I am Mikko Hypponen, a global infosec expert! Ask me anything.

What are some methods we should be teaching our kids to ensure they use the internet safely and reduce their risk of getting hacked or getting their accounts stolen?

The same advice applies to everyone really, not just to kids:
- Keep your systems updated, apply all updates and patches right away
- Use a password manager so you have a unique password everywhere
- Enable multifactor authentication wherever possible
- Use different email addresses to different services
- Make backups and make sure they work and are accessible even in disasters
- If something seems too good to be true, it's not. Especially on the internet.
- Use more secure devices. iPads and Chromebooks are harder to hack than laptops.

Use more secure devices. iPads and Chromebooks are harder to hack than laptops.

Do you really think the hacking risk here is worth pushing people into walled gardens and away from devices on which they can learn how things work?

It's a trade-off, like everything in security. You can have both. Have a secure limited device as your daily driver, then go crazy with a linux laptop for writing code.

Does changing passwords regularly really help with security ?

No, and you should stop doing it.

I think the most important lesson about password security for home users is to make sure your email address is long and unique. Most many home users, this is the Gmail password.

Gmail has become a key hub for logins, a single sign-on service for the entire Internet. When user passwords leak from an online game or discussion forum, using them to steal Gmail accounts is one of the most popular ways of profiting from the situation. In other words, if usernames and passwords are stolen from, say, an online gaming service, the attackers try them in Gmail. Sadly, this often works, as users tend to pick the same nickname for different services and use the same password almost everywhere, even on Gmail.

Once your Gmail account has been compromised, the game is over, as the attackers now have access to your message history. This allows them to search for information on online stores where you have set up accounts with the same Gmail address. Whenever you set up an account at an online store, it will send you a welcome email. Gmail keeps all welcome messages in your message history, making them easy for the attacker to find. As Gmail does not delete old messages, even welcome messages from 10 years ago are easy to find. The attacker now knows that you have accounts with certain online stores and that your user ID for them is your Gmail address.

The password you use for online stores is still secure, but that is of no concern: there is a magic button on the login page of each store for bypassing the password prompt. This magic button is labeled “I forgot my password.” When the attacker enters your Gmail address on the login page and click the button, the store will send a new password—to the very same Gmail address the attacker has cracked. That is why Gmail has become a single sign-on service for the entire Internet. By gaining access to your Gmail, the attacker can get everything else.

So, what can you do? Being well aware of its role as a network hub, Google has introduced Google 2-step Verification for Gmail users. Users install the Google Authenticator app on their smartphone and use its one-time passcodes to verify each device on which they read their Gmail. When a device has been authorized once, no further action is needed. However, should you want to read your email on a new device—or if an intruder tries to access your account—it will work only with the code from the Authenticator app.

Securing your email is important, as it often opens the way to many other places. Always choose a long email password, do not use it anywhere else, and use Google 2-step Verification.

Quoted from page 164 of https://www.ifitssmartitsvulnerable.com

What is your mother's maiden name?

Ah, my dear mum Hunter2.

What is the best way to break into this field? Certs? School? Just jump into easier tech jobs?

Edit: tech not yech

There's no best way. Some of the best technical experts at our company never finished high school, others have PhDs.

Here's a good Twitter thread on breaking into the field: https://twitter.com/cyberkatelyn/status/1366221638879113217 and a good blog post (from 2016 though): https://medium.com/free-code-camp/so-you-want-to-work-in-security-bc6c10157d23

What is Zero Trust?

In 2010, Google was subjected to an exceptional security breach. Chinese spies had penetrated Google’s internal network and had been gathering data there for a long time. While similar cases of espionage had occurred before, Google was the first company to communicate openly on the matter.

The event had far-reaching consequences. Google exited the Mainland China market and has not really returned since. However, the change in how Google approached its network development was even more profound. Google’s engineers received support and funding from senior management for a project now known as BeyondCorp.

The BeyondCorp model is Google’s version of a zero-trust network. In this model, the company no longer has an external or internal network; it just has a network. The organization’s resources and services are available regardless of time and place. To the user, it no longer matters whether they are in a conference room at company headquarters or an airport café. The BeyondCorp model is built around identity and device management. Access control decisions are now at individual user and device level—access to information is provided according to what the user needs. The traditional all-seeing administrator role no longer exists. The BeyondCorp model also makes use of cloud services that are as seamless as in-house services.

