 That's okay Did Well, good evening welcome to computer science e1 my name and his name is David Maylan This is lecture 9 security continued And this is as you've heard the video iPod Apple was kind enough to send us a video iPod with which to develop the remaining Lectures on the course and surprisingly it works pretty well Right, so I've sort of moved up in the world from the sketchy guy in the Apple store who's doing this In the Cambridge side gallery. I can now do this in more private venues But I brought this tonight and I installed on it a number of the videos from our podcast so that you could all take a Look so what I'll do in a moment is pass the iPod around for the moment I will lock it on play mode just so that everyone can see it actually working and not And say some broken form But then we'll pass it around again I'll unlock it so that you can play touch all the buttons You want pull up a game and just generally pass it around through lecture tonight And there's a little set of headphones too if you want to actually hear the sound so here We have Ray's part of that particular introductory video the things you should note is besides the the brilliance imagery That's coming across is also some of the more technological things of course the splotchiness that ray seems to be eventing here And he doesn't events in person the splotchiness that I seem to events to so think about some of the issues We've talked about in our multimedia lecture like Compression interframe Because on a medium like this which we've tried particularly hard to compress so that you can fit these videos into small devices and have them Download quickly we really did have to sacrifice some amount of quality in order to have the videos be a reasonable size and recall from last week I think I said that we got two-hour lectures to be just 200 megabytes Which is actually pretty remarkable considering that it's two hours of content But you'll notice that even though we've sacrificed some quality with some lossy compression You can still and I'll queue it up for one of the actual lectures actually read quite legibly What was on the blackboard at night? And I think that's sort of our yardstick if you can read what's on the board on a screen this small Then I think we've done a pretty good job with the compression even though we've saved a good amount of space So once you if you've never how many of you have never used an iPod before Okay, so this will be a fun experience It's actually wonderfully simple the essence of the interface for the iPod is that you can hit the menu button to go back Or to go to the main menu and then pretty much left or right and then you can hit play and pause But the cool thing with these newest iPods is that to scroll up and down What you do is roll your finger to the left or to the right and it's touch sensitive like a laptop's touchpad The only buttons on this device are the four different buttons top bottom left right of this scroll wheel And the scroll wheel itself in addition to this center button and then there's this lock button on top But otherwise, it's a wonderfully simple device and I will go ahead and queue up. Let's say lecture one Which was hardware. I'll plug in the micro the headphones here Do the headphones have to be attached to continuous play? Okay, so if you disconnect the headphones what happens It does by design tend to pause the presumption being if something comes loose while you're carrying this thing in your pocket You don't want it to keep on playing so if you notice that if you pull it out. It won't it will pause in this case So actually it looks like that's a good point. What I'm going to do is Just make sure you leave the headphones attached So the video does not pause and if you have any questions or concerns about having just broken our 60 gigabyte iPod Just cats raise attention or the Romans attention and one of them will run over and hopefully reboot it for you for the next Person so feel free to poke around and for now go ahead and just leave the settings alone So everyone can see it live and then we'll pass it around again, and you can play to your heart's content over the course of tonight Couple of exciting things coming up as always we have in this week sections a focus on Disinfecting a PC so you'll actually get your hands dirty with a discussion and some hands-on activities with spyware and Viruses and worms and we'll again whip out some of our own equipment And also we've invited a number of students to bring in their own laptops if they wish for more of a Even scarier hands-on demonstration coming up this Saturday is a fun workshop that we've we're offering this semester for the first time The title of which is digital photography. So there is a huge movement in the world now toward digital Photography and I mean I even saw in CVS just today Disposable video cameras which I think is sort of a an offense on some level in the first place But for $29.99 you can buy some sort of digital disposable camera that you use once and then presumably you connect to your PC Or you mail it somewhere to get a CD back something like that But I think the takeaway besides the disposable nature of these things which is perhaps somewhat distinctly American is the fact that the technology has gotten so cheap and So fast that you can actually do these unfairly inexpensive devices. So Coming up this Saturday, then is a workshop on digital photography among the things you will do with Dan at the helm Dan is quite an aspiring photographer and if you go to his personal website You'll see many more photos than I'm about to show you but he's quite the fan of both optical and digital Photography and what I asked his permission to do tonight is just to show you a few photos that he has Taken over the years what you'll do in this workshop this Saturday is pretty much learn all there is to know about digital Photography what the cameras are all about what you might want to look for when choosing a camera how you could go about printing Photos how you would go about transferring photos from a digital camera to your own PC or to a CD Really much just a crash course and everything you might want to know about digital photography and what it might be able to do For you and some of these photos they won't look as good on this projector But if you look at them on a sharp LCD or CRT they really are beautiful And this projector doesn't do them justice and all of these are Dan's particular work And I'll defer to him for the URL of his own personal website but the beauty of digital photos is that even if you do end up spending say $300 or $200 up front for the digital camera the marginal cost of taking a photo is Pretty much zero and these days The greatest advantage to someone like me frankly of digital cameras is that the things are so small Small to the point where you can actually fit these things as you've probably seen in your pocket Which for me as a tourist is by far the most compelling feature of a camera the fact that I don't have to lug those things Around on your neck anymore and granted my camera is of much lower quality than Dan's and if he brings it in You'll see that Dan has a somewhat large camera But with size do you get even more power and capabilities? But that's certainly not necessary today, but inside of digital cameras. There's a type of memory these days What kind of memory do most digital cameras store photographs on? Yeah Memory stick is one sort of marketing oriented term for it a memory card sort of a synonym These are sort of just the buzzwords that surround the general type of memory known as flash memory We've talked about USB flash drives aka jump drives aka USB sticks those little devices One of which I brought last week that you can plug into the side of your computer and then immediately have access to 256 megabytes or even a gigabyte or more these days well in digital cameras today There are flash memory cards of some sort sometimes. They're long rectangles. Sometimes they're square like Square like cards that you slip into the computer That's perhaps the only nuisance today is that a lot of different vendors use different types of Flash media as it's called, but for only 15 20 bucks You can buy what are called flash card or flash media readers Which are just inexpensive devices that have several different slots on them on the other end You have a cable that goes into your USB port and essentially what you then get with these devices is Compatibility with sometimes 9 or 12 or even 15 different types of flash memory So these days it's not even such a big deal if the camera you get Doesn't have the same kind of memory support that another camera has because it's so easy to nonetheless get the data off and Onto your own typical memory size and cameras these days or what how much flash memory does a typical digital camera have do you think? 