Interviews: Ask Security Expert Mikko Hypponen A Question

Even if you pay only a fraction of your time on security news, you probably already know Mikko Hypponen (Twitter, Wikipedia). He is the Chief Research Officer at F-Secure, a security firm he joined over two decades ago. Hypponen has assisted law enforcement in the United States, Europe and Asia on cybercrime cases, and has also made several appearances on BBC, TED talks, TEDx, DLD, SXSW, Black Hat, DEF CON, and Google Zeitgeist among others. He has also written for CNN, The New York Times, Wired, and BetaNews.

Hypponen has closely watched computers, networks, and security spaces grow over the years. In 2011, Hypponen tracked down the authors of the first PC virus in history -- Brain.A. Whether you want to know about the early days of malware -- when they were mostly created by hobbyists, or get an inside view of the challenges security firms face today, or how exactly does one keep himself or herself safe in the increasingly terrifying world, use the comments section to leave your question.

Editor's note: We will be collecting some of the best questions and sending them to Mikko at 22:00 GMT, Monday.

Wording...

[jo7hs2]

Brain.A was the first MS-DOS virus...so it was first IBM PC-compatible virus but not the first "personal computer" virus.

Security awareness training

Do you have any suggestions on how to create a successful security awareness program in a tech company? Some like Bruce Schneier prefer the time and money is spent on better security engineering. Any experts or articles or books you can recommend?

Anti-virus software

[NotInHere]

With the recent reports of anti-virus software sometimes actually adding security vulnerabilities to the systems, and the fact that windows ships with its own bundled anti-virus, what advantages do commercial third party anti-virus solutions these days offer?

I'm wondering specifically about the windows desktop, because this is the platform usually targeted by attackers.

Re:Anti-virus software

windows defender is already useless.

they all test for passing it.

it doesn't see shadow hidden files. it doesn't protect against uefi drops. it doesn't protect against attacks done by using windows services(the group policy remote managemnt, rmi etc are most powerful attack tools ever).

are Smartphones spyware we pay for?

[turkeydance]

"Edward Snowden has warned that no smartphone is safe..." Is he correct? http://www.v3.co.uk/v3-uk/news...

CPU

What are the pre-2008 intel and pre-2013 AMD processors that you consider the most secure?
What are the ones with the most vulnerable erratas? In short What are the fastest AND safest one?

  https://libreboot.org/faq/#intel
  https://libreboot.org/faq/#amd

Internet of things

[NotInHere]

One of the big security problems of Android is that you are unable to receive any software updates, including security patches, once the hardware manufacturer decides so, and hardware manufacturers have an interest in not providing updates because they cost money to test and deploy, as well as missing updates create an incentive for the customers to buy newer hardware.

This issue affects all places where the hardware vendor also supplies the software, and will become more and more important, as internet connected software gets its way into more and more things around us.

How can this problem be solved?

Re:Internet of things

[RubberDogBone]

One of the big security problems of Android is that you are unable to receive any software updates, including security patches, once the hardware manufacturer decides so, and hardware manufacturers have an interest in not providing updates because they cost money to test and deploy, as well as missing updates create an incentive for the customers to buy newer hardware.

This is not true. My Android Nexus phone receives MONTHLY security updates direct from Google, along with any OS updates, beta versions if I want to try them, and so. Google did not make or manufacture this device. The FCC registration lists Huawei as the maker but Huawei has no say in updates or anything else to do with this phone. Neither does any cell carrier. . Nobody has any control over this device except Google, and me. And Google has been extremely proactive in pushing updates when needed.

So, your statement that "any" Android cannot receive updates except from manufacturer is not accurate. Maybe it is true for most Android devices, rather than all, but that's not what you said or meant.

Re:Internet of things

[AmiMoJo]

A related question: Is this a big issue for Android devices at all? We don't see vast botnets of Android phones and the only viruses that appear all seem to be trojans, i.e. they requite the user to enable installing apps from outside the Play Store and click through numerous warnings, and now on Android 6 click through yet more permission requests.

Is Android proof that the "defence in depth" technique is effective?

