DAVID MALAN: This is CS50. Hello, world. This is the CS50 podcast, episode 5, 0 indexed. My name is David Malan, and I'm here with CS50's own Colton Ogden.

COLTON OGDEN: Glad to be here-- interesting thing to start us off-- so, we've talked about robocalls a lot in the recent past, multiple episodes. And I think we touched briefly upon the prospect of finding a solution to this problem. You know, people are getting robocalls all the time, even though, in the last couple of weeks, I have noticed the numbers sort of dropping, at least for me, personally. I still get the occasional call from a presumed spoofed caller.

DAVID MALAN: Yeah, sorry about that.

COLTON OGDEN: But, apparently, the FCC-- Ajit Pai has proposed a ruling that would actually allow phone companies to block these unwanted calls, these spoofed calls, before they even get to potential customers.

DAVID MALAN: Yeah, no, this is a nice initiative. It's perhaps a little belated at this point, certainly. Because, as we've discussed, these robocalls, these automated calls, have really been proliferating, in large part because of the software via which you can do this, and the API access with which you can do this. But I think the fundamental problem, frankly, is that the phone system that we have today really is not all that fundamentally different from what we've had for decades now, which is to say that there's no authentication of these calls in the first place. The systems generally just trust that the number being presented in caller ID is, in fact, the number from which a call came. And that's, of course, not always the case.

COLTON OGDEN: Right, and the-- I guess the proposed sort of authentication system that they're going to roll out is called SHAKEN/STIR, which is very akin to what James Bond says when he orders a martini. But the acronym is a-- basically, the SHAKEN part of it is signature-based handling of asserted information using tokens.
And then the STIR part would be secure telephone identity revisited.

DAVID MALAN: Indeed, it's a wonderful acronym if you allow yourself to use arbitrary letters from some of the words.

COLTON OGDEN: Yeah, and it's a bit of a mouthful. But this is cool, because this suggests that we'll actually get what you just alluded to, a way of actually signing calls and making sure that people who present themselves as xyz are in fact xyz and not, you know, sort of proxying themselves or presenting themselves as some other entity.

DAVID MALAN: Yeah, I mean, much like the web-- thankfully we got that right, presumably because of lessons learned from things like telephony over the years. Of course, the phone system has been around for so long now that it's certainly hard, I imagine, to shoehorn in some of these more technological features without breaking some of the intermediate points or some of the last miles, some of the folks who are on the other end of the line that might not necessarily have access, in their municipality, to the latest hardware. So, I'll be curious to see how this evolves. I mean, to be honest, this might all become moot over time if phones themselves, or phone numbers, are perhaps replaced by more data based services. I mean, right now, we're very much in the phase of commercial services like WhatsApp, and iMessage, and so forth. I mean, but those have started to supplant already things like SMS, so, frankly, maybe the solution is ultimately just going to be too late in coming if the world moves to something else, anyway.

COLTON OGDEN: Yeah, I imagine, when folks were developing the phone system we have in place, they weren't expecting the ability for somebody to arbitrarily code and script, en masse, the sort of behavior that we're experiencing now.

DAVID MALAN: Yeah-- hey, back in the day, it used to be based-- at least pay phones-- on actual sounds, right?
There are so many documented cases, and I think Steve Jobs and Steve Wozniak were among the folks involved in this back in the day, where you could have a little box that would generate the appropriate sounds that mimicked what the sound was if you put a quarter or a dime into a phone. So, you could effectively make free long distance phone calls by spoofing those sounds. So there, too-- there was a sort of an assumption of trust that was quickly broken.

COLTON OGDEN: I think the theme is always that, if there is a system, humans will find a way to abuse and break it.

DAVID MALAN: Indeed, but there are some really real world implications of this. In fact, just the other day did I see an article online about what have been called virtual kidnappings which, frankly, is literally ripped out of a "Law and Order" episode that I'm pretty sure I've seen, which is ironic, because usually it's "Law and Order" ripping things out of the actual headlines. But this, I think, predates this, whereby folks have started to get, terrifyingly, what appear to be actual phone calls from their child's phone number, or relative's phone number, or a co-worker's phone number, and on the other end of the line is some adversary, some human who is pretending to have actually kidnapped the person whose phone they're purporting to be calling from when, in reality, they're just spoofing that number and tricking someone into thinking that they've actually physically hijacked their phone number and kidnapped that person.

COLTON OGDEN: Yeah, presumably, I mean, with this new ruling, hopefully, you know, this sort of horrendous situation doesn't end up becoming common at all, or at least it gets completely remediated.

DAVID MALAN: Yeah.

COLTON OGDEN: Because this is one of the more terrifying examples of how to abuse spoofing.

DAVID MALAN: No, absolutely.
And it's horrifying that it's gotten to this point but, you know, what you might think is kind of a cool hack, the ability to spoof your phone number, really does have some non-trivial implications. And especially, for most folks out there, you know-- myself, before I even thought about this the other day after reading the article-- you might not even realize that this is possible and what the implications, therefore, are of these sort of bugs at best or-- bugs at worst, or missing features at best.

