As 2013 winds to a close, there’s no denying it’s been a fascinating year – and no one agrees more than Mikko Hypponen, malware adventurer, famed TED speaker, and F-Secure’s Chief Research Officer. But how will the extraordinary events of 2013 influence the Internet in 2014? I sat down with Mr. Hypponen to hear his thoughts about the Snowden revelations, crypto currencies and the hidden Web.
How will the Internet change as a result of Snowden’s revelations?
The Web came around 20 years ago. For the first 15 years of the Web, we lived in a sort of utopia where there really were no borders, no distances, no geographies, no countries. People couldn’t care less about where their data was stored. For once, we had something truly global.
What I’m seeing happening right now is we are losing this utopia, and the reason is that this wholesale espionage is being used against the citizens of the world. So people are starting to ask questions like where is my data stored, under which country’s laws, which country is this software coming from. These are questions nobody was asking 20 years ago, and this is a really sad development because this great global Internet is becoming shattered and broken down by country lines. So in 2014 and beyond this segregation of the Internet will continue.
What’s the worst case scenario?
The worst case is the Internet becoming a series of disconnected islands because people don’t trust foreign countries anymore, especially powerful countries like the USA. Basically complete breaking of the global trust.
And the best case?
Best case is that Snowden keeps leaking explosive stuff about wrongdoings of the US intelligence agencies. Eventually he leaks such bad stuff that the revelations outweigh whatever Snowden himself has done. He’s forgiven by the US people, he receives a hero’s welcome at home, the US intelligence agencies are brought back under control, and everybody wins.
How should people change how they use the Web in 2014 because of the revelations?
One thing that I said during my TEDxBrussels talk in October was that people shouldn’t be worried, they should be outraged. Fighting this sort of thing with technical measures is hard. If change is going to happen, it’s going to happen through political change and international pressure.
But as far as technical things, my advice is to use encryption everywhere, use strong passwords or a password manager (like F-Secure Key), use cloud services from countries that aren’t conducting wholesale blanket surveillance. Use the same good computing hygiene that you would use to protect yourself from computer crime and malware.
So on the whole, is it good that Snowden did what he did?
Absolutely it’s a good thing. Regardless of Snowden’s motives, he did us a favor by revealing the details of these intelligence agencies. Because they are out of control. The fact that they undermine encryption algorithms makes us all less secure.
What do you think about whistleblowing in general?
Protecting valid whistleblowers is very important because they alert us to wrongdoing that would otherwise never have been revealed.
All these companies like Google and Facebook say they have not been complying with and didn’t know anything about PRISM. What do you think?
I don’t believe these companies are voluntarily cooperating. When Google says “we are not giving data to the NSA” I believe them. I believe most of these companies are victims themselves. I believe they are getting breached by their own government.
What do you think is the US intelligence agencies’ ultimate goal? Do you think their goal is to protect America from terrorism, or is it something more sinister?
I don’t think it’s either. I don’t think the people working inside the NSA are evil people with some sinister plot. I believe they’re trying to fulfill their mission which is to provide signals intelligence. They are fulfilling their mission – but the problem is, they seem to be willing to go to any lengths to do it. They’ve lost their way. They’ve lost sight of their original goals, they’ve become too powerful and they’re out of control. It’s not just about terrorism either, or why would they be tapping Angela Merkel’s phone?
Any other predictions for 2014?
On a different subject entirely, I think 2014 will be the year when crypto currencies like Bitcoin switch from being something that only geeks are aware of to something that regular people know about. The age of virtual, crypto currencies is finally here and it’s long overdue. The one to go mainstream might not be Bitcoin, but maybe a clone or son of it. Of course, just like cash, Bitcoin can be used for good and for bad. And we’re seeing the use for bad in the online crime world.
In April I noted on Twitter when Bitcoin value had reached 100 US dollars, and I predicted it would break $1000 by the end of the year. Today it’s $980. Good call!
(Bitcoin broke $1000 a few days after this interview)
And what about the hidden Web, or deep Web we’ve been hearing about lately?
When the Web originated, the powers that be didn’t see the importance of the Internet. Now the powers that be are trying to control it as much as they can, which means the whole Internet is changing, and we’re fighting for its future.
We’re seeing people who still want to be free on the Web moving to the hidden Web, which will be brought under control as well, in time. And bad things are happening on the hidden Web for sure, but that doesn’t mean the whole thing is bad. People think it’s bad, but that’s what they used to think about the traditional Web as well.
See more of Mikko’s recent comments:
TEDx Brussels talk: How the NSA Betrayed the World’s Trust – Time to Act
Reuters TV interview: In Cloud We Trust
Reuters TV interview: Bitcoin – the Latest Front in Cybercrime
If you read our post about why you should travel with glitter nail polish, you know we love unconventional OPSEC advice that keep strangers out of your business. That's why this quote in a recent GQ profile of Kim Kardashian, which was first pointed out by LA Times editor Amy Fiscus, stood out: "She's frighteningly organized: She tells me that before bed she deletes every single text message and e-mail from her phone, unless it's something she still needs to respond to." Is this good OPSEC? We asked one of our resident experts Camillo Särs and he was intrigued. "Yes – the practice of deleting any unnecessary copies as soon as possible is definitely good OPSEC," he explained. "Clearly that is not the actual intent here, but effective, nevertheless!" So be like the woman who broke the internet, and consider getting rid of anything you don't need to keep as soon as possible. And if you're about to go on vacation, here's a quick OPSEC tip for your email out-of-office message, which could be helping criminals trying to phish you. Is there an OPSEC tip you picked up that you've picked up and feel like sharing? Let us know in the comments.
