentially a mental note for a

computer, let David reset his password.

How does it know that I'm David

if I don't know my password?

You almost have a sort of

catch-22 situation there.

Well, if David still has access to the

email account with which he registered

for this website, which is pretty

much the assumption being made,

well, let's send him a special link

containing that really big code that we

also stored in the

database, and let's assume


that anyone who can log in to David's

email account is probably David.

So let's let that same

person choose a new password

for this website, example.com.

So you're trusting, to

be fair, that I am indeed

the David who's supposed to have

access to that email account.

But if that's really the

only way, because odds

are you don't want to incur

the expense or the complexity

of, like, having David call

up and say, hi, I'm David,

and then prove this by giving

you personal details about me

or values or information

that I might only know,

you can at least trust

with some probability

that only I have access

to my email account.

And that big random value,

meanwhile, is checked

on the website when I follow that link.

And then you realize, oh, we know that

the person who just followed this link

is David, with high probability, because

the only one in the world to whom we


sent this big random value via email

a moment ago was malan@harvard.edu,

or whatever your actual

email address is.

And so you reset your password

and you're back in business.

Now, sometimes, you've wanted

to know what your password is.

But most websites don't do this.

And if you call customer service--

not that most websites even allow this--

typically, the technical staff can't

even tell you what your password is.

Even if you prove by telling them

who you are, where you were born,

and everything about yourself,

they cannot tell you, technically,

what your password is.

And that's a good

thing, because odds are

that means there's certainly

good security practices in place.

But odds are it means

too that your password,

even the old one you don't remember,

is encrypted in some form-- or hashed,

more technically--

somewhere in their database,

so that even the IT staff cannot see it.


All they see is some seemingly

random value in their database.

And that's not your actual password.

It's a hash thereof, a

scrambled version thereof.

But some websites are really bad.

And in fact, I can think of

several times over the years

when I've gotten a password reset

email, and oh my god, in the email,

is my password.

And so that's fine.

At that point I remember, oh, yeah,

of course, that's the password I used.

And I can just copy and paste

it and go about my business.

But what does that mean?

If the company was able

to email me my password,

odds are it means it is not

encrypted, or hashed, or scrambled,

on their database, which means

any one of their employees,

or a hacker who steals their

database, could see my password,

log in to, and pretend to be me,

whatever the website actually is.

Moreover, they just emailed

out on the internet,

and odds are, partly wirelessly,


if I'm on my laptop or phone,

what my password actually is.

And if my email server is not using

encryption, as is not always the case,

they might have just let anyone in the

local Starbucks or airport or lecture

hall that I'm in actually

see what my password is.

So bad, bad, bad, bad

practice to not actually

scramble passwords on a server.

And yet this happens, tragically,

more often than you might like.

So keep an eye out for this.

And frankly, there's not much you

can do, other than really decide,

I am not using this website

anymore, because they don't really

seem to have their act together

when it comes to security.

So what's one last threat when

it comes to authentication?

You know, odds are, if you're like me

back in the day, though not so much

anymore, you might get a little lazy.

You might have kind of a

favorite go-to password

that maybe you use on your email, maybe

your social media accounts, maybe,


god forbid, your bank account, or more.

This too is bad.

If you are in the habit--

and it's understandable, but still bad--

of using the same password on

different websites, what's the threat?

And what's the upside?

Well, the upside is just

it's convenient, right?

Why remember 10 different

passwords for 10 websites

if I can use one password

on all of these websites?

It's just convenient for us humans.

But what if one of those

websites is hacked?

Or what if a bad guy figures out, by

guessing, maybe your child's birth

date, which happens to be your password,

what your password is on one website?

Well, he or she might get a

little curious, a little greedy,

and try using that same

password on all other websites

that they know you visit to

see if you're also lazily

and insecurely using the same there.

So this is alone a good reason to use

a different password on every website.

But here too there's


this theme of trade-offs.

Right, it's now becoming

more expensive cognitively

for you, just in terms of remembering

all this darn stuff, if we're making

you then have one password

for every website.

And we visit, we humans

these days, probably

way more than just 10 websites.

It might be dozens, if

not hundreds, over time,

that we actually have accounts on.

So surely you can't expect me to

remember 100 different passwords.

Well, there are tools.

