After this video I can't help but imagine each of the computerfile guys are kept seated in a different corner of that room and the camera just swivels around when he needs to make a new video
It worked out well for Lenovo at the end. They got a bit of extra data and are still selling computers today, most likely with an even better way at ad targeting thier customers.
This seems so easy when Tom Scott explains it. Everything seems easy when Tom Scott explains it. Tom Scott, would you mind becomming a teacher at my school?
Dan Kelly In Germany you can basically start all over again when going from grammar school to university. Nearly everything you learn before university and after elementary school is for the final exams at grammar school or middle school. You need to pass your final exams at grammar school (it's called Abitur or Matura) for going to university. It's hard to compare the North American school systems with the European ones.
Depending on when you got your laptop you may be safe. They stopped doing it after they were caught, and I imagine that if they ever do it again they'd go out of business.
@@nmotschidontwannagivemyrea8932 Didn't they publicly come out and apologize and promise to never do it again? Definitely would go out of business if they tried something.
+OmegaPaladin Companies or schools often do this so they can monitor what you do on the Internet and block you from accessing things. Yes it is a man in the middle attack
The private key is not shared with the certificate authority either. Simply because they don't need it. Regarding the possibility that NSA have keys to do MITM attacks: it's basically the same problem Turing faced when he broke Enigma. If they can do that, they can use it only as a very last resort and only when the message is extremely important because as soon as someone will find out which authority they use (and when you use it, it's only a matter of time), everyone will dump the authority and they would need to start from scratch again.
+Jan Sten Adámek While that's true I think there is definitely scope for the NSA (and co.) to make limited use of MITM attacks without being found out - the example given was detected because they used a different CA and it was country wide, if you pick your targets and only MITM sites whose keys would normally be signed by the CA you've compromised (and if you compromise one of the big ones that gives you a lot of site you can attack) it would be a lot more difficult to detect (you'd have to notice the change in the certificate fingerprint and how many people keep track of that?) and potentially worth the risk for high value targets even without it being a "last resort".
gnutrino The thing is, it needs only one guy having an extension in his browser checking certificate fingerprints to reveal this. And then you are without this tool even when it would be really the very last resort.
+Jan Sten Adámek There's a reasonable amount of evidence that the NSA can decrypt most "secure" connections by breaking the Diffie-Hellman exchange, without needing a fake key, and without running a MITM attack. Which is great for the NSA, they don't want their methods exposed.
Jeremy Lakeman That's a possibility. On the other hand, if NSA can, others can as well, and because even the US military uses DH exchange, it's not really probable they can break it.
I just looked up some other famous hacks of the year and I found out that just about _a month_ after this video was uploaded, it was revealed that Dell _basically did the same damn thing_! It was the _exact_ same principle and even after the Superfish debacle, Dell _still_ didn't react and kept quiet until the vulnerability was made public.
Unfortunately, this is one of the misplaced trust aspects of networking which is carried forward into IPv6. Router advertisements carry no validation; anything attached to the network can claim to be a router and set a prefix for the network. It's the same sad story for NDP. Yes, there is SEND, but it's an addon afterthought which is by no means mandatory to implement. wow...not just echo, but ringing echo as well. There has to be a happy medium between this and dragging everyone into a studio.
+rchandraonline The thing is, how COULD a random user connecting to a network tell which box is supposed to be the router? Short of some expensive situation where organisations are given certificates once it's proved they own a /64 (which, I suspect, is probably harder to automate than proving you own a domain), I'm not sure how the validation could be done. And, besides, that's not an issue with v6 then, since that setup will still work on v6. IMHO the much better solution is to just encrypt all traffic over a network so this sort of attack, while possible, is pointless beyond being a DoS.
+Simon WoodburyForget ...what? How is a random client connecting to a network and using DHCP supposed to know who is supposed to be the router? It's completely non-obvious *from a computer's perspective*. If you see a computer advertising a network prefix and gateway then you'd assume it's a router. But it might not be. It's the same type of identity validation problem as in most other security problems (like the one mentioned in the video).
+Monsieur Africain But IMHO the solution is to use SSL everywhere. Then the network inherently *doesn't need* to be secure. The main issue is who to trust. I know that there have been a lot of advancements in the SSL trust situation recently, with (for example) browsers being less likely than in the past to trust an out-of-the-blue change of CA.
Yeah because that's usually a sign that a malware is attempting to sniff your traffic, because an average Joe never hosts a server, let alone on his machine.
Just a heads up, the NSA is cracking encryption based on 1024 bit primes, at a rate of roughly 1 per year including RSA and subsequent iterations. sooo we should have switched to 2048 bit by now, but at this point 4096 should be being prepped.
+therealquade That is what they tell you. They might have cracked 4096 by now. But this is made out to be a much bigger problem than it actually is. There are far greater issues facing the first world today, including our whacked out economies where were either spending not enough, or way too much, and out unsustainable growth in population. What we really need is to drop our reliance on planet Earth, and leave the solar system.
