I am Mikko Hypponen, a computer security expert. Ask me anything!

People say you should not use the name of your pet as your password. But what if your pet has very difficult, unique name with numbers and special characters, and you also change the name of the pet frequently - is it still unsafe to use it as password?

If your pet has a good passphrase as a name: sure why not :)

I do recommend using phrases instead of words. That way it's easier to create long enough passwords.

Or, in fact, I recommend using a password manager.

Which one? There are so many.

I like password managers which store your passwords strongly encrypted on your own devices and then just sync them (encrypted) between your devices. This is the way our own password manager works.

Yupp sounds like a good one. I'm already looking into your VPN product, so I might also get your PWManager.

If I understand right, the VPN account would be for PC and Android, right?

Freedome is right now available for Android and iOS. We will release versions for Windows and OS X desktop this month.

What is name of your first pet?

What is name of your mother?

What school did you attend as a kid?

Edit: What is your mother's maiden name?

Please speak up, I can't hear you.

If you ever met Snowden what would be the first question you would ask him?

'What would you like to drink? It's on me.'

What is something you find people do all the time that they really shouldn't when it comes to their computers security?

People run IE 6 all the time. What the hell.

Who is this 4chan?

I believe I met him once at DEF CON. But we were both drunk.

hey Mikko , which of the many viruses/malwares you analysed was the most sophisticated and complex you ever encountered and from technical point of view why is it the "one" ?

Most complex malware ever? Stuxnet. Regin. Turla. Flame.

Incidently, these are all examples of malware that have been developed by governments. They have much better resources than criminal gangs or random hackers.

How safe are current smart phones and how secure are their connections? Are special phones used by politicians really safe, or do they get hacked as well?

The operating systems on our current phones (and tablets) are clearly more secure than the operating systems on our computers. That's mostly because they are much more restricted.

Windows Phones and iOS devices don't have a real malware problem (they still have to worry about things like phishing though). Android is the only smartphone platform that has real-world malware for it (but most of that is found in China and is coming from 3rd party app stores).

It is interesting the Android is the first Linux distribution to have a real-world malware problem.

Is Google doing a good job?

Yes, Google is doing a great job! Their products are excellent!

I just wish I could pay for them with money. Instead of paying for them with my data.

Greetings from Funland...

Lot's of people are afraid of the viruses and malware only simply because they are all over the news and realtively easy to explain to. I am personally more afraid of the silently allowed data mining (i.e. the amount of info Google can get their hands on) and social engineering style of "hacking".

How would you compare these two different threats and their threat levels on Average Joes point of view - which of them is more likely to cause some harm. Or is there something else to be more afraid of even more (govermental level hacks/attacks)?

There are different problems: problems with security and problems with privacy.

Companies like Google and Facebook make money by trying to gather as much information about you as they can. But Google and Facebook are not criminals and they are not breaking the law.

Security problems come from criminals who do break the law and who directly try to steal from you with attacks like banking trojans or credit card keyloggers.

Normal, everyday people do regularily run into both problems. I guess getting hit by a criminal attack is worse, but getting your privacy eroded is not a laughing matter either.

Blanket surveillance of the internet also affects us all. But comparing these threats to each other is hard.

Europol's cybercrime taskforce recently took down over a hundred darknet servers. Did the news shake your faith in TOR?

People use Tor for surfing the normal web anonymized, and they use Tor Hidden Service for running websites that are only accessible for Tor users.

Both Tor use cases can be targeted by various kinds of attacks. Just like anywhere else, there is no absolute security in Tor either.

I guess the takedown showed more about capabilities of current law enforcement than anything else.

I use Tor regularily to gain access to sites in the Tor Hidden Service, but for proteting my own privacy, I don't rely on Tor. I use VPNs instead. In addition to providing you an exit node from another location, VPNs also encrypt your traffic. However, Tor is free and it's open source. Most VPNs are closed source, and you have to pay for them. And you have to rely on the VPN provider, so choose carefully. We have a VPN product of our own, which is what I use.