There's software, free and commercial

alike, that you can install,

that are generally

called password managers.

And these are tools that store, on your

own phone or hard drive or SSD, all

of your usernames and

all of your passwords.

But, if they're good software,

they encrypt it on your hard drive.

So you choose, when you

install this software,

one main master password, something


that's ideally really big, really

pretty random, still memorable.

And maybe here, just to be super

safe, you write it down somewhere

and tuck it away somewhere super secure,

like, physically in a safe deposit box

or into a vault, somewhere that's

not a post-it note on your monitor.

And then, you store all of

your usernames and passwords

in that software, and protect

all of them with just this

one master password.

So in this way, you can literally

have a completely different

and even a completely random

password for every website you

visit, because these password managers

not just let you copy and paste

your password from them into a

website when logging in, you can often

use keyboard shortcuts,

so you don't even have

to remember your username or password.

You just hit a keyboard

shortcut, and voila,

the password manager logs

you into websites for you,

so long as you have

logged in to the software


itself, as you would

typically do once a day

or every time you wake up your computer.

So this is amazing,

because now it means I

can have 20-character, 100-character

passwords, if websites allow it,

on any website.

And frankly, these days, I

don't know most of my passwords,

because I let the software generate

something big and random and therefore

more secure, theoretically.

But there is a big,

big, big gotcha here.

If, god forbid, I forget or

lose that master password,

I have very, very securely

encrypted all of my accounts, none

of which I can now access.

So that's that one password

you just cannot forget.

And so I literally mean it when I say

you should probably write it down, tuck

it in a bank vault, tell

it to someone you really,

really trust who needs to have access,

because you've just kind of moved

the threat to a different location,


to your own recollection thereof.

So trade-offs to be

sure, but on the whole,

probably much more secure than the

passwords you're currently using.

Now, there are some better defenses.

Not all websites support

this, but increasingly

are they doing so, even

apps on phones as well.

So not too long ago,

this was the primary form

of something called two-factor

authentication, where

two-factor authentication

refers to having not just one

factor, but, surprise, two factors.

So what does this mean?

Well, the first factor, and the

factor we keep talking about,

is a password or a passcode.

It's something you know.

And historically, we

have used something you

know to authenticate you to a device

or a piece of software or to a website.

I am malan@harvard.edu, and

here is my 123456 password,

something theoretically only I know,

at least if it were a better password.


But that's not that

great, because, of course,

passwords can be stolen or guessed

or posted on post-it notes.

So slightly better than

one factor is two factors.

And that second factor

should be something

that's fundamentally different.

Not something you know,

like a second password,

which is at risk for the same exact

threats, but something you have.

So this thing here is

literally something

you would carry around on your

keychain, made by a company called RSA,

and it's got a battery and a

little computational device,

that shows on the screen a number,

six-digit number in this case.

And that number changes

every minute or so.

And it does so on a schedule.

So theoretically, it stays

synchronized with a server.

Indeed, there's a server

somewhere else that knows

what the unique ID of the


device is, and you can usually

read that off of a sticker on

the back or something like that.

And it knows that that sticker, that

device, is currently showing 159759.

And a minute later,

it knows, the server,

what new number this device is showing.

So theoretically, they

should stay synced,

and there's ways to help

them stay synced over time.

But what's nice now is that

if I have an account that's

protected with two-factor

authentication,

or two-step authentication,

then it's not just something

I know that I have to use

and type into the screen.

I also have to pull out my keys, in

this case, read off the number 159759,

and type that in as well.

So if an adversary gains

access to my password,

or just guesses what my

password is, it's not

a huge deal, because he or she is then

going to be prompted for something

they have.
And so long as they also haven't stolen

my keychain, they don't have this.

They therefore don't know

the number to type in,

and they don't have the second factor.

And they can't get

past that second gate.

So it really raises the bar.

It does not stop a hacker from

taking or guessing my password.

And it certainly doesn't

stop them from physically

going after the device I have on me.

But it does raise the bar.

And at least I'm a little less

worried about the people in this room

than I am about millions of random

potential hackers on the internet.

And thankfully, this technology,

two-factor, is getting even easier.

You don't need a physical

device like a company

like RSA used to have to send you.

You don't need your bank, for instance,

to send one of these dedicated devices.