Gellis12 no such thing as overkill? all encrypted data converted to print media and purged from drives, stored under lock and key, scanned on demand to decrypt when needed. maintained by robots with no wireless connection. with guns. and a self destruct in case of un-authorized access. Pretty sure that'd be overkill. Honestly though, server rooms with plug and play drives sitting on shelves and robots that load the drives on demand, to prevent un-authorized access to the data. that's pretty tight security, and with the exception of maybe CERN, or nuclear launch codes. maybe global banking, that's pretty much overkill.
Bungis Albondigas the thing about earth, every planet has a sell-by-date, it's going to be millions of years before the earth gets torched by the sun I believe, unless we get a freak solar flare. but that's true of literally 100% of planets. Order of operations. fix the earth, then go to mars, then go to other star systems, once we're living on multiple planets and multiple star systems, I'm pretty sure by that time, the sun won't have killed the earth yet. As for the NSA and CIA and their trustworthyness Check out the school of the americas MK Ultra MK NAOMI CIA Involvement in the drug cartels GLADIO There's also a fair amount of speculation that his intent to Defund the CIA is why JFK was assassinated. Just some food for thought. read some stuff, and come to your conclusions about them as you will.
+Andreas Björkman only a couple hundred hours on a couple hundred CPUs? A typical data center have computing capability way bigger than that. And nowadays you can easily build a CPU cluster with a hundred CPUs fairly cheaply by renting computing clusters on public cloud providers like Amazon EC2 or Google Compute Engine.
Bloatware like superfish is the reason that whenever I get a new laptop the first thing I do is format the disk and install windows directly from Microsoft. Most stuff business pre-load on your computer is totally useless, but at least once it has been legitimately dangerous.
I love seeing +Tom Scott on this channel but every time I do he reminds how much of my internet life is built on ignoring the security holes everywhere in it.
We had fun in Rwanda a couple of years back. The tax department forced everyone who runs a business to install electronic billing machine (EBM) software onto their computer in order to issue electronic receipts for every sale, no matter what size business you had. Many foreigners sensibly bought second laptops to install it, because they didnt' trust installing government software onto their personal computers. I kind of assumed that I was probably already monitored, and didn't have the money for a new laptop just for taxes, so I installed it on my personal laptop which was already pretty old. In fact, it was so old that it promptly crashed about a month later. It was illegal to remove the software from your computer without government permission, but it was late on a Friday night. My options were to go without a computer all weekend until the offices opened on Monday and I could tell them what happened, or go ahead and reinstall Windows. I opted for the latter and sent an e-mail explainig what I was doing and why. I was promptly issued with a $200 fine! I kicked up a storm on Twitter, shouting about how unethical it was to be forced to install government software in the first place, and they backed down, but wow was I angry about it. They've since relented and now offer people the ability to create EBMs online, but it did very little for the country's image or trust among business owners. I don't think there's any method on earth that can protect you when the government says you have to install their software by law. 😏
4:25 No, Mr. Scott, the reason it's called a PRIVATE key is that it's private; you don't send it anywhere but your own server. The CA only needs your public key to apply its signature.
+rchandraonline Yes, thats what Certificate Signing Requests (CSRs) are for. To not have to send your private key out EVER. You generate one on your machine and it stays there forever.
I can't get over Superfish not even having the foresight to generate a new private/public keypair for each installation. They just hardcoded the same private key in every single installation. I can't believe nobody working on Superfish at the time saw this coming.
Got my Master's in CS 5 years ago, but I wish that back then I had some lectures that were explained this well, as for most of your video's Tom. You are such a clear speaker, (as goes for the speakers in most computerphile video's). I mean, even though I know about most topics; refreshing my knowledge via these video's doesn't hurt a bit, it feels great! Keep'em coming.
Also the way superfish was written you never got the red warning, even if a website had a wrong certificate. The superfish in the middle always inserted its "valid" certificate.
It'd be great if you'd make a video on the rootkit they installed on all of their laptops too: Lenovo Service Engine (LSE). Apparently, even if you wiped the harddrive and installed Windows from a disk they didn't provide, it'd still install their crapware, because it's hidden in the BIOS. I've heard it was even updating itself over an unsecured connection, so anyone could man-in-the-middle it to install their own rootkit without users knowing.
I would think that both of the two vulnerabilities (the CA and device) could potentially be resolved by a sort of an 'odd man out' protocol that would periodically ask all of your CAs for a list of the CAs that they trust, and if only very few or none of them trust a CA you have, that CA is removed.
You know whats also rather strange ? Google not noticing a massive amount of multi-user traffic coming from a single attacker ip ... usually there is fair usage policy where this kind of activity (an entire DNS provider had to fall as well I presume) from a single/small amount of ip address should definitely raise a flag
Tom Scott, how is it that I've been watching you on UA-cam for over a decade and you didn't look a day over 20 when I first saw you. You still look the same 10 years later. It's uncanny mate, the way you hold your age. How ' you do it?
