As 2013 winds to a close, there’s no denying it’s been a fascinating year – and no one agrees more than Mikko Hypponen, malware adventurer, famed TED speaker, and F-Secure’s Chief Research Officer. But how will the extraordinary events of 2013 influence the Internet in 2014? I sat down with Mr. Hypponen to hear his thoughts about the Snowden revelations, crypto currencies and the hidden Web.
How will the Internet change as a result of Snowden’s revelations?
The Web came around 20 years ago. For the first 15 years of the Web, we lived in a sort of utopia where there really were no borders, no distances, no geographies, no countries. People couldn’t care less about where their data was stored. For once, we had something truly global.
What I’m seeing happening right now is we are losing this utopia, and the reason is that this wholesale espionage is being used against the citizens of the world. So people are starting to ask questions like where is my data stored, under which country’s laws, which country is this software coming from. These are questions nobody was asking 20 years ago, and this is a really sad development because this great global Internet is becoming shattered and broken down by country lines. So in 2014 and beyond this segregation of the Internet will continue.
What’s the worst case scenario?
The worst case is the Internet becoming a series of disconnected islands because people don’t trust foreign countries anymore, especially powerful countries like the USA. Basically complete breaking of the global trust.
And the best case?
Best case is that Snowden keeps leaking explosive stuff about wrongdoings of the US intelligence agencies. Eventually he leaks such bad stuff that the revelations outweigh whatever Snowden himself has done. He’s forgiven by the US people, he receives a hero’s welcome at home, the US intelligence agencies are brought back under control, and everybody wins.
How should people change how they use the Web in 2014 because of the revelations?
One thing that I said during my TEDxBrussels talk in October was that people shouldn’t be worried, they should be outraged. Fighting this sort of thing with technical measures is hard. If change is going to happen, it’s going to happen through political change and international pressure.
But as far as technical things, my advice is to use encryption everywhere, use strong passwords or a password manager (like F-Secure Key), use cloud services from countries that aren’t conducting wholesale blanket surveillance. Use the same good computing hygiene that you would use to protect yourself from computer crime and malware.
So on the whole, is it good that Snowden did what he did?
Absolutely it’s a good thing. Regardless of Snowden’s motives, he did us a favor by revealing the details of these intelligence agencies. Because they are out of control. The fact that they undermine encryption algorithms makes us all less secure.
What do you think about whistleblowing in general?
Protecting valid whistleblowers is very important because they alert us to wrongdoing that would otherwise never have been revealed.
All these companies like Google and Facebook say they have not been complying with and didn’t know anything about PRISM. What do you think?
I don’t believe these companies are voluntarily cooperating. When Google says “we are not giving data to the NSA” I believe them. I believe most of these companies are victims themselves. I believe they are getting breached by their own government.
What do you think is the US intelligence agencies’ ultimate goal? Do you think their goal is to protect America from terrorism, or is it something more sinister?
I don’t think it’s either. I don’t think the people working inside the NSA are evil people with some sinister plot. I believe they’re trying to fulfill their mission which is to provide signals intelligence. They are fulfilling their mission – but the problem is, they seem to be willing to go to any lengths to do it. They’ve lost their way. They’ve lost sight of their original goals, they’ve become too powerful and they’re out of control. It’s not just about terrorism either, or why would they be tapping Angela Merkel’s phone?
Any other predictions for 2014?
On a different subject entirely, I think 2014 will be the year when crypto currencies like Bitcoin switch from being something that only geeks are aware of to something that regular people know about. The age of virtual, crypto currencies is finally here and it’s long overdue. The one to go mainstream might not be Bitcoin, but maybe a clone or son of it. Of course, just like cash, Bitcoin can be used for good and for bad. And we’re seeing the use for bad in the online crime world.
In April I noted on Twitter when Bitcoin value had reached 100 US dollars, and I predicted it would break $1000 by the end of the year. Today it’s $980. Good call!
(Bitcoin broke $1000 a few days after this interview)
And what about the hidden Web, or deep Web we’ve been hearing about lately?
When the Web originated, the powers that be didn’t see the importance of the Internet. Now the powers that be are trying to control it as much as they can, which means the whole Internet is changing, and we’re fighting for its future.
We’re seeing people who still want to be free on the Web moving to the hidden Web, which will be brought under control as well, in time. And bad things are happening on the hidden Web for sure, but that doesn’t mean the whole thing is bad. People think it’s bad, but that’s what they used to think about the traditional Web as well.
See more of Mikko’s recent comments:
TEDx Brussels talk: How the NSA Betrayed the World’s Trust – Time to Act
Reuters TV interview: In Cloud We Trust
Reuters TV interview: Bitcoin – the Latest Front in Cybercrime
Many techie terms in the headlines lately. Supercookies, supertrackers, HTTP headers and X-UIDH. If you just skim the news you will learn that this is some kind of new threat against our privacy. But what is it really? Let’s dig a bit deeper. We will discover that this is an issue of surprisingly big importance.
Cookies are already familiar to most of us. These are small pieces of information that a web server can ask our browser to store. They are very useful for identifying users and managing sessions. They are designed with security and privacy in mind, and users can control how these cookies are used. In short, they are essential, they can be a privacy problem but we have tools to manage that threat.
What’s said above is good for us ordinary folks, but not so good for advertisers. Users get more and more privacy-aware and exercise their ability to opt out from excessive tracking. The mobile device revolution has also changed the game. More and more of our Internet access is done through apps instead of the browser. This is like using a separate “browser” for all the services we use, and this makes it a lot harder to get an overall picture of our surfing habits. And that’s exactly what advertisers want, advertising is like a lottery with bad odds unless they know who’s watching the ad.
A new generation of supercookies (*) was developed to fight this trend. A supercookie is a piece of information that is inserted in your web traffic by your broadband provider. Its purpose is to identify the user from whom the traffic comes, and to generate revenue for the broadband provider by selling information about who you really are to the advertisers. These supercookies are typically used on mobile broadband connections where the subscription is personal, meaning that all traffic on it comes from a single person.
So why are supercookies bad?
They are inserted in the traffic without your consent and you have no way to opt out.
They are not visible at all on your device so there is no way to control them by using browser settings or special tools.
They are designed to support advertisers and generate revenue for the mobile broadband provider. Your need for privacy has not been a design goal.
They are not domain-specific like ordinary cookies. They are broadcast to any site you communicate with.
They were designed to remain secret. They are hidden in an obscure part of the header information that very few web administrators need to touch.
There are two ways to pay for Internet services, with money or by letting someone profile you for marketing purposes. This system combines both. You are utilized for marketing profit by someone you pay money to.
But what can and should I do as an ordinary user?
Despite the name, this kind of supercookie is technically totally different from ordinary cookies. The privacy challenges related to ordinary cookies are still there and need to be managed. Supercookies have not replaced them. Whatever you do to manage ordinary cookies, keep doing it.
Supercookies are only used by some mobile broadband providers. Verizon and AT&T have been most in the headlines, but at least AT&T seems to be ramping down as a result of the bad press. Some other operators are affected as well.
If you use a device with a mobile broadband connection, you can test if your provider inserts them. Go to this page while connected over the device’s own data connection, not WiFi. Check what comes after “Broadcast UID:”. This field should be empty. If not, then your broadband provider uses supercookies.
Changing provider is one way to get rid of them.
Another way is to use a VPN service. This will encapsulate all your traffic in an encrypted connection, which is impossible to tamper with. We happen to have a great offering for you, F-Secure Freedome. Needless to say, using Freedome on your mobile device is a good idea even if you are not affected by these supercookies. Check the site for more details.
Last but not least. Even if you’re unaffected, as most of you probably are, this is a great reminder of how important net neutrality is. It means that any carrier that delivers your network traffic should do that only, and not manipulate it for their own profit. This kind of tampering is one evil trick, throttling to extort money from other businesses is another. We take neutrality and equal handling for granted on many other common resources in our society. The road network, the postal service, delivery of electricity, etc. Internet is already a backbone in society and will grow even more important in the future. Maintaining neutrality and fair rules in this network is of paramount importance for our future society.
Safe surfing,
Micke
PS. The bad press has already made AT&T drop the supercookies, which is great. All other involved mobile broadband providers may have done the same by the time you are reading this. But this is still an excellent example of why net neutrality is important and needs to be guaranteed by legislation.
(*) This article uses the simplified term supercookie for the X-UIDH-based tracker values used by Verizon, AT&T and others in November 2014. Supercookie may in other contexts refer to other types of cookie-like objects. The common factor is that a supercookie is more persistent and harder to get rid of than an ordinary cookie.
Image by Jer Thorp
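The provider test described in the supercookie article above works because only the receiving server can see a header added in transit. The sketch below is an added example, not code from the article or from any provider: it compares a request as the device sent it with the same request as a server received it and reports what was inserted on the way. The sample requests, the token value, the host name and the function names are all constructed for illustration.

```python
"""Spot headers added between a client and a server, such as X-UIDH."""

# Header named in the article; HTTP header names are case-insensitive.
KNOWN_TRACKING_HEADERS = {"x-uidh"}


def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {name: value}."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def injected_headers(sent_raw: str, received_raw: str) -> dict:
    """Headers present (or changed) on arrival that the client never sent."""
    sent, received = parse_headers(sent_raw), parse_headers(received_raw)
    return {n: v for n, v in received.items() if sent.get(n) != v}


def tracking_headers(received_raw: str) -> dict:
    """Server-only view: known tracking headers in an incoming request."""
    return {n: v for n, v in parse_headers(received_raw).items()
            if n in KNOWN_TRACKING_HEADERS}


# Constructed sample: what the phone sent over its mobile data connection.
SENT = (
    "GET / HTTP/1.1\r\n"
    "Host: echo.example\r\n"
    "User-Agent: SampleBrowser/1.0\r\n"
    "\r\n"
)
# Constructed sample: the same request as the server saw it (token is made up).
RECEIVED_PLAIN = SENT.replace(
    "\r\n\r\n", "\r\nX-UIDH: CONSTRUCTED-TOKEN-0001\r\n\r\n")
# Inside a VPN tunnel the request is encrypted, so it arrives unchanged.
RECEIVED_TUNNELLED = SENT

if __name__ == "__main__":
    print("plain HTTP:", injected_headers(SENT, RECEIVED_PLAIN))
    print("tunnelled :", injected_headers(SENT, RECEIVED_TUNNELLED))
```

A site operator who wants to avoid handling these identifiers can use the same lookup to drop the header before it reaches application logs.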
It's like a press conference anyone can join from anywhere. And even if you don't have a question, you can upvote the ones you don't like and downvote the ones you do. President Obama did one. Snoop Dogg/Snoop Lion did one. An astronaut did one from outer space. And our Mikko Hypponen will sit down for his second Reddit AMA on December 2 at 9 AM ET.
If you have something you've wanted to ask him about online security, great. If not, here are five resources that document some of Mikko's more than two decades in the security industry to prod you or prepare you.
1. Check out this 2004 profile of his work from Vanity Fair.
2. Watch his 3 talks that have been featured on TED.com.
3. Check out his first AMA, which took place just after his first talk at TEDglobal was published.
4. Take a trip to Pakistan with Mikko to meet the creators of the first PC virus.
5. To get a sense of what he's been thinking about recently, watch his most recent talk at Black Hat "Governments as Malware Creators".
BONUS: Make sure you follow him on Twitter to get a constant stream of insight about online security, privacy and classic arcade games.
Cheers,
Sandra
We wouldn't be F-Secure without the talented and passionate researchers in our Labs. And today we'd like you to meet one whose inquisitive nature has driven him to become an inventor - and a prolific one at that. In his 14-year career with F-Secure, Jarno Niemelä has racked up an impressive 20 patents to his name and has filed 100 patent applications in total. His achievements recently won the title of "Salaried Inventor of 2014" from a group of Finnish inventors' organizations. I sat down to chat with Jarno about where he gets his ideas, and his advice for others.
What area do your inventions focus on?
I mostly focus on methods to help detect malware on a system, or methods of preventing malware from entering the system in the first place.
How do your ideas come about?
Inventions mostly happen in the evening when I'm not at work, and not even trying to think about it. I'll be working on some problem at work, and usually a day or two later, when I'm doing something totally unrelated on my own time, it hits me. I understand the problem and come up with a solution. The gym is a really good place for inventions.
What motivates you to keep on inventing new solutions?
Inventions just happen, pretty much. Whenever I'm able to define a problem, I'm usually always able to come up with a solution. I am lucky to be researching in areas with problems that others have not yet solved. I'll be honest, I don't really like patents that much personally. The fact is though, that companies without patents would pretty much be at the mercy of the competitors. So in my view, patents are basically company self defense. Patents keep things in balance.
Were you curious about things growing up?
I've always kind of been inventive. You cannot learn to become an inventor, it's either something that's in your nature or it's not. And then you need to hone the talent and learn how to work within the patent framework. Another thing that is very important is good basic education and knowledge about the field. I owe a lot to Metropolia University of Applied Sciences where I studied for my engineering degree.
Do you have any advice for people who have this inventive nature and are interested in filing patents?
It all starts from defining and understanding the problem. Without a thorough understanding of the problem, you can't come up with a solution. Also, when it comes to patents, it's important to know what has previously been done in your area, and be clear in exactly how your invention is different from those. Otherwise your patent can be easily rejected by the patent examiner. And finally, patents are a long process so you need patience. It can take three to five years to get a patent approved. So this is not for hasty people.
What is that rock you're holding?
It's my trophy, a piece of Finnish bedrock! Inventors are the bedrock of new products.
Do you have any certain goals for your inventions?
Before I retire I would like to have at least 50 patents to my name.
Well, he's off to a great start. Congratulations, Jarno!
Follow Jarno on Twitter