Re:Internet of things

[opentunings]

One division of my employer is in the business of testing cell phones for compatibility with the various cell switches, prior to the phone's release to the market. Part of my paycheck is funded by the work we do for these companies. NotInHere's comments are true: the consumer is at the mercy of the manufacturer (and probably the cell phone provider too) in terms of receiving updates.

The question should stand, imho.

Capability based security

[ka9dgx]

Have you looked into Capability based Security Operating Systems such as Genode? (Genode.org) They seem to offer a way for users to decide what to trust, instead of being forced to blindly trust everything every app does.

What do you think about this approach to security?

notability hole

[epine]

Even if you pay only a fraction of your time on security news, you probably already know Mikko Hypponen.

Nope. It was only recently (about a year ago) that I started to keep a formal list of prominent people in the security sector and, until five minutes ago, he was not there. It was the mosh pit of DNS and SSL security that finally drove me to it. To be honest, it was also the somewhat volatile Thomas H. Ptacek who drove me to it. Here's Colin Percival's rather decisive rebuttal to an ill-considered post by Ptacek.

My Very Important Knob

Interestingly, Ptacek's original post, "Colin's Very Important Knob" is nowhere to be found on the internet. Since then, I've seen them engaging in pleasant, but opinionated exchanges. Normally, you can get a quick sense of who hates whom, but with security it's more like the way certain animals share a kill: with cheeks shredded and bleeding. No hard feelings. They might even be brothers.

Even if you pay only a fraction of your time on security news

Hmm. The eyeball economy is strong in this one.

PHK criticizes HTTP/2; do you buy it?

[epine]

As it happens, I read the following article by Poul-Henning Kamp just the other day and had mixed feelings.

HTTP/2.0 — The IETF is Phoning It In (January 2016)

Mikko, what's your take on HTTP/2.0 in light of PHK's declared position?

—

For context, here are the two points that raised my own eyebrows.

First, PHK implies that HTTP/2.0 could have done something substantial to address the cookie problem.

This is almost triply ironic, because the major drags on HTTP are the cookies, which are such a major privacy problem, that the EU has legislated a notice requirement for them. HTTP/2.0 could have done away with cookies, replacing them instead with a client controlled session identifier. That would put users squarely in charge of when they want to be tracked and when they don't want to—a major improvement in privacy.

The reason HTTP/2.0 does not improve privacy is that the big corporate backers have built their business model on top of the lack of privacy. They are very upset about NSA spying on just about everybody in the entire world, but they do not want to do anything that prevents them from doing the same thing.

Second, PHK implies that encryption is enough of a burden in certain circumstances to make exceptions to the privacy by default revolution. My own gut instinct is that SSL is already cheap enough to simply write off across the board as the cost of doing business, almost always.

Local governments have no desire to spend resources negotiating SSL/TLS with every single smartphone in their area when things explode, rivers flood, or people are poisoned. ... Yet, despite this, HTTP/2.0 will be SSL/TLS only, in at least three out of four of the major browsers, in order to force a particular political agenda.

Isn't it a rather crappy security profile to leave your "innocent" activities in clear text and only encrypt what is conventionally considered "sensitive"?

I did read a valid complaint the other day, where people writing servers trying to maintain 100,000 persistent SSL connections (average connection time measured in hours) become hot and bothered about the 20 kB per connection memory cost, enough to throw away a Go implementation (heavier in memory overhead) and go back to Ruby.

What say you about the technical/political HTTP/2 tango?

Re:PHK criticizes HTTP/2; do you buy it?

[allo]

> To the point that EU cookie notice popups have become more annoying than ads and I need an adblocker to get rid of them. Thanks a lot, EU.
The point is, that companies try to ignore the law that way.

"You're agreeing to cookies by visiting this page [OK]".
Hey, you set a cookie, before i could even read your message. I expect to get NO cookie at all before clicking ok.

There just needs to be prosecution for this practice and a requirement for real informed consent. "We do not really need cookies, but our user tracking depends on them. Accept some cookies? [yes, i like to be trackedn] [Fuck off, just show me the content]".
Of course the requirement needs to include, that not showing content, even when it would be possible without cookies is illegal. So a shopping cart requireing an session cookie should be okay (even without asking, as implicit consent), some tracking cookie should never be okay.

