AWS上でのウェブサーバーのセットアップ - CS50 on Twitch, EP.18 (SETTING UP A WEB SERVER ON AWS - CS50 on Twitch, EP. 18)

字幕表動画を再生する

COLTON OGDEN: All right, everybody.
This is CS50 on Twitch.
My name is Colton Ogden.
I'm joined today by.
NICK WONG: Nick Wong.
Hello, I'm back.
COLTON OGDEN: He's been here several times last.
Time we talked about Linux commands.
NICK WONG: Yes.
COLTON OGDEN: Which was awesome.
NICK WONG: We tried to talk about Linux commands.
COLTON OGDEN: [INAUDIBLE] because if we go to this screen,
we have the screensaver that you showed us how you set up, which is awesome.
The very first stream that you talked with us about was--
what was the first one?
NICK WONG: Machine learning, I think.
Yes.
COLTON OGDEN: Machine learning.
[INAUDIBLE] you did showcase this as well.
NICK WONG: Also showed this off.
I really like this one.
I think it's super cool.
Whoever made C matrix should really--
this and advertisement for your program.
You did a great job.
COLTON OGDEN: What are you going to talk about today on the stream?
NICK WONG: Yeah, so today we're going to talk
about AWS, which is Amazon Web Services, in case you
have not heard of everyone's favorite kind of infrastructural support.
And we're going to build some web servers on it.
That's a very vague term.
All sorts of things are web servers, like mail servers and stuff like that.
But we're going to talk about kind of everyone's
kind of mental conception of it'll deliver a web page to us in some shape
or form.
COLTON OGDEN: So Amazon Web Services is being
kind of our ability to have a server in the cloud as opposed to just somewhere
in a building somewhere, basically.
NICK WONG: I don't have to lug the giant rack server around.
Amazon does that for us.
COLTON OGDEN: Amazon does all the hard work for us.
Let's go ahead and look at all the chat here.
We have quite a bit of people.
So [INAUDIBLE] earlier testing.
So bhavik_knight, [? Iso TV. ?] We have a lot of regulars here.
So bella_kirs. [? Iso-TV ?] was, I believe, followed us last time,
last stream, which was yesterday.
I apologize if it was before that.
Yesterday I think I had seen the follow notification.
He or she is saying, yeah, yesterday was awesome.
They're talking about pizza party where everybody offered to have a pizza party
yesterday if I chose the right spaceship.
They had a debate which spaceship we should choose.
NICK WONG: That's kind of cool.
COLTON OGDEN: [INAUDIBLE] All kinds of fun stuff. [? Asley's ?] in the chat.
Hello, [? Asley. ?] Nuwanda3333.
Jabkochason, who was a new person yesterday.
[? mclopenberg. ?] Robert Springer.
Hello, Robert Springer.
Brian Rodriguez.
Good to see you.
And GregDoesThat.
First timer.
Be gentle, please.
NICK WONG: Wow, all right.
COLTON OGDEN: I think [INAUDIBLE].
NICK WONG: Yeah, it's going to be pretty non-technical.
COLTON OGDEN: Yeah, it's kind of a nice beginning introduction to if you have
a website you want to set up somewhere.
NICK WONG: Yeah, exactly.
COLTON OGDEN: Much easier to do it now than it was probably
20 years ago, right?
NICK WONG: I think it's a lot easier than the days of manual web pages
and web directories kind of just being exposed willy nilly and PHP.
COLTON OGDEN: Oh yeah.
NICK WONG: Although I guess we'll actually probably talk about PHP.
COLTON OGDEN: CS50 used to teach in PHP, and we
convinced David to switch to Python.
NICK WONG: Thank God.
COLTON OGDEN: That was a fine shining moment, I think, for all of us.
NICK WONG: Yeah, I'm very grateful for that switch.
I think what I took CS50, we had switched to Python by then.
Thank God.
COLTON OGDEN: I think it was 2016.
NICK WONG: Yeah, that was the first year.
COLTON OGDEN: First year.
NICK WONG: Dang.
COLTON OGDEN: It was a good year.
[LAUGHS]
NICK WONG: Yeah, no more PHP.
Actually just to be clear, there's nothing inherently wrong with PHP.
I just think it's a lot less elegant and a lot less clean than Python.
COLTON OGDEN: [INAUDIBLE] I just think it's
a lot more terrible than [INAUDIBLE].
NICK WONG: Yeah, I just don't like it.
COLTON OGDEN: [INAUDIBLE] To David's point,
they do have pretty good docs, pretty good documentation.
NICK WONG: If you look at Laravel, it's a beautiful framework written in PHP.
They do a great job.
I just don't use it.
COLTON OGDEN: It's super easy, I think when it first came out,
for people to integrate their HTML with logic,
which was hard to do at that point.
NICK WONG: It was I think impossible up until that point,
because JavaScript wasn't even really a thing.
Dang.
COLTON OGDEN: Got some other people.
So Andre's in the chat.
Hello Andre.
Thank you very much for joining.
Please do the stream like we are a bunch of John Snow's.
NICK WONG: Oh, like we know nothing.
COLTON OGDEN: Oh, got it.
Yeah, yeah, yeah.
NICK WONG: Man, when is that next--
sorry, not to sidetrack.
But we do that constantly.
It's fine.
When's that next season of Game of Thrones coming out?
COLTON OGDEN: Let's find out.
NICK WONG: Is that next year maybe?
COLTON OGDEN: Game of Thrones.
I've seen advertisements for it.
Game of Thrones season eight.
I think it's season eight, right?
Eighth and final season was announced in July 2016, but [INAUDIBLE]..
NICK WONG: Not helpful.
COLTON OGDEN: Premiere April 2019.
NICK WONG: Oh wow.
COLTON OGDEN: So April 2019, tune in for Game of Thrones.
[INAUDIBLE]
NICK WONG: We're getting there.
The end of the school year.
That's perfect.
OK.
Sweet.
And people, I don't know if you guys just have faster Google than we do
or if you're just smarter.
You always manage-- because I know the stream lags a little bit, right?
COLTON OGDEN: [INAUDIBLE]
NICK WONG: So the fact that y'all get that at around the same time as we do
is impressive.
COLTON OGDEN: Maybe they knew already.
They're fast.
Lightning fast.
[INAUDIBLE] can't wait.
NICK WONG: That's awesome.
Yeah, me neither.
Cool.
COLTON OGDEN: All right.
NICK WONG: All right.
So then we're going to get started.
As always, we don't have a whole lot prepped.
We're just going to kind of literally sign in in front of you.
And by that, I'm not going to type everything.
Sorry, this is--
I'll go back.
COLTON OGDEN: Zoom in just a little, because I think it's a little bit tiny.
NICK WONG: Oh, we can--
oh, nice.
Go Amazon for making that responsive design.
So this is aws.amazon.com.
It stands for Amazon Web Services.
COLTON OGDEN: Let me toss that in the chat as well. aws.amazon.com.
NICK WONG: Make sure there's no hidden parts.
Yep.
There you go.
And so we can log in there.
If you're a student, then you actually get a bunch of free credits
and all sorts of perks that I probably don't take full advantage of.
If you're not, then there's all sorts of free tier things associated
with the Amazon accounts.
So you can do all of what we're about to do totally for free.
AWS is really cool in that it basically gives you access
to kind of, as Colton said, just any sort of server resource,
really, that you could possibly desire.
Now, I think there are a bunch of articles,
and we'll talk about this a little bit later, but there are a ton of articles
online about how to mine Bitcoin with Amazon Web Services servers.
And I would argue that they're almost all not worth it.
It's cool as an exercise.
Totally not worth the resources.
You do have to pay above some certain resource usage on Amazon.
COLTON OGDEN: I feel like it would be really expensive.
NICK WONG: It gets pretty expensive, yeah.
And I don't think that anyone has formally studied this,
but I would imagine just kind of by intuition
there is no service on Amazon that is powerful enough
to make you more Bitcoin than you are losing for paying for the service.
So just as an FYI, don't get scammed that.
We're going to be working with EC2 instances.
And they are basically your own personal versions of instances that run servers.
And when I say instance, I basically mean
that there is some server physically located somewhere.
And they actually have different regions.
So I'm in the Oregon region because it's closer to my hometown.
They didn't have the North California region for a while.
So I would have otherwise chosen that.
But they have these physical kind of just data
centers of just racks and racks of servers,
and there's all sorts of resources there.
And what this does is it kind of gives you a high level
interface over those resources.
You can specifically request to have your own hardware.
It is more expensive.
That one is not free tier.
But for the free tier stuff that we're going to be doing today,
you actually kind of just get given a virtual machine within a server.
So any one physical server is probably hosting hundreds of virtual machines
on it.
I think that would be a lot more cost effective
than giving every single person their own server without request.
COLTON OGDEN: You can imagine millions of machines.
NICK WONG: Yeah.
And it would be awful.
Very difficult to maintain.
Although Amazon has-- for a company that makes, what, 230 million--
or sorry, billion.
200 billion, I think, per year.
Apple's the one at 230 billion, which is absurd.
[LAUGHS] Cool.
So we're going to go into--
I have a couple of running instances for just varying things I do on here.
But we can also now see the interface that is what's going on up here.
You'll see the instance type.
So most of these are micros.
The only one that is not is the one that I run for an organization here.
And we just happen to need the extra resources for what's going on there.
Everything else, there's a bunch of resources here.
There's all sorts of cool things that AWS lets you do.
Like these status checks I don't really use a whole lot,
but you can set up all sorts of things for if you
have some sort of integration testing or some sort of the servers up or down
or certain services on a server up or down.
Then that can notify you.
There's these alarms that do very similar things.
They basically implement the notification part of that.
The key name is the key--
whatever-- we'll talk about this in a second,
because you use SSH to access your server once
you have created it, with very few caveats.
And this is the name of the key file that was handed back
to you when you tried to set it up.
There is all sorts monitoring you can do,
and then there's some other data over here.
The thing with AWS that can make it a little bit difficult for people
beginning, and we will definitely talk about this
and just kind of experience it when we go and set stuff up, is AWS sets
things up very modularly and very extensively.
It's actually a really good feature, not a bug.
But it can be very buggy feeling when you are just getting started
and you're like, what's a security group?
What's a user group?
What are these access things?
Why do I need all of this?
And a lot of times, for a lot of simple use cases,
you don't need all of those things.
But for kind of business and enterprise use cases, you really do.
And so what we're going to do is we're going
to just kind of launch a new instance.
And what that means for us is we're going
to ask Amazon to allocate to us some sort of new surveyer resource for us.
We're going to open up a micro instance.
And sorry, because we're doing live, we will have the spinny ball of death
basically a couple of times.
And we're going to spin up some Linux instances.
You'll see that they usually point out if they are free tier eligible.
And that's what we're going to try and stick to, because we don't really
want to spend too much money.
I'm a student.
I don't make a whole lot of money.
So we're basically just trying to keep everything as cheap as possible.
You can even select the type of architecture
over on the right hand side.
It's not super visible in the chat, but I'll move that right there.
It's over on the right hand side.
It's between Colton and myself.
COLTON OGDEN: [INAUDIBLE] might be a little bit [INAUDIBLE]..
NICK WONG: So basically, what you can do here is you can select architecture.
We're going to leave it in 64-bit x86 64.
And I'm going to pick an Ubuntu server.
I happen to really like Ubuntu.
I think it's super versatile and very clean.
It's a really nice version of Linux.
So I'm going to use that.
And we can go ahead and click Select.
And then it brings up a bunch of options.
We don't have to really deal with too many of these.
Our server is not really going to have too much load
unless you guys all hit it at once.
Please don't.
Or go for it, I don't know.
We'll get there when we do.
That might crash it.
But otherwise, I don't really have to deal too much with this.
You can scroll down.
There are quite a few different kinds of server,
and there's all sorts of options and parameters to them.
They'll tell you if they have solid state drives, which
are going to be a little bit--
there's certain reasons you might use a solid state drive
over an actual spinning hard drive.
Hard drive space is a little bit cheaper.
Solid state drive is a lot more expensive to use,
but it has all sorts of benefits as far as robustness and speed
and things like that.
And then you also have the number of they say vCPUs.
Depending on whether or not you ask Amazon
to allocate an actual server, like physical hardware for you,
that might be a real CPU.
It kind of depends on how it's being allocated for you.
COLTON OGDEN: It's like an abstraction.
NICK WONG: Yeah, it's an abstraction away from the actual hardware CPU
so that they're promising what they actually are giving you
rather than something a little bit more.
This is the memory.
So RAM.
Something to keep in mind for people beginning
with some sort of CS experience or career is memory does not mean storage.
It is literally the active memory of your computer.
You can kind of think of what you can keep in your head at any one time.
It's RAM.
So Random Access Memory.
Your actual storage, I don't remember what EBS stands for,
but this basically just means that we're not getting
any sort of fancy caveated storage.
This will probably be some sort of hard disk space that's
shared with a bunch of other people.
COLTON OGDEN: Is it Elastic Beanstalk?
NICK WONG: Yes, there we go.
It's the other service that Amazon has.
But this one is not particularly--
we're not getting anything special.
It will be the minimum storage that they can hand to us.
COLTON OGDEN: David was just talking to me about Elastic Beanstalk yesterday.
And I still don't know too much in detail.
NICK WONG: That's all right.
COLTON OGDEN: Brenda in the chat did say she's never seen Game of Thrones.
Shout out to Brenda for joining us.
NICK WONG: Wow.
And for being brave enough to say you've never seen Game of Thrones.
COLTON OGDEN: I know.
[INAUDIBLE] brave thing to say. iamakostik says, hello, CS50.
Can I host a website on AWS?
NICK WONG: Yes, you can totally host a website on AWS.
In fact, that's what we're going to do.
This is the hosting part of it.
In fact, domain names and hosting are pretty much entirely separate,
although a lot of domain name providers, like GoDaddy or domain.com
actually allow you to purchase hosting on top of the domain name itself.
But you can purchase just a domain name for like $3 depending on the domain.
But you can purchase just the domain and have it do nothing.
I happen to have a bunch of domains that do nothing.
COLTON OGDEN: So that when you do have that killer website.
NICK WONG: Exactly.
Then I can just throw it behind that domain.
And so then hosting is something that you can do on Heroku.
You can do it here.
You could do it on Microsoft Azure.
You can do it on I think Google has hosting services
that would also be really good.
You can do it any way you'd like and then
just kind of throw that hosting service behind the domain name.
COLTON OGDEN: Looks like Robert Springer said, did you
say we can follow along for free?
NICK WONG: Yes.
Yeah, you can totally follow along for free.
All that we're going to do here is going to be entirely free,
open access, open source.
Even the kernel is open source, if you wanted to be really precise about that.
So yeah, just all it requires is that you have an account with AWS,
and that's it.
If you're a student, you can do even more things
that technically wouldn't have been free but are free for you.
COLTON OGDEN: Why do you choose AWS over Azure or Google Cloud?
Is it more cheap or more functional?
Just curious.
NICK WONG: Sure.
So that's actually a really cool question,
because up until a little while ago, that wasn't a question.
People just chose AWS.
There was no other real alternative.
COLTON OGDEN: Didn't they have pure market share for like seven years?
NICK WONG: Yeah, for a very long time.
I think seven years is about right, which is insane.
I mean, that's a monopoly.
And the United States actually has a couple
of interesting court cases against tech companies
where they don't know how to define a monopoly as it
applies to tech companies.
They struggle with it, actually, quite a bit.
There is a famous case in 1995, I believe,
or in '98, one of the two, where the United States went
against Microsoft for being a monopoly because they had packaged
Internet Explorer into Windows.
And that was a really cool court case, because Microsoft lost.
They lost that court case and paid a hefty fine for it.
And then they made a commercial, I believe,
or some sort of advertisement of Bill Gates
dancing and basically not caring that they had lost this court case.
Because I think that was one of the last major ones against a tech company.
So yeah, sorry, it's kind of a tangent, I just think it's really cool.
The reason I choose AWS over Azure or over Cloud
is because I started using it, actually, first.
It was just kind of the only service at the time.
Google Cloud I do use for a couple of things,
particularly if I'm using very Google heavy sources or resources.
So if I'm using a bunch of Google APIs is and I'm using Firebase
and I'm using a bunch of other stuff that's all related to Google,
then I'm going to switch over to Google because it's just a little bit more
convenient.
They have more tutorials that just naturally
are going to integrate with their own services.
AWS does a lot of the same thing where if you are trying to set something up
and you're using AWS's domain names and you're using,
I think they call it route 53.
And so AWS's domain names, you're using Beanstalk, you're using EC2,
you're using S3 buckets, then it's a little bit more convenient for me
to just kind of follow the whole tutorial by using AWS.
And so for this, I'm going to recommend AWS
because I know they have all sorts of free tier stuff that
can be easily scaled, and they're really good for an enterprise solution.
So if you happen to want to go to a--
what do you call it?
Like some sort of commercial solution, then this
is actually a really good service for that.
It scales really well.
It scales at low cost.
But Microsoft Azure is also a great service.
I think it's a little bit less developed than Amazon Web Services.
And then Google Cloud is quite well developed.
They do all sorts of cool things.
I just happen to use AWS for this.
And looking in the chat at the bottom, I just
happened to notice that Bill Gates was pissed off.
I'm sure he was.
But then they responded to it in a very kind of comical way.
I think the response to the loss of that court case was pretty hilarious.
And very, I think, emblematic of how tech companies view the United States
court system at the moment.
Cool.
So Brian Rodriguez says, gotta run.
Have to catch the rest of the stream later.
Love to know your thoughts on when it might be better
to use this over something like Heroku.
And actually, that is a great thought that
will help us lead into the next thing that we're going to do.
So we'll talk about that right after we read through the rest of the comments.
COLTON OGDEN: Staypeaceful89, hello Colton, hey everyone.
