Interviews: Ask Security Expert Mikko Hypponen A Question 133
Even if you pay only a fraction of your time on security news, you probably already know Mikko Hypponen (Twitter, Wikipedia). He is the Chief Research Officer at F-Secure, a security firm he joined over two decades ago. Hypponen has assisted law enforcement in the United States, Europe and Asia on cybercrime cases, and has also made several appearances on BBC, TED talks, TEDx, DLD, SXSW, Black Hat, DEF CON, and Google Zeitgeist among others. He has also written for CNN, The New York Times, Wired, and BetaNews.
Hypponen has closely watched computers, networks, and security spaces grow over the years. In 2011, Hypponen tracked down the authors of the first PC virus in history -- Brain.A. Whether you want to know about the early days of malware -- when they were mostly created by hobbyists, or get an inside view of the challenges security firms face today, or how exactly does one keep himself or herself safe in the increasingly terrifying world, use the comments section to leave your question.
Editor's note: We will be collecting some of the best questions and sending them to Mikko at 22:00 GMT, Monday.
Hypponen has closely watched computers, networks, and security spaces grow over the years. In 2011, Hypponen tracked down the authors of the first PC virus in history -- Brain.A. Whether you want to know about the early days of malware -- when they were mostly created by hobbyists, or get an inside view of the challenges security firms face today, or how exactly does one keep himself or herself safe in the increasingly terrifying world, use the comments section to leave your question.
Editor's note: We will be collecting some of the best questions and sending them to Mikko at 22:00 GMT, Monday.
Wording... (Score:2)
Security awareness training (Score:1)
Do you have any suggestions on how to create a successful security awareness program in a tech company? Some like Bruce Schneier prefer the time and money is spent on better security engineering. Any experts or articles or books you can recommend?
Re: (Score:2)
Congratulations of receiving so many responses on your post about a pet issue of yours - all from different users too - all of which have exactly the same style of grammar, spelling and punctuation as you do. Isn't that a weird coincidence :)
Anti-virus software (Score:5, Interesting)
With the recent [slashdot.org] reports [slashdot.org] of anti-virus software sometimes actually adding security vulnerabilities to the systems, and the fact that windows ships with its own bundled anti-virus, what advantages do commercial third party anti-virus solutions these days offer?
I'm wondering specifically about the windows desktop, because this is the platform usually targeted by attackers.
Re: (Score:1)
windows defender is already useless.
they all test for passing it.
it doesn't see shadow hidden files. it doesn't protect against uefi drops. it doesn't protect against attacks done by using windows services(the group policy remote managemnt, rmi etc are most powerful attack tools ever).
are Smartphones spyware we pay for? (Score:4, Interesting)
CPU (Score:1)
What are the pre-2008 intel and pre-2013 AMD processors that you consider the most secure?
What are the ones with the most vulnerable erratas? In short What are the fastest AND safest one?
https://libreboot.org/faq/#intel
https://libreboot.org/faq/#amd
Internet of things (Score:5, Interesting)
One of the big security problems of Android is that you are unable to receive any software updates, including security patches, once the hardware manufacturer decides so, and hardware manufacturers have an interest in not providing updates because they cost money to test and deploy, as well as missing updates create an incentive for the customers to buy newer hardware.
This issue affects all places where the hardware vendor also supplies the software, and will become more and more important, as internet connected software gets its way into more and more things around us.
How can this problem be solved?
Re: (Score:2, Informative)
One of the big security problems of Android is that you are unable to receive any software updates, including security patches, once the hardware manufacturer decides so, and hardware manufacturers have an interest in not providing updates because they cost money to test and deploy, as well as missing updates create an incentive for the customers to buy newer hardware.
This is not true. My Android Nexus phone receives MONTHLY security updates direct from Google, along with any OS updates, beta versions if I want to try them, and so. Google did not make or manufacture this device. The FCC registration lists Huawei as the maker but Huawei has no say in updates or anything else to do with this phone. Neither does any cell carrier. . Nobody has any control over this device except Google, and me. And Google has been extremely proactive in pushing updates when needed.