One thing to keep in mind, the 'Trusted' Certifying authorities are subject to the will of the domain in which they reside. What happens if an official of the regime comes to them and put a bag of cash and a gun on the table and tells them to choose? The man in the middle gets an official stamp of approval.
It's cool looking back at this video and seeing him comment on a free certificate authority being in the works and today... We have that with Let's Encrypt!
This is a good case for Microsoft demanding that OEM manufacturers providing untouched installation media for Windows and clean installations without any 3rd party software for new OEM machines. Having worked for Microsoft Support I can tell you that most problems people have with Windows, especially when new versions are launched (Vista is a good example), are caused by OEMs that don't know what they are doing. Pre-installing lots of craplets, incompatible drivers, bungling up the installation of language packs or straight up changing/removing parts of Windows. I'm not sure if that is still the case but the only major OEM manufacturer that provided clean Windows installation media was Dell. All the others only had "recovery discs" which contained all the crap pre-installed software.
Ant OfThy Oh yeah they totally ship their computers full of pre-installed craplets and they have recovery media that includes all that pre-installed garbage just like all the other OEMs. But they also provide an untouched Windows installation media that is identical to what you would get if you go to a store and buy a copy of Windows so that you have the option to re-install a clean installation of Windows.
Please make a video about self driving cars. There are a lot of conflicting opinions about whether or not we should allow computers to operate a motorized vehicle on public roads, and there has been some news of cars being hacked. As a student of Computer Science, it seems to me that if done correctly it should be safe, all the same I'd like to know the opinions of others as well.
+Matthew Harris Nobody developing self-driving cars is concerned about the possibility of people trying to hack into them and so nobody is even looking into tampering prevention methods but we're still going to put them on the roads anyways (cough :P)
+Vulcapyro for some reason, I get the feeling google wouldn't just not think to make their self driving cars secure. they are one of the biggest tech companies and their entire reputation hinges on their cars not getting hacked.
I dropped my Lenovo by accident a couple years ago, which broke the hard drive and rendered that version of Windows unrecoverable. It's so strange, but I guess that was a really good thing; I switched out the hard drive and just installed linux, since I didn't know about the OEM key under the battery and didn't feel like torrenting, and haven't gone back since.
And this is why you NEVER EVER EVER EVER EVER EVER, use the factory image for ANYTHING! And Certificate authorities need to be above governments not tied down to one country , a bit like that building in France where the keep the kilo.
+Andrew Joy The problem is that most computer manufacturers no longer include the Windows install disk with the computer. You either have to pay for a new disk from Microsoft or you use the factory image. Even those manufacturers that do include the install disk are including a altered copy that will install Windows AND their software. Basically, you build the computer yourself or live with the bloatware the manufacturer installs. :/
+Mark Speir That's why illegal copies of Windows is good. 1. microsoft survives without me buying their crap, I get to use an OS that works, and as it's almost impossible to get your hands on an install disk...
icedragon769 I'm talking about legally obtained copies of Windows. Prior to Windows 10 you had to buy it on CD/DVD. Truthfully, you'll need more than a downloaded OS update to wipe the crap off of a hard drive. The manufacturers partion the drives and install their crap on the smaller partion. In some cases, this partion is unreachable. You have to use special software to get rid of this crap and reclaim the drive.
ARP spoofing still works just fine on a sadly large number of devices. Quite useful when you need to sniff the network traffic from a closed device and you have a crappy consumer router.
i would have never thought of doing this, but i actually have to defend the fax machine: i work in a small company where we mill and turn metal parts, and we work with a lot of small companies that install handrails ond so on. for us its a lot easier to just get the technical drawing per fax, than having them send it per email, downloading it and then printing it, especially since we are ol three people, so we only occasionally can check our mails, and then only have a little ut of time. but i9f we get the drawing per fax, we once in a while take a look into the office, see the new fax and take it to our workstaton to programm the maschine
"Yeah, this is the bit of software that was installed on rpetty much every consumer Lenovo laptop." Yeah, so I was gripped by fear for a minute, there, because I had definitely been using a ThinkPad for over a year when this video came out. Luckily, I looked up Superfish, and apparently Lenovo began to bundle Superfish adware with their computers in September of 2014, which was a few months after I got mine. Thinking back, I'm pretty sure that I still ended up dealing with Superfish at some point, but it wasn't because Lenovo put it there, it was because I was eighteen and consequently a huge dumbass.
I remember this mess. Didn't Lenovo get sued over this? And all this just so they could show you more ads. I mean, I'm not exactly a fan of AdBlock, but jeez, this stuff is not helping the conversation.
