
  • DAVID MALAN: This is CS50.

  • Hello, world.

  • This is the CS50 podcast, episode 5, 0-indexed.

  • My name is David Malan, and I'm here with CS50's own Colton Ogden.

  • COLTON OGDEN: Glad to be here--

  • interesting thing to start us off-- so, we've talked about robocalls a lot

  • in the recent past, multiple episodes.

  • And I think we touched briefly upon the prospect

  • of finding a solution to this problem.

  • You know, people are getting robocalls all the time,

  • even though, in the last couple of weeks,

  • I have noticed the numbers sort of dropping, at least for me, personally.

  • I still get the occasional call from a presumed spoofed caller.

  • DAVID MALAN: Yeah, sorry about that.

  • COLTON OGDEN: But, apparently, the FCC--

  • Ajit Pai has proposed a ruling that would actually

  • allow phone companies to block these unwanted calls, these spoofed calls,

  • before they even get to potential customers.

  • DAVID MALAN: Yeah, no, this is a nice initiative.

  • It's perhaps a little belated at this point, certainly.

  • Because, as we've discussed, these robocalls, these automated calls,

  • have really been proliferating, in large part

  • because of the software via which you can do this,

  • and the API access via which you can do this.

  • But I think the fundamental problem, frankly,

  • is that the phone system that we have today

  • really is not all that fundamentally different from what we've

  • had for decades now, which is to say that there's

  • no authentication of these calls in the first place.

  • The systems generally just trust that the number being presented in caller ID

  • is, in fact, the number from which a call came.

  • And that's, of course, not always the case.

  • COLTON OGDEN: Right, and the--

  • I guess the proposed sort of authentication system that they're

  • going to roll out is called SHAKEN/STIR, which is very akin to what James Bond

  • says when he orders a martini.

  • But the acronym is a--

  • basically, the SHAKEN part of it is Signature-based

  • Handling of Asserted information using toKENs.

  • And then the STIR part would be Secure Telephone Identity Revisited.

  • DAVID MALAN: Indeed, it's a wonderful acronym

  • if you allow yourself to use arbitrary letters from some of the words.

  • COLTON OGDEN: Yeah, and it's a bit of a mouthful.

  • But this is cool, because this suggests that we'll actually

  • get what you just alluded to, a way of actually signing calls and making sure

  • that people who present themselves as xyz are in fact xyz and not,

  • you know, sort of proxying themselves or presenting themselves

  • as some other entity.

  • DAVID MALAN: Yeah, I mean, much like the web-- thankfully

  • we got that right, presumably because of lessons learned from things

  • like telephony over the years.

  • Of course, the phone system has been around for so long now

  • that it's certainly hard, I imagine, to shoehorn

  • in some of these more technological features

  • without breaking some of the intermediate points

  • or some of the last miles, some of the folks

  • who are on the other end of the line that might not necessarily have access,

  • in their municipality, to the latest hardware.

  • So, I'll be curious to see how this evolves.

  • I mean, to be honest, this might all become moot over time

  • if phones themselves, or phone numbers, are perhaps

  • replaced by more data-based services.

  • I mean, right now, we're very much in the phase

  • of commercial services like WhatsApp, and iMessage, and so forth.

  • I mean, but those have started to supplant already things like SMS,

  • so, frankly, maybe the solution is ultimately

  • just going to be too late in coming if the world moves to something else,

  • anyway.

  • COLTON OGDEN: Yeah, I imagine, when folks were developing the phone system

  • we have in place, they weren't expecting the ability for somebody

  • to arbitrarily code and script, en masse, the sort of behavior

  • that we're experiencing now.

  • DAVID MALAN: Yeah-- hey, back in the day, it used to be based--

  • at least pay phones-- on actual sounds, right?

  • There are so many documented cases, and I

  • think Steve Jobs and Steve Wozniak were among the folks involved

  • in this back in the day, where you could have a little box that would generate

  • the appropriate sounds that mimicked what the sound was if you

  • put a quarter or a dime into a phone.

  • So, you could effectively make free long distance phone calls

  • by spoofing those sounds.

  • So there, too-- there was a sort of an assumption of trust

  • that was quickly broken.

  • COLTON OGDEN: I think the theme is always that, if there is a system,

  • humans will find a way to abuse and break it.

