The Slashdot Interview With Security Expert Mikko Hypponen: 'Backupception'
You asked, he answered!
Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.
Security awareness training
by Anonymous reader
Do you have any suggestions on how to create a successful security awareness program in a tech company? Some people like Bruce Schneier prefer the time and money spent on better security engineering. What's your take on this?
Mikko Hypponen: If there's one thing that I have learned over my 25-year career in computer security, it is that people never learn. They just won't. They will always follow every link, they will always double-click on every attachment, they will always type their password on every phishing site. Quite often, education just seems like a waste of time. I think we should do the best we can to move the responsibility away from the end user, as much as we can. Most users can't handle it, anyway. The average Slashdot reader can, but most can't.
Anti-virus software
by NotInHere
With recent reports of anti-virus software sometimes actually adding security vulnerabilities to the system, and the fact that Windows ships with its own bundled anti-virus, what advantages do commercial third-party anti-virus solutions offer these days?
MH: Security companies should clearly do a better job in making sure their low-level code is not exploitable. Heck, there's still a lot of security companies who do not run an open bug bounty (we do)! Having said that, it's clear that anti-virus products drastically improve the security level of a typical workstation. We see this every day from our analytics. Every single day, we prevent tens of thousands of our customers from getting infected with malware. These are real cases where our product is the last layer of protection and the user would have been infected without us. The malware went through everything else, including Windows' own security layers, and we blocked it. Feels good, man.
Is it too late? Have we lost the battle?
by dougTheRug
Hi Mikko, in my day job I am a security evangelist, carrying out developer education and design reviews. For 8 years previous to that I helped companies use static analysis to detect and eliminate security vulnerabilities at the implementation layer. I am becoming convinced that, with the poor state of software today and extreme complexity, there is simply no way the good guys can win. Defenders have to get it right, every single time while the bad guys only need to be right once, to establish an APT and destroy your company. If the bad guys were parasites I would say this would all simmer down to a balancing point where the parasites existed off a slow background noise of constant attacks, but never enough to kill civilization completely. But with a lack of collusion, attackers are more likely to race to the bottom and to not pay attention to the health of their host. So basically my prediction is: crime will eventually kill technology; it will become unusable. Do you have a more hopeful outcome for us?
MH: Criminals need the internet to make money. They do not want to kill the net and they do not want to make it unusable for their victims. They do want to keep it operational - so they can make money. So, the internet is not about to crash any time soon.
Some wisdom on the future...
by Anonymous reader
We (as a society) put different emphasis on security and privacy at different times. What do you think we should optimize for and where do you think is the optimum?
MH: We are the first generation in mankind's history that can be monitored at this level. We can be monitored digitally throughout our lives. Almost all of our communication can be monitored one way or another. We even carry small tracking devices on us all the time - we just don't call them tracking devices, we call them smartphones. What does that level of monitoring mean to us in the long run? I'm afraid we do not have an answer for that yet. And, security and privacy are not a direct trade-off. We need both. It might be that we've already lost the war on privacy, but I refuse to accept that we would have lost the war on security too.
Complicated issues #1
by Aryeh Goretsky
Do you think it is still possible to secure embedded systems (aka the Internet of Things), or is that an impossibility now, practically speaking?
MH: Legacy appliance vendors know a lot about safety. But they don't know much about security. So you can rest assured that your smart lightbulb will not give you an electric shock, and it will not catch fire. But it will leak your wifi password. And this isn't getting better quickly, as security is not a selling point for household appliances: price is. Which means vendors are installing the minimum to their security features.
Users mostly don't care, as they don't understand the scope of the problem. "Why would anybody hack my fridge?" "Why would anybody hack my toaster?" Well, the attackers are not after your toaster: they are after your network. Your toaster is just the easiest way in. IoT devices are not the target - they are the vector. Even more so when those IoT devices are not at your home but at your office.
I'd like to think that in the long run IoT will turn out to be useful like the internet itself. It's clear that the internet exposed our systems to a wide range of new kinds of risks, but the benefits outweighed the risks. I hope that will apply to IoT one day as well.
Complicated issues #2
by Aryeh Goretsky
If there was one thing you could suggest every average computer user to do to improve their security, what would it be?
MH: Back up.
Back up your computer. Back up your phone. Back up your tablet.
Back them up so you can recover them even if your house burns down.
And then take a backup of your backup.
"Question"
by Anonymous reader
Do you have a favorite "That one who got away" story? By that I mean some piece of malware you could almost track down the creator of, figure out how it worked or automate discovery of it, but not quite?
MH: Oh, there are several mysteries in the world of malware research. I've always wondered where Dark Avenger is today. He was a legendary Bulgarian virus writer in the early 1990s and he was never caught. One rumour is that he's working at some motherboard vendor nowadays, writing BIOS code. Then there was the mystery of the WHALE virus. I still think about that sometimes, and about what the mysterious message 'I AM '~knzyvo}' IN HAMBURG' means. And then we have Conficker. It's still the most common malware out there today. It was a massive and well-orchestrated operation, for apparently no reason. I believe there's more to that story, but we don't have all the pieces of the puzzle.
Computer health class
by hendric
What would you like to see in a computer 'health' class?
MH: Things like:
- how to uninstall Java and Flash
- how to install a better browser
- how to drop the admin rights
- how to use a password manager
- a lecture on how things that seem too good to be true are never true, especially on the net
All my data is on google drive, so I know it's backed up.
If I ever lose anything, I'll just file a FOIA and get it back through the government.