512 what? Units are always important, right? Megabytes. Yeah 512 megabytes even a gigabyte or 256 megabytes when I go away. I think I have a You know, it's so it's so sufficiently big. I don't even really know how big it is I think it's 256 megabytes maybe 512 megabytes and I come home usually with from a trip with 400 photographs, you know from just a few days of being away now granted about 398 of those will never see the light of day But it cost me nothing to take them and so in short I think you'll have a lot of fun particularly if you've never delved into this world of digital photography before With Dan's workshop this weekend or even if you're not local or not available to simply dive into some of the notes That he will be putting online Yeah What is that a Flash card reader a card reader many different names for and sometimes you don't even need such devices You can just plug your camera into your computer directly with a fire wire or a USB cable All right any questions before we dive back into the somewhat scary world of security Dan's a great person to talk about I can give you a quick two sentence answer part of most digital cameras is the ability to zoom Most of them can zoom up to 2x or 3x factors Beyond that most cameras also offer digital zoom up to 20x or 30x Frankly, I don't even understand why they use it digital zoom essentially creates Sorry, this is more than two sentences Digital zoom creates that effect that you see in TV and movies where the police are trying to zoom in on a License plate and all they have is some cheap camera that photographed a guy going through a light for instance That a red light and they zoom in and it gets very splotchy splotchy splotchy Well in the movies and TV all of a sudden they just push a button and it becomes crystal clear Well in the world of digital photography there is no such button So you can zoom in 20 times, but all it does is get splotcher and splotcher So looking for a good optical zoom is what's key and I'll defer to Dan for perhaps a more expert opinion Digital zoom is not useful at all. It's just a marketing thing But a good question Any other I'm sorry It's a good question. What my file format are digital photos stored JPEG is quite common Tiff is another common format a raw is another file format altogether We're pretty much you just store raw bits many of them for each pixel saying what color that pixel should be Similar in spirit to a bitmap, but JPEG is quite popular these days So all the innards of these things are quite familiar to you already All right Well while last week's lecture was meant to be a bit frightful and scary as to all of the threats to your privacy and security We just spent ten minutes talking about you With that said we spent in last week talking about the threats to your privacy and security Well tonight is about some of the defenses that exist and we'll Interleave into this lecture discussion of some of the topics from last week But generally please consider this lecture in particular an opportunity to ask any and all questions that come to mind particularly as this is one of the most Important or there's a interesting topics that we explore in the course because it's so Personally important to so many people keeping their data and personal information intact and secure Well scrubbing Scrubbing or wiping is sort of the counterpart to a topic We spent a good amount of time on last week and you even walked home with an article about what does it mean to scrub? Your data or your hard drive To go over it clean it out good, but be a bit more technical Yeah, that's pretty good to overwrite your existing data with random data of zeros and ones So that's exactly right to scrub your data or to wipe data Means to literally overwrite it because we've heard many times in this class that when you delete quote-unquote a file That's sort of a misnomer because you're not actually deleting the file. What are you only deleting usually? Right the reference in the file allocation table or the equivalent so you're simply unlinking the file You're losing track of it But the bits that comprise that file are still very much on the hard disk and we saw last week with our little forensic Demonstration that it takes just seconds with the right software and the right hardware to recover for instance The course of syllabus which you saw me delete and then empty the recycle bin on Well scrubbing means to go one step further Not only do you erase the entry from the file allocation table? But you also overwrite the data itself now for the most part for most people and for most Security purposes it probably suffices to just overwrite those bits with all zeros or just random data However, there exist standards today Perhaps the most popular of which is a Department of Defense standard which says to write data seven times over Previously existing data where you have a known pattern of zeros and ones that is to overwrite your original data Six times and then on the seventh time you actually overwrite the data with truly random data and Using different options and different programs You can go one step further and then for instance zero as they say the whole hard drive or the file So that you see in the end the example like last week when I showed you one hard drive Which I had pre-wiped before class recall that it was all zeros and that is truly a drive that's been wiped in the most Robust sense and it is pretty much folklore Supposition that folks like the NSA with enough time and enough money can actually recover data when it's been overwritten Seven times it's even conjecture that you can probably not without great difficulty and cost recover data That's been overwritten just once in short if you took some time to read through that article by Simpson Garfinkel last week And perhaps download some of the software with which you can wipe files and scrub your own hard drives You'll see lots of different options and among them will be what level of security do you want the trade-offs for? Most people like us is that the more times you wipe the data the higher the level of security you choose the longer It's going to take for your data to be scrubbed or wiped So it's really a trade-off between security and convenience But for typical usage most any one of those products that is not buggy is More than adequate and that was the catch recall not all of these products are perfect Which means you don't really want to put your trust in any such software unless you've read some reviews and done some research Say on the internet as to which of those programs are really recommended by experts and professionals questions Yeah, okay good question Okay, when is scrubbing useful for a layman? I would say that if you ever get rid of a computer whether you sell it or bequeath it to someone else as a hand me down It's probably in your interest if you have data that you just don't care for anyone else to ever come across Even if it's fairly innocuous data like old essays To scrub the entire hard drive and the software I would recommend for erasing an entire hard drive is a freely available product as Most of our linked software is in this course It's linked on the software page as of last week under security and it's called somewhat Intriguingly Derek's boot and nuke with that said be careful with software like this because do read over the directions on a web page like This what the page will allow you to do is Download either a floppy disk image or a CD-ROM image that you can then burn to a floppy disk or to a CD But thereafter you really have a very dangerous piece of software sitting on that floppy disk or that CD-ROM Because the design of the software if you then boot your PC with that floppy or that CD-ROM is to wipe The entire hard drive it doesn't do selective wipes it wipes the whole hard drive So even I you know savvy as I like to think I am with things like this Even I am paranoid when it comes to wiping disks in my computers at work or at home And so even I for instance will open up my whole computer And if I have multiple drives in there multiple hard drives I will physically unplug the ones that I don't want to wipe just so that I don't goof late at night and make a Day an expensive mistake So in short don't leave floppies and CDs with wiping software lying around the home If you don't want them accidentally booting in your computer, but this is a wonderfully Solid program with which to wipe whole data if you are I mean frankly a lot of people install software like it's a program called window washer Other programs that that article last week mentioned those are not for wiping whole hard disks by contrast They're meant for wiping certain Subsets of your data your cookies your temporary internet files even at the district attorney's office will often see folks who don't really know anything about Computer security, but new enough to go spend 1995 on some program like window washer to install it on their computer so that you essentially cover your tracks pretty Automatically when it comes to what websites you're visiting maybe what else you're doing with the computer, but again, you know I caveat and for Sometimes those programs are buggy, which is good for us in the DA's office, but not so good for the person doing the scrubbing So do your homework and research products like that before you use them and put your trust in them Does it remove your drive recognition? What do you mean? excellent question When you wipe a hard disk like this you're pretty much not only zeroing all the data But you're restoring it to its original factory condition small white light, but that's essentially the case Which means that there is no longer any partition on it There is no C drive. There is no D drive if you had multiple partitions So if you want to now use this hard drive with most operating systems It's actually as simple as just putting your Windows XP installation CD in the computer Booting it up with that hard drive that wiped hard drive in the computer Windows XP's installer will realize Oh, you have an unformatted hard drive here. Would you like to create a partition? Would you like to format that partition? So it's not a problem But when you wipe a disk you do get rid of all such structures like the C drive and so forth. It all goes away Good question. Yeah Okay Yes So I haven't followed this thread too closely But the story essentially is that Sony was caught recently Red-handed as they say with having installed what's called DRM software on people's computers where DRM is the jargon these days for digital rights management It you might also see this described in the articles as a root kit Essentially with some software that many people were installing with Sony products They were installing this software that essentially gave them unfettered access to your