Mikko Hyppönen

Mikko Hypponen on the Internet in 2014: “We’re losing the utopia”

As 2013 winds to a close, there’s no denying it’s been a fascinating year – and no one agrees more than Mikko Hypponen, malware adventurer, famed TED speaker, and F-Secure’s Chief Research Officer. But how will the extraordinary events of 2013 influence the Internet in 2014? I sat down with Mr. Hypponen to hear his thoughts about the Snowden revelations, crypto currencies and the hidden Web.

 

How will the Internet change as a result of Snowden’s revelations?

The Web came around 20 years ago. For the first 15 years of the Web, we lived in a sort of utopia where there really were no borders, no distances, no geographies, no countries. People couldn’t care less about where their data was stored. For once, we had something truly global.

What I’m seeing happening right now is we are losing this utopia, and the reason is that this wholesale espionage is being used against the citizens of the world. So people are starting to ask questions like where is my data stored, under which country’s laws, which country is this software coming from. These are questions nobody was asking 20 years ago, and this is a really sad development because this great global Internet is becoming shattered and broken down by country lines. So in 2014 and beyond this segregation of the Internet will continue.

 

What’s the worst case scenario?

The worst case is the Internet becoming a series of disconnected islands because people don’t trust foreign countries anymore, especially powerful countries like the USA. Basically complete breaking of the global trust.

 

And the best case?

Best case is that Snowden keeps leaking explosive stuff about wrongdoings of the US intelligence agencies. Eventually he leaks such bad stuff that the revelations outweigh whatever Snowden himself has done. He’s forgiven by the US people, he receives a hero’s welcome at home, the US intelligence agencies are brought back under control, and everybody wins.

 

How should people change how they use the Web in 2014 because of the revelations?

One thing that I said during my TEDxBrussels talk in October was that people shouldn’t be worried, they should be outraged. Fighting this sort of thing with technical measures is hard. If change is going to happen, it’s going to happen through political change and international pressure.

But as far as technical things, my advice is to use encryption everywhere, use strong passwords or a password manager (like F-Secure Key), use cloud services from countries that aren’t conducting wholesale blanket surveillance. Use the same good computing hygiene that you would use to protect yourself from computer crime and malware.

 

So on the whole, is it good that Snowden did what he did?

Absolutely it’s a good thing. Regardless of Snowden’s motives, he did us a favor by revealing the details of these intelligence agencies. Because they are out of control. The fact that they undermine encryption algorithms makes us all less secure.

 

What do you think about whistleblowing in general?

Protecting valid whistleblowers is very important because they alert us to wrongdoing that would otherwise never have been revealed.

 

All these companies like Google and Facebook say they have not been complying with and didn’t know anything about PRISM. What do you think?

I don’t believe these companies are voluntarily cooperating. When Google says “we are not giving data to the NSA” I believe them. I believe most of these companies are victims themselves. I believe they are getting breached by their own government.

 

What do you think is the US intelligence agencies’ ultimate goal? Do you think their goal is to protect America from terrorism, or is it something more sinister?

I don’t think it’s either. I don’t think the people working inside the NSA are evil people with some sinister plot. I believe they’re trying to fulfill their mission which is to provide signals intelligence. They are fulfilling their mission – but the problem is, they seem to be willing to go to any lengths to do it. They’ve lost their way. They’ve lost sight of their original goals, they’ve become too powerful and they’re out of control. It’s not just about terrorism either, or why would they be tapping Angela Merkel’s phone?

 

Any other predictions for 2014?

On a different subject entirely, I think 2014 will be the year when crypto currencies like Bitcoin switch from being something that only geeks are aware of to something that regular people know about. The age of virtual, crypto currencies is finally here and it’s long overdue. The one to go mainstream might not be Bitcoin, but maybe a clone or son of it. Of course, just like cash, Bitcoin can be used for good and for bad. And we’re seeing the use for bad in the online crime world.

In April I noted on Twitter when Bitcoin value had reached 100 US dollars, and I predicted it would break $1000 by the end of the year. Today it’s $980. Good call!

 

(Bitcoin broke $1000 a few days after this interview)

 

And what about the hidden Web, or deep Web we’ve been hearing about lately?

When the Web originated, the powers that be didn’t see the importance of the Internet. Now the powers that be are trying to control it as much as they can, which means the whole Internet is changing, and we’re fighting for its future.

We’re seeing people who still want to be free on the Web moving to the hidden Web, which will be brought under control as well, in time. And bad things are happening on the hidden Web for sure, but that doesn’t mean the whole thing is bad. People think it’s bad, but that’s what they used to think about the traditional Web as well.