Hey, staypeaceful.
Glad you're joining us.
Is this AWS S3 says twitchhelloworld.
NICK WONG: Right.
So AWS has-- that's one of the few things I
think is super annoying about how you try and figure things out.
Their naming system is not the most conventional.
Like Elastic Beanstalk, I don't necessarily inherently intuitively
know what that means.
And I don't necessarily know what EC2 means.
It's the way that we host things.
S3 is the way that you store stuff.
It's a storage bucket system.
We probably won't touch on that today, but if we
do a livestream about Heroku and hosting there,
then we will certainly talk about it.
COLTON OGDEN: Makes sense.
And [INAUDIBLE] posting, please explain step by step
how to host a website on AWS, says iamakostik.
NICK WONG: And that is our video.
So that will happen.
COLTON OGDEN: Frameofref, I believe they then moved the Microsoft campus
to Canada right across the border.
NICK WONG: Yes.
COLTON OGDEN: I think that Bill Gates was pissed off.
NICK WONG: They did a bunch of stuff that was kind of fun.
COLTON OGDEN: AWS requires a credit card if that's an issue, says [INAUDIBLE]..
NICK WONG: Good to know.
COLTON OGDEN: But do they charge the credit card?
NICK WONG: I do not believe so.
They just require it in case you go over your hosting limits, which
is pretty hard to do.
You'd have to be basically mining Bitcoin.
COLTON OGDEN: Which you might have a little bit of experience with.
NICK WONG: Which I might have done that.
COLTON OGDEN: [INAUDIBLE] since you use Google a little bit,
if Google and Microsoft Azure also a free tier or free tier for students?
NICK WONG: Yes.
So they certainly have all sorts of, I would say,
above free tier things for students that are free to students.
Actually, as pointed out in the chat, Google offers $300 in free credit
to students.
I believe Azure offers 150.
Don't quote me on that.
They do offer money for students.
There's basically a whole student developer bundle
and you get all sorts of stuff for free.
And if you're not a student, then they do also have free tier things.
I know you can use Azure for free being not a student.
But I think that their access is a little limited.
They do have a little bit less resources available than AWS does.
Cool.
COLTON OGDEN: That was good.
Think we're all caught up on the chat.
NICK WONG: Awesome.
And so answering the question above as to why
you would use this as opposed to something like Heroku,
let's say that I want to control everything about the server environment
itself.
So I want to configure some sort of parameters.
If you are maybe leading a cybersecurity club
and you need to be really sure about how everything is hosted independently
and I need to actually setup some sort of interface on top of a docker
container spin up and spin down, then I'm
going to want to use AWS as opposed to Heroku.
Because Heroku is not going to let me do that.
Excuse me.
Heroku is really, really good for hosting sorts of websites,
having them integrate with things through APIs
and web hooks and stuff like that, but not
necessarily all that great if you want to control everything
about the environment that is kind of the server itself.
Whereas AWS, you just get handed a server.
Whatever you do with that is up to you.
They have all sorts of policies and things
on not hacking the government through their servers.
But you can do all sorts of cool stuff on your own.
So what we're doing here is we picked an entire server.
We picked a general purpose T2 Micro.
And again, their naming system, it's out there.
But it basically just means that we're going to be able to use it for free.
It doesn't have a whole lot of resources.
It has one CPU.
Well, one virtual CPU and one gigabyte of memory.
And it has they say low to moderate network performance.
I would classify that as actually pretty good network performance.
For most purposes, that's actually really cool.
And then we're going to go ahead and review and launch.
And you'll notice there was a button I kind of ignored which
was configure all sorts of details.
I'm going to not configure any details so that we run into some problems
that people run into all the time so that we can fix them
in front of you guys instead of just pretending that we didn't have them.
Because there are some problems that will
arise by just kind of ignoring security groups and stuff like that.
Now, you get asked to like create a pair.
I'm going to create a new key pair so you can see what this might look like.
We're going to call this AWS Twitch.
Live coding or live typing is just the worst.
Wow, was Twitch Demo.
You gotta love that auto correct.
And I'm going to download that key pair.
And what this basically means and what this is talking about is SSH keys.
Oh, right, so you can actually now see my private key.
Doesn't really matter.
I'm not going to keep this up for too long.
And if you want to go and hit my device, that's fine.
Technically, if you were to sit down and type this all out,
you could actually have access to my server as well.
However, it's not going to outlive the length of the stream,
and I don't know, if any of you wants to really type
that quickly, knock yourselves out.
It's not worth it.
Do it yourself.
COLTON OGDEN: OCR.
NICK WONG: Yeah, actually.
Don't give them ideas.
That would actually probably work.
So yeah, this is my private key, which you should show anyone, by the way.
Don't ever do this.
This is a terrible idea.
COLTON OGDEN: The first thing you showed try not to do.
NICK WONG: Yeah.
So don't do this.
This is bad.
And the reason for that is it gives you access to my AWS instance
if you would like.
So yes, in the chat, they point out no need to type it out.
Use Google Lens.
Great.
I'm really glad that we all have so many suggestions on how to do that.
Yeah, so actually, I guess as a pathway to it, you could take a screenshot,
throw it to Google Lens, it would tell you the patterns, and you could try it.
Yeah, awesome.
So if I see a bunch of you on my machine,
I'm going to try my best to kick you all out.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: It'd be kind of cool.
Actually that's a good challenge.
We'll kind of keep that as a side path for what's going on here.
So what I'm going to do is I have a directory
in my home directory called SSH.
It's a hidden directory.
So it starts with a dot.
And I'm going to just copy--
I think it's under Downloads.
And I called it AWS Twitch Demo.
And I'm going to copy that to here.
I'm going to move that to just dot pem.
You also have to chmod.
COLTON OGDEN: Oh, sorry.
NICK WONG: Oh, sorry.
COLTON OGDEN: I was gonna say kaloiiii, thanks for following.
And Robert Springer followed just as we started.
So thank you very much for following as well.
Sorry, didn't mean to interrupt you.
NICK WONG: No, it's all good.
And so I'm going to do what's called a change modification or chmod.
COLTON OGDEN: They're also saying your terminal is kind of hard to see.
NICK WONG: Oh, right.
No, you are absolutely right on that.
That should be much better.
COLTON OGDEN: Yeah, that is.
Thank you.
NICK WONG: Sweet.
So what I have in here is a bunch of other PMs and stuff
and I will do my very best not to cat any of them.
Oh God.
And then I also have a subdirectory called keys.
And what I'm going to do is I'm going to CH mod this.
600 will work.
I actually prefer 400.
Doesn't really matter.
It's slightly tougher restrictions.
That makes it so that SSH doesn't freak out when I try to use that.
And then what I can do is move that into my keys subdirectory.
Whoops.
And I just like to keep everything really organized.
So then what I can do is I can SSH using that authentication file.
AWS-- or sorry, that's in keys.
Keys slash AWS Twitch.
Wow, do I have multiple keys starting with AWS?
Cool.
And then the default user for an Ubuntu machine is Ubuntu.
And oops, that's the other direction.
Now that I've done that, I can actually launch this instance.
So none of you could have possibly gotten onto the instance,
because it didn't exist yet, which is good.
I am a fan.
And so we will wait while that launches.
The only thing that I had a problem with with the AWS
console, and they've been slowly fixing this as they-- or not slowly,
but they've been fixing it as they go.
Is it is a little slow and it feels a little clunky to use.
So if there's any AWS reps watching this,
I do kind of get annoyed by how kind of weirdly clunky it feels.
Feel a little 2005.
So we're going to go back into EC2.
And it will hopefully be up.
It's getting there.
It's not named, but I'm going to call it AWS Twitch Demo.
I don't know why I did that in all caps, but it sounds cool and aggressive.
So we're going to go with that.
You'll get the spinning blue ball of not death but we'll say patience.
COLTON OGDEN: Relaxation.
NICK WONG: Yeah, relaxation.
I've never been in a position where that's relaxing.
I'm always like, all right, let's go.
I'm running late to a class.
It's never fun.
And I'll reload the page too because I'm not fully trusting in there.
Yeah, see.
I don't always trust the way they do that.
If you're colorblind, these green--
I don't actually know what other colors these turn.
For me they're all green.
But I imagine that they change color.
Is this one different than this one in color?
Stop versus run?
COLTON OGDEN: Are you colorblind?
NICK WONG: I am, yeah.
COLTON OGDEN: Oh wow, OK.
TIL.
So this one right here, that's like an orange color, and that one's green.
NICK WONG: Nice.
Yeah, so another thing for AWS if they want to add that to their development
docket, not that it would matter, but kind of for use cases and things
would be to allow colorblind people to be able to see what's going on there.
So I pulled up the AWS Twitch demos kind of stats
and all sorts of things in specifics here
by clicking it or just selecting it.
And it has this public IP address.
And so I copy that.
And they actually have this cool little widget.
Copy it to clipboard.
That's what I do.
And now I can SSH into that.
I'm going to paste that into my terminal.
Which it did get cut off a little bit, but no worries.
And when I run this, it'll tell me, hey, it has a fingerprint you don't know.
And that says yes, so it's going to add it to our known hosts.
And now I'm logged in, which is great.
Now, none of you guys are logged in.
I appreciate that.
W as a kind of throwback to last week is the who command.
It tests who's on the machine.
It hasn't been up for very long, so that would make sense.
If I [? CD ?] into dot SSH, I am actually able to do sudo su.
So I can take full control over this computer
and I can remove authorized keys.
And you guys would all be like, no, wait.
Because now you can't log back in, which is great.
So the SSH key that you guys all saw is no longer useful.
However, if I get logged out by some sort of network time out
or breaking a pipe or something, I am actually screwed.
I can't log myself back in, which means that I
would have to spin up another instance.
But I'm totally OK with that, because spinning up these instances
or spinning down, taking snapshots, all sorts of things, actually very easy.
And Amazon makes that super convenient.
So yes, just verifying that there's no one else logged in.
That's just me.
So cool.
Now you guys are not able to log in.
Nothing against you.
I'm just, I guess, showing a little bit [INAUDIBLE]..
COLTON OGDEN: You're part of the cyber security club.
You gotta be--
NICK WONG: Should really not get hacked live.
That would really suck.
COLTON OGDEN: Although, I mean, that'd be a great test of skill, though.
NICK WONG: Yes.
COLTON OGDEN: How can you--
NICK WONG: That'd be very fun.
COLTON OGDEN: How effectively can you deter [INAUDIBLE]..
NICK WONG: It is something we do in our club, actually.
And I guess we'll do a kind of play run of this coming
up on one of our streams.
COLTON OGDEN: [? Cali, ?] what it was called?
NICK WONG: Yeah, [? Cali. ?] And we will we will kind of
throw Colton kind of against myself.
But I mean, that's not super great.
It's a little unfair.
I've just seen it before.
Colton's definitely capable of it.
COLTON OGDEN: An infant against a very strong grown man.
I don't know about that.
NICK WONG: It's not super fair, actually.
Cool.
COLTON OGDEN: They were saying Nick can't
see how awesome the screensaver is.
Actually, how much of your screensaver can you see?
Are you just red green colorblind?
NICK WONG: So I'm deuteranopic.
So red, green, blue, purple and a couple other colors in there.
According to my eye doctor, it's like 20% of colors.
I don't really notice it in my daily life.
I still think my screensaver is really cool.
I just imagine you guys think it's even cooler, because you
can see even more colors than I can.
COLTON OGDEN: That's fascinating.
Somebody else also mentioned something up here.
NICK WONG: I think someone said that they are also--
COLTON OGDEN: Yes, somebody did.
Yeah, [? Fatma, ?] by the way, thanks [? Fatma ?] for joining Forsunlight,
same here, Nick.
NICK WONG: Appreciate it.
COLTON OGDEN: And Imran Ahmedh said Colton and Nick, nice combo.
NICK WONG: I agree.
COLTON OGDEN: I have to agree.
I think that's-- oh, can you lock the EC2 instance,
only accept connections from your IP?
NICK WONG: Great question.
Love it.
So stooshbatis asks, can you lock the EC2 instance to only accept connections
from your IP?
Yes.
Actually, that deals with security groups.
So actually, that doesn't really matter now.
You guys can look at that all you'd like.
But yes, it is a really good question, and it's
something that causes a lot of bugs when people
go to set up their first website on an EC2 instance
is they get these security groups.
You can see it here and here.
Launch Wizard 1 is the incredibly creative name
for the first security group.
COLTON OGDEN: stooshbatis, by the way, thank you for following.
NICK WONG: We appreciate that.
And so it has all of these inbound outbound rules.
And if you're not super familiar with kind of ports and IPs
and networking rules in general, then don't worry.
We're going to kind of talk about this as if it was at your house,
except with weird rules that don't exist in real life.
You'll notice that the inbound rule, like if I was in my house,
this basically means the only thing that I allow coming into me
or coming in to talk to me is SSH through TCP or through port 22.
So what this basically does is it says you can only SSH into me.
Any sort of web requests, like a port 80 or a port 443,
is not going to go through.
I'm going to just drop it.
And actually AWS is going to drop it kind of before it even
gets to your computer, before it even gets to that server.
So basically, what I did, which is where I SSHed in on my own,
that was totally valid.
However, any other sort of operation, if I tried to Telnet 80,
not going to work.
And then you notice that there's the source 0000/0,
which means from any sort of range within just anybody.
And just kind of the blank.
I would think of it was as the wild card for IP addresses.
Total valid.
All of them are totally OK.
Now, outbound my guess or my intuition should be that anything out is OK.
And that is true.
That's totally fine.
And actually, a lot of network administrators make the same mistake.
They say that all outbound traffic should be totally valid.
However, if you have a mail server, why should it ever
be requesting port 80 is a good question and it's a question
we ask in cybersecurity all the time.
In fact, a lot of network administrators set up their servers.
They have an internal mail server.
They have an internal data storage server.
And those servers have the outbound rules set to just anything goes.
And the reason that that's kind of dangerous
is let's say that I manage to get a shell that reaches out but does not
really reach back in or do anything.
I don't have to attack directly.
I just kind of get a shell somewhere onto your database server.
If your database server allows connections back out through port 443,
then you might not notice because that looks like normal traffic
otherwise that that database server is actually opened up a shell
and it's paying back outward, reaching out to me.
And I know that a lot of administrators use that sort of configuration.
So this is a really dangerous setup as far as an intuition.
However, in our case, that works perfectly fine.
I'm not downloading anything off of this server, which is good.
So it's something to keep in mind, and it's something that we'll come back to.
You might intuitively say, oh, well, I should edit these inbound rules
so that I can allow for HTTP.
And that would be a great suggestion.
So we're going to kind of add that as a rule.
And now we've allowed--
sorry, the colon colon is the wild card for IPv6, just as an FYI.
That allows HTTP traffic to also ping our server.
Now, our server doesn't have anything set up to deal with that.
So it's going to just kind of go, oops, and drop those.
Or actually, I don't think the default is to drop.
I think the default is you kind of look around and see if anything's listening
and then drop it.
And we're actually going to also add HTTPS,
which is just the secure version.
It uses SSL to encrypt packets.
It should be on.
There we go.
That's another thing where any time you're looking in a list live,
it disappears.
The item you're looking for is gone.
It's not there.
But everyone else can see it.
There's no way that they can't see it.
Actually, it's the only thing they can see.
Yeah, one of the perks of doing things like.
I'm going to leave my outbound rules as is,
but if I wanted to be really strict about it, then I might modify SSH
or I might make it just very specific.
And a good network practice is to only do things as needed,
because it basically helps you restrict what's going on to actual use cases
that you're thinking of.
Otherwise you get these kind of unknown use cases or undefined behavior,
give or take, kind of with an asterisk, that you might not have expected.
And that's usually where things kind of cause problems.
So just kind of the more you know.
And there's all these tags and things.
And you can do all sorts of stuff with these security groups.
So cool.
Now that we've kind of configured our security group,
we know that it's going to be a web server.
So this allows web servers to work totally fine.
We can go back to our Instances tab.
And as that loads, we will see what's going on in our instance.
Now, we have access to our server.
Out of paranoia, I constantly type W, just as an FYI.
And we know that we basically just have a fresh Ubuntu installation.
So and sudo is actually not needed here, because I am root.
Generally I would advise not doing things as root,
but I'll exit out of root in a second.
Just because kind of keeping in mind which permissions you have
and which ones you don't, that's a good kind of safeguard and mental check
to keep.
And people are always like, oh, it's annoying.
But it's a good annoying.
You should kind of sit there and be like, well,
I'm really glad I'm annoyed about this today,
because it prevented you from CH modding an entire, well, the entire machine,
actually.
That would suck.
COLTON OGDEN: That would be rough, yeah.
NICK WONG: Yeah.
I've done that before.
I did that, actually, I did that I think a year and a half ago.
I CH mod I think I did this.
I think with the R?
COLTON OGDEN: Dash R, yeah, right.
NICK WONG: Yeah.
And then I was wondering why nothing worked.
Because a lot of Ubuntu's stuff and a lot of Linux
stuff is actually based on the whole permissions restriction stuff.
So don't do that.
That command will screw things up.
And it was because I had that same thought process.
So then we're also going to install some stuff.
I think UFW is installed by default, but we're going to just make sure.
Gonna also install Git just in case we want to pull it.
And then anything else that I really would like to have on here?
I think that's it for now.
We are going to install some other stuff later.
But that's OK.
So I pulled Git onto our Ubuntu server.
You'll notice that this is fairly fast.
And there's no real evidence for that.
It's kind of an empirical observation.
On Harvard WiFi, I'm about the same speed or a little slower.
So I like this speed.
I think it runs pretty well.
And so then what I'm going to do is exit out of being root.
And we are now back into being Ubuntu user, which is good.
And if you wanted to really verify that, who am I also kind of works.
So then we're going to [? CD ?] into our home directory.