Obvious question: Clinton

What is your opinion on the Hillary Clinton email scandal, specifically with respect to the security of her personal server and Guccifer's claims re hacking the server.

Is it too late? Have we lost the battle?

[dougTheRug]

Hi Mikko, in my day job I am a security evangelist, carrying out developer education and design reviews. For 8 years previous to that I helped companies use static analysis to detect and eliminate security vulnerabilities at the implementation layer. I am becoming convinced that, with the poor state of software today and extreme complexity, there is simply no way the good guys can win. Defenders have to get it right, every single time while the bad guys only need to be right once, to establish an APT and destroy your company. If the bad guys were parasites I would say this would all simmer down to a balancing point where the parasites existed off a slow background noise of constant attacks, but never enough to kill civilization completely. But with a lack of collusion, attackers are more likely to race to the bottom and to not pay attention to the health of their host. So basically my prediction is: crime will eventually kill technology; it will become unusable. Do you have a more hopeful outcome for us?

Re:Is it too late? Have we lost the battle?

[ka9dgx]

Doug, there are many non-technical networks in the world which are very complex, have threats against them, yet manage to persist in spite of those threats. For example, consider the world of banking prior to computing. Every branch was subject to attack, but at worst, the financial losses in any theft were limited to those on hand in the vault. There was no way to leverage an activity in one branch against the whole of the banking system.

However, in modern operating systems, there is no practical way to segregate activity of any program to a limited sphere of influence... any line of code can be used as a lever to attack the whole system. There are operating systems which require the user to specify which files and/or folders a process is allowed to use, in a user friendly way.... they are by no means common, nor mainstream... but they do exist, one such example is the Genode project.

This ability to actively and positively limit the scope of changes of any line of code means that complexity doesn't have to equate to insecurity, at least from my perspective. The power grid functions with millions of end points, but circuit breakers keep errant toasters from taking down the grid. The same can be done with computing, and it doesn't have to be user hostile.

The war is not lost, but we have to stop building our fortifications out of crates of C4 before we can turn things around.

Re:Is it too late? Have we lost the battle?

[swb]

IMHO, the future doesn't look good. Less because security is hard and more because technology business has become so focused on data collection that it almost supersedes the product, even when the product is physical (and in Google's case it is the product).

With corporate business focus on data collection, you have a built-in incentive for the kinds of backdoors, lack of user control and monitoring that helps enable security problems, not prevent them. As long as the technology business is in a data-is-the-product paradigm, the software systems will have increased vulnerability.

I think it will take a substantial paradigm shift, probably brought on by some kind of catastrophe to change this, probably forced via legislation as substantial as something like the Pure Food and Drugs act.

Re:OKKAY

[PopeRatzo]

Finnish has a contrast between single and double (aka 'geminate') consonants. Have a look at: https://en.wikipedia.org/wiki/...

I've seen some Finns I'd like the geminate with.

Why do people claim security...

[Khyber]

... while they're using untested and not standardized (hell, not even Version 1) protocols? Example, Discord using WebRTC and claiming it's secure.

Re:Why do people claim security...

[Ash-Fox]

... while they're using untested and not standardized (hell, not even Version 1) protocols? Example, Discord using WebRTC and claiming it's secure.

WebRTC testing in Chrome? There, some testing? Or did you want some security testing of WebRTC? Seems tested to me?

It's using DTLS to handle encryption which is fairly standardized and provided by every most multi-purpose encryption libraries out there.

Is this another of your stories? All you have to do is call "TempDog", that's all it takes!

Re:Why do people claim security...

[Khyber]

You do know WebRTC leaves the fucking data channel wide open once you accept Video and Audio channels, never once asking for authorization? You do know WebRTC has a nasty habit of allowing IP addresses to be revealed?

You keep talking shit when you don't know shit.

Re:Why do people claim security...

[Ash-Fox]

You do know WebRTC leaves the fucking data channel wide open once you accept Video and Audio channels, never once asking for authorization?