COLTON OGDEN: Yeah, I mean I think if this even happened to me, I think my initial inclination would be to believe it. I mean, certainly it would be terrifying, and you wouldn't want to take any risks and assume that whoever's on the other end of the line is actually bluffing you or telling the truth. Now, speaking of ransoms, unfortunately, I think these have cropped up in other contexts in the news of late and for the past couple of years, in fact.

DAVID MALAN: Yeah, no. I mean, there have been multiple cases, WannaCry being very prominent in 2017, of these sort of worms that infect people's systems and, you know, potentially encrypt the hard drive, or do other things, and request that, in order to have this fixed, the end user end up paying some amount of money, either bitcoin or actual money, to decrypt their hard drive or do whatever needs to be done to unlock their system.

COLTON OGDEN: Yeah, no, and that's the problem with worms, and viruses, and just malware, malicious software in general, is that, if it has the same privileges that you, the user, who accidentally installed it, somehow do-- or worse, it has administrative or root access to the computer-- it can do anything with your system and the data. You know, it almost makes exploits like sending spam automatically, unbeknownst to you, from your computer seem completely delightful in comparison because, now, these most recent forms of ransomware are indeed doing exactly that.
They're actually running algorithms to encrypt the files on your own hard drive and then not telling you, the owner of those files, what the key is, the sort of secret with which they were encrypted. And, so, in this way can the bad guys literally say, hey, pay us some number of dollars or, in practice, some number of bitcoins in order to get access to the key via which you can unlock your data. Who knows if you're even going to get the key. I mean, frankly, an even more compelling ransomware would be to just encrypt the data and throw the key away. Then you don't even have to communicate further with the person once you get that fund.

DAVID MALAN: Yeah, and, in light of this sort of horrible new trend of ransomware that we've observed over the last few years, there are companies that do try and take advantage of this and will say, you know, we will help you decrypt your system. We will use high tech, quote unquote, solutions to reverse this ransomware. But it turns out that some companies, instead of actually having the algorithms and the technology to do this, are paying the actual people responsible for the ransomware directly and then charging you a premium.

COLTON OGDEN: Yeah, no, this is really kind of a tricky thing, and I'm reminded of most any Hollywood movie, where someone is taken hostage. And, at least the US, in these movies, is always-- takes the position officially-- the US does not negotiate with terrorists. Well, that may very well or not very well be the case, because the closer you get to home, and the closer you get to it involving people you know, or files you own, or information you need, do these decisions become a little less obvious. And it's a little harder to take that sort of moral stance, if you will. And, in fact, in one of the articles on ProPublica was this wonderful quote. It is easy to take the position that no one should pay a ransom in a ransomware attack, because such payments encourage future ransomware attacks.
It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It's a classic moral dilemma. And that really does put it into perspective, right? It's one thing to sort of argue-- no, we should not pay this ransom, because it's only going to happen to us or perhaps other people with greater frequency. But, if you really need the data on that hard drive, the financial information, the medical information, anything, the business information, your only recourse might actually be to pay the ransom and then hopefully lock your systems down much more effectively the next time around.

DAVID MALAN: Yeah, it's difficult when you're so-- when you're far removed from the problem, it's easy to say, oh, just don't negotiate. But, when you're actually there, when it's your data, your information, your loved ones, it gets a little bit trickier. It's a little bit greyer.

COLTON OGDEN: And, if you do pay that one time to get your data back, man, you've just presented yourself to the bad guys as being someone they can clearly fleece again. So, it really boils down to-- try to avoid putting yourself in that situation at all, and have all of the defenses you can think of in place in terms of your systems, in terms of your personnel. I mean, frankly, too often are these exploits the result of social engineering, actually tricking people into revealing their passwords by typing it into a website, or tricking them into opening a link, or clicking on some attachment, or the like. And then the whole setup-- your whole system can perhaps be compromised. So, getting ahead of that and instituting better principles, some of which we've discussed on the podcast, password length and so forth-- password managers can be just a step toward avoiding the problem altogether.

DAVID MALAN: Yeah, it's so tricky.
I mean, we have-- like we've talked about before multiple times, the good guys have it the hardest. The bad guys just need to find one way in.

COLTON OGDEN: Yeah, they just need to find one employee who accidentally clicks on that link or discloses that password.

DAVID MALAN: One open window, so to speak-- [SIGH] It's unfortunate. It's unfortunate, because there are vulnerabilities that ship, not only just-- there are vulnerabilities that don't arise just out of the negligence of individuals but the negligence of companies themselves.

COLTON OGDEN: Speaking of--

DAVID MALAN: And, in the news recently, some folks might know already-- WhatsApp actually had a vulnerability that was revealed. There was a company that was releasing spyware. It was actually shipping spyware through calls made through the WhatsApp application, which is an incredibly commonly used application in the United States and abroad.

COLTON OGDEN: Absolutely.