[MUSIC PLAYING]
DAVID MALAN: This is CS50. Hello, world. This is the CS50 podcast. My name is David Malan, and this is Episode Zero, our very first, and I'm joined here by CS50's own Colt--
COLTON OGDEN: Yep. [LAUGHTER] Colton Ogden. This is an interesting new direction that we're going.
DAVID MALAN: Yeah, it's one in which we clearly haven't rehearsed.
COLTON OGDEN: Yeah.
DAVID MALAN: So, but what we thought we'd do with the CS50 podcast is really focus on the week's current events as they relate to technology, use this as an opportunity to talk about the implications of various technologies, and really explain things as they come up, but really in a non-visual way. And so, perhaps, I think the topics Colton and I'll hit on here will focus on things you, yourself, might have read in the news that maybe didn't register necessarily, or maybe you didn't really understand how they pertain to technologies that you, yourself, use.
COLTON OGDEN: Yeah, and I think that ties as well to prior, when we did CS50 Live, and this was kind of the same idea.
DAVID MALAN: Yeah, absolutely. Whereas CS50 Live, when we did it on video, was much more visual-- we prepared slides, we actually looked at sample videos and such-- here, we thought we'd really try to focus on ideas. And it'll be up to you to decide if this works well or not well, but we come prepared with a look at some of the past week's news. And why don't we get right into it?
COLTON OGDEN: Yeah, absolutely. One of the things I noticed, actually, is-- I put together this list of topics, but the one thing that I didn't put in here that you actually found and put in here today was something about Facebook passwords.
DAVID MALAN: Yeah, so a website named Krebs on Security-- the author of this was contacted apparently by some employee, presumably a current employee of Facebook, who revealed to him that during some recent audit of their security processes, they discovered that for like seven years, since 2012, one or more processes inside of Facebook had been storing passwords-- users' passwords, like yours and mine potentially-- in the clear, so to speak, clear text, not cipher text, which means unencrypted, in some database or some file somewhere.
COLTON OGDEN: Typically, people will use some sort of hashing algorithm to store things cryptographically and much more securely?
DAVID MALAN: Indeed. Even like ROT13-- rotate every character 13 places-- would have been arguably more secure. And there's not a huge amount of technical detail out there. If you go to krebsonsecurity.com, you can actually dig up the blog post itself. And then Facebook actually did respond, and I think there's a link in Krebs on Security to the Facebook announcement. But to be honest, the Facebook announcement, which is on newsroom.fb.com, is pretty nondescript and really doesn't-- I mean, it's kind of disingenuous. They seem to use this as an opportunity to talk about best practices when it comes to passwords and all of the various other mechanisms that they have in place to help you secure your password. And yet, they really kind of didn't address the topic at hand, which is, well, despite all of those mechanisms, you were storing our passwords in the clear, or at least those of millions of Facebook users, particularly on Facebook Lite, a lighter-weight version of the app that's useful in low-bandwidth locations or where bandwidth is very expensive or slow.
COLTON OGDEN: So this strikes you sort of as an opportunity for them to, what, hand-wave over the issue and sort of distract people? Is that sort of how this rubs you?
DAVID MALAN: Yeah, maybe.
I think they, you know, acknowledged the issue, but then used this as an opportunity to emphasize all of the things that are being done well. And that's fine, but I think the world is done a disservice when companies aren't just candid with their mea culpas and what they got wrong. I think there are learning opportunities, and as I read this, there's really little for me as a technical person or as an aspiring programmer to really learn from, other than the high-order bit, which is, encrypt your passwords. But how did this happen? What are the processes that failed? I mean, if companies like Facebook can't get this right, how can little old me, an aspiring programmer, get these kinds of details right? I wonder.
COLTON OGDEN: So an article more about how they failed and how they could address it, and how other companies could address it-- you think that would've been more productive?
DAVID MALAN: I think so. I mean, postmortems, as they're called in many contexts, including in tech-- I've always really admired companies that, when they do have some significant mistake or human error, own up to it and explain in technical terms exactly what went wrong. They can still have a more layman's explanation of the problem too, where most people might only take an interest in that level of detail. But for the technophiles and for the students and the aspiring technophiles out there, I think it's just appreciated. And these are such teachable moments and all that-- but I would respect the person, the company, all the more if they really just explained what it is they failed at so that we can all learn from it and not repeat those mistakes.
COLTON OGDEN: If a large company like Facebook is doing something like this, how prevalent do you think this practice is in the real world?
DAVID MALAN: Yeah. Oh my God. I mean, probably frighteningly common, and it's just, if you have fewer users or fewer eyes on the company, you probably just notice these things less frequently.
But I do think things are changing. I mean, with laws like GDPR in the EU, the European Union, I think there's increased pressure on companies now, increased legal pressure, on them to disclose when these kinds of things happen, to impose penalties when it does, and to therefore discourage this from even happening. And you know, I'm wondering why this audit detected this in 2019, and not in 2012 or 2013 or 2014 and so forth.
COLTON OGDEN: GDPR, did that happen back in 2012? Oh no, that was--
DAVID MALAN: No, this was recent.
COLTON OGDEN: That one came into force-- OK.
DAVID MALAN: In recent months, actually, has this been rolled out.
COLTON OGDEN: Was this-- is this related at all to the proliferation, now, of cookie messages that you see on websites?
DAVID MALAN: That's US-specific, where I believe it's now being enforced, because that actually has been around for quite some time in Europe. Anytime you took your laptop abroad, for instance, you would notice that almost every darn site asks you, hey, can we store cookies. And honestly, that's a very annoying and almost silly manifestation of it, because the reality is, as you know, I mean, the web doesn't work without cookies, or at least dynamic applications don't work. And anyone who's taken CS50 or who's done a bit of web programming, really, in any language, knows that the only way to maintain state in most HTTP-based applications is with cookies. So, I mean, we've created a culture where people just dismiss yet another message, and I don't think that's a net positive either.
COLTON OGDEN: I think I see a lot, too, of the messages that say, by continuing to use this site, you acknowledge that we have access to whatever information, using cookies, and so on. So I almost think that they do it already and sort of legally can get away with it by having this message visible.
DAVID MALAN: Yeah, I mean, it's like cigarette ads, which, abroad as well-- before the US, there was much more of, I presume, law around having to have very scary warnings on packages. And companies somewhat cleverly, but somewhat tragically, kind of steered into that and really owned that and put the scariest of messages. And you almost become desensitized to it because it's just so silly and it's so over the top, you know, smoking kills. And then, here's the price tag and here's the brand name. Like, you start to look past those kinds of details too, so I'm not sure even that is all that effective. But someone who's looked at this and studied it can perhaps attest quantitatively just how effective it's been.
COLTON OGDEN: Yeah, indeed. Well, scary to know that our passwords may have been reflected visibly on somebody's server, a big website like Facebook. Related to that, another of the topics that I sort of dug into a little bit yesterday-- or not yesterday, a few days ago-- was Gmail Confidential Mode, a new feature that they're starting to roll out.
DAVID MALAN: Yeah.