It's actually worse than that. SSL is near to useless on any site that carries third party advertising. The advertiser doesn't need Superfish, they can run Javascript in your browser that logs your keystrokes or scans for password fields. The advertising is served via a different certificate than the one covering the site you visit, yet there is no mention of this in the browser's SSL info. It is as if the connection from your browser to the advertiser doesn't exist. Yet, using a wiretrace you can see that it does. . Not a lot of end users know that.
Correction: Your private key is *not* shared with CAs. This would be a terrible security issue if that were the case. The private key should never be shared with anyone.
After this video I can't help but imagine each of the computerfile guys are kept seated in a different corner of that room and the camera just swivels around when he needs to make a new video
Sky C. That 70's Show style~
Confirmed
NOOOO YOOOOOO
WHENE I READ THIS HE TURNED THE CAM TO MY OTHER PC GUYY
“Computerfile”
@@sinpi314 like a .wmv or a .wav
There was so much potential at 4:46 to fix the drawing by attaching a circle to the end of the factory and making it look like a giant key.
Indeed
You know something's bad when you hear Tom Scott say "never ever"
"Which it should NEVER EVER EVER EVER EVER have been.."
2:21 - "And they can only be unlocked by that server, because maths."
10/10 best explanation of public and private key crypto. XD
NoriMori Q
Q
Q?
Q????
Q.
even if superfish had been secure its still a super sketchy thing that lenovo was shipping their computers with adware
It's fishy someone named their program superfish and no one in lenovo found it fishy
It worked out well for Lenovo at the end. They got a bit of extra data and are still selling computers today, most likely with an even better way at ad targeting thier customers.
This seems so easy when Tom Scott explains it. Everything seems easy when Tom Scott explains it.
Tom Scott, would you mind becomming a teacher at my school?
+derLPMaxe Keep in mind he's skipping the details. In school you have to learn the details ;)
Dan Kelly Actually not. On for example universities you go into detail - at least this is what our teachers tell us.
+derLPMaxe I could be wrong. I have seen that today's high school students possess a diploma but little else that is going to help them in university.
Dan Kelly In Germany you can basically start all over again when going from grammar school to university. Nearly everything you learn before university and after elementary school is for the final exams at grammar school or middle school. You need to pass your final exams at grammar school (it's called Abitur or Matura) for going to university.
It's hard to compare the North American school systems with the European ones.
+derLPMaxe True, in North America the so-called high school grads can barely add 2+2 let alone do much else.
So good to see Tom Scott on Computerphile again.
+nrviognjiocfmbkirdom I have yet to see a video with Tom in it anywhere that made me disappointed.
@@RealCadde I saw one where people were disappointed.
@@MRJMXHD wut?
@@therisenphoenix6113 a video Tom made that had a huge dislike ratio and people were not very nice in the comments.
@@MRJMXHD just gimme the link
*sees intro*
*NOTICES I'M ON A LENOVO LAPTOP*
hope you uninstalled superfish
I don't have it luckily, I think it was a business laptop I got it second hand and upgraded to Windows 10.
I was terrified when he said lenovo
Depending on when you got your laptop you may be safe. They stopped doing it after they were caught, and I imagine that if they ever do it again they'd go out of business.
@@nmotschidontwannagivemyrea8932 Didn't they publicly come out and apologize and promise to never do it again? Definitely would go out of business if they tried something.
That golden moment of pure sadness and dissappointment of Tom at 6:35
+Azivegu And they do try and make people understand that that thing is bad. But people have trained themselves to ignore it.
+Azivegu My company told me to disregard that screen on their Wi-Fi. Cheap bastards probably wouldn't pay the certifying authority...
+OmegaPaladin No, it means that they are performing a man-in-the-middle attack on all your traffic going over their wifi.
+OmegaPaladin Companies or schools often do this so they can monitor what you do on the Internet and block you from accessing things. Yes it is a man in the middle attack
Azivegu I
The private key is not shared with the certificate authority either. Simply because they don't need it.
Regarding the possibility that NSA have keys to do MITM attacks: it's basically the same problem Turing faced when he broke Enigma. If they can do that, they can use it only as a very last resort and only when the message is extremely important because as soon as someone will find out which authority they use (and when you use it, it's only a matter of time), everyone will dump the authority and they would need to start from scratch again.
+Jan Sten Adámek While that's true I think there is definitely scope for the NSA (and co.) to make limited use of MITM attacks without being found out - the example given was detected because they used a different CA and it was country wide, if you pick your targets and only MITM sites whose keys would normally be signed by the CA you've compromised (and if you compromise one of the big ones that gives you a lot of site you can attack) it would be a lot more difficult to detect (you'd have to notice the change in the certificate fingerprint and how many people keep track of that?) and potentially worth the risk for high value targets even without it being a "last resort".
gnutrino The thing is, it needs only one guy having an extension in his browser checking certificate fingerprints to reveal this. And then you are without this tool even when it would be really the very last resort.
+Jan Sten Adámek There's a reasonable amount of evidence that the NSA can decrypt most "secure" connections by breaking the Diffie-Hellman exchange, without needing a fake key, and without running a MITM attack. Which is great for the NSA, they don't want their methods exposed.
