
DAVID MALAN: This is CS50. Hello, world. This is the CS50 podcast, episode 5, 0 indexed. My name is David Malan, and I'm here with CS50's own Colton Ogden.

COLTON OGDEN: Glad to be here-- interesting thing to start us off-- so, we've talked about robocalls a lot in the recent past, multiple episodes. And I think we touched briefly upon the prospect of finding a solution to this problem. You know, people are getting robocalls all the time, even though, in the last couple of weeks, I have noticed the numbers sort of dropping, at least for me, personally. I still get the occasional call from a presumed spoofed caller.

DAVID MALAN: Yeah, sorry about that.

COLTON OGDEN: But, apparently, the FCC-- Ajit Pai has proposed a ruling that would actually allow phone companies to block these unwanted calls, these spoofed calls, before they even get to potential customers.

DAVID MALAN: Yeah, no, this is a nice initiative. It's perhaps a little belated at this point, certainly. Because, as we've discussed, these robocalls, these automated calls, have really been proliferating, in large part because of the software via which you can do this, and the API access with which you can do this. But I think the fundamental problem, frankly, is that the phone system that we have today really is not all that fundamentally different from what we've had for decades now, which is to say that there's no authentication of these calls in the first place. The systems generally just trust that the number being presented in caller ID is, in fact, the number from which a call came. And that's, of course, not always the case.

COLTON OGDEN: Right, and the-- I guess the proposed sort of authentication system that they're going to roll out is called SHAKEN/STIR, which is very akin to what James Bond says when he orders a martini. But the acronym is a-- basically, the SHAKEN part of it is Signature-based Handling of Asserted information using toKENs. And then the STIR part would be Secure Telephone Identity Revisited.

DAVID MALAN: Indeed, it's a wonderful acronym if you allow yourself to use arbitrary letters from some of the words.

COLTON OGDEN: Yeah, and it's a bit of a mouthful. But this is cool, because this suggests that we'll actually get what you just alluded to, a way of actually signing calls and making sure that people who present themselves as XYZ are in fact XYZ and not, you know, sort of proxying themselves or presenting themselves as some other entity.

DAVID MALAN: Yeah, I mean, much like the web-- thankfully we got that right, presumably because of lessons learned from things like telephony over the years. Of course, the phone system has been around for so long now that it's certainly hard, I imagine, to shoehorn in some of these more technological features without breaking some of the intermediate points or some of the last miles, some of the folks who are on the other end of the line that might not necessarily have access, in their municipality, to the latest hardware. So, I'll be curious to see how this evolves. I mean, to be honest, this might all become moot over time if phones themselves, or phone numbers, are perhaps replaced by more data-based services. I mean, right now, we're very much in the phase of commercial services like WhatsApp, and iMessage, and so forth. I mean, but those have started to supplant already things like SMS, so, frankly, maybe the solution is ultimately just going to be too late in coming if the world moves to something else, anyway.

COLTON OGDEN: Yeah, I imagine, when folks were developing the phone system we have in place, they weren't expecting the ability for somebody to arbitrarily code and script, en masse, the sort of behavior that we're experiencing now.

DAVID MALAN: Yeah-- hey, back in the day, it used to be based-- at least pay phones-- on actual sounds, right? There are so many documented cases, and I think Steve Jobs and Steve Wozniak were among the folks involved in this back in the day, where you could have a little box that would generate the appropriate sounds that mimicked what the sound was if you put a quarter or a dime into a phone. So, you could effectively make free long distance phone calls by spoofing those sounds. So there, too-- there was a sort of an assumption of trust that was quickly broken.

COLTON OGDEN: I think the theme is always that, if there is a system, humans will find a way to abuse and break it.

DAVID MALAN: Indeed, but there are some really real-world implications of this. In fact, just the other day did I see an article online about what have been called virtual kidnappings which, frankly, is literally ripped out of a "Law and Order" episode that I'm pretty sure I've seen, which is ironic, because usually it's "Law and Order" ripping things out of the actual headlines. But this, I think, predates this, whereby folks have started to get, terrifyingly, what appear to be actual phone calls from their child's phone number, or relative's phone number, or a co-worker's phone number, and on the other end of the line is some adversary, some human who is pretending to have actually kidnapped the person whose phone they're purporting to be calling from when, in reality, they're just spoofing that number and tricking someone into thinking that they've actually physically hijacked their phone number and kidnapped that person.

COLTON OGDEN: Yeah, presumably, I mean, with this new ruling, hopefully, you know, this sort of horrendous situation doesn't end up becoming common at all, or at least it gets completely remediated.

DAVID MALAN: Yeah.

COLTON OGDEN: Because this is one of the more terrifying examples of how to abuse spoofing.

DAVID MALAN: No, absolutely. And it's horrifying that it's gotten to this point but, you know, what you might think is kind of a cool hack, the ability to spoof your phone number, really does have some non-trivial implications. And especially, for most folks out there, you know-- myself, before I even thought about this the other day after reading the article-- you might not even realize that this is possible and what the implications, therefore, are of these sort of bugs at best or-- bugs at worst, or missing features at best.