Yes, I did read the document I linked which mentioned session hijacking. As I said, it's been tested.

You do know WebRTC has a nasty habit of allowing IP addresses to be revealed?

If you were concerned about concealing your normal provider's IP address, why would you not be using a network wide VPN? You can practically discover someone's publicly routable IP address in so many different ways. The webbrowser alone makes it easy. Being online and assuming someone nefarious doesn't have your publicly routable IP address is a false sense of security, especially since the entire range is being brute-forced continuously by worms.

But ignoring this, if you look at Google's implementation, they're pushing all traffic through their TURN server. So the issue is already resolved with a implementation change on the hosting provider's side without breaking the specification which solves this. Also, unsurprisingly, the document I linked even includes some of this information!

So, you going to call "TempDog" now? That's all it takes!

some wisdom on the future...

We (as a society) put different emphasis on security and privacy at different times. What do you think we should optimize for and where do you think is the optimum? How do you see the capabilities of our civilization evolving over the next 100-200 years? As a budding PhD student, should I take security as a primary focus? What would be your best advice?

three questions

[Aryeh+Goretsky]

Hello Col. Hypponen,

I have three questions for you:

1. Do you think it is still possible to secure embedded systems (aka the Internet of Things), or is that an impossibility now, practically speaking?

2. If there was one thing you could every average computer user to do to improve their security, what would it be?

3. If you were a person of interest in the murder of your neighbor in a tiny Central American country, what would your strategy be for clearing your name?

Thank you for taking the time to read this. I look forward to your answers.

Regards,

Aryeh Goretsky

Re:OKKAY

The name should be Hyppönen, by the way.

It's called vowel harmony, and mixing the front vowels (y, ä, ö) with back vowels (a, o, u) in a single word is forbidden, except in compound words.

https://en.wikipedia.org/wiki/...

I love how slashdot cuts off raw wikipedia links just before the article name.

Re: What a stupid question. I'll ask a good one.

[TeknoHog]

Why do you want a Bluetooth toothbrush anyway,

I like my teeth white rather than blue, thanks.

Application white-listing for Network Access

[TrimTabTim]

Since moving to Linux about 8 years ago, there's been one thing I have missed, which i still feel is a regression: The ability to use 3rd party purchased programs to control what local processes may access the network. No operating system makes this default, but in Linux-Land, it seems guys like me get actively ridiculed for suggesting "blocking a port" != "blocking an app", which is a bit annoying. There are some promising projects like SELinux, but to date, they are not able to bring this capability into user space in any meaningful or intuitive way that I've been able to find.

Reason I ask: I respect the technological challenge this problem poses, but it still just seems like low hanging fruit to by default say: Programs don't get resources unless a user with elevated rights decides to permit this. It's not like it has never been done before. To imagine the potential benefit: Crypto ransom-ware could be de-fanged if one could decide to only whitelist processes they trusted. If malwareX found its way onto your system, but couldn't by default access corporate network file shares then damage would be hugely negated. While we're at it, let's take away default local disk access outside of highly constrained limits.

Yes. It is a continuation of the cat and mouse game, but currently it seems like the good guys working on desktop OS's aren't putting up much of a fight. My Linux smart phone has better permission controls than my Linux laptop for crying out loud...

The question:
Why do you think the computing industry is so trusting of developers and the corporations that feed them, that they by default always give processes unfettered and unquestioned access to the internet? Are the foxes watching the chickens? Do you foresee any improvements coming in our lifetime?

Or are we doomed? Shall we just roll over and trust our new programmer overlords without question?

Re:Application white-listing for Network Access

[allo]

Maybe you just have a look at cgroups and iptables.

But it's bullshit. If you run untrusted software, you're fucked. Linux users just know it and tell it straight forward, many windows users believe in claims of so called firewall apps.

Easy example for windows: There is an api to fetch urls using IE dlls. This means, a program wanting to communicate even when the firewall blocks all ports, just uses this api and can talk to its server using a operation system process. One, the firewall probably cannot block and if it can, you will have whitelisted it as all other stuff is broken if you don't.