While the BeyondCorp model eliminates many traditional problems, it is not easy to deploy. Even Google needed several years. On the other hand, we know of no successful hacks at Google during the BeyondCorp era. This is quite an achievement, as Google must be one of the key targets for foreign intelligence services almost everywhere.

(page 108 of If It's Smart, It's Vulnerable)

What was a time (infosec related) where you thought "f this, I'm out" and took the rest of the day off to calm down?

When someone took a leaked patient database of a psychotherapy center and made a website that enabled anyone to easily search the data (by name, city, employer, age...).

It was bad enough that information like this was leaked in the first place. But it just boggles that mind that someone else took the extra effort to make sure people can search the data it even if they have no technical skills was...awful.

What is the number 1 organized crime group on the web?

Right now it's probably Lockbit. And if not them, in any case it's one of the big Russian ransomware groups. We call groups like these cybercrime unicorns.

What cybersecurity products do you feel actually fulfill the protection they sell?

Canaries. Honeypots. Most password managers. Many endpoint products. Some VPNs.

Which VPNs? It seems like many of the major ones are data mining operations or show clear signs of penetration by intelligence agencies.

I've been working with F-Secure forever. Our VPN is called Freedome.

You often talk about how secure modern smartphones are and it cost a lot of money to hack them. Of course, normal people shouldn't be worried but what if you're a journalist or a politician? Is there solution for them or is the only solution to just not use smartphone at all?

Smartphones are a security success story. Buying tools to hack your Windows laptop costs like $5. Buying tools to hack your iPhone costs like $100,000: big difference.

Yes, some targets are worth $100,000. So make sure you're hard to find. Have a public identity and a phone number that can be found, but don't use this for confidential stuff. Then have a set of variable identities and phone numbers for the real stuff. Rotate your devices. Also, have your devices regularily run out of battery. Rebooting your device manually can be faked and the malware on the phone would survive that. Surviving through a cold reboot is substantially more difficult. As you can't remove the batter from modern smartphones, drain it instead.

We have small companies that we offer variety of IT services. Any advice you would give, how to make these small companies really understand the need for proper cybersecurity? "MFA is too painfull for our users." "Cybersecurity products cost too much." "We are am smart, no one can trick me." etc. these lines just go on and on. btw. could you sign my copy of your book?

Ok, go to Tor network and open up a leak site for some of the larger ransomware groups. For example:
Alpha alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion
Lockbit lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

Then let them scroll through the long, long list of victims: Companies, just like them. From all walks of like, all business areas, all around the world. None of them thought they would get hit either.

Are you still carrying floppy disks in your pockets?

I actually ask my tailor to make my suits inner pockets big enough for 5.25" floppies. Not a joke.

How aggressively should I be rejecting website cookies? Those fuckers keep asking.

Just click ok to make the box go away. Cookies are not nearly as big of a privacy problem as the website prompts would make you believe. There's tons of other ways of tracking you.

1. What would be the most secure digital method to store passwords?

2. What are some good cyber hygiene practices that you would recommend while browsing the internet?

While it's not a password, fooling the current version of Apple's Face ID is quite hard. More importantly, systems like Face ID and Touch ID have the ease-of-use which enables users to have their devices always locked. If you need to type in a long password or PIN, users set the locking timeout to 5 minutes or 10 minutes - which is a risk.

Using Biometric ID is incredibly risky due to the lack of legal protection they have and that they don't require your consent. You may always refuse to share your password, you often can't refuse to share your face or fingerprint.

There's a funny story about cops opening up a phone in my book:

A quote from the Parliamentary Ombudsman’s decision of 2017 tells us how a suspect’s smartphone was unlocked:

The suspect was told that a requisite amount of force would be used to place the suspect’s finger on the mobile phone’s fingerprint sensor. The suspect stated that the police “can go fuck themselves” and did not agree to this procedure.

At the start of the procedure, the suspect was sitting on a bed in the holding cell, and was carefully pushed back onto the mattress and held still. The suspect forcefully resisted the procedure by squirming and keeping their hands in a fist. The fists were nevertheless opened enough to try using the thumb and index finger to unlock the phone.

Five police officers took part in using force; two twisted the suspect’s hands behind their back, one pressed the back of their head, and two held onto their feet.

Hi Mikko! Why are you so awesome?