computer And this was not disclosed as my understanding in the little agreement that people signed or didn't sign When installing the software I'll have to look into the specifics of this particular case But they got slammed in the media because particularly by privacy enthusiasts because My understanding is that they did not inform people of what they were doing and we're simply giving themselves too much access to a User's machine, but I'll follow up perhaps via email on that so I can give you more technical detail But it is germane to this topic at hand Other questions or comments No, all right The iPods making its way around so it's almost time to play on round two Another defense well this topic came up last week, and I said we'd spend more time on at this firewall is A term that most of you probably even heard before coming into this course Even if you didn't quite know what it meant in the context of information technology So this picture kind of gets the point of a firewall across right in the real world 20 years ago Before computers had firewalls buildings had firewalls particularly in strip malls or in buildings where at least good Developers had the foresight to install firewalls between units So that if you had a restaurant next to a little boutique and that restaurant had a grease fire and the whole restaurant went up in flames Ideally the neighboring units in that same building would not go up in flames So a firewall in the conventional senses leave fire retarded wall that simply blocks ideally the passage of flames from one unit to another Well in the world of computers a firewall is sort of similar in spirit in that it's meant to prevent passage from one side of it to another But it's clearly more technical more technological more advanced technique than just mere bricks in the bricks and mortar world Well in more technical jargon. What is a firewall in the world of computing as you understand it good? Good it prevents information from flowing from one network to another So typically companies today will have a firewall protecting their land or their whan Essentially a firewall is usually installed between the whole internet and some smaller network those of you with home routers A few weeks ago. I said that these router it's tough to slap one label on those devices the link six devices the netgear devices Because they are routers slash firewalls slash proxy servers slash DHCP servers slash kitchen sink Like they literally have all this functionality wrapped into one and usually on the shrink threat box The company will just call it a router or a home router or an access point, but they do so much more these days well one of those Pieces of functionality is this act of Firewalling and as Peter said it does prevent essentially flow of information from one side to another But a more interesting query for tonight is What does that allow you to do? Well with a firewall a company could for instance prohibit users? from using instant messaging in Other words you might have sitting at your desk in your office building the ability to send email to anyone in the world Thus going outside your own network with your emails You might have the ability to access any website you wish But if you pull up a alone instant messenger or MSN or yahoo messenger You might get some error message saying could not connect and that's because many companies do in fact block Such services as instant messaging the question for us though is how a firewall is a device that sits between your LAN and The rest of the internet how do you think technologically companies are prohibiting you from using certain internet services, but permitting others Yeah They know the port so we've known for a while now that all internet services have associated with them some port So HTTP is the language that web browsers and servers use to communicate and that's Known more numerically by what port number? 80 So these are essentially synonyms. This is the human readable form of this number This is just a convention that HTTP is associated with port 80 It's simply a number that a bunch of folks a while ago decided would be the standard number for HTTP But it was arbitrary. What about something like? SSH what port does that use? Bit more of a trivia question 20 not 16 higher than that 22 is in fact the case What about SMTP for mail? 25 25 and we'll do one more HTTPS, which recall is the secure equivalent of HTTP This one's a bit trickier Anyone 443 That is in fact the answer now every internet service including FTP including instant messaging including Skype including Napster and peer-to-peer file sharing programs almost all of them have one or more standard ports associated with them at the end of this course if you can remember 80 Let's just say if you can remember 80 you're in good shape Which means as of tonight sounds like we're already in quite good shape And I say that because it's not so important to know these numbers unless you are the administrator that needs to be savvy With these kinds of detail so as you suggested to block traffic from leaving a network say that on the left And entering the internet all you have to do in the so-called firewall is watch all of the TCP IP packets That are going from one side to the other and if you ever see a packet that's destined for port number 123 if port one two three is the AOL instant messenger protocol all you simply say is nope This packet may not go any farther than the firewall and the packet is quote-unquote dropped or Nord Well similarly can data be restricted coming in in fact if you have Verizon DSL in some areas You cannot for instance connect from say Harvard to your own computer Even if your own computer is running a web server or your own computer has like a Tivo behind it that you want to access or your own computer has Windows Remote desktop installed for those of you have seen it Windows XP allows you to connect to a Windows XP computer from another and control it Well, you can't do this on a lot of Verizon Verizon DSL connections because they essentially firewall incoming traffic, so you can't connect This is true even of Comcast and of Harvard and of a lot of universities and companies They pretty much restrict most incoming traffic the reason being they don't want home users for instance or Harvard undergraduates Running servers in their dorm rooms or in their homes trying to initiate connections outwardly But they don't want connections coming in because if you're running a server They don't want to charge you 1995 a month. They want you paying for a host or some level of service That's more than that essentially They also don't want the bandwidth to be eaten up by someone's server in a local neighborhood So in short firewalls can restrict data coming in as well as Going out and for the most part it's all done based on these rather arcane port numbers But you can do this even with your home routers if you've ever Connected to your home router odds are those of you at home with one of these home routers You simply want to visit an address of the form HTTP is a little small I realize You want to visit it an address of the form HTTP colon slash slash most likely 192 dot 168 dot 1 dot 1 that is most likely The address that you can control your own home routers with if you go home tonight And if you or someone in your household were at least a little bit paranoid Hopefully when you are you will be prompted for a password and Hopefully that password will not be quote-unquote Password that password will not be one two three four and that password will not be admin a D. M. I. N. Which are perhaps the three most popular? default passwords that a lot of home routers ship with and most people do not think or do not know how To change those values so part of tonight's discussion of course is how to secure your own household It's not enough to have a password if it's the default password that every other links this owner has But with this interface if you get in to your own home router and start poking around the menu options You'll start to see mentions of things like these protocols You'll start to see mention of these port numbers and the means by which you can even in your home network Restrict your own kids use of the internet by for instance prohibiting them from using instant messaging Just as though you were the sysadmin at your company, but I'll defer to your specific Documentation for your own hardware on how to do that, but it's not too hard Question over here. Yeah An excellent point because these home routers are interposed between you and the internet They essentially can act as a server among all other things So in addition to being a router and a firewall and an access point most home routers are also web servers And that tends to be their default address And so if in your computer you connect to that address assuming you're connected to your home router Even if you don't even own a Comcast or Verizon connection yet You'll still be able to access that address, but no other because you're essentially are accessing the only machine in your world That's running an active web server, which is your own home router And the reason that it's accessed via URLs is just that link sys and these companies decided that it would be easier If they didn't write special software with which to control these devices But just leverage the presence of a web browser on everyone's computer and just made a web interface It's just meant to be simpler other questions Yeah Indeed a firewall ultimately is a piece of software though as is the case with almost all of the services We've talked about in this course you can often describe Software as hardware so I can point to a computer on my desk and say that's my firewall But if I want to be really correct I want to say that is a PC running my firewall or that is a piece of hardware made