I use a VPN regularly from work to bypass filters, and at home to avoid those pesky cease-and-desists. Although I'm not a infosec professional I've always heard that how secure you are using a VPN is directly related to whether or not their logs of your traffic can be traced back to you.

How secure in your opinion are VPN providers (such as PIA which I personally use)? And in wake of the prevalence of government surveillance now can VPN providers claims of 'not keeping logs' be trusted to protect privacy?

Use a VPN provider you trust. Someone who's been in the security business for a long while. Also, aim for a vendor who doesn't store logs of user activity.

Do you keep logs on the VPN?

Freedome stores no logs.

Hi, Mikko! Do you subscribe to Elon Musk's statements and conceptions of AI being the single biggest threat to humans?

http://www.theguardian.com/technology/2014/oct/27/elon-musk-artificial-intelligence-ai-biggest-existential-threat

Elon is the man. I've always thought of Tony Stark as my role model and Elon is the closest thing we have in the real world.

And he's right. Artificial Intelligence is scary.

I believe introducing an entity with superior intelligence into your own biosphere is a basic evolutionary mistake.

Thoughts on bitcoin from a security standpoint?

Bitcoin is interesting, in many different ways.

I do believe in cryptocurrencies. It might not be Bitcoin that changes the world, but something built on that will.

We see Bitcoin in our line of work all the time. Wallet theft. Ransomware where Bitcoin are used to pay the ransoms. Mining trojans.

However, that's just like blaming cash for being too handy for drug dealers.

Bitcoin is just a tool. Can be used for good or bad.

Is it true that it isn't a huge challenge to modify malware in a way that it is not detected by any current anti virus program, so that people building bot nets or infiltrating computers with Trojans usually smuggle them past virus scanners?

It's trivial to modify existing malware so that traditional antivirus programs won't detect it any more. It only takes couple of minutes.

That's why antivirus programs have been moving towards behaviour-based detection models as well as towards reputation-based detection models.

Do note that testing behaviour-based blocking is hard. That's why it's misleading when people post links to sites such as Virustotal as evidence that particular file is 'not detected by AVs'. There's no way to know if a particular antivirus would have blocked the file, unless you would try to run it.

I especially like reputation-based detection models. Virus writers go to great lengths to try to create unique, never-before-seen files against every victim, believing that this makes it harder for antivirus to block those files. Reputation-based blocking turns that on it's head: they will block files which are very rare. So, a program would be blocked on your system with a warning like:

"As far as we can see, this program has never been executed by anyone else anywhere. You are the first person on the planet to run this file. This is highly unusual. We will block this file, even though we can't find any known malware from the file"

The only problem with this scenario are software developers, who compile their own programs. They obviously are the first persons on the planet to run a particular program - as they made it themselves! They can easily whitelist their output folder to avoid this problem though.

Can you recommend any behaviour-based or reputation-based blocking software in particular (for Windows and/or OS X)?

Well, our own antivirus has these built in.

I'm curious Mikko -- when Frans Veldman released the TBAV/TBCLEAN suite, which almost overnight made every other AV vendor's software look antiquated, how did this affect F-secure? And what happened that guy? He sold off to Norman and TBAV just fell away. The heuristics and the emulation in that suite made writing evasive code a ton of fun as a VX'er (apparently ;))

TBAV was very nice. It was SO fast...even the user interface was written in assembler.

Frans sold his part of the company. I haven't met him since 1997 or so.

The NSA is listed as the primary developer of SELinux. (Given the fact the source code is free available). Do you suspect them to have backdoors to modify the kernel or do something malicious?

The consensus seems to be that the Security Enhanced kernel modules are coming from the IA (information assurance) wing of the NSA and are ok.

This is a great source for conspiracy theories though.

I just got a mental image of an NSA TAO team, all decked in black, tiptoeing across the hall to the NSA IA office to install hardware backdoors.