So. STOP. RUNNING. UNTRUSTED. CODE.

Re:Application white-listing for Network Access

[TrimTabTim]

Hey allo, you are right of course. But....

Yeah I've heard this argument before many times, and believe me, i don't go looking for un-trusted code to run! But we now live in a world where NO code can be trusted. The corporations would seek rent in perpetuity, and bad actors can exert their will on open source projects in a number of profound ways; if not through outright deception, then through controlling payroll and funding for developers.

However, i also know that there are things called process trees. Dockers. VM's. To be a functional OS, "something" needs to be tracking at some level which processes have instantiated other process so it can, well, simply be an operating system. This something should grow to a level we can trust in protecting us rather than the current state of unfettered resource access to any code that asks for it.

On the side I was thinking of obfuscation techniques when i was thinking of the cat and mouse problem. Processes hiding their actions and weaseling out of whatever controls the OS is trying to enforce is an age old comp. sci. battle zone. But i still think this is a worthy and beatable computer science problem.
I'd love to hear Mr. Hypponen's take on it.

Re:Application white-listing for Network Access

[allo]

So, easy route, which might be secure:

- Install some linux
- add a user "restrictednet"
- add a firewall router -A OUTPUT -m owner --uid restrictednet -j DROP
- run stuff as this user

you will still leak anything triggered by setuid programs as ping, dns requests made by the system, etc.

more secure:
- run a vm as this user. Then everything the program can generate is owned by the restricted user.

more flexible:
use firewall rules matching a cgroup, put programs / vm-instances in the cgroup. This allows you to switch network on/off for programs on the fly, but requires some care (as for example you need to make sure you add the pid to the cgroup, you need to create the cgroup in some bootscript, i think you need to add firewall rules after the cgroup was created, etc.)

Intel ME (& AMD equivalent): risks & mitig

Dear Mr. Hypponen,

As a security expert, what would you consider to be the real risks from Intel ME (& AMD equivalent) technologies for the average business? Is there a particular mitigation strategy you would recommend?

By average business I mean a company that engages in financial transactions with its vendors and customers. I'm also assuming that at least some of these companies have trade secrets they want to protect from their competitors.

Many thanks for taking the time to answer our questions.

Kind regards,
A

Re:Why isn't there more concern about systemd?

[telchine]

Congratulations of receiving so many responses on your post about a pet issue of yours - all from different users too - all of which have exactly the same style of grammar, spelling and punctuation as you do. Isn't that a weird coincidence :)

Analog off-switch for microphones etc

Do you think there should be more practical laws protecting people's privacy?

For example, I believe it should be mandatory for the manufacturers of any electronic devices that possess a microphone (primarily smart phones, tablets, laptops, and smart TVs) to provide physical analog controls to switch them (the microphones) off when desired, without having to power off the device itself. Moreover, the cables leading to the microphone and the switches that cut off the power to them should be easy to inspect by any (non-technical) consumer.

This would prevent let's say my Samsung smart TV from 'accidentally' recording every conversation I have in my living room, and sending it to third parties for analysis. It will also prevent malicious actors from eavesdropping, even if they manage to break into the device and install spyware.

Maybe the analog switches could also work for disabling the camera, wifi and bluetooth.

What do you think is the best way to bring about such changes in law?

Thanks,
Dex

Re:Electronic payment through untrusted devices

[Ash-Fox]

Buy a pre-pay Visa/Mastercard from a gas station.

Re:What a stupid question. I'll ask a good one.

[PopeRatzo]

You have a chance to ask one of the leading security experts a question, and that's what you come up with? Fucking pathetic!

You're right, I'm so ashamed. Let me try again:

Mikko Hypponen (if that is your real name), it seems like the internet has never been less secure. Can you explain how and why security experts have failed so miserably?

Protect from intruders, not the legitimate user?

[mlts]

Here is something often conflated: A device may be secure because a user can't get any access to it, but it may be easily compromised from remote. How would one make a device that the user can easily flash, and do what they please with, even flashing a custom OS or firmware, while still making it resistant from remote, and perhaps local attacks? The closest I've seen is Android, which when rooted loses none of its security (other than a user hitting "allow this app to run as root") by accident. Other ecosystems, like iOS, have their entire security model destroyed by jailbreaking.