In 2017, I listened to your keynote speech at the International One conference in the Netherlands. There you said that IKEA was very good at securing their IOT devices. Is that still the case?

IKEA spends money in IoT security, because their business model requires it.

They make money buy building a product and then selling the same product all over the world with thin margins. The biggest risk they face is a product recall. So the first rule for them is: make 100% sure we never need to do a recall. That's why it's cheaper for them to spend the money to build IoT systems that are designed right.

How vulnerable are our nuclear arsenal to cyber attack?

Of all the things that could be hacked, nuclear weapons are thankfully among the hardest of them. Most of the computer systems that control nuclear weapons are truly legacy systems. According to public reports, U.S. Army is using 8 inch floppy disks in these systems. That's Security by Antiquity.

How big are 8" floppies? This big: https://imgur.com/a/Orkvhbh

Why are phishing attempts always so obvious? It seems like a better way to get people to click links in an email would be an otherwise normal looking but annoying email with a malicious unsubscribe link.

Is the damage done simply by clicking the link, or are they targeting people perceived as having less "internet intelligence" in order to get more out of them at a later time?

Have you considered that you only spot the obvious ones?

The best phishing attack I saw recently was an email with sexually explicit images and a message along the lines of 'Thank You for subscribing to our DAILY PORN EMAIL'. This was mailed to corporate email addresses and when the employees clicked on the 'Unsubscribe / Cancel' link, they got a prompt which said something along the lines of 'Corporate firewall has blocked your access to this x-rated website. Please re-authenticate to confirm you want to continue', and then prompted for the network username and password.

Would you say there’s much mathematics in this sort of thing? What are some of the mindsets/skills this field requires, and how does a person practice them?

In general, working in security requires the hacker mindset: problem-solving in unusual ways. If you need to get in, you might not need to pick the lock; making a hole in the wall might be easier.

But then again, security is a huge field, and mathematics is a core skill in areas like encryption and certificates.

How often should one be changing their passwords?

There's no need to change your password unless it's been compromised or these reason to believe it could have been compromised. Forcing users to change passwords for the sake of changing them is not going to improve your security, in fact it makes users create easily guessable passwords.

Wouldn't it be pretty ironic if someone hacked your account to make this post? I'm just here to say hi

I am legit and this is me honest. Now, send me your private key.

What are some useful online resources for those interested in learning more about infosec with a future career/hobby in mind?

Letsdefend.io,

Try hack me,

Hack the box,

Republic of hackers,

Microsoft has a lot of their certification courses online for free.

Download and learn to use Linux, I recommend Mint or Ubuntu for your first time it. Kali can be fun but isn’t designed to be a daily driver.

Network Chuck and David Bombal on YouTube

Great list, thank you thatohgi! Let me add https://beginners.re

What's the most common problem, other than people (hah), that you've seen systems have?

All the security problems we’ve seen can be split into two groups: technical problems or human errors. Fixing technical problems can be hard, slow, and difficult, but fixing human errors might be impossible.

Most common technical problem? Bad coding.

There is no magic to security holes or vulnerabilities. They are code, just like any other. Software has security holes because programmers are human and make mistakes.

Programming errors, or bugs, have not always created vulnerabilities. Above all, this involves bugs in systems that are connected to networks, that is, the Internet. Before systems went online, security problems barely mattered, since the only way to exploit vulnerabilities was to sit at a computer. If a malicious attacker gains access to a physical device, they have many ways of accessing its data.

A bug is easy to create. It can be a small typo or additional character among thousands of lines of code. The end result is an application that appears to work but will crash under certain conditions—or create a hole that an outsider can use to access the system.

What do online crime gangs do exactly? Is it just scams?

Online crime gangs make money. The 3 biggest techniques are:
1. Ransomware ("pay us and you'll get your data back and we won't leak it")
2. BEC ("This is the CEO. Please pay this totally legit bill right away")
3. DDoS extortion ("pay us and we'll let your online store run again")

What are the weirdest / most significant devices you've seen being compromised?

I remember a forest tractor getting pwned while it was in the middle of a forest. As an end result, it couldn't move, so another tractor with geeks onboard was dispatched to get it out.