You can actually use software.

So Google Authenticator exists.

There's something called Duo Mobile,

that's a commercial alternative there


too, that allows you, on

your phone, Android or iOS,

to just hit a software-based button,

see what the code is, and type it in.

So Gmail supports something like

this, as do many other websites

these days, increasingly

so, especially banks.

Right, and there, too,

I would encourage you

to consider these various trade-offs,

and to consider which accounts

are really the most vulnerable.

Which accounts do you

worry the most about?

Maybe you don't really

care all that much

about one of your social media accounts.

But maybe you care a lot more about

your bank and your savings amounts

and so forth.

And so maybe you should

be thinking about which

websites to enable two-factor

on, if it supports it.

And frankly, maybe you should

even be choosing websites or banks

based on which of them support

these kinds of defenses,

because it only raises the bar.


And they don't even

require special software.

You can actually use the SMS app on

your own iPhone or Android device.

And what companies

can increasingly do is

they'll send you a text message with

a code that you then have to type in.

So now those two factors

are something you know

and also something you have already,

something physical, like this.

All right.

So what about the network itself?

We've talked really about physical,

proximal threats thus far.

But what about the security of

the networks we actually use,

especially when so

many of the networks we

use these days are wireless-- my phone,

my laptop, other devices in my home

too, all somehow use

wireless especially.

So typically, you can pull up

a little menu on your computer,

whether it's Windows

or Mac OS, and see all

of the wireless networks in proximity.


And odds are, by now, you've been

conditioned to look for free Wi-Fi

in some form.

Right, one of the icons that

does not have a padlock on it.

And you choose that one, whether it's

Harvard University or some other SSID,

as it's called, the identifier

for a wireless network.

You connect to it.

And then usually a little icon

kind of blinks and pulses.

And then hopefully, within a couple

seconds, you're connected to Wi-Fi.

Now, sometimes it doesn't work.

And sometimes, even though a

network doesn't have a padlock

and it seems to be free, just doesn't

work for any number of reasons.

One, it might not be working properly.

Two, it might require that

you pre-register the device

on that network.

So there's different reasons

that it might not work.

But sometimes it does, especially at

Starbucks and airports and hotels.

Sometimes you have to pay for it.

And indeed, sometimes the

first time you visit a site,


you're prompted to pay, or at least

tell them your room number, in a hotel.

But otherwise, it just works.

But the problem is, in

all of those scenarios,

even if you pay for

that Wi-Fi, if there's

no padlock on the wireless

network to which you've connected,

it's insecure by definition.

It's not encrypted, at least not by

the network in the room that you're in.

Now, you might still visit

websites that start with https://,

that are using secure connections

and encrypted connection.

And that's a good thing.

And that mitigates this issue.

But maybe your email

doesn't use encryption.

Maybe a lot of websites you visit

don't use encryption either.

They start with http://,

and so that means,

on insecure wireless networks that have

no padlock and therefore no built-in

encryption, everything you do on

the internet can in fact be seen,

or sniffed, so to speak, by
someone else in the nearby area,

let alone elsewhere on the internet.

So if you see some creepy

person on their laptop,

you know, Mr. Robot there

in the corner, he or she

might actually be on

their laptop sniffing

all of the wireless

traffic in that Starbucks,

and anyone who is not

using HTTPS-based websites,

for instance, he or she might see

everything that's actually happening.

And what can you do then?

Well, one, don't use

that particular network.

Or two, maybe use something like

a VPN, a virtual private network.

Now, not all people

have access to these.

Sometimes, if you work for a

company, or go to a university,

you can actually install software

that allows you to connect

to a VPN, a virtual private network.

And what this means is that

your connection to the internet

is indeed encrypted.

So for instance, if this


is you here on your laptop,

and here we have the

internet, and here we

have some websites inside

some company's building

that you're trying to connect

to, typically, if you're

using insecure Wi-Fi,

your zeros and ones

might go here through the

internet onto that company

and then back in the other

direction, completely insecurely,

which means anyone in

Starbucks near you over here,

anyone theoretically with

physical access to the wires

and such on the internet

itself could access that data,

if it's all unencrypted from the get-go.

But what you could do, especially

if you're worried about Mr.