Jeremy Lakeman That's a possibility. On the other hand, if NSA can, others can as well, and because even the US military uses DH exchange, it's not really probable they can break it.
+Jan Sten Adámek You don't always need to MITM, you could steal a cert from some company and make a Windows driver.
2:46 he meant "Here's my Public Key". I'd advise that you add an annotation just so no one gets confused.
No more annotations anymore
Pieces'O'Cake Malek begone annotations
@瑞安卡特里尔 ur dad
the computerphile thumbnails look like those old goosebump book covers that were around ages ago
8:58 - Anyone else go up and click the green padlock in the URL at this point in the video?
+veggiet2009 I did actually. I think it's okay...
+veggiet2009 i never saw google there so id be suspicous if i saw a google
+veggiet2009 yes, and now i know that Google released Google's certificate
+veggiet2009 should it be by google inc or not? that's what mine says...
+TheCicciello If you go to details:
CN = Google Internet Authority G2
O = Google Inc
C = US
Computerphile videos involving Mr. Scott are by far my favorite. Theyre all great, but I really enjoy how he talks about things.
I just looked up some other famous hacks of the year and I found out that just about _a month_ after this video was uploaded, it was revealed that Dell _basically did the same damn thing_! It was the _exact_ same principle and even after the Superfish debacle, Dell _still_ didn't react and kept quiet until the vulnerability was made public.
Internet Factory would make a great album name.
...I actually have an EP called "Internet Theatre" that was released within the last year. I wonder if this was the inspiration?
Is there a link to this EP?
false.
"Extremely illegal, so DON'T do that!"
You'd think that the people doing that honestly don't care about that.
He is of the hook if the police comes
false.
Unfortunately, this is one of the misplaced trust aspects of networking which is carried forward into IPv6. Router advertisements carry no validation; anything attached to the network can claim to be a router and set a prefix for the network. It's the same sad story for NDP. Yes, there is SEND, but it's an addon afterthought which is by no means mandatory to implement.
wow...not just echo, but ringing echo as well. There has to be a happy medium between this and dragging everyone into a studio.
+rchandraonline Yes, sadly when I visit Tom in London I have to hire a room - acoustically we get what we get... >Sean
+rchandraonline The thing is, how COULD a random user connecting to a network tell which box is supposed to be the router? Short of some expensive situation where organisations are given certificates once it's proved they own a /64 (which, I suspect, is probably harder to automate than proving you own a domain), I'm not sure how the validation could be done. And, besides, that's not an issue with v6 then, since that setup will still work on v6.
IMHO the much better solution is to just encrypt all traffic over a network so this sort of attack, while possible, is pointless beyond being a DoS.
+Simon WoodburyForget ...what? How is a random client connecting to a network and using DHCP supposed to know who is supposed to be the router? It's completely non-obvious *from a computer's perspective*. If you see a computer advertising a network prefix and gateway then you'd assume it's a router. But it might not be. It's the same type of identity validation problem as in most other security problems (like the one mentioned in the video).
+Redmond Quigley MAC Filtering doesn't work, Mac addresses can be spoofed unfortunately. We really need to do something about this lack of security.
+Monsieur Africain But IMHO the solution is to use SSL everywhere. Then the network inherently *doesn't need* to be secure.
The main issue is who to trust. I know that there have been a lot of advancements in the SSL trust situation recently, with (for example) browsers being less likely than in the past to trust an out-of-the-blue change of CA.
I love that the advert that was shown before this video started, at least for me, was for Lenovo.
4:26: I'm quite sure you mean to say public key. Do not ever send your private key to your CA people :-).
In the subtitles he has corrected it
Ahh, so that's why the red _"Insecure connection"_ screen pops up when I'm running a local server and I goto a domain which points to localhost.
So your computer doesn’t trust itself?
... kinda reminds me of myself.
*Trust no one not even yourself*
@@Operational117 😂😂
Yeah because that's usually a sign that a malware is attempting to sniff your traffic, because an average Joe never hosts a server, let alone on his machine.
Just a heads up, the NSA is cracking encryption based on 1024 bit primes, at a rate of roughly 1 per year including RSA and subsequent iterations. sooo we should have switched to 2048 bit by now, but at this point 4096 should be being prepped.
+therealquade That is what they tell you. They might have cracked 4096 by now. But this is made out to be a much bigger problem than it actually is. There are far greater issues facing the first world today, including our whacked out economies where were either spending not enough, or way too much, and out unsustainable growth in population. What we really need is to drop our reliance on planet Earth, and leave the solar system.
Gellis12 no such thing as overkill? all encrypted data converted to print media and purged from drives, stored under lock and key, scanned on demand to decrypt when needed. maintained by robots with no wireless connection. with guns. and a self destruct in case of un-authorized access. Pretty sure that'd be overkill.