by link sys That is running a firewall But in common terms, I mean even I would just describe things as physical pieces of hardware even if they do multiple things It's quite reasonable a proxy server now This picture is a little scarier because there's much more going on but in addition to being a firewall most of these home routers and if you have or having trouble putting that into perspective recall if you attended our networking sections we actually had a Or is it made by Belkin? I think this year a Belkin home router That's all we're talking about those little devices that have a switch and so forth built in well among the things They do is they allow a user to share one IP address among multiple computers That is why your router's IP address tends to be of this form That is why most of the other computers on your network would have addresses like dot-two or dot-ten or dot-one 100 that is because even though all of the IP addresses in the world Even though the world has standardized The format in which IP addresses can be the folks in charge of crafting the IP address standard Reserved certain ranges of IP addresses to be only in private networks and to never appear on the internet Which is to say that is not a valid IP address For any server in the world that is only a valid local IP address a fake Internal only IP address and so almost all of us these days have been home networks whose IP addresses look like this And this can be problematic because even if you at home are wondering what your IP address is because you need to tell Comcast what it is maybe well if you pull up as we've done many times in class You are a little command prompt and type IP config Well, you'll get data like this which we saw on exam one But many of you will see an IP address of one nine two dot one six eight dot one dot something That is not helpful for Comcast or most tech support people trying to help you because that is an address That's internal to your network the rest of the world sees your IP address as something very different The IP address that Comcast gave to you or Verizon gave to you so This is an example of what we call a proxy server Just as in the world of say voting where some you might vote by proxy Which means you might mail in a piece of paper with your vote on it or in some context You might tell someone what how to vote and then they go vote in your stead Well, that person is acting as a proxy for you Similarly in the world of IT does a proxy server do something on your behalf? In so far as these devices are designed to share one IP address Among multiple computers the role for a proxy seems quite clear that home router is Serving for your computer and any other computer in your home is a proxy when you request a web page From your inside your home You are essentially sending that request to your home router Then your home router is making that request of say CNN CNN replies not to you But to your home router and your home router then forwards the answer to you Thereby truly acting in the most literal sense as a proxy doing something on your behalf This picture here, and I'll let you dissect it visually at your leisure It's just sort of a complicated example of how this computer here this Windows 2000 server running NAT network address Translation is serving as a proxy for all of these other computers these days You no longer need to have a separate PC serving as your proxy You simply buy these twenty dollar or zero dollar after rebate boxes that do proxying as well as other services But just a few years ago. This was the picture and even my first home network with some Friends of mine after college. We had a Linux PC sitting upstairs in our apartment with a hub connected to it Right an old-school hub and that Linux box was configured manually to be a firewall a proxy server and more But all of that hardware all of that functionality has now been subsumed by these individual cheap devices But the scenario is in spirit the same Yeah, a router would replace these days these two devices a Router because you most routers have the quote-unquote four-port switch built in that's as though your router has these ports inside of it So what happens these days is that this device merges with that one, but the rest of the picture remains the same VPNs oh question Correct So if IP config is only telling you your internal IP address How do you find out your actual IP address so far as the external network is concerned well one way is you could Connect to your router and most routers have a screen that will tell you what your actual IP address is barring that Frankly, it's Google to the rescue these days. I will go to Google.com and type in what is my IP address Now this is not going to be stored on some website statically right because there's not a webpage for every one of the billions of users in the world But recall that anytime you visit a site on the internet what information are you revealing? Your IP address so all it's all that's necessary is that some guy has made up a website that allows us to look up What our IP address is dynamically and I'll go to this website My IP address is 14024744.144 because I'm on Harvard's network and not using a Home router notice that that is in fact consistent with what IP config told me All right today's lesson of the day is if ever in doubt just type your question into Google and usually you can actually get responses these days Good question other questions Well, yeah, is the private IP address limited to what? Okay, good question. The question is and you've sort of noticed though. I didn't say it that IP addresses of this form 192.168.1. something Effectively limits you to a range of IP addresses from dot zero to dot 255 which means your home network and have no more than 256 nodes Which is fine for most of us right even the dorkiest among us do not have 256 computers in our home But companies might want to firewall their network and use network address translation and by that I mean if we haven't used the term before Nat or network address translation is just one of the features of most proxy servers It translates your phony IP address into your real IP address and back Well, how do we have more than say 256 addresses? Well, it actually is the case that 192.168 is just one example of private IP addresses There are others in the world that are reserved for these purposes and I just googled for this answer too Just so we could have a nice little table that I did not create myself 192.168 is one of the ranges, but there exist other ranges as well 172.16 allows you ultimately to have networks with 16 65,000 nodes and then if you have a class a network which most people do not have in reality Though MIT is one of the few entities in the world that happened their own class a not even Harvard has that Harvard has two or three Class B's in short there are other options that allow you many more computers even on a private network But for most of us that simply is not Not a useful detail that we'll need to use ever Okay, so now VPNs so a VPN is a virtual private network Well, how many of you have heard this acronym before a VPN? All right of the five of you. What is it? Can we get any kind of answer? Sure It's like a tunnel So a virtual private network as you've said is a tunnel essentially between one network or one computer and another network This is quite in vogue for instance for with companies these days that have Sales of Salesforce that travels a lot you want to be able to keep all of your servers obviously secure You want to keep all of your printers networked, but only isolated to local individuals in the land, but when Your sales people are on the road They want to be able to access for instance your file server or your internal database system or your internal HR system Anything internal to your company, but you don't want to just have them visit like everyone else in the world www.mycompany.com and have it glaring there for the whole world to access rather you would like to ensure that if one of your sales people has a Laptop they're using somewhere and they want to connect to your Revisiting some pictures we've used before if they are somewhere in the world with a connection to the internet and your company Meanwhile is connected to the internet what a VPN allows you to do is essentially to have a secure tunnel Through the internet to your company that is quote-unquote encrypted We've used this term briefly before to encrypt the data means to scramble it means to secure it so that no one who Intercepts the data can figure out what you mean and we'll come back to this tonight So what a VPN does allow you to do effectively is to tunnel across the internet with a secure channel So that you now create the illusion for the sales person's laptop that they are directly connected to your land Consider after all the scenarios. We've just discussed even in your home network You have phony IP addresses internal only IP addresses But suppose you do want to run a server for instance I've showed you in class my sling box that device that streams TV out on the internet well to control that I need To be able to connect to a box that's in my apartment and behind my firewall If I want to connect to my TVO which is similarly operating these days as a server unto itself I can't just go to David mainland calm and then hope that my TVO is going to show up because my TVO too is Behind my firewall, but I would nonetheless like to be able to get into my apartment Which we could now for instance depict as something much smaller than this and To do that even I you know one little person can establish with my own laptop of VPN into my apartment because another one of the features that many home routers offer today is that they act as VPN servers Which means you can connect from your laptop to your own home router in a secure