Supe?

[rossdee]

Didn't I see this yesterday?

Re:I asked Aryeh Goretsky of ESET/NOD32

[Opportunist]

Up until you trying to make me use bing I was with you.

Question

My question is fairly simple and to the point: Do you have favorite "That one who got away" story? By that I mean some piece of malware you could almost track down the creator of, figure out how it worked or automate discovery of it, but not quite?

IoT

[Sir_Eptishous]

Do you feel security on IoT devices will ever get close to effective, or will the advent of the IoT become a security nightmare?

Re:True security

Hi!

Mikko here... to better answer your question, could you please provide your social security number? Thanks.

Computer health class

[hendric]

What would you like to see in a computer 'health' class? After cleaning up several of my son's friend's computers from rampant spyware/malware/etc, it's clear that kids are given computers without any real training or discipline in how to protect themselves.

With all the sharing done on social media today, including lists and 'here's how to generate your porn/potter/star trek/etc name based on street address/birthday/etc', what alternate security questions should (if any) a website use to verify identity?

Predators [Re:Is it too late? Have we lost...]

[XXongo]

Defenders have to get it right, every single time while the bad guys only need to be right once

That is the typical predator/prey asymmetry.

The lion has to only win the chase every now and then. The antelope has to win the chase every time.

Security vs Insecurity Experts

[bluefoxlucid]

What are your thoughts on the computer security industry's current trend of staffing computer security professionals who look at industry best practices and security products to run down a checklist of actions? I often point out that many (approximately *all* that I've met) computer security professionals are big on password policy, anti-virus, patching, and the like, and *never* sit down to develop operational risk and threat models. In essence: what's going on in the industry with security as simple compliance (executing a prefabricated list of tactics) versus security as an organizational strategy (studying the field and selecting what tactics to apply, and where and how)?

Re:Security vs Insecurity Experts

[Bob+the+Super+Hamste]

Sounds like I have been doing shit wrong and could have gotten things done quicker and slacked off. I do start with the lists of best practices and regulations. Then I go and check their layout, settings, firewall rules, configuration, physical security, etc. seeing how they are running things. After that I go and do a proper vulnerability scan and system scan (outside looking in and inside looking out) to see if what they say their system is setup as is what is actually is. If the customer allows it I do some pen testing on links coming in, physical penetration testing with a little bit of social engineering, or pen testing from machine to machine in their environment. Finally after all that I spend a whole pile of time going over the collected results and create a nice report where I organize the threats and risks into actual threat levels and provide mitigation or remediation steps. Typically I spend 2 weeks on site gathering data, and then about another month going over it. I have never been a big fan of checkbox security as it leads to lots of stupid crap but there is something to be said for going through them because I have found a lot of low hanging fruit that was simply overlooked by others.

Re:Security vs Insecurity Experts

[bluefoxlucid]

I've dealt with a lot of people who argue that the checklist is the only thing important. I've brought up the concept of identifying our assets, determining their importance, and creating trust zones and access controls based on that; people just roll their eyes and point out that the general NAS only allows finance to access the high-sensitivity finance share, and marketing to access marketing shares, etc. Put the finance NAS behind an ASA that does subnet and domain logon checking so that only certain groups in certain subnets can access it? Rubbish.

Yes, modern ASAs will do this: a server can be in some subnet and firewalled based on that, and the firewall can also ask a nearby Domain Controller who is logged into that PC. If it's not someone in Finance, it's also firewalled. Strict firewalls and inline malware protections such as Fortigate's firewall-AV or Sourcefire AMP reduce the risk of malware spread across the network; and, more simply, if Finance has its own NAS, then a malware infection spreading to the NAS used by Sales (as in: physically becoming an active process on the Windows server host) won't be able to use any elevated privileges to write to all other shares (Finance, Accounting, Marketing) and replace document files with malware! That's a scenario I've seen in real life: a worm got admin privileges, uploaded itself to a file share, and replaced every .docx and .pdf with a .docx.exe that infected the client and opened the original file as expected--and the same share storing all of Finance and Accounting's data also stored the roaming profile for the people at the front reception desk!