Honestly though, server rooms with plug and play drives sitting on shelves and robots that load the drives on demand, to prevent un-authorized access to the data. that's pretty tight security, and with the exception of maybe CERN, or nuclear launch codes. maybe global banking, that's pretty much overkill.
Bungis Albondigas the thing about earth, every planet has a sell-by-date, it's going to be millions of years before the earth gets torched by the sun I believe, unless we get a freak solar flare. but that's true of literally 100% of planets. Order of operations. fix the earth, then go to mars, then go to other star systems, once we're living on multiple planets and multiple star systems, I'm pretty sure by that time, the sun won't have killed the earth yet.
As for the NSA and CIA and their trustworthyness Check out
the school of the americas
MK Ultra
MK NAOMI
CIA Involvement in the drug cartels
GLADIO
There's also a fair amount of speculation that his intent to Defund the CIA is why JFK was assassinated.
Just some food for thought. read some stuff, and come to your conclusions about them as you will.
+Andreas Björkman only a couple hundred hours on a couple hundred CPUs?
A typical data center have computing capability way bigger than that. And nowadays you can easily build a CPU cluster with a hundred CPUs fairly cheaply by renting computing clusters on public cloud providers like Amazon EC2 or Google Compute Engine.
Tom Scott's videos on Computerphile are my favorite videos!
"lenovo promised not to do it again" *the fact that they did it in the first place is mind-boggling*
they did it many times after that
false.
Great work, you guys go into more depth than the average tutorials and the information is strong.
1:58 - Why is Robert Miles just randomly sitting in the room with them? XD Just to have a listen?
I was there to record another AI video after Tom recorded his, but we ended up not using that footage.
Robert Miles Oooh. So you were just sitting in since you'd need to be in that room soon, anyway? :)
@@RobertMilesAI so it's confirmed that computerphile just swivels to the next professor and starts recording another video.
Bloatware like superfish is the reason that whenever I get a new laptop the first thing I do is format the disk and install windows directly from Microsoft. Most stuff business pre-load on your computer is totally useless, but at least once it has been legitimately dangerous.
Tom's face when he asks 'how do I draw a certificate authority?'
*listens to the start*
*looks at computer*
well crap...
I love Tom Scott and his massive simplifications. Keep on doing what you're doing Tom!
ok?
I love seeing +Tom Scott on this channel but every time I do he reminds how much of my internet life is built on ignoring the security holes everywhere in it.
Which each episode of computerphile I watch I get more and more paranoid about my online safety, eh I won't change anything though.
Please Tom Scott on more often, He's amazing at explaining concepts and is just generally entertaining.
Wooo! Tom Scott!
Tom is the whole reason why I subscribed to this channel
22Titus22 You know, he has his own channel?
We had fun in Rwanda a couple of years back. The tax department forced everyone who runs a business to install electronic billing machine (EBM) software onto their computer in order to issue electronic receipts for every sale, no matter what size business you had. Many foreigners sensibly bought second laptops to install it, because they didnt' trust installing government software onto their personal computers. I kind of assumed that I was probably already monitored, and didn't have the money for a new laptop just for taxes, so I installed it on my personal laptop which was already pretty old. In fact, it was so old that it promptly crashed about a month later. It was illegal to remove the software from your computer without government permission, but it was late on a Friday night. My options were to go without a computer all weekend until the offices opened on Monday and I could tell them what happened, or go ahead and reinstall Windows. I opted for the latter and sent an e-mail explainig what I was doing and why. I was promptly issued with a $200 fine! I kicked up a storm on Twitter, shouting about how unethical it was to be forced to install government software in the first place, and they backed down, but wow was I angry about it. They've since relented and now offer people the ability to create EBMs online, but it did very little for the country's image or trust among business owners. I don't think there's any method on earth that can protect you when the government says you have to install their software by law. 😏
Interesting, thanks.
why is youtube certificate signed from mars
4:25 No, Mr. Scott, the reason it's called a PRIVATE key is that it's private; you don't send it anywhere but your own server. The CA only needs your public key to apply its signature.
+rchandraonline Yes, thats what Certificate Signing Requests (CSRs) are for. To not have to send your private key out EVER. You generate one on your machine and it stays there forever.
+Art of the Problem has a great series on the language of coins and public key encryption.
There should be zero debate over whether the NSA should or not.
+Owen Prescott I think some people just don't want to get involved, which is understandable.
Tom Scott on Computerphile, what a day to be alive!
This channel is a godsend for anyone studying for Security +
This was such a great thorough explanation and build-up. I would probably send this video to people just to teach them about SSL.
(3:45) This video was published on October 2015.
Last time I checked, you still have to pay for this security.
letsencrypt is free
I can't get over Superfish not even having the foresight to generate a new private/public keypair for each installation. They just hardcoded the same private key in every single installation. I can't believe nobody working on Superfish at the time saw this coming.