way And I could theoretically even for my laptop here tonight Print to my laser printer in my apartment here wirelessly no less No one else in the world could do that unless they knew how to connect what to this VPN with my username and password But it creates the illusion once connected that I do in fact have a virtual private network One that's between my laptop and my home network So companies to be clear then we'll often use this for traveling Staff members so that they can securely access Company resources and for the user it's useful because you can securely access your own resources at home If you are so savvy or so determined to Is a VPN different from SFTP? Yes very much so SFTP is just a service in effect a program that allows you to transfer files from one computer To another a VPN does much more than that It creates the illusion of connecting a network cable directly from my computer to My LAN what that means is that I can do anything now over this connection I could drag files as though we're using Windows or using Mac OS as though I were simply copying them from one folder to another The VPN creates the illusion that I'm on the same network I could again print to a printer in my apartment which I grant is sort of a contrived example But it sort of speaks to the fact that we are in fact creating an actual connection with the network So SFTP is a program that lets you transfer files of VPN is a connection That lets you do anything that you could do if you were actually physically in my home Yes, and I grant you it's a little strange to be printing from Harvard Hall to my apartment And I question the usefulness of that feature But again it speaks to the fact that we're creating the illusion of my physically being connected to my own computers in my apartment For the typical user This is not necessarily a useful feature because it's rare that most of you probably need to connect to computers within your home But again for companies in particular and even Harvard University and MIT Offer their own VPN servers so that if you need to connect to for instance servers that are on campus Or you need to have a Harvard IP address to access certain websites case in point Harvard and MIT subscribe to a lot of online encyclopedias and journals and magazines and the means by which those Publications authenticate you and show you resources of most of these Publications, let's say an encyclopedia will say oh if this user has a Harvard IP address one that starts with 147 they may access this encyclopedia But now suppose you're off campus or you're traveling some semester you're still a Harvard affiliate You want to and you're entitled to access to those resources by VPNing to use it as a verb into Harvard's network What you also get when you have a VPN connection is an IP address from the local network So my laptop once connected to my apartment not only has whatever its actual IP addresses But it gets a second IP address, which is one of those 192.168 So if instead I were connecting via VPN from my laptop to Harvard University Even if I'm well off campus even in another country I will then get an IP address like one four oh dot two four seven dot something Which means if I then proceed to visit websites those websites will think I'm actually sitting at Harvard As opposed to sitting in my apartment and that too is a useful feature to create the illusion that you're somewhere that you're not Questions yeah Okay firewalls This is like an essay question Okay Yes So as of Windows XP and maybe Windows me, but I don't remember Windows comes with its own firewall So as I said earlier just as we can call firewalls pieces of hardware They're really at the end of the day pieces of software and so you can even have on your own local computer a firewall Norton Norton firewall or Norton security something like that is a product made by Semantic the folks who make Norton disk doctor and Antivirus they make their own version of a firewall. So a firewall is not only something you can buy in the form of a home router It's also something you can buy in a shrink-thwrap box and install on your own computer What it does if you use the built-in Windows one is that Windows by default if the firewall is on will not let any Programs on your computer access the internet unless you approve them So the first time you fire up Skype or a long instant messenger if your Windows firewall is on Windows will say You're trying to use Skype Do you want to permit this action and you then have to say yes or no? What's really happening is that Windows sees oh someone's trying to use port one two three four Do you want to allow port one two three four traffic through the firewall? But they sort of dumb it down to something that's a little more intelligible to most humans Do you want to let this program use the network for the most part software-based firewalls are fine? However, I think there is in principle an added comfort and an added Layer of security by actually isolating your firewall to a separate box that is physically distinct from the machines You're trying to protect the reason being if there's in fact a bug in the software in the windows firewall It's not good enough that the software is there if it's nonetheless by some bug Allowing traffic through and the problem with running to be a little more technical a Software-based firewall on your own computer is that if you have spyware if you have a worm or some virus installed? Almost all you Windows users log in as what's called an administrator Which means you have full unfettered access to your computer You can install software remove software and so forth with that said if you have some piece of spyware installed Or some worm or virus installed Theoretically that virus or worm or spyware is running as though you the administrator double-clicked it Which means theoretically you could be infected by software that disables your firewall without you knowing it That is arguably much less likely to happen if you're running one of these hardware-oriented firewalls like a link sysbox Because those are running Linux and rather than Windows and just there tends to be less fewer threats on such devices in short Use this but also use something else is the best. I think so that is the design I've taken with every one of my networks having a separate device It's worth noting too before we take a little little fun break here that those of you with wireless routers at home Clearly there is a potential issue for security leakage there because if your data is just zooming through the air anyone can just Read it. Well most home routers these days offer Encryption which means if you choose your wireless network, which I'll try doing here This is what Windows interface looks like unfortunately There's no other access points wireless routers in proximity to this building except Harvard universities and notice nowhere in that listing Is there a mention of a padlock well if I were actually back home where I live in the city And there's many different people with home routers all in close proximity I will see many different access points or home routers nearby me and with those little green bands It'll windows will tell me just how close I am just how strong the signal is It's been a funny thing to watch over the past two years that two years ago I might have eight neighbors with wireless Access points and thus internet service I could use and all of us probably know at least one person who hasn't paid for internet Service in a few years because they live so close to someone else who is and someone else who's sharing that Unknowingly or otherwise, but over the past couple of years It's been interesting to watch is all of these unsecured networks have gradually had those padlock icons Turned on which just means that people have turned on security or encryption Which means that if you secure your home network wirelessly You must type in a password on your laptop before you can access your wireless network Usually windows and macOS will remember that password But the point is that new people strangers off the street or nosy neighbors unless they know that password They cannot connect to your home network And this is important because those of you with home wireless networks if you have not enabled encryption It is quite possible that anyone nearby the so-called war drivers who drive by with way too much free time with laptops trying to figure Out whose access points are exposed could theoretically sniff All of the data on your home network might be pretty innocuous But they could theoretically see files you're transferring among computers emails that you're sending instant message Conversations because all of that is just out there. It was just a couple years ago that some guys were caught Sniffing wireless traffic outside of a Lowe's hardware store stealing credit card numbers and so forth because even Lowe's hardware Their sys admins were not actually sys admin But were guys who had set up a wireless network for the store, but had completely failed to security and with no security It's quite easy to access someone's network Including your own and I think the most popular offense these days of unsecured wireless networks Is just for people to use other people's internet service and not pay for their own useful Perhaps when you're traveling and you don't have a connection, but you turn on your laptop and you see one nearby Internet cafes like Starbucks and so forth will have unsecured connections But you'll often have to enter a different type of password to use them But Harvard has no such password here because they use another form of authentication, which we will come back to in Just a bit but in short and this was the lesson Even if you do secure your wireless network by turning on one of two protocols one of which is called web One of which is called