Robot in the cafe in

which you're sitting,

if you do have a VPN at your company

or university, like this one here--

we'll call it Acme--

where you work or go to school, you can

first establish an encrypted connection


here, where "encrypted" is going

to mean scrambled in some way.

It's not just text and

numbers that you see.

It's sort of random

permutations thereof,

because of an algorithm

that's being used.

And now you can let your

company or university

do all of the talking with

the rest of the internet.

So you're essentially tunneling, so

to speak, all of your internet traffic

through your own company or university

by way of this thing called a VPN.

There's still a flaw here, though, and

you can kind of see it in the picture.

VPN is between you and, like,

your company, or university,

or frankly, there's

third parties you can

pay these days some

number of dollars a month

so you can actually have a VPN

connection somewhere else in the world,

even.

But there's still an insecurity here.

Where?

Well, I've only labeled this


channel of communication

back and forth as encrypted.

And that's because odds are, if you're

just visiting an insecure website

that's just http://, well, it might

actually still be insecure once it

leaves your company.

So here, too, there's a trade-off.

You've increased the

security around you,

but you've really just

pushed the threat away.

There's still a threat.

It's just now random

people on the internet.

It's not Mr. Robot in the

very same cafe that you're in.

So maybe that's OK, because maybe you're

really only worried about nosy people

here, and not random

people on the internet.

Or-- but, rather, you've

paid another price.

Turns out that any time you do something

more to a process, as we're doing here,

odds are you're increasing

the cost involved.

Right, I don't know much about

encryption right now in the story.


But I do know it's something

I wasn't doing earlier.

So surely, doing something must

take more time than doing nothing,

to put it simply.

And so by encrypting my data,

by doing whatever algorithm

is necessary to scramble

my zeros and ones,

must be taking some amount of time.

And indeed, it might somewhat

slow down your connection,

to use a VPN, which might be a

trade-off, especially if you're

on a plane or something like that, where

your network connectivity is really

quite limited.

So a trade-off there.

Now, fortunately, companies,

and even personal computers,

have special devices, or special

software, called firewalls,

that I'll depict there.

And even your own laptop,

in some sense, has

turned on, or most likely has

turned on, its own firewall.

And I'm drawing it as a physical

line, as though it's a physical wall.

It's not.
It's just software.

A firewall is just, in the

physical world, an actual wall.

So if you've got, like, a strip mall

with lots of little companies and lots

of stores, one of which might

catch fire for some reason,

historically, a lot of

these kind of setups

would have physical walls, special

layers of bricks or other material,

in between the stores, so that

if there's a fire in one store,

it might still get hot,

but hopefully it does not

pass through into the

next-door store, because

of that additional insulation

between them, firewall.

Now, in the software world, it's kind

of the same idea, but it's all digital.

You might have software running on

your Mac or PC over here at left,

or your company is going to have

some kind of special software running

on the periphery of their network, where

the routers typically hand off data

to other networks

altogether, or other ISPs.


And those firewalls look at

things like the IP addresses

to which you're sending, or from

which you're receiving data, the TCP

port numbers that are being used.

And these firewalls can

help keep bad guys out

and help keep internal data inside.

So there's that additional

defense as well,

which is just yet another

piece of the puzzle.

Now, if you're running

Mac OS or Windows,

odds are you just want to

check if you're actually

enabling that on your

computer, so that when

you are on a public, especially insecure

network, unencrypted, to be sure

that no one can really be

hacking into your computer

with this high probability,

because at least

your computer is kind

of keeping them at bay.

But what does it mean to encrypt data?

Right, I've just kind of

been taking for granted

that you can encrypt


information in this way.

Well, what does that actually mean?

Well, suppose that I want to

send a message to someone,

like, the message, "Hi."

But I don't want anyone else in

the room, anyone else in the cafe,

to know whom I'm saying hi

to, or that I'm saying hi.

I might want to scramble this message.

So how might I scramble it?

Well, you know what?

Rather than send "H-I,"

I'm going to send "I-J,"

because that is not English, and

that makes no apparent sense.

So I'm going to send that in

a message, or that in an email

or a text message or some other digital

medium, from me to some other person.

Now, why did I choose "I-J"?

It's deliberate.

It's a little stupid.

It's not very secure.

But it's an attempt to be more secure.

"H-I" is the message I want to send.