Got my Master's in CS 5 years ago, but I wish that back then I had some lectures that were explained this well, as for most of your video's Tom. You are such a clear speaker, (as goes for the speakers in most computerphile video's).
I mean, even though I know about most topics; refreshing my knowledge via these video's doesn't hurt a bit, it feels great!
Keep'em coming.
Also the way superfish was written you never got the red warning, even if a website had a wrong certificate. The superfish in the middle always inserted its "valid" certificate.
It'd be great if you'd make a video on the rootkit they installed on all of their laptops too: Lenovo Service Engine (LSE). Apparently, even if you wiped the harddrive and installed Windows from a disk they didn't provide, it'd still install their crapware, because it's hidden in the BIOS. I've heard it was even updating itself over an unsecured connection, so anyone could man-in-the-middle it to install their own rootkit without users knowing.
I would think that both of the two vulnerabilities (the CA and device) could potentially be resolved by a sort of an 'odd man out' protocol that would periodically ask all of your CAs for a list of the CAs that they trust, and if only very few or none of them trust a CA you have, that CA is removed.
"All servers look like computers of 99s"
-Tom Scott
Yuri de Castro was this comment written by a bot
@@flowerperson581 why?
What does that mean?
Tom needs to be on this channel more often. Get right on that, Computerphile.
Tom Scott is an amazing teacher , perhaps the best teacher in computerphile
You know whats also rather strange ? Google not noticing a massive amount of multi-user traffic coming from a single attacker ip ... usually there is fair usage policy where this kind of activity (an entire DNS provider had to fall as well I presume) from a single/small amount of ip address should definitely raise a flag
quick clarification: superfish was the company that made the adware, the program was called visualdiscovery.
amazing video that touches upon one of the biggest security concerns with Internet usage
Good thing I bought a Lenovo in 2012. It shouldn't have anything on it, and I haven't noticed anything wrong.
Shutup
@@reeldino2729 go back to school kid
ok?
9:37 - RIP Tom Scott, died of NSA...
computerphile needs more tom scott
Lenovo promised to not do it again... but they did. :(
Wow. When/where?
Ivo Temelkov yeah
They did?
They did? How do you know?
Tom Scott, how is it that I've been watching you on UA-cam for over a decade and you didn't look a day over 20 when I first saw you. You still look the same 10 years later. It's uncanny mate, the way you hold your age. How ' you do it?
You should consider doing a segment on the thrust of the paper "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice".
One thing to keep in mind, the 'Trusted' Certifying authorities are subject to the will of the domain in which they reside. What happens if an official of the regime comes to them and put a bag of cash and a gun on the table and tells them to choose? The man in the middle gets an official stamp of approval.
That pen scratching on paper gave me goose bumps
Wwhhhhhhhhhhat?! They did _what_?!
I knew preinstalled OSes were unusable but that's playing in a totally different league there.
you really know how to simplify complex subjects, why I love computer/numberphile.
Funilly enough Superfish is also the name of a javascript library we use at my current work as well as the chippy down the road.
I love Tom's videos. :D
How are you verified? :D
It's cool looking back at this video and seeing him comment on a free certificate authority being in the works and today... We have that with Let's Encrypt!
Tom! You do NOT send the private key over for signing by the CA, only the public key.
This is a good case for Microsoft demanding that OEM manufacturers providing untouched installation media for Windows and clean installations without any 3rd party software for new OEM machines. Having worked for Microsoft Support I can tell you that most problems people have with Windows, especially when new versions are launched (Vista is a good example), are caused by OEMs that don't know what they are doing. Pre-installing lots of craplets, incompatible drivers, bungling up the installation of language packs or straight up changing/removing parts of Windows.
I'm not sure if that is still the case but the only major OEM manufacturer that provided clean Windows installation media was Dell. All the others only had "recovery discs" which contained all the crap pre-installed software.
Ant OfThy Oh yeah they totally ship their computers full of pre-installed craplets and they have recovery media that includes all that pre-installed garbage just like all the other OEMs. But they also provide an untouched Windows installation media that is identical to what you would get if you go to a store and buy a copy of Windows so that you have the option to re-install a clean installation of Windows.
Please make a video about self driving cars. There are a lot of conflicting opinions about whether or not we should allow computers to operate a motorized vehicle on public roads, and there has been some news of cars being hacked. As a student of Computer Science, it seems to me that if done correctly it should be safe, all the same I'd like to know the opinions of others as well.
+Matthew Harris Nobody developing self-driving cars is concerned about the possibility of people trying to hack into them and so nobody is even looking into tampering prevention methods but we're still going to put them on the roads anyways
(cough :P)
+Vulcapyro for some reason, I get the feeling google wouldn't just not think to make their self driving cars secure. they are one of the biggest tech companies and their entire reputation hinges on their cars not getting hacked.
+William Wold way2sarcasm
Yes! Finally another Tom Scott Computerphile episode!