WPA They are Protocols that encrypt your data, but both of them are broken The world has been quite irresponsible when it comes to encrypting wireless networks and someone with enough time and savvy can Hack your network so to speak by simply monitoring it long enough That is to say even though with weapon WPA you can encrypt all traffic between your laptop in your home and your wireless router Someone with the right skills and enough time can actually Decrypt that data and that is because both of these protocols have been shown to be flawed When the world will get around to shipping out better standards remains to be seen, but realize that at this point in the world Wireless networks remain less secure than wired networks at least within the confines of one's home With that said let's take a five-minute break and for those of you who would like to sit in the lecture hall I will queue up a little something fun that will Last those five minutes in the meantime the iPod is hopefully still in the room. I Will queue up another clip on it and please feel free now to play around with the menu options and the games that might be on it Alright the task at hand for you before we resume with our chat about security is Decrypt this for me This is a sentence that has been encrypted scrambled with some cypher What is the message actually trying to say? I'll give you a ten minutes how about the O is a B the first R Is an E who would like to play meanwhile? One person gets out of the exercise look closely. There's a clue on this little discus there little orphan Annie is cited Coming up on Christmas and at Christmas at least one channel plays a movie every hour on the hour called a Christmas story And the Christmas story is a little boy named Ralphie Well, all he wants is a red rider BB gun Hey, you want that hints I'm telling you the story At least one of you must have Little Ralphie throughout the course of this movie, which is in fact a classic and I do recommend it if you haven't seen it yet Little Ralphie is collecting little box tops or cereal box tops in hopes of Finally decoding the weekly message that little orphan Annie has on these cereal boxes finally little Ralphie Accumulates enough of these box tops or the equivalent sends in for his captain midnight secret decoder ring and Decodes one of the most recent messages which is printed on that product is that as the incredibly disappointing most devastating message from little orphan Annie which is Be sure To drink your oval teen excellent, how did you discover that? Excellent, I well I wish I in a better world you would win this iPod for that But for now you just get to play how about excellent This doesn't fact say be sure to drink your oval teen the more interesting question of course is why? Well, I already told you that the O is a B and the R is an E Can you bootstrap yourselves from there and figure out what the pattern is? 13 places so the cipher the encryption Mechanism that I have used here is something that's generally known as rock 13 or rotate 13 Which is a specific example of a seat of a cipher generally known as a Caesar cipher Which as history tells it was used by Julius Caesar many years ago to encrypt albeit relatively weekly Messages between his military personnel the rot 13 cipher is quite simple in that you take Every letter in your plain text message as it's called and rotate it 13 places and if you walk off the end of the English alphabet going from y to z you then go back around to a So you pretty much shift this 26 letter English alphabet by 13 places there by rotating the text and creating Ciphertext as it's called an encrypted message. How do you then decrypt something that has been encrypted with rock 13? Right unrotate or just rotate 13 more because 13 plus 13 is 26 So it's symmetric. So you just rotate 13 more places So if you do this at home the only thing we haven't rotated is the exclamation point We have rotated all the actual alphabetical characters my question now is this is clearly a weak mechanism, right? Even if you didn't know that we were using rock 13, but you had a suspicion We're using something fairly naive like a Caesar cipher the Caesar cipher in general is exactly this rotational process But you can have a Caesar cipher with a key of 13 or 12 or 11 or 25 any value from 0 from 1 to 26 That many places rot 13 is a specific instance of the Caesar cipher, but clearly not so Secure because if you knew I were using a Caesar cipher How much work would you have to do to break this encryption to figure out? What the message is What do you do? Right try them all right try the key for One try the key for two three four finally you'll try the key for 13 and realize aha I have recovered what appears to be what was probably the plain text an English message be sure to drink your oval teen well We want to make this more secure Well, what if we? Double the cipher and so we apply rot 13 twice how much more secure does that make our cipher text? We encrypt our plain text twice with rot 13 Does it double your security? Encrypting something twice with rot 13 okay, good, so I Think of this only because a truly geeky friend of mine years ago used to have as his signature as some people have these cheesy quotes and what not in their Signatures well this guy's a security expert and for a while He thought it was quite funny to include at the bottom of every email quote-unquote this email has been doubly encrypted with rot 13 for your security which to most people's like what? To those who understand it you emit quite the groan as hopefully you would now too for a gag like that Well, cryptography is the art of concealing data So the Caesar cipher and rot 13 are specific Techniques by which you can in cipher or encrypt data. This is what? SSL does for instance recall a while ago. We talked about websites whose URL started with HTTPS We discussed tonight that that really means that the websites are being connected to over port 4443 good Port 443, but what does that mean to be secure? Well, this means if you are connecting with your computer to some web server say Let's say bank of the Vest.com and you're using SSL which means you're connecting via URL of the form HTTPS Well, we've said for a while now that that means that the connection to the web server is encrypted Well, hopefully the encryption being used is a little more advanced than this and it is in fact the technology usually used these days is something called RSA among others RSA is essentially a fairly powerful Encryption technique that allows you to encrypt data from one point to another that's a bit of a simplification But it's much more mathematically advanced than something like rot 13 And the reason for that is that RSA and other encryption techniques that are actually used in the world are based on the hard problem of Factoring large numbers if you've ever heard that a lot of cryptography today is based on prime numbers The reason is is that when you use algorithms like RSA the key The secret number that you're using is much bigger than 13 Not uncommon today is to use keys that are for instance It's 1024 bits large What that means if you are using an encryption technique whose keys are 100 1,024 bits long that means you can have any number of keys from 0 to 2 to the 1,024th power now it's sort of tough to put that into perspective So let's relate this to something we've already discussed in the course. What is the value 2 to the 32? No, not 256 much bigger Remember I say you don't have to remember the exact value, but you should know that it's roughly Not the 65,536 Roughly 4 billion right billion 4 billion is 2 to the 32 All right The only big numbers you should remember coming out of any computer science class is that this is roughly 4 billion 2 to the 24 is in the millions 2 to the 16 is 65,536 and then finally to the 8th is 256 and these kinds of numbers have occurred all over the place the number of colors your monitor displays now the number of bits used in Cryptography well the point here is quite simply this if you use 32 bit keys For an encryption algorithm that means your secret number could be any number from 0 to roughly 4 billion Contrast this with Caesar cipher the number of keys that the Caesar cipher or lot 13 allows is any number from 0 to 25 or 1 to 26 so 26 different keys exist in this world Well, if we used a more complicated cipher that used 32 bit keys now we have four billion keys possible What does this mean? That means if you're using some encryption standard that uses 32 bit keys That someone to crack your code would have to try up to four billion possible keys Same spirit as you would have done here, but you only had to try up to 26 different keys Now if 2 to the 32 is 4 billion Words cannot express really how big a number like this is because 2 to the 1024 is 2 to the 32 times 2 times 2 times 2 times 2 almost a thousand times as really big Which is to say that even with the fastest computers today? You are pretty secure using something like RSA or other algorithms that use keys that use many bits 1024 is increasingly common, but even 128 bit keys are quite common with web browsers today So suffice it to say that when you are inputting your credit card information into a website Assuming per last week's conversation You're connecting not the Bank of the vest but Bank of the West comm and therefore the correct website No one is really going to be deciphering your data between your laptop or desktop and that server with some caveats But for the most part it's not going to be the encryption that breaks This is the same kind of encryption that's used in the world of ATM machines right the ATM network is necessarily quite secure But the encryption being used is pretty similar to what your own PCs are using with Amazon and so forth and so the Mathematics behind this kind of cryptography