"I-J" is what I'm actually sending.

But I've just used a

simple algorithm here.


I took a letter that I want to

send, and I changed it by one.

So H became I, and I, coincidentally,

became J. So I send "I-J,"

and I send that message to someone else

in the cafe, or across the internet.

What does he or she have to now do?

Well, he or she has to know that

the secret algorithm I'm using

is to not only rotate letters

by some number of places,

but they need to know the key.

The key to this algorithm is the number

of places that I'm shifting letters by.

So he or she has to know

that it was just one.

And that's why I say it's kind

of dumb, because one is not

that hard to just guess.

I could just try one,

and oops, there it is.

Hello.

But they have to know to unrotate

these letters by one place.

So I now becomes H

again, and J becomes I.

So this, then, was my plain text.

This, then, is my so-called cipher text.

And once decrypted, becomes

my plain text as well.


Now, it turns out this is

an example of something

called a Caesar cipher,

a rotational cipher.

We could make it a little more

interesting by rotating by two

places, or three, or 13, or even more.

But it's not all that secure if

it's pretty easy to just guess.

Right, even a bad guy who intercepts

this message could just try rotating

by one, rotating by two,

rotating by 25, and figure out,

just intuitively, and a little

methodically, what it is I'm

actually sending.

So rotational ciphers, not really

used on the actual internet.

There's more sophisticated means.

But there's also another

glaring flaw here to encryption,

which is, my friend to whom I'm

sending this message apparently

needs to know what that key is.

He or she has to know that the

secret was, in this case, one.

Now, that's kind of a

chicken and the egg problem.

Right, because for him or her to know


what key we're going to be using,

we have to agree upon it in advance.

So how do we agree upon it in advance?

I can't just send them a message

and write the number one on it

and send it, because it

would be unencrypted.

And if I even wanted

to encrypt it, I can't,

because he or she doesn't know how many

numbers of places to rotate it yet.

So maybe I pick up the phone.

I use a different technology, and

I say, hey, let's use a key of one!

But at that point, the story is kind

of stupid for a different reason.

Why don't I just tell them

"hi" at that same time?

Right, so if I'm already talking

to them via some other channel,

just give them the message.

Don't worry about a key.

And this is absolutely the

case when you visit a website.

Like, I don't really

know anyone personally

at amazon.com who can sell me a book.

I don't really personally know anyone

at Gmail who can send me my emails.

I know the website gmail.com.


I know the website amazon.com.

And my computer certainly doesn't

know another computer there.

It just knows its domain name and

maybe its IP address, eventually.

So it turns out, what we just described,

rotating characters one place,

is what's called secret

key cryptography.

So secret key cryptography

is predicated, of course,

on keeping that key, the number one

or 13 or 25 or something else, secret.

But there's also something called

public key cryptography that

satisfies this issue of chicken

and egg, where you need a secret,

but you can't establish a

secret before you have a secret.

Public key cryptography

addresses this as follows.

Whereas in the secret key

scenario, you have just one key,

in the public key scenario,

every person has two keys.

One key is private,

and one key is public.

And it turns out, there's a mathematical

relationship between these two values,


public and private, so that you use

the public key to encrypt information,

but you use the private

key to decrypt it,

which is to say that if I have two

people here, let's say Alice and Bob,

Alice has her private

key, we'll call it A,

and her public key, public

A. And Bob, meanwhile,

has his private key,

B, and public key, B.

And so when Alice wants to send Bob

a message, she sends it from A to B.

And she uses Bob's public key.

Bob, upon receipt of

that message, uses what?

His private key to decrypt it.

And again, for now, let's

just stipulate there's

a mathematical relationship

such that algorithmically,

Bob's private key can undo the

effects of Bob's public key.

Meanwhile, if Bob wants to reply,

let's consider what Bob uses.

Bob wants to send a reply to Alice.

So Bob uses Alice's public key.

Alice receives the message

and uses what to decrypt it?


Alice's private key.

And by nature of public,

these keys, A and B,

can literally be posted on the internet.

They can be read aloud on the phone.

They can be sent in an

email or a text message.

They are public because

mathematically, they

are meant to be divulged to anyone

who wants to know it, but especially

the person who's going to use it.

The private keys, though, meanwhile,

Alice and Bob have to keep private.

