Interviews: Ask Security Expert Mikko Hypponen A Question

Even if you spend only a fraction of your time on security news, you probably already know Mikko Hypponen (Twitter, Wikipedia). He is the Chief Research Officer at F-Secure, a security firm he joined over two decades ago. Hypponen has assisted law enforcement in the United States, Europe and Asia on cybercrime cases, and has made several appearances at BBC, TED, TEDx, DLD, SXSW, Black Hat, DEF CON and Google Zeitgeist, among others. He has also written for CNN, The New York Times, Wired and BetaNews.

Hypponen has closely watched computers, networks and the security space grow over the years. In 2011, he tracked down the authors of the first PC virus in history, Brain.A. Whether you want to know about the early days of malware, when it was mostly created by hobbyists, get an inside view of the challenges security firms face today, or learn how one keeps oneself safe in an increasingly hostile world, use the comments section to leave your question.

Editor's note: We will be collecting some of the best questions and sending them to Mikko at 22:00 GMT, Monday.
  • Brain.A was the first MS-DOS / IBM PC-compatible virus, but not the first "personal computer" virus.
  • by Anonymous Coward

    Do you have any suggestions on how to create a successful security awareness program in a tech company? Some, like Bruce Schneier, prefer that the time and money be spent on better security engineering. Any experts, articles or books you can recommend?

  • Anti-virus software (Score:5, Interesting)

    by NotInHere ( 3654617 ) on Saturday June 18, 2016 @06:43PM (#52344799)

    With the recent reports of anti-virus software sometimes actually adding security vulnerabilities to the systems, and the fact that Windows ships with its own bundled anti-virus, what advantages do commercial third-party anti-virus solutions offer these days?

    I'm wondering specifically about the Windows desktop, because this is the platform usually targeted by attackers.

    • by Anonymous Coward

      Windows Defender is already useless.

      They all test for passing it.

      It doesn't see shadow hidden files. It doesn't protect against UEFI drops. It doesn't protect against attacks done by using Windows services (the group policy remote management, RMI etc. are the most powerful attack tools ever).

  • by turkeydance ( 1266624 ) on Saturday June 18, 2016 @06:47PM (#52344803)
    "Edward Snowden has warned that no smartphone is safe..." Is he correct?
  • by Anonymous Coward

    What are the pre-2008 Intel and pre-2013 AMD processors that you consider the most secure?
    Which ones have the most vulnerable errata? In short, which are the fastest AND safest ones?

  • Internet of things (Score:5, Interesting)

    by NotInHere ( 3654617 ) on Saturday June 18, 2016 @06:54PM (#52344813)

    One of the big security problems of Android is that you are unable to receive any software updates, including security patches, once the hardware manufacturer decides so, and hardware manufacturers have an interest in not providing updates because they cost money to test and deploy, as well as missing updates create an incentive for the customers to buy newer hardware.

    This issue affects all places where the hardware vendor also supplies the software, and will become more and more important, as internet connected software gets its way into more and more things around us.

    How can this problem be solved?

    • Re: (Score:2, Informative)

      One of the big security problems of Android is that you are unable to receive any software updates, including security patches, once the hardware manufacturer decides so, and hardware manufacturers have an interest in not providing updates because they cost money to test and deploy, as well as missing updates create an incentive for the customers to buy newer hardware.

      This is not true. My Android Nexus phone receives MONTHLY security updates direct from Google, along with any OS updates, beta versions if I want to try them, and so on. Google did not make or manufacture this device. The FCC registration lists Huawei as the maker, but Huawei has no say in updates or anything else to do with this phone. Neither does any cell carrier. Nobody has any control over this device except Google, and me. And Google has been extremely proactive in pushing updates when needed.


      • One division of my employer is in the business of testing cell phones for compatibility with the various cell switches, prior to the phone's release to the market. Part of my paycheck is funded by the work we do for these companies. NotInHere's comments are true: the consumer is at the mercy of the manufacturer (and probably the cell phone provider too) in terms of receiving updates.

        The question should stand, imho.

    • by AmiMoJo ( 196126 )

      A related question: Is this a big issue for Android devices at all? We don't see vast botnets of Android phones, and the only viruses that appear all seem to be trojans, i.e. they require the user to enable installing apps from outside the Play Store and click through numerous warnings, and now on Android 6 click through yet more permission requests.

      Is Android proof that the "defence in depth" technique is effective?

  • What's with the double-Ks in your name, man? What does spell check do when you try to type it? Is it some sort of Finnish thing? Because if it is, that's cool. Finns are OK in my book because they love tango.

    • by Anonymous Coward

      The name should be Hyppönen, by the way.

      It's called vowel harmony, and mixing the front vowels (y, ä, ö) with back vowels (a, o, u) in a single word is forbidden, except in compound words.

      I love how slashdot cuts off raw wikipedia links just before the article name.

  • by ka9dgx ( 72702 ) on Saturday June 18, 2016 @08:06PM (#52345029) Homepage Journal

    Have you looked into capability-based security operating systems such as Genode? They seem to offer a way for users to decide what to trust, instead of being forced to blindly trust everything every app does.

    What do you think about this approach to security?

  • Even if you pay only a fraction of your time on security news, you probably already know Mikko Hypponen.

    Nope. It was only recently (about a year ago) that I started to keep a formal list of prominent people in the security sector and, until five minutes ago, he was not there. It was the mosh pit of DNS and SSL security that finally drove me to it. To be honest, it was also the somewhat volatile Thomas H. Ptacek who drove me to it. Here's Colin Percival's rather decisive rebuttal to an ill-considered pos

  • by epine ( 68316 ) on Saturday June 18, 2016 @08:41PM (#52345137)

    As it happens, I read the following article by Poul-Henning Kamp just the other day and had mixed feelings.

    HTTP/2.0 - The IETF is Phoning It In (January 2016)

    Mikko, what's your take on HTTP/2.0 in light of PHK's declared position?

    For context, here are the two points that raised my own eyebrows.

    First, PHK implies that HTTP/2.0 could have done something substantial to address the cookie problem.

    This is almost triply ironic, because the major drags on HTTP are the cookies, which are such a major privacy problem, that the EU has legislated a notice requirement for them. HTTP/2.0 could have done away with cookies, replacing them instead with a client controlled session identifier. That would put users squarely in charge of when they want to be tracked and when they don't want to—a major improvement in privacy.

    The reason HTTP/2.0 does not improve privacy is that the big corporate backers have built their business model on top of the lack of privacy. They are very upset about NSA spying on just about everybody in the entire world, but they do not want to do anything that prevents them from doing the same thing.

    Second, PHK implies that encryption is enough of a burden in certain circumstances to make exceptions to the privacy by default revolution. My own gut instinct is that SSL is already cheap enough to simply write off across the board as the cost of doing business, almost always.

    Local governments have no desire to spend resources negotiating SSL/TLS with every single smartphone in their area when things explode, rivers flood, or people are poisoned. ... Yet, despite this, HTTP/2.0 will be SSL/TLS only, in at least three out of four of the major browsers, in order to force a particular political agenda.

    Isn't it a rather crappy security profile to leave your "innocent" activities in clear text and only encrypt what is conventionally considered "sensitive"?

    I did read a valid complaint the other day, where people writing servers trying to maintain 100,000 persistent SSL connections (average connection time measured in hours) become hot and bothered about the 20 kB per connection memory cost, enough to throw away a Go implementation (heavier in memory overhead) and go back to Ruby.

    What say you about the technical/political HTTP/2 tango?

  • by Anonymous Coward

    What is your opinion on the Hillary Clinton email scandal, specifically with respect to the security of her personal server and Guccifer's claims of hacking the server?

  • by dougTheRug ( 649069 ) on Saturday June 18, 2016 @09:56PM (#52345367) Homepage
    Hi Mikko, in my day job I am a security evangelist, carrying out developer education and design reviews. For 8 years previous to that I helped companies use static analysis to detect and eliminate security vulnerabilities at the implementation layer. I am becoming convinced that, with the poor state of software today and extreme complexity, there is simply no way the good guys can win. Defenders have to get it right, every single time while the bad guys only need to be right once, to establish an APT and destroy your company. If the bad guys were parasites I would say this would all simmer down to a balancing point where the parasites existed off a slow background noise of constant attacks, but never enough to kill civilization completely. But with a lack of collusion, attackers are more likely to race to the bottom and to not pay attention to the health of their host. So basically my prediction is: crime will eventually kill technology; it will become unusable. Do you have a more hopeful outcome for us?
    • by ka9dgx ( 72702 )

      Doug, there are many non-technical networks in the world which are very complex, have threats against them, yet manage to persist in spite of those threats. For example, consider the world of banking prior to computing. Every branch was subject to attack, but at worst, the financial losses in any theft were limited to those on hand in the vault. There was no way to leverage an activity in one branch against the whole of the banking system.

      However, in modern operating systems, there is no practical way to s

    • by swb ( 14022 )

      IMHO, the future doesn't look good. Less because security is hard and more because technology business has become so focused on data collection that it almost supersedes the product, even when the product is physical (and in Google's case it is the product).

      With corporate business focus on data collection, you have a built-in incentive for the kinds of backdoors, lack of user control and monitoring that helps enable security problems, not prevent them. As long as the technology business is in a data-is-th

    • Defenders have to get it right, every single time while the bad guys only need to be right once

      That is the typical predator/prey asymmetry.

      The lion has to only win the chase every now and then. The antelope has to win the chase every time.

  • ... while they're using untested and not standardized (hell, not even Version 1) protocols? Example, Discord using WebRTC and claiming it's secure.

    • by Ash-Fox ( 726320 )

      ... while they're using untested and not standardized (hell, not even Version 1) protocols? Example, Discord using WebRTC and claiming it's secure.

      WebRTC testing in Chrome? There, some testing. Or did you want some security testing of WebRTC? Seems tested to me.

      It's using DTLS to handle encryption, which is fairly standardized and provided by most multi-purpose encryption libraries out there.

      Is this another of your stories? All you have to do is call "TempDog", that's all it takes!

      • by Khyber ( 864651 )

        You do know WebRTC leaves the fucking data channel wide open once you accept Video and Audio channels, never once asking for authorization? You do know WebRTC has a nasty habit of allowing IP addresses to be revealed?

        You keep talking shit when you don't know shit.

        • by Ash-Fox ( 726320 )

          You do know WebRTC leaves the fucking data channel wide open once you accept Video and Audio channels, never once asking for authorization?

          Yes, I did read the document I linked which mentioned session hijacking. As I said, it's been tested.

          You do know WebRTC has a nasty habit of allowing IP addresses to be revealed?

          If you were concerned about concealing your normal provider's IP address, why would you not be using a network wide VPN? You can practically discover someone's publicly routable IP address in so

  • by Anonymous Coward

    We (as a society) put different emphasis on security and privacy at different times. What do you think we should optimize for and where do you think is the optimum? How do you see the capabilities of our civilization evolving over the next 100-200 years? As a budding PhD student, should I take security as a primary focus? What would be your best advice?

  • Hello Col. Hypponen,

    I have three questions for you:

    1. Do you think it is still possible to secure embedded systems (aka the Internet of Things), or is that an impossibility now, practically speaking?

    2. If there was one thing you could get every average computer user to do to improve their security, what would it be?

    3. If you were a person of interest in the murder of your neighbor in a tiny Central American country, what would your strategy be for clearing your name?

    Thank you for taking the time to read this.

  • Since moving to Linux about 8 years ago, there's been one thing I have missed, which I still feel is a regression: the ability to use 3rd-party purchased programs to control what local processes may access the network. No operating system makes this default, but in Linux-land, it seems guys like me get actively ridiculed for suggesting "blocking a port" != "blocking an app", which is a bit annoying. There are some promising projects like SELinux, but to date, they are not able to bring this capability in
    • by allo ( 1728082 )

      Maybe just have a look at cgroups and iptables.

      But it's bullshit. If you run untrusted software, you're fucked. Linux users just know it and say it straightforwardly; many Windows users believe the claims of so-called firewall apps.

      Easy example for Windows: there is an API to fetch URLs using IE DLLs. This means a program wanting to communicate even when the firewall blocks all ports just uses this API and can talk to its server using an operating system process. One the firewall probably cannot block

      • Hey allo, you are right of course. But....

        Yeah, I've heard this argument before many times, and believe me, I don't go looking for untrusted code to run! But we now live in a world where NO code can be trusted. The corporations would seek rent in perpetuity, and bad actors can exert their will on open source projects in a number of profound ways; if not through outright deception, then through controlling payroll and funding for developers.

        However, i also know that there are things called process tr
        • by allo ( 1728082 )

          So, easy route, which might be secure:

          - Install some Linux
          - add a user "restrictednet"
          - add a firewall rule -A OUTPUT -m owner --uid restrictednet -j DROP
          - run stuff as this user

          You will still leak anything triggered by setuid programs such as ping, DNS requests made by the system, etc.

          More secure:
          - run a VM as this user. Then everything the program can generate is owned by the restricted user.

          More flexible:
          use firewall rules matching a cgroup, put programs / VM instances in the cgroup. This allows you to swit
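The per-user egress block from the post above, written out as a script. This is an added example, not code from the thread or from any Slashdot poster: it assumes Linux with iptables and its owner match (spelled out as `--uid-owner`), keeps the thread's user name "restrictednet", and uses a made-up cgroup v2 path "restricted.slice" for the cgroup variant. It also adds the two checks a defender would want for the leaks the post mentions: setuid binaries (whose packets carry uid 0 and so pass the rule) and a system stub resolver that forwards DNS under its own uid.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): per-user egress block as described
# by allo, plus checks for the leaks the post warns about.
# Assumptions: Linux, iptables with the 'owner' and 'cgroup' matches; the user name
# "restrictednet" is the thread's; "restricted.slice" is a made-up cgroup v2 path.

RESTRICTED_USER="${RESTRICTED_USER:-restrictednet}"

# Rule text: drop every locally generated packet whose socket is owned by the user.
# The owner match only works in OUTPUT (forwarded packets have no local owner).
# Loopback is deliberately NOT exempted: a stub resolver on 127.0.0.53 would
# otherwise forward the user's DNS queries upstream under its own uid.
egress_drop_rule() {
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j DROP\n' "$1"
}

# The post's "more flexible" variant: match a cgroup v2 path instead of a uid, so
# programs or VM instances can be moved in and out without changing users.
cgroup_drop_rule() {
    printf 'iptables -A OUTPUT -m cgroup --path %s -j DROP\n' "$1"
}

# Create the unprivileged account the rule refers to (idempotent).
create_restricted_user() {
    id "$1" >/dev/null 2>&1 || useradd -m -s /usr/sbin/nologin "$1"
}

# Apply the uid rule for real (root only).
apply_egress_drop() {
    iptables -A OUTPUT -m owner --uid-owner "$1" -j DROP
}

# Run a command as the restricted user; every socket it opens carries that uid.
run_restricted() {
    ru_user="$1"; shift
    runuser -u "$ru_user" -- "$@"
}

# Leak check 1: setuid binaries (e.g. an old setuid ping) run as root, so their
# packets are owned by uid 0 and are not caught by the rule. Modern ping usually
# carries cap_net_raw instead; that case is not covered by this listing.
list_setuid() {
    find "$@" -perm -4000 -type f 2>/dev/null | sort
}

# Leak check 2: a local resolver that the system runs on behalf of everyone.
# Prints the nameserver entries; 127.0.0.53 means systemd-resolved.
system_resolvers() {
    sr_file="${1:-/etc/resolv.conf}"
    [ -r "$sr_file" ] || return 0
    sed -n 's/^nameserver[[:space:]]*\([^[:space:]]*\).*/\1/p' "$sr_file"
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    create_restricted_user "$RESTRICTED_USER"
    apply_egress_drop "$RESTRICTED_USER"
else
    # Dry run: show what would be applied and what could still leak.
    echo "# rule that --apply would add:"
    egress_drop_rule "$RESTRICTED_USER"
    echo "# setuid binaries in /usr/bin (run as uid 0, not caught by the rule):"
    list_setuid /usr/bin
    echo "# system resolvers (queries via these are sent by another uid):"
    system_resolvers
fi
```

Run it without arguments to see the rule and the leak candidates; `sudo ./restrict.sh --apply` creates the user and inserts the rule, after which `run_restricted restrictednet some-program` runs the program with no egress. The loopback choice is the point to think about: exempting `lo` is convenient but reopens the DNS path through a local stub resolver, which is exactly the leak the post describes.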

  • by Anonymous Coward on Sunday June 19, 2016 @08:29AM (#52346541)

    Dear Mr. Hypponen,

    As a security expert, what would you consider to be the real risks from Intel ME (& AMD equivalent) technologies for the average business? Is there a particular mitigation strategy you would recommend?

    By average business I mean a company that engages in financial transactions with its vendors and customers. I'm also assuming that at least some of these companies have trade secrets they want to protect from their competitors.

    Many thanks for taking the time to answer our questions.

    Kind regards,

  • by Anonymous Coward

    Do you think there should be more practical laws protecting people's privacy?

    For example, I believe it should be mandatory for the manufacturers of any electronic devices that possess a microphone (primarily smart phones, tablets, laptops, and smart TVs) to provide physical analog controls to switch them (the microphones) off when desired, without having to power off the device itself. Moreover, the cables leading to the microphone and the switches that cut off the power to them should be easy to inspect by

  • by mlts ( 1038732 ) on Monday June 20, 2016 @10:18AM (#52351729)

    Here is something often conflated: a device may be secure because a user can't get any access to it, but it may be easily compromised from remote. How would one make a device that the user can easily flash and do what they please with, even flashing a custom OS or firmware, while still making it resistant to remote, and perhaps local, attacks? The closest I've seen is Android, which when rooted loses none of its security (other than a user accidentally hitting "allow this app to run as root"). Other ecosystems, like iOS, have their entire security model destroyed by jailbreaking.

  • Didn't I see this yesterday?

  • Question (Score:3, Interesting)

    by Anonymous Coward on Monday June 20, 2016 @10:33AM (#52351831)

    My question is fairly simple and to the point: Do you have favorite "That one who got away" story? By that I mean some piece of malware you could almost track down the creator of, figure out how it worked or automate discovery of it, but not quite?

  • Do you feel security on IoT devices will ever get close to effective, or will the advent of the IoT become a security nightmare?
  • by hendric ( 30596 ) * on Monday June 20, 2016 @10:49AM (#52351937)

    What would you like to see in a computer 'health' class? After cleaning up several of my son's friends' computers from rampant spyware/malware/etc., it's clear that kids are given computers without any real training or discipline in how to protect themselves.

    With all the sharing done on social media today, including lists and 'here's how to generate your porn/potter/star trek/etc name based on street address/birthday/etc', what alternate security questions should (if any) a website use to verify identity?

  • by bluefoxlucid ( 723572 ) on Monday June 20, 2016 @10:56AM (#52351985) Homepage Journal

    What are your thoughts on the computer security industry's current trend of staffing computer security professionals who look at industry best practices and security products to run down a checklist of actions? I often point out that many (approximately *all* that I've met) computer security professionals are big on password policy, anti-virus, patching, and the like, and *never* sit down to develop operational risk and threat models. In essence: what's going on in the industry with security as simple compliance (executing a prefabricated list of tactics) versus security as an organizational strategy (studying the field and selecting what tactics to apply, and where and how)?

    • Sounds like I have been doing shit wrong and could have gotten things done quicker and slacked off. I do start with the lists of best practices and regulations. Then I go and check their layout, settings, firewall rules, configuration, physical security, etc., seeing how they are running things. After that I go and do a proper vulnerability scan and system scan (outside looking in and inside looking out) to see if what they say their system is set up as is what it actually is. If the customer allows it I do s
      • I've dealt with a lot of people who argue that the checklist is the only thing important. I've brought up the concept of identifying our assets, determining their importance, and creating trust zones and access controls based on that; people just roll their eyes and point out that the general NAS only allows finance to access the high-sensitivity finance share, and marketing to access marketing shares, etc. Put the finance NAS behind an ASA that does subnet and domain logon checking so that only certain

  • What are your thoughts on companies that do public demonstrations of how to execute AV bypass? Are these companies providing a service to the public by doing webcasts that give a high-level overview and show an AV bypass working on the latest version of a company's AV?
  • Why has the security industry never come out and unequivocally stated that locking owners out of their devices, regardless of what that device is, is a security risk? Malware is broadly defined as any software that makes a device act outside of what is allowed by the owner of the device, whether that is locking an owner out of their own device, limiting where they can use it, or making it surreptitiously communicate with people/companies not explicitly allowed by the owner of the device. By all definitions

  • Do you enjoy being a security expert more than driving a racing car?

  • A recent post from David Dill from Stanford University stated that "Online Voting Is a Danger to Democracy" [1]. Given that viruses and security breaches seem to be on the rise lately, do you see e-voting being established in our lifetime? [1]: https://engineering.stanford.e...
  • The default Ubuntu installation has a guest user without a password. This feature can be turned off, but I noticed that every once in a while the configuration changes (a move from /etc/lightdm to /usr/share/lightdm without removing /etc/lightdm, for example), so that if you don't pay attention the guest user is back. In my opinion the guest user removes one barrier for an attacker and is a bad idea.
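A check for the situation the post above describes. This is an added example, not code from the thread or from any poster: it reads LightDM's configuration files in the order LightDM merges them (the lightdm.conf.d directories, then /etc/lightdm/lightdm.conf, later files overriding earlier ones) and reports the effective `allow-guest` value, so a local override that has silently stopped applying shows up as "true" or "unset" rather than the "false" you remember setting. The optional root-prefix argument exists only so the check can be run against a constructed directory tree; on a real host call it with no argument.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): report the effective LightDM
# allow-guest setting by reading config files in LightDM's merge order.
# Assumption: the section the key lives in ([Seat:*] / [SeatDefaults]) is not
# checked; the last uncommented allow-guest= line in merge order wins.

# Print the last uncommented "allow-guest=<value>" in one file (lowercased), or nothing.
last_allow_guest() {
    sed -n 's/^[[:space:]]*allow-guest[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# $1 = optional root prefix (empty for the live system). Prints "true", "false" or "unset".
effective_allow_guest() {
    eag_root="${1:-}"
    eag_value=""
    # Drop-in directories, lowest to highest precedence; files within a
    # directory apply in name order (the shell glob sorts them).
    for eag_dir in /usr/share/lightdm/lightdm.conf.d \
                   /usr/local/share/lightdm/lightdm.conf.d \
                   /etc/xdg/lightdm/lightdm.conf.d \
                   /etc/lightdm/lightdm.conf.d; do
        for eag_f in "$eag_root$eag_dir"/*.conf; do
            [ -f "$eag_f" ] || continue
            eag_v=$(last_allow_guest "$eag_f")
            if [ -n "$eag_v" ]; then eag_value="$eag_v"; fi
        done
    done
    # The main config file is read last and overrides all drop-ins.
    eag_f="$eag_root/etc/lightdm/lightdm.conf"
    if [ -f "$eag_f" ]; then
        eag_v=$(last_allow_guest "$eag_f")
        if [ -n "$eag_v" ]; then eag_value="$eag_v"; fi
    fi
    if [ -n "$eag_value" ]; then printf '%s\n' "$eag_value"; else printf 'unset\n'; fi
}

# Report for the live system. LightDM's built-in default for allow-guest is true,
# so "unset" means the guest session is on wherever the guest-account helper exists.
printf 'effective allow-guest: %s\n' "$(effective_allow_guest)"
```

If this prints anything other than "false", the override the poster describes has been lost; the durable fix is a drop-in with a high-sorting name in /etc/lightdm/lightdm.conf.d (say 90-no-guest.conf containing `[Seat:*]` and `allow-guest=false`), which package upgrades do not touch, rather than an edit to a file the distribution also manages.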

  • ...would you most like to answer?

  • Huge efforts and money are spent protecting the edges of the network - whether it be firewalls and other router configurations, OS level configurations, and other filtering tools (such as virus detection and scanning, and log and packet inspection and analysis tools). There are also plenty of security companies willing to sell you a magical black box that will solve all of your security problems.

    The opposite seems to be the case when it comes to spending time and money on the security of applications use