So
Re: (Score:1)
One division of my employer is in the business of testing cell phones for compatibility with the various cell switches, prior to the phone's release to the market. Part of my paycheck is funded by the work we do for these companies. NotInHere's comments are true: the consumer is at the mercy of the manufacturer (and probably the cell phone provider too) in terms of receiving updates.
The question should stand, imho.
Re: (Score:2)
A related question: Is this a big issue for Android devices at all? We don't see vast botnets of Android phones and the only viruses that appear all seem to be trojans, i.e. they requite the user to enable installing apps from outside the Play Store and click through numerous warnings, and now on Android 6 click through yet more permission requests.
Is Android proof that the "defence in depth" technique is effective?
OKKAY (Score:1)
What's with the double-Ks in your name, man? What does spell check do when you try to type it? Is it some sort of Finnish thing? Because if it is, that's cool. Finns are OK in my book because they love tango.
Re: (Score:2)
I've seen some Finns I'd like the geminate with.
Re: (Score:1)
The name should be Hyppönen, by the way.
It's called vowel harmony, and mixing the front vowels (y, ä, ö) with back vowels (a, o, u) in a single word is forbidden, except in compound words.
https://en.wikipedia.org/wiki/... [wikipedia.org]
I love how slashdot cuts off raw wikipedia links just before the article name.
Re: (Score:2)
Why do you want a Bluetooth toothbrush anyway,
I like my teeth white rather than blue, thanks.
Re: (Score:2)
You're right, I'm so ashamed. Let me try again:
Mikko Hypponen (if that is your real name), it seems like the internet has never been less secure. Can you explain how and why security experts have failed so miserably?
Re: (Score:2)
Wait, you mean Finland is a real place? Who knew? I thought it was out of Tolkien or something.
My bad.
Capability based security (Score:4, Interesting)
Have you looked into Capability based Security Operating Systems such as Genode? (Genode.org) They seem to offer a way for users to decide what to trust, instead of being forced to blindly trust everything every app does.
What do you think about this approach to security?
notability hole (Score:2)
Nope. It was only recently (about a year ago) that I started to keep a formal list of prominent people in the security sector and, until five minutes ago, he was not there. It was the mosh pit of DNS and SSL security that finally drove me to it. To be honest, it was also the somewhat volatile Thomas H. Ptacek who drove me to it. Here's Colin Percival's rather decisive rebuttal to an ill-considered pos
PHK criticizes HTTP/2; do you buy it? (Score:4, Interesting)
As it happens, I read the following article by Poul-Henning Kamp just the other day and had mixed feelings.
HTTP/2.0 — The IETF is Phoning It In [acm.org] (January 2016)
Mikko, what's your take on HTTP/2.0 in light of PHK's declared position?
—
For context, here are the two points that raised my own eyebrows.
First, PHK implies that HTTP/2.0 could have done something substantial to address the cookie problem.
Second, PHK implies that encryption is enough of a burden in certain circumstances to make exceptions to the privacy by default revolution. My own gut instinct is that SSL is already cheap enough to simply write off across the board as the cost of doing business, almost always.
Isn't it a rather crappy security profile to leave your "innocent" activities in clear text and only encrypt what is conventionally considered "sensitive"?
I did read a valid complaint the other day, where people writing servers trying to maintain 100,000 persistent SSL connections (average connection time measured in hours) become hot and bothered about the 20 kB per connection memory cost, enough to throw away a Go implementation (heavier in memory overhead) and go back to Ruby.
What say you about the technical/political HTTP/2 tango?
Re: (Score:2)
> To the point that EU cookie notice popups have become more annoying than ads and I need an adblocker to get rid of them. Thanks a lot, EU.
The point is, that companies try to ignore the law that way.
"You're agreeing to cookies by visiting this page [OK]".
Hey, you set a cookie, before i could even read your message. I expect to get NO cookie at all before clicking ok.
There just needs to be prosecution for this practice and a requirement for real informed consent. "We do not really need cookies, but our u
Obvious question: Clinton (Score:1)
What is your opinion on the Hillary Clinton email scandal, specifically with respect to the security of her personal server and Guccifer's claims re hacking the server.