I'm very curious about the cases of smarthome "hacking" we see in the wild today. From what I've read, most cases of someone evesdropping or broadcasting obscene messages is actually a case of someone getting access to an existing account, and not, for instance, creating a tool which relies on a exploit in the device. Obviously it's still hacking, but do you think things like smart speakers and thermostats are likely targets for hackers? Are there potential exploits or possible use cases for these kinds of devices that you're worried about?

Some of the largest DDoS botnets on the planet are not built from infected computers. For years already, they've been built from IoT devices: home routers, air conditioning systems, security cameras...

If we wanted could we cut Russia out of the entire internet?

If we wanted to, there's plenty of things we could do:

- remove '.ru', '.рф' and '.su' from the root DNS

- kill reverse DNS for all Russian IP blocks

- set all Russian ASNs to false

- disable roaming for all Russian mobile phone operators

But I don't think we want to. I live close to Russia myself. My home country of Finland has had a long and problematic history with a very unpredictable neighbour. Still, internet is one of the few ways the Russian people can get real information about what's going on Ukraine.

What do you think of bitcoin? I read you did a give away of one 1btc casascius coin ages ago (worth $90 at that time). Fun times :)

Yup, I gave away 1 bitcoin to my 50,000th follower on Twitter years ago. I hope he still has it!

About valuation of Bitcoins:

"Bitcoin is sometimes compared to precious metals such as gold, as its mining terminology implies. Both are valuable, at least in part because they are expensive to come by. Gold must be dug up from the bowels of the earth, while bitcoin mining requires expensive, powerful, and power-guzzling computers. However, although the amount of gold is limited, we are not sure exactly how much is left—we may continue finding large gold deposits for many years to come. We may even be able to set up gold mines on the Moon or the surfaces of asteroids. The final amount of gold is therefore impossible to estimate. However, we do know exactly how many bitcoins are left.

Bitcoins are valuable because they are expensive to make, impossible to forge, and strictly limited in number. Investors want to buy bitcoins for precisely these characteristics. It’s less about how bitcoins will replace dollars in everyday purchases and more about very high demand for a very limited number of bitcoins.

Hermès, a French luxury brand, makes scarves, perfumes, and hand bags. It is known for its Birkin handbags in particular, which are beautiful, very well made, extremely rare—and very expensive. A new bag costs at least $10,000, while some models may cost more than $100,000. However, even if you have the money, you cannot simply buy a bag. Birkins are so desirable that there is a long waiting list for them, causing the prices of second-hand bags to skyrocket.

How did Hermès make its bags so desirable and expensive? By limiting their numbers: despite high demand, Hermès makes only tens of thousands of new bags per year. The price of bitcoins follows the same logic. Genuine bitcoins are expensive because so few are made, whereas knock-offs are cheap, as are pirate copies of Birkin handbags."

(page 194)

Considering trying to get into this field, what are some of the best and worst moments you have had in your time?

Best moments? Working in our lab during some of the largest malware outbreaks.

Quote:
"When a malware epidemic started, we investigated it, even in the middle of the night. Our phones rang, and our team got to work. We obtained a sample of the new virus, decompiled its code, and determined how it was spread. We then developed a detection algorithm, named the malware, built an update package, and sent it to our customers over the Internet. These sessions were intense. Our team was highly experienced and professional. Everyone knew what they needed to do—it was like watching top surgeons in an emergency room. During a major malware outbreak, our ears buzzed as our bodies pumped adrenalin—as if we were in physical danger. The outer world melted away as we became hyper-focused on the case. If a phone rang in the middle of a big case, effort was required just to comprehend a caller who wanted to talk about something else. Once done, we truly felt that we had completed a labor of Hercules." (page 57)

Worst moments? Trying to convince a client they shouldn't pay money to an online extortionist. They did it anyway. And the extortionist didn't keep their promise.

When was the last time you had short hair? Do you ever rock your hair loose at work?

I've had a ponytail ever since I got out from my military service in 1989. It's been cut twice since, but I've grown it back. I hope to take it to the grave.

Any progress on the Vastaamo case?

The hunt for the hacker who breached the Vastaamo network is still on. I write about this particular case in detail in my book.

Are apprenticeships a feasible entry point for infosec?

Yes. Choose an internship that's paid. Or find a corporate training program that offers a permanent position to all who pass the training. Here's one example: https://twitter.com/mikko/status/1339494886484144129

Hej Mikko! Big fan. What’s your favorite Finnish food?

Is this a password reset question somewhere?

