Hello, everyone. Welcome to Computer Science E1. This is Security Continued. So last week some of the things that we were talking about involved some data security, some of the things that we should do to make sure that our data, not only within our computer, but also as we transfer that data online, is actually kept secure. And of course the world of online security is not without its problems like we had discussed before. And in fact even the big companies can suffer from security problems as well. And it's sort of an interesting thing because perhaps the bigger the company is, sure the large protections they may also have, but also the bigger the target they might happen to be. And so there happens to be a few emails that people have been getting. Probably you have received something like this as well, something from a variety of companies, including Best Buy, a variety of credit card companies, a whole bunch of reward points companies, all of these sorts of things have actually been sending out emails over the weekend and today, telling people that a company that they use for marketing, so basically a company that they use that they outsource their mass emails to, has been compromised. And what has happened apparently is that, and there's not a lot of details out quite yet, but basically this company has a whole bunch of email lists, which includes your name and your email address if you happen to be on one of these corporations' lists. They give this list to this company and this company is responsible for sending out all of the emails on behalf of this company. So there's probably some additional details that we are not quite sure yet, but it seems to be a pretty big breach since this is one company that has lots and lots and lots of information on people, or rather not a lot of information on an individual person, but they have lots of people in their database.
They have lots of names, lots of email addresses, and a lot of these have actually been compromised. So here's one from Best Buy saying, yeah, yada, yada, yada, yada, we're so sorry, it's not going to happen again, you know, stuff like that, all the stuff that they're going to say, but basically the end result is that your name, if you've gotten an email like this, your name and your email address is probably now out for the highest bidder, maybe not even for the highest bidder, just whoever is willing to download or even pay a couple of bucks to download such a large database of emails and associated names. So why does this matter? Well, it matters because now people that want to send you spam actually have valid email addresses. One of the things about spammers is that they want to be able to send email to as many people as possible, because if you have, say, if you're trying to sell something, it doesn't matter what you're trying to sell, and you are a spammer and you decide to email millions and millions of people, it's not that expensive to email millions of people, right? Just because it's something that's electronic, it can be done relatively cheaply, you email probably every day, and even if they get just a fraction of a percent of the people to respond to one of their spam emails, then that's pretty lucrative. If they send out millions of these emails and even just 0.1 percent respond, that's actually a good quantity. That's like a thousand or so people, and that's a good number of transactions that can occur. So all of our email addresses now are potentially out on the open, and to be honest though, this isn't anything that's too concerning. Most of the time, I'm sure, you probably are pretty freely input your email address into a variety of websites, and your email address is probably relatively well known to a number of spammers anyway. 
So if you receive an email that happens to be spam, one of the tricks that spammers will tend to use is that they will have a link at the very bottom that says, unsubscribe from this email newsletter. And it's sort of a nasty trick, because what can you imagine might happen if you actually decide to click on that link? Right, they can start spamming you even more, because now they know just by you having clicked on that link, they could embed some information into the URL in that link, for example, associating that click with your email address. And then they can say, oh hey look, somebody actually looked at this email and clicked on this link, and so now they know that that email address that they had sent that message to does actually exist, that is actually valid, and so they can then even double their efforts. And so it's sort of a double-edged sword. Having this mandate, I believe the government has said, if you're running a legitimate newsletter, you have to have a link at the bottom that allows people to unsubscribe. It's sort of a catch-22 in a sense, because these small newsletters have the potential of just verifying your email address, and then making it easier for people to spam you. So generally, I only use that unsubscribe link if it's sort of a big, well-known company, just because then that's the only real way that you can kind of guarantee that they will actually abide by those particular rules. Now, paying attention to some of these emails, I actually got a whole bunch of them, but one of them was from a credit card company, and they say a whole bunch of stuff, you know, and only your name and email address was given out, and this probably is true since it was only this company that does these mass emails that hopefully all of these companies are not sharing more personal information than necessary with the companies that they happen to do business with. But anyway, one of the things that they say is this. 
They say, okay, well, if you start getting some emails that look like it's from us and they say to click on a link, we are actually going to ensure that this email is from us by having this box at the top of the email. Email security zone, and it's going to have, like, your name on it, it's going to have the account number. Now, obviously, this is not my information. They sanitize it just for the purposes of the email, and they also say, like, when, how long have you been a member? But this might actually be relatively useful in the fact that, okay, well, assuming that the rest of their data is actually intact, sure, only this company will know this particular information. So if you look at it, then you can be reasonably sure that that company is the one that has sent you the email. But the problem is not this. The problem is that how many of you see something like this in an email and just outright ignore it? I mean, you might get a number of emails from this particular company, and you might look to see if it sort of looks the same, right? It sort of has the same style as the other emails that you've received from this company, but you're not necessarily going to look at each of the characters in this email security zone box to verify that it is actually correct. And this is sort of a laziness thing. It's not that we are, I mean, it's not even that. It's not that we are lazy, too lazy to be able to look at it. It's just that we become accustomed to it, and just by nature we pay less attention to it. Even if we try our hardest not to, you might let one or two slip by. And so I don't think this is really all that effective, just because then they're relying on people to make sure that this data is actually correct when a person who is sending an email from this company can mimic the look of this email and even include a security zone box of their own. 
But maybe it's so long as that information, because they do have, of course, your name, so the card member information will actually match what this company has as well. They can just add some similar looking enough information to the rest of this security zone box, like this card member, let's see, here we go, this account ending in, and member since, as long as it looks sort of like decently real, as long as it's not something completely ridiculous, then all chances by, you know, by all intents and purposes, that spammer or this phisher, and we'll discuss more what phishing is in just a moment, can actually potentially have a relatively successful email in sending this to you, just because now you're not going to pay quite as much attention to this. So better, I think some of the things that I've seen from companies that are a little bit better are, if it's a legitimate email, they in fact do not put any links inside of that email. And this is actually a pretty useful thing because it forces you to go outside of the context of email and visit that website directly or call this company directly to be able to perform some actions. You might say, well, that was terribly inconvenient. Why on earth would I want to do that? This sort of brings us to the concept of phishing. And so phishing is basically the same sort of idea. It's a step away from spamming in the sense that it is still sort of a mass email out to people, but whereas spam is usually something where they're trying to sell something to you, perhaps a quasi-legitimate business that are using spammy processes to try to get business from customers, people that are using phishing are instead using it to just harvest information. So they might, for example, know that the vast majority of people in the world, perhaps not the vast majority of people, but a lot of people that are on the Internet in the world have, say, a Facebook account. And so they'll use this to their advantage.
And if they have a long list of email addresses, they will send out an email to everybody and they will say, okay, well, this email is from Facebook and there's a problem with your account. We need you to reset your password or something like that. And what they will do is include a link to their website and allow you to change your password. And when you click on this link, it loads up a website that looks surprisingly like Facebook because they just happen to have copied their design exactly and all of the little details are exactly correct. But then as soon as you enter your username and your password, what do you think is going to happen? They get your username and password. And so now they have a little bit more information about you. Now they could perhaps use your Facebook account or if they are using something a bit more malicious like a bank account website, for example, then they perhaps have your bank credentials that they can log in and see how much money you have and perhaps go a little bit further than that. And so phishing is perhaps a very dangerous thing in terms of protecting our own privacy. And this is the reason why I mentioned before that you shouldn't use or as better perhaps for companies not to include links within their emails at all. And the reason for that is that you also should get into the habit of not clicking on links in emails just because you are not necessarily guaranteed. Even if it really looks like that email is from this company, you're not guaranteed that that email is in fact legitimate. Even if they're not asking you to do something that could be kind of sketchy like they might not be as blatant and say, oh, we need you to change your password or something like that. They might in fact just ask you to log in and that would be sufficient. If you actually click on that link and just log in, realize that some things are right after the fact, that is then sufficient for them to have your information. 
So rather than click on a link in an email, what's usually safest is to visit that website directly and go to that website and do whatever action that you think is necessary per the email based on the contents of that email. And spammers and phishers have actually become quite sophisticated at this same sort of idea. In fact, there was a few years ago a phisher who wanted to get information from some customers of a particular bank, at the time it was Bank of the West. And so they had a website, of course, bankofthewest.com. And in fact, this is the URL that the person would send out in all of the emails. They would say, click on this link or don't even click on it. Just copy this link and paste it into a browser and use that. And so a person that was well versed in phishing or at least is familiar with the concepts of phishing would say, okay, actually they're not asking me to click on a link and even if they are, it looks to be legitimate and so you might even copy, paste this URL. But the problem is that this URL in fact did not go to bankofthewest.com. What it went to was bankofthevvest.com. This is two Vs right here just close enough together that it looked like to a person that was just sort of reading it through at a even a somewhat decent pace that it looked like this was in fact a W just by chance with the font that it happened to use. It was close enough space together that it actually looked like it was a W instead of a V. And so all of these are sort of forms of social engineering, of getting you to do something that you might not otherwise do just by tricking you just based on your own habits because you might be familiar with clicking on a link in an email and that might be something that you have done in the past and you have found to be relatively safe but realize that there are in fact these problems.
Now there are ways if you really need to click on a link in email for some reason because for whatever reason you can't type in the URL of the website directly or perhaps it is in fact quite a lengthy URL and you just want to be sure that it is in fact safe. One of the things that many email providers or many email clients will actually do is that if there is a link like this you can actually hover your mouse over it for just a few seconds and it will tell you what the actual link is. And we talked about this before, or have we? I'm not quite sure if we've talked about this before but if you have a link that says something like click here we talked about how the text might actually have embedded within it or sort of behind the scenes this might actually link to a website, might actually link to URL but just by the text you're not sure of what that URL might in fact be. And so you can hover your mouse over this link for just a few seconds and usually a little pop-up will appear that tells you the URL that it actually is and so you can then look at the domain and if the domain looks legitimate like if it's actually from the bank that claims to be or if it's actually from Facebook or Amazon or what have you then you can be reasonably sure that the URL is correct except that you still might be prone to this sort of problem right here where if they have a clever enough URL they can still sort of trick you into clicking on that link and so this is the reason why I say it's best not to click on any links at all in an email and just go directly to the website and perform your actions there and in fact even just going directly to the website can be dangerous as well because what if you happen to have a typo in your URL as you type it in so instead of going to Facebook.com you might do something that is very common and you replace say the C with the D for example so now it's Facebook.com or something like that it's just some silly relatively trivial typo in the domain that 
you're entering. If somebody buys that domain and then they actually put a copy of that website's page on their own domain, you wouldn't know. You wouldn't catch the typo necessarily at first unless somehow you were able to know that you had mistyped the URL and you were able to correct it, or that you noticed that something is awry between the two websites. But most likely a good implementation of this could mean that you are going to some other person's website just through a typo and giving them information that you normally would not give them. So a number of companies, in order to battle this, are in fact buying up a whole bunch of domains, everything, very common typos for example. They will buy up domains in other TLDs, so that if you go to Facebook.net for example instead of Facebook.com, they might actually own that domain as well in addition to the .com. And they just do all of this so that when you actually visit one of these websites, perhaps by accident, they can then forward you over to the correct one. So it's in fact a good way for companies to try to secure their own users from themselves, basically save you from yourselves, just through relatively simple, relatively innocuous things. Now again, the costs to the attacker for each of these attacks, like using phishing or for spamming, is very, very low. It does not cost very much at all in order for somebody to send out mass emails to everybody and just hope that somebody bites. Even if a few people bite, this can actually be very lucrative for the spammers and the phishers. Now of course this is not the only way that attackers can get passwords. This is in fact one of the easiest ways perhaps, because a lot of people fall for phishing. It's a very easy attack for people to succumb to. But there's a variety of other ways as well, like people databases can be hacked, like in that SQL injection method that we talked about last week. That's a very common attack method for people to try to obtain passwords on a database. There could be a
man in the middle attack which basically means that somebody is between you and the server and as that data is transferred between you and the server if it's unencrypted then that person in the middle will actually be able to look at all of this data and similar to this is the same idea that we talked about now for many weeks where if you're sitting in a coffee shop using your laptop and it's unencrypted and now you're just broadcasting out this data to everyone somebody could in fact capture this data and use it to read it so there's a variety of ways that people can obtain your passwords this is not the only way just by using phishing methods so it's not exactly the case that if you are in a coffee shop and somebody just happens to be collecting the bytes that you're sending that's not exactly middle man attack just because what a middle man attack happens to imply is that they're directly between you and the server such that if you are sending data to the server it goes through this intermediate step first and that person in the middle then is responsible for relaying all of that information over to the server they can position themselves physically so if they happen to have say physical access to a coffee shop's wireless access so let's say that you're doing everything right and you have a secure network that you're connecting to and now this data is no longer sent out in the clear but is rather encrypted but if somebody happens to have physical access to the router for example where this coffee shop happens to be they could plug in directly into that router and perhaps reconfigure it in a way or it really depends on how it's set up such that all the traffic then goes through their computer and that would be a middle man generally it has to be physical yes though it doesn't necessarily just the concept is sort of best defined in a physical infrastructure way it's just that it happens to be different when we're talking about somebody sitting next to you in the 
coffee shop. That's different because you're still communicating directly to the server. It just so happens that they're in the right place at the right time where they're capturing the bits that are sent unencrypted from your computer. But it's a subtle but important distinction between each of these. So again, if you want to resolve this situation, you can go directly to the website, or perhaps with, sometimes, well, there's no super safe way, there's no truly safe way, but sometimes what might also be a good thing is just to Google the website. If you don't happen to know the domain offhand, just Google for the website and you will be able to find it. But also, I mean, even Google's results are not completely free of problems. It is in fact possible, though not very likely, it does happen every so often, that somebody else instead of the actual company can in fact bubble up to the top of the Google search results. And I think there was a big hoopla a few weeks ago about JC Penney doing something not necessarily malicious, but they had just sort of gamed the system in a way such that their search results bubbled up sooner for a variety of product searches. And that's just sort of an example of how somebody might be able to bump up their own website to a higher status and make you click on that, thereby making this sort of an unsafe proposition also. So basically, is there anything that's exactly, you know, super safe? No, there's not. There is in fact a bit of trust that has to be placed into all of these systems, and using your own sort of intuition and your own knowledge now about each of these, you can sort of overcome the vast majority, hopefully, of these problems. So if you've seen this, but, oh, and I suppose one of the most common types of phishing emails that people get, especially a couple of years ago, was the one where they would email you and say, this is from the mit.edu or harvard.edu or gmail.com security team and we have detected that there is unauthorized
access to your account we require you to change your password immediately so please send us your password right now or something like that and lots of people would actually fall for this and reply to the email send their password in it and that is just an altogether bad idea never ever send your password in an email first of all because you're not sure who will be able to intercept that or read who's going to be reading that on the other end but also because emails are not in fact encrypted there's nothing that is going to stop somebody from perhaps reading from reading a message as it bounces from one mail server to the next and I'm talking about even beyond the fact even if you have an encrypted connection between your computer and the the web server so for example perhaps you're using gmail and they have enabled HTTPS and you have HTTPS enabled for your connection to gmail or if you happen to be using a mail client and you're using a secure connection between your mail client and the mail server only that first step only that first connection between your computer and the mail server is in fact encrypted and so while that may protect you from a lot of the low hanging fruit attacks the ones you know the person in the coffee shop that are right next to you that are gathering all of the bits of information it doesn't secure it beyond that first mail server that first mail server has to send it to other mail servers on its way to its final destination and each of those connections are not going to be encrypted so emails are not encrypted and you should not consider them to be a safe way to send personal information especially and I've noticed that a lot of companies happen to be really lax with their rules if you happen to work for a company and you know HR sends an email to you and says you need your social security number don't send stuff like that over an email you have to be absolutely sure even when you're on your own sort of company network it's not a good 
thing, it's not a secure thing, to send any personally identifying information over an email, or even, I suppose, any sensitive information over email, just because there is no guarantee that any step along the way is going to be completely secure. So it's better instead to push back a little bit and say, I'm not comfortable sending this to you over email, can I call you instead? Many people will in fact say that's okay, and that's a much better and much more secure way of transmitting this vital or this sensitive information. Did I see a question before? Okay, so switching gears a little bit. Phishing is not the only way that bad things can happen to you. In fact, one of the biggest categories is perhaps malware, which is just a general term that's meant to include a variety of things like viruses and worms. And a lot of people use a lot of these terms interchangeably, but they are in fact distinct. So malware, like I said, is just a sort of blanket term that's meant to describe software that is malicious in some way. That includes these other terms like viruses and worms. Each of those could be considered malware, but malware could even be a variety of other things as well. But a virus is different from a worm. A virus is something that does something bad to your computer, but it requires human interaction to propagate. So this might be something that is propagated, say, because it piggybacks, for example, on a program, and you decide to share this program with somebody else. So you actually send this program to somebody else on, say, a USB drive or by email or something like that. Then this virus will then be propagated in that manner, just because you have then sent it, perhaps in addition to some other content, to somebody else. But a worm, on the other hand, does not require human interaction. It can self-propagate from computer to computer based on however many computers can be affected by the worm. And so as a result, worms can actually be some of the most dangerous types of malware that's out there
just because it can exploit some common security flaw in a large number of computers and spread rapidly to a whole bunch of computers and there's a whole bunch of worms that have sort of grown up and become more conspicuous and more problematic in recent times but one of the more interesting ones in recent times is the so-called Stuxnet worm and this one actually seems to have been created it's supposedly been created by some state by some large body by some government and has actually been is actually meant to infect a whole variety of machines but it's really only going to be dangerous to machines that happen to be connected to some when I say machines I mean computers in that case so it's actually going to mostly impact computers that are directly connected to machines that perhaps do some important work on nuclear some sort of like nuclear creation of nuclear materials or something like that and so this actually then didn't really harm many people's computers in the sense that once it was installed on your computer if your computer happened to be susceptible to the attack that this worm happened to use may not have done very much but once it finally propagated to machines that were actually connected to these actual devices that were actually performing useful important tasks involving the creation of nuclear materials then these machines were actually caused to break down they were actually causing these and I forget exactly what the device was but it was actually causing the device to break down in some way effectively closing out all of the creation of this nuclear material it's a very advanced attack and a variety of people had said that there's no way that this could be created by sort of a singular person or group and it was in fact funded by the state it's all sort of interesting and it depends on how far you want to go with the conspiracy theories in that regard yes so that could be the same thing yeah so it was infecting controllers that were being 
used in some machinery to enrich uranium so that does sound in fact like it is the same thing yeah it's pretty recent it did come out last year there's other worms as well like the conficker worm and it really depends on what the payload of each of these for each of these malware applications actually might do so in this case the payload was meant to damage these machines like we had talked about that perhaps enriched uranium but some other ones are actually just meant to infect machines and self update download some new additional software and continue to propagate just sort of wait and lie dormant for just a little while and eventually what can happen is that when enough machines are in fact infected with this particular worm what can happen is that now the controller the person who actually had designed this worm and is going to use it for malicious purposes can actually enable all of these machines they can actually take over these machines perhaps without even the person knowing about it the owner of this machine without even allowing them to know about it they could use that machine for a variety of purposes so they could for example use that machine to just send out a lot of emails for example they could use that machine to contact one website thousands of times a minute and when this happens from you know thousands or millions of machines from around the world it causes what's called what's known as a denial of service attack or a distributed denial of service attack and what happens there is that you're just trying to contact one website from so many different locations at once that the website can't keep up and basically the web server crashes and then the website goes down and this is in fact a very common type of attack that a number of websites have fallen prey to but each of these things has to happen from these machines that have been taken over by a worm and these machines are actually called zombies when these machines are owned by somebody but has 
been infected by some malware like a worm for example and is now part of a larger net some sort of larger infrastructure that a person can actually control remotely to do these sorts of malicious things like contacting a website thousand times a second or perhaps sending out thousands of spam emails or even millions of spam emails at each machine would you know if your computer happens to be a zombie it depends I think on the payload and how much the I think it depends frankly on how well designed the worm is and I use well designed in terms of malicious intent here if it's done really well it's possible that you may not know about it at all and that your computer is in fact a zombie and it's being used for malicious purposes and you have no idea whatsoever but if you start noticing that it's perhaps slowing down a bit or that it's internet access is a bit more sluggish than usual among other things I mean there could be a variety of reasons that provide these symptoms to you there could be an indication that you have some software that you know you did not activate on your computer that is actually being run and causing a whole bunch of bad things to happen so is there an easy way to know I would say not really you just have to be sure that I mean running of course anti-malware applications on your computer is probably going to be one of the best ways of combating this particular thing but also protecting yourself against worms in general is going to be one of the best ways of preventing this and how do we do that we'll talk about in just a second but when we're talking about each of these things we talked also about viruses before where if you have a virus and it's something that's human propagated such that you might have it on a flash drive and you plug in the flash drive and now all of a sudden your computer is infected in fact there is a virus that does use this mechanism because when you connect a flash drive into a Windows computer you can even put in a CD 
or DVD into a Windows computer it's actually programmed to run some software at the very beginning and if this software happens to be bad it can install something on your machine that you do not intend for it to install and so this is one this is yet another way that your machine could be infected by something and this is one of the main reasons why people say do not just open any attachments and emails that you receive don't just plug in any old flash drive into your computer you're absolutely sure that each of these things does not contain a virus or that by you being on the internet that your computer will not be attacked and by some malware like a worm and so with all of this said though there's sort of a fine line between what is an application that could be considered a virus and an application that is actually considered to be useful so let's say for just a moment that you have some software that downloads some software that whose purpose in life is to analyze all of the files on your computer it shows you the size of all of these files and it tells you what files are using the majority of your computer space and you're using this application to try to figure out what if anything you should delete off of your hard drive to make additional room to install more applications, to download more photos do whatever you want so this is actually something that's useful that the application could know it could tell you you're using 30 gigabytes for your old photos you're using 20 gigabytes for your home movies something like that then you could actually make a more informed decision about what you're actually going to delete now let's say that this software also gives you the option to delete these files and you can actually select which files you want to delete this is arguably some relatively useful application but let's say that there's perhaps a bug that deletes more files than it should or perhaps it deletes all of the files without you even knowing about it and 
of course intent is sort of a factor in this equation but if this was just a bug now all of a sudden this useful application that did some service for you that was actually going to be useful for your your time on the computer can now actually become malware just because now it's deleting more files than you've wanted like I said it's this fine line between software that's actually useful and malware or even if it was designed maliciously and it looks like it is going to work as intended but in fact does delete more files than it should now this has of course gone well into the realm of malware but this is why this is not an easy thing for people to solve it's not known necessarily when you download some application if it's doing something like it looks like it's going to be deleting some files maybe it actually does intend to delete files in a useful way so there's no way that we can just sort of mass block out all of the applications that delete files just because we might then be blocking some applications that could actually be doing something that is useful for us now so there's been some some ways that we can counteract this in fact Microsoft has embedded some of these counterattacks into their own software into windows so if you have one of the later versions of windows and you've tried to download some software how many times have you gotten that window that says are you sure you want to install this software it might be dangerous so on and so forth right it happens a lot and so this eventually gets to the point where you start to ignore this very thing this very dialogue that's meant to help you just so that what it's intended to do is to make you step back and think okay where did I get this from is this going to be legitimate I actually want to install this software because it's going to require these permissions it's actually going to do these things potentially to my computer but after a while you just start to get annoyed with this message and you 
just eventually just click through it so how many times do you install software and no matter what it says you just click I agree or click finish or continue just so that it gets installed it gets to the end this is part of the problem is that there's no easy way to do it and that's because we are we just it's and this is another aspect of that social engineering we just start to ignore these these messages that are supposed to help us just because they become intrusive and they block the thing that we're trying to finally get to and so the whole point of this is that this is not an easy thing for people to fix there's no there's no really easy way for software engineers to design some software that can truly get all of the malware and protect you from it just because of all of these sort of added combinations of things so what are some of the ways that we can then protect ourselves from being infected from viruses or from worms or from malware in general one of the ways of course is to use common sense know where you're downloading this application is this application actually coming from a reliable known a trustworthy source do you actually know that this application is going to be worthwhile for you to download and so that's that by itself will help you protect against a wide variety of viruses if you just go to any old and this is this happened especially in the back in the 90s when shareware was a lot more popular you download an application and you'd be able to try it out for some number of days and so people would just go to any old download shareware site just download a whole bunch of stuff just to try it out and see what would happen that was in fact perhaps dangerous just because you weren't absolutely sure what it is that you're downloading of course like I mentioned before don't in fact open up anything that is sent to you in an email so if it's an attachment in an email even if it looks like it's going to be an image and even if it looks like that 
it's from somebody that you know unless you are waiting for that attachment from that person then you're not guaranteed that that attachment is in fact going to be safe because images in fact can cause malware to be installed even if it looks like it is a JPEG image so you're not necessarily safe even if it looks like it's not an application file that's installed that's embedded within that email now to protect yourself from worms for those of you that are using windows you're kind of in trouble a little bit just because there's a lot of worms that are available that are out there today that will attack your machine within seconds of you connecting it to the internet for the first time the best way to protect yourself is to enable the firewall on your computer yes probably your router also has a firewall as well but that is not sufficient in this day and age many of us have laptops we're taking our laptops from place to place that means that you're going to be on an insecure network you're going to be on a network with other computers that is behind another firewall itself so you have to be sure to enable the firewall on your own machine just to make sure and that's going to ensure that worms that try to self-propagate by connecting from one computer to the next on some port number for example will not be allowed access to that port on your computer yes is the firewall only as good as the most recent worms so I would say not necessarily a firewall is in fact very good protection assuming that you have a very restrictive firewall enabled the reason for that is that firewalls do not allow servers or outside computers to connect at all at a specific port but it is a very good point that there's a lot of software that's available today that protects only against whatever current vulnerabilities exist today so the reason that you might have a firewall enabled and still be at risk is if your computer is a server also so you might be serving a website for example on port 
80, or you might in fact be doing like Windows or Apple file sharing, and those services require that a port on the firewall is in fact open, allowing a connection to that port. Now that then is a very good, is something that's very apt in this case, just because then, even if that software, even if that server that's running on that port happens to be the latest version, they may have patched all of the vulnerabilities known to that point, but there may be a new vulnerability that it's exposed to. But this is the counter argument: your having a firewall that basically just ensures that no inbound connections are allowed is in fact relatively safe, just because it's not allowing any connections. But if you have in fact a number of services running, that is when you are going to be at risk, and especially Windows file sharing. That was one of the ones that was really hit hard by a number of worms. There was just a whole variety of attack methods that were found in Windows file sharing, and even though it was, I think part of the problem was that it was enabled by default on some of the older Windows machines, and firewalls weren't enabled by default on these same machines, so they just spread like wildfire, just because there were no protections. And the newer Windows machines in fact do, I believe, have firewalls enabled by default, but it is still possible to sort of poke holes in that firewall. So you might have a firewall that protects, you know, every port except say port 80 or port 45 or something like that, and it's that one port that has open access that could then be at risk to, or susceptible at least to, these worms. So there's some other ways that we might be able to protect against some of these things, but frankly there's things that we really can't do ourselves. We're sort of at the mercy of the people who create these operating systems, because one of the things that they could do is to create something called a software sandbox. What that basically means is that every time you
open an application it is only allowed to manipulate you know what that application you know the contents of that application it's not allowed to manipulate other files on your computer it's not allowed to manipulate other programs directly and and we're working our way on each successive version of the operating of each of these operating systems now have better sandbox for each of these applications but it's still something that is probably could be worked on a little bit more by each of these companies and so in fact now that we can install applications on mobile devices so these mobile devices like iPhones and Android phones are getting sophisticated enough that we can actually create very complicated very well versed software for them it becomes a problem to install malware excuse me on each of these devices as well and in fact there is something to be said about yes Apple has their app store and they have relatively tight restrictions for people to create an application and put it on the app store so that people can download it and arguably one of the benefits of this strict this tight these tight restrictions that Apple might have against putting applications on their app store is that they would then be able to check to see if that application happens to be malware if it might be some software that tries to obtain information about your phone and send it to some centralized server so that somebody could use it against your will you know any number of things but still this does mean that at the same time we now have more restrictions in place when downloading and installing these applications now on the other hand we have the Android devices where pretty much anybody can upload and create an Android application uploaded to the so called Android Marketplace and it's possible to download it onto your phone and in fact you don't even need to have that it is in fact possible to download an Android application just from the internet or have it attached to an 
email and install it from there, and we have the same sorts of problems that we have on the computer now on these mobile devices as well. So I'm just, the whole point of this is that yes, we have these mobile devices that are great, they can do a whole bunch of things, we have great applications for them, but you should still now be careful, and you should especially be careful now that they're gaining a lot more popularity and gaining a lot more traction. And in fact there's been a lot of talk, and there's always a lot of talk, about how Macs tend not to get quite so many viruses and worms, and that certainly seems to be the case. And if you look at breakdowns and attacks for Macs versus PCs, Macs simply do not get quite as many attacks as Windows machines happen to get. And I don't think this happens to be because they are necessarily more secure. It just happens to be a matter of numbers. If somebody wants to write software that's going to hit a lot of people, there are right now a lot more Windows machines out in the world right now, so that if they were to write some software, they'll get sort of the best hit out of impacting Windows machines. And so there's really now security through obscurity in terms of Macs. If Macs happen to gain a huge percentage of market share for some reason, we might actually see a reversal of that, just like we are now seeing iPhones being attacked quite a bit. People are doing these things like jailbreaking, so called, so that you can gain additional access to the phone, which is good for perhaps the consumer if you want to have more freedom over the phone itself, but it also means that more attacks can be exploited on this device directly. Now when we're talking about also protecting ourselves from viruses, worms, and from each of these things, again remember that when we have passwords on these machines, don't save them on a Post-it note, don't save them in an unencrypted file. It's best if you either commit them to memory, but in that case
you're probably prone to having only a couple of passwords memorized what might be better is to have some sort of password manager that you trust in and that can store a whole bunch of passwords in an encrypted way and it's very useful to have passwords in a variety of for a variety of websites be different you don't want them to actually be the same so for all of these things we have this concept now of hackers or hacking and it's gotten to the point now where hackers have become a term that's used to imply something that somebody's doing a bad thing but it wasn't always this way hackers didn't always have this sort of sense that if you are a hacker you are doing something wrong in fact generally the word hacker refers to someone that just happens to be really really savvy with computers like to an extreme just really knowledgeable about them can use that knowledge to their advantage perhaps but didn't necessarily use it to attack people or to attack websites or to do malicious things nowadays we of course use this term it's a very loaded term so using it depending on context can mean a variety of different things but it does in fact say that if we have a hacker then it's not necessarily the case that that person is in fact malicious and there's a variety of reasons why a person might in fact hack a machine it might not be necessarily for purely malicious intent sure of course they might do it so that they can then wreak havoc on this system that would be an example of a bad hacker but there are people who try to perform some hacking just to see if perhaps it can be done just to see if there's any security holes in a system and then alert the owner of that system to that perhaps that security hole and then leave it at that and that's sort of a good thing that I think people might be trying to do not a lot of companies are in fact responsive to this idea where people just try to hack into their machines to find out if it's possible to do and then actually inform 
the companies. Not a lot of people actually are given awards or patted on the back for that sort of thing, but it is an important step, I think, in the evolution of our security for the computers that people that want to do hacking, and to do it not in the malicious sense, are allowed to do so. I don't think it's useful for us to block out all hackers, just because then we don't know what the vulnerabilities might be in our systems. But of course this does bring up this whole issue of, well, are we then hacking for good purposes or for bad purposes? But I mean, hacking might even be an even broader issue than this. Somebody might use hacking for financial gain, for example. So this example that we talked about just recently, about using worms to create a whole bunch of zombies, and the aggregate of all of these zombies, you have a whole bunch of zombies in your network, that's called a botnet. If you have a whole bunch of these zombies, then you can actually use that to send out spam emails. Somebody then might be a hacker in the sense, in the bad sense of the word, but using it so that they can then, you know, gain financially in some way. And so this then is another example of why we might use hacking in a bad way. And so hacking, though, doesn't necessarily have to be something that's limited to networks as well, or to the internet at large. It can in fact be something that's done on your own machine. So I'm sure many of you have seen software that, when you install the software on your computer, it asks you for a code of some kind, like a serial number or something that you then enter in, and allows you to complete installing the application or to actually open the application and use it for whatever purposes it actually has. And so a hacker then might try to bypass that serial number activation altogether. And of course, if you don't happen to have a legal serial number for this application, this is then an illegal act, but this is something that people in fact
do. So people that are very savvy with computers, they might know how this program is put together, or they might be able to figure out how this program is put together. If this is sort of an oversimplified three step process, such that you open the application in the first step, then that application asks you for the serial number and it checks that serial number in the next step, then assuming that all checks out in the serial number, then it opens this application, there's perhaps a hacker who might be able to look at the code that makes up this software and be able to skip from step one to step three, bypassing this activation or bypassing the serial number altogether. Or another hacker might be able to look at the same code and look specifically at the algorithm that was used to generate the serial number and be able to crack that, and be able to figure out, OK, well, now I have figured out this algorithm that generates these serial numbers, and use them to generate thousands of them, or even just a couple hundred of them, or even just one of them that is then valid, that that check step will actually approve of that cracked serial number, and use that to install the application or to use it. And so there's then this concept as well where we might then have, we might try to crack this software to open it up so that we can see if we are able to use it. And some people use this maliciously and put this cracked serial number online, or even be able to create another application that is then able to generate a valid serial number. And so there's this big underground scene that I think perhaps still exists nowadays, but it was, I think it was even much bigger perhaps a few years ago, or perhaps now this is my losing touch a bit with all of this, this scene, in a certain way. But there existed this scene that was called warez, where it was basically just this organization of people, and it was not a good organization perhaps, but it was just this organization of people, of hackers, that would
crack software and figure out how they could bypass these check mechanisms and then publish their results online so that people would then be able to download expensive pieces of software like Photoshop for free and install and use it without requiring the use of one of these software serial numbers so again this is not something that we recommend or even condone but just to show that this in fact does exist out there out there today and so Microsoft has come up with sort of a new a more interesting way of trying to verify that a computer has not been activated or rather that their Windows operating system has not been activated and that is to actually look at the hardware that's installed on this machine and to create using some mathematical algorithms to create a number that represents the sum basically of all of the hardware that exists within this machine so when you activate your copy of Windows it sends that product key over to Microsoft servers along with this hardware information that it's calculated and it will then say okay well you've already installed it on this exact same machine so sure we'll allow it again but perhaps you are now installing it on another machine altogether and so now this summation this addition of all the hardware in your machine no longer matches and so we're not going to allow you to install this software on your machines this is kind of an interesting thing but there's now the downside where if you actually upgrade your computer enough that this number actually changes like you perform some big upgrade to your CPU or to your motherboard or to any number of major devices now all of a sudden it's not going to let you install Windows on your hardware even though you are in the clear even though you're rightly allowed to do so just because now this mechanism has failed and so they did have a telephone number that you could call up and say hey look I'm trying to install Windows on this here's the product key they would then clear that 
product key and allow you to install it. But a determined hacker might be able to perhaps do the same, call them up and say, yeah, I have this product key and I just need it to be reset, and then they might be able to gain access, or rather to be able to install hardware, or to install that operating system on entirely different hardware altogether. Okay, let's take a quick five minute break. When we come back, more security. Okay, so hello everyone, welcome back. So before the break we talked about a number of things related to security, and in fact we gave a whole bunch of these sort of buzzwords that are related, and so we've gone over most of or all of these already, but I thought I would just write them down just so that they make a little bit more sense. Botnet, like we said, is basically a collection of zombies. A zombie is your machine that might have been taken over by a worm, for example, and now somebody else is using it for their own malicious intent. Combination of all of those, like I said, is a botnet. Warez, like I said, is basically, this is cracked software, so someone had performed some cracking against an application so that you no longer have to enter in a serial number for that, and usually this is associated with some organizations, such that you go to a website or you know of some group of crackers and you have available there some downloaded software that's already been cracked, and so that's what warez is. Malware is basically just a blanket term that's used to include a variety of things, including worm and virus, is basically just malicious software. And worm, like we said, is some code that's designed to self propagate and can perform some bad things on your machine, like make a zombie out of it or delete a variety of files. A virus is more traditional in that it can do these things as well, but it requires human propagation. You actually have to walk over to somebody's computer perhaps and plug in a USB drive, or even just send them in an email some virus or
some application that's used that. And phishing, like we said, is the act of somebody sending an email pretending to be somebody else, with the attempt to pull user names and passwords or any sort of user or any sort of identifying information. In essence you are phishing for information from these people. Cracking, like we said, is basically modifying software so that it no longer requires serial number activation for it. And hacking, like we talked about before, is a pretty loaded term, can be used in either bad or good connotations, but traditionally is just meant to be someone that is perhaps doing some clever tricks and clever changes, modifications, on their own machine, and nowadays is used to, you know what hacking is nowadays, right? So how then might a hacker be able to do some of this stuff? So we talked a little bit about stuff like SQL injection attacks last week, and that is, if you might recall, it was a special text that we would enter into a username or into a password field in some website that we presume is using some software called MySQL, or any SQL software, PostgreSQL, variety of other ones, and just by entering in this specialized string, if it is not sufficiently protected, then what can happen is that we then can gain access perhaps to the entire database and be able to see usernames, hopefully not passwords, because hopefully they are encrypted on the company's website, but we would then be able to do really bad things like clear out the database or input anything that we wanted or anything bad related to that. But there is a variety of other things that a bad, malicious hacker might actually be able to do. So let's say, just as an example, that we visit a website, and at the very end of that website is part of that GET query that we had mentioned before. That GET query was the request that we placed to a website to get a website from them, or to get a web page from them. Let's say that we just added a whole bunch of long string, a whole bunch of characters after that, and so this
might actually cause a problem on the web service so normally we would see something like a 404 file not found error or a 403 error and this in and of itself is not very interesting because this is sort of the expected behavior for us to type in sort of random characters to a web server but instead let's assume for just a moment that instead of actually giving us a proper 403 or a proper 404 the server now actually crashes now this actually is possible it's possible in very you know in very contrived certain cases especially with older software but this is if a server crashes because we have just provided it with a string we are now able to do some interesting things and so let's make this perhaps a little bit more concrete let's say that I have a let's say that I design a program that's perhaps completely separate from the web and this program requires a username and password just as an example and so this is something that is familiar with the web but we require a username and also a password as part of this application it doesn't matter what this application does right and so we then are able to type in our username and we're able to type in our password and usually there's a limit a maximum limit to the length of characters the number of characters that you can have in either a username or a password and so let's just say for a moment that we have a maximum length for each at 32 bytes now recall that one character when we're using ASCII at least can be stored in one byte so basically we are just saying that with 32 bytes we have the capability to store 32 characters of information right now hopefully nothing too bad quite yet but basically what this means is that I can't type in more than 32 bytes of information into either the username field or the password field right that's basically the assumption that's going on here and so for the vast majority of usernames and for the vast majority of passwords this is fine this isn't a problem but let's say that 
somebody types in 33 characters just by chance and they notice that it doesn't actually tell them that there's anything wrong with this and it just goes with it and in fact what happens in memory recall that all of this stuff is stored in RAM in the RAM of the computer and so there's in fact somewhere in memory where there are 32 locations there's basically 32 locations in memory where each character is going to be stored and so I'm going to make an oversimplified diagram here pretend this is 32 blocks of information right and so we could have a whole bunch of characters in each or rather we could have one character in each but basically I ran out of information here but basically you can see that I would have one character in each of these bytes or in each of these blocks of information within RAM nothing new we're just storing this information in RAM but let's say that now I've entered a string that's longer than this and let's simplify this a little bit to go based on our diagram that's right here so we have one two three four five six seven seven bytes of information for the username and for the password so again this is contrived but we're just trying to show you sort of the point or what can actually happen in this case so let's say that now I've entered my seven digit username and this is all well and good but let's say that I type in an eighth character and that happens to go right here now what was in this block of memory right there do we know no we have no idea in fact we the programmer don't necessarily know we'd have to look at the contents of RAM directly but because we don't know what used to be here we're basically overriding something with now this character n now this doesn't seem like perhaps that bad of a thing if it's just one character but what if that one block of information held some critical piece of information for the computer or held some critical step the next step that this actual program was going to execute so if we have overwritten 
now some piece of memory in the computer with something arbitrary, something that we have actually defined, we could get all sorts of weird behavior. We could get a crash, we could perhaps overwrite some other information in some other program, there's a whole bunch of things that could happen that are bad, right? Just because this memory was supposed to be occupied, this memory was not for our username, it was not for our password, but it was for something else, and we've now overwritten that memory. Now let's say that instead of me typing in something innocuous like n, I actually start typing in some well crafted sequence of characters that, when the computer actually reads this memory, it considers it in execution. Let's say that this memory right here, that used to have some contents that I've now overwritten with n, actually had some command within it, some execution. It was actually going to execute something within this contents of memory. Now rather than me writing it over with n, I actually type in perhaps a program of my own. And so what this means is that when the computer goes to execute whatever was supposed to be in this portion of RAM, it now executes no longer what used to be there, the program that used to occupy that space or the operating system that used to occupy that space, but rather my program that I, the user, have in fact entered in. And this is called a buffer overflow exploit. So this is buffer overflow because, the reason is that I have a buffer that's storing, buffer overflow, I have a buffer that's storing these characters, and now I am causing it to overflow just by adding in some additional characters that now might be interpreted by the computer as a command. It might actually perform some execution. And so even though I don't have access to this yet, I now have caused the computer to run some code, run some perhaps malicious code, that the computer was not designed to run in the first place. So again, this is a pretty specific example. You don't really
have to know the details, but just realize that there does exist, just like we know that there's the SQL injection attack that exists, there's also this buffer overflow attack that can exist as well. So is there a way that we as programmers could perhaps fix this? And it is, hopefully it's not that hard to fix, to be honest. How can we perhaps fix this problem right here? Right, exactly. So we as programmers could actually enforce this limit. If there's anything greater than 7 bytes, we reject it. We tell the user we won't accept something over 7 bytes, or we just throw it out completely, and that way this other memory is not actually overwritten. Now this sounds like a very obvious fix, and something that people would do, but when programs become sufficiently complicated, it's very easy to skip over a step like this and just to forget one check in some random piece of memory that somebody can now be able to use to their advantage to be able to run arbitrary pieces of code. So a buffer overflow is actually one way that people are able to overcome the security measures that are put in place and execute their own code, and be able to execute some piece of malware or be able to execute the payload in their virus, just as an example. Can I see a question? Yes, for example, the FAS webmail makes us use a specific capital letter and some sort of symbol for our user name and passwords. Does that play into the same place? Does that code in the same way for security?
So the question is, when we have a user name and password, some services like FAS actually enforce some security rules. We have to have a combination of lower and uppercase characters and symbols and a variety of other things. Frankly, that's not for the security of the system necessarily in this sense, in the sense of memory, but what it is meant to secure is your account in general, because it's much more difficult to guess or to even generate a user name that looks, I'm going to erase this for now, it's much more difficult to guess something that looks something like this, and then 4, 3, I don't know, something like this, than it would be to guess another user or another password that looks like this. And so that's really all that that sort of enforcement boils down to, is trying to make it more difficult for people to be able to guess a user name or a password compared to just some simple word or just compared to some simple string. So that is in fact meant to enforce security, but not in the same sense. It is just to do it for the specific account more generally. Yes? Yes, so if you have a problem like this, could you get rid of, so do you mean if somebody has actually performed this exploit, now they're running this code, could you get rid of it by turning it off? Excuse me. Yes and no. It depends on how this program has been written. This program could actually be written in such a way that it says, okay, now I'm actually running, so now I am going to actually install myself in some important system file. So just shutting down your computer to eliminate this program from running in RAM isn't necessarily going to solve that problem. Again, it depends. We've had to do a lot of hand waving, say it depends, but it really depends on how the code is written. It could be written so that it does survive a forced shutdown, a forcible shutdown. In fact, you may not even realize that anything is wrong until it is too late, just
because there's no good way, you don't have insight into each of the individual blocks of memory that are running your code, and so you may not know when one block has been overwritten by something else. All good questions though. Anything else?
Okay, so like we said before, the defense to this is pretty simple, and it's something though that the programmers have to implement themselves. It's just a check to make sure that the sequence of characters fits within the amount of memory that they expect it to fit in. But this is, although it sounds very easy, and in fact it is easy to implement, it's something that's also easy to forget to do. It's very easy to just completely forget to do that and allow, to have this problem existing within some application.
Now we talked a bit last week about SSL, and we've talked for several weeks about SSL and how it relates to HTTPS. And so to add this, we have of course HTTPS, and that uses this technology called SSL, and SSL is basically just a practical representation of cryptography. And so what is cryptography? Cryptography is basically just something that allows us to encrypt some text or some data into something else so that other people cannot read it. So let's say that we want to do some very oversimplified set of cryptography just to show you an example of how this might work. Let's say that I have a text like this, it says hello, and I now want to encrypt this text using some cryptography. I actually want to use some cipher against this particular text. Well, I can do something that's called a Caesar cipher, and I can rotate each of these things. And so what I'm going to now encrypt it like this, m m p. So now this second set of letters is the encrypted form of hello, but this is a very basic, simplistic form of cryptography. H from the word hello turned to I, E turned to F, L turned to M, L turned to M, O turned to P. Does anybody know what's going on here? How did I encrypt this? I just went to the next letter. So this is called, more generally it's a Caesar cipher, but
it's called more specifically ROT1, or ROT1, or rotate each of these letters by one, goes to the next one. Now there's sort of another version of this which perhaps looks a little bit better, which is ROT13, and ROT13 will actually change this same string to something that looks altogether different, U R Y Y B, like this. But again, just because we're going based on the same scheme, ROT13 means that all I have to do is rotate it by 13 characters. So 13 characters away from H is U, 13 characters away from E is R, so on and so forth for each of these characters. Now this may seem like it's not a, hopefully it seems like it's not a very good method of encryption, and in fact it's not. This is a very poor method of encryption. It's something that people have been, it's very easy to just sort of guess what might be going on, because if you have some encrypted string like this and you want to try to decrypt it, you only have 26 rotations to try to figure out what might be going on, right? You could first try rotating this same string once, see if that helps, try rotating the same string twice, see if that helps, and eventually you will get to ROT13 and you will notice that you get the same string in the result. Now let's say that I want to do something a bit more secure and I do this: I encrypt from hello using ROT13 to this string, and then I encrypt again using ROT13. Is this more secure?
That's right, because it's, because 13 is exactly half of the number of characters that we have, 26, in fact it takes you right back to the original hello. So ROT13 again is not something that's going to be very secure for all of your means.
So is there a way that we can make this a bit more secure? In fact there is another cipher called the Vigenère cipher that uses a similar concept but ups the ante. It increases the complexity of this by a great deal. So let's continue with our unencrypted text of hello in this case, but now what we are going to do is we are going to add in the concept of a key, and what the key does is it tells us how we are going to encrypt this text. So this is our unencrypted text, hello. Then we have a key that looks like this: key, key. So now how do we in fact encrypt this text with this key? But what we do is we give a number to each of the alphabet characters in the key, and we give that number based on its location in the alphabet. So K, for example, let's see, is going to represent the number 10, and let's see, it's going to represent the number 10, E is going to represent the number 4, sorry, this chart sucks, and Y is going to represent the number 24. Now how did I arrive at these numbers? Well, if A is 0, then B is 1, C is 2, so on and so forth, and I am able to get each of these numbers here just by figuring out its placement in the alphabet. So I have now 10, 4 and 24 for the key. What I do is I apply those numbers, I rotate the original sequence with those numbers. So I rotate H by 10, I rotate E by 4, I rotate L by 24, I rotate L by 10, I have to go back to the beginning because I have run out of characters in my key, and I rotate O with E. So now the end result of this is going to be something different altogether, and in fact the answer for this rotation is going to be R I J B S. And this now cannot be unencrypted quite so easily. You can't just rotate the entire thing like we did with the Caesar cipher, just because then it's going to still be sort of gibberish, right,
because we've rotated each character by a different amount. Now once somebody else has obtained the key, then they will know what they can do to rotate it back. So basically they look at this key, they say, okay, the first letter should be moved back by 10, the second letter should be moved back by 4, the third letter should be moved back by 24, so on and so forth until you get the original text. So Vigenère cipher is much better, it's a much better cipher because it's now, encrypts this, this text in a much stronger way. However, this is still not a very good encryption scheme. It's still possible, if the key is, especially if the key is small enough, for you to be able to do some computation on it and try to figure out what that key might in fact be. So nowadays we don't actually use either of these ciphers except for sort of examples and for fun. You might see some puzzles that actually implements Caesar or Vigenère cipher just to try to get you to figure out what the encrypted text might be.
But nowadays we use something that is much, much more complicated. Generally, for things like SSL, for a lot of the encryption that happens on the computers, we use generally one of two types. One is called public, public key cryptography, the other is called private key cryptography. So private key cryptography is sort of similar to this idea right here that we had with the Vigenère cipher, where there is a key, and that key is the key, if you will, to being able to decrypt and encrypt the text that we had originally. The reason that is called private key cryptography is because this key that's used in the encryption and decryption is actually private. You can only have this key to the person that wants to encrypt the information and to the person that wants to decrypt this information. If anybody else has access to this private key, it's possible for your encrypted text to be unencrypted and to be able to be read. So there is also another method as well called public key cryptography, and that basically uses
math of very, very, very, very large prime numbers, and basically what this allows us to do is we create two numbers, we create a set of two numbers that are related together in some mathematical way. Both of them are very large prime numbers, and one of them we call the private key, one of them we call the public key. Now keep in mind, we call all this stuff private key, but throw all of that away for this particular discussion, because the concept is entirely different. It's entirely different than this idea here. In this notion we have a private key that is private only to ourselves. Nobody else has access to this private key. If anybody else does have access, that's bad, because now your data could be received in the clear. But the public key is what it sounds like: it is a very large prime number that can be given out to anybody. Anybody in the world can have your public key. And what happens is, when some data needs to be encrypted, you look at this public key and you encrypt data in some way with this public key, then you send that data to the intended recipient, and because that person has the private key, they are the only ones that are able to decrypt this information. So it's a one way encryption. People are able to encrypt information on one end and send it to the intended recipient, and only that one person is going to be able to decrypt it.
Now you might say, and this certainly confused me a little bit at first too, is that, okay, well, this sounds now very one directional, because it sounds like now people can only send me encrypted information. And yes, that is the case. This is a one way encryption. Other people, let's say I generate a private key, and a private key and a public key. I give out my public key to everybody in the world. Now somebody can encode, can encrypt their message to me with this public key, send it to me, and only I have the ability to decrypt it with my private key. Now if I want to go the other direction, then I have to do something similar. I have to have the other person's
public key and encrypt that information and send it to them, and then only they will be able to decrypt the same information with the private key. So I realize that there's a bit of complexity here and we're going into a little bit of detail, but basically this is how these sorts of concepts work with modern cryptography, is that we're able to do one way encryption, and only you, because only you have access to this private key, are you able to decrypt the information, and you're guaranteed that the person that has the private key, only that person is going to be able to decrypt any information that you have stored with the public key.
Yes? Couldn't work both ways? So the math is much more complicated than what I am describing. It is possible, if you have two, you know, if you have some huge number that divides into two prime numbers, that it could work both ways. The math is in fact a bit more complicated than that. So it is in fact the case that by, just by virtue of you having the private key and holding that private, it's not possible to decrypt the information that's been encrypted with the public key.
But again, so again, there's two major ways in modern, sort of modern day computing that we can encrypt information. One is the private key cryptography that we mentioned before, where there's this notion of a key that's shared between people, so it's this sort of shared secret in a sense then, and those people that hold the secret are then able to encrypt and decrypt information at the same time with the same key. But, and this is different from public key cryptography, where you have this one-way direction of encrypting these messages. Only people with public key can, rather people, only, only people with this private key, which is a different notion from this private key, only people holding that key can decrypt information that have been encrypted by somebody else. So all of this is just a fancy way of saying that we have much more, much bigger ways, much better ways rather, than using Caesar or
Vigenère cipher of encrypting information nowadays. In fact, we use huge quantities of huge numbers, huge quantities of information, to be able to encrypt this information from one place to the next. Any questions on this?
Okay, so finally there is this concept, if we have some, if we actually want to start using some of this information, yes, we can, can in fact use public key and private key cryptography to be able to send data in an encrypted way, and in fact a lot of current computer services in fact use one of these two methods to be able to operate properly. So SSL, for example, uses a combination of the two, I believe. It basically will use this public keys and private keys to be able to share a shared secret between two, and then use that shared secret between those two machines to be able to encrypt and decrypt information.
But there's another thing as well that I think we might have mentioned briefly in our talk about the internet but really hadn't gone into much detail, and that's this idea of SSH, or secure shell. And SSH is just another protocol. Like we would use HTTP to transfer webpages from a server to a client, we might use FTP to transfer files from one machine to another, we might use IMAP for email, or a whole variety of other protocols, this is just something else that operates on the internet that allows us to create a secure shell, that's where the SSH comes from, secure shell, from one computer to the next. And basically what it looks like is ridiculously arcane and it looks really very geeky, but this is also one of the things that's, this is also one of the most important things that we have on the internet today, just because this is how a lot of people are actually able to administer machines. And so basically how it works is you open up a terminal window, sort of like this, and when you SSH, you actually SSH into a machine, and you are given basically this same window. And now you might say, well, there's not a whole lot that I might be able to do with this window, but realize
that this window allows you to execute commands, and these commands basically are applications that are being run on a remote machine. So you might then have, for example, you can run ls command and you can see the contents of a folder, you can use cd to change directories, you can continue using ls. There's a whole bunch of stuff that you can actually do, and of course these are some of the most basic examples of commands that you can run, but basically all it is is the same concept of having a server and a client, where there's an SSH server that you as a client would log into, and you can execute commands on that remote machine. And it uses these same concepts of public and private key cryptography to be able to send all of this information in fact in a secure way. Not all of this information that you send over SSH is in fact secure, and so there's these spinoffs, and if you are interested, I mention this only for those that are interested in taking it at sort of a step further, there's an additional, there's some additional concepts that SSH actually provides that might allow you to secure your online access just a little bit more. One of those is called port forwarding and another one is called dynamic port forwarding, dynamic port forwarding. And what these two things basically allow you to do is to piggyback off of this secure connection that you have with the remote server to be able to do a variety of things. So this is basically, you can, using SSH's dynamic port forwarding, create a proxy where you connect to a remote server in a secure way and you send all of your, or you send most of your internet traffic through. And so this is sort of a step away, it's not exactly like, but it's a step away from this concept of VPN that we had talked about for a long time, because then what you can do is you can just set up this secure connection between your machine and a remote machine, and you'll be able to use that to your advantage such that no longer will somebody sitting next to you in the
coffee shop be able to look at your unencrypted packets, because it is in fact being encrypted over the SSH protocol and sent in an encrypted manner. So again, these are sorts of details that I just want to, the details are not very important, but they are useful if you are very concerned about learning about the variety of ways that you can protect yourself on the internet. Port forwarding and dynamic port forwarding, using, it's basically a proxy through SSH, is one of the best ways that, or one of the, certainly a very good way, if perhaps not the best way, of doing this sort of thing.
So with that we end the security lectures, and that is it for me for E1. Next week David Malan will come back and we, he will talk to you, will finish up the semester with HTTP, or rather web development and programming, and then we have some of the final goodies like the exam and the final movie as well. So with that, I thank you all very, very much for all of your attention these past few weeks, and I hope to see you all again very, very soon.
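The rotation ciphers walked through in the lecture, as an added example that is not part of the lecture itself: it implements the Caesar rotation and the keyed Vigenère rotation with A counted as 0, then shows why both are weak by trying all 26 rotations and by trying every key of up to three letters. The function names and the small WORDS list are assumptions made for this example, and only letters are handled.

```python
import string
from itertools import product

ALPHABET = string.ascii_uppercase

def rotate(text, shift):
    """Caesar cipher: move each letter `shift` places along the alphabet, wrapping at Z."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
        for c in text.upper()
    )

def vigenere(text, key, decrypt=False):
    """Rotate letter i of `text` by the position (A=0) of key letter i, repeating the key."""
    sign = -1 if decrypt else 1
    key = key.upper()
    return "".join(
        rotate(c, sign * ALPHABET.index(key[i % len(key)]))
        for i, c in enumerate(text)
    )

def brute_force_caesar(ciphertext):
    """Undo every possible rotation; only 26 candidates exist, so all can be read by eye."""
    return [rotate(ciphertext, -shift) for shift in range(26)]

def brute_force_vigenere(ciphertext, words, max_key_len=3):
    """Try every key of up to max_key_len letters; keep keys that decrypt to a known word."""
    hits = []
    for length in range(1, max_key_len + 1):
        for letters in product(ALPHABET, repeat=length):
            key = "".join(letters)
            plain = vigenere(ciphertext, key, decrypt=True)
            if plain in words:
                hits.append((key, plain))
    return hits

# Constructed word list standing in for a dictionary.
WORDS = {"HELLO", "WORLD", "APPLE", "HOUSE", "WATER"}

if __name__ == "__main__":
    # ROT1, ROT13, and ROT13 applied twice (which undoes itself).
    print(rotate("HELLO", 1), rotate("HELLO", 13), rotate(rotate("HELLO", 13), 13))
    secret = vigenere("HELLO", "KEY")
    print(secret, vigenere(secret, "KEY", decrypt=True))
    # Index 13 of the candidate list is the rotation that undoes ROT13.
    print(brute_force_caesar(rotate("HELLO", 13))[13])
    # 26 + 26**2 + 26**3 = 18278 keys are tried here, which takes well under a second.
    print(brute_force_vigenere(secret, WORDS))
```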