Is it too late? Have we lost the battle? (Score:3, Interesting)
Re: (Score:3)
Doug, there are many non-technical networks in the world which are very complex, have threats against them, yet manage to persist in spite of those threats. For example, consider the world of banking prior to computing. Every branch was subject to attack, but at worst, the financial losses in any theft were limited to those on hand in the vault. There was no way to leverage an activity in one branch against the whole of the banking system.
However, in modern operating systems, there is no practical way to s
Re: (Score:2)
IMHO, the future doesn't look good. Less because security is hard and more because technology business has become so focused on data collection that it almost supersedes the product, even when the product is physical (and in Google's case it is the product).
With corporate business focus on data collection, you have a built-in incentive for the kinds of backdoors, lack of user control and monitoring that helps enable security problems, not prevent them. As long as the technology business is in a data-is-th
Predators [Re:Is it too late? Have we lost...] (Score:2)
Defenders have to get it right, every single time while the bad guys only need to be right once
That is the typical predator/prey asymmetry.
The lion has to only win the chase every now and then. The antelope has to win the chase every time.
Re: (Score:2)
Up until you trying to make me use bing I was with you.
Why do people claim security... (Score:2)
... while they're using untested and not standardized (hell, not even Version 1) protocols? Example, Discord using WebRTC and claiming it's secure.
Re: (Score:2)
Re: (Score:2)
You do know WebRTC leaves the fucking data channel wide open once you accept Video and Audio channels, never once asking for authorization? You do know WebRTC has a nasty habit of allowing IP addresses to be revealed?
You keep talking shit when you don't know shit.
Re: (Score:2)
some wisdom on the future... (Score:2, Interesting)
We (as a society) put different emphasis on security and privacy at different times. What do you think we should optimize for and where do you think is the optimum? How do you see the capabilities of our civilization evolving over the next 100-200 years? As a budding PhD student, should I take security as a primary focus? What would be your best advice?
three questions (Score:2)
Hello Col. Hypponen,
I have three questions for you:
1. Do you think it is still possible to secure embedded systems (aka the Internet of Things), or is that an impossibility now, practically speaking?
2. If there was one thing you could every average computer user to do to improve their security, what would it be?
3. If you were a person of interest in the murder of your neighbor in a tiny Central American country, what would your strategy be for clearing your name?
Thank you for taking the time to read this
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Application white-listing for Network Access (Score:1)
Re: (Score:2)
Maybe you just have a look at cgroups and iptables.
But it's bullshit. If you run untrusted software, you're fucked. Linux users just know it and tell it straight forward, many windows users believe in claims of so called firewall apps.
Easy example for windows: There is an api to fetch urls using IE dlls. This means, a program wanting to communicate even when the firewall blocks all ports, just uses this api and can talk to its server using a operation system process. One, the firewall probably cannot block
Re: (Score:1)
Yeah I've heard this argument before many times, and believe me, i don't go looking for un-trusted code to run! But we now live in a world where NO code can be trusted. The corporations would seek rent in perpetuity, and bad actors can exert their will on open source projects in a number of profound ways; if not through outright deception, then through controlling payroll and funding for developers.
However, i also know that there are things called process tr
Re: (Score:2)
So, easy route, which might be secure:
- Install some linux
- add a user "restrictednet"
- add a firewall router -A OUTPUT -m owner --uid restrictednet -j DROP
- run stuff as this user
you will still leak anything triggered by setuid programs as ping, dns requests made by the system, etc.
more secure:
- run a vm as this user. Then everything the program can generate is owned by the restricted user.
more flexible:
use firewall rules matching a cgroup, put programs / vm-instances in the cgroup. This allows you to swit
Intel ME (& AMD equivalent): risks & mitig (Score:5, Interesting)
Dear Mr. Hypponen,
As a security expert, what would you consider to be the real risks from Intel ME (& AMD equivalent) technologies for the average business? Is there a particular mitigation strategy you would recommend?
By average business I mean a company that engages in financial transactions with its vendors and customers. I'm also assuming that at least some of these companies have trade secrets they want to protect from their competitors.
Many thanks for taking the time to answer our questions.