I dropped my Lenovo by accident a couple years ago, which broke the hard drive and rendered that version of Windows unrecoverable. It's so strange, but I guess that was a really good thing; I switched out the hard drive and just installed linux, since I didn't know about the OEM key under the battery and didn't feel like torrenting, and haven't gone back since.
the thing is is that you can do an attack perfectly if you set up a hotspot then you are the server
That sound the marker makes on that sheet of paper gets my hairs on end !!!! Darn !!!
And this is why you NEVER EVER EVER EVER EVER EVER, use the factory image for ANYTHING!
And Certificate authorities need to be above governments not tied down to one country , a bit like that building in France where the keep the kilo.
+Andrew Joy The problem is that most computer manufacturers no longer include the Windows install disk with the computer. You either have to pay for a new disk from Microsoft or you use the factory image. Even those manufacturers that do include the install disk are including a altered copy that will install Windows AND their software.
Basically, you build the computer yourself or live with the bloatware the manufacturer installs. :/
+Mark Speir That's why illegal copies of Windows is good. 1. microsoft survives without me buying their crap, I get to use an OS that works, and as it's almost impossible to get your hands on an install disk...
Microsoft provide iso's now
+The Major Install disk? What is this, 2005? Nobody uses install disks anymore, you can make an installation USB for free
icedragon769 I'm talking about legally obtained copies of Windows. Prior to Windows 10 you had to buy it on CD/DVD.
Truthfully, you'll need more than a downloaded OS update to wipe the crap off of a hard drive. The manufacturers partion the drives and install their crap on the smaller partion. In some cases, this partion is unreachable. You have to use special software to get rid of this crap and reclaim the drive.
ARP spoofing still works just fine on a sadly large number of devices. Quite useful when you need to sniff the network traffic from a closed device and you have a crappy consumer router.
"Superfish." ... "Superphish" did no one else notice that? That's like calling your company "Knot Evil."
i would have never thought of doing this, but i actually have to defend the fax machine: i work in a small company where we mill and turn metal parts, and we work with a lot of small companies that install handrails ond so on. for us its a lot easier to just get the technical drawing per fax, than having them send it per email, downloading it and then printing it, especially since we are ol three people, so we only occasionally can check our mails, and then only have a little ut of time. but i9f we get the drawing per fax, we once in a while take a look into the office, see the new fax and take it to our workstaton to programm the maschine
'All routers have aerials' Airport Extreme: Nopeeeee
“Beacause maths”. This is the greatest thing in the world
I like the use of "maths" as a verb in this video.
Love the videos with Tom,just hopes he does more stuff similar to this in his channel.
i don't work in the tech field and never will, but i still love to learn about this stuff!
It’s essentially 2-factor authentication on the server-side which is pretty cool
The thumbnail made me think this was going to be about "Tom in the Middle of Toms" attacks so I was disappointed.
SSL Encryption: Exists
Quantum Computing: I'm about to end this man's whole career
Here's part of the reason that Adware is one of the worst things for an end user.
This man talking to the points, Thanks a lot man .
"Yeah, this is the bit of software that was installed on rpetty much every consumer Lenovo laptop." Yeah, so I was gripped by fear for a minute, there, because I had definitely been using a ThinkPad for over a year when this video came out. Luckily, I looked up Superfish, and apparently Lenovo began to bundle Superfish adware with their computers in September of 2014, which was a few months after I got mine.
Thinking back, I'm pretty sure that I still ended up dealing with Superfish at some point, but it wasn't because Lenovo put it there, it was because I was eighteen and consequently a huge dumbass.
ok?
Oh shit the guy who does the AI videos was there. Dope.
i prefer craygh
Kresten Sckerl
carykh
craygh
Just saw an advert before this video... For Lenovo laptops!
I got a Lenovo ad before this video, oh the dramatic irony
I remember this mess. Didn't Lenovo get sued over this?
And all this just so they could show you more ads. I mean, I'm not exactly a fan of AdBlock, but jeez, this stuff is not helping the conversation.
It's actually worse than that. SSL is near to useless on any site that carries third party advertising. The advertiser doesn't need Superfish, they can run Javascript in your browser that logs your keystrokes or scans for password fields.
The advertising is served via a different certificate than the one covering the site you visit, yet there is no mention of this in the browser's SSL info. It is as if the connection from your browser to the advertiser doesn't exist. Yet, using a wiretrace you can see that it does.
.
Not a lot of end users know that.
and this is why i use an adblocker
Correction: Your private key is *not* shared with CAs. This would be a terrible security issue if that were the case. The private key should never be shared with anyone.
I feel like this was just a casual computer nerd conversation that they just decided to film.
I beat Pokémon Emerald with a Mudkip named SuperFish as a kid. I was the first one to perform a SuperFish attack. My face when.
" they do maths to them." Real specific tom
It's always good when its Tom :)
How to stop a non trusted Middle man? Get a trusted Middle man!