I am Mikko Hypponen, a computer security expert. Ask me anything!
Hi all! This is Mikko Hypponen.
I've been working with computer security since 1991 and I've tracked down various online attacks over the years. I've written about security, privacy and online warfare for magazines like Scientific American and Foreign Policy. I work as the CRO of F-Secure in Finland.
I guess my talks are fairly well known. I've done the most watched computer security talk on the net. It's the first one of my three TED Talks:
Here's a talk from two weeks ago at Slush: https://www.youtube.com/watch?v=u93kdtAUn7g
Here's a video where I tracked down the authors of the first PC virus: https://www.youtube.com/watch?v=lnedOWfPKT0
I spoke yesterday at TEDxBrussels and I was pretty happy with how the talk turned out. The video will be out this week.
Proof: https://twitter.com/mikko/status/539473111708872704
Ask away!
Edit:
I gotta go and catch a plane, thanks for all the questions! With over 3000 comments in this thread, I'm sorry I could only answer a small part of the questions.
See you on Twitter!
Edit 2:
Brand new video of my talk at TEDxBrussels has just been released: http://youtu.be/QKe-aO44R7k
mikkohypponen907 karma
If your pet has a good passphrase as a name: sure why not :)
I do recommend using phrases instead of words. That way it's easier to create long enough passwords.
Or, in fact, I recommend using a password manager.
mikkohypponen161 karma
I like password managers which store your passwords strongly encrypted on your own devices and then just sync them (encrypted) between your devices. This is the way our own password manager works.
DB626 karma
Yupp sounds like a good one. I'm already looking into your VPN product, so I might also get your PWManager.
If I understand right, the VPN account would be for PC and Android, right?
mikkohypponen63 karma
Freedome is right now available for Android and iOS. We will release versions for Windows and OS X desktop this month.
grrrwoofwoof1212 karma
What is name of your first pet?
What is name of your mother?
What school did you attend as a kid?
Edit: What is your mother's maiden name?
SaPro19872 karma
If you ever met Snowden what would be the first question you would ask him?
hedges747742 karma
What is something you find people do all the time that they really shouldn't when it comes to their computers security?
In7rud3R608 karma
Hey Mikko, which of the many viruses/malware you analysed was the most sophisticated and complex you ever encountered, and from a technical point of view why is it the "one"?
mikkohypponen1167 karma
Most complex malware ever? Stuxnet. Regin. Turla. Flame.
Incidentally, these are all examples of malware that have been developed by governments. They have much better resources than criminal gangs or random hackers.
Jadeyard420 karma
How safe are current smart phones and how secure are their connections? Are special phones used by politicians really safe, or do they get hacked as well?
mikkohypponen828 karma
The operating systems on our current phones (and tablets) are clearly more secure than the operating systems on our computers. That's mostly because they are much more restricted.
Windows Phones and iOS devices don't have a real malware problem (they still have to worry about things like phishing though). Android is the only smartphone platform that has real-world malware for it (but most of that is found in China and is coming from 3rd party app stores).
It is interesting that Android is the first Linux distribution to have a real-world malware problem.
mikkohypponen1655 karma
Yes, Google is doing a great job! Their products are excellent!
I just wish I could pay for them with money. Instead of paying for them with my data.
BadTaster306 karma
Greetings from Funland...
Lots of people are afraid of viruses and malware simply because they are all over the news and relatively easy to explain. I am personally more afraid of silently allowed data mining (i.e. the amount of info Google can get their hands on) and social-engineering-style "hacking".
How would you compare these two different threats and their threat levels from an average Joe's point of view: which of them is more likely to cause some harm? Or is there something else to be even more afraid of (governmental-level hacks/attacks)?
mikkohypponen376 karma
There are different problems: problems with security and problems with privacy.
Companies like Google and Facebook make money by trying to gather as much information about you as they can. But Google and Facebook are not criminals and they are not breaking the law.
Security problems come from criminals who do break the law and who directly try to steal from you with attacks like banking trojans or credit card keyloggers.
Normal, everyday people do regularly run into both problems. I guess getting hit by a criminal attack is worse, but getting your privacy eroded is not a laughing matter either.
Blanket surveillance of the internet also affects us all. But comparing these threats to each other is hard.
brain4narchy292 karma
Europol's cybercrime taskforce recently took down over a hundred darknet servers. Did the news shake your faith in TOR?
mikkohypponen454 karma
People use Tor for surfing the normal web anonymized, and they use Tor Hidden Service for running websites that are only accessible for Tor users.
Both Tor use cases can be targeted by various kinds of attacks. Just like anywhere else, there is no absolute security in Tor either.
I guess the takedown showed more about capabilities of current law enforcement than anything else.
I use Tor regularly to gain access to sites in the Tor Hidden Service, but for protecting my own privacy, I don't rely on Tor. I use VPNs instead. In addition to providing you an exit node from another location, VPNs also encrypt your traffic. However, Tor is free and it's open source. Most VPNs are closed source, and you have to pay for them. And you have to rely on the VPN provider, so choose carefully. We have a VPN product of our own, which is what I use.
miggset113 karma
I use a VPN regularly from work to bypass filters, and at home to avoid those pesky cease-and-desists. Although I'm not an infosec professional, I've always heard that how secure you are using a VPN is directly related to whether or not their logs of your traffic can be traced back to you.
How secure in your opinion are VPN providers (such as PIA, which I personally use)? And in the wake of the prevalence of government surveillance now, can VPN providers' claims of 'not keeping logs' be trusted to protect privacy?
mikkohypponen179 karma
Use a VPN provider you trust. Someone who's been in the security business for a long while. Also, aim for a vendor who doesn't store logs of user activity.
matti80265 karma
Hi, Mikko! Do you subscribe to Elon Musk's statements and conceptions of AI being the single biggest threat to humans?
mikkohypponen907 karma
Elon is the man. I've always thought of Tony Stark as my role model and Elon is the closest thing we have in the real world.
And he's right. Artificial Intelligence is scary.
I believe introducing an entity with superior intelligence into your own biosphere is a basic evolutionary mistake.
mikkohypponen313 karma
Bitcoin is interesting, in many different ways.
I do believe in cryptocurrencies. It might not be Bitcoin that changes the world, but something built on that will.
We see Bitcoin in our line of work all the time. Wallet theft. Ransomware where Bitcoin are used to pay the ransoms. Mining trojans.
However, that's just like blaming cash for being too handy for drug dealers.
Bitcoin is just a tool. Can be used for good or bad.
Jadeyard180 karma
Is it true that it isn't a huge challenge to modify malware in a way that it is not detected by any current anti virus program, so that people building bot nets or infiltrating computers with Trojans usually smuggle them past virus scanners?
mikkohypponen526 karma
It's trivial to modify existing malware so that traditional antivirus programs won't detect it any more. It only takes a couple of minutes.
That's why antivirus programs have been moving towards behaviour-based detection models as well as towards reputation-based detection models.
Do note that testing behaviour-based blocking is hard. That's why it's misleading when people post links to sites such as VirusTotal as evidence that a particular file is 'not detected by AVs'. There's no way to know if a particular antivirus would have blocked the file unless you actually try to run it.
I especially like reputation-based detection models. Virus writers go to great lengths to try to create unique, never-before-seen files against every victim, believing that this makes it harder for antivirus to block those files. Reputation-based blocking turns that on its head: they will block files which are very rare. So, a program would be blocked on your system with a warning like:
"As far as we can see, this program has never been executed by anyone else anywhere. You are the first person on the planet to run this file. This is highly unusual. We will block this file, even though we can't find any known malware from the file"
The only problem with this scenario is software developers, who compile their own programs. They obviously are the first people on the planet to run a particular program, as they made it themselves! They can easily whitelist their output folder to avoid this problem though.
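The two points in the answer above (a one-byte change defeats a hash signature; a prevalence check does not care what the bytes are, only how many hosts have run them) as a runnable toy, added here as an example. This is not code from the AMA or from any vendor's product. The signature list, the prevalence table, the "fewer than 5 hosts is rare" threshold and the developer output folder are all constructed assumptions.

```python
"""Added example: hash signature vs. prevalence ("reputation") blocking.

Everything here is constructed for the demo: the sample bytes, the
prevalence numbers, the RARE_THRESHOLD and the developer whitelist are
assumptions, not values from any real engine.
"""
import hashlib
from dataclasses import dataclass

RARE_THRESHOLD = 5                       # assumption: seen on < 5 hosts => rare
DEV_WHITELIST = ("/home/dev/build/",)    # assumption: the developer's output folder


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    reason: str


class Scanner:
    """Toy engine: an exact-hash signature list plus a cloud prevalence view."""

    def __init__(self, known_bad: set, prevalence: dict):
        self.known_bad = known_bad        # SHA-256 of known malware samples
        self.prevalence = prevalence      # SHA-256 -> number of hosts that ran it

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def scan(self, data: bytes, path: str) -> Verdict:
        h = self.digest(data)
        # 1. Traditional signature: exact match only. Any byte change breaks it.
        if h in self.known_bad:
            return Verdict(True, "signature match")
        # 2. Reputation: a file nobody else has ever run is suspicious by itself,
        #    unless it lives where this user builds their own binaries.
        if any(path.startswith(p) for p in DEV_WHITELIST):
            return Verdict(False, "whitelisted developer folder")
        seen_on = self.prevalence.get(h, 0)
        if seen_on < RARE_THRESHOLD:
            return Verdict(True, f"rare file: seen on {seen_on} host(s)")
        return Verdict(False, f"common file: seen on {seen_on} host(s)")

    def record_execution(self, data: bytes) -> None:
        """Cloud telemetry: one more host executed this exact file."""
        h = self.digest(data)
        self.prevalence[h] = self.prevalence.get(h, 0) + 1


def repack(sample: bytes) -> bytes:
    """Stand-in for the attacker's 'couple of minutes': any byte change (new
    packer, padding, appended junk) gives a file the hash list has never seen."""
    return sample + b"\x90"


# Constructed sample bytes (not real executables).
ORIGINAL_MALWARE = b"MZ\x90\x00 constructed payload v1"
POPULAR_APP = b"MZ\x90\x00 constructed popular installer"


def demo() -> dict:
    scanner = Scanner(
        known_bad={Scanner.digest(ORIGINAL_MALWARE)},
        prevalence={Scanner.digest(POPULAR_APP): 120_000},
    )
    variant = repack(ORIGINAL_MALWARE)
    downloads = "C:/Users/victim/Downloads/"
    return {
        "original":  scanner.scan(ORIGINAL_MALWARE, downloads + "a.exe"),
        "variant":   scanner.scan(variant, downloads + "a.exe"),
        "popular":   scanner.scan(POPULAR_APP, downloads + "setup.exe"),
        "own_build": scanner.scan(b"MZ fresh local build", "/home/dev/build/app"),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:10s} blocked={str(v.blocked):5s} {v.reason}")
```

The repacked variant is the interesting row: the signature no longer matches, but the file is also seen on zero other hosts, so the prevalence rule blocks it anyway. The whitelist is checked after the signature list on purpose, so a known sample dropped into the build folder is still caught.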
ZoFreX69 karma
Can you recommend any behaviour-based or reputation-based blocking software in particular (for Windows and/or OS X)?
x0n16 karma
I'm curious Mikko -- when Frans Veldman released the TBAV/TBCLEAN suite, which almost overnight made every other AV vendor's software look antiquated, how did this affect F-Secure? And what happened to that guy? He sold off to Norman and TBAV just fell away. The heuristics and the emulation in that suite made writing evasive code a ton of fun as a VX'er (apparently ;))
mikkohypponen17 karma
TBAV was very nice. It was SO fast...even the user interface was written in assembler.
Frans sold his part of the company. I haven't met him since 1997 or so.
tamraj_kilvish171 karma
The NSA is listed as the primary developer of SELinux (given the fact the source code is freely available). Do you suspect them to have backdoors to modify the kernel or do something malicious?
mikkohypponen307 karma
The consensus seems to be that the Security Enhanced kernel modules are coming from the IA (information assurance) wing of the NSA and are ok.
This is a great source for conspiracy theories though.
234throw131 karma
I just got a mental image of an NSA TAO team, all decked in black, tiptoeing across the hall to the NSA IA office to install hardware backdoors.
mikkohypponen127 karma
Nice pic. Also see http://www.pinterest.com/mikkohypponen/hackers-with-hoodies/
Chouma167 karma
At this point, what do you personally feel about security and mass surveillance in a post-Snowden world where still not much has changed?
mikkohypponen599 karma
I've learned that many, many people just don't care. Which is depressing.
If you don't care about mass surveillance for your own case, how about caring on behalf of the future generations?
We were the first generation that got online. What kind of an internet are we going to leave behind?
NomNinja156 karma
With the rise of the Internet of Things, what measures can we take to better secure ourselves in regards to home devices (laptops, smart-tvs, etc)?
mikkohypponen266 karma
Well, you won't be running an antivirus on your washing machine or toaster, that's for sure.
The real-world attacks against IoT devices are still limited - mostly because the ways of making money by hacking washing machines and so are limited.
As a result, the IoT security solutions aren't really widely available yet. They will be in the future though.
Fna1135 karma
Is it unethical to release viruses that kill viruses? Or would it be hard to tell the good guys from the bad guys (eventually)?
mikkohypponen299 karma
The idea of a 'good virus' has been discussed to death already years ago. The consensus is that anything good that could be done with self-replicating code could be done better without the replication.
See Dr. Vesselin Bontchev's seminal paper on this: https://www.virusbtn.com/files/old_papers/goodvir.txt
Jonri135 karma
Hello Mikko,
Last year in your talk at ACM CCS in Berlin you said that you wanted to believe in Snowden but you just weren't sure. Has your opinion changed since then? Do you think there has been some progress in the privacy area?
Thanks
mikkohypponen300 karma
Yes, I do believe Snowden is the real deal and that he did what he did because of his principles.
Our privacy has improved directly because of what Snowden did. A good practical example would be that Google is now encrypting the traffic in the leased fiber-optic cables they run between Google data centers. Good call.
Fennmarker133 karma
What do you think about rooting Android OS devices or jailbreaking iOS devices? Sincerely, a rooted droid user
mikkohypponen279 karma
Rooting or jailbreaking is great fun. But you do have to take your security in your own hands. You are breaking the built-in security model of your system on purpose.
Don't root your device if you don't understand what you're doing.
Horgh111 karma
Hi Mikko !
Do you still do malware analysis as a part of your day job ?
Do you have any advice for someone looking for a job in the field?
mikkohypponen327 karma
I do try to keep my "hands dirty". So I try to follow the technical developments in the field closely. I work within the F-Secure labs and I sit all day surrounded by our analysts, so I have a pretty good understanding of where we are.
I don't do binary code reversing any more. It's just becoming a bit much nowadays. I do reverse the occasional Javascript exploit though. Doing binary reverse engineering daily for a decade was enough I guess.
About working in infosec:
You need to pick your focus area. What do you want to do? Penetration testing? Encryption? Malware analysis? Forensics? Underground intelligence? Counter-espionage?
Then you need to find mentors and coaches. The easiest way to do this is via online forums dedicated to your focus area. For example, check forum.infosecmentors.com
SANS has some great online resources for people starting up in this area: check them out.
For a great malware backgrounder, read Peter Szor's book "The Art of Computer Virus Research and Defense" (getting dated) and "Practical Malware Analysis" by Michael Sikorski and Andrew Honig (much newer).
Follow the news. Follow the leaders on Twitter. Read /r/netsec. Read Hacker News. Read Krebs.
Don't waste your commute listening to pop music. Listen to infosec lectures and podcasts.
I wish I could give more guidance, but it's a fast-moving career. Nothing's constant for very long.
Also see http://krebsonsecurity.com/category/how-to-break-into-security/
Mikko
Jimmybullard26 karma
Hi!
Do you see malware analysis as a growth field for careers? Why?
Thanks.
mikkohypponen55 karma
Good malware analysts will always get a job. And malware isn't going to go away any time soon.
It's not just security companies who are hiring people in this field. Many large companies and telcos have their own CERT teams which hire malware analysts.
zorrotor102 karma
Many people I talk to about this privacy thingy say "I have nothing to hide, so why bother". Do you think this will ever change, that people would start caring about this? Have you already seen the general opinion shifting...?
mikkohypponen372 karma
Some people will always say this. But they are always the people who haven't really thought it through.
If you have nothing to hide, you can't keep a secret. If you have nothing to hide, show me your search history. If you have nothing to hide, give me your password. If you have nothing to hide, I can't trust you.
KittenWhispersnCandy86 karma
How do I keep my 11 year old from hacking all of the parental controls I put up?
kautium79 karma
People are often told that they should use strong cryptic passwords. Why use password managers or try to learn difficult passwords for all different sites/systems, when you can just do it like this: http://imgs.xkcd.com/comics/password_strength.png
You can also expand that one memorized sentence with some words or letters about that particular system, so that one password is only for that one site etc.
Password Managers might not be available on all platforms and at all times and there might also be some security issues with some of them that we just don't know yet.
Do you think there is something wrong about this approach?
mikkohypponen120 karma
Passphrases are the way to go. They are much easier to remember and much harder to crack with brute force. However, guessing your passphrase might be easier, especially if you use a simple system to create them ("This is where I buy my books" for Amazon - "This is where I buy my shoes" for Zappos - "This is where I buy my electronics" for Fry's etc.)
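The trade-off in the answer above, worked through with numbers: a random passphrase is easy to remember and stronger against brute force than a short random password, while a templated passphrase where only one word changes per site is only as strong as the attacker's guess at that one word. This block is an added example and not part of the AMA or the xkcd strip; the wordlist size, the guess rate and the eight-noun vocabulary the attacker is assumed to try are constructed assumptions.

```python
"""Added example: entropy of random vs. templated passphrases.

Constructed parameters: PRINTABLE_ASCII, DICEWARE_LIST, GUESSES_PER_SEC and
TEMPLATE_NOUNS are assumptions for the comparison, not measured values.
"""
import math
import secrets
from typing import Callable, Dict, List, Optional

PRINTABLE_ASCII = 95        # alphabet of a random "cryptic" password
DICEWARE_LIST = 7776        # words on a standard diceware list (6**5)
GUESSES_PER_SEC = 1e10      # assumption: offline attack on a fast, unsalted hash

# Assumed attacker knowledge for the templated scheme: the stem is fixed and
# the variable word comes from a small vocabulary predictable from the site.
TEMPLATE_NOUNS = ["books", "shoes", "electronics", "music",
                  "games", "clothes", "food", "tickets"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SEC) -> float:
    """Expected brute-force time (half the keyspace on average) in years."""
    return (2.0 ** bits / 2) / rate / (365 * 24 * 3600)


def random_passphrase(wordlist: List[str], words: int = 6) -> str:
    """Pick words with the CSPRNG, not by hand: the entropy figure only holds
    if the choice really is uniform."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def crack_templated(leaked: str, is_correct: Callable[[str], bool]) -> Optional[int]:
    """Attacker has seen one templated passphrase leak (say, from the bookshop)
    and guesses the sibling for another site by swapping the last word.
    Returns the number of guesses needed, or None if the vocabulary missed."""
    stem = leaked.rsplit(" ", 1)[0]            # "This is where I buy my"
    for n, noun in enumerate(TEMPLATE_NOUNS, start=1):
        if is_correct(f"{stem} {noun}"):
            return n
    return None


def compare() -> Dict[str, float]:
    """Entropy in bits of the schemes under discussion."""
    return {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "4 diceware words":         entropy_bits(DICEWARE_LIST, 4),
        "6 diceware words":         entropy_bits(DICEWARE_LIST, 6),
        "templated, 1 word varies": entropy_bits(len(TEMPLATE_NOUNS), 1),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years")
    # Constructed victim secret for the shoe shop; the bookshop one has leaked.
    shoe_shop_secret = "This is where I buy my shoes"
    print("guesses to recover sibling passphrase:",
          crack_templated("This is where I buy my books",
                          lambda guess: guess == shoe_shop_secret))
```

Four diceware words land roughly where eight random printable characters do (about 52 bits) and six words clear 77 bits, but the templated sibling falls in a couple of guesses once one site's password leaks, because the template itself is the secret and it is shared across sites.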
Snowfoo78 karma
As a first-year student going into networking and network security, are there any valuable tips/tricks you wish you had known when you started in the field and could pass on to others?
mikkohypponen192 karma
Start a blog. Start tweeting about your work and expertise. Write articles. Start building a brand for yourself. It will come in handy when you need to find a job.
Revelation_Now65 karma
Hi Mikko!
As an IT worker, it seems that Cryptolocker-style infections are on the rise. In my experience, these are far more devastating than your run-of-the-mill virus. What's worse, leading AV products like Kaspersky and ESET offer absolutely no protection against them.
What's worse is when they infect business networks: they have the ability to go back to the network drives and start encrypting data right on the servers.
Any time a business is hit with one of their emails, we rebroadcast the email to all of our clients... then, typically, a few days later a user at another company will open a copy of the email that they have received.
So, clearly virus warnings are not working to defeat these. The technology these businesses are paying good money for isn't doing anything. The infection goes straight through advanced firewalls. Do you have any recommendations on how to thwart these infections beyond restoring a backup and severing business continuity?
mikkohypponen116 karma
Ransom trojans are a major problem indeed. What to do? Well, don't get infected - or have good backups. Easier said than done.
Some of the ransom trojans are distributed via web exploits. So make sure all the browsers and plugins are up to date across your user base. Others are sent via infected email attachments. Fight these with tight rules on your email gateway.
Don't rely on users. Users will always doubleclick on anything.
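What "tight rules on your email gateway" can look like for the attachment route mentioned above, as an added example that is not part of the AMA or any gateway product: an attachment policy that rejects executable types by their final extension (so "invoice.pdf.exe" is caught), opens zip archives one level deep and applies the same rule inside, and treats an archive it cannot read, including an encrypted member, as a reason to quarantine. The blocked-extension list and the three sample mails are constructed assumptions; a production list would be longer and this logic would run inside a milter or the gateway's content filter rather than stand-alone.

```python
"""Added example: an email-gateway attachment policy for the ransomware
mail route. BLOCKED_EXT, ARCHIVE_EXT and the messages built in demo() are
constructed assumptions; nothing here comes from a real product.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List

BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
               "vbe", "wsf", "hta", "jar", "cpl", "msi", "lnk"}
ARCHIVE_EXT = {"zip"}


def risky_name(filename: str) -> str:
    """Reason string if the name is an executable type, else ''. Only the
    final extension counts, so double extensions like invoice.pdf.exe are caught."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return f"executable attachment type .{ext}" if ext in BLOCKED_EXT else ""


def inspect_archive(data: bytes) -> List[str]:
    """Look one level into a zip. An archive we cannot inspect is itself a finding."""
    findings: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # bit 0: member is encrypted
                    findings.append(f"{info.filename}: encrypted archive member, cannot inspect")
                    continue
                reason = risky_name(info.filename)
                if reason:
                    findings.append(f"{info.filename} inside archive: {reason}")
    except zipfile.BadZipFile:
        findings.append("attachment named .zip is not a valid archive")
    return findings


def check_message(raw: bytes) -> List[str]:
    """Gateway rule: list of reasons to quarantine the mail; empty means deliver."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = risky_name(name)
        if reason:
            findings.append(f"{name}: {reason}")
        elif name.lower().rsplit(".", 1)[-1] in ARCHIVE_EXT:
            findings.extend(inspect_archive(part.get_payload(decode=True) or b""))
    return findings


# --- constructed sample mails, shaped like the "invoice" lures described above ---

def build_message(filename: str, data: bytes, maintype: str, subtype: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return bytes(msg)


def make_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    return {
        "pdf": check_message(build_message(
            "invoice.pdf", b"%PDF-1.4 constructed", "application", "pdf")),
        "scr": check_message(build_message(
            "invoice.scr", b"MZ constructed", "application", "octet-stream")),
        "zip": check_message(build_message(
            "invoice.zip", make_zip({"invoice.pdf.exe": b"MZ constructed"}),
            "application", "zip")),
        "badzip": check_message(build_message(
            "invoice.zip", b"not a zip at all", "application", "zip")),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label:7s} {'QUARANTINE' if findings else 'deliver   '} {findings}")
```

The rule never trusts the declared MIME type, only the filename the user would see and, for archives, the member names inside; a truncated or password-protected zip is quarantined rather than waved through because it could not be checked.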
mikkohypponen140 karma
I've always had a soft spot for the old DEBUG.EXE that shipped with MS-DOS...
n Yeah.com
e0100 B0 13 CD 10 68 00 A0 07 31 FF B1 C8 E8 20 00 51
e0110 B9 40 01 E8 19 00 D8 C3 DF 1C D8 E3 8A 04 DF 1C
e0120 32 04 24 1F AA E2 EC 59 E2 E2 83 07 10 EB D9 89
e0130 0C DF 04 D9 C0 DE 07 DE 74 04 D9 FE DE 4C 14 C3
RCX
40
W
Q
delinquentme61 karma
Perhaps more of a pedantic question, but was there a defining moment at which you felt comfortable branding yourself as an 'expert' ? Could you give us details on that event / happening / certification ?
mikkohypponen80 karma
Oh, great question. When did I become an expert? I don't know. Hmm. I guess after I wrote my first articles for the international trade press and spoke at my first international conferences. For me, going international was a key part.
tuubzorz59 karma
Linux distributions generally don't need antivirus, but apart from the fact that most malware is written for Windows, why do you think this is? If linux became the popular choice on desktops, do you think it would be as prone to malware as Windows is? How about OS X?
mikkohypponen131 karma
Most mobile malware IS written for Linux, since most smartphones run Linux.
So first and foremost, it's a question of market shares.
After that it's a question of attacker skillsets. If the attackers have been writing Windows malware since Windows XP, they aren't likely to stop and switch easily to OS X or Linux unless they have to. And they don't have to.
ahbleza41 karma
Are the products developed by the KGB-trained Kaspersky seriously compromised malware through his close association with the FSB?
See: http://www.wired.com/2012/07/ff_kaspersky/all/
From the article: When a user installs Kaspersky software, it scans every application, file, and email on the computer for signs of malicious activity. If it finds a piece of known malware, it deletes it. If it encounters a suspicious program or a message it doesn’t recognize—and the user has opted to be part of the Kaspersky Security Network—it sends an encrypted sample of the virus to the company’s servers.
Comment: At the very least, we assume that the FSB has access to all information reported back to the KSN.
mikkohypponen109 karma
Yes, Kaspersky Lab seems to have some ties with the Russian government.
Which is not surprising. Because you know what? Symantec and McAfee have some ties with the US government too.
Does this mean that Russian users should not run American products? And vice versa? I don't know.
Sxi13937 karma
I have personally seen an increase in people using Password manager software like Lastpass / Keepass.
What are your thoughts on this software as a security expert?
Also do you see mobile apps such as Telegram or Red Phone being good to use as replacement applications ?
mikkohypponen84 karma
Password managers are obviously a good idea.
I especially like the ones where you don't store your passwords in the cloud of the manager vendor, but they are stored strongly encrypted on your own devices and just synced (encrypted) between your devices. This is the way our own password manager works.
velmu3k29 karma
Did you ever play Slicks'n'Slides?
mikkohypponen76 karma
Sure, I've played Slick'n'Slides.
But I do prefer Death Rally by fellow Finns at Remedy. They've even made a free version that works on current PCs. See http://remedygames.com/games/death-rally-2/
mikkohypponen38 karma
Dammit, I told you to send a private message. Now delete these quickly.
calibwam25 karma
Hi, Mikko!
I saw you talk at Paranoia in Oslo last spring, and it was by far the best talk there. Was sorry that you couldn't stick around so I could meet you later that day.
What would your advice be to someone still in university that's looking at a job in infosec? And what is your favourite virus/malware?
mikkohypponen46 karma
Hi! Sorry for missing you in Oslo. Look above for my answer on getting a job in the field.
My favourite malware? I'm not quite sure, but I'll go with Whale: http://wiw.org/~meta/vsum/view.php?vir=1545
alwaysinvisible20 karma
Hello Mikko,
First, thanks for all your computer security work & writings over the years. My favorite is when you returned the "Brain" virus floppy disk back to the guy who wrote it!
I am old enough to remember when computers were not connected to the internet, files were transferred by floppies, and you had to virus scan files you downloaded from BBSes.
Now to the questions:
1. How do you keep from being discouraged in today's world when there are so many potential threats, vulnerabilities, and even nations trying to hack or monitor internet traffic?
(Sometimes I feel that computing and technology has lost its own way and become another avenue for criminals and spying by "authorities")
2. How much more difficult is analyzing viruses/spyware nowadays than in the DOS days? Do you have better tools (disassemblers/sandboxed environments) that make life easier? Where do you think the future of threats will be headed?
3. What do you think the average person can do to ensure that the Internet remains free, unmonitored, and open while at the same time protected from threats?
Thank you.
mikkohypponen24 karma
Hi there!
Sometimes it's hard. Sometimes it feels like there's no point in fighting: we won't be able to win anyway. And this will never end. Maybe we're not stubborn.
Automation has changed the analysis work tremendously. We now receive around 250,000 raw sample submissions for analysis every day. About 7,000 of those are Android samples, by the way.
Stop the band. Grab the mic. Watch my 2014 TEDxBrussels talk, if that doesn't make sense. The video will be out this week.
AnonymityPower17 karma
are most antiviruses a scam? do antivirus products get tested by other companies?
mentatf11 karma
Running Linux as a casual user with basic root knowledge, am I better protected against viruses/malware than windows users with an updated antivirus ?
mikkohypponen16 karma
You're far better off, because there are much, much fewer attacks against Linux users.
Tweddlr10 karma
Should the attack on Sony Pictures worry other U.S. companies? Do you believe it was a state-funded attack by North Korea or simply a group of hackers?
mikkohypponen15 karma
Well, it might indeed be North Korea.
And yes, other U.S. companies making comedy movies about assassinating Kim Jong-un should be worried too.
ossij1415 karma
People say you should not use the name of your pet as your password. But what if your pet has very difficult, unique name with numbers and special characters, and you also change the name of the pet frequently - is it still unsafe to use it as password?