[deleted]

Nice pic. Also see http://www.pinterest.com/mikkohypponen/hackers-with-hoodies/

At this point, what do you personally feel about security and mass surveillance in a post-Snowden world where still not much has changed?

I've learned that many, many people just don't care. Which is depressing.

If you don't care about mass surveillance for your own case, how about caring on behalf of the future generations?

We were the first generation that got online. What kind of an internet are we going to leave behind?

With the rise of the Internet of Things, what measures can we take to better secure ourselves in regards to home devices (laptops, smart-tvs, etc)?

Well, you won't be running an antivirus on your washing machine or toaster, that's for sure.

The real-world attacks against IoT devices are still limited - mostly because the ways of making money by hacking washing machines and so are limited.

As a result, the IoT security solutions aren't really widely available yet. They will be in the future though.

Is it unethical to release viruses that kill viruses? Or would it be hard to tell the good buys from the bad guys (eventually)?

The idea of a 'good virus' has been discussed to death already years ago. The consensus is that anything good that could be done with self-replicating code could be done better without the replication.

See Dr. Vesselin Bontchev's seminal paper on this: https://www.virusbtn.com/files/old_papers/goodvir.txt

Antivirus software does exactly what you're talking about already.

Antivirus programs do not self-replicate.

Hello Mikko,

Last year in your talk at ACM CCS at Berlin you said that you wanted to believe in Snowden but you just weren't sure. Did your opinion change until now? Do you think there has been some progress in the privacy area?

Thanks

Yes, I do believe Snowden is the real deal and that he did what he did because of his principles.

Our privacy has improved directly of what Snowden did. A good practical example would be that Google is now encrypting the traffic in the leased fiber-optic cables they run between Google data centers. Good call.

What do you think about rooting android-os devices or jailbreaking iOS-devices? Sincerelly, a rooted droid user

Rooting or jailbreaking is great fun. But you do have to take your security in your own hands. You are breaking the built-in security model of your system on purpose.

Don't root your device if you don't understand what you're doing.

Hi Mikko !

Do you still do malware analysis as a part of your day job ?

Do you have some advices for someone searching a job in the field ?

I do try to keep my "hands dirty". So I try to follow the technical developments in the field closely. I work within the F-Secure labs and I sit all day surrounded by our analysts, so I have a pretty good understanding of where we are.

I don't do binary code reversing any more. It's just becoming a bit much nowadays. I do reverse the occasional Javascript exploit though. Doing binary reverse engineering daily for a decade was enough I guess.

About working in infosec:

You need to pick your focus area. What do you want to do? Penetration testing? Encryption? Malware analysis? Forensics? Underground intelligence? Counter-espionage?

Then you need to find mentors and coaches. The easiest way to do this is via online forums dedicated to your focus area. For example, check forum.infosecmentors.com

SANS has some great online resources for people starting up in this area: check them out.

For a great malware backgrounder, read Peter Szor's book "Art of Computer virus research" (getting dated) and "Practical Malware Analysis" by Michael Sikorski and Andrew Honig (much newer).

Follow the news. Follow the leaders on Twitter. Read /r/netsec. Read Hacker News. Read Krebs.

Don't waste your commute to listening to pop music. Listen to infosec lectures and podcasts.

I wish I could give more guidance, but it's a fast-moving career. Nothing's constant for very long.

Also see http://krebsonsecurity.com/category/how-to-break-into-security/

Mikko

Hi!

Do you see malware analysis as a growth field for careers? Why?

Thanks.

Good malware analysts will always get a job. And malware isn't going to go away any time soon.

It's not just security companies who are hiring people in this field. Many large companies and telcos have their own CERT teams which hire malware analysts.

Many people I talk to about this privacy thingy say "I have nothing to hide, so why bother". Do you think this will ever change, that people would start caring about this? Have you already seen the general opinion sifting...?

Some people will always say this. But they are always the people who haven't really thought it through.

If you have nothing to hide, you can't keep a secret. If you have nothing to hide, show me your search history. If you have nothing to hide, give me your password. If you have nothing to hide, I can't trust you.

what is your favorite gnu/linux distro?