COLTON OGDEN: Yeah, I mean I think if this even happened to me, I think my initial inclination would be to believe it. I mean, certainly it would be terrifying, and you wouldn't want to take any risks and assume that whoever's on the other end of the line is actually bluffing you or telling the truth. Now, speaking of ransoms, unfortunately, I think these have cropped up in other contexts in the news of late and for the past couple of years, in fact.

DAVID MALAN: Yeah, no. I mean, there have been multiple cases, WannaCry being very prominent in 2017, of these sort of worms that infect people's systems and, you know, potentially encrypt the hard drive, or do other things, and request that, in order to have this fixed, the end user end up paying some amount of money, either Bitcoin or actual money, to decrypt their hard drive or do whatever needs to be done to unlock their system.

COLTON OGDEN: Yeah, no, and that's the problem with worms, and viruses, and just malware, malicious software in general, is that, if it has the same privileges that you, the user, who accidentally installed it, somehow do-- or worse, it has administrative or root access to the computer-- it can do anything with your system and the data. You know, it almost makes exploits like sending spam automatically, unbeknownst to you, from your computer seem completely delightful in comparison because, now, these most recent forms of ransomware are indeed doing exactly that. They're actually running algorithms to encrypt the files on your own hard drive and then not telling you, the owner of those files, what the key is, the sort of secret with which they were encrypted. And, so, in this way can the bad guys literally say, hey, pay us some number of dollars or, in practice, some number of bitcoins in order to get access to the key via which you can unlock your data. Who knows if you're even going to get the key. I mean, frankly, an even more compelling ransomware would be to just encrypt the data and throw the key away. Then you don't even have to communicate further with the person once you get that fund.

DAVID MALAN: Yeah, and, in light of this sort of horrible new trend of ransomware that we've observed over the last few years, there are companies that do try and take advantage of this and will say, you know, we will help you decrypt your system. We will use high-tech, quote unquote, solutions to reverse this ransomware. But it turns out that some companies, instead of actually having the algorithms and the technology to do this, are paying the actual people responsible for the ransomware directly and then charging you a premium.

COLTON OGDEN: Yeah, no, this is really kind of a tricky thing, and I'm reminded of most any Hollywood movie, where someone is taken hostage. And, at least the US, in these movies, is always-- takes the position officially-- the US does not negotiate with terrorists. Well, that may very well or not very well be the case, because the closer you get to home, and the closer you get to it involving people you know, or files you own, or information you need, do these decisions become a little less obvious. And it's a little harder to take that sort of moral stance, if you will. And, in fact, in one of the articles on ProPublica was this wonderful quote. It is easy to take the position that no one should pay a ransom in a ransomware attack, because such payments encourage future ransomware attacks. It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It's a classic moral dilemma. And that really does put it into perspective, right? It's one thing to sort of argue-- no, we should not pay this ransom, because it's only going to happen to us or perhaps other people with greater frequency. But, if you really need the data on that hard drive, the financial information, the medical information, anything, the business information, your only recourse might actually be to pay the ransom and then hopefully lock your systems down much more effectively the next time around.

DAVID MALAN: Yeah, it's difficult when you're so-- when you're far removed from the problem, it's easy to say, oh, just don't negotiate. But, when you're actually there, when it's your data, your information, your loved ones, it gets a little bit trickier. It's a little bit greyer.

COLTON OGDEN: And, if you do pay that one time to get your data back, man, you've just presented yourself to the bad guys as being someone they can clearly fleece again. So, it really boils down to-- try to avoid putting yourself in that situation at all, and have all of the defenses you can think of in place in terms of your systems, in terms of your personnel. I mean, frankly, too often are these exploits the result of social engineering, actually tricking people into revealing their passwords by typing it into a website, or tricking them into opening a link, or clicking on some attachment, or the like. And then the whole setup-- your whole system can perhaps be compromised. So, getting ahead of that and instituting better principles, some of which we've discussed on the podcast, password length and so forth-- password managers can be just a step toward avoiding the problem altogether.

DAVID MALAN: Yeah, it's so tricky. I mean, we have-- like we've talked about before multiple times, the good guys have it the hardest. The bad guys just need to find one way in.

COLTON OGDEN: Yeah, they just need to find one employee who accidentally clicks on that link or discloses that password.

DAVID MALAN: One open window, so to speak-- [SIGH] It's unfortunate. It's unfortunate, because there are vulnerabilities that ship, not only just-- there are vulnerabilities that don't arise just out of the negligence of individuals but the negligence of companies themselves.

COLTON OGDEN: Speaking of--

DAVID MALAN: And, in the news recently, some folks might know already-- WhatsApp actually had a vulnerability that was revealed. There was a company that was releasing spyware. It was actually shipping spyware through calls made through the WhatsApp application, which is an incredibly commonly used application in the United States and abroad.

COLTON OGDEN: Absolutely.