My TED Talk has just been published. AMA.
I did a TED Talk on computer viruses last week at TEDGlobal.
It has today been published on TED.COM: http://on.ted.com/Hypponen
Ask me anything about speaking at TED or anything else.
Added: This video might be interesting as well. Reddit is mentioned.
I've been watching TED talks since the very beginning, and I can honestly say, your talk is in my top ten.
Your laptop has a 5.25 inch floppy drive?
Of course it doesn't, I was just shitting you!
I'm just opening the DVD-ROM drive and closing it, inserting the floppy to go below my laptop.
That was so masterful. You are a wizard and sound like a Nordic Sean Connery. And the entire culture of early viruses and malware writers today is so fascinating, I'd read the book if you wrote it.
Yeah, I should write a book. I really should. Oh well.
How much does it cost to attend a TED Talk and what's the demographic of the audience? How were you approached into giving a TED Talk?
Obviously speakers get in for free, so I didn't have to pay anything for TEDGlobal this year. They don't pay speaker fees either - but they did cover my flights (economy class) and hotel.
I did attend TED 2009 in Long Beach. There was an application process to attend and you needed people to recommend you. Entry fee was $6000 (which my company paid).
I was approached about six months ago by TEDGlobal organizers, asking me to speak. Obviously, I was thrilled.
They don't pay you to talk, and earn $6k per ticket?
TEDs are organized by a non-profit organization.
The production quality of TED Talks is excellent and they post all the videos online for free. Streaming millions of views of about a thousand TED Talks is not cheap I guess.
Thank you! Very interesting talk. I hope that people take this seriously and understand that a few downloaded films are not so horrifying compared to an emptied bank account and a stolen identity! Keep up the good work.
PS. You look younger than 42!
I do? Best comment ever.
How did they decide to approach you?
When I attended TED in 2009, I spoke with Chris Anderson about talking at TED.
However, when I got contacted in early 2011, it was by Bruno Giussani, the guy who's in charge of TEDGlobal.
One of the best talks ever.
There actually used to be a list of my talks on Wikipedia but then somebody deleted the page.
They had a professional groomer do my hair before I went on stage. Make-up, too.
Is that a logo of the pirate bay on the projector? The internet is indeed a beautiful place.
In HD: http://i.imgur.com/XtCq7.png
...yes it is - nice catch.
You all should watch TED Talks in HD.
Hey, I was one of the millions of people watching it live through TED Global from Romania. Your talk was one of the best of the week. I'm a young computer science student and, considering the ease with which you can make money through cracking, I have always been at the crossroads between hacking and cracking. Whether to use my skills for good or for bad. And I can truly say your talk made me realize that it's much more rewarding and interesting to be the one catching the bad guys rather than to be a bad guy myself. You are a great man. Thank you for inspiring me to do more good on the web. Also I want to apologize for my country having a big role in the cracking and phishing community. We are relatively poor people so some of us tend to look for easy ways to make money. I hope you and your colleagues don't think less of my country because of them. Is there any place on the web where I can find guides and tips on how I can become one of you "cyberheroes"? Thank you and good luck!
Thank you very much and keep it up. We need more good guys; we have enough bad guys already.
There are some pointers in our blog at http://www.f-secure.com/weblog
Another good resource is the Naked Security blog run by Sophos.
I'm reading all your comments in your voice. this is awesome.
I'm reading your comments in the voice of Professor Emmett Brown.
What legal authority do you think should be responsible for pursuing and prosecuting digital criminals? Also, how would a trial-by-jury work without very technologically knowledgeable jurors?
I've been promoting an idea of creating an international collective of law enforcement to fight online crime.
All member countries would be required to assist in an investigation if another member country requests it (even if the case wouldn't seem big enough from their own point of view to warrant investigation).
This would bypass the problem traditional international law enforcement has with online crime: they've been built to fight huge multi-million dollar crimes like drug trafficking. In online crime, one victim typically only loses a few hundred or a few thousand dollars. But there might be tens of thousands of victims, all around the world.
Maybe this is a dumb question, but how is it that these guys aren't given away by their banking information? For example if you've got some virus which is using people's credit cards to send a ton of money to an account, wouldn't it be easy for the bank to make the connection that all of these transactions are being disputed, then contact the law enforcement in the jurisdiction of the account to go arrest whoever opened it?
No. Indeed, that would be too simple.
For example, stolen credit card details are used to create new gaming accounts in online poker games.
Then the criminal goes online to play with the new account. But he will go into a virtual poker table where all the other players ARE HIS OWN ACCOUNTS. And when he plays with the new account, HE PLAYS BADLY on purpose. Losing money, and thus moving it from the stolen card to his own gaming account. These accounts can now cash the money back to the real world and it all looks normal. "Where did this money come from?" "I got lucky and won it in poker. See, here's the logs, here's the receipts..."
That really makes a lot of sense... thanks for sharing that. Are there any other ways that you can think of for them to launder their money and not have it be directly tracked? Just curious.
Sure. For example quickswapping.
Quickswapping works like this:
- The criminal. We call him Chuck.
- First victim. We call her Alice. Alice's computer got infected and a keylogger stole her credit card number, which was sent to Chuck, the criminal.
- Second victim. We call him Bob.
Chuck uses keyloggers to gather credit card info. He has tons of card numbers and associated data, but he does not want to get caught cashing the cards. So he does Quickswapping on eBay.
Chuck goes online and posts lucrative deals with popular items, specifically brand new items. Typical choices would be "Sony Playstation, new in box", "Dell Studio 17 laptop, new, unopened" etc. The trick is, Chuck DOES NOT HAVE these items. Yet he posts them for sale.
Victim Bob is browsing eBay, looking for a good deal on a Playstation 3. He sees Chuck's auction and bids on it.
A few days later, the auction closes and Bob is the winning bidder for, say, $200 where the price in shop would be $399.
Chuck now emails Bob and congratulates him on the great deal he made. "It's brand new. I'll ship it to you right away. Check it out and only once you're completely happy with the device, then you pay me". Bob sees no possible downside in this so he agrees.
Now the tricky part. Since Chuck does not have a Playstation to send, he instead goes to an online store like Amazon.com. Using Alice's stolen credit card he makes a GIFT PURCHASE of a brand new Playstation and has it shipped to Bob's address.
A day later, DHL delivers the Playstation to Bob. He can't believe his luck. Indeed, it is a brand new Playstation. The next day, Chuck emails him again, asking if the game arrived.
And now Chuck will ask for payment. Via Western Union. Or Webmoney. Or Fethard Finance. Or any anonymous one-way online money transfer mechanism.
Bob pays him. So far this is a win-win situation. Bob got a killer deal and Chuck got some cash.
But we have a loser: Alice.
When Alice receives her next credit card bill, she's going to notice an extra Playstation purchase. Alice will call her bank and refuse to pay it. The bank will call Amazon.com and reverse the charges. Amazon will call the cops. The cops WILL NOT go to Chuck. Nobody knows where Chuck is or even who he is. Instead, the cops will go to Bob. They will take away the Playstation and possibly even charge him for having stolen property.
Bottom line is that when everyday users go to online auctions and look for good value, scenarios like this NEVER occur to them. They'd never imagine that the item they are bidding on might not exist at all and instead they are laundering money for online criminals.
To piggyback on Mikk
Prosecuting crimes like this is a bureaucratic nightmare. Mapping all the user accounts in Mikko's example back to the same person is probably only trivially difficult from a technical standpoint, but the law involved in getting access to the necessary data is quite another thing. How are you going to build a case against someone if you have to subpoena the logs/records of online companies all over the world? To say that it is neither cost- nor time-effective would be a drastic understatement.
This issue is as much about laws and governments as it is technology.
Mikka? Mikka? Are you talking to me? Or are you typing with a ham sandwich?
Is it possible to verify?
Would this do? https://twitter.com/mikkohypponen/status/93351417640787968
Note that @TEDNews has retweeted it.
Also, F-Secure's blog and TED's Chris Anderson link to my @mikkohypponen account.
A picture of you with a wok lid on your head, is also acceptable identification.
What does it take to get on TED? Were you invited or do you send in a request? Does a peer nominate you perhaps? Is the honor of being on TED the only reciprocity or do you receive a certificate or something? Did you meet anyone interesting? Did you have to present your talk to executives before you were allowed to present it to the public? What in your opinion was (or currently is) the most devastating virus created? Stuxnet perhaps? (note: I haven't watched the talk yet, I'm about to)
EDIT: watched the talk! Brilliant!
No certificate, but none needed. I'm sure linking to your own TED Talk from your bio is reward enough.
I met tons of fascinating people. There weren't as many celebrities (movie stars, big CEOs) in TEDGlobal as in TED Long Beach. Then again, Long Beach is in California.
Each speaker is supposed to do a full rehearsal which is viewed by Chris Anderson or Bruno Giussani of TED. They give you feedback and coach you before doing the real thing. Due to clashes of rehearsal schedules and my use of an overhead projector, I actually did not get to do this. What you see on the video is my first real run of the talk.
The most devastating virus? Depends on how you define it. Stuxnet is scary, but it didn't affect the masses at all. Some of the destructive viruses in the 1990s caused tons of damage.
What happened to the guy you tracked down in Russia with the Mercedes Benz?
Nothing. He's still there. Although now he's driving around in a Toyota LandCruiser V8.
Will you do another TED Talk?
I'd love to.
But very few speakers do. Bill Gates has done multiple TED Talks, so has Al Gore, and Malcolm Gladwell....
Don't forget Hans Rosling. Brilliant guy.
Absolutely! Agreed...although we Finns hate the Swedes (it's a hockey thing).
My question is not concerning your talk, but rather I'm curious as to what motivated you to do an AMA. Are you an active redditor? Was it suggested to you by someone else? Thanks!
I'm an active Redditor.
You should have put the reddit alien on the spreadsheet.
I know! I realised much too late that the transparency with the company logos was missing Reddit Alien! What a wasted opportunity...
You mentioned, in your talk, that you wanted to find the people in the world who have the skills to become part of organized crime, but don't yet have the opportunity. What can you, as a security activist and professional, do to identify these persons and how would you go about reaching out to them?
We would need to talk to the generation that's growing up now.
I believe events like Imagine Cup, Campus Party and Assembly are excellent examples of showing kids productive ways of using their skills.
What do you think about online competitions specifically geared towards computer security? (For example, things such as Defcon?)
CTFs and Reverse Engineering Challenges? Great stuff.
Where's your accent from?
Were Basit & Amjad nice? Were they able to capitalize on their "invention"?
Where do you think Stuxnet came from?
Basit and Amjad were very nice. See the full video here.
Stuxnet was developed by the Government of the United States.
Ok, I believe Stuxnet was developed by the Government of the United States.
In fact, I believe that after George W. Bush signed a cyber attack program against Iran in 2008, Stuxnet was the end result of that signature.
Hi Mikko, Finnish IT student (IT-tradenomi) here. What was your path in entering the antivirus software development back in the 1990s and what path would you recommend now?
I did Lukio --> ATK-instituutti (graduated) --> Helsinki University / Computer Science (never graduated) --> F-Secure.
Nowadays I would recommend Aalto University / Computer Science dep.
Unless five million dollars are transferred to the following numbered account in seven days, I will capsize five tankers in the Ellingson fleet.
Fantastic speech, Mikko! One of the best TED Talks I have ever seen.. I love all your points and the amount of knowledge you seem to have on the subject is so amazing!
May I ask who you work for?
I work for F-Secure. I've been there 20 years now.
Good talk! I am a reverse engineer/malware researcher. I'd love to work for F-Secure, and am planning on moving to the wonderful Suomi. You guys have a great company!
Welcome! Watch out for the snow.
This is probably an oft-asked question, but what kind of studies inside computer science are good for working in the IT security field?
Also, I'm a student at TKK - or whatever Aalto School of Science it should be called nowadays - and I sure hope the special course in information security will be there next spring too? :)
(Edited to separate the two questions better.)
Coding, reverse engineering, networking, crypto.
As far as I know, we'll run our University course ("Malware Analysis and Antivirus Technologies") next year as well, both in Aalto University and the Technical University of Malaysia.
Also, thanks to the kind person who got me Reddit Gold. Much appreciated!
Where did you get the idea to use an overhead projector at the end?
At some stage I got the idea of doing the whole talk with transparencies. Sort of 'the most technical talk in the conference didn't use powerpoint but an overhead projector'.
That idea later morphed into what you actually saw in the video.
Fascinating talk, thanks so much for your wisdom. You tweeted that you'd answer questions on ANYTHING, well here goes...
If you are developing Intellectual Property you want to keep absolutely confidential and you worry about industrial espionage, how can you best protect yourself?
Parmy Olson / Forbes described super cyber security used by hackers here: http://blogs.forbes.com/parmyolson/2011/03/16/is-this-the-girl-that-hacked-hbgary/ in this way:
She has no physical hard drive and boots her computer from a microSD card. “I could hide this card anywhere or chew into a million pieces in a few seconds,” she says by e-mail. She keeps her operating system on a USB stick and uses a virtual machine (VM) to carry out her online shenanigans.
Are there simple instructions somewhere for learning how to do this?
We are especially interested in identifying the source of the industrial espionage, would simple programs like TCPView or Wireshark allow us to pinpoint where keylogger data is being sent?
Maybe all this doesn't really come under the category of ANYTHING but I thought I'd give it a try.
You are WONDERFUL!!! I really admire your work and enjoy your Twitter feed.
These questions would interest others in the corporate world who are concerned about the security of intellectual property development.
If you want to be sure, the basic idea would be to make sure the data you're trying to protect never touches a network of any kind.
Once you accomplish that, then it's all about operational security and physical screening.
How do you think it will be possible for the industry to attract potential cyber criminals away from the massive amounts of money that they would make through cyber crime, and take a legitimate job instead?
The first thing many of the caught online criminals say is along the lines of "just give me a chance to do this on the side of the good guys". Obviously many people would prefer not breaking the law if they don't have to.
Does that then say that there is some sort of problem with the recruitment processes of legitimate companies? Or that these people just aren't looking hard enough for a job?
Even if you are a good programmer, it might be hard to find a job in rural China. Or in Northern Siberia. Or in the slums of São Paulo. But if you have connectivity, you can go to the line of internet crime and make money.
Any concerns with displaying the credit card info in a video which is now on the Internet? I assume the data had been sanitized before being displayed?
I had reported the cards as stolen.
Then I did a global search & replace and changed all "9" in the file to "8" or something like that. So yeah, more or less sanitized.
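As an added example (not part of the AMA or of any F-Secure tooling), a small pre-publication audit for card numbers in a demo file: it compares a single-digit search-and-replace like the one described above with standard PAN masking, and uses the Luhn checksum to flag any value that still looks like a usable card number. The card numbers are public test numbers and constructed values.

```python
"""Audit a text dump for card numbers that survive sanitization.

Constructed example: the numbers in SAMPLE_DUMP are public test numbers
or made-up values, not the cards shown in the talk.
"""
import re

# 12-19 digit runs are candidate PANs (primary account numbers).
PAN_RE = re.compile(r"\b\d{12,19}\b")


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check card networks use."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_digit_swap(text: str, old: str = "9", new: str = "8") -> str:
    """Global search-and-replace of one digit (the approach the answer describes)."""
    return text.replace(old, new)


def mask_pans(text: str) -> str:
    """Standard PAN masking: keep the first 6 and last 4 digits, blank the rest."""
    def mask(m: re.Match) -> str:
        pan = m.group(0)
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return PAN_RE.sub(mask, text)


def audit(text: str, sanitizer) -> list:
    """Apply a sanitizer to every PAN in text and report the ones still usable.

    Each finding is (original, sanitized, reason), where reason is
    'unchanged' (sanitizer left the number intact; e.g. no digit 9 present)
    or 'luhn_valid' (number was altered but still passes the Luhn check).
    """
    findings = []
    for orig in PAN_RE.findall(text):
        san = sanitizer(orig)
        if san == orig:
            findings.append((orig, san, "unchanged"))
        elif luhn_valid(san):
            findings.append((orig, san, "luhn_valid"))
    return findings


# Constructed dump: two public test numbers containing no digit 9, plus one
# made-up Luhn-valid number that does contain 9s.
SAMPLE_DUMP = """\
card=4111111111111111 exp=03/13 name=A. Example
card=4242424242424242 exp=11/12 name=B. Example
card=4929123456789015 exp=07/14 name=C. Example
"""

if __name__ == "__main__":
    print("digit swap findings:", audit(SAMPLE_DUMP, naive_digit_swap))
    print("masking findings:   ", audit(SAMPLE_DUMP, mask_pans))
```

Numbers without the swapped digit pass through the digit-swap rule untouched, so the audit reports them, while the masked output yields no findings.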
I can confirm that none of them work at the moment.
Nice, thanks :)
Just wanted to say thanks, thanks. Awesome talk. Upvoted.
I find it really strange that the Stuxnet drama has never caught on here on reddit.
Edit: Question: What was it like with the countdown timer? Looks intimidating.
And the timer was intimidating. I finished with 25 seconds to spare.
If you go overtime, you get a series of more and more serious warnings on a monitor.
One of them is "Stop now. If you continue, we won't post your video to ted.com".
Great talk! What new policies or support system do you think would be needed to meaningfully curb organized criminal activity via viruses?
I like your idea of giving young hackers legitimate outlets for their technical and creative energy. I can guarantee you that Microsoft, Google, and maybe even your own company employ more than a few people who were crackers in their teens, but are now legit now that they make a pretty good salary.
I also agree with you that in the limited cases where you know the author of the viruses, there ought to be cooperation between authorities to prosecute. But your talk gives me the impression that it is very rare to actually find the perpetrator.
My worries then are twofold: 1) As you mention in the talk, it's pretty damn hard to find the culprits. So I don't see how new laws, policies can help you track them in the first place.
2) My bigger worry is that any authority given to governments to track online criminal activity will be subverted for illegitimate uses. I worry that my emails, private online activity will be monitored (more than it already is) to give people a false sense of security.
I share your worry, and believe me, I'm not interested in increasing government monitoring and harassing of its own, law-abiding citizens. We would need to find a balance.
Thank you for doing this AMA! I greatly enjoyed your talk.
1. What precautions can we take to prevent virus infection? 2. Other than F-Bot :), what software do you recommend for a home user of Windows?
Thanks so much!
Patch. Backup. Make sure your antivirus and firewall really are up and running and not just that you think they are (most malware silently disables security products if they get in).
And of course, I recommend our own F-Secure products. Not just because I work there, but because it beats everyone else.
Are you the first Finn to do a TED talk? Or does Linus still count?
I know Linus and I'm pretty sure he hasn't done a TED Talk.
Marko Ahtisaari from Nokia spoke in TEDGlobal 2005. However, I'm not sure if it was a full-length talk...in any case, it's not available online.
Otherwise, I don't think there are other Finns. Very few Finns even attend TED.
Awesome job! I really enjoyed your talk.
How long did it take you to prepare your talk?
How many hours did you rehearse it?
Mentally I started preparing six months ago, as soon as I got invited.
I had the basic idea of the talk ready a month before TED.
I had the final structure ready five days before the talk.
I rehearsed maybe an hour or two altogether.
I'm very happy how it turned out, especially that all the live demos went so well.
Congrats on the TED Talk, it's quite an honor. I'm curious about your ability to present and talk in front of such a large group, and also in front of such a well distinguished group. I think public speaking is a skill that not many people have. Have you always been able to talk in front of a group at ease? Have you ever taken a public speaking class or something of the sort? Were you nervous before you went on and how many times did you rehearse your talk? Thanks
I have been doing public speaking for years, so I've rehearsed over and over again. Although I had never done this talk before, it obviously helped. Speaking to a TED audience is nerve-wracking, although in reality it's a really friendly audience. That doesn't help much when you know a million people might watch your video online later on.
I did do the talk by myself in front of my computer three times but this was my first run on stage for real. All the demos worked! Yay...
What would you say is the best way to keep a simple windows computer secure?
Don't run Windows on an administrator account, get a decent firewall and a router, get a decent antivirus, whatever is in your price range or choose from some of the excellent free ones. However, the single most important thing to do: don't be stupid. Do not click on suspicious links; if your intuition says "Don't click that" or "Don't download that", then simply don't. Also, install security updates as they are released for every program you regularly use; most programs today come with an auto-updater and a notification system, use it.
For a while you'll be pretty alert and vigilant if you are treating the internet like a pool full of AIDS, but after a while it becomes like second nature what to avoid and what not. But remember, the possibility of getting a virus/trojan/adware/spyware/etc is still there, so reading up on good removal practices is a plus too. Learn from mistakes and try not to repeat them.
Stay strong, my friend.
Great talk, Hypponen! What does your 'personal' system, the one you use at home, look like?
Nice try, Mr. Hacker.
Are you against illegal downloading?
Not in particular...why?
Hi Mikko. Do you spec systems for their "durability" against viruses/attacks? How do you do it? I'm currently researching organizations and strategic risk, resistance against total business discontinuity, and what you said about continuity and backups really rang a bell.
Well, we don't spec systems, as F-Secure doesn't do any consulting or anything like that. I'm sure there are parties that do that though.
Some questions for you:
- How many malware samples does F-Secure process per day (roughly)?
- How many developers vs. analysts work for F-Secure?
- How cold does it get there in the winter?
- About 200,000 raw samples coming in every day
- I don't have that figure. Over 50% of our staff is in R&D. Global staff of F-Secure is close to 700 now.
- It gets cold enough. In Helsinki, last winter maxed out at around -25°C.
I don't have a question, but I just wanted to thank you for contributing by way of TED.