much more complicated than this obviously, but fundamentally based on mathematics ATMs if they're going to be compromised probably not going to be compromised in terms of their encryption Rather there are many other techniques with which you can compromise someone's ATM account most recently Discussed was and I'll try googling for the photos fake ATM Reader let's see if I can come up with it So this is on a site about urban legends But my understanding is that this is in fact true and not an urban legend since we've seen this Discussed in the DA's office It's a little The pictures here are a little small, but the top picture here you have a question ordinary looking ATM machine and these are actual photos of an instance of some illicit activity if I now scroll down notice that The police or whoever discovered this the bank associates actually found a fake debit card reader Fixed to the actual ATM machine and whoever designed this actually put you know a few dollars into the design because it's clearly Quite nicely matching the original So this is all to say that we can talk about and there are entire courses about Cryptography and the potential weaknesses of it things like web and WPA being broken But as I said before for most people even broken ciphers are probably fine Because the weakness in these systems is likely that you just don't have security turned on on your router in the first place Or your password is taped with a sticky note to your monitor or Someone is simply swiping your debit card number before the encryption even gets involved So even in the world of finance and banking you have the same kinds of Achilles heels that you might have in the world of computing So you really have to consider when it comes to security the big picture the many different venues in which you can come up With data you shouldn't have trashing like we discussed last week is an even easier Mechanism of obtaining private data that really requires no knowledge even of the complex ciphers that are actually encrypting that data elsewhere So with that said actual case apparently what we talked last week to not only about Viruses but also worms and spyware and we did a couple of live demonstrations of students machines Scanning for spyware and taking a look what was on there Well, these are just a couple of photographs of what you might buy off the shelf these days Shrinked wrapped boxes as it were containing antivirus software the means by which antivirus software works Of course is when a new virus is discovered the folks at semantic and AVG and McAfee will create what's called a new signature for that virus They will figure out exactly what pattern of zeros and ones uniquely identifies that new virus and then they will release via The internet the new so-called virus definitions that you can then download or your antivirus software should Automatically download every day or every night so that if your computer then sees that virus the new signature you have installed Will be will allow your software to detect the new virus and protect you from it The danger of course is that you're still vulnerable to viruses that you have not downloaded updates for So those of you who have nor in that came with your computer, but you get that message every time you turn your computer on about it Having expired it's not really doing so much anymore because you may be protected against thousands of viruses from yesterday year But you're not protected against today's or tomorrow's viruses without actually having those updates I put shrink wrapped boxes on the screen But as we discussed last week very little software do need to actually buy these days to get you know Good degree of protection AVG which we mentioned last week free free updates I see no reason not to use that as opposed to paying the 20 or 50 bucks that these things cost for most people today But it does exist Worms even worse there exist in the world worms that infect entire vulnerable populations in as few as 15 minutes When you have worms that travel so quickly that they infect every possible computer within 15 minutes There's no human who at any of these companies has the time or the ability to figure out how to uniquely identify that new worm Update everybody's computer in the world by a new virus definitions or worm definitions and protect you So this is one of the scary things these days that particularly with worms the window of time between which Viruses or worms and are released and the fixes come out is incredibly narrow And it's a scary thing when even if you do keep your computer up-to-date with the latest antivirus and warp software It all it takes is a smarter More skilled worm author to circumvent those defenses and this ultimately is the result of poor design in computers today That it's so easily They're so easily Compromised well this sort of begs the question if we look at for instance McAfee virus Glossary so you can take a look online At for instance the virus glasses. That's the that's not what I want virus information virus hoaxes Virus database Let's see if we can find the list here virus information Virus map. What is a virus? What is a worm? Come on All right, let's instead go to Symantec So cement here we go search for viruses alphabetically so just to help you appreciate what it means for there to be Hundreds or thousands of worms and viruses in existence today if I click on a You will see according to the folks who make Norton all of the viruses that begin with the letter a today if we go to be You will see obviously all of the viruses and worms that begin with the letter be today Many man hours have been spent writing these viruses and worms and many malin hours have been spent Writing protections against them But the short of it is that there are many many threats out there today. So where are they coming from? Young guys who don't know what else to do that statistically is actually writes on the money right these are your Overzealous 18 year olds in other countries or our own country or reclusive guys that Have too much time and I'm sure there have been many females who have written on viruses and worms alike But viruses and worms and spyware all comes from someplace unlike the world of biology where mutations can create Introduced to the world new threats Viruses and worms don't just happen in the world of computers someone took the time and made the effort to actually write That virus or worm and they took the time to figure out how that virus or worm could take advantage of some hole in say Windows or some other program and so these are very targeted attacks these days by folks who are intent on Writing malicious software. It does not just happen by chance every one of these Thousands of viruses and worms listed here has been created by some human being and some of them as you've seen in In the news media over the past few years do cost millions if not more dollars in lost productivity damaged hardware and so forth and though most Viruses and worms are stupid little things that maybe at most crash your computer a virus or worm could Absolutely format your entire hard drive before you realized it or corrupt your data before you had a chance to fix it It could theoretically break your computer by for instance Trying to overclock your CPU if there were some bug in place on someone's motherboard whereby you could change some of the bios settings via windows which is possible on some motherboards theoretically viruses and worms could even make you know the proverbial smoke come out of your computer and actually break hardware all it Takes is someone with the right savvy and the determination to do so and they don't mean to slip back into scare mode because for the most part What folks should be doing today is you should probably be running anti-virus software Even if you practice safe computing by avoiding attachments and so forth Just because there's a little harm in it and it runs so quickly in the background that it's not really an impediment To doing actual work, but you don't need to pay for it was my point last week It's a good question of fewer machines being compromised because people are protecting themselves with anti-virus software I would say that fewer infections from previous Threats are happening because these products only protect you against those products those viruses and worms the world has already Witnessed and thereby crafted defenses for even if you are running the latest version of Norton that AVG or McAfee You're not protected against the threat that comes out tomorrow Our moral viruses and worms being launched be fewer being launched Because more people are running anti-virus or worm software Possibly I don't know the statistics But I don't think the world has seen a notable drop in it such that it's less of a threat if anything it's more of a threat these days because you have on the internet what are typically called script kitties these are perhaps The bigger nuisance on a day-to-day basis on the internet because a script kitty is someone who knows how to Download a virus or worm and release it, but doesn't know how to write it him or herself So what you have available on the internet and a little bit of googling can find you the latest and greatest worms and viruses and Warm generators virus generators other smarter people have written the framework with which you can create viruses and worms Posted that to the internet thereby letting the so-called script kitties people without programming skills download those Wizards if you will and create their own viruses and release them So the bar has been lowered as to who can create such threats But really only the most clever of folks out there the ones with the most spare time are writing the ones that you end up reading about But it's a good question couple final notes on things related here to security