 

See more of Mikko’s recent comments:

TEDx Brussels talk: How the NSA Betrayed the World’s Trust – Time to Act

Reuters TV interview: In Cloud We Trust

Reuters TV interview: Bitcoin – the Latest Front in Cybercrime

-

mikko_face

 

 

 

 

More posts from this topic

MB

In what color would you like your new Mercedes?

A new Mercedes. Nice. Or maybe an Audi R8? That would be cool. But hold it! Don’t sell your old car yet! Liking and sharing that giveaway campaign on Facebook will NOT give you a new car. Those prizes doesn’t even exist. They are just hoaxes. Internet and Facebook is full of crap, junk, rubbish, nonsense and gibberish. Nobody knows how many chain letters there are spreading some kind of unbelievable story. False celebrity news, bogus first-aid advice, phony charity campaigns and this kind of giveaways. We tend to think about these chain letters as hoaxes, pretty harmless jokes that doesn’t hurt us. But that’s not the full story. A hoax can be harmful, like the outright dangerous first aid advice that some people keep spreading. But a car giveaway is probably a harmless and safe prank, even if it’s false? No, not really. These chain letters are actually not traditional hoaxes, they are like-farming scams. There’s no free lunch, you don’t pay for Facebook with money but with your private data. The like-farming scams work in the same currency. You will not lose any money even if you like the page and share it. Instead you will participate in building a page with a lot of supporters, which is valuable and can be sold later. Needless to say, you will not get any of that money. Here’s how it works. Any business has a problem when starting on Facebook. An empty page without likes isn’t trustworthy. So the scammers set up a page containing anything that can go viral. A promise to get a luxury car works well. They just have to tell everyone to like the page and to share it as much as possible, to keep the chain reaction going and get even more likes. The scammers wait until there’s enough likes before they clean out the content, rename it and start looking for a buyer. The price is in “$ per k”, meaning dollars per 1000 likes. A page with 100 000 likes could sell for over $1000. So sharing the page can make quite a lot of money for the scammers if you have a lot of gullible friends, who in turn have a lot of gullible friends, and so on … The downside for you is that the likes stick even if the page is redesigned for some totally different purpose. Your face will be an evangelist for the page’s new owners and show up next to their brand. And you have no idea about what you will be promoting. I have friends who are anti-fur activists. You can probably imagine what one of them would feel when discovering that she likes a fur-coat designer! And finally some concrete advice. Review your list of old likes regularly. Remove everything except those things you truly like and want to support. When you encounter a giveaway post like this, check the involved brand’s main page in Facebook by searching for the brand name. You will in most cases notice that the giveaway is a totally different page that just is named similarly. That’s a strong scam indicator. Use common sense. From the above you get an idea about what likes in Facebook are worth. Does it make sense to give away luxury cars for this? Don’t participate in scams like this. It might feel tempting, but remember that your chance to win is exactly zero. Spread knowledge every time you see a scam of this kind. Comment with a link to this post or the appropriate description on Hoax-Slayer or Snopes.   Those sites are by the way fun and educating reading. I recommend spending some time there getting familiar with other types of hoaxes too. Read at least these two articles: Facebook car giveaway on Snopes and Facebook like-farming scams on Hoax-Slayer .   Safe surfing, Micke  

Dec 16, 2014
BY 
crime scene

Help! I lost my wallet, phone and everything! I need 1000 €!

