Password Security, Incognito Mode – CS50 Podcast, Ep. 3

[MUSIC PLAYING] SPEAKER: This is CS50. DAVID MALAN: Hello, world. This is the CS50 podcast, episode 3. My name is David Malan, and I’m
here with CS50’s own Colton Ogden. COLTON OGDEN: Indeed. Last time– sort of to segue into
what we’ve talked about recently, we were talking a lot
about facial recognition. That’s an emerging thing– we’ve gotten better at
it– machine learning has gotten better at
detecting people’s faces. And with that, there are
a lot of security issues. And this week, it seems like there are a
couple of incidents in the news related to facial recognition, first on the
list being the New York City subway system actually. DAVID MALAN: Indeed. I saw some articles pop up where there
were LCD screens of sorts and cameras, there supposedly to
capture fare jumpers– people who are trying to sneak through
the gates without actually paying. But the interesting thing about
the screens was it wasn’t just CCTV or closed circuit
television, like in the UK where you see yourself on the screen
or in a convenience store here, but rather there were little rectangles
appearing around all of the faces in the image which suggested,
indeed, they were actually detecting faces which was worrisome. COLTON OGDEN: Right, and the
company featured on the video feed was Wisenet which has been known
for its facial recognition software. So presumably, the folks– specifically, New York Times analyst
Alice Fung was concerned at seeing this and that it sort of raises issues. How many companies are
out there, you think, gathering people’s facial information
and using it to make decisions? DAVID MALAN: Well, it’s
probably increasingly present. And the funny thing is,
here, they, to their credit, graciously showed you the fact that
there was facial recognition going on, which was probably part of the purpose. Because I recall that
“recording in progress” and “please pay your fare” were
among the messages on the screen, so there’s probably a bit
of psychological feedback there such that you realize, oh,
not only are they filming me, they recognize me in some
sense, even if purportedly they weren’t doing anything
with that information or tying it to an actual identity. But you gotta imagine that this
probably does happen in other contexts when there isn’t an LCD
screen and certainly when there aren’t little
rectangles around your face, you can still do it in real
time or in post-production even. COLTON OGDEN: And to your
point previously, computers are only getting faster and smaller. People are going to be able to
implement this technology everywhere and we won’t even notice it’s there. DAVID MALAN: Yeah. And I’ve been thinking
about this for some years now– as have privacy experts
certainly– all of us, myself included, like a bunch of dummies, have been
uploading for years photos of ourselves to social media and tagging
ourselves, essentially training these machine learning
models to better detect us. I mean, my god, we’re sort of
accidentally, or unknowingly, or unwittingly opting into all of this. COLTON OGDEN: I wonder how much of that
Facebook has sold to other people. DAVID MALAN: Yeah. Well, I mean, what a powerhouse– COLTON OGDEN: They
probably have the biggest– DAVID MALAN: –they, and
Google, and Apple, and others. I mean, my iPhone can detect faces
and that’s in real time certainly. If I were to take a
photo of you right now, I’m going to see a little
rectangle on your face. COLTON OGDEN: Right, exactly. And I mean, the New York City
subway isn’t the only in-the-news sort of organization that’s been
using this sort of technology. Also JetBlue recently has had
sort of a recent scandal in that. MacKenzie Fegan actually
posted on social media– she was allowed to get into her
flight just by not even having to use her boarding pass or the like,
but actually getting her face scanned and that proved to be enough
credentials to get access to her flight. DAVID MALAN: Yeah. I think it completely
caught her off guard as it would have me if it
were I in her situation, because apparently they had grabbed
data from the US State Department. And this was supposedly
a legitimate usage, but it was not something
that was particularly well-disclosed or documented, certainly
as far as this passenger goes. And frankly, that would
make me uncomfortable, especially if a private business
now– which JetBlue is– is using data that was collected, it
sounds like, for governmental purposes, whether it was for passport, or for
some clearance purposes, or the like. I mean, all it takes is
for one person to overshare and then that information
too is potentially in hands you don’t want it to be in. COLTON OGDEN: Yeah. Based on what I read, it seemed
like JetBlue actually wasn’t storing the information themselves. They were using the United States
Department of Homeland Security and sort of almost like
an API on their part, and actually authenticating
the information with them. And there wasn’t actually
any storing of the data, but it does make you wonder
whether companies are, one, telling the truth about this, and two, if
they’re using this sort of technology and not disclosing it, how much
is getting stored, where and when? DAVID MALAN: Yeah. And this is happening so quickly. I mean, it wasn’t– actually, maybe it was all that long
ago that I was in graduate school, but I’m thinking back as
though it was yesterday– when I was in graduate school and I
remember one of my fellow graduate students gave a talk. I think it might have been
his thesis defense, so at the end of his grad program, where he
actually turned a webcam or some camera on the whole audience who was there
to see his talk, and in real time, he blew everyone’s minds by actually
showing in real time little rectangles or whatnot on top of everyone’s faces. And that was bleeding edge at the time. And now I think we’re all
rather desensitized to the fact that computers can do this. And now we seem to be
entering the phase where people are starting to realize what
the information can be used for. It’s not just to playfully tag
friends and family in photos, or to find photos among your
iPhone or Android photos. Now it can be used to really
identify you as a biometric detail. COLTON OGDEN: It’s kind of scary. I mean, there are pros and
cons to having this be more widespread, easily available. Pros potentially being–
depending on where you are, whether or not you
want your face visible, whether you want to be tracked– this could be good for law enforcement,
certainly in certain cases. But as an innocent citizen
this might not necessarily be great knowing that the government and
potentially a lot of private entities know where you are at any
given moment’s notice. DAVID MALAN: Yeah. I mean, you could imagine there are
Nest cameras, for instance, in the US that are pretty popular just as in-home
security devices. You could presumably start logging
every passerby who strolls by your house just by patching your own
hardware into some API or to some website that can actually
do the facial recognition for you. And it’s amazing how good it is. Like, even on Facebook when we post
photos from CS50 from the class, I’m astonished sometimes when it
notices even in the smallest of photos, the smallest of faces
are actually picked up as an actual recognizable human. So you don’t even need
all that good of an image. COLTON OGDEN: Or even like
profile shots too, or side– I think that’s the right term– the side of the face–
that’s a profile shot. Yeah, it’s pretty frightening. Also frightening, [LAUGHS] the UK
Cyber Survey recently talked about some of the information
they’ve gathered recently. It’s a little bit disconcerting. Certainly you’ve talked
about this before a lot– insecure passwords and some of the
most common insecure passwords. DAVID MALAN: Yeah, this is
sadly a recurring topic. I think the number one password
yet again was “123456” I think was the number one password. COLTON OGDEN: 23.2 million
victim accounts worldwide. DAVID MALAN: [SIGHS] And so
let’s flesh this out a bit. Why “123456?” Like, how did 23 million people all
decide on that one would you think? COLTON OGDEN: It’s
incredibly easy to remember. It’s right there on the keyboard. DAVID MALAN: Granted,
and something tells me that the systems all of these 23
million people are using probably have a minimum password length of– surprise, surprise– COLTON OGDEN: Six digits. DAVID MALAN: –six characters. Yeah, exactly. COLTON OGDEN: Another very popular
password, located right below “123456” on the keyboard, is “QWERTY.” DAVID MALAN: “QWERTY”– [LAUGHS]
because on a typical keyboard– a QWERTY as it’s called– that’s the top row of
keys on the top left. COLTON OGDEN: They released the top
100,000 passwords that they found, and I believe that was number three
on the list, below “123456” and, I think, “password.” And it’s disconcerting just
how many people are doing this, but we preach this all
day long and it doesn’t seem to necessarily work all the time. DAVID MALAN: We can’t
change the world perhaps, but I would like to
think and hope– and I’m sure there have been studies
that could quantify this– that at least the rate of people
are being educated hopefully, and as the software is getting
better, as the corporate policies are getting better, people’s
habits are hopefully changing. But, no, I’m sure both of us know
people who have pretty weak passwords. In fact, am I looking at one right now? COLTON OGDEN: No. DAVID MALAN: Can you
think of one account that is just kind of a throwaway? COLTON OGDEN: In the past, I think
I was guiltier of this growing up. But I think especially the last
five years, I’ve grown to be– not only avoiding using the same
password on multiple accounts, but making sure the
passwords I do use are long– 10 characters plus– have mixed
characters, special symbols, numbers, that sort of thing, which
I think websites nowadays are doing an excellent job
of detecting this in advance. I’ve noticed when I’ve
been registering for sites, they’ll typically say, ensure your
password is x characters long, has a special character– dollar sign,
exclamation point, what have you. Even things like parentheses– these are
nice because people don’t often think to include these in their passwords,
and it adds yet another character– some program used to
brute force passwords has to add to the list of digits
it needs to exponentially account for in each digit of the password. DAVID MALAN: Absolutely. But some sites frankly are annoying
because they will explicitly enumerate what symbols you can use. And at that point, my level of interest
in choosing the password according to rules really starts to fade quickly. They should not be confining me to type
only a subset of printable characters. Frankly, there’s a
couple hundred characters that I should be able to
express on my typical keyboard. And frankly, I think
it’s often that people misunderstand what dangerous characters
are in the context of a SQL database. We talk in CS50 about SQL
injection attacks and the like, and so people put these
artificial constraints when, frankly, just sanitizing
the user’s input and escaping potentially dangerous
characters like semicolons or quotation marks in SQL or other languages
is really the solution. So some people, I think, just
aren’t really getting the message. They’re hearing that I need to make it– I need to insist on
difficult-to-guess passwords, but they don’t necessarily
appreciate the implications for UX or user experience,
which is what’s nudging people in the first place to
choosing weak passwords so that they can simply remember them. COLTON OGDEN: Sure. That makes total sense. I’m guessing people might, as
a precaution to your point, avoid using things like
parentheses because they fear getting a SQL injection attack. I mean, if you’re using a password
manager like we do in CS50, which we’ve talked about
in prior podcast episodes, often you’ll see characters like
that– things like curly brackets, parentheses, dashes, what have you– everything’s fair game
knowing you could win. DAVID MALAN: Yeah. And you can just let
software generate it for you. And I’ve been such a fanboy for
so long of password managers that all of us, of course,
here on the team use. But I gotta admit, I’ve heard now
in the wild of the one corner case that you don’t want to happen. And this comes from– he or she shall not be named– but one of our most amazing colleagues
actually conveyed to me recently that they forgot the one
thing you can’t forget when using a password manager which
is your so-called master password! The most important– the only
password that you have to remember. And gosh, I can only
imagine the stress then of having to go through
and change dozens, hundreds of accounts’ passwords. So this is sort of a multi-tier problem
where you probably want to have, frankly, a printout of
that master password. Maybe tuck it away into a bank
vault or something like that. Tuck away under the mattress so at
least no one can, with some probability, find it. But it’s a tricky thing to
navigate because it’s probably not the most secure thing to
keep it only in your head, because God forbid you
do forget it, or lose it, or you don’t use it for so
long that it just fades away. Now you got a problem. COLTON OGDEN: And heaven forbid your
master password is “123456.” DAVID MALAN: [LAUGHS]
Hopefully the software is good enough to defend against that. COLTON OGDEN: On the heels
of terrible passwords, turns out that there was a terrible
password exploitation event at a tech company called Citrix actually. DAVID MALAN: Yeah. So we actually used years ago
Citrix, but they were very well known at the time for
load balancing hardware. Nowadays, it’s so much easier to do
this in software and in the cloud, but Citrix made load
balancers– hardware that lets you have multiple servers and
spread lots of users’ load across them. And I think what was
hypothesized here was that one of their internal,
very important accounts was compromised by just a brute
force attack trying a whole bunch of random or non-random passwords. Case in point, you can just grab these
list of the most popular passwords out there– start with those before you even
do start to brute force things. And I think they noted that
because the accounts in question, or account in question, didn’t
have two factor authentication, like a key fob or a unique
code associated with it, that they ultimately found an
important account to access. COLTON OGDEN: Yeah. This is huge. Two factor authentication– I
mean, we use that for everything. It just really sort of– I mean, this is an old idea too. From what I understand, this is
done with, like you’re saying, literal physical devices
back in the day– pre-iPhone era. DAVID MALAN: Yeah, it’s gotten
easier with software certainly. COLTON OGDEN: And yeah, that
was really the main thing. Password spraying is the term–
literally just throw this 100k list that the UK Cyber Council released. Just use those passwords and then– how many companies do you think? It’s a goldmine for hackers out there. DAVID MALAN: Oh, absolutely. COLTON OGDEN: 23.2 million. DAVID MALAN: It’s kind of fun to joke
about what the top passwords are, but these are actually
real attack vectors to actually use that data
not for good, but for evil. COLTON OGDEN: Yeah, it’s unfortunate. But in better news, have you heard– DAVID MALAN: Happy thoughts. COLTON OGDEN: –Apache is migrating
to GitHub or has migrated to GitHub? DAVID MALAN: I did. CS50’s own Colton Ogden
told me about this, in fact. COLTON OGDEN: It’s pretty cool, right? DAVID MALAN: Yeah. I mean, Apache Foundation has so much
open source software that we ourselves have used for years, like Apache,
the web server for instance is one of the biggest
and the most popular. And I gather they’ve migrated
a lot of their code base that’s already open source, but
to a new platform, GitHub, which is kind of where it’s at certainly. Not the only such service,
but certainly a popular one. COLTON OGDEN: Yeah. And making their code, I mean, really,
accessible to millions and millions of developers. DAVID MALAN: Yeah, but to be fair,
their source code, to my knowledge, was always open source,
just in different places. I mean, for many years,
SourceForge was quite the thing and it still exists, although it
doesn’t have nearly the same cachet or feature set as your GitHubs,
your GitLabs, your Bitbuckets do. And even among those last three,
I mean GitHub probably still has the highest profile. And it’s kind of an interesting signal. Even I, rightly or wrongly, when
I’m sort of Googling around looking for open source solutions
to problems we have– libraries or packages
that I kind of want– I’ll see something on one of these
older platforms like SourceForge and think, oh, I wonder if it’s
actually still actively maintained. Whereas if I see it on
GitHub and I also see some commit history in recent days or
months, that’s a pretty useful signal. COLTON OGDEN: Yeah. And I mean, I wonder how
much of that is a function of being on another kind of source
control platform, like Mercurial. Maybe people just don’t
want to go through the issue of losing all of that history that
they would have to inevitably transfer. I don’t know if maybe there’s a way to
actually migrate that to Git somehow. DAVID MALAN: You can,
and GitHub actually supports multiple protocols– just Git
is the de facto, perhaps most popular, nowadays. But I can totally appreciate how folks
who sort of are very comfortable using one platform, or think
SVN, or Mercurial, or whatever is just better than Git. That’s fine. So I think it’s important not to become
a hater just because one service is more in vogue or one technology
is more in vogue than the others. I mean, it doesn’t necessarily solve
any more problems putting your code on GitHub than putting it
anywhere else, but it’s just certainly consistent with
trend these days, perhaps. COLTON OGDEN: Yeah. I mean, to your point, I think
GitHub is just the nicest user experience for source control. DAVID MALAN: I do think the UI is
terrific– yes, I do think they’ve got a lot of those details really right. COLTON OGDEN: And
that’s really, I think, why so many people are
using it so much now. It’s just a pleasant environment for
the millions of developers out there. You’re going to want to spend your time
enjoying your workflow, presumably. DAVID MALAN: Yeah, it works well. I mean, we internally
certainly use it all the time. And actually, we just
started last night– as recently as last night playing with
a feature that GitHub rolled out some months ago, I think, now
called “code owners”– maybe even a year or more now– where you can actually specify
in a special config file– which, to be fair, is specific to GitHub. It’s not a Git thing, per se. So we’re starting to get a
little proprietary in that sense, or a bit of lock in
with certain platforms. But we use this config
file called “code owners” to specify which of our CS50 staff,
quote unquote, own a particular file, or a subset of the file,
so that now I know– and you and I were talking
about this last night– if someone wants to make a change to
a particularly important config file, I will be automatically notified
and I need to approve it. And it’s just kind of a nice
comfort that we can’t accidentally break each other’s work. We’re going to notify each other
automatically for the right context. COLTON OGDEN: Yeah. It’s a beautiful thing. I mean, GitHub– at that point– DAVID MALAN: [LAUGHING] It’s just
a beautiful way of describing it. COLTON OGDEN: Oh, thanks. Well, what I was going
to say is that it sort of ventures out of the territory
of source control and more into project management in that sense. DAVID MALAN: Oh, absolutely. But I can see some
tensions here too when it comes to these open source platforms. We are starting to get a little
more locked in the more and more of these features you use. But I do think features
like this clearly were created to solve
some people’s problems, and frankly, I’m really glad
this particular one exists, though undoubtedly other source control
platforms provide similar features as well. COLTON OGDEN: Indeed. I need to go maybe do a little bit of
exploration if they’re still around. I don’t know– GitHub is
picking up a lot of steam. DAVID MALAN: Yeah, absolutely. Well, we for quite a while
used Bitbucket for past courses that I’ve taught. They were terrific early on
about providing free repositories for personal use, for educational
use when other platforms like GitHub weren’t. So there’s definitely
some options to consider– GitLab being another big one. COLTON OGDEN: Yeah, and
on that note, I mean, GitHub fairly recently has allowed– I don’t know if it’s unlimited
private repos– is it for accounts? DAVID MALAN: There’s some limits,
but they’re quite generous now. I think ever since the
Microsoft acquisition of GitHub, they’ve gotten a little more flexible,
it seems, with what they can offer. COLTON OGDEN: Yeah. Previously, you didn’t
get any– is that correct? DAVID MALAN: You would have
to pay unless you signed up for the educational plan, which they
were also very good about granting. But there was a process– you
had to scan your ID, or upload a photo, or the like. So there was an approval
process that could be a hang up for some folks
and some email addresses. COLTON OGDEN: Indeed. Interesting design
thing from Instagram– DAVID MALAN: Yeah, speaking of UX. COLTON OGDEN: –it turns
out that they have– in their Android code, there was
a little bit of a design change that they were I guess going
to roll out in the near future. DAVID MALAN: Or at least
it’s buried, it seems to be. At least it’s available,
maybe for A/B testing or such. COLTON OGDEN: Sure. Essentially, the feature is that
only somebody sharing a post will be able to see the total
number of likes that a post gets. In other words, if
you’re looking at a post and you haven’t shared
it yourself, you actually have to like it or not like it on
just the merit of the post itself. DAVID MALAN: Yeah. It’s like those things that you
have to– those polls online you have to vote before you
can even see the results. COLTON OGDEN: Which is kind
of an interesting idea. How do you feel about this? DAVID MALAN: I don’t know. I’ve been thinking about that. I’m not qualified I think to
have an informed opinion on this, but I certainly have gleaned
from reading articles over the past few years that
social media has exacerbated certain tendencies, or
people’s sort of obsession with others’ behavior, or
certainly a time sink at best. And so there is this sort of
herd effect that you sometimes get, where people might be
upvoting based on past upvotes. They might be
internalizing what it means for people to be upvoting your posts. So frankly, this only seems
like a solution to one problem. Indeed, it seems to be
potentially unhealthy if too many people, especially maybe
adolescents who are just growing up with technology for the first
time, are a little too obsessed with others’ perceptions of each other. So, I mean, these are very powerful
knobs that the Instagrams of the world, and the Googles, and the
Facebooks more generally are starting to turn in interesting ways. And perhaps hopefully
rolling things back a bit so that we’re not all so fixated
on what each other are doing every minute of the day. COLTON OGDEN: Yeah. I mean, as an experiment– a social
experiment or what have you– I think it does have interesting
grounds in that sense. Gather some data, see how
that changes people’s trends. DAVID MALAN: Yeah. And even I’m guilty of this. When we’ve uploaded CS50 related
photos or photos of me that get tagged, I take this perverse
interest in seeing how many upvotes some particular photo of our
event or some aspect of the course has gotten. And at the end of the day, I’m not
sure that’s actionable information. Like, what am I going to do
with the information that suggests this was upvoted a lot
other than derive some weird sort of gratification perhaps,
or just sort of pride– [LAUGHS] I guess pride is OK. But I’m not sure it’s the best focus. I mean, I think it’s the communication
capabilities of these platforms and the shareability of maybe
moments that’s important. But the upvoting, the downvoting,
the smiling, the laughing– I don’t know. This certainly benefits the platforms,
because it keeps the users engaged, keeps them coming back, keeps
them sort of a sticky asset. But I’m not sure it’s doing
us humans all that much good. COLTON OGDEN: I would wonder in the
context of something like Amazon if you couldn’t necessarily see
the number of reviews on a product, or the number of stars on a product. In that case, it’s different
because you’re actually making a financial decision to purchase
a good and comparing it to other goods. DAVID MALAN: Even there, that’s a
whole can of worms with fake reviews too and sussing that out. But what is interesting
there too is when– frankly, this is useful when you want– when you need an
accessory for something. Like, you buy one of those Swiffers–
like the little brooms and you need the replacement parts– the little cloth. It’s really useful that
Amazon tells you people who bought this also bought that,
because you don’t have to go searching around looking for the related things. You can use that signal. So thank you, machine learning. COLTON OGDEN: It makes
Amazon more money. DAVID MALAN: That’s not even machine
learning, that’s just some loops. [LAUGHING] COLTON OGDEN: I mean, it’s good though. That stuff is important–
like, it saves Amazon– well, it makes Amazon money and it
saves us time trying to find that stuff. [INAUDIBLE] DAVID MALAN: I’m guessing they
prioritize it for the former reason. COLTON OGDEN: Probably, but
maybe the more time we have, the more money we can spend, I guess. DAVID MALAN: There we go. So it’ll be interesting to see what
apps like Instagram ultimately do. Because I mentioned this was kind of
buried in the code and it’s possible they might be using it experimentally. And for those unfamiliar,
an A/B test generally refers to the process of
trying out a new idea, but only on a subset of users. So group A gets the
feature, group B does not. And you sort of analyze the impact
of that feature on that userbase. COLTON OGDEN: Sure. Have you heard of this
thing called the 768K Day? DAVID MALAN: I hadn’t because I
actually missed 512K Day some years ago. COLTON OGDEN: Do you know what 512K is? DAVID MALAN: Well– so
kilobytes, I believe, and it refers to how much
memory a device might have. And my understanding of the situation
is that back in 2014, we missed– I missed– 512K Day which was when the
amount of memory that was being used by various routers’ routing tables– so essentially spreadsheets that have
some rows and columns that map IP addresses to the directions that they
should be routed to on the internet– at the risk of oversimplifying–
a.k.a. routing tables– was capped at 512 kilobytes. And one of the big router
manufacturers rolled out an update that added a few more thousand
rows to a typical routing table that put it over the edge, and
the whole internet broke is the oversimplification. COLTON OGDEN: So kind of like a Y2K. DAVID MALAN: In a sense,
where Y2K was more about humans made a conscious decision
to represent information using a finite number of
bits, whereas this is really like the hard drive ran out
of space or the RAM overflowed because it was all being used. So this was a solvable problem by
just throwing more memory at it. But some of these routers
were old enough and maybe passively enough maintained
that people didn’t realize that they were about to
overflow their memory bank, so to speak. Memory banks– I sound old. [LAUGHING] COLTON OGDEN: This is
sort of a function of just having a lot more networks come out
of the woodwork across the world than we anticipated. DAVID MALAN: Yeah, it was an interesting
litmus test of like, hey, raise your hand if you only
have 512 kilobytes of RAM, because you went down on that day. So 768K Day is nearly upon us, which is
apparently when those routers that were a little pricier back in the day–
had 768 kilobytes of memory– and that too is about to be filled up. COLTON OGDEN: It’s kind of crazy. I mean, presumably, this is a lot. I would assume of
routers– back in the day, people were thinking about this problem. DAVID MALAN: Oh, it’s
all about efficiency. I mean, yeah, you want to use
only as much memory as you need, and you want to keep
things super compact. So these are very low level
devices with very minimal overhead. COLTON OGDEN: Hopefully, we don’t
see as crazy of a shutdown at– from what I was reading
in the article, 768K shouldn’t be as disruptive as 512K Day. I think there were more routers
at the time that were suffering from that lower memory threshold. But we are getting very close– we’re
very close to this new sort of pseudo apocalyptic digital day. [LAUGHS] DAVID MALAN: But it’s interesting
seeing this trend in industry. Like, this certainly
happened with Y2K, and it’s going to happen again in,
what, 2038 when we run out of seconds since January 1st, 1970. COLTON OGDEN: Oh, for the Unix time– DAVID MALAN: It’s the Unix timestamp,
the 32-bit timestamp if I’m getting the year and the math right. But it’s interesting because
humans seem to, in tech, have this tendency of
solving problems, let’s say, at the last minute or slightly
too late, because all of these are foreseeable problems. Even Y2K we could have
foreseen in the year 1970. But of course, folks
assume that, oh, we’re not going to still be running this hardware
or this software at that point. And at this point too, you might
just have human personnel changeover, so you might not realize that some of
your devices have these limitations. So it’s kind of interesting
how these very conscious design decisions at the time, that might have
been perfectly reasonable, especially when memory was scarce and
expensive, were the right call, but it comes back to
bite you decades later. And it’s not even you necessarily,
it’s like the people who succeeded you. COLTON OGDEN: So this
will probably be more applicable to maybe older, smaller
businesses that don’t have the latest routers, modems, that sort of thing. DAVID MALAN: Maybe, but if
you’re a small business, odds are you’re not running
necessarily your own routers. You’re simply connecting
your small local network to a bigger fish, so to speak. So I think it would– I’m not sure exactly who
should be most worried here. But I will– it has got me
thinking, even about things we teach for instance at the university
level– things like SQL databases and representation of integers. We talk in the class– CS50– about ints and bigints, or
32-bit choices or 64-bit choices. And this is one of these things
where there’s not necessarily– it’s not a big deal these days
to use 8 bytes instead of 4, but it’s an interesting opportunity to
kick a can even further down the road, so to speak. Because it’s going to be a lot
harder if business is booming, or we’re storing a crazy amount
of data some years from now, it could actually be really
time consuming and really expensive for humans to go through and
fix all of the database tables, all of the code that might actually be
writing one data type or the other. But then let’s just spend more
memory now if we can afford it and avoid this problem altogether. It’s a really interesting trade-off, I
think, as to just how far down the road you kick the can. COLTON OGDEN: Yeah. I mean, thankfully, 64-bit is a
lot– it’s a lot of information. DAVID MALAN: It is– well,
not in cryptography though. That’s tiny little– COLTON OGDEN: That’s true. You need at least 512 bits there. DAVID MALAN: For sure
these days, if not more. COLTON OGDEN: Yeah. Chrome– this is interesting. DAVID MALAN: Yeah. Those of you who are
like, incognito mode! COLTON OGDEN: Yeah,
they’re going to make it harder to block incognito browsing. So some companies can detect
whether you’re using incognito mode. DAVID MALAN: Yeah. This has gotten really
annoying in recent years, even for development purposes when
you’re trying to understand a website and it says, sorry, can’t do
that– you’re in incognito mode. COLTON OGDEN: Yeah. Apparently websites are able
to detect whether Chrome has its file system API open which, if
you’re in an incognito mode right now, you can’t actually use that. COLTON OGDEN: Yeah, the ability
to read and write files locally. And like, news sites have
increasingly been using this because they don’t want you– and understandably–
accessing the content for free if you’ve already exceeded your
free threshold, for instance, for the day or the month. But they’ve been using
this side effect by trying to use this file API in
browsers, and if it fails, they have up until now,
at least on Chrome, been able to infer, oh, you’re
probably using incognito mode and that’s why it failed. COLTON OGDEN: Right. And in order to get around
that, essentially Chrome cleverly plans on using a sort of
a temporary virtual file system– DAVID MALAN: Yeah, that’s very smart. COLTON OGDEN: –in RAM to trick the
server into thinking that it does have access. DAVID MALAN: Yeah. So you’ll be able to read and write
data– it just won’t be to the place that you think. But to the website
leveraging this technique, you won’t be able to distinguish
incognito from non-incognito. It feels like the right thing to do. Even if that is a
reasonable business decision to try to prevent people from just
throwing away their cookies constantly in order to access more
and more content for free, it certainly is not consistent
with the spirit of incognito if you’re leaking information. COLTON OGDEN: Indeed– yeah. And these websites I think are open to
certainly adopting a subscription model and making some of their content
premium if it really is a huge, I think, detriment. Although that gets,
I’m sure, complicated. Having free articles certainly
drives a business I have to imagine. DAVID MALAN: Yeah, but I do think
this is the right technical call. And frankly, props to
the folks who figured out that you could infer incognito
mode from these side effects. I mean, that’s kind of a clever
hack or workaround, if you will. COLTON OGDEN: Yeah. I mean, that pretty much is all of the
topics that I brought to table today. I think what we should do is
end the episode on takeaways. DAVID MALAN: Takeaways– OK. Change your password if
it’s “1, 2, 3, 4, 5, 6.” COLTON OGDEN: That’s probably the
biggest one, I think, of today’s theme. I mean, there are a lot
of interesting things that people don’t necessarily
have as much control over. Facial recognition, we can’t obviously
tell people to cover themselves. DAVID MALAN: No, but we could stop
tagging ourselves on Facebook– COLTON OGDEN: Yeah, that’s true– DAVID MALAN: –to be fair. COLTON OGDEN: –but that’s
not going to happen. [LAUGHS] We take to take too many photos
that show our faces in them. DAVID MALAN: But the
password thing, I think, should start to sink in more for people. I mean, there’s going to be an annoying
amount of sort of activation energy to go find a password manager,
download it, get comfortable with it. But it’s worth spending those
minutes, or those couple hours, or just to kind of have an inconvenience
for the first couple of weeks until you get acclimated to it. But then once you’re into the
rhythm, it really is compelling. And for those who are unfamiliar,
LastPass is pretty popular, 1Password is pretty popular. There’s others, and you should do your
own due diligence and Google both, because undoubtedly both have had bugs– security related bugs, indeed. So they’re not fail-safe– so
they too are written by humans– but it’s probably better than your
current system if your current system involves Post-it notes on your monitor– COLTON OGDEN: Don’t do Post-it notes. DAVID MALAN: –or “1, 2, 3, 4, 5
6” or some other such password. Because it doesn’t even matter
if you don’t think that people care about your particular account. As in the case of Citrix’s
case, the adversaries didn’t care about getting into a
specific person’s account, I believe. They just wanted some
account that might have some potentially interesting access. So you’re really vulnerable
to just random attacks that your account might get
compromised as a result. COLTON OGDEN: They’re
going to brute force it. 23 million, that’s easy just
to spam everything you know– “password,” “1, 2, 3, 4, 5,
6” and hope that it works. DAVID MALAN: And that’s not
even 32 bits of address space. COLTON OGDEN: No, it’s not even close. And if you’re using the multiple– or
the same password in multiple locations and it’s “1, 2, 3, 4, 5, 6,” your
whole life can be ruined really fast. DAVID MALAN: Wow, I
thought we were ending this on a positive note in takeaways? COLTON OGDEN: Maybe not ruined,
but temporarily compromised if you’re fortunate. DAVID MALAN: If you’re– [LAUGHS] OK. I am scared now. COLTON OGDEN: Change your
password if it’s horrible. DAVID MALAN: There we go– quite fair. Well, thank you all
so much for tuning in. COLTON OGDEN: Yeah, thanks so much. It was an awesome episode. Thanks, David, for coming here
and doing this podcast with me. DAVID MALAN: Indeed. We’ll keep an eye on what’s in the news. And by all means, online, feel free
to chime in with topics of interest to you, things that might be helpful
to explain, to discuss, and explore. COLTON OGDEN: Absolutely. This was the CS50 Podcast,
episode 3 0 indexed. DAVID MALAN: Take care. COLTON OGDEN: Bye bye.

13 thoughts on “Password Security, Incognito Mode – CS50 Podcast, Ep. 3”

  1. "put it somewhere safe like a bank or under your mattress"…. yeah they're basically the same right xD

    Apart from using input masks do you think developers should keep tabs on these common password lists and compare a user's password hash on signup to make sure it doesn't appear on a list, and if it does ask them to change it?

    Essentially integrating tools that come with password managers like bitwarden into the signup process (health checks against known leaks).
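One way to do the check this comment asks about, as an added example that is not from the podcast or the commenter: a k-anonymity style lookup in the shape of the Have I Been Pwned range API (the client sends only the first five hex characters of the SHA-1 hash, the server answers with matching suffixes), run here against a small constructed list of breached passwords rather than a real corpus. The check has to run at signup or password-change time on the plaintext candidate, because the salted hash the site stores afterwards cannot be compared against any list.

```python
import hashlib

# Constructed stand-in for a breach corpus: a handful of passwords that appear
# on every common-password list. A real deployment would load a full leak
# corpus (the Pwned Passwords data, for example) instead of this toy set.
KNOWN_BREACHED = {"123456", "password", "qwerty", "letmein"}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range-query scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Group hashes by their first five hex characters, the way a k-anonymity
    range endpoint does: prefix -> list of (35-char suffix, occurrence count)."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], 1))
    return index


def range_query(index, prefix):
    """Server side: answer a 5-char prefix with every suffix under it. The server
    never sees the full hash, let alone the password."""
    return index.get(prefix, [])


def breach_count(password, index):
    """Client side: look up the candidate's own suffix in the range reply.
    Returns how many times the password was seen (0 if absent)."""
    h = sha1_hex(password)
    for suffix, count in range_query(index, h[:5]):
        if suffix == h[5:]:
            return count
    return 0


def validate_signup_password(password, index, min_len=12):
    """Run at signup or change time, while the plaintext is still in hand.
    Returns a list of reasons to reject; an empty list means accept."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if breach_count(password, index) > 0:
        problems.append("appears in a known breach")
    return problems
```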

  2. Does time have an effect on a password's security? If I have a secure 10+ character, number, symbol password is there any reason to change it every once in a while?

    Can't wait for Ep. 4!

  3. I like these. Can you talk about careers in tech in a future podcast? Maybe what areas will have more job openings in the next few years, what skills are in demand, and some areas that may decline in the future? Also, maybe the interview process?

  4. Great work indeed! I love this series very much to keep us aware about what's going on in the tech world 👍👍

    PS. For the next podcast if not recorded already: the WhatsApp security breach discovered earlier today. Though you may already be aware about it, I am just pointing it out.

    However, I personally don't use WhatsApp very much. I prefer telegram over WhatsApp.