My main question: should there be a regulatory agency who oversees various types of security practices for companies? There are already PCI standards, but that is brought on by the credit card industry, not government, and the penalty for not being compliant is just a small fee each month. An example of a problem I've seen in the wild: my old ISP transmits user passwords in plain text via unsecured email messages. This means the odds are also extremely high that they're also storing the passwords as plain text instead of properly hashed values. With this being an ISP, it wouldn't take much to perform a DoS attack on their entire network: just compromise their user account database, "login" to each account, and simply shut off service. When I spoke with the CEO and senior level techs in person at the company in question, they simply gave me a "that's not our problem" attitude, and the issue was never fixed. What sort of recourse should happen at that point, especially when there is the extreme monopoly practice with ISPs, limiting the options to switch to a more competent competitor?
Dark Avenger is working at AMI writing BIOS microcode.
His name has an umlaut. Scandic letter. Whatever you want to call it. The 'o' sound and the 'ö' sounds are completely different in Finnish.
Mikko Hyppönen
'ö' is similar to the vowel sound in the word 'bird'
'o' is similar to the vowel sound in 'thought'
"it's clear that anti-virus products drastically improve the security level of a typical workstation .. The malware went through everything else, including Windows' own security layers and we blocked it. Feels good, man."
Don't use anti-virus products, never got a virus, don't use Windows.
Notice how the client-side attacks through JS never stop? It's time to acknowledge that it will never be gotten right. Browsers should phase it out, with at most some whitelist exceptions that can only be made through nasty security dialogues like the ones for invalid SSL certificates. JS is just too powerful in the hands of bad people. Shut it down.
It took him nearly 4 months to answer and I estimate he answered less than 5% of all the questions posed. I remember some very interesting ones (for example this one) that were modded up and he didn't even bother with them.
If there's one thing that I have learned over my 25-year career in computer security, it is that people never learn. They just won't. They will always follow every link, they will always double-click on every attachment, they will always type their password on every phishing site. Quite often, education just seems like a waste of time.
Maybe he's just a bad teacher. I know plenty of people who have learned this.
"First they came for the slanderers and i said nothing."
APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...
Ads rob speed, security (malvertising) & privacy (tracking).
Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.
Works vs. caps & PUSH ads.
Avg. page = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.
Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity.
Compliments firewalls (blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).
Gets data via 10 security sites.
APK
P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "seen the code & it's safe" http://forum.hosts-file.net/vi... )
I've always wondered where Dark Avenger is today. He was a legendary Bulgarian virus writer in the early 1990s and he was never caught. One rumour is that he's working at some motherboard vendor nowadays, writing BIOS code.
"First they came for the slanderers and i said nothing."
I love this guy's take on "the one thing everybody should be doing a whole lot more of": Back up your stinkin' data. And then make a backup of your backup.
I couldn't agree more. This, for me, is why I will never, ever stop using Dropbox or its equivalent. Every user in my family circle gets backed up to Dropbox. I bought a couple of network storage boxes, and use them to backup Dropbox.
In all the years and years I've been using computers, data loss is the only thing that has ever truly hurt me. Bad guys? Meh. I use credit cards. My losses are limited to $50. And, that's only money.
My data is the one thing I can never replace.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
Your identity is the one thing that you cannot replace, and that is what the fight is for now.
Protecting it requires management of outbound data and not just preserving your information.
"Criminals need the internet to make money. They do not want to kill the net and they do not want to make it unusable for their victims."
But the tragedy of the commons shows how a group of criminals, none of whom want to kill off the net may end up doing so anyway because they are (a) greedy and (b) unable to coordinate their actions to keep their greed in check.
The net is a classic common pool resource, which means that Tragedy of the Commons is a real threat when each additional attack increases the profit to an individual black hat while reducing the collective profits taken by all of the black hats (the marginal utility to the individual is positive, but the marginal utility to the whole dark economy is negative). Over-fishing is a classic example.
Elinor Ostrom showed that in real life, common pool resources can be successfully managed against this threat, but only when there is a mechanism to set and enforce rules (either through formal governance or through informal norms and sanctions). Essentially, unless black hats develop their own dark government to effectively control and limit attacks, there is a real possibility, in principle at least, of tragedy of the commons bringing down the net.
However, just because it is possible does not make it likely. I am not qualified to assess the probability of this kind of collapse.
As expected, the PR guy avoided the hard questions.
Oh look, it's cocksuckerbot. Hi cocksuckerbot! Nobody's buying your stupid shit, everything's just as you left it!
Agreed, the chances of data being 'stolen' are low, maybe 10%? The chance that most people have at some point lost or accidentally deleted important files, or at least a couple of hours' worth of work, is a lot more like 100%.
To reduce that 10% chance of files being 'stolen' for misuse by someone (a person who has learned illegal hacking), there are a couple of measures that make it less and less likely.
e.g. Enabling 2-factor authentication, so you get an SMS code sent to you whenever you log in to Dropbox, makes it a *lot* safer to store private, personal files online. Dropbox has had 2FA available, if users choose to enable it, for a long time and generally has a good track record for data security.
Hopefully soon across the internet, the need for passwords might be easily replaceable with a hardware device, something like the Yubikey.
his hosts program is actually pretty good by xenotransplant
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg
I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon
take a look at the APK hosts file engine by SuperKendall
APK is kinda right. I've tried his hosts file generating software. It works by bmo
APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience by chihowa
I like your host file system by Karmashock
I find your hosts file admirable by vel-ex-tech
* My code's liked/used + recommended & hosted by Malwarebytes' hpHosts - Argue w/ the #'s.
APK
P.S.=> Want more opinions like those? Ask & "ye shall receive" while "eating your words"... apk