  • DAVID MALAN: Indeed, but there are some really real-world implications of this.

  • In fact, just the other day did I see an article

  • online about what have been called virtual kidnappings which, frankly,

  • is literally ripped out of a "Law and Order" episode

  • that I'm pretty sure I've seen, which is ironic,

  • because usually it's "Law and Order" ripping

  • things out of the actual headlines.

  • But this, I think, predates this, whereby

  • folks have started to get, terrifyingly, what

  • appear to be actual phone calls from their child's phone

  • number, or relative's phone number, or a co-worker's phone number,

  • and on the other end of the line is some adversary, some human who

  • is pretending to have actually kidnapped the person whose phone they're

  • purporting to be calling from when, in reality, they're just spoofing

  • that number and tricking someone into thinking that they've actually

  • physically hijacked their phone number and kidnapped that person.

  • COLTON OGDEN: Yeah, presumably, I mean, with this new ruling, hopefully,

  • you know, this sort of horrendous situation

  • doesn't end up becoming common at all, or at least it

  • gets completely remediated.

  • DAVID MALAN: Yeah.

  • COLTON OGDEN: Because this is one of the more terrifying examples of how

  • to abuse spoofing.

  • DAVID MALAN: No, absolutely.

  • And it's horrifying that it's gotten to this point

  • but, you know, what you might think is kind of a cool hack,

  • the ability to spoof your phone number, really

  • does have some non-trivial implications.

  • And especially, for most folks out there, you know-- myself,

  • before I even thought about this the other day after reading the article--

  • you might not even realize that this is possible

  • and what the implications, therefore, are of these sort of bugs at best or--

  • bugs at worst, or missing features at best.

  • COLTON OGDEN: Yeah, I mean I think if this even happened to me,

  • I think my initial inclination would be to believe it.

  • I mean, certainly it would be terrifying,

  • and you wouldn't want to take any risks and assume

  • that whoever's on the other end of the line

  • is actually bluffing you or telling the truth.

  • Now, speaking of ransoms, unfortunately, I

  • think these have cropped up in other contexts in the news of late

  • and for the past couple of years, in fact.

  • DAVID MALAN: Yeah, no.

  • I mean, there have been multiple cases, WannaCry being very prominent in 2017,

  • of these sort of worms that infect people's systems

  • and, you know, potentially encrypt the hard drive, or do other things,

  • and request that, in order to have this fixed,

  • the end user end up paying some amount of money,

  • either bitcoin or actual money, to decrypt their hard drive

  • or do whatever needs to be done to unlock their system.

  • COLTON OGDEN: Yeah, no, and that's the problem with worms, and viruses,

  • and just malware, malicious software in general,

  • is that, if it has the same privileges that you, the user, who accidentally

  • installed it, somehow do--

  • or worse, it has administrative or root access

  • to the computer-- it can do anything with your system and the data.

  • You know, it almost makes exploits like sending spam automatically,

  • unbeknownst to you, from your computer seem completely delightful

  • in comparison because, now, these most recent forms of ransomware

  • are indeed doing exactly that.

  • They're actually running algorithms to encrypt the files

  • on your own hard drive and then not telling you,

  • the owner of those files, what the key is, the sort of secret

  • with which they were encrypted.

  • And, so, in this way can the bad guys literally say,

  • hey, pay us some number of dollars or, in practice, some number of bitcoins

  • in order to get access to the key via which you can unlock your data.

  • Who knows if you're even going to get the key.

  • I mean, frankly, an even more compelling ransomware

  • would be to just encrypt the data and throw the key away.

  • Then you don't even have to communicate further with the person

  • once you get that fund.

  • DAVID MALAN: Yeah, and, in light of this sort of horrible new trend

  • of ransomware that we've observed over the last few years,

  • there are companies that do try and take advantage of this and will say,

  • you know, we will help you decrypt your system.

  • We will use high tech, quote unquote, solutions to reverse this ransomware.

  • But it turns out that some companies, instead

  • of actually having the algorithms and the technology to do this,

  • are paying the actual people responsible for the ransomware

  • directly and then charging you a premium.

  • COLTON OGDEN: Yeah, no, this is really kind of a tricky thing,

  • and I'm reminded of most any Hollywood movie, where someone is taken hostage.