Slashdot Mirror


Interviews: Ask Security Expert Mikko Hypponen A Question

Even if you spend only a fraction of your time on security news, you probably already know Mikko Hypponen (Twitter, Wikipedia). He is the Chief Research Officer at F-Secure, a security firm he joined over two decades ago. Hypponen has assisted law enforcement in the United States, Europe and Asia on cybercrime cases, and has also made several appearances on BBC, TED talks, TEDx, DLD, SXSW, Black Hat, DEF CON, and Google Zeitgeist among others. He has also written for CNN, The New York Times, Wired, and BetaNews.

Hypponen has closely watched computers, networks, and security spaces grow over the years. In 2011, Hypponen tracked down the authors of the first PC virus in history -- Brain.A. Whether you want to know about the early days of malware -- when it was mostly created by hobbyists -- or get an inside view of the challenges security firms face today, or learn how exactly one keeps oneself safe in an increasingly terrifying world, use the comments section to leave your question.

Editor's note: We will be collecting some of the best questions and sending them to Mikko at 22:00 GMT, Monday.

10 of 133 comments

  1. Anti-virus software by NotInHere · Score: 4, Interesting

    With the recent reports of anti-virus software sometimes actually adding security vulnerabilities to the systems, and the fact that Windows ships with its own bundled anti-virus, what advantages do commercial third-party anti-virus solutions offer these days?

    I'm wondering specifically about the Windows desktop, because this is the platform usually targeted by attackers.

  2. are Smartphones spyware we pay for? by turkeydance · Score: 3, Interesting

    "Edward Snowden has warned that no smartphone is safe..." Is he correct? http://www.v3.co.uk/v3-uk/news...

  3. Internet of things by NotInHere · Score: 5, Interesting

    One of the big security problems of Android is that you are unable to receive any software updates, including security patches, once the hardware manufacturer decides so, and hardware manufacturers have an interest in not providing updates because they cost money to test and deploy, and because missing updates create an incentive for the customers to buy newer hardware.

    This issue affects all places where the hardware vendor also supplies the software, and will become more and more important, as internet-connected software makes its way into more and more things around us.

    How can this problem be solved?

  4. Capability based security by ka9dgx · Score: 3, Interesting

    Have you looked into Capability based Security Operating Systems such as Genode? (Genode.org) They seem to offer a way for users to decide what to trust, instead of being forced to blindly trust everything every app does.

    What do you think about this approach to security?

  5. PHK criticizes HTTP/2; do you buy it? by epine · Score: 3, Interesting

    As it happens, I read the following article by Poul-Henning Kamp just the other day and had mixed feelings.

    HTTP/2.0 — The IETF is Phoning It In (January 2016)

    Mikko, what's your take on HTTP/2.0 in light of PHK's declared position?

    For context, here are the two points that raised my own eyebrows.

    First, PHK implies that HTTP/2.0 could have done something substantial to address the cookie problem.

    "This is almost triply ironic, because the major drags on HTTP are the cookies, which are such a major privacy problem, that the EU has legislated a notice requirement for them. HTTP/2.0 could have done away with cookies, replacing them instead with a client controlled session identifier. That would put users squarely in charge of when they want to be tracked and when they don't want to—a major improvement in privacy.

    "The reason HTTP/2.0 does not improve privacy is that the big corporate backers have built their business model on top of the lack of privacy. They are very upset about NSA spying on just about everybody in the entire world, but they do not want to do anything that prevents them from doing the same thing."

    Second, PHK implies that encryption is enough of a burden in certain circumstances to make exceptions to the privacy by default revolution. My own gut instinct is that SSL is already cheap enough to simply write off across the board as the cost of doing business, almost always.

    "Local governments have no desire to spend resources negotiating SSL/TLS with every single smartphone in their area when things explode, rivers flood, or people are poisoned. ... Yet, despite this, HTTP/2.0 will be SSL/TLS only, in at least three out of four of the major browsers, in order to force a particular political agenda."

    Isn't it a rather crappy security profile to leave your "innocent" activities in clear text and only encrypt what is conventionally considered "sensitive"?

    I did read a valid complaint the other day, where people writing servers trying to maintain 100,000 persistent SSL connections (average connection time measured in hours) become hot and bothered about the 20 kB per connection memory cost, enough to throw away a Go implementation (heavier in memory overhead) and go back to Ruby.

    What say you about the technical/political HTTP/2 tango?

  6. Is it too late? Have we lost the battle? by dougTheRug · Score: 3, Interesting

    Hi Mikko, in my day job I am a security evangelist, carrying out developer education and design reviews. For 8 years previous to that I helped companies use static analysis to detect and eliminate security vulnerabilities at the implementation layer. I am becoming convinced that, with the poor state of software today and extreme complexity, there is simply no way the good guys can win. Defenders have to get it right every single time, while the bad guys only need to be right once to establish an APT and destroy your company. If the bad guys were parasites I would say this would all simmer down to a balancing point where the parasites existed off a slow background noise of constant attacks, but never enough to kill civilization completely. But with a lack of collusion, attackers are more likely to race to the bottom and to not pay attention to the health of their host. So basically my prediction is: crime will eventually kill technology; it will become unusable. Do you have a more hopeful outcome for us?

  7. some wisdom on the future... by Anonymous Coward · Score: 2, Interesting

    We (as a society) put different emphasis on security and privacy at different times. What do you think we should optimize for and where do you think is the optimum? How do you see the capabilities of our civilization evolving over the next 100-200 years? As a budding PhD student, should I take security as a primary focus? What would be your best advice?

  8. Intel ME (& AMD equivalent): risks & mitig by Anonymous Coward · Score: 5, Interesting

    Dear Mr. Hypponen,

    As a security expert, what would you consider to be the real risks from Intel ME (& AMD equivalent) technologies for the average business? Is there a particular mitigation strategy you would recommend?

    By average business I mean a company that engages in financial transactions with its vendors and customers. I'm also assuming that at least some of these companies have trade secrets they want to protect from their competitors.

    Many thanks for taking the time to answer our questions.

    Kind regards,
    A

  9. Question by Anonymous Coward · Score: 3, Interesting

    My question is fairly simple and to the point: Do you have a favorite "That one who got away" story? By that I mean some piece of malware you could almost track down the creator of, figure out how it worked or automate discovery of it, but not quite?

  10. Computer health class by hendric · Score: 4, Interesting

    What would you like to see in a computer 'health' class? After cleaning up several of my son's friend's computers from rampant spyware/malware/etc, it's clear that kids are given computers without any real training or discipline in how to protect themselves.

    With all the sharing done on social media today, including lists and 'here's how to generate your porn/potter/star trek/etc name based on street address/birthday/etc', what alternate security questions (if any) should a website use to verify identity?

    --
    "Though it may take a thousand years, we shall be FREE."