Before I pose a question or two of the audience Um Defenses we talked about at the end of lecture last week the notion of cracking. What does it mean to crack software? Same context as wears which we also glance that very quickly No, I guess I should spend more than 10 seconds on topics next time So it's a crack software typically means to remove its copy protection So most software today has you enter like a CD key like a number that's printed on the CD case or the box In which you bought the software or you have to do what's called product activation where you enter some personal information click send it Uploads it to a server then your product is activated well to crack software typically means to just remove those kinds of protections So that Microsoft never knows that you install this product or the company that made the game doesn't know that you made multiple copies of it same folks that I The same folks who are doing things in the world of viruses and worms are probably Reasonably categorized as the folks who are cracking software as well How have companies tried to port this threat? Well, some companies have to try to create copy protection on the CDs themselves We discussed last week though the means by which you compromise certain Sony CDs by taking your 199 black Sharpie marker drawing it around the right ring of the disc no more copy protection So even the industry makes its mistakes a lot of software will ask that you activate Your software again to crack the software means that they get rid of the screen and they let you use the software Without entering such information. It's been a big issue particularly for Microsoft Because there are many companies Microsoft included that releases updates for software And one of the things Microsoft is threatened to do over the years, but is always backed away from it is for instance Stating or announcing that they will not allow Illegal versions of Windows to download the latest updates because if you have to connect to Microsoft in order to download the latest updates That would be the error opportunity to say is this a legitimate copy or have I seen that same serial number from someone else? If so, this must be an illegal copy Microsoft is typically back down from this for one Concerns over privacy the privacy Enthusiasts do not like the idea that you would be providing Microsoft with information only to get the updates back There's also an issue of security whereby and it's sort of a bit of a travesty It's in a sense in the world's best interest if even the illegal versions of Windows Be allowed to be updated because otherwise you have more vulnerable hosts on the internet a lot of the updates that come out of companies Like Microsoft and Apple and so forth are security updates that fix security holes in software Well, if Microsoft were to put its foot down and say the several hundred thousand millions Who knows copies of Windows that are illegal on the market cannot access Windows update and the security updates Well now you've left a very large vulnerable population and that in the aggregate might not be in society's best interest So it's unfortunate there and you can read all day long about Statistics on piracy and how many millions it costs the industry today how rampant it is in particular countries China for instance are just extraordinary statistics as to what percentage in the you know 80 I mean I've heard numbers that are in double digits over 50 percent of certain software products being illegally sold But this is the case too in the world of music in movies Even in the United States here So it's a serious problem from a commercialistic standpoint and most defenses that are in place including product activation and registration Simply are inadequate because you're always one step behind the smartest bad guy All it takes is one guy to figure out how to circumvent these kinds of protections and if he announces that that if he announces that Means by which to circumvent the security That's all it takes so it's sort of a losing battle in the end But one in which Microsoft in the likes that put much money into this one for instance when you install Windows for the first time Microsoft these days has you activate your copy of Windows which means that you do transmit to Microsoft information on your computer Essentially a summary of what CPU you have how much RAM you have what kinds of hardware you have inside of your computer Microsoft makes a note of that Associates it with whatever serial number or registration number you're using and if you try to install Windows on another computer using that same Serial number or registration number Microsoft will check that Computers hardware and if it's not close enough to your original hardware Windows will say sorry You cannot activate this hardbook this version of Windows on this computer because it seems like you're trying to install it multiple times This was a big deal for a while too because you're disclosing some degree of information to Microsoft It's a problem if for instance your motherboard gets fried And you need to install a new motherboard in your own computer Windows will often refuse to install on that computer If you've significantly changed your hardware for precisely this reason The recourse of course that you have is typically to call Microsoft and my understanding is they're pretty good about just via phone reactivating your software because most bad guys would not have the The guts or the boldness to call Microsoft and say hi Can you activate my piece of software for me? So for the most part the mere act of calling Filters out the bad guys and let's little old us who are trying to activate genuine software Through the phone lines, but it's a hurdle that's in place these days Yeah Well, it depends some software will say you can only install this software some number of times before it will no longer work usually the licensing restrictions will say that you Those three times should be on the same computer most licensing agreements say you may not install and use this software on multiple computers at Once but that sort of ticking time bomb is a way of at least discouraging people from even doing that because even yeah If they installed on three computers at least that's it they're cut off thereafter But it depends on the product as to what's allowed and I apologize incidentally It seems our beloved copy place has made this a flip packet whereby it's upside down this week But I turn my attention to problem set six security which is often cited by students is um I wish I could say the most fun problem sets But usually words like hard and challenging come to mind The reason for this is that this is meant to be a thought-oriented problem set There really are no right answers to any of the questions on problem set six take comfort in the fact that this isn't due until the second Week of December, but you'll see as you look this over tonight or in the days to come that each of these are scenario Oriented questions and that they ask that you don the proverbial black hat Which means take on the mentality of a bad guy put on your bad guys cap and see if you can propose Answers to questions that are ultimately geared around circumventing or ensuring one's privacy and Security for instance number three, which is a quick one to read suppose that some hacker wishes to access the internet on her laptop By way of Harvard's network However, she hasn't a Harvard ID and therefore cannot register her ethernet cards Mac address This is why I said earlier Harvard doesn't use web or WPA. They require that to use Harvard's network You tell Harvard what your ethernet address is Thereafter they will let you access the network only if they see that oh this ethernet address that they're seeing on the network Has been previously registered So the scenario continues accordingly She cannot simply plug her computer into the network or wander near an access point and obtain an IP address by a DHCP Since her ethernet card isn't authorized for DHCP lease How might this hacker access the internet on her laptop by way of Harvard's network without having a Harvard ID number? Hopefully the answer won't be immediately obvious and in fact there is no one Right answer but the point of this problem set ultimately is to get you to think like the bad guy for one It's fun to do that sometimes especially when you're encouraged to do so do note Of course that one question that asks about worms. We do a parenthetically note. Do not implement your worm But in thinking also from this more negative perspective It will hopefully give you an appreciation of the many different ways that even your own machine and your own networks can be Compromised because even in Harvard's network and even an MIT's network and probably even in your company's network There are ways to circumvent every protection that is in place if you have enough savvy or cleverness Determination time money whatever your resource happens to be Most security defenses can be circumvented and this is true in the world of information technology and these days This is absolutely true in reality when it comes to airports and so forth a lot of the times It's people's assumptions that keep things secure and it's the obscurity of the protections in place that keep things secure Or in the case of a university It's the fear of getting caught or getting expelled that is far more effective than any Technological solution and so for some of the questions we asked you to consider Don't necessarily think about the most technological solutions But consider and appreciate that even the most obvious if dirty approaches like trashing could very much be a viable Solution to some problem of security So with that said I leave you to tonight's section and I will see you not next week But in two weeks have a good Thanksgiving