We've got nothing there, which is great.
So we are back into color, you'll notice.
The color prompt is disabled for root.
And if you go into that comment right above in your bashrc script
where it says the focus should not be the terminal's pretty colors,
it should be the commands you're running,
who was written by someone who hated fun,
they actually have a very good point there where root actually
gets rid of all color so that you're kind of in a more serious mindset I
think is the motivation.
So cool.
We are now here.
And we can set up all sorts of kind of very basic servers.
Now, I'm trying to keep in mind that y'all also know the IP of the server,
which means you can all connect to it.
So I'm trying not to accidentally expose any sort of major security flaws,
at least not for very long.
But a kind of very basic check that you can
do to make sure that you're actually online is you can ping something.
Although updating and pulling stuff also--
whoops.
Also guaranteed that we were online.
But just in case, we now know we are connected
to some portion of the internet, which is really cool.
I guess, I don't know, if that makes you really happy, good.
If it doesn't, that's OK.
So we're keeping all of our stuff set up here.
I keep wanting to go, what questions might we have?
I'm in lecture mode at the moment.
What questions might we have about what's going on here?
So that's a very basic setup of just the server that's going on in AWS.
So the next thing that--
oh, that was the thing I needed.
Python.
I knew I was missing something.
We're going to install Python 3.
And that's going to pull Python 3 for us.
We're also going to install Python 3's pip.
I should have run that in the same command.
That's OK.
And what we're going to do is Python 3 has this really cool simple
HTT-- oh, there it is.
Yeah.
Simple HTTP server.
And that is-- love going on Stack Overflow.
Simple HTTP server is something that is really, really convenient for just
checking and doing all sorts of very basic things with Python and for web
servers.
So we're going to just also grab Python 3's pip.
And that's all we really need.
Bhavik_knight in the chat pointed out that we also would like setup tools.
Totally valid.
I believe pip pulls setup tools.
It might not.
It might end up grabbing them as a result of being run the first time,
if you don't have them already.
If not, then totally valid.
You can grab a set of tools as well.
COLTON OGDEN: We do have a few other comments
too if you want to read some of those.
And also thanks to Imran Ahmedh for following us.
Appreciate it.
He says, Colton, a few days ago I sent you a mail about outreach inquiry.
Would you please check that mail up?
Did you send it to outreach@cs50.harvard.edu?
Because I don't get those emails directly.
So if you want to specify that in the chat.
GDE 1984.
Thank you very much for following.
[? PresidentMars, ?] you should create a CS decathlon.
[INAUDIBLE] attack a machine, 50 push ups, et cetera.
NICK WONG: That'd be kind of awesome.
I'd be much more in shape.
Much more buff.
COLTON OGDEN: And then I guess some of the people in the chat [INAUDIBLE]
and [? PresidentMars ?] are sending each other postcards.
[INAUDIBLE]
NICK WONG: That's awesome.
COLTON OGDEN: Twitchhelloworld has a question for you.
Have any thoughts about the news stories today?
I think it's about malware and open source libraries such as node.js
and earlier [? pie.pie. ?] Haven't used open source libraries.
Though of using those in the streams.
How does one protect against this?
NICK WONG: Right.
So there is a really--
I was listening to a cyber security guy from Rapid7
give a speech at a cyber defense competition
that I went to a couple of years--
or two years ago.
A year ago.
Something like that.
And he had a really good example of why you should be really scared
of using open source software, which was directly related to your question.
Basically being that people, let's take node.js for example.
Pretty large system.
It's at least a couple hundred megabytes, I think, give or take.
It's on the order of megabytes.
And there's a lot of data in there.
There's a lot of people who have contributed to it.
And it's we'd say logistically impossible to manually check
every single thing.
And even if you could, let's say it's not logistically impossible, that you
could actually check every single line of code that
comes into that repository.
It's very difficult for you as a single person
or even as a group of people to predict all possible behaviors of that code.
In fact, it's uncomputable.
You cannot compute the behavior of code.
Now, that is given with the kind of generalist principle.
In general, that's not true.
Sorry, that is true.
That is mathematically true.
But if I do a certain piece of code, you could
argue that it will do some things with reasonable highly probability.
I could argue that typing out LS is going
to do something that I can predict with almost 100% certainty.
However, given something like node.js, you
couldn't necessarily look through its entire repository
and know every single line of codes or every single functions
is probably an easier way to look at this behavior and all
the possible behaviors.
So what ends up happening there is you don't necessarily
have any one surefire protection against someone including malicious code.
Upon running this certain combination of commands, open up a shell to the world.
That'd be really bad.
Let's say that you are some major news network
and you host something through node.js and you
happen to run that combination of commands
just by virtue of running many, many commands all at once.
And you've now opened up a web shell to the world,
and the web shell is such that it's persistent
and it continues coming back even if you've never
typed those commands again.
Well, that's a huge problem, because then your attacker only
has to wait until you run them.
And then you run them, sees the web shell's open, and connects to you
and then takes over, steals information.
If they're smart, then they hide themselves really, really well
and they never get detected and they're constantly siphoning information.
And maybe the Wall Street Journal or something.
So that would be really, really, awful.
And there's not necessarily a surefire protection against that, actually.
There are a lot of really good iterative coding practices that can help.
There is a difference between dealing with bugs versus dealing
with malicious inclusions.
And that is another kind of subtle problem
is how do you detect which one's which?
Let's say I submit a update to your code repository,
a pull request, if you will, and you include it in your code repository
and say, yep, looks good.
And then you discover a couple of days later that it opens you up
to a certain security vulnerability.
Was that intentional or did I just happen to overlook it and you did too?
I mean, that's kind of the argument would basically be, well,
you reviewed my code, and you thought it was good too.
So we're at equal blame here.
And I think that a lot of people will generally
give you the benefit of the doubt.
Now, if your user name is hackerman2017, I
might not give you the benefit of the doubt.
But it is something to really--
COLTON OGDEN: [INAUDIBLE]
NICK WONG: I've totally never used that, I swear.
There's all sorts of ways to talk about this and deal with it.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Right.
[INAUDIBLE] Personal experience [INAUDIBLE]..
And so it is a great question, and there's not a super satisfying answer
to it.
It's actually one of the reasons that cybersecurity professionals
are so needed.
There's not a whole lot that I can really tell you unlike,
you're safe, don't worry.
Use open source software.
That is one of the problems.
That is one of the concerns.
Now, a lot of very, very smart people are working on open source software
and are monitoring it and trying to prevent this.
And you have the kind of the thought is there are way more good people
than there are malicious people on the development teams
and uses of open source software.
So if I'm someone who's using the Linux kernel, for example, which
is open source, then there are enough of us
that want it to work well and secure that if we discover someone is not
doing that, we will try to fix it.
We kind of as a community, we will try and help.
Excuse me.
So there are some kind of protections, and good coding practices definitely
help.
Simpler code is generally harder to create
this sort of unexpected behavior.
If you can pinpoint out all of its possible use cases,
technically you could secure that.
But something that I heard from that cyber security professional
was nothing is really secure unless you have built it yourself
and thoroughly checked every possible use case.
And that would make for a pretty boring computer.
Your computer probably would be able to do much.
So we don't actually have a computer or machine--
the government might, but I would doubt it--
that's something that is purely built, I guess, in a way.
COLTON OGDEN: Yeah, because even the compiler,
you can trust the compiler [INAUDIBLE].
NICK WONG: Compiler can do all sorts of nasty things.
You could build a compiler that just appends a shell to the end every--
I always rely on like the shell, because it's
one of my favorite very simple attacks.
But could just append something that tags every piece of code.
Every piece of code that comes out of a compiler,
actually they do have compiler signatures.
So that's literally what it does.
If that was malicious, then that would be awful.
So yeah, there's all sorts of nasty things you can do.
Even the kernel could be malicious.
So kernel, compiler, these are all low level things,
and most people wouldn't be able to really detect that.
I wouldn't be able to detect that.
COLTON OGDEN: Mosman820, thank you very much for following.
Imran says included in the CC, [INAUDIBLE]..
All right, I'll take a look at that, Imran.
I don't recall offhand, but I'll definitely check that out.
Ignorance isn't a defense in the court of law.
LOL, GDE1984.
NICK WONG: That is a great point.
And I think it's something that a lot of the older--
sorry, not too kind of tangentially go on this, but I do love cyber security,
and we are talking about building web servers.
Ignorance not being a defense in a court of law,
at least not in America, that is a really good point.
And it's something-- it's a kind of assumption
that a lot of our current lawmakers and a lot of our current politicians
rely on, actually.
The problem is that if you're losing billions of dollars,
doesn't really matter if they're playing ignorance or not.
You're losing billions of dollars.
And so a lot of people and a lot of hackers
are aware of that fact, which is much--
it takes a lot of precedence over the whether or not
I can defend myself six months from now in a court of law.
If I have taken down your company, well, OK.
There's nothing you can do to me that is so bad that I will not
get the satisfaction of tearing down something awful.
And so I think those kinds of people very clearly do not understand
just kind of the sake of society.
I would count myself as a white hat hacker
who is trying to educate people on why we should be
very aware of these sorts of problems.
But it is a good point that the bad guys, in this case,
have a really good winning strategy or they have a really good
not losing strategy.
And American lawmakers have a really robust, very decent winning strategy.
But they're not playing not to lose, whereas hackers are.
So you have a very different--
I think their goals don't align, and you see that in of these weird corner
cases where you see a hospital get ransomwared
and then they pay the ransom.
What are you going to do?
You can't let patients die.
So it gets really interesting.
I think this is a very interesting field.
We'll talk about it a lot more in our cyber security discussion.
COLTON OGDEN: Yeah, the [INAUDIBLE] cyber security streams.
Is it safe if it isn't absolutely necessary
and just involves more work on my end to just not include open source software?
NICK WONG: So when you say safe, yes.
If you fully trust everyone who is building
all of the software and the software.
I mean, to a degree, there's only so much
that you can be logistically paranoid.
I use this computer and I don't know anyone who built it, really,
and there's all sorts of things that can be done against me through it.
If Apple were a malicious, evil corporation, they might be, who knows,
they could steal all of my information.
They would own all my bank accounts.
There's not much I could do.
And so to a degree, you do have to surrender yourself
to that, unless you are willing and capable of building something entirely
yourself.
However, even that is only half the battle.
Let's say I go and I write my own kernel, I write my own compiler,
I build everything, I build it all in machine code.
So it's as low level as it gets.
I don't have to rely on anyone else's coding.
I could even write my code in computer language
and then build everything on that.
That in no way guarantees that it's all safe.
I might not have kind of built something using the institutional knowledge
that the developers of Python had.
They might be aware of some very niche, very minor bug
that occurs only every once in a while and never
really has to be dealt with except in very particular cases.
And those people can hack my computer now.
I'm not safe.
So there's this sort of problem with even if you built it all yourself,
you are not necessarily any safer.
So I guess no, there's not necessarily any way to be perfectly safe.
But generally speaking, you can kind of bank
on a lot of these forces working really well together.
COLTON OGDEN: Makes sense.
I mean, even Apple sometimes has bugs that come out with their terminal app
after it's been out for years and for a long time, right?
Had to step away for a moment, so apologies if you already answered this,
but what's the difference between using EC2 and AWS Lightsail [INAUDIBLE]
websites, says GregDoesThat.
NICK WONG: That is a great question.
I don't know enough about Lightsail to tell you definitively.
My guesstimate would be that one of them gives you full control and one of them
is more similar to general hosting providers.
And since I know what EC2 does, my guess is
that Lightsail is more similar to usual hosting providers.
However, I'm not entirely sure on that, and you'll want to double check that.
COLTON OGDEN: [INAUDIBLE] like GoDaddy or whatever.
stooshbatis, this is why I write all my compilers from scratch and machine
code for all my applications.
You get good at it after doing it a bunch.
NICK WONG: Yeah, I'd imagine you're probably pretty solid on that.
Have you ever thought about teaching a course?
COLTON OGDEN: Yeah, that would be pretty good.
Are you going to start something like [INAUDIBLE] society
or any anti of that?
[INAUDIBLE]
NICK WONG: Not that I know of at the time.
I feel like no comment is the way that a president would respond on that.
Just I cannot say.
Not that I know of.
All right, so after telling you that nothing is safe,
nothing will ever work, and you should trust no one,
we're going to go ahead and trust this device and these things.
I'm going to implicitly trust you guys and not just DDOS everything.
And we're going to build a simple web server.
So we have Python 3.
Oh my God.
M I believe is for Module.
HTTP dot server?
COLTON OGDEN: That was easy.
NICK WONG: I'm really glad when I get the syntax right.
I'm out.
That's the end of that.
Cool.
I was just shocked that that worked, because I don't usually
get syntax right on the first go.
Although I guess I had it open a little while ago, so I was intuiting.
So we're going to copy that in, and we're
going to go ahead and just go and see what happens.
Now, I mean, if you're familiar with what goes on in the web
and if you're familiar with what this should do,
you should kind of intuit what's happening here
and what will happen here.
I apologize for the web traffic there.
There we go.
Nothing.
And you're kind of like, well, that's strange.
And then you look back at here and you're like, oh, port 8000.
And you're like, oh, of course.
Now, if you're really kind of hopping along,
you'll be like, this won't work either, Nick.
You're an idiot.
And I'll be like, yes, you're so right.
Except this is the bug that people run into constantly.
And if you look on an online forum, they're like, my AWS does not connect.
I don't understand.
And that's a really--
I mean, I mocked the question, but it's a very reasonable question given
that we've talked for a little while, you
might have been reading a tutorial for a little while.
You might have forgotten that in your security group,
you actually only allowed certain IPs in.
And you'll notice 8000 is not amongst them.
So when I try to go to 8000, that didn't work.
Now, if that sounds contrived, then you are a god who's
never encountered that sort of bug.
[LAUGHS] I have encountered it frequently.
And this is being someone who's aware of that bug.
Now, we have the kind of we'll say required wait
time as we cruise along through.
We'll have to give that a second.
We'll fill that with funny banter.
There we go.
There's only so many ways that you can be--
no, there's, I think, many, many ways that you can be humorous on the web.
Let's see.
We're going to add just our own custom TCP rule.
COLTON OGDEN: Would you say it's not computable,
the number of ways that you can be humorous on the web?
NICK WONG: I love it.
Yes.
Our professors here would, I think, either cringe or think
that was hilarious.
Or maybe both.
Who knows?
All right, so we now allowed it.
And AWS does a really good job of making that instant.
Now, you might then go, wait a second.
This is terrible.
And I would thoroughly agree with you.
In fact, you all can go here right now and check this.
COLTON OGDEN: [INAUDIBLE] successful.
NICK WONG: Right, so that just tells you--
oh, [INAUDIBLE] my default. Love that.
If they're a file, it'll download them by default. If they're a directory,
you can actually navigate through them.
So the Python simple server just kind of serves your current directory.
COLTON OGDEN: So you're serving your SSH directory right now?
NICK WONG: So if I had on this server, if I had a bunch of SSH keys
and I had my own private keys that were linked to other things,
this would have immediately invalidated the security of all of those instantly.
Thank you for copying that IP into the chat
so that everyone can insta click on it.
Really appreciate that.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: And if you're really kind of thinking about this, I don't know.
And so we're going to test this in a second.
But this is technically a web server.
We have technically fulfilled all of the chat.
We have built a web server.
It works, I can get to it, and it even displays the worst possible things
for me to be displaying to you.
So technically speaking, we have accomplished
what we said in the Twitch stream.
Now, we're going to move on and do other things.
But something that might be kind of interesting
would be if the relative pathing works.
I believe Python simple server doesn't let you do that,
unless you have a specific file in mind, which they might do.
Yeah, it doesn't [? map. ?] So it doesn't just
take you to that directory.
This is considered the root directory of the web server.
And it is something that you want to keep
in mind for web servers is they have their own kind of root directory
structure.
And so if you're, I guess, clever, if you're just
doing kind of basic good practices, that root structure should be pretty far
away from your actual server.
And it should only be owned by people like www dash data.
And if none of that made sense, don't worry,
we're going to talk about it in a second.
But basically, you don't want a general web server, which is a process,
runs on your computer like any other, or on the server like any other.
You do not want that process to be able to access anything else.
Only that small sliver of your server should be accessible to that thing.
Alternatively, so that is kind of the old mindset.
I guess I should have clarified that.
That is the mindset of, I guess, the 2000s
and before is that you should just kind of carve out this chunk,
and that's for the web server.
And anything that accesses the web server
should only be able to touch there.
So thus the danger of a web shell.
A PHP web shell is horrifyingly dangerous,
because it doesn't necessarily only access that chunk.
However, there are other paradigms that exist now.
So one of them is kind of the container paradigm
or the docker styled paradigm, which basically
says you should have your own separate kind of containerized service
that is the web server.
So then even if they took control over the whole thing,
you just shut it down, spin up a new one.
Problem solved I actually really like that one.
I think it's super clean.
It's really easy to use.
The other one is you should have a web server that has a dedicated web server.
Excuse me.
And what that means, and you might be like, well yeah, duh.
And it sounds intuitive.
It's actually a little less intuitive than it seems in
that that web server should have almost nothing else on it.
No data, no images, barely even its own code.
And it might not even really have its own code.
There are some people who are really modular about this where the code lives
somewhere else and the server just looks at the code
and then kind of pulls it into memory and runs it from there.
And so for some web servers, that's actually a really good paradigm.
And so this paradigm means that you have one device,
and all it does is web server stuff.
It's always funny when something happens.
Did someone hack into Nick's computer?
I was going to say no, but very possible.
I don't know.
Possibly.
If they did, they wouldn't see much.
If they want my homework, they can do it.
COLTON OGDEN: This happened yesterday.
I might have to look at the script to figure out--
NICK WONG: Oh, it could be [INAUDIBLE].