Tails.

How do I keep my 11 year old from hacking all of the parental controls I put up?

Move his computer to the living room.

People are often told that they should use strong cryptic passwords. Why use password managers or try to learn difficult passwords for all different sites/systems, when you can just do it like this: http://imgs.xkcd.com/comics/password_strength.png

You can also expand that one memorized sentence with some words or letters about that particular system, so that one password is only for that one site etc.

Password Managers might not be available on all platforms and at all times and there might also be some security issues with some of them that we just don't know yet.

Do you think there is something wrong about this approach?

Passphrases are the way to go. They are much easier to remember and much harder to crack with brute force. However, guessing your passphrase might be easier, especially if you use a simple system to create them ("This is where I buy my books" for Amazon - "This is where I buy my shoes" for Zappos - "This is where I buy my electronics" for Fry's etc.)

As a first year student going through into networking and network security, are there any valuables tips/tricks you'd wish you had known when you started in the field and could pass on to others?

Start a blog. Start tweeting about your work and expertese. Write articles. Start building a brand of yourself. It will come handy when you need to find a job.

Hi Mikko!

As an IT worker, it seems that Cryptolocker style infections are on the rise. In my experience, these are far more devastating than your run of the mill virus. Whats worse, leading AV products like Kaspersky and ESET offer absolutely no protection against them.

Whats worse, is when they infect business networks, they have the ability to go back to the network drives and start encrypting data right on the servers.

Any time a business is hit with one of their emails, we rebroadcast the email to all of our clients... then, typically, a few days later a user at another company will open a copy of the email that they have received.

So, clearly virus warnings are not working to defeat these. The technology these businesses are paying good money for aren't doing anything. The infection goes straight though advanced firewalls. Do you have any recommendations on how to thwart these infections beyond restoring a backup and severing business continuity?

Ransom trojans are a major problem indeed. What to do? Well, don't get infected - or have good backups. Easier said than done.

Some of the ransom trojans are distributed via web exploits. So make sure all the browsers and plugins are up to date across your user base. Others are sent via infected email attachments. Fight these with tight rules on your email gateway.

Don't rely on users. Users will always doubleclick on anything.

Will our kids still have a free Internet?

Oh man, I wish they will!

Perhaps more of a pedantic question, but was there a defining moment at which you felt comfortable branding yourself as an 'expert' ? Could you give us details on that event / happening / certification ?

Oh, great question. When did I become an expert? I don't know. Hmm. I guess after I wrote my first articles for international trade press and spoke in my first international conferences. For me, going international was a key part.

Favorite debugging tool?

I've always had a soft spot for the old DEBUG.EXE that shipped with MS-DOS...

n Yeah.com

e0100 B0 13 CD 10 68 00 A0 07 31 FF B1 C8 E8 20 00 51

e0110 B9 40 01 E8 19 00 D8 C3 DF 1C D8 E3 8A 04 DF 1C

e0120 32 04 24 1F AA E2 EC 59 E2 E2 83 07 10 EB D9 89

e0130 0C DF 04 D9 C0 DE 07 DE 74 04 D9 FE DE 4C 14 C3

RCX

40

W

Q

Linux distributions generally don't need antivirus, but apart from the fact that most malware is written for Windows, why do you think this is? If linux became the popular choice on desktops, do you think it would be as prone to malware as Windows is? How about OS X?

Most mobile malware IS written for Linux, since most smartphones run Linux.

So first and foremost, it's a question of market shares.

After that it's a question of attacker skillsets. If the attackers have been writing Windows malware since Windows XP, they aren't likely to stop and switch easily to OS X or Linux unless they have to. And they don't have to.

Have you ever tried growing a beard? If so, did it work out?

Nope, not yet.

Are the products developed by the KGB-trained Kaspersky seriously compromised malware through his close association with the FSB?