You'll notice these things aren't unbreachable; they're damned inconvenient to breach, and slow down (or halt) automated spreads. An active hacker can wiggle his way through if he can get domain admin credentials. The scope of blunt port scanning and network service (and client) discovery is sharply reduced; actually *finding* resources to attack is hard; and you gain some time and efficiency at stopping malware spread or closing the hole an active adversary used to gain primary access. It makes a huge difference in the scope of damage left after a breach, and generates additional information during an on-going breach so that you can detect and react to the event more rapidly.

Everybody just wants to say, "Oh, we had some trouble with Trend Micro, so we installed Sophos!" It sounds like they're doing something, even though they have production finance databases running on the same VMware host as DMZ public-facing services with public IPs, with just some VNICs having a public, unfirewalled IP address and other VNICs being in an internal VLAN--there's no way a blunt, unfiltered, bare Internet port connected to a VMware server could pose a threat, right? Physically-separate trust zones are just work.

What do you think of "stunt hacking"

[ageoffri]

What is your thoughts on companies that do public demonstrations of how to execute AV bypass? Are these companies providing a service to the public by doing webcasts that give a high level overview and show an AV bypass working on the latest version of a companies AV?

Ob

[Hognoxious]

Do you enjoy being a security expert more than driving a racing car?

Re:OKKAY

[PopeRatzo]

raikkonen, makkonen, welcome to planet Earth...

Wait, you mean Finland is a real place? Who knew? I thought it was out of Tolkien or something.

My bad.

Will e-voting ever be secure enough

[braincode]

A recent post from David Dill from Stanford University stated that "Online Voting Is a Danger to Democracy"[1]. Given that viruses and security breaches seem to be on the rise lately, do you see e-voting being established in our lifetime? [1]: https://engineering.stanford.e...

Ubuntu Guest User

[kreuzotter]

The default ubuntu installation has a guest user without password. This feature can be turned off but I noticed that every once in a while the configuration changes (move from /etc/lightdm to /usr/share/lightdm without removing /etc/lightdm for example) so that if you don't pay attention the guest user is back. In my opinion the guest user removes one barrier for an attacker and is a bad idea.

Which as-yet un-asked question....

[easyTree]

...would you most like to answer?

Which is more important: edge or app?

[Lodragandraoidh]

Huge efforts and money are spent protecting the edges of the network - whether it be firewalls and other router configurations, OS level configurations, and other filtering tools (such as virus detection and scanning, and log and packet inspection and analysis tools). There are also plenty of security companies willing to sell you a magical black box that will solve all of your security problems.

The opposite seems to be the case when it comes to spending time and money on the security of applications used by internal and external customers - either through retrofitting existing applications, or when building new applications. Companies don't want to spend money to retrofit sunk capital, and I don't see security firms talking about or creating tools and common standards for building new secure applications.

Given this dichotomy, do you think that is a correct characterization of the problem space, and do you think we are spending our time and money in the right places as a result?

Re:Electronic payment through untrusted devices

[Ash-Fox]

Sorry, too little information to help.

Re:Electronic payment through untrusted devices

[Ash-Fox]

I don't live in the USA.

Neither do I.

It's not possible to buy a prepaid internet card at a gas station or at a supermarket where I live.

I didn't talk about "Internet cards".

What more would you like to know?

Your location.

Re:Electronic payment through untrusted devices

[Ash-Fox]

I live in the Netherlands.

Oh, Nederlands. Well I have known for a fact that Mastercard does have pre-paid cards there (I was looking to move there back in 2001 and I was quite aware of these back then).

Unsurprisingly, looking at it on Google, I found a fair few results on such cards. The security on pre-paid items tend to be quite poor. The trick is, you want to use something like a pre-paid gift card as they do not have a name associated with the card it self, so you're able to make payments with either any name, or a name you came up with out of nowhere during registration.