COLTON OGDEN: It's a Facebook thing.
NICK WONG: [? Killing ?] every once in a while.
COLTON OGDEN: I'm gonna see what's up with the live event.
I don't think the live event ended.
NICK WONG: Hopefully not.
COLTON OGDEN: No, the live event's still going, so it wasn't that.
But it was a Facebook bug it showed in the shell.
NICK WONG: Interesting.
Mortal Engines ad.
Love it.
All right, cool, so we are back.
COLTON OGDEN: [INAUDIBLE] says frozen.
Hopefully we're not frozen.
I don't think we are.
NICK WONG: Yeah, I think on the livestream that you pulled up,
we were not frozen.
COLTON OGDEN: Yeah, that might have been playing video back from before.
Let's just make sure.
It's going to play.
There you go.
OK, we're still going.
NICK WONG: Cool.
All right.
Sweet.
So yeah, you guys may have gotten some advertisements.
You're welcome.
[LAUGHS] We planned that.
What I was told as a kid is if you fall on your face, just be like,
I was just checking.
You're all good now.
Gravity is still good.
You're welcome.
COLTON OGDEN: There you go.
NICK WONG: My apologies.
Yeah, so yeah, we're all back hopefully.
A little bit ironic that we're talking about web servers and one of ours
crashed, kind of.
But yeah.
So what we were talking about was different ways
of kind of setting up a web server.
And the way that we're dealing with is kind of the old style.
We're going to carve out a chunk and have it do that.
It is a little bit of the new style in that it's
going to be-- it's only going to host a web server.
But it's not technically the new style in that we didn't really
provision it that way.
So just as an FYI.
Cool.
We are technically serving web servers.
I think I can see all of your guys' requests, which is kind of cool.
That's way more than the four requests that I put there.
So yeah, your web server will put up requests.
I can do Control C and kill that.
Cool.
And so our web server no longer works.
If you try to go back to it, doesn't connect.
Which is good.
That's the idea.
Now, a lot of times this happens in network administration.
You forget that you were serving on a particular port.
And you actually need to go back and do stuff
and then you change the port and things like that.
It is also really important to in EC2's security group console, edit that rule
and either remove it or disable it, whatever
you'd like to do, just so that you don't leave extra ports open
when you don't think they're opened.
I realize that it looked like I was making a hand gesture,
and then my hand just went whoop.
That's just where this ends.
Cool.
So now 8000 is no longer an accessible port to our stream.
Cool.
So now this one by default will work eventually.
What we're going to do is we're going to install some other stuff to go on.
If I tried to run this Python script and that
was the only way I did web services, you would hate me as a website.
It would suck.
Just having five people on it would kill it.
Now, this server is not super powerful anyway.
So even when I put kind of production level things onto it,
it's not going to service all of us very well.
But that's OK.
In concept, it is the right idea.
So with Python, actually Waitress is a really common server that is used.
But in Ubuntu, when you have full control over everything,
then we can design our own little thing going on here.
And so what we're going to build is called a LAMP stack.
We already have the L part of it.
That's Linux.
The A is Apache.
So we're going to do sudo apt get.
Oops.
Install.
I add the dash y, because I know I want to include it, and that's fine.
I don't really care about the size.
Apache 2.
So that is the actual web server itself.
Now, it's weird because we're going to talk about this device as a web server
and other things as a web server, and there's not much I can do about that.
We're also going to grab I believe PHP 7.
I don't remember if they include the dot 0, but it'll give me an error,
and I'll fix it.
So I'll put that at the end actually.
And that's the P. And then M is the MySQL.
And I always forget the flags that are required for this.
It's one combination of those.
Possibly.
COLTON OGDEN: Move this chat over here so they can see what you typed.
NICK WONG: Oh, sorry.
There we go.
I have been reminded of what--
COLTON OGDEN: And it's a little bit of something like that, right?
So MySQL Server.
Just MySQL Server.
Oh, MySQL Dev as well up above.
NICK WONG: I tried to grab dev.
Dev apparently doesn't exist.
I know it's like seven point something.
There we go.
I'll pull that command back up after it runs.
I was like, you build enough things that eventually
all of their weird little numbers kind of combine together.
On some things, I want the dash dev version.
On some things I want 7.2, point three.
Some things I just want 7.1.
Eventually it all blends together.
That's what Google is for.
But the intuition is the right idea.
So I know that I want Apache.
I know that I want MySQL.
I know that I want PHP.
And those are going to be the three kind of essential back end parts to what's
going on in our web server.
COLTON OGDEN: [INAUDIBLE] smaller.
I'll shrink it down a little bit.
NICK WONG: It's funny, because that chat window being in the screen
doesn't really help you guys necessarily.
You guys are like, it's redundant.
But for people watching later, it's super helpful.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Because otherwise we're just talking to voices.
We could have just made up people and then we're talking to them.
COLTON OGDEN: We'd be pretty talented at it at this point.
NICK WONG: We're very good at it.
COLTON OGDEN: All the ones that are complimenting us too.
NICK WONG: It's a weird arrogance.
We keep making up people.
Thank you for joining.
COLTON OGDEN: Nick is such a talented hacker.
Talented white hat hacker.
NICK WONG: Yeah.
We would belong in an insane asylum.
I'm fairly certain.
So yeah, the command I ran was up here.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Yeah, you don't want that going on down in history.
You become a politician, they'll bring it up.
Just to kind of point it out, iamakostik says, but you hate PHP.
And you're right, I still hate it, but we're going to use it.
[LAUGHS] Because we're going to build a WordPress website.
COLTON OGDEN: You love it or hate it.
NICK WONG: Yeah, I think people either just adore it and that's all they do
or they abhor it and they've never used it.
I'm kind of in the weird state where I don't like it, but I have used it many,
many times.
I don't know.
I can't really get away from it.
So that's OK.
bhavik_knight also asks, why do you use apt get?
I think if you don't use dash get, it still works.
You are correct.
There are a couple instances where that is not true.
You can use apt without the dash get with an install
to install just normal binaries on your actual device.
So if you're on a graphic version of Ubuntu,
then if you pull the Google Chrome binary,
then you can install it using the apt with no get and the install.
But apt yet is not going to work for that.
And the reason for that is basically the get
means that you're reaching out to some sort of repository
somewhere or mirrors, actually, and you're pulling stuff from them.
That's what it's supposed to mean.
There is a little bit of blending between those two in that apt
will also do it if it can't find it locally.
So just kind of things to know.
You can configure that all over the place if you like.
But that's the kind of standard idea of it.
COLTON OGDEN: [INAUDIBLE] what if I don't know PHP well?
NICK WONG: Well, good for you.
We don't have to build anything in PHP.
We're just going to include it because other stuff that we're
going to use later relies on it.
COLTON OGDEN: And what is it that you like about WordPress
to choose to build a WordPress website over options out of curiosity,
says twitchhelloworld.
NICK WONG: Twitchhelloworld, that's a great question.
I actually don't really like WordPress either.
So I say that I don't like these things and you guys are like, well,
then why are we building them?
And that's a great question.
Very good intuition on it.
I do actually like them as teaching tools.
They do a really good job of showing you what
exactly is going on behind the scenes.
And they're just extremely well established.
So people have used them for almost decades in some cases,
and at least a decade in this case.
And so you have a bunch of support and community
and things for what we're trying to build.
The other reason is a little bit more comical and a little less
of a really good reason in that I don't have a whole lot of time.
And I forget how much time it takes to walk through any one of these things.
And I mean, I'm not particularly pressed for time.
I'm not concerned like, oh man, I got to get through these things.
So I basically set a series of five or so goals for any one livestream,
and we usually get through around two to three.
And the goal for that basically being is first goal,
can we get a WordPress-- or a AWS server up?
We got that one.
COLTON OGDEN: Goal established.
NICK WONG: Goal complete.
Second goal, can I show that a simple Python script, a one liner,
can actually run a web server that is really dangerous?
Got that one.
COLTON OGDEN: [INAUDIBLE].
NICK WONG: Yeah.
I don't think the really dangerous was originally part of the goal,
but I'm just reemphasizing that's dangerous.
Don't do it.
And so we've done that.
The third goal is to build a WordPress website.
Now, if we get all the way through that and my yammering doesn't--
I guess Colton and I's bantering doesn't carry us over kind of our time limit,
then we will actually get to the fourth goal, which
would be to build a Django website and put that on here.
Because I think basically what we're going for
is kind of simplicity in learning to something
that works and is used in production.
It's a commercially built thing.
All the way over to something that is commercial and super heavily
customizable and really kind of new agey.
It feels very young and hip to use it.
And then if we get all the way to the fifth one, the fifth goal
basically being can we build and customize
a fully functional version of a CS50 [? piece ?] finance and put it online?
And that would just be kind of a cool last goal.
It builds off of Django really well in kind of you downgrade to Flask
and that's what we do.
So nothing against the Flask developers.
You guys did a great job.
It's just, I like Django is kind of wrapping it all in one.
So there we go.
We have now covered the goals that are set out in a Twitch livestream,
and we're going to see how far we can get.
COLTON OGDEN: And also WordPress is fairly--
you can get [INAUDIBLE].
NICK WONG: It does all sorts of things.
COLTON OGDEN: WordPress website.
NICK WONG: Yeah, there's all sorts of jobs for WordPress people
like developing stuff ranging from filling it
with content to customizing the whole thing to maintaining it to securing it.
There's all sorts of reasons that you might want to do stuff with WordPress.
WordPress is used by a bunch of enterprise level people too.
Now I'm going to Google this, because I don't want to be incorrect.
Major WordPress users.
I believe Fox News is built on WordPress.
COLTON OGDEN: And also [INAUDIBLE],, Jesus Christ, that haircut [INAUDIBLE]
little bit.
NICK WONG: My haircut?
COLTON OGDEN: No, my hair.
Jimmy Neutron.
He's calling me Jimmy Neutron.
It is a little bit messed up today.
There's a little funkiness going on on the side here.
NICK WONG: I like the sharpness to it.
It's very clean.
COLTON OGDEN: [INAUDIBLE] It's a little bit screwed up,
but I did my best to make it work today.
NICK WONG: That's awesome.
Yeah, no, I am a big fan of this clean cut haircut.
I'm actually going to get a haircut soon to kind of match a little bit.
COLTON OGDEN: You did yours similar to that recently.
NICK WONG: Yeah, where I had this down.
COLTON OGDEN: [INAUDIBLE] and the shaved sides.
Yours comes down a little bit, as opposed to mine.
It's kind of more vertical.
NICK WONG: Do you use product?
Not at all related to [INAUDIBLE].
That's OK.
COLTON OGDEN: [INAUDIBLE] We talked about [INAUDIBLE] hairspray
and big sexy hair volumizers.
All this stuff.
[INAUDIBLE]
NICK WONG: Welcome to our stream.
COLTON OGDEN: Fashion tips from CS.
NICK WONG: Colton and Nick.
Yeah.
Oh man.
Yeah, and we do cover CS from time to time.
We do get there eventually.
Yeah, so I don't know why I clicked the link.
That was going to be much slower.
Yeah, there is a bunch of actually major organizations.
If you haven't heard of any of these--
OK, I don't know why the official Star Wars blog is a major organization.
But Bloomberg's on there.
BBC America, The New Yorker, things like that.
TechCrunch is a great one.
So they all use WordPress.
And if you ever go look at their websites,
you might have your own opinion on them, but they are definitely well built,
and they're definitely major companies.
So WordPress is a totally valid thing to build and get good at.
At least it will be for the next, I'd say, two to five years.
And it teaches a bunch of practices that you'll use later anyway.
Cool.
So we've installed all of our stuff plus or minus.
I say plus or minus, because have we really?
But we have technically installed stuff.
And so taking that statement out of context,
I would criticize a student for being so vague.
So if I run status all on my services and if you are a fan of using unit d,
stop.
But also if you're a fan of using system CTL, things like that, totally fine.
I just use service as my favorite command of choice
to check on what's going on.
And so we have Apache 2 running now, which is great.
It means that things are going.
I just looked up.
It's funny, because we look up to make sure
that things are on the screen where we intend them to be.
But every once in a while, I kind of skim the chat.
And I saw that--
is that Salty Eric?
COLTON OGDEN: [INAUDIBLE] Wait, this stream was about tech?
NICK WONG: Yeah.
Yes.
I hope that didn't shock you too much.
Cool.
And we get Apache 2's Ubuntu default page, which is great.
And I say great because if we didn't get that, we messed up.
It didn't work.
And I would be like, well, debugging live.
COLTON OGDEN: Time to debug live.
NICK WONG: Never my favorite.
COLTON OGDEN: Always my favorite time.
NICK WONG: Oh man.
So they give you a little bit about the directory structure
and a bunch of other stuff.
And you're like, cool.
If you read through all of that, and I'm sure you're all pinging that now,
there's like stuff there that's really cool.
But I happen to know var www HTML is where Ubuntu stores
web stuff by default. And so what we can do here is we can [? LL ?] that,
and we have index.html.
If we cat index.html, unsurprisingly, you're
going to get roughly the page that you just saw.
So that's all really cool, handy dandy, blah, blah, blah.
But we're also going to copy over a PHP page.
And we're going to make sure that it loads PHP home pages as opposed
to HTML home pages first.
So let's go into etc Apache 2.
COLTON OGDEN: And also Madkingvala, thanks for following.
And mosman.
I think got mosman820.
But if I didn't.
NICK WONG: I love that it has the little-- did you pull that sprite?
COLTON OGDEN: It's one of the default theme,
like the widget themes you can get through the alert box.
And we just integrated the alert box last week.
It's super cool.
It has a lot of cool stuff.
NICK WONG: That's kind of awesome.
Because I saw that and I was like, yeah, that's cute.
COLTON OGDEN: Context.
Context is everything.
NICK WONG: Context is everything.
If you read through these comps, this can tell you
all sorts of things about how you define where certain users can go.
And it's a really useful file.
I'm just not going to touch it a whole lot.
We will edit something in it somewhere, because I
believe we need an option for WordPress in particular.
I'll have to check Google out to check it.
But what we are going to test is in mods enabled.
Oh, and they might have moved this.
It might not be in mods enabled anymore.
I think it's under [? DirConf. ?] There we are.
Love it.
I think these are sym links.
So unwritable.
Yeah, you're right.
COLTON OGDEN: Colton, when will we do the part two of Space Invaders?
Probably next week.
This week is going to be a bit busy with the hackathon going on Thursday.
We have another stream tomorrow.
So Thursday and Friday and in the weekend.
So probably not this week, but probably next week, most likely.
Is Windows dead?
NICK WONG: Is Windows dead.
No, certainly not.
All sorts of enterprise level things are built on Windows.
And I used to be one of those people who thought it was just really cool to mess
with Windows.
But they built all sorts of--
OK, I should really remember the name of that.
Built all sorts of just awesome things and are
responsible for a lot of the world.
Why is that not writable?
Sudo write.
So to answer your question about Windows,
no they are not dead in the sense that they are still
responsible for a lot of major enterprise structure in the world.
However, in tech right now, it is really cool to rag on Windows.
And I mean, I don't blame them.
I don't like their interface.
I don't really like the way that their shell is built.
I don't like the way that their kernel works.
I don't like a lot of things about Windows.
However, because they are used in all sorts of enterprise level solutions
and things, and if you're doing something on a big finance network's IT
department, you really should understand how to set up a domain controller,
how do you deal with having certain people on your domain
versus not on a domain, how do you deal with the different kind
of hierarchical structures for a Windows, like a proper windows domain?
How do you build all of that?
It scales really, really well.
And so if you're at a school system-- there's
a reason that schools use Windows for almost everything.
I think Harvard uses kind of this weird blend of Windows and Mac.
yeah, Apple Computer.
But they do generally have the kind of Windows configuration for the domain
setup.
And the reason for that is it scales brilliantly well.
It was built brilliantly well for enterprise solutions.
So as an individual user, I don't like it.
I would never use it.
Well, I would never use it.
I use it for some things like gaming.
But other than that, I don't really touch it.
But if I was building a business, I would probably avoid Apple.
They're not super cost effective, and I can scale a Windows machine.
There's already services and tutorials and community
built around scaling windows machines to enterprise level solutions
on the order of thousands of employees.
So as a business owner, as a young business owner,
and I would say the caveat being an inexperienced business
owner and non-business owner, it would seem to me
that that would be a really obvious solution.
And the reason that I think that's super important is Windows machines,
a lot of viruses and things are still written for Windows.
People used to think, oh, well, a Mac is unhackable.
That's not true.
That's just because why would I hack Johnny Appleseed when
I could go hack JP Morgan?
And they're built on Windows and you're running a Mac.
So that's kind of one of the main reasons
that a lot of viruses and malware is written for Windows machines
in particular.
Also a lot of hospitals trying to be cost effective,
they did the same set of choices.
So they are also on Windows.
And hospitals are a awful and kind of unfortunately somewhat frequent
attack target for ransomware attacks, because they have such a high priority
on their tech working all the time.
COLTON OGDEN: And [INAUDIBLE] thank you very much for following.
NICK WONG: Yeah, we appreciate it.
COLTON OGDEN: Hello.
See you in the chat there.
Windows is the WordPress operating systems.
[INAUDIBLE] And is this the real life or is this just fantasy?
With the Queen references from Imran.
Imran Ahmedh, I'm not sure what that's in reference to again.
What's the time limit again?
I don't know if he's referring to the stream,
but generally we go for about two hours.
NICK WONG: Two hours or so.
Yeah.
At some point, I like to eat dinner.
Which is roughly the marking limit there.
COLTON OGDEN: I went for hours yesterday.
That was the longest one that I've done.
Because Space Invader is kind of long.
NICK WONG: Yeah.
That's a very long stream.
COLTON OGDEN: We wanted to end on a relatively robust note,
so we [INAUDIBLE].
