I have worked in infosec for 30 years and have seen it all. Ask me anything about malware, hackers, organized online crime gangs, privacy, or cyberwar. Also feel free to ask me about my new book, «If It’s Smart, It’s Vulnerable». We can also discuss pinball playing techniques.


EDIT: Thanks all! Gotta go, have a nice weekend everyone. As a takeaway, here's a video of a recent talk I gave about the cyberwar in Ukraine.

PS. For those who are into podcasts, here's an episode of the Cyber Security Sauna podcast where I discuss my new book.

Comments: 785 • Responses: 70

bland_meatballs280 karma

What are some methods we should be teaching our kids to ensure they use the internet safely and reduce their risk of getting hacked or getting their accounts stolen?

mikkohypponen512 karma

The same advice applies to everyone really, not just to kids:
- Keep your systems updated, apply all updates and patches right away
- Use a password manager so you have a unique password everywhere
- Enable multifactor authentication wherever possible
- Use different email addresses to different services
- Make backups and make sure they work and are accessible even in disasters
- If something seems too good to be true, it's not. Especially on the internet.
- Use more secure devices. iPads and Chromebooks are harder to hack than laptops.

Superbead52 karma

Use more secure devices. iPads and Chromebooks are harder to hack than laptops.

Do you really think the hacking risk here is worth pushing people into walled gardens and away from devices on which they can learn how things work?

mikkohypponen53 karma

It's a trade-off, like everything in security. You can have both. Have a secure limited device as your daily driver, then go crazy with a linux laptop for writing code.

HappyHighwayman258 karma

Does changing passwords regularly really help with security ?

mikkohypponen485 karma

No, and you should stop doing it.

I think the most important lesson about password security for home users is to make sure your email password is long and unique. For many home users, this is the Gmail password.

Gmail has become a key hub for logins, a single sign-on service for the entire Internet. When user passwords leak from an online game or discussion forum, using them to steal Gmail accounts is one of the most popular ways of profiting from the situation. In other words, if usernames and passwords are stolen from, say, an online gaming service, the attackers try them in Gmail. Sadly, this often works, as users tend to pick the same nickname for different services and use the same password almost everywhere, even on Gmail.

Once your Gmail account has been compromised, the game is over, as the attackers now have access to your message history. This allows them to search for information on online stores where you have set up accounts with the same Gmail address. Whenever you set up an account at an online store, it will send you a welcome email. Gmail keeps all welcome messages in your message history, making them easy for the attacker to find. As Gmail does not delete old messages, even welcome messages from 10 years ago are easy to find. The attacker now knows that you have accounts with certain online stores and that your user ID for them is your Gmail address.

The password you use for online stores is still secure, but that is of no concern: there is a magic button on the login page of each store for bypassing the password prompt. This magic button is labeled “I forgot my password.” When the attacker enters your Gmail address on the login page and clicks the button, the store will send a new password—to the very same Gmail address the attacker has cracked. That is why Gmail has become a single sign-on service for the entire Internet. By gaining access to your Gmail, the attacker can get everything else.

So, what can you do? Being well aware of its role as a network hub, Google has introduced Google 2-step Verification for Gmail users. Users install the Google Authenticator app on their smartphone and use its one-time passcodes to verify each device on which they read their Gmail. When a device has been authorized once, no further action is needed. However, should you want to read your email on a new device—or if an intruder tries to access your account—it will work only with the code from the Authenticator app.

Securing your email is important, as it often opens the way to many other places. Always choose a long email password, do not use it anywhere else, and use Google 2-step Verification.

Quoted from page 164 of https://www.ifitssmartitsvulnerable.com

OrangeIcing119 karma

What is your mother's maiden name?

mikkohypponen319 karma

Ah, my dear mum Hunter2.

Hokily109 karma

What is the best way to break into this field? Certs? School? Just jump into easier tech jobs?

Edit: tech not yech

mikkohypponen205 karma

There's no best way. Some of the best technical experts at our company never finished high school, others have PhDs.

Here's a good Twitter thread on breaking into the field: https://twitter.com/cyberkatelyn/status/1366221638879113217 and a good blog post (from 2016 though): https://medium.com/free-code-camp/so-you-want-to-work-in-security-bc6c10157d23

bethorthanyou101 karma

What is Zero Trust?

mikkohypponen399 karma

In 2010, Google was subjected to an exceptional security breach. Chinese spies had penetrated Google’s internal network and had been gathering data there for a long time. While similar cases of espionage had occurred before, Google was the first company to communicate openly on the matter.

The event had far-reaching consequences. Google exited the Mainland China market and has not really returned since. However, the change in how Google approached its network development was even more profound. Google’s engineers received support and funding from senior management for a project now known as BeyondCorp.

The BeyondCorp model is Google’s version of a zero-trust network. In this model, the company no longer has an external or internal network; it just has a network. The organization’s resources and services are available regardless of time and place. To the user, it no longer matters whether they are in a conference room at company headquarters or an airport café. The BeyondCorp model is built around identity and device management. Access control decisions are now at individual user and device level—access to information is provided according to what the user needs. The traditional all-seeing administrator role no longer exists. The BeyondCorp model also makes use of cloud services that are as seamless as in-house services.

While the BeyondCorp model eliminates many traditional problems, it is not easy to deploy. Even Google needed several years. On the other hand, we know of no successful hacks at Google during the BeyondCorp era. This is quite an achievement, as Google must be one of the key targets for foreign intelligence services almost everywhere.

(page 108 of If It's Smart, It's Vulnerable)

s-mores97 karma

What was a time (infosec related) where you thought "f this, I'm out" and took the rest of the day off to calm down?

mikkohypponen228 karma

When someone took a leaked patient database of a psychotherapy center and made a website that enabled anyone to easily search the data (by name, city, employer, age...).

It was bad enough that information like this was leaked in the first place. But it just boggles the mind that someone else took the extra effort to make sure people could search the data even if they had no technical skills. It was... awful.

Longjumping_Proof_4387 karma

What is the number 1 organized crime group on the web?

mikkohypponen170 karma

Right now it's probably Lockbit. And if not them, in any case it's one of the big Russian ransomware groups. We call groups like these cybercrime unicorns.

elbrianle64 karma

What cybersecurity products do you feel actually fulfill the protection they sell?

mikkohypponen83 karma

Canaries. Honeypots. Most password managers. Many endpoint products. Some VPNs.

shempmalone36 karma

Which VPNs? It seems like many of the major ones are data mining operations or show clear signs of penetration by intelligence agencies.

mikkohypponen60 karma

I've been working with F-Secure forever. Our VPN is called Freedome.

evcad1162 karma

You often talk about how secure modern smartphones are and how it costs a lot of money to hack them. Of course, normal people shouldn't be worried, but what if you're a journalist or a politician? Is there a solution for them, or is the only solution to just not use a smartphone at all?

mikkohypponen264 karma

Smartphones are a security success story. Buying tools to hack your Windows laptop costs like $5. Buying tools to hack your iPhone costs like $100,000: big difference.

Yes, some targets are worth $100,000. So make sure you're hard to find. Have a public identity and a phone number that can be found, but don't use this for confidential stuff. Then have a set of variable identities and phone numbers for the real stuff. Rotate your devices. Also, have your devices regularly run out of battery. Rebooting your device manually can be faked and the malware on the phone would survive that. Surviving through a cold reboot is substantially more difficult. As you can't remove the battery from modern smartphones, drain it instead.

noozd59 karma

We have small companies to which we offer a variety of IT services. Any advice you would give on how to make these small companies really understand the need for proper cybersecurity? "MFA is too painful for our users." "Cybersecurity products cost too much." "We are smart, no one can trick me." etc. These lines just go on and on. btw. could you sign my copy of your book?

mikkohypponen134 karma

Ok, go to Tor network and open up a leak site for some of the larger ransomware groups. For example:
Alpha alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion
Lockbit lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

Then let them scroll through the long, long list of victims: companies, just like them. From all walks of life, all business areas, all around the world. None of them thought they would get hit either.

izvr55 karma

Are you still carrying floppy disks in your pockets?

mikkohypponen147 karma

I actually ask my tailor to make my suits' inner pockets big enough for 5.25" floppies. Not a joke.

Swizzlers55 karma

How aggressively should I be rejecting website cookies? Those fuckers keep asking.

mikkohypponen152 karma

Just click ok to make the box go away. Cookies are not nearly as big of a privacy problem as the website prompts would make you believe. There's tons of other ways of tracking you.

Peaky_f00kin_blinder49 karma

  1. What would be the most secure digital method to store passwords?

  2. What are some good cyber hygiene practices that you would recommend while browsing the internet?

mikkohypponen91 karma

While it's not a password, fooling the current version of Apple's Face ID is quite hard. More importantly, systems like Face ID and Touch ID have the ease-of-use which enables users to have their devices always locked. If you need to type in a long password or PIN, users set the locking timeout to 5 minutes or 10 minutes - which is a risk.

lietu63 karma

Using Biometric ID is incredibly risky due to the lack of legal protection they have and that they don't require your consent. You may always refuse to share your password, you often can't refuse to share your face or fingerprint.

mikkohypponen73 karma

There's a funny story about cops opening up a phone in my book:

A quote from the Parliamentary Ombudsman’s decision of 2017 tells us how a suspect’s smartphone was unlocked:

The suspect was told that a requisite amount of force would be used to place the suspect’s finger on the mobile phone’s fingerprint sensor. The suspect stated that the police “can go fuck themselves” and did not agree to this procedure.

At the start of the procedure, the suspect was sitting on a bed in the holding cell, and was carefully pushed back onto the mattress and held still. The suspect forcefully resisted the procedure by squirming and keeping their hands in a fist. The fists were nevertheless opened enough to try using the thumb and index finger to unlock the phone.

Five police officers took part in using force; two twisted the suspect’s hands behind their back, one pressed the back of their head, and two held onto their feet.

robemtnez48 karma

Hi Mikko! Why are you so awesome?

In 2017, I listened to your keynote speech at the International One conference in the Netherlands. There you said that IKEA was very good at securing their IOT devices. Is that still the case?

mikkohypponen109 karma

IKEA spends money on IoT security, because their business model requires it.

They make money by building a product and then selling the same product all over the world with thin margins. The biggest risk they face is a product recall. So the first rule for them is: make 100% sure we never need to do a recall. That's why it's cheaper for them to spend the money to build IoT systems that are designed right.

YourFinestPotions41 karma

How vulnerable are our nuclear arsenal to cyber attack?

mikkohypponen133 karma

Of all the things that could be hacked, nuclear weapons are thankfully among the hardest of them. Most of the computer systems that control nuclear weapons are truly legacy systems. According to public reports, U.S. Army is using 8 inch floppy disks in these systems. That's Security by Antiquity.

How big are 8" floppies? This big: https://imgur.com/a/Orkvhbh

probablyonmobile40 karma

Would you say there’s much mathematics in this sort of thing? What are some of the mindsets/skills this field requires, and how does a person practice them?

mikkohypponen109 karma

In general, working in security requires the hacker mindset: problem-solving in unusual ways. If you need to get in, you might not need to pick the lock; making a hole in the wall might be easier.

But then again, security is a huge field, and mathematics is a core skill in areas like encryption and certificates.

SenorSnuts40 karma

Why are phishing attempts always so obvious? It seems like a better way to get people to click links in an email would be an otherwise normal looking but annoying email with a malicious unsubscribe link.

Is the damage done simply by clicking the link, or are they targeting people perceived as having less "internet intelligence" in order to get more out of them at a later time?

mikkohypponen235 karma

Have you considered that you only spot the obvious ones?

The best phishing attack I saw recently was an email with sexually explicit images and a message along the lines of 'Thank You for subscribing to our DAILY PORN EMAIL'. This was mailed to corporate email addresses and when the employees clicked on the 'Unsubscribe / Cancel' link, they got a prompt which said something along the lines of 'Corporate firewall has blocked your access to this x-rated website. Please re-authenticate to confirm you want to continue', and then prompted for the network username and password.

Godmodex239 karma

Wouldn't it be pretty ironic if someone hacked your account to make this post? I'm just here to say hi

mikkohypponen78 karma

I am legit and this is me honest. Now, send me your private key.

DoctorBlazes39 karma

How often should one be changing their passwords?

mikkohypponen172 karma

There's no need to change your password unless it's been compromised or there is reason to believe it could have been compromised. Forcing users to change passwords for the sake of changing them is not going to improve your security; in fact, it makes users create easily guessable passwords.

FearMarbhAgSiul36 karma

What are some useful online resources for those interested in learning more about infosec with a future career/hobby in mind?

thatohgi86 karma


Try hack me,

Hack the box,

Republic of hackers,

Microsoft has a lot of their certification courses online for free.

Download and learn to use Linux. I recommend Mint or Ubuntu for your first time. Kali can be fun but isn’t designed to be a daily driver.

Network Chuck and David Bombal on YouTube

mikkohypponen74 karma

Great list, thank you thatohgi! Let me add https://beginners.re

Diriv35 karma

What's the most common problem, other than people (hah), that you've seen systems have?

mikkohypponen67 karma

All the security problems we’ve seen can be split into two groups: technical problems or human errors. Fixing technical problems can be hard, slow, and difficult, but fixing human errors might be impossible.

Most common technical problem? Bad coding.

There is no magic to security holes or vulnerabilities. They are code, just like any other. Software has security holes because programmers are human and make mistakes.

Programming errors, or bugs, have not always created vulnerabilities. Above all, this involves bugs in systems that are connected to networks, that is, the Internet. Before systems went online, security problems barely mattered, since the only way to exploit vulnerabilities was to sit at a computer. If a malicious attacker gains access to a physical device, they have many ways of accessing its data.

A bug is easy to create. It can be a small typo or additional character among thousands of lines of code. The end result is an application that appears to work but will crash under certain conditions—or create a hole that an outsider can use to access the system.

Designer-Chip-773534 karma

What do online crime gangs do exactly? Is it just scams?

mikkohypponen90 karma

Online crime gangs make money. The 3 biggest techniques are:
1. Ransomware ("pay us and you'll get your data back and we won't leak it")
2. BEC ("This is the CEO. Please pay this totally legit bill right away")
3. DDoS extortion ("pay us and we'll let your online store run again")

HotCase_Daddio28 karma

What are the weirdest / most significant devices you've seen being compromised?

mikkohypponen91 karma

I remember a forest tractor getting pwned while it was in the middle of a forest. As an end result, it couldn't move, so another tractor with geeks onboard was dispatched to get it out.

claudandus_felidae27 karma

I'm very curious about the cases of smarthome "hacking" we see in the wild today. From what I've read, most cases of someone eavesdropping or broadcasting obscene messages are actually cases of someone getting access to an existing account, and not, for instance, creating a tool which relies on an exploit in the device. Obviously it's still hacking, but do you think things like smart speakers and thermostats are likely targets for hackers? Are there potential exploits or possible use cases for these kinds of devices that you're worried about?

mikkohypponen51 karma

Some of the largest DDoS botnets on the planet are not built from infected computers. For years already, they've been built from IoT devices: home routers, air conditioning systems, security cameras...

Matisaro27 karma

If we wanted could we cut Russia out of the entire internet?

mikkohypponen115 karma

If we wanted to, there's plenty of things we could do:

- remove '.ru', '.рф' and '.su' from the root DNS

- kill reverse DNS for all Russian IP blocks

- set all Russian ASNs to false

- disable roaming for all Russian mobile phone operators

But I don't think we want to. I live close to Russia myself. My home country of Finland has had a long and problematic history with a very unpredictable neighbour. Still, the internet is one of the few ways the Russian people can get real information about what's going on in Ukraine.

TheGreatMuffin26 karma

What do you think of bitcoin? I read you did a give away of one 1btc casascius coin ages ago (worth $90 at that time). Fun times :)

mikkohypponen48 karma

Yup, I gave away 1 bitcoin to my 50,000th follower on Twitter years ago. I hope he still has it!

About valuation of Bitcoins:

"Bitcoin is sometimes compared to precious metals such as gold, as its mining terminology implies. Both are valuable, at least in part because they are expensive to come by. Gold must be dug up from the bowels of the earth, while bitcoin mining requires expensive, powerful, and power-guzzling computers. However, although the amount of gold is limited, we are not sure exactly how much is left—we may continue finding large gold deposits for many years to come. We may even be able to set up gold mines on the Moon or the surfaces of asteroids. The final amount of gold is therefore impossible to estimate. However, we do know exactly how many bitcoins are left.

Bitcoins are valuable because they are expensive to make, impossible to forge, and strictly limited in number. Investors want to buy bitcoins for precisely these characteristics. It’s less about how bitcoins will replace dollars in everyday purchases and more about very high demand for a very limited number of bitcoins.

Hermès, a French luxury brand, makes scarves, perfumes, and handbags. It is known for its Birkin handbags in particular, which are beautiful, very well made, extremely rare—and very expensive. A new bag costs at least $10,000, while some models may cost more than $100,000. However, even if you have the money, you cannot simply buy a bag. Birkins are so desirable that there is a long waiting list for them, causing the prices of second-hand bags to skyrocket.

How did Hermès make its bags so desirable and expensive? By limiting their numbers: despite high demand, Hermès makes only tens of thousands of new bags per year. The price of bitcoins follows the same logic. Genuine bitcoins are expensive because so few are made, whereas knock-offs are cheap, as are pirate copies of Birkin handbags."

(page 194)

Ajo10123 karma

Considering trying to get into this field, what are some of the best and worst moments you have had in your time?

mikkohypponen103 karma

Best moments? Working in our lab during some of the largest malware outbreaks.

"When a malware epidemic started, we investigated it, even in the middle of the night. Our phones rang, and our team got to work. We obtained a sample of the new virus, decompiled its code, and determined how it was spread. We then developed a detection algorithm, named the malware, built an update package, and sent it to our customers over the Internet. These sessions were intense. Our team was highly experienced and professional. Everyone knew what they needed to do—it was like watching top surgeons in an emergency room. During a major malware outbreak, our ears buzzed as our bodies pumped adrenalin—as if we were in physical danger. The outer world melted away as we became hyper-focused on the case. If a phone rang in the middle of a big case, effort was required just to comprehend a caller who wanted to talk about something else. Once done, we truly felt that we had completed a labor of Hercules." (page 57)

Worst moments? Trying to convince a client they shouldn't pay money to an online extortionist. They did it anyway. And the extortionist didn't keep their promise.

bythisriver22 karma

When was the last time you had short hair? Do you ever rock your hair loose at work?

mikkohypponen44 karma

I've had a ponytail ever since I got out from my military service in 1989. It's been cut twice since, but I've grown it back. I hope to take it to the grave.

epiquinnz21 karma

Any progress on the Vastaamo case?

mikkohypponen43 karma

The hunt for the hacker who breached the Vastaamo network is still on. I write about this particular case in detail in my book.

tape-eater20 karma

Are apprenticeships a feasible entry point for infosec?

mikkohypponen35 karma

Yes. Choose an internship that's paid. Or find a corporate training program that offers a permanent position to all who pass the training. Here's one example: https://twitter.com/mikko/status/1339494886484144129

brett3520 karma

Hej Mikko! Big fan. What’s your favorite Finnish food?

mikkohypponen86 karma

Is this a password reset question somewhere?

brett3518 karma

I really wanted to know :(

mikkohypponen35 karma

Okay then. It's mämmi. With cream. Not a joke. It looks awful though. https://i.imgur.com/a/BA0F8xq.jpg

talldean18 karma

If you could change one thing about Meta, what would it be?

mikkohypponen80 karma

I'd like to pay for their services with money, instead of paying with my data.

-S7evin-16 karma

Will it be possible to have your book in other languages? I hope in Italian ...

mikkohypponen32 karma

My agent is currently discussing several translations (I'm most excited about the possibility of a Ukrainian version). However, I don't believe an Italian translation has been mentioned yet. If you have contacts with local publishers, my DMs are open!

Santafio15 karma

C64 or VIC-20?

Spy Hunter or Uuno muuttaa maalle?

In your opinion, what has been the most beautiful homecomputer that you've ever seen?

My favourite is the Sol-20, an absolute beaut!

mikkohypponen27 karma

I started with a Commodore 64. I still have it, I even have the original receipt. I was 14. I was selling my first programs when I was 17.

Yes, I know that VIC-20 has a faster CPU than Commodore 64. But in all other respects Commodore is the king. And Spy Hunter has nothing on my favorite C64 game: Shamus Case ][.

likeastar2013 karma

What do you think about F-Secure Antivirus, for Home users?

mikkohypponen38 karma

It's one of the best ones and I would recommend it. Then again, I would, wouldn't I? (I've been working at Data Fellows / F-Secure / WithSecure all my life).

seanhalihan12 karma

What’s the difference between a global infosec expert and an infosec expert?

mikkohypponen28 karma

Welp, I’ve traveled more than I’d like to admit; the glamour of travel starts to wear off when you sustain a level of 140 flights a year. At least the pandemic stopped this madness. And I'm glad my employer carbon offsets my travels.

tamtamdanseren11 karma

Why the renaming to WithSecure? Does the product no longer deserve to carry the F-Secure name?

mikkohypponen28 karma

The company split into two. In effect, the largest cybersecurity company in the Nordics split into the largest and the second largest cybersecurity company in the Nordics.

WithSecure does security for companies and F-Secure does security for home users. I work at WithSecure but I'm also an advisor at F-Secure.

da_peda10 karma

What's the best security-related advice you ever got?

mikkohypponen39 karma

It was about Schrödinger's backups. That your backups aren't really backups until you've tested that you can actually restore them.
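"Tested that you can actually restore" is a check that can be automated, and the same check is what the "make sure they work" advice at the top of the thread asks for. The following is an added example, not code from the AMA or the book: it writes a constructed directory tree, archives it, restores the archive into a separate directory, and compares a SHA-256 digest of every file, reporting anything missing, extra or corrupted rather than trusting that extraction finished without an error. It also refuses archive members whose paths would land outside the restore directory, since a restore drill should not be the step that gets you owned by a tampered archive. The function names (`restore_drill`, `verify_restore`) and the sample files are this example's own; the `tamper` argument exists only to show that a silently damaged restore is reported as a failure.

```python
"""Restore drill: a backup only counts once it has been restored and verified."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data for the drill (not real files).
SAMPLE_FILES = {
    "notes.txt": b"quarterly numbers\n",
    "db/users.sqlite": bytes(range(256)) * 4,
    "config/app.yaml": b"debug: false\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to the digest of its contents."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract into dest, rejecting members that would escape it or that are links."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe member path in archive: {member.name!r}")
            if member.issym() or member.islnk():
                raise ValueError(f"links are not expected in this backup: {member.name!r}")
        tar.extractall(dest)


def verify_restore(source: Path, restored: Path) -> dict[str, list[str]]:
    """Compare original and restored trees; three empty lists mean the restore is exact."""
    expected, actual = tree_digest(source), tree_digest(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "corrupt": sorted(p for p in expected.keys() & actual.keys() if expected[p] != actual[p]),
    }


def restore_drill(files: dict[str, bytes], tamper: str | None = None) -> dict[str, list[str]]:
    """Write files, back them up, restore elsewhere, verify the result.

    `tamper` names a restored file to truncate before verification, to show that a
    silently damaged restore is detected instead of being reported as a success.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, restored, archive = base / "source", base / "restored", base / "backup.tar.gz"
        for rel, data in files.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        make_backup(source, archive)
        restored.mkdir()
        restore_backup(archive, restored)
        if tamper is not None:
            (restored / tamper).write_bytes(b"")
        return verify_restore(source, restored)


if __name__ == "__main__":
    print(restore_drill(SAMPLE_FILES))                              # all lists empty
    print(restore_drill(SAMPLE_FILES, tamper="db/users.sqlite"))    # corrupt: db/users.sqlite
```

In a real drill the source digest is recorded at backup time and stored with the archive (or in a separate system), so that the comparison on restore day does not depend on the original host still being healthy, which on the day you need the backup it usually is not.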

CoregonusAlbula10 karma

Have you ever been to Hopeakuula Arcade in Kouvola?

mikkohypponen8 karma

Oh yes I have! Great place. Recommended. Other good places worth a visit include The Dutch Pinball Museum in Rotterdam and the Pinball Hall Of Fame in Nevada.

geofurb8 karma

The Silverball Museum in Asbury Park, NJ, USA is also a good venue, although they focus on older/historical machines.


mikkohypponen8 karma

Thanks! I've heard about Silverball, but I think I've only visited New Jersey on my trips twice. Another place I'd like to visit but I've never been even close is Funspot in Laconia, New Hampshire.

phil0359 karma

Totally off topic question here but I ask it as often as I catch these AMAs.

Mashed potato, what's your recipe?

mikkohypponen15 karma

I'm more of a barbeque kinda guy. I make veggies, no potatoes. Sorry man.

Arnoxthe19 karma

Putting aside enterprise use completely, Microsoft has been absolutely banging on constantly about updates for home computers, basically saying that if you don't constantly keep your home computer updated with the latest security updates, your computer is going to get super mega hacked. And yet I and many others have kept their completely non-updated computers malware-free for over a decade through just simply good security practices.

What would be your opinion then on Windows updates and even running out-of-support Windows versions like Windows 7? Completely overblown danger for home users, or are we missing something here and Microsoft still has a point?

mikkohypponen14 karma

It largely depends on what you do on the machine. Obviously it's more important to update corporate servers that are exposed to the internet than a home machine which is largely inaccessible to outside attackers. The most common way a home machine gets hit is by users installing something bad (like a browser extension), or opening a bad document and Enabling Content (ie. running macros). Things like drive-by exploits from bad websites are not that common any more as browsers are getting better. Still, running outdated systems on the internet is not something I can recommend.

killercurvesahead6 karma

What’s your favorite pinball machine, or top few if you can’t narrow it down?

Also thoughts on master password tools vs having a system in your head?

mikkohypponen10 karma

Favorite pinball of all time would be Metallica. Or Space Shuttle. Or Firepower. Or Black Knight 2000. Or Total Nuclear Annihilation.

Right now I have 4 pinballs: Judge Dredd (1993), Beatles (2018), Iron Maiden Premium (2018) and Godzilla Premium (2021). Beatles gets played the most!

Hankins446 karma

What new challenges/attack vectors do you see arising as LEO satellite internet constellation projects like Starlink become more ubiquitous?

mikkohypponen14 karma

I saw the Starlink Hack talk in DEF CON two weeks ago, and it was some of the most impressive research I've seen lately. https://i.blackhat.com/USA-22/Wednesday/US-22-Wouters-Glitched-On-Earth.pdf

Hacks like these allow outsiders to snoop into the internals of the Starlink system and probably find all kinds of interesting stuff.

jonesjb6 karma

Nice. What is your favorite pinball machine? I have a Shadow and recently got a Jersey Jack GnR CE.

mikkohypponen5 karma

I listed my favorites in another answer, but man, I sure would like to spend some time with Jersey Jack Guns'n'roses!

laavu6 karma

Have you ever been approached by foreign agents (to your knowledge)?

mikkohypponen20 karma

Well yeah, but nothing spectacular really. Once I got notified by a friendly spook that the person I was about to go have lunch with was a foreign spy who might try to recruit me, and so on.

casperrosewater5 karma

Why do some websites/providers limit the number of characters they will allow us to use to create passwords?

mikkohypponen8 karma

Beats me! Unless the character limit is 9,223,372,036,854,775,807.

CheesecakeMMXX5 karma

I know that you are active on twitter, and now obviously on reddit too. What are the less obvious risks related to being active on social (or antisocial) media? Do you have examples of what has happened?

mikkohypponen14 karma

I'm a 12-year club member on reddit.

On social media, it's important to keep opsec in mind: don't share information that you don't need to share. It might feel totally harmless now, but you might end up with enemies in the future. If someone wants to make your life miserable for whatever reason, it's much easier to do if they know where you live and if you have a family or not.

tesserakti4 karma

Pinball Dreams, Pinball Fantasies, or Pinball Illusions?

mikkohypponen8 karma

Stern Premiums or Limited Editions.

astrohnalle4 karma

What's the most memorable sauna you've ever been to?

mikkohypponen10 karma

There's plenty of great saunas here in Finland, of course. But the most memorable one? That would be the sauna in the Westin Hotel in Cape Town, South Africa. Amazing view! Runner-up would be the sauna world Finnair used to have at their premium lounge.

eveningsand3 karma

Infosec 30 years ago largely consisted of SIPRNet and maybe other government sponsored shenanigans, and seemed largely unheard of in the corporate world (from my experience).

Given my experience was VERY narrow from that timeframe, can you share notes on what you encountered during that timeframe, and how things have evolved?

mikkohypponen12 karma

Infosec 30 years ago was largely about OFFLINE security. Internet was inaccessible to almost all companies and most organizations did not even have a local network; we certainly didn't. Companies had stand-alone PCs and Macs and files were moved between computers on floppies. International data transfer happened when you took a floppy and boarded a plane.

It seems almost absurd that we would have seen big problems with such a restricted offline environment, but we did. Many of the large malware outbreaks of the early 1990s went truly global and managed to even infect computers in the research stations at Antarctica. Of course, spreading speeds were much slower than with network worms.

PootisMcPootsalot3 karma

You play fortnite?

mikkohypponen7 karma

I play Defender and Xevious, thank you very much!

BunRecruiter3 karma

Should people read ur book?

mikkohypponen7 karma


bakerzdosen3 karma

In 2022, how bad is it really to have one (or more) dictionary words in a password of otherwise decent complexity? (eg, say, 20+ character length, mixture of lower and upper case, numbers, symbols.)

mikkohypponen9 karma

20+ characters with mixture of lower and upper case, numbers, symbols is good enough. Just don't use the same one on every system.

Saint_Steve3 karma

Regarding the "Trump keeps classified info in his golf club" scandal, and given the apparent lack of security for highly sensitive files at Mar-a-Lago, what do you think the chances are that important info was actually compromised/accessed?

mikkohypponen11 karma

I don't know Trump but he sure seems like a loose cannon, for a president.

Zorothustra3 karma

What are your fondest memories of Commodore 64?

mikkohypponen6 karma

Probably the long hours I spent building a 1541 turbo loader. It was such an elegant piece of code. However, my proudest moment is having one of my games archived in a museum. Check it: https://twitter.com/mikko/status/977287981911433217

goofymarket2 karma

Was Mcafee a skilled hacker?

mikkohypponen4 karma

I've been around forever and I've met pretty much everyone, including all the old school people like Peter Norton and Cliff Stoll. But I never did meet John. So, I don't know.

FetaMight2 karma

What does the S in IOT stand for?

Edit: The answer is "Security"

mikkohypponen3 karma


SnowyNW2 karma

How do you spot a catfish these days when Instagram and most private photo repositories cannot be reverse image searched?

mikkohypponen5 karma

GAN and DALL-E killed reverse searches; there's no need to steal profile images any more as you can just generate them.

geofurb1 karma

Hair care routine? Also, have you ever got your hair caught in a door as you closed it behind you, and how does a researcher go about getting information on how online crime gangs operate?

mikkohypponen2 karma

Wash daily. Finding information on organized crime gangs typically means undercover and infiltration work, ie. hanging around in the forums and chats as one of them.

kastatbortkonto-2 karma

Miksi kirjoitat sukunimesi väärin? Olet Hyppönen etkä Hypponen.

(Why do you misspell your surname? You are Hyppönen, not Hypponen.)

mikkohypponen3 karma

I've always used Hypponen for international use and Hyppönen in Nordic and German-speaking countries. Why do it? Well, just imagine U.S. people trying to search for my book in online bookstores.