I really wanted to know :(

Okay then. It's mämmi. With cream. Not a joke. It looks awful though. https://i.imgur.com/a/BA0F8xq.jpg

If you could change one thing about Meta, what would it be?

I'd like to pay for their services with money, instead of paying with my data.

Will it be possible to have your book in other languages? I hope in Italian ...

My agent is currently discussing several translations (I'm most excited about the possibility of an Ukrainian version). However, I don't believe Italian translation has been mentioned yet. If you have contacts with local publishers, my DMs are open!

C64 or VIC-20?

Spy Hunter or Uuno muuttaa maalle?

In your opinion, what has been the most beautiful homecomputer that you've ever seen?

My favourite is the Sol-20, an absolute beaut!

I started with a Commodore 64. I still have it, I even have the original receipt. I was 14. I was selling my first programs when I was 17.

Yes, I know that VIC-20 has a faster CPU than Commodore 64. But in all other respects Commodore is the king. And Spy Hunter has nothing on my favorite C64 game: Shamus Case ][.

What do you think about F-Secure Antivirus, for Home users?

It's one of the best ones and I would recommend it. Then again, I would, wouldn't I? (I've been working at Data Fellows / F-Secure / WithSecure all my life).

What’s the difference between an global infosec expert and a infosec expert?

Welp, I’ve traveled more than I’d like to admit; the glamour of travel starts to wear off when you sustain a level of 140 flights a year. At least the pandemic stopped this madness. And I'm glad my employer carbon offsets my travels.

Why the renaming to WithSecure? Does the product no longer deserve to carry the F-Secure name?

The company split into two. In effect, the largest cybersecurity company in the nordics split into the largest and the second largest cybersecurity company in the nordics.

WithSecure does security for companies and F-Secure does security for home users. I work at WithSecure but I'm also an advisor at F-Secure.

What's the best security-related advice you ever got?

It was about Schrödinger's backups. That your backups aren't really backups until you've tested that you can actually restore them.

Have you ever been to Hopeakuula Arcade in Kouvola?

Oh yes I have! Great place. Recommended. Other good places worth a visit include The Dutch Pinball Museum in Rotterdam and the Pinball Hall Of Fame in Nevada.

The Silverball Museum in Asbury Park, NJ, USA is also a good venue, although they focus on older/historical machines.

https://www.silverballmuseum.com/asbury-park/about/our-machines/

Thanks! I've heard about Silverball, but I think I've only visited New Jersey on my trips twice. Another place I'd like to visit but I've never been even close is Funspot in Laconia, New Hampshire.

Totally off topic question here but I ask it as often as I cantch these AMAs.

Mash potato whats your recipe?

I'm more of a barbeque kinda guy. I mage veggies, no potatoes. Sorry man.

Putting aside enterprise use completely, Microsoft has been absolutely banging on constantly about updates for home computers, basically saying that if you don't constantly keep your home computer updated with the latest security updates, your computer is going to get super mega hacked. And yet I and many others have kept their completely non-updated computers malware-free for over a decade through just simply good security practices.

What would be your opinion then on Windows updates and even running out-of-support Windows versions like Windows 7? Completely overblown danger for home users, or are we missing something here and Microsoft still has a point?

It largely depends on what you do on the machine. Obviously it's more important to update corporate servers that are exposed to the internet than a home machine which is largely inaccesible to outside attackers. The most common way a home machine gets hit is by users installing something bad (like a browser extension), or opening a bad document and Enabling Content (ie. running macros). Things like drive-by exploits from bad websites are not that common any more as browsers are getting better. Still, running outdates systems on the internet is not something I can recommend.

What new challenges/attack vectors do you see arising as LEO satellite internet constellation projects like Starlink become more ubiquitous?

I saw the Starlink Hack talk in DEF CON two weeks ago, and it was some of the most impressive research I've seen lately. https://i.blackhat.com/USA-22/Wednesday/US-22-Wouters-Glitched-On-Earth.pdf

Hacks like these allow outsiders to snoop in to the internals of the Starlink system and probably find all kinds of interesting stuff.

Nice. What is your favorite pinball machine? I have a Shadow and recently got a Jersey Jack GnR CE.

I listed my favorites in another answer, but man, I sure would like to spend some time with Jersey Jack Guns'n'roses!

Have you ever been approached by foreign agents (to your knowledge)?