NICK WONG: I mean, if we were--
maybe if we do a livestream during reading period or right after all
my finals, I could go for a long time.
COLTON OGDEN: Like a hacking tutorial [INAUDIBLE]..
NICK WONG: Yeah, or if we came in and played games or something.
COLTON OGDEN: That could be [INAUDIBLE].
NICK WONG: What do you think about it?
OK, so what we did here was this is an Apache specific web server conf.
But the LAMP stack is one of the most common and prolific stacks
across the internet.
So we're going to talk about it somewhat in depth.
So we basically just said that when you're
looking for the index page, what do you serve up by default?
Look for index.php first, then look for index.html.
And originally index.html is the first one,
and then it goes CGI, PL, and then PHP.
I don't know the reason for making that choice,
but it is a choice that was made.
So we have now flipped those two so that it will now
serve PHP by default instead of HTML.
Now, if we wanted to test that, and this is where you will get to see my--
oh no-- terrible typing and lack of knowledge of PHP all in one
go, actually.
Oh, this is a root own directory.
Index.php.
You will get to see my complete lack of knowledge on what PHP actually does.
Well, how to actually properly use PHP.
I don't know if you wrap that in tag.
We'll find out.
That looks roughly correct to me.
COLTON OGDEN: It's been a while since I've done PHP,
but I think that is correct.
NICK WONG: I hope it's roughly [INAUDIBLE]..
COLTON OGDEN: We'll find it.
NICK WONG: Oh no.
OK, well, [INAUDIBLE].
Oh, wait, also I always forget this.
[INAUDIBLE] see that live.
We should restart the server to make those changes take effect.
And when we pull this, we get nothing.
I don't remember the PHP info page syntax.
That's OK.
We will Google that really quick to--
actually, we can just PHP info page.
PHP info dot PHP page.
Thank you.
Oh, it's literally PHP info, not dot info.
I was so close.
COLTON OGDEN: That makes sense.
OK.
NICK WONG: That makes a lot of sense.
I'm going to just double check the rest of my-- oh yeah, so close.
COLTON OGDEN: Yeah, they have a very functional--
NICK WONG: Very, very functional paradigm.
COLTON OGDEN: Yeah, API.
NICK WONG: I was thinking about object oriented programming.
COLTON OGDEN: You should say procedural, not functional.
NICK WONG: Yeah.
There we go.
Beautiful.
Love PHP.
I don't.
I really dislike it.
[LAUGHS] Cool, so we have now validated to ourselves.
COLTON OGDEN: It's a very opinionated stream.
NICK WONG: Yes.
We're getting close to politics.
Hair.
There's some Jimmy Neutron coming out.
We're really going for it here.
And I hate PHP.
There's some developer of PHP that might come across this one day
and just be like, really, man?
Why?
COLTON OGDEN: Teardrops into the keyboard.
NICK WONG: Or he's probably more realistically like, well, you
don't understand anything.
And it's like, yes, I don't understand a lot about it, and here we are.
So I have both index.html and index.php in the same directory,
and yet we're serving the PHP one, which means we're good.
We have configured Apache correctly to host our WordPress stuff.
Now, the next thing we need to really configure
is a MySQL database to fit with WordPress.
Now, I will, I guess, perpetually forget how to do this properly.
So that's lovely.
I don't actually know if that starts up by default. Let's double check that.
Any time you can't connect to something but you
feel like you should be able to.
Oh, of course it's up.
Awesome.
I believe it's something like this.
Dash P might be good.
Except I never set up a password.
Hm.
That is a great question.
You know what we're going to do?
We're going to-- oh, apparently you can't exit out of that.
We're going to sudo access that and see what happens there.
Boom, MySQL.
[INAUDIBLE]
COLTON OGDEN: Fantastic.
NICK WONG: That was terrifying.
Cool.
So I don't remember the exact syntax for what I'm going to try and do.
So what we're going to do is pull up the WordPress tutorial LAMP stack Ubuntu.
I like to just throw a bunch of keywords at Google
and see how good it is at filling it.
And it's really surprisingly good.
I throw in all sorts of random crap.
COLTON OGDEN: If you write the right keywords,
you might even get a job offer.
NICK WONG: That's crazy.
I've never thought of that.
COLTON OGDEN: Have you seen that?
NICK WONG: Oh, right.
Yes, no, I know exactly what you're talking about.
That is a very good point.
COLTON OGDEN: I haven't gotten lucky enough to get that.
NICK WONG: I have not.
COLTON OGDEN: I've tried.
No, I'm just kidding.
NICK WONG: If you type in a high enough prime number,
I think, you can get Google to--
don't quote me on that.
There is something where you can kind of keep
doing enough mathy things that eventually Google's like, hey, send
us your resume.
Or you get a coding challenge and there's like six levels or something.
COLTON OGDEN: That's true.
I saw the coding challenge part.
NICK WONG: Yeah, that's kind of cool.
COLTON OGDEN: I thought that was a cool way to seek out potential employees.
NICK WONG: Gotta love, I mean, when you control the search engine,
you might as well.
All right, so what we did here was we created the database called WordPress.
Shocking.
And we then said some stuff about its character stuff.
We're going to create a user.
Now, they highlight very nicely of them in red, I think, or green.
May highlight for you not to leave those by default.
We're going to type this in plain text, and you're all
going to see this and possibly hack my WordPress website.
If I were 12 years old, that would make me really upset.
COLTON OGDEN: Speaking of 12, actually, who was it? mosman20.
Where's the message at?
NICK WONG: Oh, right there.
COLTON OGDEN: It says, I'm 12 and I'd like
to learn more about internet security.
NICK WONG: That is awesome.
COLTON OGDEN: I still don't understand how you
installed Apache server on a server.
NICK WONG: Right.
So that is a great question.
Apache is actually just a set of processes
that we call a server, which is kind of strange,
because we call the hardware system that it's on also a server.
It's one of those things where you're actually using the same term
to describe two very different things.
So I could actually run a bunch of different servers on one hardware
device, one hardware server or machine or box
is another term frequently used for it.
And so what that basically means is I can run--
I mean, the only limiting caveat is which ports go where.
So I can only have one service attached to or bound to port 80 at a time.
With a caveat.
But generally speaking, that's true.
So what ends up happening here is I could actually
run NGINX server and an Apache server and a Django server all
in the same box, totally fine.
Assuming you have the resources for it.
And I could just have them listed on different ports.
I could have my Apache server on port 80.
I could have my NGINX server on 443.
And I could have my Django server only listening to--
maybe it's a mail server?
I don't know why we built it in Django, but sure.
We built it in Django, and it only listens on port 21.
So totally valid, and it definitely causes some sort of confusion
with what's going on as far as terminology goes.
So great question.
COLTON OGDEN: JPGuy, thank you for joining us.
Hey, everyone, how are you doing?
And [? Asley ?] was saying that she was upset about his betrayal over--
they were talking about choosing the spaceship,
and I think he betrayed [INAUDIBLE].
NICK WONG: That's rough.
That's real rough.
COLTON OGDEN: Offering pineapple pizza as a crime to humanity.
I don't know, but Dan [? Coffey ?] would disagree.
Dan [? Coffey ?] is a huge fan of pineapple on pizza.
Pepperoni pineapple.
NICK WONG: I am also a huge fan.
COLTON OGDEN: Yeah?
I think it's good.
A little sweet and savory mixed together.
NICK WONG: I like that.
I'm a big fan.
COLTON OGDEN: For refined palates only, right?
NICK WONG: Yeah, that's true.
You gotta be fashionable.
COLTON OGDEN: Is there a way I can include a binary into my security?
NICK WONG: I'm not entirely sure what you mean by that.
Yes and no.
It depends on what exactly you mean.
So if you wouldn't mind specifying, then we can clarify that for you.
COLTON OGDEN: Not the installation part says jabkochason.
NICK WONG: I think talking about how you install the server on a server.
That'd be my guess.
COLTON OGDEN: Oh yeah, that might be it.
I think I'm gonna stick with Namecheap for now.
This AWS seems too difficult, says iamakostik.
NICK WONG: Right.
So it does require that you go in and build some actual parts to the server
yourself.
So if you want to use some sort of actual hosting, AWS I believe
does have hosting services.
We're kind of just dealing with the low level hosting where we build all of it.
But yeah, you're totally welcome to use whatever you're comfortable with.
This gives you a lot more power and control over what you actually build.
COLTON OGDEN: Yeah, I think for a lot of people making a blog
or something, something very simple--
NICK WONG: Yeah, probably unnecessary.
COLTON OGDEN: --like Namecheap.
But this would be like if you're building
a business that has a bunch of services and other stuff like that.
A lot more complicated.
CS50, for example, uses AWS for all of its online services.
Well, not everything.
GitHub pages we do use for--
NICK WONG: Right, for some like our docs, I think.
COLTON OGDEN: Some of our more static documentation and websites.
Like the course website that you and I did, that was a GitHub page.
But yeah, definitely for more sophisticated, I think,
business [INAUDIBLE].
Food is the only subject we haven't covered yet.
That's true.
NICK WONG: Wow, yeah.
COLTON OGDEN: Covered literally everything else [INAUDIBLE]..
NICK WONG: Yeah, we've hit at least [INAUDIBLE]..
Wow, we are the sum total [INAUDIBLE].
There we go.
Now people really think we're crazy.
COLTON OGDEN: What you learn at Harvard Business School
and what you don't learn at Harvard Business School.
NICK WONG: I love that.
I love when they put them next to each other and they're like,
this is everything.
This is it.
COLTON OGDEN: Literally everything in the world.
I can't watch the stream anymore, says JP, because we [INAUDIBLE]..
NICK WONG: Ah, pineapple pizza.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Losing subscribers.
COLTON OGDEN: AWS S3 is good for something simple.
NICK WONG: So AWS S3 is their storage buckets.
It is really useful if you want to store static assets somewhere.
So let's say you want to combine the power of Heroku and the power of AWS.
Then maybe what you would do is, let's say, I built a Django server.
I'm hosting it on Heroku, and I want all of my static assets
to not be running from the Heroku server.
Heroku is not actually really built that well
for throwing static assets back out to you.
Let's say you're rebuilding Flickr.
So you're displaying pictures all over the place.
Then it's actually really problematic for Heroku
to try and serve each of those images to your users, especially if you scale up
and maybe you become a little bit more popular.
Then that becomes really difficult. Whereas AWS, they're a workhorse.
They are really well optimized for just delivering content
no matter where you are in the world.
And that's a really cool infrastructure to be able to leverage.
And S3 does exactly that.
So if I wanted to-- it basically serves as a content delivery network or CDN.
And if I wanted to take some sort of images
and just store them on my bucket, my S3 bucket,
then I can have a Heroku website that just pulls from that bucket anytime
I want content delivered to some user.
And that's a really great thing to use.
COLTON OGDEN: Alexmlw and [? NeonZenKnight, ?]
thank you very much, both of you.
NICK WONG: We appreciate that.
COLTON OGDEN: Mosman says, I have practiced HTML5 for a long time.
Can I use my computer security?
NICK WONG: And then it is pointed out by Jacob--
oh, how did you say it?
COLTON OGDEN: I'm not sure.
I think it's-- yesterday we talked in the the chat.
his name is J like Java.
I'm not sure if it's "kochasen" or "kochosan" or any possible permutation
of syllables.
NICK WONG: We'll get your name right eventually.
COLTON OGDEN: Jabkochason says HTML is a markup language.
NICK WONG: Yes, HTML is a markup language.
However, it does have some implications for security,
especially when dealing with browser security.
So HTML5 is really nice.
It has all sorts of things dealing with caching and whether or not
certain scripted attacks actually really work well or not.
It also deals in how it interacts with the browser itself.
So there are certain practices that Safari
has that they deal with HTML5 better than they do with just HTML.
Actually, I think in general, browsers are
going to handle HTML5's practices better than HTML.
A lot of it deals with caching and whether or not certain things are
stored and where they're stored.
So it is a markup language.
But basically anything that is delivered along the pipeline from you
to your client does have some impact in security.
And it is something that the more of that
you overlook, the more opportunities, basically,
the bigger the attack surfaces.
So the less of it you overlook, the smaller the attack services.
Well, in concept.
And then noonboard.
Yeah.
Yeah noonboard or nonboard says S3 can be used to work with big data.
They have scripts to help you manage data.
Yeah.
AWS, they go the full 10 yards when it comes to managing data with you
or for you.
For you scares me.
I don't want people touching my data unless I ask them to.
But AWS does a really good job of providing you with a bunch of tools
to deal with your data as it comes in, how it's dealt with, how it goes out,
latency things like that.
They give you all sorts of metrics and things.
They probably give you way too many things for the average user.
But it is certainly better to have that than too few things.
So yeah, they do all sorts of great things.
Cool.
So we are granting in the web server that we are building,
in the WordPress website we are building, we are granting all.
So grant all permissions for read write and there's probably
a couple other operations you can do on WordPress dot star.
So WordPress is the database.
Dot star means all tables within that WordPress database.
And we're giving them to the user admin at local host identified by--
cool, my character stopped--
oh, that was nifty.
We're going to bring all our characters back.
Look at that.
COLTON OGDEN: Advanced Linux.
NICK WONG: The best Linux command you'll ever see
is the left arrow key and the right arrow key.
Identified by a password, which you can all see, which is great.
COLTON OGDEN: Invisible ink.
NICK WONG: Yeah, that was kind of cool.
I wish I could control that.
Maybe you can.
So we have now done.
COLTON OGDEN: [INAUDIBLE] password.
NICK WONG: Yeah.
That would be perfect.
There's all sorts of ways to put in passwords in hidden text.
I'm just not using them and I don't know if WordPress
or if MySQL does them by default. Obviously it doesn't need to.
So we've now created the database and we have created a user.
Well, I don't know if we created a user.
We might want to create a user.
No, we're good.
So we have now also created a user for what's going on here.
And we have a database.
We have stuff behind here.
We're all good.
So now what we're going to do is flush--
oh, there's-- man, I always forget how to spell is another one.
Cool.
That worked.
And then we're going to quit.
So we have now left MySQL to its own devices.
And we're going to move on.
We now basically just have to grab WordPress.
We don't actually have it on our site.
So now, I know in that digital ocean blog,
they recommend doing something different than what I'm about to do.
But we're going to do it this way, because it works the same,
and the security concerns that they're dealing with
or kind of the modularity they're dealing with is not necessary.
And I actually argue this being a little bit cleaner as far as where you go.
Oh, right, there's a million PHP extensions
that you can grab for WordPress.
And we'll grab them in the background.
I always forget about them, and they're not
all useful at all times, which is the annoying part.
And I don't remember if you append this.
Oh, OK, that works.
So we're going to do this.
I don't actually know.
We're going to find out what this does on its own.
And we'll see.
So while that's installing, we're going to go to WordPress's website.
And we're going to grab WordPress.
That's shockingly what we need to do.
So WordPress does this really cool thing where
they call it their 15 second install.
Or maybe it's their five minute install.
It's this very short time frame, and they intend it to be really impressive.
I don't know I typed in there.
I could have typed elsewhere.
That's fine.
So let's go to wordpress.com.
And we're going to go to--
they also let you host through them too, which is cool.
But we want to download.
Maybe they put that under developers.
Howdy, developers.
Cool.
COLTON OGDEN: Howdy, developers.
NICK WONG: Yeah, all two of us.
COLTON OGDEN: Imran says, who's your girlfriend?
Leave the relations to the databases.
NICK WONG: Love that.
I don't know exactly where they put their actual code base.
OK, wait.
We can just do WordPress.
Gotta love the power of Google.
WordPress download.
COLTON OGDEN: I think he's saying his name is pronounced jabkochason.
He or she.
I think that's a male name.
Jabkochason.
I think that's how you're supposed to say it.
NICK WONG: OK.
Good to know.
Thank you.
Yeah, we always try to get your usernames right.
I do a noticeably worse job compared to Colton.
Colton gets them pretty well.
COLTON OGDEN: I try.
I do a lot of practice over 18 episodes.
[INAUDIBLE]
NICK WONG: That's awesome.
So we're going to copy the link to that.
If you're like, wait, why didn't you just download it?
It's because it wouldn't have worked.
Oh, right, they use the latest tar.gz.
That's one of the greatest practices ever, by the way,
is you just keep the URL the same and you just update underneath.
That's super helpful, because then they don't
have to update to pull the newest one, which is really cool.
So we now have that tar.gz in here.
So we can do tar.
I think there's a bunch of other commands
that would have also worked here, but we're going to do that.
And that's going to unpack it for us.
If you didn't see that command--
I always forget the flags to this.
Well, I know them by memory now.
COLTON OGDEN: xvzf, yeah.
NICK WONG: Yeah, xvzf.
X for extract, V is for verbose, I don't remember
what Z is, and F I also don't remember.
So they do things.
There's letters.
Hey, yeah, couldn't have said it better myself.
So then we can go into WordPress, and we have a whole WordPress directory
structure in here, which is great.
So what we can do is--
and if you were being pretty cyber conscious,
then what you can actually do is say check the--
I was saying something, and I completely forgot what I was saying as I said it.
COLTON OGDEN: I know how that feels.
[INAUDIBLE]
NICK WONG: Ah, there we go.
You can check the hash.
So generally speaking, if you're downloading some sort of major package
from some sort of repository or website, they'll
give you a hash to kind of guarantee or make
you feel slightly more secure about the fact
that you got what they intended you to get.
Now, that relies on them having not been hacked,
which means that it only really truly protects
against man in the middle attacks.
And what I mean by that is the only way that that's actually
a secure way of validating what you've got handed
is if the attacker is in between you and the person, the provider, CDN.
Because if they got control of your CDN, they could change the product
and then rewrite the hash, redisplay a new hash to you,
and you would confirm the product with the malware in it,
and you'd have no way of checking that.