They can't reveal that.

They can't email it out.

And all of this happens

automatically in today's browsers.

In fact, when your browser,

Chrome or Edge or whatever,

uses the internet to connect

to amazon.com or gmail.com,

your browser has its own public and

private key, as does Amazon's server,

as does Google and Facebook

and any other website.

And unbeknownst to you, just

underneath the hood, so to speak,

is your browser using this crypto


system, this public key cryptography

mechanism, to exchange a secure message

with Amazon or Google or Facebook,

even though your laptop has never

met anyone at those companies before.

And so turns out, for efficiency,

what's ultimately used later

is very often secret key cryptography.

In other words, you use

this whole public key system

to just exchange a secret, like

the number one, but much bigger

number than number one, and

much bigger than 13 and 25.

You just use it to exchange a secret

that you probably dynamically randomly

generate.

But this public key system is what

solves, ultimately, that chicken

and the egg problem.

So even then, within the

world of our network,

do we have not only constant threats,

especially these days wirelessly, we

do have a number of

protections-- software,

but also algorithms-- that help

keep some of those threats at bay,

and also help us avoid some

of those threats altogether.


So what remains?

Well, going around this campus lately

are actually posters like this--

Report Phishing.

And this is a technique that's

actually been around for years now,

but it seems to kind of be gaining

even more momentum, frankly,

especially as email clients are

getting a little more sophisticated

and a little more featureful.

Phishing attacks are when

some adversary, some bad guy,

sends you an email, typically,

that looks legitimate,

looks like it's from paypal.com,

looks like it's from your own bank,

looks like it's from an actual website

on which you might have an account.

And it usually says something

stupid like, please click here to--

it's not even stupid.

It's just completely malicious.

"Click here to reset your password."

Or, "click here to

confirm your identity."

Or, "click here to confirm

your bank account details."

And sometimes it will start


with a preamble explaining

how they're doing this as

standard security practice,

or sometimes they're doing this--

they say that, oh,

something has been hacked

and we need you to change your password.

It doesn't even matter

what the story is.

The point is, they're sort of trying

to fish and reel you in and trick you

into giving them information

that they really shouldn't have.

And so this is so

rampant lately at Harvard

that there's posters all over

campus encouraging people

to report phishing attacks,

so then at the network

level and the email servers,

these kinds of attacks

can hopefully be filtered out.

Because what actually

happens in these attacks?

You get an email that might

look like it came from Gmail.

It might have Google's logo.

You get an email that looks like

it might have come from PayPal,

and it's got their logo, and


it's got a lot of fancy text,

and it has even a secure message on it.

But the link that's in it, odds

are, does not go to paypal.com,

and does not go to google.com,

or your own particular website.

Odds are it goes to a

completely random URL,

or maybe it goes to a slight

misspelling of that URL

that someone else has bought.

And it might even lead, once

clicked, to a website that

looks like identical to the

real PayPal or gmail.com,

but that's just because someone knows

HTML and copied PayPal's or Google's

or whoever's HTML.

All that's pretty darn easy.

They're just trying to socially

engineer you, trick you as a human,

into believing them, because it

looks like a legitimate email,

into behaving in a reasonable

way, but in the wrong place.

And the phishing attack

leads, generally,

to you accidentally or unknowingly

giving someone your identity, giving


them, god forbid, your bank

account details, your usernames,

your passwords, because you've been

duped by a social engineering attack.

So what's the giveaway there?

Well, one, distrust most

emails that you get.

Even when you do get an email

from your bank and it looks legit

and maybe it is legit, don't click the

link in the email, right, just in case.

You know you're a customer

at BankOfAmerica.com.

So you go to your browser and type in,

literally, BankOfAmerica.com, Enter.

Go there without using

the link in the email.

Log in, and then find

your way to whatever

it is that email was telling you to do.

Don't click on a link from Google.

Go to gmail.com, hit Enter,

log in in the usual way,

and don't trust the email.

But look at these emails

with a discerning eye, too.

Does it look like it came from

a sketchy-looking email address,

sort of a random Gmail address,

not an official-looking account?


But even that can be spoofed.

So it's not a tell.

But sometimes you'll see

typographical errors.

Hopefully, you think,

good marketing departments

don't send out emails

with typographical errors.