Kind regards,
A
Analog off-switch for microphones etc (Score:1)
Do you think there should be more practical laws protecting people's privacy?
For example, I believe it should be mandatory for the manufacturers of any electronic devices that possess a microphone (primarily smart phones, tablets, laptops, and smart TVs) to provide physical analog controls to switch them (the microphones) off when desired, without having to power off the device itself. Moreover, the cables leading to the microphone and the switches that cut off the power to them should be easy to inspect by
Protect from intruders, not the legitimate user? (Score:3)
Here is something often conflated: A device may be secure because a user can't get any access to it, but it may be easily compromised from remote. How would one make a device that the user can easily flash, and do what they please with, even flashing a custom OS or firmware, while still making it resistant from remote, and perhaps local attacks? The closest I've seen is Android, which when rooted loses none of its security (other than a user hitting "allow this app to run as root") by accident. Other ecosystems, like iOS, have their entire security model destroyed by jailbreaking.
Supe? (Score:2)
Didn't I see this yesterday?
Question (Score:3, Interesting)
My question is fairly simple and to the point: Do you have favorite "That one who got away" story? By that I mean some piece of malware you could almost track down the creator of, figure out how it worked or automate discovery of it, but not quite?
IoT (Score:2)
Computer health class (Score:4, Interesting)
What would you like to see in a computer 'health' class? After cleaning up several of my son's friend's computers from rampant spyware/malware/etc, it's clear that kids are given computers without any real training or discipline in how to protect themselves.
With all the sharing done on social media today, including lists and 'here's how to generate your porn/potter/star trek/etc name based on street address/birthday/etc', what alternate security questions should (if any) a website use to verify identity?
Security vs Insecurity Experts (Score:3)
What are your thoughts on the computer security industry's current trend of staffing computer security professionals who look at industry best practices and security products to run down a checklist of actions? I often point out that many (approximately *all* that I've met) computer security professionals are big on password policy, anti-virus, patching, and the like, and *never* sit down to develop operational risk and threat models. In essence: what's going on in the industry with security as simple compliance (executing a prefabricated list of tactics) versus security as an organizational strategy (studying the field and selecting what tactics to apply, and where and how)?
Re: (Score:3)
Re: (Score:2)
I've dealt with a lot of people who argue that the checklist is the only thing important. I've brought up the concept of identifying our assets, determining their importance, and creating trust zones and access controls based on that; people just roll their eyes and point out that the general NAS only allows finance to access the high-sensitivity finance share, and marketing to access marketing shares, etc. Put the finance NAS behind an ASA that does subnet and domain logon checking so that only certain
What do you think of "stunt hacking" (Score:2)
Security industry quiet (Score:1)
Why has the security industry never came out and unequivocally stated that locking owners out of their devices, regardless of what that device is, is a security risk? Malware is broadly defined as any software that makes a device act outside of what is allowed by the owner of the device. Whether that is locking an owner out of their own device or limiting where they can use it or making it surreptitiously communicate with people/companies not explicitly allowed by the owner of the device. By all definitions
Ob (Score:2)
Do you enjoy being a security expert more than driving a racing car?
Will e-voting ever be secure enough (Score:2)
Ubuntu Guest User (Score:1)
The default ubuntu installation has a guest user without password. This feature can be turned off but I noticed that every once in a while the configuration changes (move from /etc/lightdm to /usr/share/lightdm without removing /etc/lightdm for example) so that if you don't pay attention the guest user is back. In my opinion the guest user removes one barrier for an attacker and is a bad idea.
Which as-yet un-asked question.... (Score:1)
...would you most like to answer?
Which is more important: edge or app? (Score:2)
Huge efforts and money are spent protecting the edges of the network - whether it be firewalls and other router configurations, OS level configurations, and other filtering tools (such as virus detection and scanning, and log and packet inspection and analysis tools). There are also plenty of security companies willing to sell you a magical black box that will solve all of your security problems.
The opposite seems to be the case when it comes to spending time and money on the security of applications use
Re: (Score:1)
Hi!
Mikko here... to better answer your question, could you please provide your social security number? Thanks.