So we now have an entire WordPress directory.
And what we're going to do is copy dash R WordPress
and all of its delightful contents.
And what we're going to do.
That's var www HTML slash dot.
And we're going to just throw that all in there.
Of course we can't, because that requires sudo access.
Cool.
And then we're going to go car www HTML.
Now, we're going to do some interesting things here.
We're gonna chown dash R. I always forget how exactly chown works.
Oh, wow, that was dumb.
In my head, I was like, man, chown and then
I just typed man and expected it to work.
So we're gonna chown R, change the ownership of.
www dash data.
www dash data.
Oh, that's not gonna work, because that's not a good user.
Man, I always forget how this works.
Give me one sec to look up chown.
Doo, doo, doo, doo.
Owner group file.
Cool.
So we're going to chown dash R 755 w--
or sorry, Ubuntu.
And the group www dash data dot.
That sounds right.
Oh, and we have to use sudo to do that, because it's currently owned by us.
COLTON OGDEN: Abblepi, thank you for following.
Hope I didn't miss any of them.
NICK WONG: I don't exactly understand why that didn't work.
My apologies.
There's only so many commands I can keep in my head.
So chown directory syntax.
We'll find out.
Gotta love that.
That looks roughly right.
Oh, right, I'm a dummy.
I was mixing two commands.
So yeah, you don't actually need to change--
yeah, we were trying to do something real weird with that.
That worked.
There we go.
So what we were originally trying to do was mix CH mod,
which changes the modification and chown, which is something
that you do when you have not slept a whole lot in the past couple of days.
So there you go.
Live study in how that works.
So now if we do LL, we can see that these are all
owned by the user Ubuntu and www dash data, which is kind of just the data
group for the worldwide web.
Cool.
So something that has been pointed out a little bit earlier, and I
kind of ignored it by accident, was by twitchhelloworld, which said,
I thought you said in an earlier stream it is better
to avoid using sudo to gain access and instead rather to access directly.
Though said you do actually access using sudo a lot in practice.
Yes.
So what I'm doing here is I am saying, basically,
don't do this and stay as root.
That means that you're going to basically just have full control
and nothing will ever stop you.
No one will even really ask, which is terrible.
Keep yourself in some sort of sudo accessible user.
Now, what I also advise against is just arbitrarily typing sudo.
The reason I'm using sudo here is because we are actually
trying to access the root permissions.
Excuse me.
Because originally, this directory was owned by root.
So the only user who should really be able to modify it is root.
And so sudo gives me access to root, and then I'm
going to do something to what root actually owns.
And so I'm kind of doing by explicitly doing it that way is I'm saying,
I acknowledge this is owned by root.
I'm going to kind of temporarily run a command as root,
and that should all be congruent.
I'm running commands owned by the same person who owns this directory.
So yes, generally, as a rule of thumb, if you're using sudo,
you should think in your head, why am I using sudo?
That is a great question and a good intuition
that I would never get rid of.
Keep that.
It'll prevent you from running kind of willy nilly commands.
COLTON OGDEN: [? Ahmed Osman ?] said, can we
make a stream about building multitenant architecture, which
is the base for SaaS applications?
NICK WONG: I guess we probably could.
I don't know enough about them, I don't think, to do a stream.
But we could find someone who does.
COLTON OGDEN: We'd have to find somebody that could do it.
NICK WONG: Or we could educate ourselves on it and then do it.
COLTON OGDEN: True, true.
Over the winter break.
NICK WONG: Yeah, that could be a winter break project.
There's all sorts of things that are on my winter break docket.
Cool.
And do we have any other comments that we are missing?
COLTON OGDEN: They're talking about name pronunciations.
So jabkochason is talking about how there's no this letter.
I'm not exactly sure what that translates to.
And Jab, if you wouldn't mind tossing where
you're from again in the chat, if you haven't done that already.
I don't recall offhand.
JPGuy says his native tongue is Dutch.
So I'm guessing he's from the Netherlands, then.
Correct me if I'm wrong.
I apologize, JP, if I'm incorrect.
And seeing you guys have to Google syntax makes me feel so much better.
NICK WONG: Oh yeah.
Oh, we can do that more if you'd like.
I mean, sometimes I'm just guessing long intuitions
and hoping that I'm roughly correct.
I mean, syntax is generally something that I
think in a really kind of serious way, you shouldn't really
spend too much time memorizing.
I mean, a lot of this I've memorized just by doing it enough.
But I would recommend not memorizing it.
It's not worth your time.
The only times that I guess it might be time valuable
are if you, in a job environment or work environment,
are typing kind of the same set or set of parameters or set of codes
over and over again.
Then you don't want to have to Google it every single day.
That'd be kind of ridiculous.
But you'll memorize it by kind of just doing it over and over again.
I mean, that's how I generally memorize these.
I would generally say, generally speaking,
I would usually say that you shouldn't just sit down and memorize syntax
for the sake of memorizing syntax.
It is very rare that that is useful.
There are some languages, some functional languages,
that do help you teach and understand certain paradigms
and things about programming as kind of a meta concept.
But other than that, I would generally advocate
against memorizing just syntax.
I would usually try and motivate it through some sort of project.
Do a couple of those kinds of projects if you
want to really get that syntax down.
But otherwise, it's not necessarily super useful.
And Googling syntax is now a tool available to us.
COLTON OGDEN: Super easy, yeah.
NICK WONG: Why not?
COLTON OGDEN: [INAUDIBLE] was like 20 years ago.
NICK WONG: Yeah.
Before Google existed, it would definitely
be very difficult to Google things.
COLTON OGDEN: Books.
NICK WONG: Oh my god.
I can't imagine trying to just use a book for syntax.
COLTON OGDEN: [INAUDIBLE]
NICK WONG: Yeah, that would have hurt.
I have a lot of respect for the people who
were doing that and who were writing full programs in assembly.
That terrifies me.
Awesome.
There's some other stuff.
Isn't it useful in C, since the language is so small and so technical?
I thought maybe Python too, since it seems like it will be used so often.
This is asked by twitchhelloworld.
So in any language, it is useful to know syntax off the back of your hand.
Or off the top of your head.
Sorry.
Because it's going to make you code faster.
However, it has been pointed out by experienced developers to myself
and just kind of through my own experience, coding faster
does not always mean you're coding better.
Frequently people are coding really quickly and they write a bunch of code
and they write thousands of lines of code, and then you look at it,
and you ask them, well, where are your unit tests?
How have you sat down and debugged each part?
And they might tell you, oh, I haven't yet.
Haven't yet it's a very scary term in CS when you are building an enterprise
level project.
Because how do I know that when you add that into our code base
you don't crash the whole thing?
Now, hopefully we have continuous integration tests and things like that.
But in general, I would be very, very careful about how that actually works.
COLTON OGDEN: And thank you to [? WizAt23 ?] for the follow as well.
Make sure I got that name correct.
And then we have a couple of other questions.
[INAUDIBLE] future streams list.
That would be interesting, because [INAUDIBLE] multitenant
architecture most of debates.
I'll have to take a look and find somebody, probably.
I don't know if realistically we'll have time us necessarily over the break
to look at that specifically.
But if I know anybody that knows about that,
definitely we can take a look at that.
For security, you should have the web directory of your new WordPress
in your user folder and then deal with permissions,
then use virtual directories and Apache rules to override some permissions.
NICK WONG: Yes.
I thoroughly agree with that.
Also, you should certainly configure permissions
before you move stuff into a directory that's accessible to the web.
And the reason for that being that while it was in kind of this weird permission
state, there might be something that they could take advantage of there.
Now, in this case, I showed a private SSH key on the screen.
I don't know how concerned we are with really strict practices on security,
but that is a really good point that you don't want anything
to be available to the public until you are positive that it
is ready for the public.
COLTON OGDEN: That'll be for the next stream.
NICK WONG: Yeah, we will talk about it very rigorous-- well, much more
rigorously in the cyber security stream.
COLTON OGDEN: Which functional programming language should I
learn first?
[INAUDIBLE] comfortable JavaScript, least comfortable plus learning Java.
NICK WONG: Right.
So Java is another object oriented programming language,
and a very good one to know, at that.
I would count it as kind of--
well, actually, I don't want to say that, because it will upset everybody.
So yes, functional programming languages are worth learning.
However, I mean, imagine asking the same question
but with object oriented programming languages.
Which one should I learn first?
Some people will say Java.
Some will say C#.
Some will say C++.
Some will say Python.
COLTON OGDEN: C# for life, boy.
NICK WONG: C# for life.
Love that.
I actually don't develop too much in C#.
I do love C++.
And they have enough similarities that they're similar-ish.
I don't mind transitioning from one to the other.
Functional programming languages.
The first one I learned was OCaml, actually.
But I am a huge fan of closure.
I think it's really well done.
So as long as you're focusing on the paradigm
and why functional paradigms can be really, really useful,
I think you're fine.
I think you might want to also add in a practicality aspect to it
where OCaml's not used necessarily all that often.
Whereas something like closure, we'll probably
be seeing more and more use cases from that, especially because it can
[INAUDIBLE] to JavaScript.
So it's pretty portable.
Things like that are really important to a lot of people.
There's all sorts of languages.
I mean, F# is also functional, but I don't know if many people using it,
necessarily.
There's all sorts of reasons that you might use any one functional
programming language.
But I think as long as you're focusing on the paradigm, that'll help.
And technically, you could do some form of functional programming in a Java
or in even you could technically do it in any language.
Just whether or not they have kind of the syntactical sugar tools for it,
that depends a lot on the language.
COLTON OGDEN: C++ even has lambda expressions now.
NICK WONG: Right.
Yeah.
That's crazy.
And Python has a beautiful lambda expression syntax.
So yeah, you could do it in pretty much any language, I think.
COLTON OGDEN: Closure would be a cool stream.
I would love to do a closure stream.
NICK WONG: That'd be sweet.
COLTON OGDEN: I would need to deep dive a little bit deeper into it.
NICK WONG: Yeah, same.
I think it'd be fun.
And it's come up a couple of times now, I think.
[INAUDIBLE]
COLTON OGDEN: I think our fate is being drawn.
NICK WONG: We're going to closure.
Excellent.
COLTON OGDEN: Jabkochason, thank you for coming.
[INAUDIBLE]
NICK WONG: Ah yes, I appreciate it.
COLTON OGDEN: How many more streams will you guys do?
Well, you and I are probably going to do quite a few more.
NICK WONG: Quite a few, yeah.
Just kind of keep going.
COLTON OGDEN: [INAUDIBLE] We got one next week on C. You're doing one on C.
And then after the winter break, to someone else's question, which was--
who asked that question?
[INAUDIBLE] Winter break starts on the 12th for us, for me.
NICK WONG: I think for me it's the 20th.
COLTON OGDEN: Oh, OK.
And then we'll be back for the second of January.
And then that week we'll probably stream on the third and the fourth.
So we'll have a couple of weeks of a break in the winter
while we get CS50 on edX going for next year.
And then we're back.
We'll be back at full capacity.
But yeah, definitely tune in at that point.
And they're saying, you can do functional programming in Java.
It's ugly, but you can do it.
[INAUDIBLE] I definitely have seen that.
Functional programming from [INAUDIBLE] practical application.
NICK WONG: Right.
So I guess as far as learning new syntaxes,
eventually you should be at a point where learning new syntax
isn't too bad.
I mean, learning new syntax to the point of being a master
at that programming language I would argue is very difficult.
But learning new syntax to where you're comfortable enough
to code up something simple, that shouldn't be too bad.
I think that requires a couple hours of learning.
COLTON OGDEN: The basics like map filter reduce can all be learned.
You can learn that in Python and JavaScript.
You don't have to go too crazy and go to a functional language
to understand what those are.
NICK WONG: Yeah, exactly.
And those are, I think a lot of it.
Right?
If you understand that, tail left, tail right,
you're pretty set as far as a lot of functional programming things go.
It's then just can you start to see a lot of the applications for it?
Can you start to see how it applies to algorithms?
So take a common algorithm and do it in a functional
way instead of the object oriented way.
And actually being pure about this.
COLTON OGDEN: That's the hardest part is taking your procedural and object
oriented instincts and transferring that into the world
of functional programming.
NICK WONG: Put it into functional.
COLTON OGDEN: That's the hard part.
NICK WONG: That can be pretty hard.
COLTON OGDEN: And that's where it actually--
NICK WONG: I think that's the first piece, then,
for our functional programming course here
is literally take a bunch of stuff you've already done
and do it functionally.
And it's a hard struggle.
People are like, oh God, this hurts.
It's just not something you're used to.
And there's a lot of things where you're like,
this would be so convenient in object oriented.
All right, so we are almost there on our WordPress website.
Things have been configured to where they are roughly the right permissions.
Someone mentioned using an htaccess file to configure stuff.
htaccess has been-- there's a lot of the community on Apache
is moving away from htaccess just because it is not necessarily
something that is super robust.
And what I mean by that is it's easy to have a bunch of them
and then have them overwrite each other and you can control
permissions a little bit easier.
However, they are still used frequently and a lot of tutorials
still encourage them.
So I'm not going to touch on it too much, because it is kind of not
necessarily considered a best practice anymore,
though it is a totally valid practice.
So we're going to kind of ignore it in favor
of just setting our permissions to be relatively restricted, which
we actually are not really doing here.
But in concept, you could.
So with that in mind, we're going to deal with htaccess maybe
never in a stream.
But if we ever cover Apache explicitly, we will certainly deal with it then.
COLTON OGDEN: Mrc147, thank you very much for following.
NICK WONG: Yes, we appreciate that.
Every time someone follows, we appreciate it.
COLTON OGDEN: I love the sound, the "bring."
NICK WONG: Yeah, it's a really cool sound.
They don't hear that, right?
COLTON OGDEN: It'll be in the video, I think.
Yeah.
Everybody in the chat, confirm if you can hear the follow notifications
when it [INAUDIBLE].
NICK WONG: It's a cool sound.
COLTON OGDEN: [INAUDIBLE] They probably hear it through the microphone,
if anything.
But I'm pretty sure it's in the actual video.
NICK WONG: Yeah, that'd be kind of funny.
It's very interesting to me what you guys hear versus what we hear.
I don't know why I did status all.
I know exactly what status I'm trying to change.
COLTON OGDEN: Yeah, they're saying they hear it, yeah.
NICK WONG: Oh, sweet.
Yeah.
Oh joy.
Spelling.
There we go.
Forgot to restart the database.
COLTON OGDEN: Some people are saying they can't.
OK, I'm not sure.
NICK WONG: Oh, so it's like the dress.
Everyone's kind of like--
COLTON OGDEN: Yeah, exactly.
NICK WONG: We don't all agree.
[INAUDIBLE]
COLTON OGDEN: The yanny or whatever it was.
NICK WONG: Yeah, exactly.
COLTON OGDEN: Ahmedosman thank you very much for following.
NICK WONG: All right.
Now I might be missing a MySQL extension.
Bummer.
Let's go ahead and grab that from the tutorial that I so conveniently closed.
Love that.
There is all sorts of extensions.
There's a couple of minor things that I am certain I am forgetting.
We'll live.
I don't build with WordPress that often anymore,
so we're going on knowledge from a while ago.
COLTON OGDEN: It was laurel and yanny.
That was what it was.
NICK WONG: Oh, right.
There we are.
That is the name.
COLTON OGDEN: It was both names put together,
and that's why you could hear it.
Because the low frequency was Laurel.
NICK WONG: Oh, and they just had them at different frequencies.
COLTON OGDEN: It was the other way, but yeah, the lower frequency bands
were one name and the upper ones were the other one.
So if you filtered out either side, you would hear the other name.
NICK WONG: That is good to know.
Hm, maybe I am not missing a MySQL thing.
So let's go ahead and see if maybe we just messed up.
Oh, we are missing the PHP MySQL extension, I believe.
COLTON OGDEN: I signed up for edX, but I have been busy with work.
I haven't started.
Is it possible to catch up or re sign up for the next session?
I believe you can.
I'm not 100% sure of the--
I forget how the actual details work.
I think you certainly can sign up.
If you're taking it for free, you can sign up and do it whenever you want.
For the certificate, I do think you can just
turn in your work for the next course iteration and still get it.
I don't think you're locked in.
But the details should be on the website.
I think it'll tell you what the deadline is.
All of the new content from this year is going to go up around January.
It'll be up January 1.
So if you want to start taking CS50 with the lectures that we taught this year,
then that'll be an option to you.
And you can see the lectures on YouTube right now, actually, too.
NICK WONG: Sweet.
Yeah.
That one I wouldn't necessarily know a whole lot of an answer on.
Oh, I do know this.
Well, I don't know this one.
I have I guess as to this one.
You probably know this one.
Why isn't CS51 on edX?
I know they just recently kind of changed course staff,
so they were dealing with a bunch of stuff with that.
Just recently being the first year I took it.
I've had that happen to me all the time, actually.
Every single CS course I think I've taken except CS50
has had a change in professor every single time.
Go figure.
I don't know why that is.
COLTON OGDEN: Yeah, I don't know if they have the resources either,
or at least the production.
They definitely don't have the production CS50 has.
I've been telling David we should try to get a 51 of our own implementation done
at some point.
I think that'd be really cool.
How tall is David?
David I believe is 6' 2" 6' 3".
NICK WONG: Yeah, he's pretty tall.
COLTON OGDEN: If David's lurking in the chat,
then definitely let us know how tall you are, David.
NICK WONG: Yeah, throw that out in the chat.
COLTON OGDEN: People want to know.
NICK WONG: In case there aren't enough people obsessed with you.
I'm sure there's a compiled version of David somewhere on the internet.
Just like a compiled fan page of David.
There's got to be.
COLTON OGDEN: I think there probably is, yeah.
He has a Wikipedia page, but I don't know if that's fan driven
or how that works.