See: http://www.wired.com/2012/07/ff_kaspersky/all/

From the article: When a user installs Kaspersky software, it scans every application, file, and email on the computer for signs of malicious activity. If it finds a piece of known malware, it deletes it. If it encounters a suspicious program or a message it doesn’t recognize—and the user has opted to be part of the Kaspersky Security Network—it sends an encrypted sample of the virus to the company’s servers.

Comment: At the very least, we assume that the FSB has access to all information reported back to the KSN.

Yes, Kaspersky Lab seems to have some ties with the Russian government.

Which is not surprising. Because you know what? Symantec and McAfee have some ties with the US government too.

Does this mean that Russian users should not run American products? And vice versa? I don't know.

I have personally seen an increase in people using Password manager software like Lastpass / Keepass.

What are you thoughts on this software as a security expert?

Also do you see mobile apps such as Telegram or Red Phone being good to use as replacement applications ?

Password managers are obviously a good idea.

I especially like the ones where you don't store your passwords in the cloud of the manager vendor, but they are stored strongly encrypted on your own devices and just synced (encrypted) between your devices. This is the way our own password manager works.

Did you ever play Slicks'n'Slides?

http://www.turbosliders.com/forum/viewtopic.php?f=2&t=3084

Sure, I've played Slick'n'Slides.

But I do prefer Death Rally by fellow Finns at Remedy. They've even made a free version that works on current PCs. See http://remedygames.com/games/death-rally-2/

Here's the euros for your plugging, Sir.

€€€

Dammit, I told you to send a private message. Now delete these quickly.

Alright, what are the 3 most commonly used passwords?

• password
• 12345
• hunter2

Hi, Mikko!

I saw you talk at Paranoia in Oslo last spring, and it was by far the best talk there. Was sorry that you couldn't stick around so I could meet you later that day.

What would your advice be to someone still in university that's looking at a job in infosec? And what is your favourite virus/malware?

Hi! Sorry for missing you in Oslo. Look above for my answer on getting a job in the field.

My favourite malware? I'm not quite sure, but I'll go with Whale: http://wiw.org/~meta/vsum/view.php?vir=1545

Hello Mikko,

First, thanks for all your computer security work & writings over the years. My favorite is when you returned the "Brain" virus floppy disk back to the guy who wrote it!

I am old enough to remember when when computers were not connected to the internet, files were transferred by floppies, and you had to virus scan files you downloaded from BBSes.

Now to the questions:

*1. How do you keep from being discouraged in today's world when there are so many potential threats, vulnerabilities, and even nations trying to hack or monitor internet traffic? *

(Sometimes I feel that computing and technology has lost its own way and become another avenue for criminals and spying by "authorities")

2. How much more difficult is analyzing viruses/spyware nowadays than in the DOS days? Do you have better tools (disassemblers/sandboxed environments) that make life easier? Where do you think the future of threats will be headed?

3. What do you think the average person can do to ensure that the Internet remains free, unmonitored, and open while at the same time protected from threats?

Thank you.

Hi there!

1. Sometimes it's hard. Sometimes it feels like there's no point in fighting: we won't be able to win anyway. And this will never end. Maybe we're not stubborn.

2. Automation has changed the analysis work tremendously. We now receive around 250,000 raw sample submissions for analysis every day. About 7,000 of those are Android samples, by the way.

3. Stop the band. Grab the mic. Watch my 2014 TEDxBrussels talk, if that doesn't make sense. The video will be out this week.

are most antiviruses a scam? do antivirus products get tested by other companies?

Check AV-Test and AV-Comparatives for independent tests.

Running Linux as a casual user with basic root knowledge, am I better protected against viruses/malware than windows users with an updated antivirus ?

You're far better off, because there are much, much less attacks against Linux users.

citizenfour doc not coming to Finland. How pissed are you?

We're still trying to set up our own private screening.

Should the attack on Sony Pictures worry other U.S. companies? Do you believe it was a state-funded attack by North Korea or simply a group of hackers?

Well, it might indeed be North Korea.

And yes, other U.S. companies making comedy movies about assasinating Kim-Jong Un should be worried too.