“Sorry for the inconvenience, I'm in Limassol, Cyprus. I am here for a week and I just lost my bag containing all my important items, phone and money at the bus station. I need some help from you. Thanks” Many of you have seen these messages and some of you already know what the name of the game is. Yes, it’s another type of Internet scam, an imposter scam variant. I got this message last week from a photo club acquaintance. Or to be precise, the message was in bad Swedish from Google translate. Here’s what happened. First I got the mail. Needless to say, I never suspected that he was in trouble in Limassol. Instead I called him to check if he was aware of the scam. He was, I wasn’t the first to react. Several others had contacted him before me and some were posting warnings to his friends on Facebook. These scams start by someone breaking in to the victim’s web mail, which was Gmail in this case. This can happen because of a bad password, a phishing attack, malware in the computer or a breach in some other system. Then the scammer checks the settings and correspondence to find out what language the victim is using. The next step is to send a message like the above to all the victim’s contacts. The victim had reacted correctly and changed the Gmail password ASAP. But I wanted to verify and replied to the scam mail anyway, asking what I can do to help. One hour later I got this: “Thanks, I need to borrow about 1000 euros, will pay you back as soon as I get home. Western Union Money Transfer is the fastest option to wire funds to me. All you need to do is find the nearest Western Union shop and the money will be sent in minutes. See details needed WU transfer below. Name: (Redacted) Address: Limassol, Cyprus you must email me the reference number provided on the payment slip as soon as you make the transfer so I can receive money here. Thank you,” Now it should be obvious for everyone how this kind of scam works. Once the scammers get the reference number they just go to Western Union to cash in. Most recipients will not fall for this, but the scammers will get a nice profit if even one or two contacts send money. But wait. To pull this off, the scammers need to retain control over the mail account. They need to send the second mail and receive the reference number. How can this work if the victim had changed his password? This works by utilizing human’s inability to notice tiny details. The scammers will register a new mail account with an address that is almost identical to the victim’s. The first mail comes from the victim’s account, but directs replies to the new account. So the conversation can continue with the new account that people believe belongs to the victim. The new address may have a misspelled name or use a different separator between the first and last names. Or be in a different domain that is almost the same as the real one. The two addresses are totally different for computers, but a human need to pay close attention to notice the difference. How many of you would notice if a mail address changes from say Bill.Gates@gmail.com to BiII_Gates@mail.com? (How many differences do you notice, right answer at the end?) To be honest, I was sloppy too in this case and didn’t at first see the tiny difference. In theory it is also possible that webmail servers may leave active sessions open and let the scammers keep using the hacked account for a while after the password has been changed. I just tested this on Gmail. They close old sessions automatically pretty quickly, but it is anyway a good idea to use the security settings and manually terminate any connection the scammers may have open. I exchanged a couple of mails with this person the day after. He told that the scammers had changed the webmail user interface to Arabic, which probably is a hint about where they are from. I was just about to press send when I remembered to check the mail address. Bummer, the scammer’s address was still there so my reply would not have reached him unless I had typed the address manually. The account’s reply-to was still set to the scammer’s fake account. OK, let’s collect a checklist that helps identifying these scams. If someone asks for urgent help by mail, assume it’s a scam. These scams are a far more common than real requests for help. We are of course all ready to help friends, but are YOU really the one that the victim would contact in this situation? Are you close enough? How likely is it that you are close enough, but still had no clue he was travelling in Cyprus? Creating urgency is a very basic tool for scammers. Something must be done NOW so that people haven't got time to think or talk to others. The scammers may or may not be able to write correct English, but other languages are most likely hilarious Google-translations. Bad grammar is a strong warning sign. Requesting money using Western Union is another red flag. Wire transfer of money provides pretty much zero security for the sender, and scammers like that. Many scammers in this category try to fake an embarrassing situation and ask the recipient to not tell anyone else, to reduce the risk that someone else sees through it. These messages often state that the phone is lost to prevent the recipient from calling to check. But that is exactly what you should do anyway. Next checklist, how to deal with a situation where your account has been hijacked and used for scams. Act promptly. Change the mail account’s passwords. Check the webmail settings and especially the reply-to address. Correct any changed settings. Check for a function in the web mail that terminates open sessions from other devices. Gmail has a “Secure your account” -wizard under the account’s security settings. It’s a good idea to go through it. Inform your friends. A fast Facebook update may reach them before they see the scammer’s mail and prevent someone from falling for it. It also helps raising awareness. And finally, how to not be a victim in the first place. This is really about account security basics. Make sure you use a decent password. It’s easier to maintain good password habits with a password manager. Activate two-factor authentication on your important accounts. I think anyone’s main mail account is important enough for it. Learn to recognize phishing scams as they are a very common way to break into accounts. Maintain proper malware protection on all your devices. Spyware is a common way to steal account passwords. The last checklist is primarily about protecting your account. But that’s not the full picture. Imagine one of your friends falls for the scam and loses 1000 € when your account is hacked. It is kind of nice that someone cares that much about you, but losing money for it is not nice. Yes, the criminal scammer is naturally the primarily responsible. And yes, people who fall for the scam can to some extent blame themselves. But the one with the hacked account carries a piece of responsibility too. He or she could have avoided the whole incident with the tools described above. Caring about your account security is caring about your friends too! And last but not least. Knowledge is as usual the strongest weapon against scams. They work only as long as there are people who don’t recognize the scam pattern. Help fighting scam by spreading the word!   Safe surfing, Micke   PS. The two mail addresses above have 3 significant differences. 1. The name separator has changed from a dot to an underscore. 2. The domain name is mail.com instead of gmail.com. 3. The two lower case Ls in Bill has been replaced with capital I. Each of these changes is enough to make it a totally separate mail address.   Image by Yumi Kimura

Dec 8, 2014
BY