So that could be a tell.

These are not reliable tells, though,

because you can forge an email address,

and you can certainly

spellcheck a phishing attack.

But these are just things that

should raise red flags in your mind

and should set your radar off.

But in general, just

avoid clicking things

that themselves might not be

safe, because what might happen?

Well, you might indeed end up giving

away sort of the keys to the kingdom,

like your identity, your bank account,

your usernames, passwords, and more.

But your computer might

even get infected somehow.

Right, it's often the case that these

URLs lead you to websites that are

infected with something--


malware, malicious software--

that can do anything.

Especially in the Windows world,

where computers have historically

tended to be under

greater attack, you might

be led to a website that somehow

injects into your browser,

and in turn into your computer, a

piece of software that someone with way

too much free time and way

too many malicious intentions

has written in order to erase your hard

drive or send spam from your computer

or encrypt all of your files.

Indeed, some of the attacks these

days do something really draconian,

which is they'll encrypt data on

your hard drive, or for a company,

they'll encrypt a company's

database, and then send them

a nasty-written email saying,

pay us $500, pay us $5 million,

in order to get the key

to decrypt your data.

And maybe that key doesn't even work--

that's even unclear-- effectively

giving term to the word

"ransomware," where it's

software that effectively ransoms


your data, expecting some kind of

payout before it's given back to you,

or effectively, decrypted for you.

So malware can be anything.

At the end of the day,

any piece of software

can do anything on your computer

that it wants, especially

if it's been installed somehow

with administrative privileges,

or has taken advantage

of bugs in software,

to somehow get onto your computer

in ways that weren't intended,

but that are nonetheless possible.

And so this is even a

more worrisome threat,

because you might not

even realize thereafter

that you've been compromised,

and the software might just

keep running and running and running.

And that, at the end of the

day, is kind of the core issue

with all of these threats

to one's security,

privacy, your data,

your devices, and more.

It really boils down to trust.


Do you trust the people around you?

Do you trust the algorithms and

the software that you're using?

Do you trust the manufacturers of

the hardware that you're using?

Consider, after all, that

we've focused for the most

part on Mr. Robot in cafes,

random people on the internet,

and nosy neighbors and

roommates and family members.

But where did all of the

hardware and software

come from that's legitimately being

used by you on your phones and laptops

and desktops every day?

Well, a lot of it comes from

Apple, or Microsoft, or Google,

or other companies.

But odds are, all of us have installed

software from the so-called App Store

or Google Play, or from

random websites, or we've

bought software and

installed it on a computer,

or downloaded it in some form.

But who's to say that Microsoft Word

isn't logging every keystroke you type,

whether or not you're

inside the program itself?


Who's to say that Google is not watching

everything you do within Chrome, even

if you're not on google.com?

If they wrote the software,

Microsoft or Google,

they could be doing both, or

all of those things, or none.

Hopefully none.

But it's all about trust, because even

though we could audit our computers

and we could kind of use the

activity monitor or process

manager to see what it

is they're doing, there

have been cases where the

specially malicious software has

been written to cover its tracks.

So it doesn't even appear in the process

monitor or process manager or activity

monitor.

So it's still there and running, but

it's kind of hiding itself altogether.

And that makes it even harder for all

but the most sophisticated security

folks to actually find,

let alone little old

me or random users on the

internet who might be infected.

Right, so who's to say the


very software we're using

is actually doing what we say?

Who's to say that Snapchat

is actually deleting messages

after three seconds, or 10 seconds?

It's just what they say.

What if there's a bug?

What if there's a malicious intent?

What if there's a malicious

employee who simply programmed

those devices to do something else?

So at the end of the

day, it is very easy

to sort of curl up into a ball and

sort of tearfully worry about all

of these various threats.

But at the end of the day, what really

we need to do is decide whom to trust,

and how much to trust, and

what kind of risks to take.

At the end of the day, there

are no surefire answers

to any of these threats.

There are defenses, but they really

just raise the bar to the adversary.

They raise the cost to

him or her, and they

increase the probability of

your security and your privacy,

but they don't guarantee it.


You yourself have to decide

how much you're comfortable

doing on the internet,

how much data you're

comfortable storing on your computers,

and ultimately, whom to trust,

and just how much to trust them.

That, then, is security.