In Finland, there is this thing called juhannus. A few years ago, our former colleague Hetta described it like this: Well, Midsummer – or juhannus – as it is called in Finnish, is one of the most important public holidays in our calendar. It is celebrated, as you probably guessed, close to the dates of the Summer Solstice, when day is at its longest in the northern hemisphere. Finland being so far up north, the sun doesn’t set on juhannus at all. Considering that in the winter we get the never ending night, it’s no surprise we celebrate the sun not setting. So what do Finns do to celebrate juhannus? I already told you we flock to our summer cottages, but what then? We decorate the cottage with birch branches to celebrate the summer, we stock up on new potatoes which are just now in season and strawberries as well. We fire up the barbecue and eat grilled sausages to our hearts content. We burn bonfires that rival with the unsetting sun. And we get drunk. If that isn't vivid enough, this video may help: [protected-iframe id="f18649f0b62adf8eb1ec638fa5066050-10874323-9129869" info="https://www.facebook.com/plugins/video.php?href=https%3A%2F%2Fwww.facebook.com%2Fsuomifinland100%2Fvideos%2F1278272918868972%2F&show_text=0&width=560" width="560" height="315" frameborder="0" style="border: none; overflow: hidden;" scrolling="no"] And because the celebration is just so... celebratory, it's easy to lose your phone. So here are a few ways to prepare yourself for a party that lasts all night. 1. Don't use 5683 as your passcode. That spells love and it's also one of the first passcodes anyone trying to crack into your phone will try. So use something much more creative -- and use a 6-digit code if you can on your iPhone. You can also encrypt your Android. 2. Write down your IMEI number. If you lose your phone, you're going to need this so make sure you have it written down somewhere safe. 3. Back your content up. This makes your life a lot easier if your party goes too well and it's pretty simple on any iOS device. Just make sure you're using a strong, unique password for your iCloud account. Unfortunately on an Android phone, you'll have to use a third-party app. 4. Maybe just leave it home. Enjoy being with your friends and assume that they'll get the pictures you need to refresh your memory. And while you're out you can give your phone a quick internal "clean" with our free Boost app. [Image by Janne Hellsten | Flickr]
Mikko Hyppönen -- our Chief Research Officer and probably the most famous code warrior ever to come out of Finland -- likes to point out that he was born the same year as the internet. Jani -- the ten-year-old from Helsinki who made international news by earning Instagram's top bug bounty prize for uncovering a security flaw in the photo-sharing site -- was born a couple a years after Facebook was invented in 2004 and just four years before Instagram went online in 2010. And he's already made some history. Jani discovered a flaw in the site that would have allowed him -- or anyone -- to delete content from any user from the site, even stars with tens of millions of followers including Taylor Swift, Selena Gomez and Beyonce. Like any good white-hat hacker he didn't take advantage of the vulnerability. Instead, he reported the bug to Facebook, which now owns the app, directly. His maturity paid off. Even though he is not technically old enough to use the site according Instagram's terms and conditions, he's become the youngest person ever to win a $10,000 bug bounty, which he's used to purchase a soccer ball, a bike and other essential gear for being ten. To celebrate his feat, F-Secure Labs invited Jani to visit our headquarters for a hamburger and a tour. The visit gave our experts a chance to share their stories about how they were drawn to cybersecurity. Mikko learned to love computers from his mother who was in the industry. Päivi was guided into the field by her father and discovered that she has a passion for rooting out spam. When Tomi was a kid striving to learn the rules of the coin games his friends played so he could hack them and win, he recognized that he didn't see the world like everyone else. Jani has already discovered the same thing. Though he finds plenty of time for school and playing with his friends, he spends 2-3 hours during his off days hunting for vulnerabilities and looking out for new bug bounty programs -- like our own -- that allow him to test his skills. How did he find the vulnerability in Instagram? First he created two accounts. He posted a comment using one account and then just using the publicly available content id number he was able to delete the comment using the other. Immediately he recognized the potential for such a flaw to be exploited. Mikko and Tomi were impressed by how Jani used Linux and Burp Suite -- a tool that pros like the analysts in our Labs use to analyze network traffic -- to help identify the bug. While he used to be interested in a career in video games, Jani says he's now thinking about becoming a cybersecurity specialist. Mikko and Tomi advised him to finish school and stay on the right side of the law. They also invited him to spend a week or two working at the Labs to see how he likes the job, when he's old enough. He's planning on taking them up on the offer, saying that F-Secure looks like a "fun and cool" place to work. Nice. We're always looking for new talent and even Mikko may retire one day.