NICK WONG: Yeah, I don't know.
Good question.
So many questions that we all don't really necessarily know about.
All right, so we have configured WordPress kind of.
Except we deliberately left out, we, I deliberately
left out copying over their config page.
And the reason for that is it can sometimes
cause bugs if you don't necessarily edit it correctly.
And I promise you, I was going to edit it entirely incorrectly.
So we're doing that through WordPress's interface, which is kind of nice.
And so what ends up happening here is they tell you
that, hey, you didn't actually create a wp dash config dot PHP file.
And you're like, I totally, and then when you list everything out,
you're like, didn't do that.
And the reason that we didn't is because they have a sample PHP file.
And in a lot of WordPress tutorials, the standard
is to copy that over and then fill in your parameters.
And they very clearly demarcate where you should fill in your parameters.
However, we're going to deal with things here.
And we're going to kind of actually go through
with WordPress's way of doing it and talk about why that's kind of cool.
Because it didn't necessarily exist before.
So the database name is WordPress.
Wow, we're so clever.
The username is admin.
The password is, shockingly, password123.
COLTON OGDEN: I love how they don't even give you a-- well,
I guess it doesn't matter usually that it's not hidden.
For the sake of this, if you actually had a legitimate password [INAUDIBLE]..
NICK WONG: Yeah, you really wouldn't want everyone seeing this.
But that's OK.
Here we are.
Table prefix.
We don't really care about this.
But if you were running a bunch of WordPress databases or servers
or things, like WordPress actually does in the real world,
then you might want to care about that.
And we're going to submit that, but I can't write the PHP file.
That's a huge bummer.
[INAUDIBLE] So what this basically does is it gives you the PHP file yourself.
You can copy all that.
I really hope I copied that.
And then we're going to nano wp dash.
COLTON OGDEN: Paste in your password on accident that you [INAUDIBLE]..
NICK WONG: Oh man.
That would suck.
COLTON OGDEN: If you did, that'd be hilarious.
NICK WONG: I would not put it past myself.
There you go.
And you'll notice that this all got set up.
Now, it also grabbed these hashes and salts for us,
which is super convenient.
It might have generated them for us.
I don't exactly remember how they do that.
I know that when you do it yourself, you can go to the api.wordpress.org over it
and get them yourself and manually copy them.
But we don't deal with any of the rest of these.
Everything else is set up.
There's my password again.
You want to hack my WordPress website, knock yourselves out.
COLTON OGDEN: It's a good password.
NICK WONG: Yeah, it's a very solid password.
COLTON OGDEN: It has numbers in it.
That's important.
NICK WONG: Exactly.
There are numbers.
No capital letters, but we could put one in there.
Cool.
So we have created it manually, pasted the following text into it.
WordPress promises me that I can run installation.
So I click that.
Hands off.
COLTON OGDEN: Samuta, thank you very much for following.
NICK WONG: And now we can go ahead and create stuff.
So site title, AWS Twitch Demo in aggressive caps.
There's a username, admin.
COLTON OGDEN: Becausetheworldisrou.
I'm guessing probably round, but it got cut off.
[INAUDIBLE] Thank you very much for following.
NICK WONG: And we're not going to confirm password.
Yeah, we're gonna confirm the use of a weak password.
There we go.
COLTON OGDEN: A very weak password.
NICK WONG: Very weak password.
WordPress is sitting there like, ha, ha, ha, you weakling.
Except WordPress gets hacked all the time.
I'm willing to accept that insult. And we're going to say admin.
Oh my God, what?
In two keystrokes, I deleted the URL for the page.
Go figure.
So admin@gmail.com.
That's going to suck.
Discourage search engines.
Well, that's up to them.
I don't know if Google actually follows that.
You appear to have already installed WordPress.
Well, that's kind of nifty.
I don't think I did, but OK.
And we log in.
And we're going to log in with admin password123.
COLTON OGDEN: Nonboard, thank you very much for following as well.
NICK WONG: That's not valid.
Bummer.
It should be valid.
COLTON OGDEN: Twitchhelloworld has been rooted out
as [? Jacque ?] in the Facebook group.
NICK WONG: Oh, you guys suck.
Just as an FYI, y'all are the worst.
COLTON OGDEN: What happened?
NICK WONG: Someone beat me to it, because y'all actually type faster than
I speak.
I've been locked out of my own WordPress website.
You literally took me up on the go knock yourselves out.
Now, if I had followed a user's suggestion at the very--
I'm still laughing at how hilariously funny that is.
COLTON OGDEN: They have Illuminati things.
NICK WONG: Yeah, there's a plant.
COLTON OGDEN: [INAUDIBLE] live demo.
NICK WONG: So I love doing live demos.
And actually this is one of the better parts,
because it's just unexpected and really funny.
COLTON OGDEN: [INAUDIBLE] might be here too.
It might be the culprit.
NICK WONG: Whoever is mocking us the most in the group chat I would imagine
is the person who did it.
And that's kind of awesome.
I did literally tell you to do it.
So I appreciate that you followed that.
And so out of curiosity-- well, maybe not out of curiosity,
but we are going to, since we have a little bit of extra time,
since I won't spend that building the WordPress website, it has been built.
And I cannot admin it at the moment.
We really appreciate that.
You guys are great.
And so what we're going to do is we're going
to actually run a small hack on it and see if we catch your password.
So if you weren't clever with your password, then this will catch it.
Don't change it.
It'll be kind of cool.
Or go ahead and change it, I don't know.
But if it was something simple like password123 or password1234
or something very entertaining, then we'll actually crack your password,
and that'll be kind of interesting.
The chat will enjoy it.
So it'll be kind of fun.
I didn't do it, though I saw this.
Paste link into chat.
I'm always scared of clicking links in chats.
But Colton is fearless.
And he got a picture of team Edward.
Edward from Twilight.
COLTON OGDEN: Some great contributions from the chat.
Appreciate that.
NICK WONG: The chat, you guys are hilarious.
So we do all sorts of crazy things here at, what is it, Twitch, CS50 on Twitch.
COLTON OGDEN: CS50 on Twitch.
NICK WONG: Cool.
So somebody has cheated into this.
I will say they could probably have been a little bit more creative
with the title of the website.
It could've been hacked or something like that.
Oh, they're commenting on the hair.
COLTON OGDEN: A little bit.
A little bit [INAUDIBLE].
NICK WONG: That's pretty funny.
All right.
So we have this kind of cool utility.
I have this kind of cool utility.
It was built by some people that do some cool stuff.
Also, I've changed my prompt a little bit.
I was inspired by talking about the prompts customization last time.
So I actually changed it.
COLTON OGDEN: [INAUDIBLE] happy face.
[INAUDIBLE]
NICK WONG: Yeah, so it changes if you run a command that doesn't exist
or it actually tells you the error code that prints from that command.
COLTON OGDEN: OK, that's cool.
That's cool too.
I like that.
NICK WONG: Yeah.
So I thought that was kind of cool and thought it was kind of nifty.
So if I run some sort of valid command, it goes back to happy face.
Thought that was kind of cute.
But what we're going to run is something called wp scan.
And what this does is it allows us to scan a WordPress website.
Ah, no.
Why did that copy with it?
Why does Nick forget how everything works?
Cool.
And this is going to tell us it's WordPress website.
And it's going to enumerate some kind of stuff that's going on there.
And I can actually also pass in a password list.
I don't remember if that's the keyword, but we'll find out.
I have this password list stored somewhere.
No.
I think it's under--
wow, I'm so glad that I called that something reasonable.
I don't know what's in passwords2.txt, but we'll find out.
COLTON OGDEN: hiimzackjones, thank you for following.
NICK WONG: Yes.
We really appreciate that.
I love the noise.
Yeah, that's fantastic.
[INAUDIBLE]
COLTON OGDEN: I see a lot of seller stuff in there.
NICK WONG: Yeah, there's some cool stuff in here.
Oh, so this is home brewed.
Where is the password list?
Ah, word list.
Every time.
There's only so many ways that you would think you could run this sort of thing.
And yet there are way more than you will ever imagine.
So we're going to throw a WordPress scanner at it.
And if you are thinking this is a script kiddie-- hey, we know who it was.
Really good on the name there.
So if you are thinking script kiddie, you would be entirely right.
This is a script kiddie sort of attack.
However, I can explain to you what's going on underneath it,
and I'm not going to use that as validation for me
not being a script kiddie.
But I think it is kind of funny.
So we did end up grabbing one of your logins.
I don't have a whole lot of passwords sitting on there.
If you want to tell us your password, you can see this tool work.
Otherwise it doesn't matter.
But we do know the username that is actually going on here,
and we know that you're the only user on this WordPress website.
So if I wanted to be really thorough, I would probably go onto--
oh, I'm not going to go on there, because I know some of the passwords
are not pleasant.
They use a lot of bad words for passwords.
People are naughty.
So if you type in--
COLTON OGDEN: Clearly.
NICK WONG: Y'all are case in point of that.
You guys are naughty.
And so if you go on GitHub, there's a [? SEC ?] list or [? SEC ?]
dev that does just thousands of different kinds
of passwords and where they got them from and all sorts of cool things.
And so if you go on there, you can just pull their password lists
and snag them and then throw them through WordPress scanner
and see if you can crack people's passwords.
It is a brute force attack.
There are all sorts of ways in which they can detect this sort of attack.
You'll notice I only threw 500 passwords at [? Maga's ?] way
of hacking our things.
Someone asked, wait, is this at CTF?
What CTF is this?
It is not a CTF, but it's pretty close in concept in the idea.
And we're kind of getting towards that.
Actually, a lot of the CTFs that I build are very, very similar to that.
This is not a CTF if you just happened to hop into the stream.
This is actually us building a [? word ?] web server.
We are building a web server.
This is not a CTF.
Do not worry.
We will, however, go through a live CTF later.
So yes, I have now been locked out of my WordPress
website, which is totally cool.
I own the WordPress website, which is great.
I can also shut everyone out using something like this.
Actually, ufw allow.
Let's do allow 22.
ufw allow 20.
Oh no.
That was the worst possible typo.
I'm always afraid of doing that.
I don't remember if it's disallow?
Where is it?
COLTON OGDEN: And thank you [INAUDIBLE].
You've been a regular for a long time.
Thank you for following us.
NICK WONG: So we'll deny port 80, which means you are no longer allowed--
well, you should be no longer allowed to connect through our--
oh wait.
Sudo ufw enable.
There we go.
So yes, it may disrupt existing SSH connections.
That would be normally very dangerous, because I deleted my SSH
key to literally prevent you guys from doing
what you did to the WordPress website.
Which let's make sure that that's still true.
Cool.
And now that should prevent us from connecting to the WordPress website.
So it's a decent burn all cut corners strategy
if you notice you've been hacked.
In this case, I noticed I've been hacked.
Now, my first technique was to hack back.
Don't do that.
That's a terrible first strategy.
However, a good first strategy would be for us to then disable all connections,
shut down all resources.
I've explicitly denied 80, but ufw will deny everything
else too that's not explicitly allowed.
So I am also just being extra secure in that.
But I also explicitly allowed 22 so I can connect myself.
And that makes sure that you guys are all shut out.
The world wide web is shut down with regard to my server.
If I wanted to be really thorough, then I might go back
into our management console and edit the inbound rules and say, you know what?
I wasn't even using 443, so get rid of that.
And I'm going to nuke port 80 as well.
And now I'm pretty sure that I have blocked myself out of the internet.
Now, that might be a dangerous first strategy.
I'll go on a very brief tangent, since we have now completed up
to stage three of our plans for today, and we've completed it roughly on time,
actually.
And it will give me a little bit of a moment
to talk about a better strategy, which is
you should actually kind of let your attacker go for a little bit
and watch them.
Once you've noticed it, it's a decent idea
to try and contain them, but let them not know they've been contained.
So if there is some sort of way of sandboxing them without them noticing,
that's fantastic.
And the reason for that being that I can design a beacon that
gets implanted on your server and goes out and pings back to me
and, I don't know, gives me information or lets me connect back to you
as a shell or something.
And that beacon might detect whether or not I have internet connectivity
or whether or not the beacon can reach out.
And if I shut everything out, I'd kind of just
pull my computer off of the internet and leave it in some sort of--
you could refer to it as an air gapped state of some sort.
Then that might actually not help you, because your attacker might disappear.
You might think your attacker is gone.
Then when you connect it to the internet again, you put a bunch of new protocols
in place, you change all of your passwords, all of your keys,
everything's been re encrypted.
That attacker is still there and they're now just as bad as they were before,
but you think you're safe.
And that's much worse.
So generally speaking, if you can kind of
play this kind of counter subterfuge game with your attacker,
that actually helps.
Nonboard points out honey pots.
Honey pots are a really good idea in concept,
especially if you can execute them really well.
However, I would advise being very, very careful
with that, because if your honey pot is sitting in the middle of a device
that you actually care about or even a network you actually care about,
it is no longer necessarily a honey pot.
It might be kind of a honey grenade.
It is really good most of the time and every once in a while
it explodes and ruins your entire network.
So be very careful in setting things up.
Try and take the right precautions.
There's not necessarily a centralized repository for how to do it.
But for example, if you set up a honey pot, I'm the attacker
and I get into your network but I go into your honey pot by default,
I notice everything is a little bit too easy
or maybe I just realize that I'm on a network that only has one node
and I think that's very strange.
Then I might say, hm, it's very possible I've been trapped,
but they don't realize that I realize that I have been trapped.
So I can play on that sort of assumption and start
trashing their system, which is what they would expect.
I can do all sorts of behaviors that you might also expect.
And then the second that there is some sort of vulnerability
that I have noticed or the second that I realize
I can go one step back in the network but not all the way out
of your network, then I will use that point to then branch back into it.
And I will make sure to not hit the honey pot again.
And so that sort of thing then buys me time.
So if your honey pot's not configured correctly,
or if it's configured in a way that you forget
that your router is a potential attack surface
or that a firewall can be a potential attack surface,
there are all sorts of attack surfaces.
You want to minimize those.
But there are reasons for having them.
There's a reason for a firewall, and there's certainly
a reason for a router.
So you have to be careful, and there's a lot of balancing that goes on there.
COLTON OGDEN: Yeah, very curious to see the cyber security stream.
NICK WONG: Yeah, it'll be very fun.
COLTON OGDEN: [INAUDIBLE] stream.
NICK WONG: I'm very excited for it.
COLTON OGDEN: I saw an [INAUDIBLE] article on outages on Microsoft Azure.
Do you have thoughts on going to cloud versus your own server?
The main motivation to me is the cyber security staying up to date constantly
there.
On the Azure I'm guessing they're talking about.
NICK WONG: Right.
So it is actually definitely good point to end on, since we've
been talking about web servers.
I'm going to kill mine while I answer that question.
But basically, the question being that if you host something
on some sort of remote provider like AWS, Azure, Google Cloud, they have
have more resources than me the individual.
I know that's true.
I have $5 in my wallet.
And they do not have just $5 in theirs.
So they are capable of doing all sorts of things
to update and maintain security practices.
They can update the hardware itself, which is really important.
They can do all sorts of really, really cool things that I can't.
And as my own personal user, if I'm hosting a server in my house,
it costs me electricity costs, which they are not really
necessarily charging directly to me, at least not in the same way.
It also might cost me in networking for my ISP.
It might cost me in terms of what if a hardware device breaks.
If I have a hard drive that just breaks, like they break from time to time,
that would be really bad.
I don't necessarily have data backing up and things like that.
There are a lot of really great advantages
to using a cloud service provider.
Now, that being said, that cloud service provider
has hardware access to your device.
So they could, in concept, if they were to ever turn out
to be a bad agent, they could mess with your device,
and that is something to be kind of paranoidly aware of.
Something else to kind of keep in mind is having a service on your own,
provisioning for it in your own in-house or in warehouse,
then you have to take care of every single part of it,
and there are a lot of security concerns that you might not be aware of.
Whereas Amazon has their own security team dedicated to doing just that.
So it's generally worthwhile if you're a business or enterprise solution.
Unless you're big enough that it is more cost effective to keep it in-house,
it's usually going to be more worthwhile to keep it on some sort of service.
Now, examples where that might not be true despite cost effectiveness
would be maybe hospitals, where data and sensitivity are really important,
of utmost security, confidential.
And I think AWS actually does follow enough safety parameters on that
that they are regulation approved as far as hospital documents go.
If you're a law firm, that might be of utmost priority to you.
And it's a selling point, even, to your clients
is that we protect your data because we own all of it
from the electricity that comes into the house to all of the data
that you gave to us.
If you are a government, for example.
If I am the foreign government of China, if I am the Chinese Communist Party,
I might not use AWS to host my things.
Because the US government, it is an American company,
and the US government might subpoena things off of that hardware.
And they might be totally within their rights
to do that if it is a matter of national security.
So that would be something to consider.
But I don't think any governments are really watching.
Or if they are, hello.
And that's all I have to say for that.
COLTON OGDEN: All 41.
NICK WONG: Yeah, all 41 of them.
Our foreign governments.
COLTON OGDEN: [INAUDIBLE] house server, in-house server [INAUDIBLE] running,
but we don't have any web facing stuff like a website or databases anything
big, just DNS, DHCP, and AD.
NICK WONG: Sure.
And so you're AD basically tells us that you're using some sort of Windows
environment, which is really cool.
Likely using some form of Windows Server if you have it all in-house.
And if you have just DNS, DHCP, and AD, then minimal services definitely helps.
And continuing along the kind of paranoid track
of this conversation, if I wanted to be extremely paranoid,
well, you can poison DNS.
You can mess with DHCP.
And I could actually override the security of your AD
using any number of man in the middle versus external attacks
versus whatever.
But generally speaking, that sounds like a good practice.
That seems very reasonable.
And within business, that seems like a pretty standard practice.