Well yeah, but nothing spectacular really. Once I got notified by a friendly spook that the person I was about to go have lunch with is a foreign spy who might try to recruit me, and so.

What’s your favorite pinball machine, or top few if you can’t narrow it down?

Also thoughts on master password tools vs having a system in your head?

Favorite pinball of all time would be Metallica. Or Space Shuttle. Or Firepower. Or Black Knight 2000. Or Total Nuclear Annihilation.

Right now I have 4 pinballs: Judge Dredd (1993), Beatles (2018), Iron Maiden Premium (2018) and Godzilla Premium (2021). Beatles gets played the most!

Why do some websites/providers limit the number of characters they will allow us to use to create passwords?

Beats me! Unless the character limit is 9,223,372,036,854,775,807.

I know that you are active on twitter, and now obviously on reddit too. What are the less obvious risks related to being active on social (or antisocial) media? Do you have examples of what has happened?

I'm a 12-year club member on reddit.

On social media, it's important to keep opsec in mind: don't share information that you don't need to share. It might feel totally harmless now, but you might end up with enemies in the future. If someone wants to make your life miserable for whatever reason, it's much easier to do if they know where you live and if you have a family or not.

What's the most memorable sauna you've ever been to?

There's plenty of great saunas here in Finland, of course. But the most memorable one? That would be the sauna in the Westin Hotel in Cape Town, South Africa. Amazing view! Runner-up would be the sauna world Finnair used to have at their premium lounge.

Pinball Dreams, Pinball Fantasies, or Pinball Illusions?

Stern Premiums or Limited Editions.

Infosec 30 years ago largely consisted of SIPRNet and maybe other government sponsored shenanigans, and seemed largely unheard of in the corporate world (from my experience).

Given my experience was VERY narrow from that timeframe, can you share notes on what you encountered during that timeframe, and how things have evolved?

Infosec 30 years ago was largely about OFFLINE security. Internet was inaccessible to almost all companies and most organizations did not even have a local network; we certainly didn't. Companies had stand-alone PCs and Macs and files were moved between computers on floppies. International data transfer happened when you took a floppy and boarded a plane.

It seems almost absurd that we would have seen big problems with such a restricted offline environment, but we did. Many of the large malware outbreaks of the early 1990s went truly global and managed to even infect computers in the research stations at Antarctica. Of course, spreading speeds were much slower than with network worms.

Should people read ur book?

y̸̺̍e̶̢͖͕͝͠s̵͔̅

In 2022, how bad is it really to have one (or more) dictionary words in a password of otherwise decent complexity? (eg, say, 20+ character length, mixture of lower and upper case, numbers, symbols.)

20+ characters with mixture of lower and upper case, numbers, symbols is good enough. Just don't use the same one on every system.

Regarding the whe "Trump keeps classified info in his golf club scandal" and given the apparent lack of security for highly sensitive files at Mar-a-lago, what do you think the chances are that important info was actually compromised/ accessed?

I don't know Trump but he sure seems like a loose cannon, for a president.

What are your fondest memories of Commodore 64?

Probably the long hours I spent building a 1541 turbo loader. It was such an elegant piece of code. However, my proudest moment is having one of my games archived in a museum. Check it: https://twitter.com/mikko/status/977287981911433217

You play fortnite?

I play Defender and Xevious,thank you very much!

Was Mcafee a skilled hacker?

I've been around forever and I've met pretty much everyone, including all the old school people like Peter Norton and Cliff Stoll. But I never did meet John. So, I don't know.

What does the S in IOT stand for?

Edit: The answer is "Security"

sucker.

How do you spot a catfish these days when Instagram and most private photo repositories cannot be reverse image searched?

GAN and DALL-E killed reverse searches; there's no need to steal profile images any more as you can just generate them.

Hair care routine? Also, have you ever got your hair caught in a door as you closed it behind you, and how does a researcher go about getting information on how online crime gangs operate?

Wash daily. Finding information on organized crime gangs typically means undercover and infiltration work, ie. hanging around in the forums and chats as one of them.

Miksi kirjoitat sukunimesi väärin? Olet Hyppönen etkä Hypponen.

(Why do you misspell your surname? You are Hyppönen, not Hypponen.)

I've always used Hypponen for international use and Hyppönen in Nordic and German-speaking countries. Why do it? Well, just imagine U.S. people trying to search for my book in online bookstores.