So there's all sorts of ways of doing that sort of thing,
and I don't think that there's any realistic threat.
But it is something to keep in mind.
As a computer scientist, as a cybersecurity person, as a programmer
and as a person, it is definitely a good idea to be as thorough as possible
and have kind of these cases enumerated so that in the event that that happens,
even if it is a very unlikely probability or a very low probability
occurrence, you're still aware that it could have happened
and you might have some provision in case.
I believe a good example of that is the United States occasionally discusses
what happens if the zombies come and take over in the Senate.
That's a real discussion that occurs.
And it's such a low probability as to most people
saying that would never happen.
But it is very possible.
It's been considered in popular culture enough
that maybe something along those lines could happen.
And considering that case, still worthwhile.
COLTON OGDEN: Makes sense to me.
It looks like [INAUDIBLE] has asked about the Humble Bundle currently
running a sale on some cyber security books.
So these are them if you want to look.
Basically asking, are any of these worthwhile?
So these are the [INAUDIBLE].
NICK WONG: So things with books, and the reason
that I am somewhat wary of, though definitely a huge fan of getting books
on cyber security, block chain, C, programming, best practices, worst
practices, mediocre practices.
No one ever writes a book mediocre practices of C programming.
They always write the best practices and who knows where that came from.
But the reason that I'm wary of books and of buying information
on a monolithic standpoint is I am usually of the opinion
that people have some really good opinions and some really bad opinions.
And myself included.
I probably said something within the past three streams
that someone was like, that's either wrong,
that's probably happened many times maybe, or that's a terrible opinion,
here's why.
And they have real evidence for it.
Yeah, PHP is probably a great example.
I was like, I hate PHP.
And they're like, well, I have real evidence
backed up by metrics and standards that says you're wrong.
Sure.
And that's the reason that I advocate pulling as much information as you can.
Because as you start to make your own opinions on these sorts of things,
you are capable of actually looking at a book and reading--
one of these books is Mastering Kali Linux For Advanced Penetration Testing.
OK, well that's a lot of words that sound really cool.
And I'm not going to just criticize the book based on word mincing.
But they're not necessarily meaningful.
What do you mean to master something?
At what level are you a master of anything?
And if you're talking about advanced penetration testing, well
what differentiates that from intermediate penetration testing?
How did you define penetration testing?
Is that the standard?
Is that what the community and the world has decided on?
Is that a community within the United States?
Is that a government has decided on that?
There's a lot of decisions that are implicit in just the title.
And I might still read that.
I think that sounds like a great book.
That sounds cool.
I might learn some tricks that I never knew before.
But I would also want to read another book that claims it's better at it.
Because now I have some countering opinions.
I can make my own choices and decisions there.
A lot of programming, a lot of cyber security, a lot of life
is actually just making choices and weighing trade offs and benefits.
And that's generally what I would use as an approach
for learning things about CS.
COLTON OGDEN: Absorb more data.
More information.
NICK WONG: Pull in more and more information, as much as you
can, and try not to overwhelm yourself.
COLTON OGDEN: They said they're gonna call you Nick the spy from now on.
NICK WONG: Sure.
COLTON OGDEN: Intelligence agencies don't need spies
as long as data is already in the cloud.
NICK WONG: Well, their spies have just gotten upgraded.
All our data is already in the cloud.
There is all sorts of interesting things on that statement.
I think the FBI would like you to believe that that is not true.
They follow the law.
They go through courts and at least in the United States,
they are fully above board.
I think the CIA and NSA would like to agree with what you just said.
So there's all sorts of very interesting things.
There's all sorts of interesting political things on that.
As far as calling me Nick the spy, just don't tell the government.
And someone also pointed out there, and it'll
be probably one of the last comments that we read off,
is a cyber security programmer told me they try to avoid ever
even nesting one loop in code.
He says the lack of cyclicity, or something like that,
enables him to test more efficiently.
Thoughts?
So my first intuition on that is to say that that sounds absurd.
But it might have been very reasonable given their context.
I don't know exactly what they were saying,
and I don't know what they were exactly talking about.
But generally, the statement of this thing
should never be done is missing the nuance to make it correct.
And so saying never nest one loop in code, no loops.
COLTON OGDEN: Done.
NICK WONG: OK.
Sure.
I write everything with if statements.
That's not a loop.
And I can't a for loop.
No while loops.
So all of my loops are built through recursion.
OK, sure.
COLTON OGDEN: [INAUDIBLE] go to statements.
NICK WONG: Oh no.
Or go to statements.
So I use go to [INAUDIBLE].
COLTON OGDEN: [INAUDIBLE] assembly in a nutshell.
NICK WONG: Yeah, the assembly version of it.
So we end up just doing that.
And now I've avoided loops.
I've not helped my testing at all, because now all of my unit
tests that rely on using for loops and while loops are useless.
And so now I have to rebuild all those.
I would argue that--
I mean, I'm kind of openly mocking it.
But I would say that it sounds like a non-useful statement.
It sounds like the programmer that told you
that either didn't know what they were talking about,
or it was in a very particular scenario, very particular instance,
and they were right in what they were saying,
but in the general sense, that's not a hugely useful statement.
COLTON OGDEN: Maybe it was for [INAUDIBLE] test cases
or something and [INAUDIBLE] run these test cases fast so no looping.
[INAUDIBLE]
NICK WONG: I've seen--
COLTON OGDEN: Pink Panther.
NICK WONG: Yeah, I was gonna say.
Is Mr. Bean a spy?
COLTON OGDEN: Johnny English.
Those are the tropes.
That's where the joke comes from.
NICK WONG: Right, exactly.
COLTON OGDEN: [INAUDIBLE] That's the whole point of it.
NICK WONG: That's why they're funny.
There's a good comment on exploiting code
is more about sanitation and things like putting too much into an allocated
amount of space to break things.
Sure.
That is a very good example of a classic buffer overflow where I took--
I know that you wanted a certain amount of data somewhere.
And actually, that takes advantage of two things, a buffer overflow does.
But it does have half of what you're talking about, which is
and I just give it way too much stuff.
And so the things at the end, nobody knows what they do.
They might be a pointer somewhere.
They might overload your return address and then return you
to another piece of code that I loaded.
Things like that.
And that also relies on the fact that code is just data.
And data represented at any level could be anything.
It could be an image.
It could be a word.
It could be code.
It could be executable.
It could be your mother's maiden name.
No one really knows what it is.
And so you have to be able to deal with or force data to be a certain kind.
Or you should try to.
And generally, I'm of the minimalist approach.
Make everything as small and minimal as possible.
Only what is needed, like needed, needed, and then build from that.
COLTON OGDEN: Because no loops.
NICK WONG: Yes, no loops.
I don't advocate for that, just as an FYI.
I use loops.
They're useful.
They have a purpose.
COLTON OGDEN: All the time.
For loops, while loops.
NICK WONG: I use all of them.
It's like the weirdest-- the programmer's version of dabbling.
COLTON OGDEN: And they said, why is Nick so smart?
[INAUDIBLE] joke about there's no actual chat.
NICK WONG: We're just in our heads.
I appreciate it.
I think there's just a lot to learn.
Always lots and lots and lots to learn.
COLTON OGDEN: That's clear to me.
I'm excited for the [INAUDIBLE] for the hacking stuff.
That's stuff that I've never dived into.
NICK WONG: Nice, there we go.
COLTON OGDEN: I want to say dove in for some reason, which is not a word,
I don't think.
NICK WONG: No, but it sounds right.
It sounds like the thing you would say in English.
Who knows?
COLTON OGDEN: I've never dived into that.
So it'll be cool.
I think a lot of people would like that too.
NICK WONG: Yeah.
Yeah, I think that'd be awesome.
COLTON OGDEN: Let's go to your screen saver as the--
NICK WONG: Yeah, no, that's a great way to end.
Oh yeah, that closed because I killed it.
COLTON OGDEN: There we go.
NICK WONG: There we go.
COLTON OGDEN: So to bring it back to the color stuff, so which of those colors
can you differentiate?
NICK WONG: So I generally, looking at that, I see red, I see orange,
and I see blue.
I see a lighter version of blue from time to time
and lighter versions of those three colors.
But I don't really see anything in between.
So I would imagine there's also purple and pink, because I know
[? lolcat ?] generates those colors.
I would also imagine that there is some sort of green.
I don't notice it in here though.
COLTON OGDEN: There is a bit of green, yeah.
NICK WONG: OK.
So that would be a color that I don't end up actually seeing.
And I believe there's--
I see white, I think.
There are some colors that get light enough
that I think they become kind of white.
COLTON OGDEN: I think they're just cyan.
NICK WONG: Yeah, they might just be a really light blue.
And so I don't necessarily know which colors I'm missing.
But based on my guesses, those are the ones that would exist that I don't see.
Well, green is a good example.
COLTON OGDEN: Have you had that your whole life or is that a development
in your vision?
NICK WONG: Yeah, that's actually been there ever since I can remember.
Well, I guess I in first grade was notified about that.
And that was actually the first and only test I tried to cheat on.
It was a good lesson in why not to cheat, as just like an FYI.
I tried to cheat on this test.
Basically, the way it worked at our school was we were a very small school.
They handed out a bunch of cards.
They asked you to write down what you see in the cards.
And I was like, got it.
I can do that.
And then I looked in the cards and there's nothing there,
because I'm colorblind, so duh.
And so I looked over at the kid next to me and I was like, all right,
sailboat, seven, square.
Done.
Got it.
And just tried to look through the rest of cards, saw nothing.
And so then they came up to me and I thought they'd caught me.
I thought they'd noticed me cheating.
So I was like, oh man.
In first grade, you're what, eight or so?
My small brain was kind of just like, oh crap, I've gotten caught cheating.
And the teacher was like, yeah, so you're colorblind.
I was like, well, that's kind of a harsh punishment for cheating.
COLTON OGDEN: Yeah, they made you colorblind.
NICK WONG: Yeah.
I was like, Jesus, what the?
And then they were like, well, so none of those answers were remotely correct.
Because there were shapes and numbers and things.
All of mine were letters.
So I didn't write a single letter down.
I wrote a number, I wrote a shape, and another shape.
COLTON OGDEN: Well designed test too.
NICK WONG: Very well designed test.
Very easy test.
Simple and just beautifully well done.
And I was like, dang it.
Couldn't have gotten around that one.
And yeah, I couldn't cheat after that, because I was just
so traumatized by that.
I also then learned I was colorblind, which was cool.
Cool.
It was an interesting development.
I was kind of like, oh, nifty.
Because it doesn't really bother you that much.
COLTON OGDEN: Yeah, I can imagine it's probably not something that
impacts you too much.
Like this can here, do the red and green look similar to you?
NICK WONG: I actually didn't know there was red on there.
COLTON OGDEN: On the words, Canada Dry.
That's red.
What does it look like?
Does it look the same?
NICK WONG: It's green.
Yeah.
It's just the same as this.
COLTON OGDEN: Crazy.
NICK WONG: That's kind of cool.
Is any more red on there?
COLTON OGDEN: For anybody who doesn't know.
NICK WONG: Sorry, I have a soda.
COLTON OGDEN: Oh, the green screen.
NICK WONG: Oh, that's really funny.
COLTON OGDEN: Never mind.
We have a green can with red words on it.
NICK WONG: You guys are never gonna see.
Oh, well actually, I guess the letters are red, right?
So they would still show up on the green screen.
COLTON OGDEN: Yeah, they will.
NICK WONG: Yeah, so what you guys can see
and what I can see now on the screen must be red.
Huh.
That's really funny.
COLTON OGDEN: So actually this background is a yellow.
I don't know if you can tell that is yellow.
NICK WONG: I know it's, well, it looks greenish to me.
But OK, I can believe it.
COLTON OGDEN: That's interesting.
So anything that's red tinged is going to look the same as green for you.
NICK WONG: It tends to.
There are moments where I can distinguish.
Like that book, Colton has a book on his screen right now that is, I think,
red or pink.
And that one looks pretty clearly red and pink.
COLTON OGDEN: It's a very light red, yeah.
NICK WONG: Yeah.
But if they're kind of that same hue, they
seem to blend pretty easily for me.
COLTON OGDEN: So you can differentiate some shades of red.
NICK WONG: Yes.
Yeah, there are definitely some that I can pretty clearly get.
There's a lot that I can actually really get by just logic.
If I think about it for a second before I speak, then I know it's red.
Like I know what you're wearing right now is red,
but that's because I got one last year.
COLTON OGDEN: But this looks [INAUDIBLE]..
NICK WONG: It sometimes out of the corner of my eye looks pretty green.
COLTON OGDEN: Interesting.
That'd be so interesting to sort of see that.
I wonder if they-- do they make glasses that do that?
I think they do, right?
NICK WONG: I think so, yeah.
I think you can actually go online and see
what it would look like for a colorblind person versus a non-colorblind person,
but it's weird to me, because they don't look the same.
They don't look like how I see it, but I'd
imagine for someone who sees all the colors,
they do actually get pretty close.
COLTON OGDEN: That's such an interesting TIL.
That's very interesting to me.
NICK WONG: Yeah.
Cool.
You're actually probably colorblind a little bit too.
COLTON OGDEN: I might be, yeah.
My grandpa had a little bit of red green colorblind but not much.
My dad is not colorblind.
I don't know how to test if I am.
NICK WONG: It's pretty hard to notice.
COLTON OGDEN: Every test I've taken a test for that,
though, I've always been able to clearly see what they're testing for.
NICK WONG: OK, so you might actually not be.
COLTON OGDEN: Might be.
It'd be such a crazy thing to learn after 27 years of existing
and not knowing that.
But who knows?
I would love to find out if that's true.
Let's bring it-- actually we're on the screen.
This is a good place to sort of segue out.
Maybe we'll bring it to the number two shot, just because [INAUDIBLE]..
NICK WONG: Yeah, I think that's a nice shot.
We can get close.
COLTON OGDEN: It was an awesome stream.
So thank you very much for doing this.
NICK WONG: Thank you again for having me.
COLTON OGDEN: It's cool.
It always goes into the sort of hacking direction.
So we got hacked live.
NICK WONG: We seem to be, yeah, we've been hacked live, which is very cool.
I appreciate that.
COLTON OGDEN: YouTube title Nick gets hacked live on Twitch.
NICK WONG: That'd ruin my job here.
COLTON OGDEN: And we get the invisible can of Canada Dry here.
Very important.
NICK WONG: Yeah, I didn't even notice that it was on screen.
It's been on screen for most of-- oh, I guess it was right off screen.
COLTON OGDEN: It was over there.
Yeah.
It was a little bit off.
NICK WONG: Yeah, but if we turn it like this, it's pretty hard to see.
COLTON OGDEN: It's pretty interesting.
NICK WONG: Yeah, we have a lot of fun.
Thank you guys for, again, participating.
I love the livestream.
That's fantastic.
COLTON OGDEN: Yeah, it's so much fun.
The chat too.
Just all the directions we get to go.
So next week you'll be doing C.
NICK WONG: Yes, we'll be talking about low, low C.
COLTON OGDEN: But more of a deep dive into actually using it.
NICK WONG: We'll hop into C.
COLTON OGDEN: Pretty much assembly at that point.
NICK WONG: Yeah, we'll be pretty much one step above.
Just barely.
But we'll actually probably bring up some assembly and talk through it.
COLTON OGDEN: Doing some GDB.
NICK WONG: Yeah, GDB will be a couple of things.
COLTON OGDEN: That would be pretty cool, actually.
NICK WONG: Just some strace as well.
COLTON OGDEN: We'll talk about how that loop and go to are similar.
That's pretty cool, actually.
And I happen to know a little bit of assembly, which
is why we're talking about [INAUDIBLE].
Not as much as you.
NICK WONG: We might even build a buffer overflow example.
That actually, I think, would be cool.
[INAUDIBLE] off the top of our heads.
So we can do it.
COLTON OGDEN: You more than I do.
Yeah, this was awesome.
Thank you everybody who came today.
NICK WONG: Yeah, thank you guys.
COLTON OGDEN: Next week Nick will be here next Tuesday, same time.
NICK WONG: Yep, same time, same place.
COLTON OGDEN: And then after the winter break, we have a bunch of stuff.
NICK WONG: Oh, yeah, we'll have a whole docket of--
COLTON OGDEN: Toss us ideas, toss us ideas on either YouTube
or here or Facebook.
Tomorrow we have Andy [? Chen, ?] who's going to be talking about,
if somebody is new to the stream, has never streamed with us before, he'll
be talking about R. We'll talking about biostats,
and we'll be using a real world data set for us to look at
and to do some stuff with.
I've actually never used R before, so this will be a fun thing for me.
Getting all this information about all this stuff that I don't even know.
NICK WONG: Colton's learning all sorts of things.
COLTON OGDEN: This is all just about me learning new stuff.
Thank you everybody who came today.
Just making trade didn't miss any comments here.
It looks like everybody is talking about Canada Dry.
Do you still hate PHP is what they're asking.
NICK WONG: I do still hate PHP.
That I think will be forever.
I'll probably build something in Laravel over the winter break just to learn it,
but I don't like it.
COLTON OGDEN: Just to embrace [INAUDIBLE]..
NICK WONG: Just to embrace the things that I hate.
COLTON OGDEN: Thank you to mrdrcarbon for the follow.
That's a [INAUDIBLE] by the way.
But yeah, this was CS50 on Twitch.
I'm Colton Ogden.
This was Nick Wong.
This was AWS Web Server.
We talked about using it with WordPress.
Tune in tomorrow for R and biostats.
But until then, have a great rest of your evening.
And Nick, we'll see you next week.
NICK WONG: Yep.
So will Colton.
Well, he'll see you tomorrow.
COLTON OGDEN: [INAUDIBLE] But I'll see you tomorrow.
Have a good rest of your night.
Goodbye.
NICK WONG: Awesome.
See you guys.